Motivation
Successful digitization of the economy and society relies on computer systems that also meet security and privacy requirements such as trustworthiness, integrity, and authenticity. However, this is a significant challenge because computing devices are very diverse, ranging from resource-constrained devices such as smart devices in the Internet of Things (IoT) to powerful general-purpose PCs and cloud servers.
Moreover, new attack methods are constantly being developed and existing ones improved. Side-channel attacks are among the more sophisticated, research-driven attacks: they are mounted during program execution and analyze measurement data recorded from hardware platforms, such as execution time, power consumption, or electromagnetic emanation. If a cryptographic device is successfully attacked, this analysis can lead to complete exposure of cryptographic keys and other secret parameters. Side-channel attacks usually proceed very inconspicuously, even remotely, and are rarely noticed, both because of their passive nature and because many companies and users lack expertise in this area.
Goals and Approach
The goal of our project “Developer-centric Tools for Side-Channel Analysis – DevToSCA” is to investigate automated methods for testing the side-channel resistance of applications during software development and deployment, reducing their complexity, and building expertise in security testing. So that developers of specific applications can use the new testing methods, the methods are integrated into user-friendly testing and reporting tools that inform software developers about the side-channel vulnerabilities found. Furthermore, the tools are extended to different target platforms and to self-test tools for self-monitoring during the operation of the systems.
Innovations and Perspectives
The project lays the foundation for novel verification tools that can be used during application development and for self-testing during operation. Accordingly, the project is highly innovative, and there are diverse possibilities for further exploitation and follow-up work. The results of the project will be provided as open-source software, so that professional software developers in particular can benefit from them. Thus, the project makes an important contribution to increasing IT security for future developments.