With Clémentine Maurice, cybersecurity is gaining recognition

'In 2012, when I told my thesis supervisor that I wanted to focus on microarchitectural attacks, he replied: 'It's not a popular topic at all, but if it interests you, go for it...' That's how, almost by chance, Clémentine Maurice became involved very early on in a field whose importance no one realised at the time.

She quickly proved herself there. In 2016, while finishing her thesis, she co-authored one of the most notable articles of her career: it has been cited more than 600 times to date. ‘We demonstrated that it was possible to launch a type of microarchitectural attack known as “by fault” from a simple browser, without the user's knowledge, if they visited an infected web page.’

Buoyed by this early recognition, the young researcher completed a postdoctoral fellowship in Austria marked by a series of ‘super discoveries’. She was then recruited by the CNRS in 2017 as a research fellow. ‘I went into the CNRS competition feeling unsure of myself, but I finished first.’ It was then that she realised that cybersecurity was a real scientific subject, ‘even though some of my colleagues considered it too practical and not noble enough to be worthy of interest’.

Now a member of the Spirals project team (jointly run by Inria and the CNRS), Clémentine Maurice has become a leading figure in her field. At just 35 years of age, she publishes in high-ranking journals, sits on several expert committees, participates in the development of programmes for major global conferences, and receives prestigious awards. She is also a researcher committed to causes such as open science and the place of women in research.

As for computer hacking, it has gone far beyond being a ‘trendy topic’ to become a major issue.

Attacks targeting cryptographic protocols

Clémentine Maurice has remained faithful to her initial subject since her early days: microarchitectural attacks. ‘They use software to exploit hardware weaknesses in processors, such as those in their cache memories,’ she explains. 'This allows them to access the cryptographic keys that encrypt the most sensitive data. No antivirus software can stop them, and they leave no traces. As these attacks require a great deal of expertise and must be adapted to the targeted hardware, they are highly targeted: it is impossible to deploy them on a large scale like ransomware campaigns.' But their repercussions can be severe. For example, a few years ago, Intel saw its share price plummet when an attack highlighted the vulnerabilities of one of its processors.

The young woman approached the subject from three angles. First, she explored the ‘attack surface’ of processors: which components are most targeted, what are their vulnerabilities, and what techniques can be used to exploit them? ‘Every cybersecurity researcher is first and foremost an expert in attacks, in order to understand where the danger comes from.’

Clémentine Maurice then studied and analysed attacks launched from a web browser. She also demonstrated that these attacks could be used to identify and track internet users, in violation of privacy protection rules. ‘A discovery that gave rise to a whole new field of research.’

Since obtaining her HDR (Habilitation à diriger des recherches, or accreditation to supervise research) at the University of Lille in 2023, the researcher has been focusing on ‘countermeasures’ to microarchitectural attacks. ‘Processor manufacturers often modify their products to boost performance, unwittingly creating new vulnerabilities. So I'm working on software that can withstand attacks regardless of the processor, to protect users of smartphones, laptops, personal computers, servers, and so on. Because the threat has become ubiquitous.’

Interdisciplinarity as a driving force

All of her results have been achieved as part of multidisciplinary teams: Clémentine Maurice collaborates with colleagues from Spirals on web security, and with other French and international researchers on security and software engineering, systems, cryptography, compilation and processor architectures. 'No one can master this range of expertise alone. So we pool our knowledge: everyone contributes their piece to the puzzle.‘ Another intellectual stimulus is that cybersecurity is a never-ending game of cat and mouse. ’Faced with increasingly inventive hackers, we must constantly challenge ourselves.'

In the coming years, the young woman aspires to fruitful collaborations with industry. 'I want to find solutions that are perfectly suited to the needs of developers, so that they can be deployed on a large scale.' She is already succeeding in this endeavour: Linux, used by more than 60% of servers worldwide, has incorporated a countermeasure inspired by her work since 2018. This success is sure to lead to others.