Two newly-discovered security flaws in computer processors, named Meltdown and Spectre, could allow unauthorised users to gain direct access to the heart of computer systems and steal personal data. The vulnerabilities were discovered by an international research team, in which Graz University of Technology’s Institute of Applied Information Processing and Communications (TU Graz, Austria) played a central role. The EU's European Research Council (ERC) has been supporting this research project since 2016, to the tune of two-million euro.
We spoke today with Professor Stefan Mangard, the ERC grantee who led the team at TU Graz involved in the Meltdown and Spectre discovery.
Are our computers safe enough?
The traditional way of designing processors places all the focus on performance and only on performance. We can compare it to cars. In the beginning, cars were just designed to be fast, but today safety is our main concern. However, when it comes to Central Processing Units (CPUs), we buy them because of their speed. In today's environment of increasing attacks on computer systems though, we need to accept security as a major design criterion. I hope the discovery of the Meltdown and Spectre flaws will trigger a new way of thinking about computer design.
And this was the whole motivation for your ERC project?
Indeed. Its main idea is that we need to design computer systems with security in mind from the beginning of the design process. We need basic research to achieve this; we need to start at the very beginning and see how we can bring security into the design of computer systems. The discovery of these flaws confirms our proposal. Actually we were very much surprised to discover these vulnerabilities in our computers and didn't expect it to be so severe. People were rather shocked - we couldn't believe that this is actually happening.
Is this just the tip of the iceberg?
It is likely that that there are more security issues. However, they are probably not as large in scale as this one. The reason is the current trade-off between performance and security. So far, all systems were optimised for performance. But each time you optimise a CPU for performance, you potentially optimise against security. There were four research groups, including us at TU Graz, that found Meltdown and Spectre independently. It has been an ongoing process from mid-2017 until today. This research is highly relevant to modern IT challenges and multiple parties are working in this area simultaneously. This is just the start, we opened the door and there is more to come.
Do these security flaws have relevance to the Internet of Things?
There a huge trend in connecting everything. On the one hand, we have the centres that store all the data and, on the other, the nodes that are in the field and collect the information. Nodes can include smart phones and IT devices in cars. They have become more and more powerful, and they have processors that now can be attacked.
Michael Schwarz, Daniel Gruss, Stefan Mangard and Moritz Lipp from TU Graz, members of ERC-funded Secure Systems Group, who were behind the recent discovery of devastating vulnerabilities in computer processors.
In what way did the ERC funding help develop your research project?
An ERC grant is a great opportunity. It provides funding that gives you a lot of freedom in the research you do. I can hire a large group of people and I don't have to write reports every month. The ERC allows scientists like myself to really focus on our topics, but also to study on an ambitious and broad scale. This makes finding something ground-breaking more likely - you are prepared for a lucky discovery. In this sense the ERC is an enabler for researchers.
Some 120 ERC-funded projects mention the discipline of "cryptography" in their abstract. Some of this work, like that of Professor Elisabeth Oswald of the University of Bristol, also uses the physical properties of devices, power consumption and electromagnetic emanation, to investigate how information leaks. Other projects, such as the project SPOOC, conducted by Steve Kramer from the National Institute for Research in Computer Science and Automatic Control at France's INRIA, study how security protocols could allow us, one day, to perform delicate operations, like electing our political leaders, online. The 2013 Synergy Grant imPACT even analyses the intersection between cybersecurity, law, economics and society to develop tools to raise accountability and trust in the internet. Around 170 million euro have been awarded to ERC projects of this type.
Chart: Distribution of ERC projects that mention "cryptography" in their abstract.