In this theme we investigate the design of new hardware and software platform security techniques as well as the use of current, widely deployed platform security techniques to secure applications and services. Our work spans all classes of systems, from small embedded devices through to cloud platforms.

Our current work focuses on functionality that can be incorporated into CPUs and compilers to protect data in memory from a attackers. PACStack protects the return address stack from an attacker exploiting vulnerabilities in the same process using ARM’s Pointer Authentication, and similar techniques can be used to protect other data stored in memory. For even greater security, BliMe protects users’ data when it is being processed using cloud services, even if the software on the other end is vulnerable or outright malicious.

Our work began more than a decade ago in the On-board Credentials project, in collaboration with Nokia Research Center which developed framework that allowed any developer to securely make use of hardware-assisted “trusted execution environments” (TEEs) that were already widely deployed in mobile devices. This work led to two Aalto doctoral dissertations as well as technology that was deployed in Nokia smartphones. Our work on making TEE application development easy resulted on Open-TEE, which is used by developers in several companies.

Resource-constrained and mobile computing devices are becoming increasingly prevalent, especially in the Internet of Things (IoT), and are thus becoming attractive targets for attack. In the Hardware-assisted Runtime Protection (HARP)  project, we study and develop technologies to harden these classes of devices against modern security threats. For example, we have investigated how to detect and mitigate run-time attacks against embedded devices. It is also important to consider the full life-cycle of IoT devices, from initial deployment, through normal operation and possibly change of ownership, through to device disposal, which was the focus of our SELIoT project. For a more general overview, we have written Hardware Platform Security for Mobile Devices detailing the wider usage of hardware platform security for mobile devices.

At the other end of the spectrum, our work in the Cloud-assisted Security Services (CloSer) project identifies and solves the critical security and privacy problems that arise when using cloud services, and specifically delivering security services via the cloud.

In terms of applications, our SafeKeeper project uses off-the-shelf Trusted Execution Environments (TEEs), like Intel SGX, to protect web passwords. In previous projects, we have investigated approaches for Linux kernel hardening and SEAndroid analysis.

Our platform security research has also supporeds other research themes and projects, including our work on scalable distributed systems in the Blockchain Consensus & Beyond (BCon) project, and various aspects of our work in the Intel Research Institute for Collaborative Autonomous and Resilient Systems (CARS).

Here is a 2018 poster depicting our platform security research over the years in a nutshell.