Security of Embedded Systems (SEC)
Research in the Security (SEC) group spans two areas vital to the security of decentralized and embedded systems, and has its center of gravity in the intersection of these areas. The two areas are security policy specification & enforcement and security of embedded systems.
Policy Specification and Enforcement. While the Internet allows for a free exchange of data, the security boundaries needed to guarantee privacy and confidentiality have become the main obstacle to flexible cooperation within and between (virtual) organizations.
The classical preventive access control mechanisms cannot cope with heterogeneous distributed systems and they have to be at least partially replaced by more elaborate trust management and compliance control systems. This is where SEC expertise lies: in the specification and implementation of policies for distributed systems.
Securing networked embedded systems is particularly challenging because of their lack of computational and physical resources. In this area, SEC focuses presently on the security of mobile (e.g. smart-card based) systems; for instance in the PinpasJC project we are studying side channel attacks on smart cards.
One of the challenges that embedded devices face is secure key storage. This issue is addressed by SEC's research on Physical Unclonable Functions, a novel approach based on the extraction of randomness from the physical components of the device itself. Also in this area and closely linked to coding and crypto we have the project PinpasJC (on the analysis of smart card algorithms to identify possible side-channel attacks).
These areas overlap to a great extent and their intersection forms the core of SEC's research: compliance control for distributed and embedded systems. SEC's approach is to start from a concrete security problem and solve it by addressing the fundamental issues behind it. SEC's strength lies precisely in the ability to understand deeply both the user's concern as well as the theory behind it.