Position on Static Side-Channel Analysis (Ph.D./PostDoc)
Topic
When secret data is used by programs, there is a danger that this results in information leakage via side channels. Execution characteristics (e.g., running time or power consumption) might provide attackers with information that enables them, for instance, to learn a cryptographic key directly or in combination with a feasible brute-force attack. Meltdown, Spectre, and Platypus are prominent examples of such side-channel vulnerabilities.
In a side-channel attack, an attacker observes characteristics of a program run (e.g., the duration of the run) and exploits these observations to deduce secrets (e.g., cryptographic keys). Such attacks target concrete implementations and might succeed even against programs whose underlying algorithm was proven to be secure. Formal models and static program analyses enable the derivation of reliable guarantees of how much information could be leaked at most via a side channel during a run of a given program. Experiments, including proof-of-concept attacks, can be used to demonstrate the seriousness of side-channel vulnerabilities.
Our overall goal in this project is to create a framework for detecting side-channel vulnerabilities in cryptographic implementations. In addition, we develop qualitative and quantitative program analysis techniques that enable engineers to systematically assess the seriousness of detected vulnerabilities. We complement our static analysis techniques by distinguishing experiments to demonstrate the seriousness of vulnerabilities and to validate the precision of our static analyses. Moreover, we aim at increasing the trustworthiness of cryptographic implementations by an informed use of mitigation techniques and by engineering techniques.
The Position
In this position, you will contribute to detecting side-channel vulnerabilities, understanding their severity, mitigating them, and/or avoiding them by construction. Three complementary research directions are possible that fit different backgrounds and interests:
Your research could focus on the side-channel security of state-of-the-art implementations of post-quantum cryptography (or implementations of cryptographic algorithms from some other domain). In this direction, you would use and improve combinations of static program analysis and distinguishing experiments to assess and improve the side-channel resistance of cryptographic implementations.
Alternatively, your research could focus on quantitative formal models for capturing varying degrees of confidentiality and on quantitative program analyses for deriving such quantitative security guarantees while taking micro-architectural features of the underlying execution platform into account. In this direction, you could build on our prior foundational research and our tool development (including multiple variants of the tools SideChannelFinder and CacheAudit).
Finally, your research could focus on demonstrating the seriousness of side-channel vulnerabilities by the feasibility of exploits and on developing construction principles whose application ensures that side-channel vulnerabilities are avoided proactively when engineering security-critical systems. You could build on our prior research on distinguishing experiments for timing side channels and for software-based energy side channels.
This position is associated with the project "Secure Refinement of Cryptographic Algorithms" in the DFG CRC CROSSING.
Prior Skills and Experiences
You should
be competent in at least one of the following areas: static program analysis, side-channel attacks/vulnerabilities/analyses, cryptography, other aspects of IT security, and
be interested in pushing forward side-channel security.
If you want to focus on theoretical aspects in your research, you should, in addition, be competent in formal methods, mathematical logic, information theory, or statistics.
If you want to focus on practical aspects, you should, in addition, be competent in tool development, using theorem provers, or experimental evaluations.
Moreover, you should be highly motivated to tackle challenging research problems, to produce innovative insights and tools, to strive for international visibility as a researcher, and be open-minded.
You need good language skills in English (writing and speaking). Prior knowledge of the German language is not expected, but you should be willing to obtain basic skills within a year.
Candidates for a postdoc position should have a publication record on side channels or static program analysis.
For a Ph.D. position, you should have an M.Sc. in Computer Science, Mathematics, or Electrical Engineering or be about to graduate within a few months.
For a postdoc position, you should hold a Ph.D. or have completed all requirements for your Ph.D. upon start of employment.
For a postdoc position, you must have demonstrated your ability to perform research at an internationally competitive level by multiple reviewed publications.
Please submit your application to contact@mais.informatik.tu-darmstadt.de, attaching your application package as PDF file(s).
Your application package should include
your detailed CV,
a letter explaining your motivation for the specific position and outlining relevant prior work and experiences,
for each of your degrees, complete transcripts (including certificates of degrees, lists of courses, and individual grades), and
all theses or final projects that you have completed for your degrees (even if not in English or German).
If you are applying for a postdoc or senior-researcher position, you should include in addition
a complete list of publications,
up to three selected publications, and
if possible, up to three references whom we may contact for letters of recommendation
and establish in your motivation letter a connection to some of our publications (after reading them in detail).
TU Darmstadt is one of Germany's top technical universities with an outstanding reputation in research and education in Computer Science. TU Darmstadt is an equal opportunities employer and encourages applications from women. In case of equal qualifications, applicants with a degree of disability of at least 50% will be given preference.
The chair MAIS is led by Prof. Dr. Heiko Mantel. The overall goal of MAIS is to increase the trustworthiness and reliability of software-based systems. The working language at the chair is English.