Design for User Trust in an Ecosystem of Ubiquitous Internet of Things. A vision for awareness, safety and security. A systematic approach at the hardware-software interface
Subject proposed by
Thesis supervisor:
Research unit
EURECOM research laboratory
Field: Information and communication sciences and technologies
In a world of ubiquitous connected smart devices and pervasive computing, several security
issues that deeply affect people's lives arise. In particular, the tension between safety and
security, liability, and the contrast between trust and verifiability are major concerns. A
Copernican revolution putting users at the center and enabling them to trust devices is
fundamental. Reconciling their interests with those of the manufacturers is of great importance
too. A systematic, analytical approach is required to achieve design for user trust. In
particular, challenging goals reside at the architectural level, at the hardware-software
interface, without forgetting low-level hardware security issues.
2 Scientific context
We live in a world of interconnected smart devices, i.e., an ecosystem of objects able to sense,
connect and control the environment in which they are embedded. These objects already pervade
our daily life, yet their role in the society of the future still has an enormous margin of
growth (e.g., in intelligent transport systems, wearables, health, smart cities, industry). The
list is virtually infinite, as research is simply trying to bring computing power inside every
human activity to enhance it 1. In such a world, several security issues with these embedded
devices arise; many are still open problems, and new ones arise with every new system deployed.
One of the main directions to build a secure ecosystem of connected computing objects is "trusted
computing" 2. The main goal is to obtain a guarantee that a certain system is not compromised,
or at least to be able to tell if it has been compromised. This is called trust and it is based
on a Root of Trust, i.e., hardware, firmware, and/or software that is inherently trusted to
perform a vital security function, for instance through signature verification on software
performed by specific hardware modules.
3 Scientific contents
Trusted computing seems the perfect systematic solution to security for such systems. However,
several issues arise and must be solved to let it reach its great potential.
Trust is something that is not blindly granted but that is earned by verifying it. Currently,
trusted computing mechanisms often rely on unconditional trust in the system's manufacturer,
since users have too few ways to verify them. Hence the importance of designing systems
where the users can decide whom (for instance a community of experts and independent
authorities) and what to trust. We call this Design For User Trust. Unfortunately, the first
security measures that are implemented in embedded systems often prevent such an independent
analysis (e.g., deactivation of a debug port, secure boot, encrypted file system, obfuscation).
Moreover, documentation is confidential. Such measures hide the problems (making it difficult
to discover hardware or software vulnerabilities) more than they solve them. These are
violations of Kerckhoffs's principle. Lack of verifiable trust leads to a lemons market. The
manufacturer (may) know if the product is secure or not, but buyers cannot tell. Thus they are
not willing to pay much more than for a lemon (i.e., an insecure one). This essentially removes
quality (secure) goods from the market, because they are not worth selling at a low price.
The complexity of trustworthy environments is an obstacle to their use in simple, cheap embedded
architectures. Several papers try to address this problem through smart usage of existing
resources and minor hardware modifications [4, 5, 6, 7]. Also, more and more secure trusted
systems move the security problem to the lower layers, i.e., to the firmware level of the
components and to the physical hardware level. The importance of side-channel and semi-invasive
attacks is thus increasing and must be considered during higher-layer design too. This research
shows several ways to defeat secure boot, and they are mostly at a very low level 3.
3.2 Main goals, expected innovation and approach
The main goal is to give a decisive impulse to the development of a healthy
ecosystem of ubiquitous connected devices with enhanced "user control", and where security
is no longer an obstacle to safety.
Addressing this issue is a great challenge that involves the development of a new
hardware/software architecture to support design for user trust. Our approach will be based on
a holistic view of the embedded world and on an analytical, systematic, cross-disciplinary
approach. It will enable the design of cheap, simple, smart architectures including features
such as safety, trustworthiness, verifiability and control in the hands of the user. A further
goal will be to test this methodology on real-life applications and develop effective solutions.
Last but not least, this research aims at laying the basis for further work in a general view of embedded
More precisely, our approach will be as follows:
1. Detailed bibliography on trusted platforms and architectures for a wide range of systems
(i.e., information systems, cloud services, embedded systems) considering open platforms
oriented towards user trust. This shall also emphasize the current limitations that have
led manufacturers not to settle on current trust solutions.
2. Proposal of a mixed hardware/software open architecture, in terms of dedicated hardware
blocks (e.g., hardware accelerators, specific CPU support, debug capabilities) and in terms
of software elements (e.g., boot code, drivers).
3. Verification of the solution in terms of security, trust, and implementability. At a platform
level, the TTool / SysML-Sec environment from Telecom ParisTech shall be used (and
enhanced if necessary).
4. Prototyping of the solution in the scope of the Internet of Things, using a well-known IoT
platform (e.g., STM Nucleo, Intel solution) or open source soft cores (e.g., OpenMSP430,
pulpino), and demonstration of a user trust mechanism.
5. Publications in well-known conferences/journals, and dissemination among industrial
partners, first locally (e.g., Intel has an IoT branch in Sophia-Antipolis), and more broadly (see
3.3 State of the art and past research
The hardware/software interface is the layer at which software comes to life by interacting with
the hardware architecture. However, the complex interplay between several concurrent modules and
the misunderstandings among different disciplines make it a fertile ground for bugs and
vulnerabilities. The hardware/software interface is also a great place to efficiently implement
security measures (e.g., eXecutable disable by Intel, eXecute Never by ARM to prevent data execution).
In recent years, Trusted Execution Environments, which provide strong guarantees for critical
operations, have seen important developments. Intel Soft Guard Extensions should guarantee
integrity and confidentiality for sensitive operations, even when all privileged code is
malicious, but this still needs further research and more openness. Lightweight HW/SW
trustworthiness for simple embedded systems was proposed in the SMART architecture. It consists
of a very effective system-level solution, based on hardware features that can be easily added
to existing devices with minor changes at a low price. This approach was extended and improved
in many follow-up works [5, 6, 7]. While those are important starting points for design for user
trust as well as for design for testability, they do not yet solve the security/safety issues,
nor do they consider who should be in charge of the system (user vs. manufacturer): this is the
open problem we aim to address in this work.
Much research work exists regarding verification of complex concurrent architectures. This
aspect is very important for a secure design because corner cases where the device is not
reliable can be used for exploits. Interaction between hardware and software in complex
concurrent structures is important for security. Embedded systems are smaller and simpler, yet
SoCs commonly include powerful multi-core processors, several peripherals, memories and so on.
Hardware/firmware design can explicitly try to address the security of such systems from the
beginning of their design. For instance, Intel Integrated Sensor Solution tries to identify a
secure platform for sensing IoT multi-core boards. Providing secured and verified hardware
primitives for concurrent programming and handling peripherals is useful for security.
Finally, there are some examples of designs that represent a first, partial attempt to design
for Trust. For example, Google Nexus phones can be turned into developer phones by unlocking
the bootloader (which voids the warranty). On such developer phones it is possible to install
custom images. Nokia Maemo phones also provided a similar developer mode: once started
with an unsigned image the phone still booted, but some (DRM) features were no longer
available. However, those approaches give control to the user at the cost of a very
reduced security level.
3.4 Competences and expertise
The Ph.D. is clearly ambitious, and deals with both hardware/software design and security/trust
issues. However, it will be co-advised by 2 advisers with previous experience in these topics.
Aurelien Francillon will advise the Ph.D. He is an assistant professor in the digital security
department at EURECOM. Together with Davide Balzarotti he is heading the Software and
System Security (S3) group. He obtained a PhD from INRIA Grenoble and was a postdoctoral
researcher in the System Security Group at ETH Zurich. His main scientific interests are in
security of embedded systems as well as software security and network security. He has been
working on trusted computing for embedded systems security for the past 10 years and was one
of the authors of the SMART paper.
Ludovic Apvrille will co-advise the Ph.D. student. He leads the LabSoC group. His main
research interest lies in the design and analysis of safe and secure complex embedded systems.
In particular, he is part of research projects involving the security of mobile devices (he
participated in the recent discovery of 15 totally unknown Android malware), and leads a
research grant on the security, and its impact on safety, of autonomous and connected vehicles.
His scientific contributions in the security and safety domains are around models and
verification techniques. Last but not least, he is the leader of the SysML-Sec environment.
Thus, both advisers have expertise in hardware architectures, embedded systems verification
and software/system security, as demonstrated by several of their recent publications 4.
3.5 Ph.D. Candidate
Mr. Giovanni Camurati is a student in the double-diploma polito-Telecom ParisTech curriculum.
He is ranked among the top 5% of students (currently 1st of 156 Eurecom students). He obtained
excellent grades in all courses related to the Ph.D. (Operating Systems, System Security). He
demonstrated a very strong motivation for doing a PhD. He has already started to read papers in
the field of the proposal. Last but not least, he will do his internship at ARM, thus further
enhancing his current expertise in hardware and low-level software concerns.
This proposal is based on a vision of trustworthy embedded devices, identifying the layer which
is still largely unexplored and that has room for big developments. This project is about
implementing a vision of a design philosophy, namely design for user trust. It is indeed very
ambitious as it aims at proposing a set of new solutions in a broad area with a systematic
analytic approach, exploring a large research and design space and not only a single issue. One
PhD position will certainly not exhaust possible activities, rather it serves as a starting
point to set up shared knowledge and expertise and to disseminate it in the academic and the
industrial environment.
3.7 International visibility
Both teams have well-established cooperative research actions with many academic partners in
the scope of security and trust. For example, Ludovic Apvrille recently participated in the
EVITA European project addressing the definition of a secure and trustable hardware/software
architecture for automotive systems. The results of this project have been embraced by several
automotive suppliers that now have products following the architecture proposition, e.g., the
AURIX solution from Infineon, or the SPC58NE84E7 from STMicroelectronics.
Aurelien has past collaborations on SMART with Gene Tsudik (University of California, Irvine)
and Kasper Rasmussen (Oxford University). Other collaborations are possible through existing
links, for example, with KU Leuven, TU Darmstadt and TU Graz, which are interested in
such topics. The CRYPTACUS COST Action (for which Aurelien Francillon is a Management
Committee member for France) can also be used for fostering collaborations and for funding
short-term scientific missions, as this thesis falls into the topics of interest of the COST
Action (in particular Work groups 1, 3 and 4).