C5: Security in Invasive Computing Systems

Principal Investigators:

Prof. F. Freiling, Prof. W. Schröder-Preikschat, in cooperation with Mercator Fellow Prof. I. Verbauwhede

Scientific Researchers:

Dr. T. Müller, R. de Clercq, J. Götzfried, P. Maene


Project C5 explores security aspects of invasive computing and resource-aware programming. Invasive MPSoC architectures will only be accepted if basic security properties are supported. The final goal is to ensure confidentiality, integrity, and availability in the presence of untrustworthy programs that compete for resources and/or can contain malicious functionality. This requires a comprehensive approach, addressing both hardware and software mechanisms. C5 is a new project established within the second fundung phase.


The scientific objective of C5 is to embed information flow protection into the invasive computing paradigm through all architectural design layers. Indeed, security and trust can only be provided if there is a chain of trust from the user application down to the hardware component. This concept has two aspects: there should be a correct execution of intended behaviour. But there should also be no loss of information through side-channels. This is specifically important for invasive computing since resource-aware programming offers a multitude of possibilities to convey information over unintended communication channels (side channels or covert channels over shared resources) between applications. The challenge lies in closing (or at least reducing the capacity) of all these channels even when applications share resources in an invasive computing architecture.

Security has a cost and no perfect security exists. Therefore, a critical measure with be the price of security. We will investigate which properties of an invasive platform benefit and which reduce security. As an example, invasion of resources is exclusive by default with run-to-completion semantics. Interestingly, this aspect supports information flow protection by default.

At the application level, we propose to embed information flow protection constraints into the language with which invasive programs formulate their claims. Information flow protection interacts with other requirements of the platform. For instance, stronger degrees of isolation imply more exclusive use of resources, which at the same time could also improve the predictability of execution. As another example, strong information flow protection might require processors at the border of an application to remain idle, and so security constraints can even be used to handle issues of dark silicon without additional performance penalty. We will investigate security requirements in relation with other requirements of invasive hardware.


The security investigation starts with an attack analysis. Our basic attacker model assumes that basic hardware and systems software are trustworthy, but that the code of invasive applications can be malicious at the level of the X10 programming language. As an example, we assume that Trojans can appear at the application software layer, but not at the hardware layer. The details of the attacker model together with the different levels of isolation will be studied in a separate work package. This again requires close cooperation with the other projects (especially the application projects D1 and D3).

Design for security requires a close interaction between hardware and software design. For instance, certain forms of memory protection can be enforced at compile time. In parallel, techniques to ensure security assuming arbitrary low-level application code (binary exploits) are explored. This is much more demanding and requires additional hardware support. The research challenge is to keep changes to hardware minimal, i.e. establish a provably minimal trusted computing base (TCB), and using the reconfigurability of an invasive architecture to establish this TCB dynamically when needed. The hardware aspects will be the main contribution of the Mercator fellow Ingrid Verbauwhede.

An important aspect of security is evaluation. The effectiveness of the proposed techniques will be analysed analytically as well as empirically by trying to construct covert channels on a real invasive multi-tile hardware architecture as prototyped in Z2. The cost of the different approaches will be compared to each other.


[1] Pieter Maene, Johannes Götzfried, Ruan de Clercq, Tilo Müller, Felix Freiling, and Ingrid Verbauwhede. Hardware-Based Trusted Computing Architectures for Isolation and Attestation. IEEE Transactions on Computers, PP(99):1–1, 2017. [ DOI ]
[2] Ruan de Clercq, Johannes Götzfried, David Übler, Pieter Maene, and Ingrid Verbauwhede. SOFIA: Software and Control Flow Integrity Architecture. Computers & Security, 68:16–35, 2017. [ DOI ]
[3] Johannes Götzfried, Moritz Eckert, Sebastian Schinzel, and Tilo Müller. Cache Attacks on Intel SGX. In Proceedings of the Tenth European Workshop on System Security (EuroSec'17). ACM, 2017. [ DOI | http ]
[4] Mykolai Protsenko. Securing the Android App Ecosystem: Obfuscation, Tamperproofing, and Malware detection. Dissertation, Department of Computer Science, Friedrich-Alexander-Universität Erlangen-Nürnberg, Germany, 2017.
[5] Gabor Drescher, Christoph Erhardt, Felix Freiling, Johannes Götzfried, Daniel Lohmann, Pieter Maene, Tilo Müller, Ingrid Verbauwhede, Andreas Weichslgartner, and Stefan Wildermann. Providing security on demand using invasive computing. it – Information Technology, 58(6):281–295, September 30, 2016. [ DOI ]
[6] Andreas Weichslgartner, Stefan Wildermann, Johannes Götzfried, Felix Freiling, Michael Glaß, and Jürgen Teich. Design-time/run-time mapping of security-critical applications in heterogeneous mpsocs. In Proceedings of the 19th International Workshop on Software and Compilers for Embedded Systems (SCOPES), pages 153–162. ACM, May 23, 2016. [ DOI ]
[7] Ruan de Clercq, Ronald de Keulenaer, Bart Coppens, Bohan Yang, Pieter Maene, Koen de Bosschere, Bart Preneel, Bjorn de Sutter, and Ingrid Verbauwhede. SOFIA: Software and Control Flow Integrity Architecture. In 2016 Design, Automation Test in Europe Conference Exhibition (DATE), pages 1172–1177. IEEE, 2016.
[8] Johannes Götzfried, Nico Dörr, Ralph Palutke, and Tilo Müller. HyperCrypt: Hypervisor-based Encryption of Kernel and User Space. In SBA Research, editor, 11th International Conference on Availability, Reliability and Security (ARES'16). IEEE, 2016. [ http ]
[9] Lars Richter, Johannes Götzfried, and Tilo Müller. Isolating Operating System Components with Intel SGX. In 1st Workshop on System Software for Trusted Execution (SysTEX'16). ACM, 2016. [ DOI | http ]
[10] Johannes Götzfried, Tilo Müller, Gabor Drescher, Stefan Nürnberger, and Michael Backes. RamCrypt: Kernel-based Address Space Encryption for User-mode Processes. In 11th ACM Asia Conference on Computer and Communications Security (ASAICCS), Special Interest Group on Security, Audit and Control (SIGSAC). ACM, 2016. [ DOI | http ]
[11] Furkan Turan, Ruan de Clercq, Pieter Maene, Oscar Reparaz, and Ingrid Verbauwhede. Hardware Acceleration of a Software-based VPN. In 26th International Conference on Field Programmable Logic and Applications (FPL'16), pages 1–9. IEEE, 2016. [ DOI ]
[12] Alexander Würstlein, Michael Gernoth, Johannes Götzfried, and Tilo Müller. Exzess: Hardware-based RAM Encryption against Physical Memory Disclosure. In Architecture of Computing Systems (ARCS'16). Springer, 2016. [ DOI | http ]
[13] Michael Gruhn. Forensically Sound Data Acquisition in the Age of Anti-Forensic Innocence. Dissertation, Department of Computer Science, Friedrich-Alexander-Universität Erlangen-Nürnberg, Germany, 2016.
[14] Maxim Anikeev, Felix Freiling, Johannes Götzfried, and Tilo Müller. Secure garbage collection: Preventing malicious data harvesting from deallocated java objects inside the dalvik vm. In Journal of Information Security and Applications, pages 81–86, Amsterdam, 2015. Elsevier. [ DOI ]
[15] Johannes Götzfried, Tilo Müller, Ruan de Clercq, Pieter Maene, Felix Freiling, and Ingrid Verbauwhede. Soteria: Offline software protection within low-cost embedded devices. In Proceedings of the 31th Annual Computer Security Applications Conference (ACSAC'15), pages 241–250. ACM, 2015. [ DOI | http ]
[16] Christopher Kugler and Tilo Müller. Separated control and data stacks to mitigate buffer overflow exploits. In Endorsed Transactions on Security and Safety, pages 1–36. European Alliance for Innovation (EAI), Institute for Computer Sciences, Social Informatics and Telecommunications Engineering (ICST), 2015.
[17] Pieter Maene and Ingrid Verbauwhede. Single-cycle implementations of block ciphers. In Lightweight Cryptography for Security and Privacy, Lecture Notes in Computer Science. Springer-Verlag, 2015.
[18] Maximilian Seitzer, Michael Gruhn, and Tilo Müller. A bytecode interpreter for secure program execution in untrusted main memory. In 20th European Symposium on Research in Computer Security (ESORICS'15), pages 376–395. SBA Research, 2015.
[19] R. de Clercq, F. Piessens, D. Schellekens, and I. Verbauwhede. Secure interrupts on low-end microcontrollers. In IEEE 25th International Conference on Application-specific Systems, Architectures and Processors (ASAP), pages 147–152, June 2014. [ DOI ]
[20] Felix Freiling, Mykola Protsenko, and Yan Zhuang. An empirical evaluation of software obfuscation techniques applied to android apks. In Jingqiang Lin and Tilo Müller, editors, International Workshop on Data Protection in Mobile and Pervasive Computing, 2014.
[21] Johannes Götzfried and Tilo Müller. Mutual authentication and trust bootstrapping towards secure disk encryption. In Transactions on Information and System Security (TISSEC), volume 17, New York, 2014. [ DOI | http ]
[22] Christopher Kugler and Tilo Müller. Scads: Separated control- and data-stacks (best student paper award). In Social Informatics ICST (The Institute for Computer Sciences and Telecommunications Engineering), editors, 10th International Conference on Security and Privacy in Communication Networks, 2014. [ .pdf ]