Cryptographic libraries support security features in modern software applications. These libraries commonly implement cryptographic functionality such as pseudo-random number generation, key generation, symmetric and asymmetric key cryptography and data signing. Various cryptographic library implementations differ in their functionality, their use of hardware instructions, resistance to side-channel attacks, and implementation efficiency. Researchers have proposed approaches to provide further security guarantees for cryptographic libraries to protect the cryptographic material in use. Such approaches include storing the cryptographic libraries and cryptographic material in Trusted Execution Environments (TEEs), one notable example being Intel Software Guards Extensions (SGX). However, recent research results show that TEEs are susceptible to side-channel attacks. This indicates that data confidentiality is not automatically guaranteed by merely porting code and data to a TEE.
Within the framework of the ASCLEPIOS project, the Security Lab at RISE SICS is working on improving the security of cryptographic credentials in use. This is done by enforcing the use of cryptographic credentials according to a matching policy and by selecting among several implementations the one that provides the highest available confidentiality and integrity protection. This approach allows to adjust the protection level according to policies issued by the cryptographic material owner. Furthermore, it helps balance performance and security requirements towards the cryptographic functionality on a platform
The thesis consists of the following items:
- Review known side-channel attacks against Software Guard Extensions enclaves and identify known mitigations applicable to commodity cryptographic libraries.
- Implement a policy mechanism for cryptographic material control.
- Describe a detailed implementation design.
- Implement the selected design approach and evaluate its security and performance.
- Provide a written report on the findings.
Implementation will be carried out on x86 platforms, using Intel Software Guard Extensions.
The master project will be done at RISE SICS and will be supervised by researchers at RISE SICS.
A successful project can lead to:
- a valuable open-source contribution;
- a peer-reviewed publication presented at a prestigious conference or workshop.
We are looking for one or two ambitious MSc students in Kista or Lund (alternatively working remotely from other locations) who meet the following requirements:
- Knowledge in C (advanced skills are a bonus)
- Interest in performance evaluation
- Interest in isolated execution environments
- Good spoken and written English
Applications should include a brief personal letter, your CV with your education, professional experience and specific skills and recent grades. In your application, make sure to give examples of previous programming or other projects that you consider relevant for the position. Candidates are encouraged to send in their application as soon as possible, via the "Apply now" button. Suitable applicants will be interviewed on a rolling basis.