Research Group Critical and Extreme Security and Dependability (CritiX)

Research Statement

CritiX pursues excellence in research, with the right balance between science and technology. We study new theories and conduct proof-of-concept experiments. We always strive for our publications to describe our research as clearly as possible, and for our demonstrations to be convincing and captivating. We all rejoice when our research impacts the real world, because we believe science is made for others. You may learn more about our culture in the CritiX Research Book of Style.

Resilience of Cyber-Physical Systems Infrastructures and Control

Critical infrastructures such as the energy grid used to be highly isolated and mostly proprietary, and hence secure against most threats and reasonably robust against accidental faults. In recent years, however, their complexity has increased due to three main factors. First, the added computer and network machinery. Secondly, the mutation of control systems into cyber-physical systems (CPS), which has increased the likelihood of accidental computer-generated faults pervading the control system: a dependability problem. Thirdly, the fact that any of these vulnerabilities might be exploited with malicious intent: a security problem.

Stuxnet, a well-designed worm targeting CPS infrastructures, which was estimated to have impaired the operation of hundreds of networked controllers, is a real-world example of the risks at stake. The main subsystems at stake in CPS infrastructures are SCADA/DCS, which, specifically in energy grids as well as in autonomous vehicles, deserve our special attention.
In this sense, our aim is to investigate the use of techniques such as intrusion tolerance or Byzantine fault tolerance, as well as adaptation and self-healing mechanisms, in the demanding real-time and real-world context of CPS. The final purpose of our research is to achieve resilience, i.e. to resist advanced persistent threats, so that even if an attacker manages to access the system, they can do no harm, nor can they ever go further than the degree of fault tolerance we purposely allowed for.

Internet and Cloud Infrastructures Resilience

The Internet and the cloud have two main weak points in terms of security and dependability on which we focus our research: cloud computing (CC) and software-defined networking (SDN).

Cloud computing has been an extremely successful process and business model. Yet the dependence of the IT world on clouds is probably not yet matched by adequate levels of robustness. This is attested by the numerous publicly reported failures of cloud provider services, which have caused service and data loss as well as confidentiality leaks. Existing approaches (e.g., privileged or federated) provide only partial mitigations to this problem and require an ample margin of trust in the providers. Following the basic principles of design for resilience, our research here specifically draws from early advances in using the multi-cloud or cloud-of-clouds paradigm as a path to achieve resilience for cloud computing, leveraging the availability of multiple cloud environments to create diverse ecosystems. Such a vision obviously reiterates the need to resist advanced persistent threats with fault tolerance, in that the cloud infrastructure may be partially controlled by attackers and yet remain secure and dependable. Ransomware attacks like WannaCry in 2017 would have been much less effective had these paradigms been part of the industry standards.

Software-defined networking is another research interest of our group. SDN is an emerging paradigm that consists of the separation of the control plane from the data plane. Whilst centralising the control logic and offering network programmability are crucial elements of the value proposition of SDN, they also introduce serious security and dependability issues. In particular, they offer new fault and attack planes, which open the door to threats that did not exist before or were harder to exploit. An attack similar to Stuxnet could have dramatic consequences in a highly configurable and programmable, yet ill-protected, network. It is more than likely that such advanced persistent threats will be developed against SDNs if there is an opportunity for success. In this context, we plan to study approaches that treat the security and dependability of the SDN itself as first-class properties of future SDNs, built into their design and not bolted on. Avenues for such research include the security of control plane communications and controller resilience.

Security and Dependability of Embedded Components

Whilst the previous research interests are essentially architectural, there are several motivations for investigating trustworthiness at the component level, as any unexpected failure of a key component can cause the failure of an entire system. First, we focus on assessing and avoiding premature exhaustion failure. Secondly, many systems, especially CPS and VMMs, have unique components that serve as trusted computing bases without any particular measures to enforce that trust and, as such, can become single points of failure. Trusted components must be made trustworthy by both design and construction. There are, however, fragilities in the degree of trustworthiness of several key known components of secure systems that can undermine the confidence we place in those systems.

We investigate measures to ensure the security and dependability of embedded components against external attacks and, in particular, against subversion (RTEs, VMMs, etc.). When it comes to RTEs in the context of CPS-based infrastructures, we have a particular research interest in the problems of smart grid components. The VMM part of the equation is also particularly interesting, since a crucial assumption on which much of the cloud business relies is that hypervisors are tamper-proof, when in fact their imperfect coverage needs to be investigated in detail.