CPI Spotlight: Physics-based Cybersecurity & Graduate Research

Wednesday, January 24, 2024
Murray Dunne
Cameron Hadfield

Written by: E. George McCutcheon

In the rapidly evolving landscape of computer science, the fascinating realm of embedded security is the research focal point for two University of Waterloo graduate students and Cybersecurity & Privacy Institute members, Murray Dunne and Cameron Hadfield. Murray, currently immersed in his PhD in Computer Science (CS), and Cameron, a recent graduate from Waterloo's Computer Science program pursuing a Masters in Electrical and Computer Engineering (ECE), share their insights into this multifaceted field and their academic journeys.

Dunne's entry into the world of computer science commenced in middle school, sparked by the allure of video games. He quickly pivoted into being interested in robotics and embedded systems, although he still harbors a fondness for computer graphics, noting that the ability to make a computer induce phenomena in the real world “will never stop being fascinating”. After completing his undergraduate studies in Computer Science at the University of Victoria in British Columbia, Murray continued his educational journey at the University of Waterloo, where he obtained his Masters and is currently pursuing his PhD. The unexpected turn towards a doctoral program unfolded during the final year of his Masters when the opportunity to teach undergraduate courses in Computer Science presented itself. Intrigued by the prospect of lecturing, Murray engaged in a discussion with his supervisor, Professor Sebastian Fischmeister, ultimately leading to his commitment to his PhD and the instruction of seven classes.

Murray's research focuses on the tiny perturbations in power consumption measurements and how they reveal information about the internal program execution of embedded devices. He is interested in observing and quantifying these phenomena to determine more accurately the relationships between branch instructions and power consumption in black-box environments. He notes that he enjoys the empirical side of computer science, where the results of experiments are analyzed and evaluated, more akin to traditional sciences. His research is motivated by the process of learning more about our world and protecting it, adding that the adversarial nature of security research brings an additional layer of challenge and intrigue to his work.

Cameron's interest in computers and security traces back to his high school years, mostly spurred on by portrayals of 'hacking' in TV and video games. This interest grew with his participation in the CyberTitan cybersecurity competition, guided by his then secondary school tech teacher Tim King, who played a pivotal role. Placing seventh nationally in the competition, Cameron gained a profound appreciation for the importance of computer security. Reflecting on CyberTitan, Hadfield praises the program as a brilliant initiative, expressing pride in having participated in it, as well as the support it receives at CPI.

In collaboration with Dunne, Hadfield's research focuses on the security of safety-critical systems, particularly vulnerability detection. The duo employs conventional software testing methods, specifically fuzz testing, to induce unexpected or undefined behavior in these systems. Their project utilizes power consumption as a side channel to detect system activity, relying on the principle that the machine should consume more power when actively processing information. Unexpected spikes in power consumption signal potential vulnerabilities, leading to the identification of previously unnoticed behaviors. The collaboration between fuzz testing and powertrace monitoring in their research aims to uncover potential weaknesses in systems, especially along the supply chain.
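The principle described above, as an added example that is not the researchers' code or the SIVUS tool: the energy of power traces captured for known-good inputs forms a baseline, and fuzz inputs whose traces show far more energy are flagged for review. The traces, the input labels, and the median/MAD scoring with a 3.5 threshold are assumptions chosen for illustration.

```python
# Added illustration: flag fuzz inputs whose power trace deviates from a
# known-good baseline. All traces and input labels are constructed sample
# data, not measurements from any real device.
from statistics import median

def synth_trace(active, phase, length=40):
    """Constructed trace (mW): ~10 when idle, ~30 for `active` samples of work."""
    return [(30.0 if 5 <= i < 5 + active else 10.0) + 0.1 * ((i + phase) % 5)
            for i in range(length)]

def energy(trace):
    """Energy proxy: sum of the power samples over the capture window."""
    return sum(trace)

def baseline_stats(traces):
    """Robust centre and spread (median, MAD) of energy over known-good runs."""
    energies = [energy(t) for t in traces]
    med = median(energies)
    mad = median(abs(e - med) for e in energies)
    return med, max(mad, 1e-9)  # avoid dividing by zero on a flat baseline

def flag_anomalies(baseline, fuzz_runs, threshold=3.5):
    """Return (input, score) for runs whose modified z-score exceeds threshold."""
    med, mad = baseline_stats(baseline)
    flagged = []
    for fuzz_input, trace in fuzz_runs.items():
        score = 0.6745 * (energy(trace) - med) / mad
        if score > threshold:  # only unexpected extra work is flagged here
            flagged.append((fuzz_input, round(score, 2)))
    return flagged

# Known-good runs: the device does 8 to 10 samples' worth of work per command.
BASELINE = [synth_trace(a, p) for p, a in enumerate([8, 9, 10, 9, 8, 10, 9])]

# Fuzz runs keyed by the (hypothetical) input bytes in hex; "a5a5" keeps the
# device busy for 25 samples, far longer than any documented command.
FUZZ_RUNS = {
    "0100": synth_trace(9, 0),
    "01ff": synth_trace(10, 1),
    "7f00": synth_trace(8, 2),
    "a5a5": synth_trace(25, 3),
    "0200": synth_trace(9, 4),
}

if __name__ == "__main__":
    for fuzz_input, score in flag_anomalies(BASELINE, FUZZ_RUNS):
        print(f"input {fuzz_input}: modified z-score {score}, review this code path")
```

A flagged input is only a lead: it tells the engineer which input to replay and inspect, not what the device was doing.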

One of the things I like as a researcher in physics-based cybersecurity is the specifics of the physics-based part of it. Much of cybersecurity research focuses on the analysis of software and software patterns and the construction of code and interactions between systems on a networking or software level, but physics-based cybersecurity takes cybersecurity a bit out of the analytical realm, and a lot more into the empirical realm. Instead of studying something by looking at how it works, you are studying the phenomena that are a result of what it produces. So, it turns computer science back into almost a natural science for a little while, which I think is incredibly fun.

Murray Dunne - on why physics-based cybersecurity research is intriguing

The critical nature of supply chain security becomes evident as Cameron emphasizes the importance of trust within the supply chain journey. As systems and components are often built with parts from all over the globe, with those parts making myriad stops along the supply chain before coming together in a final form, there are significant opportunities for malicious actors to affect these parts in multiple ways. Additionally, the quality and efficacy of these parts may also be affected by improperly sourced materials and production. In military applications, for example, consistent trust becomes challenging due to the involvement of various entities in the process, with the ramifications of compromised or unreliable parts being dire. Cameron draws parallels to scenarios where malicious actors might introduce backdoors into systems, emphasizing the need for rigorous security measures in safety-critical systems, where the consequences include public infrastructure safety issues and catastrophic failures in modes of transportation.

The research aims to provide a pre-emptive approach by running analyses in a bench environment before the system gets installed. Engineers can ensure that the power consumption aligns with expectations, verifying the integrity of the components and their responses to network commands. Cameron sheds light on the objective of their research, which is to detect changes in the software domain. These changes could result from the replacement of components, intentional or unintentional, during the supply chain journey. Detecting these changes becomes crucial, especially in safety-critical systems, where a compromised component could have severe consequences. In terms that relate to the general public, Cameron and Murray both went to great lengths in explaining the real-world impacts of their research.

For me the aspects of supply chain security are interesting and important because at some point down that line, you have to be trusting someone, it is unavoidable. If your cellphone gets hacked, that’s not great, but you’ll probably survive it. Safety-critical systems are called safety-critical for a reason; if they are compromised, it is catastrophic. The story is different and it's grim, but it's the reality.

Cameron Hadfield - on why this is critical research and how it will benefit not only industry partners but the common good as well

For example, our electrical power grid comprises multiple installations across North America, all of which are made up of systems that contain thousands of individual components. These components are vulnerable to attack, and they must also be capable of performing their purpose consistently. Their research technology provides an opportunity for every component to be tested for vulnerabilities, as well as ensuring their quality and desired performance. As the supply chain journey can have multiple stops along the way, this testing technology may be utilized at any of these stops, further helping to zero in on when and where problems have occurred.

Both researchers discussed the growing field of physics-based cybersecurity measures and shared their enthusiasm for its empirical nature. They contrast it with traditional cybersecurity research that focuses on software analysis and code construction. Physics-based cybersecurity shifts the focus from analytical approaches to empirical studies, treating computer science more like a natural science. They find this shift intriguing and note that computer science has been moving towards natural sciences in recent years, particularly with the rise of machine learning, as studying those systems often takes the form of treating them like natural systems and looking at the results.

Both Murray and Cameron expressed gratitude for the unwavering support of their supervisor, Professor Sebastian Fischmeister, acknowledging the pivotal role he has played in fostering a supportive and encouraging research environment. Prof. Fischmeister’s belief in his students' capabilities promotes their exploration of new ideas and the opportunity to delve deeply into embedded security research.

As part of CPI’s 2023 Annual Conference, a poster competition took place, where Murray and Cameron’s entry, entitled “SIVUS: System Backdoor Discovery by Combining Fuzz Testing and Powertrace Monitoring”, won 1st place and garnered them a $1,000 scholarship, funded by CPI sponsors MasterCard Canada and BlackBerry.

Outside the research narratives, Murray and Cameron stress the need for a broader understanding of cybersecurity in education. Murray emphasizes the necessity of introducing the basics of cybersecurity and privacy into high school curricula, if not earlier. He believes that exposing students to the concept of cybersecurity not only helps them protect themselves, but makes it a viable career option, which also addresses the growing demand for skilled professionals in the field.

They both shared their thoughts on motivating others to pursue undergraduate and graduate level studies in the cybersecurity and privacy field, highlighting the importance of supportive supervisors, increased financial support, and proactive outreach from professors and academic institutions. Murray envisions a scenario where schools actively recruit individuals for cybersecurity and privacy studies, fostering a greater interest and understanding among students at grade school through to the post-secondary levels.

The research journey undertaken by Murray Dunne and Cameron Hadfield in the realm of embedded security underlines the intersection of computer science, cybersecurity, and the imperative need for securing safety-critical systems. Beyond their research endeavors, they emphasize the importance of integrating cybersecurity education into high school curricula to cultivate an early interest in the field, coupled with increased financial support, proactive outreach, and supportive mentors contributing to a holistic approach that encourages future students to pursue cybersecurity and privacy studies.