Security Group

TAMPER Laboratory

The TAMPER (Tamper And Monitoring Protection Engineering Research) Lab at the University of Cambridge Computer Laboratory focuses on the hardware aspects of computer and communication security.

Experience shows that the most commonly exploited vulnerabilities in modern information security systems result from implementation defects, user errors and poorly understood characteristics of computer hardware. Hardware security is a particularly neglected field.

Hardware vendors have often made claims about the tamper resistance or even the correct functioning of their products which turned out to be unjustified, and the lack of published information about attack techniques made it difficult for customers to evaluate their claims. This has led to widespread and expensive security failures in applications such as pay-TV. Yet we see the designers of newly fielded systems making the mistakes over and over again.

Research in hardware security requires a broad range of capabilities. This includes not only classical cryptography and computer security know-how, but also expertise in physics, chemistry, material sciences, microelectronics, communication systems and signal processing. It often requires the construction of specialised equipment, and it usually takes some practice to acquire laboratory skills - especially where attacks involve techniques such as microprobing silicon chips, analysing unintended radio frequency emanations or the disassembly of software.

The TAMPER lab consists of faculty members and research students from the Security, Systems, Programming, and Graphics Groups in the Computer Laboratory; it also includes, cooperates with, or stays in close contact with interested researchers of other university departments such as Materials Science and Chemical Engineering. We are sponsored by local and international industry, including chip makers, test equipment vendors and laboratories specialising in semiconductor analysis and electromagnetic interference.

In the TAMPER Lab, we study existing security products, document how they have been penetrated in the past, develop new attack techniques, and try to forecast how newly available technologies will make it easier to bypass hardware security mechanisms. We then develop and evaluate new countermeasures and assist industrial designers in staying ahead of the game, most of all by giving them an advanced understanding of which attack techniques are most dangerous. We are especially interested in protection systems for mass-market applications, and in forensic applications.

Our current primary research focus is on

• Compromising emanations: What can we learn from a system (whether an office PC or a smartcard) by studying the electromagnetic, optic, acoustic and other signals that it emits? How can we either suppress the information leakage, or (if we are the attacker) covertly broadcast secrets over large distances?
• Smartcard security: How can we extract software from a security processor or otherwise reconstruct cryptographic keys stored in it? This may involve invasive techniques where we depackage the chip package and use semiconductor test equipment to probe, modify and interfere with it; it may also involve non-invasive techniques such as monitoring electromagnetic leakage and inducing faults using power transients and similar techniques.
• Security composition: How do security mechanisms at different levels in a system interact? Can we design systems so that even if we have vulnerabilities in hardware, system software, cryptography and so on as a result of cost, legislative and market constraints, the available protection mechanisms reinforce each other rather than interacting in fatal ways?

We are also interested in biometrics, physical seals, signal remanence in storage media, and whatever other technologies come along that may be useful to attack, defence or both.

Selected Publications of TAMPER Lab Researchers

1. Sergei Skorobogatov: Local Heating Attacks on Flash Memory Devices. 2nd IEEE International Workshop on Hardware-Oriented Security and Trust (HOST-2009), 27 July 2009, San Francisco, CA, USA. IEEE Xplore, ISBN 978-1-4244-4804-3
2. Sergei Skorobogatov: Using Optical Emission Analysis for Estimating Contribution to Power Analysis. 6th Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC 2009), 06 September 2009, Lausanne, Switzerland. IEEE-CS Press, ISBN 978-0-7695-3824-2
3. Sergei Skorobogatov: Semi-invasive attacks – A new approach to hardware security analysis. Technical Report UCAM-CL-TR-630, University of Cambridge, Computer Laboratory, April 2005.
4. Markus G. Kuhn: Compromising emanations: eavesdropping risks of computer displays. Technical Report UCAM-CL-TR-577, University of Cambridge, Computer Laboratory, December 2003.
5. Sergei P. Skorobogatov, Ross J. Anderson: Optical Fault Induction Attacks, Cryptographic Hardware and Embedded Systems Workshop (CHES-2002), San Francisco, CA, USA, 13-15 August 2002 (slides)
6. Markus G. Kuhn: Optical Time-Domain Eavesdropping Risks of CRT Displays, Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, California, May 12-15, 2002. (FAQ)
7. David Samyde, Sergei Skorobogatov, Ross Anderson, Jean-Jacques Quisquater: On a New Way to Read Data from Memory, First International IEEE Security in Storage Workshop, 11 December 2002, Greenbelt Marriott, Maryland, USA.
8. Sergei Skorobogatov: Low temperature data remanence in static RAM, University of Cambridge, Computer Laboratory, Technical Report UCAM-CL-TR-536, June 2002.
9. Oliver Kömmerling, Markus G. Kuhn: Design Principles for Tamper-Resistant Smartcard Processors, USENIX Workshop on Smartcard Technology, Chicago, Illinois, USA, May 10-11, 1999. (slides)
10. Markus G. Kuhn, Ross J. Anderson: Soft Tempest: Hidden Data Transmission Using Electromagnetic Emanations, in David Aucsmith (Ed.): Information Hiding, Second International Workshop, IH'98, Portland, Oregon, USA, April 15-17, 1998, Proceedings, LNCS 1525, Springer-Verlag, ISBN 3-540-65386-4, pp 124-142.
11. Markus G. Kuhn: Cipher Instruction Search Attack on the Bus-Encryption Security Microcontroller DS5002FP. IEEE Transactions on Computers, Vol. 47, No. 10, October 1998, pp 1153-1157.
12. Ross J. Anderson, Markus G. Kuhn: Tamper Resistance - a Cautionary Note, The Second USENIX Workshop on Electronic Commerce Proceedings, Oakland, California, November 18-21, 1996, pp 1-11, ISBN 1-880446-83-9.
13. Ross J. Anderson, Markus G. Kuhn: Low Cost Attacks on Tamper Resistant Devices, in M. Lomas et al. (ed.): Security Protocols, 5th International Workshop, Paris, France, April 7-9, 1997, Proceedings, Springer LNCS 1361, pp 125-136, ISBN 3-540-64040-1.

Associated staff and their interests:

• Markus Kuhn — compromising emanations, power analysis, VLSI reverse engineering, smartcard security, conditional access and e-cash applications, bus-encryption processors, low-cost attacks, biometric identification
• Ross Anderson — system security, compromising electromagnetic emanations, smartcard security, applications in banking, prepayment metering, medical systems and digital tachographs
• Simon Moore — self-timed logic, design of custom processors
• John Daugman — iris recognition, biometric identification, pattern recognition
• Mark Blamire — applications of focussed ion beam technology

Post-doctoral researchers:

• Sergei Skorobogatov — microcontroller and memory security, data remanence, optical attacks, reverse engineering, NVM remanence, local heating attacks, optical emission analysis, physical tampering

Contact details

If you want to work with us or become one of our partners or corporate sponsors, please contact Dr Ross Anderson or Dr Markus Kuhn at the University of Cambridge, Computer Laboratory, 15 JJ Thomson Avenue, Cambridge CB3 0FD, United Kingdom, phone +44 1223 334733 or 334676, fax +44 1223 334678.