5 Jan 2018 Brussels - Two newly-discovered security flaws in computer processors, named Meltdown and Spectre, could allow unauthorised users to gain direct access to the heart of computer systems and steal personal data. The vulnerabilities were discovered by an international research team in which the Institute of Applied Information Processing and Communications at Graz University of Technology (TU Graz), Austria, played a central role. The EU's European Research Council (ERC) has been supporting this research project since 2016, to the tune of two million euro.
Professor Stefan Mangard, the ERC grantee who led the team at TU Graz involved in the Meltdown and Spectre discovery, said that the traditional way of designing processors places all the focus on performance and only on performance. We can compare it to cars. In the beginning, cars were just designed to be fast, but today safety is the main concern. However, when it comes to Central Processing Units (CPUs), we buy them because of their speed. In today's environment of increasing attacks on computer systems though, we need to accept security as a major design criterion. Stefan Mangard hopes the discovery of the Meltdown and Spectre flaws will trigger a new way of thinking about computer design.
The main idea of the ERC project is that one needs to design computer systems with security in mind from the beginning of the design process. Basic research is needed to achieve this; one needs to start at the very beginning and see how security can be brought into the design of computer systems. The discovery of these flaws confirms the premise of the proposal. In fact, the team was very surprised to discover these vulnerabilities in their own computers and did not expect them to be so severe. People were rather shocked - they couldn't believe that this was actually happening.
It is likely that there are more security issues. However, they are probably not as large in scale as this one. The reason is the current trade-off between performance and security. So far, all systems have been optimised for performance. But each time you optimise a CPU for performance, you potentially optimise against security. There were four research groups, including us at TU Graz, that found Meltdown and Spectre independently. It has been an ongoing process from mid-2017 until today. This research is highly relevant to modern IT challenges, and multiple parties are working in this area simultaneously. This is just the start: the team has opened the door, and there is more to come.
There is a huge trend in connecting everything. On the one hand, we have the centres that store all the data and, on the other, the nodes that are in the field and collect the information. Nodes can include smartphones and IT devices in cars. They have become more and more powerful, and they have processors that can now be attacked.
"An ERC grant is a great opportunity. It provides funding that gives you a lot of freedom in the research you do. I can hire a large group of people and I don't have to write reports every month. The ERC allows scientists like myself to really focus on our topics, but also to study on an ambitious and broad scale. This makes finding something ground-breaking more likely - you are prepared for a lucky discovery. In this sense the ERC is an enabler for researchers", stated Stefan Mangard.
Some 120 ERC-funded projects mention the discipline of "cryptography" in their abstract. Some of this work, like that of Professor Elisabeth Oswald of the University of Bristol, also uses the physical properties of devices, such as power consumption and electromagnetic emanation, to investigate how information leaks. Other projects, such as the project SPOOC, conducted by Steve Kremer from INRIA, France's National Institute for Research in Computer Science and Automatic Control, study how security protocols could one day allow us to perform delicate operations, like electing our political leaders, online. The 2013 Synergy Grant imPACT even analyses the intersection between cybersecurity, law, economics and society to develop tools to raise accountability and trust in the internet. Around 170 million euro have been awarded to ERC projects of this type.