PhD/2024

------------- JOB ANNOUNCEMENT -------------

POSITION TITLE
2 PhD Research fellow positions in Embedded Security

TELECOM PARIS

Télécom Paris, a school of the IMT (Institut Mines-Télécom) and a founding member of the Institut Polytechnique de Paris, is
one of the top 5 French general engineering schools.

The mainspring of Télécom Paris is to train, imagine and undertake to design digital models, technologies and solutions for a
society and economy that respect people and their environment. The school is committed to providing an environment
conducive to the development of all students and research professors, and is voluntarily and sustainably committed to an
ambitious plan for social and ecological transition. It is working to increase the number of female research professors and to
reduce the disparities between men and women.

An inclusive campus on a "human scale" but with a strong international component, Télécom Paris is recognized for its
proximity to companies. This public school guarantees excellent employability in all sectors and is the leading engineering
school for the entire digital vertical (from hardware layers to uses).
With its excellent teaching and innovative pedagogy, Télécom Paris is at the heart of a unique innovation ecosystem, based on
interaction and the importance of project mode in its training on the one hand, and its interdisciplinary research on the other.
Its teacher-researchers are affiliated with two research laboratories: on the one hand, the LTCI laboratory, which is presented
by the HCERES as a flagship unit in the field of digital sciences with remarkable international influence; and on the other hand,
the i3 laboratory, Institut interdisciplinaire de l'Innovation (I3 - UMR 9217 of the CNRS), which pursues a multidisciplinary
research program focused on innovation in the framework of a collaboration with the École Polytechnique and Mines ParisTech.

Télécom Paris is positioned as an open-air laboratory for all the major technological and societal challenges: artificial
intelligence, quantum computing, IOT, cybersecurity, large-scale digital equipment (Cloud), 5G/6G, Green IT.

Based in Palaiseau, at the heart of the Institut Polytechnique campus alongside the École Polytechnique, ENSTA, Télécom Sud
Paris and ENSAE, Télécom Paris also has an incubator based in Paris at the heart of the French start-up ecosystem.

SCIENTIFIC CONTEXT
Security failure in computing systems has become one of today’s biggest concerns. The primary threat is that modern computing
architectures –from computational optimizations to storage elements and interfaces, from end-user applications to the operating
system & hypervisor, and from microarchitecture to underlying hardware– may hide unexpected vulnerabilities. This concern
is gaining further momentum with the spectacular aggressiveness of Spectre, Meltdown, and ZombieLoad vulnerabilities. They
demonstrate that even hardware, which is often considered an abstract layer that behaves correctly by executing instructions
and giving a logically correct output, is leaking critical information as a side effect of software implementation and execution.
Even worse, the many undocumented parts of modern architectures open doors for yet undescribed side-channel attacks (SCAs).
There are four established categories of side-channel attacks at the microarchitectural level. For instance, software on- software
attacks could be an untrusted operating system attacking software that is being protected [1], [2]. A software-on-hardware
attack could be untrusted software using cache side-channel attacks to learn secret information from a processor cache’s
operation [3], [4]. A hardware-on-software attack could be an untrusted memory controller trying to extract information from
DRAM memory Rowhammer [5], [6]. A hardware-on-hardware attack could be an untrusted peripheral trying to disable the
memory encryption engine [7]. The vulnerability assessment will not be performed for components inside the software or
hardware Trusted Computing Base (TCB) as they are never assumed to be sources of attack, and, by definition, they are trusted
with ensuring protection for the system.

From the software point of view, hardware is often considered an abstract layer that behaves correctly and can safely keep
secret information. This assumption is no longer true when considering the systems relying on connected objects like IoT
(Internet of Things) or embedded military equipment that could be physically accessible and analyzed by a potential adversary.

Indeed, software execution on the underlying computing hardware can be the target of physical attacks, like side-channels
analysis or fault injection attacks. They open doors for critical vulnerabilities and cyber-physical attacks that can impact the
microarchitecture in terms of security and privacy. This project aims to propose a framework for the instrumentation such as
monitoring, detection, and mitigation of different types of attacks using Artificial Intelligence, both on software and hardware.
The implication of this framework will be relative to the assessment and mitigation of cyber threats happening in daily life IoT
products which involve computing in general life, i.e., home automation, mobiles, biometric security systems, smart cards, etc.

1
 PhD/2024

------------- JOB ANNOUNCEMENT -------------

POSITION TITLE
2 PhD Research fellow positions in Embedded Security

This proposition of this PhD argues in favor of assessment-based protection. Automated assessment will be our first-line-of-
defense against cache and covert timing SCAs. It will help apply mitigation only after a successful automated attack assessment
at runtime. This will reduce the all-weather performance degradation of mitigation approaches. This topic will first cover
generations of Intel, ARM processors, and their secure extensions. Through this PhD, we will extend our mechanisms toward
transparency to RISC-V initiatives.

To fulfill this issue, we intend to work on the following Ph.D. topic:

1) Topic 1 -Automated Assessment of Microarchitectural Vulnerabilities: It is focused on systematizing the discovery of

microarchitectural weakness in modern architectures, at design time as well as at runtime, and automatically detecting
vulnerabilities both in the software and hardware by training machine and deep learning models [8, 9, 11-15]. Manual
discovery of an attack is not viable when thousands of attack execution traces and attack behaviors are involved [10].

JOB DESCRIPTION

MAIN RESPONSIBILITIES AND DUTIES

1. To carry out research missions in the field of embedded security
2. To ensure supervision and tutoring missions
3. To contribute to the reputation of the School, the Institut Mines-Télécom and the Institut Polytechnique de
Paris

POSITION RESPONSIBILITIES
- Studying the current microarchitectures and recent attacks on them
- Considering one attack as base and proposing an automated assessment solution
- He/She should be able to model and evaluate the assessment ability to counter attack and its performance cost
- His/Her research will be published on security forums (workshops, conferences, journals)
- Continuing this ladder approach for other attacks to achieve a comprehensive solution until the end of student’s
PhD

SKILLS
Students having the following background are preferred:

• Knowledge of security (Side/Covert-Channel Attacks, Information Leakage)

• Expertise in Computer Architecture
• FPGA based Development using VHDL/Verilog
• Excellent Programming skills in C/C++/Python/RUST
• Knowledge of Embedded AI (CNNs/DNNs/Transformer-based Architectures)
• Knowledge on Post-Quantum Cryptography is well appreciated -For 1 PhD position

REQUIRED QUALIFICIATIONS
A graduate student (2 Year Masters or 5 Year Engineering) in Computer Science, Microelectronics, Embedded System &
Security.

ADDITIONAL INFORMATION

2
 PhD/2024

------------- JOB ANNOUNCEMENT -------------

POSITION TITLE
2 PhD Research fellow positions in Embedded Security

Type of contract: PhD Research Fellow

Duration of the contract: 3 Years

Deadline to Apply: February 28th 2024

Commencement of PhDs: Readily Available

Location: Télécom Paris, 19 Place Marguerite Perey, Palaiseau 91120, France

Department/Unit: LTCI Department

Superior/Supervisor: Maria Mushtaq, Ludovic Apvrille

APPLICATION INSTRUCTIONS
Applications should be submitted to: [email protected], [email protected], including:

1- Motivation letter including your background and interest in the position (explicitly
mention the topic you are interested)
2- Detailed CV
3- Master/Engineering transcripts
4- Two reference letters
5- List of publications (if any)
In order to be considered, applications must be received no later than: 28 Feb 2024.

Scientific contact person: [email protected], [email protected]

References

[1] Paul Kocher, Jann Horn, Anders Fogh, , Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp,
Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. Spectre attacks: Exploiting speculative execution.
In 40th IEEE Symposium on Security and Privacy (S&P’19), 2019.
[2] Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Anders Fogh, Jann Horn, Stefan
Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. Meltdown: Reading Kernel Memory from User
Space. In 27th USENIX Security Symposium (USENIX Security 18), 2018.
[3] Berk GÅNulmezo˘glu, Mehmet Sinan ˙Inci, Gorka Irazoqui, Thomas Eisenbarth, and Berk Sunar. A faster and more
realistic flush+reload attack on AES. In Revised Selected Papers of the 6th International Workshop on Constructive Side-
Channel Analysis and Secure Design - Volume 9064, COSADE 2015, pages 111–126, New York, NY, USA, 2015.
Springer-Verlag New York, Inc.
[4] Daniel Gruss, ClÅLementine Maurice, Klaus Wagner, and Stefan Mangard. Flush+ flush: a fast and stealthy cache
attack. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 279–299.
Springer, 2016.
[5] Daniel Gruss, ClÅLementine Maurice, and Stefan Mangard. Rowhammer. js: A remote software-induced fault attack in
javascript. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 300–
321. Springer, 2016.
[6] Andrew Kwong, Daniel Genkin, Daniel Gruss, and Yuval Yarom. Rambleed: Reading bits in memory without accessing
them.
[7] Ilya Kizhvatov. Side channel analysis of avr xmega crypto engine. In Proceedings of the 4th Workshop on Embedded
Systems Security, page 8. ACM, 2009.
[8] Mushtaq et al., WHISPER: A tool for runtime detection of side-channel attacks,” IEEE Access, 2020.
[9] M. Mushtaq et al., “Machine Learning for Security: The Case of Side channel Attack Detection at Run-Time, In ICECS,
2018.
[10] Akram, et al., Meet the Sherlock Holmes’ of Side Channel Leakage: A Survey of Cache SCA Detection Techniques,
IEEE Access, 2020.
3
 PhD/2024

------------- JOB ANNOUNCEMENT -------------

POSITION TITLE
2 PhD Research fellow positions in Embedded Security
[11] Mushtaq et al., Winter is here! A decade of cache-based side-channel attacks, detection & mitigation for RSA, Elsevier
Information Systems, 2020.
[12] France et al., Vulnera bility assessment of the rowhammer attack using machine learning and the gem5 simulator-work
in progress,” ACM Workshop on Secure and Trustworthy Cyber-Physical Systems, 2021.
[13] Mushtaq et al., WHISPER: A tool for runtime detection of side-channel attacks,” IEEE Access, 2020.
[14] Transit-Guard: An OS-based Defense Mechanism Against Transient Execution Attacks.Maria Mushtaq; David Novo;
Florent Bruguier; Pascal Benoit; Muhammad Khurram Bhatti. IEEE European Test Symposium (ETS), 2021.
[15] The Kingsguard OS-level mitigation against cache side-channel attacks using runtime detection. Maria Mushtaq,
Muhammad Muneeb Yousaf, Muhammad Khurram Bhatti, Vianney Lapotre & Guy Gogniat. Annals of
Telecommunications (2022).

Telecom Paris is an equal-opportunity employer.

All our positions are open to individuals with disabilities.