My employees were nice enough to come up with three questions, allowing me to share some of my insight into security and cryptography. At least, I hope I have some insight 😉 I give some bio stuff at the end to get an idea of my background. Also, here is an interview I recently gave to Rajapinta. Anyway, on with the questions!
Worldwide, it seems that there is an ever increasing demand for crypto- and security-related products and experts in every aspect of society, for consumers’ products, in companies, in the military and in all kind of infrastructures. Tampere aims to be the first digital smart city in Finland, and Finland used to be among the leading countries when it came down to research and development in these fields. Yet it seems that recently there has been a downward trend on the number of research groups and projects on these topics in the Finnish academic world. Why do you think this happened and how do you think it will evolve?
Maybe 12 years ago, when I was still an MSc student at Aalto (then HUT) I worked for the Interconnected Broadband Home Networks (InHoNets) project; the main PI for the consortium was Prof. Jarmo Harju (who went on to recruit me in my current position roughly 8 years later). I remember as part of one of the project meetings we visited Tampere, and toured an NRC “smart apartment”. It seemed so crazy at the time — like The Jetsons.
Trusted Execution Environments (TEE) are a buzzword over the past few years. But Nokia had commercial TEEs and trusted applications even in their feature phones long before smartphones even existed.
My point is, Finland is often ahead of it’s time with technology. Somehow this small country experiences hyper evolution when it comes to new technologies — take for example mobile phone adoption and coverage. It’s a good and bad thing to be ahead of the curve. When you look at worldwide research trends, in Finland you sometimes get the feeling “we did that last decade”. But when you see disruptive technology, and your research in Finland is already one or two generations ahead, it can be a crushing blow.
When I finished my BSc in 2002, I couldn’t land a security-related job. So I went to graduate school instead. Now, the market demand for security experts is ridiculous. It also means it’s that much harder to keep talented people in academia. Couple that with nationwide budget cuts to research funding, and it’s a bad situation that I personally feel explains the current trend. And I don’t know how to fix that. My advice to those unsure whether to take the academic or industry path: industry simply cannot match the freedom you get in academia. I’ve experienced it firsthand.
What would you say to motivate students to focus their interests on your field of study, especially considering that in general people associate Cryptography with crazy scientists working on obscure and hard math problems?
When I was in industry working in product security, we hired an awful lot of cryptographers. Yet we did surprisingly little crypto. I always say that’s because cryptographers understand threat modeling extremely well, which has wide applications in security as a whole.
So to me, crypto is less about obscure math, but instead about being able to think deviously. So kids, study cryptography: get paid to think and act like a criminal.
In the aftermath of the Meltdown and Spectre attacks, considering their impact on the press, on the stock market and in the ongoing process of mitigating their impact at different levels, what is your opinion on the role of research on the field of microarchitectural side-channel attacks in the past and in the future, when it comes down to the design and the production of consumer electronics?
Security always has and always will be a second class concept when it comes to design, whether it be software or hardware. At the uarch level, it’s even worse; mitigations negatively impact performance, which is really the whole point of uarch optimizations. Some journalist will take your chip vs your competitor’s chip, run some benchmarks, and throw some bar graphs on Twitter. Try explaining in 140 characters or less why it’s OK your’s performed 10% worse, but has e.g. a secure caching mechanism 🙂
My bold prediction: over the next decade or so, we’ll start to see more wide-spread exploitation of uarch side-channels in the wild. Low-hanging traditional software defects are getting rarer and harder to exploit for many reasons — for example, software quality improvements from fuzz testing. Attackers will adapt and start utilizing these more advanced uarch techniques.
So I see the role of research in uarch side-channels as only increasing in the near future.