LHS: A high security laboratory in Rennes
Eleven research organisations signed an agreement with the French Ministry of Defence and the Brittany Region on the 12 December last year with the aim of setting up a facility to carry out research into cyber defence. This agreement followed in the wake of the Cyber Defence Pact that designated Brittany as a Cyber Centre of Excellence. One of the facilities contributing to this Centre of Excellence is the LHS high security laboratory, funded jointly by Inria, Supelec, the French defence procurement agency (DGA) and the Brittany Region. Technology transfer will form an important part of the work of the laboratory as Jean-Louis Lanet, the scientist in charge of the project, explains.
“Cyber security research in Brittany is like a Swiss cheese – mainly solid, but with plenty of holes. The region is home to plenty of researchers working in the field, and the work they are doing is excellent. However, we are under-represented in some specialist fields, while others are absent altogether. It is these holes that the LHS is intended to fill ”. Professor at the University of Limoges and previously a researcher with Gemalto, Jean-Louis Lanet has moved to Rennes to oversee the start-up of the High Security Laboratory. Since 2015, the laboratory has been based at an Inria site on the Beaulieu campus in Rennes. The formal constitution of the facility has yet to be decided. “We are not yet sure. But we definitely want the structure to be lightweight and very reactive ”. The cornerstone of the project: “A professorial chair in cyber security funded by the Brittany Region ”. The objective: “To attract an internationally respected figure to Rennes ”. This leading scientist “will have the support of an Inria research team. The DGA will fund three successive rounds of three PhD students, i.e. nine students in all. This will form the framework. In addition, three researchers from the DGA will dedicate 50% of their time to the laboratory ”.
The study of malicious software
The scientific fields to be studied will cover “Computer viruses first of all. This is the analysis of the threat. Very few researchers are working in this field in Brittany, or even in France as a whole. Five people at most. The new professorial chair will have an emphasis on malware. We need to understand the ways in which the enemy can attack us before we can deploy our defence. The second phase will focus on the link between hardware and software.Work in this area has already begun in Brittany, and we are going to try and expand our involvement in this field ”. Tackling the relationship between hardware and software is likely to prove difficult. “The first thing to realise is that we have very little control over hardware. For example, suppose that we install a new router. It appears to be working well, but where were the components made? How confident can we be that these components themselves are not malicious? When software is written, it is designed independently of the platform. However, the software runs on the platform. This has to be taken into account. Usually, there is no link between the two. The software specialists inhabit one world, the hardware designers another ”. Between the two, there is a no man's land that few dare to enter. “When a problem arises, we never know whether it was caused by one aspect or the other. We have to encourage researchers to work together on this ”. The hardware itself has an important role to play in the security chain. “It can be used to isolate software packages. It is possible to build a sandbox in which a program can run without ever being able to leave it. If the software malfunctions, it cannot contaminate the rest of the system ”. The idea can be taken even further: “If more functionality is built into the hardware, the software can be smaller, easier to control and less likely to contain bugs. This will increase the level of confidence. Good hardware therefore leads to more secure software. That’s the good news ”. The other side of the coin: “All hardware leaks information, either through electromagnetic radiation, or along the power cable. We have to overcome these potential problems through the use of suitable hardware or software. Everything then becomes more complex ”. Especially as the enemy is not content to leave it at that. “It is possible to use a laser beam or an electromagnetic pulse to disturb the hardware and extract information.This technique is capable of damaging chips containing the strongest security features. It has no problem attacking ordinary chips such as those in telephones. Investigating this area requires large and powerful instruments. Here we will have support from the DGA who have many resources available in this field ”.The third scientific field to be investigated: “The monitoring of security. When an alarm is triggered in a system, it can manifest itself in a number of ways. A large number of sensors begin to transmit information. We must be able to interpret these data flows. The person in front of the screen must be able to understand what is happening. This is an area of research being addressed by the Cidre team ”. Finally, a fourth point also has to be considered. “The defence of the citizen.We can’t leave them out of all this. Protecting our private lives in the computer age raises many problems. If you need proof, you need look no further than the study on smartphones recently published by the CNIL and Inria. This concern has also been raised by the Brittany Region. Now, we have researchers based here who are addressing these questions ”.
And a business incubator too
In addition to its scientific work, the LHS also intends to provide “an incubator for technology transfer.Both activities will run in parallel ”. How will the collaboration work? “The project is at an early stage. Everything still remains to be built. We’re not ruling anything out. I shall go on the road and talk to businesses. For example, I’ve already visited Secure-IC, a local SME,and I’ve discussed the project with Gemalto, a world leader in computer security. We are definitely getting the impression that there is interest out there in what we are doing. And while the scientific fields remain the same, the range of possible applications is almost limitless, from making smartphones smarter, through Internet modem-routers to the intelligent electricity meters that are soon to be fitted in our homes ”.
These articles could interest you:
The 13 signing parties of the agreement on research into cyber defence are :
Ministère de la Défense (DGA), Région Bretagne, CNRS, Inria, Université européenne de Bretagne (UEB), Université de Bretagne-Sud (UBS), Université de Bretagne occidentale (UBO), Université Rennes 1, Université Rennes 2, ENS Rennes, Supelec, Insa Rennes, Télécom Bretagne.
For more information
Cidre is an Inria project-team associated to Supelec, the Université-Rennes 1 and to CNRS, also in partnership with Irisa (UMR6074).