Open Source Security

February 12, 2019 @ 7:00 pm – 9:00 pm
University of Gloucestershire
Room TC014
‘Teaching Centre’, The Park Campus, Cheltenham
GL50 2RH
Philip Statham

This event is hosted by Cheltenham and Gloucester BCS and starts at the later time of 7pm. The evening features two talks on the theme of open source security

There is no booking for this event, please just turn up at the venue. The talks will be recorded, but we regret no live-streaming will be available on this occasion.

SCARV: a side-channel hardened RISC-V platform

Speaker: Dr Dan Page, University of Bristol


SCARV is an EPSRC funded research project [1], housed at the University of Bristol within the national RISE initiative [2]. At a high level, the remit of SCARV spans computer architecture and cryptography: it aims to harness RISC-V [3] as a way to address challenges in efficient, secure implementation of cryptography.

This talk will cover 2 in-progress directions within SCARV, emphasising their use of and relationship with open source software and hardware.

  1. RISC-V is, by design, an easily extensible ISA: it is possible to adapt and/or extend the ISA to suit specific use-cases. We have developed an extension called XCrypto [4], which is intended to support software implementations of cryptography. By using some concrete examples, I will try to illustrate a) the design and implementation of XCrypto, and b) what value the extension provides.
  2. Implementation (e.g., side-channel [5]) attacks are are persistent threat to cryptography, particularly in embedded contexts such as IoT; robust security evaluation wrt. such attacks is therefore important. For certain classes of implementation attack, the infrastructure involved can be prohibitive. I will try to outline our goals and progress regarding the development of “lab. free” infrastructure, in part based on the open source SCALE platform [6].



Speaker bio:

Dr. Daniel Page, is a Lecturer within the Department of Computer Science, University of Bristol. His current research focuses on challenges in cryptographic engineering and applied cryptography, the  implementation (in hardware and/or software) of implementation attacks (e.g., side-channel and fault attacks) on cryptographic primitives and arithmetic in particular.

Over 60 (co-)authored, peer-reviewed publications have resulted from associated work, representing collaboration with industry and academic partners that include 6 (co-)supervised PhD students. The pre-eminent venue for such work is arguably Cryptographic Hardware and Embedded Systems (CHES); Dr. Page received the best paper award at CHES 2012, regularly serves on the CHES Programme Committee, and acted as Program (co-)Chair at CHES 2018. He (co-)founded the spin-out company Identum (with Prof. Smart), which was acquired by Trend Micro in early 2008.

Open source tools and processes for secure IoT development


Developing secure IoT software requires that good software engineering practices are used, and that an appropriate set of secure coding guidelines are followed. Much of the guidance on writing secure software is in common with that for minimising bugs and defects; however, some tasks (such as memory sanitisation, maintaining side-channel atomicity, etc.) are security-specific and are difficult even for experienced engineers to consistently implement.

The compiler is ideally placed to assist, because almost all code for any device goes through a compiler, which translates the program to binary code to run on the processor. This global view of the software can enable the compiler to detect insecure coding patterns and provide automated support for security-specific tasks.

The Innovate UK funded Security Enhancing Compilation for Use in Real Environments (SECURE) project, which ran from June 2017 – September 2018, has taken the latest academic research in security-specific programming techniques and integrated it within the two most widely used compilers, GCC and LLVM. These freely available tools will not “magically” write secure code – however, they make it much easier for engineers to follow good practice and avoid errors by automating the use of security-specific techniques and processes.

This talk will present the technology and show how it supports secure software development processes by reducing the burden placed on engineers who would otherwise have to manually implement security-specific techniques and inspect code for security issues.

This talk is an extended version of the presentation to the IoTSF Conference in December 2018, which will go into greater technical detail. It presents work carried out by Dr Graham Markall, Simon Cook, Paolo Savini and Craig Blackmore as well as the speaker Speaker: Dr Jeremy Bennett

Speaker Biography:

Dr Jeremy Bennett is Chief Executive of Embecosm, which provides open source compiler development, processor modeling and embedded operating system services to companies worldwide. He is author of the standard textbook “Introduction to Compiling Techniques” (McGraw Hill 1990, 1995, 2003) and serves as Chair of the BCS Open Source Specialist Group.

Leave a comment