Skip to main content

CSAW Europe Conference Nov. 9th 2023

Conference / Conferences

On 9 November 2023

Valence

CSAW 2023 Europe 9-11 November 2023

CSAW Europe – Cyber Security Awareness Week Europe – Grenoble INP – ESISAR

On the occasion of CSAW Europe, LCIS and Grenoble INP Esisar invite you to a day of conferences on November 9th at the Grenoble INP Esisar campus in Valence.

The morning session, organized with the GT Security of Material Systems, common to the GDR Cybersecurity and SOC2, will focus on the use of Unclonable Functions for system security.
The afternoon session will feature the 10 finalists of the Applied Research competition, who will present their published works from this year in high-level conferences. This session should provide a comprehensive overview of cutting-edge research activities in Europe across different areas of cybersecurity.

Below, you will find the complete program for the day.

Registration to this event is free and can be done via the following link: https://framaforms.org/seminaire-csaw-europe-2023-1696229009

For any additional information, please do not hesitate to contact us at csaw.europeatesisar.grenoble-inp.fr (csaw[dot]europe[at]esisar[dot]grenoble-inp[dot]fr)

CSAW Europe will take place from November 9th to 10th in Valence at the Grenoble INP Esisar campus, with competitions and animations for all students from high school to PhD (https://www.csaw.io/europe https://esisar.grenoble-inp.fr/fr/l-ecole/csaw ). The finals of the various competitions will take place on Friday, November 10th.

 

PUF-Enabled System Security (9:30 – 12:30)

talks details are given at the end of this page

Methodologies for verification and quality assessment of Physical Unclonable Functions, Dr. Sergio Vinagrero Gutiérrez , Laboratoire TIMA / TIMA Laboratory
PHASEPUF: PHotonic Augmented SEcurity via Physical Unclonable Functions, Dr. Fabio Pavanello, IMEP-LAHC
Dynamic SRAM PUF, a use case for PUF in consumer electronics, Pr. Pascal Urien , Telecom Paris
CSAW23 PUF-enabled Security Challenge presentation

Applied Research Presentations (14:00-17:30)

SoK: Taxonomy of Attacks on Open-Source Software Supply Chains Piergiorgio Ladisa , SAP Security Research & Université de Rennes 1, Inria, IRISA
ClepsydraCache — Preventing Cache Attacks with Time-Based Evictions Christian Niesler & Jan Thoma, University of Duisburg-Essen & Ruhr University Bochum
LibAFL: A Framework to Build Modular and Reusable Fuzzers, Andrea Fioraldi, EURECOM
It’s (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses, Soheil Khodayari , CISPA Helmholtz Center for Information Security
A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs, Gerlach Lukas, CISPA Helmholtz Center for Information Security
RiscyROP: Automated Return-Oriented Programming Attacks on RISC-V and ARM64, Tobias Cloosters University Duisburg Essen
Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js, Mikhail Shcherbakov, KTH Royal Institute of Technology
ShowTime: Amplifying Arbitrary CPU Timing Side Channels, Marton Bognar , KU Leuven
NatiSand: Native Code Sandboxing for JavaScript Runtimes, Matthew Rossi, Università degli studi di Bergamo
Why So Toxic? Measuring and Triggering Toxic Behavior in Open-Domain Chatbots, WAI MAN SI , CISPA Helmholtz Center for Information Security

References :

o Fioraldi, Andrea, et al. « LibAFL: A framework to build modular and reusable fuzzers. » Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2022.

o Thoma, Jan Philipp, et al. « {ClepsydraCache}–Preventing Cache Attacks with {Time-Based} Evictions. » 32nd USENIX Security Symposium (USENIX Security 23). 2023

o Khodayari, S., & Pellegrino, G. (2023, May). It’s (DOM) Clobbering Time: Attack Techniques, Prevalence, and Defenses. In 44th IEEE Symposium on Security and Privacy.

o Ladisa, Piergiorgio, et al. « Sok: Taxonomy of attacks on open-source software supply chains. » 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 2023.

o Gerlach, Lukas, et al. « A Security RISC: Microarchitectural Attacks on Hardware RISC-V CPUs. » 44th IEEE Symposium on Security and Privacy. 2023.

o Cloosters, Tobias, et al. « RiscyROP: Automated Return-Oriented Programming Attacks on RISC-V and ARM64. » Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses. 2022.

o Abbadini, M., Facchinetti, D., Oldani, G., Rossi, M., & Paraboschi, S. (2023). NatiSand: Native Code Sandboxing for JavaScript Runtimes. IEEE RAID 2023

o Shcherbakov, Mikhail, Musard Balliu, and Cristian-Alexandru Staicu. « Silent spring: Prototype pollution leads to remote code execution in Node. js. » USENIX Security Symposium 2023. 2023.

o Purnal, Antoon, et al. « ShowTime: Amplifying Arbitrary CPU Timing Side Channels. » ACM SIGSAC Asia Conference on Computer and Communications Security (AsiaCCS). 2023.

Si, Wai Man, et al. « Why so toxic? measuring and triggering toxic behavior in open-domain chatbots. » Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2022.

o Methodologies for verification and quality assessment of Physical Unclonable Functions: Physical Unclonable Functions (PUFs) leverage process variability to generate unique signatures in electronic devices. PUFs can generate secrets « on-the-fly » and do not require non-volatile memory to store them, which makes them a good candidate to conventional security mechanism. However, PUFs can be influenced by external factors and can present biasing towards certain stimuli, which can be exploited by external attackers. That is why PUFs are normally evaluated through a common set of metrics such as uniformity, bitaliasing, uniqueness and reliability. PUFs also need to be tested in a great number of devices over a large set of operating conditions, since the underlying physics and mechanisms of PUFs makes them difficult to study and mitigate potential vulnerabilities and attacks. Yet, this methodology is not properly standardised which makes the process of comparing different PUF design limited, time-consuming and expensive. Overall, the quality metrics for PUFs are still evolving, and there is ongoing research to address these challenges and develop more robust and reliable PUFs. The objective of this presentation is twofold: first provide an introduction to the evaluation and quality assessment of Physical Unclonable Functions and statistical pitfalls to beware. Secondly, demonstrate some PUF oriented utilities, primarily a platform for the automatic collection of data for SRAM based PUFs and a framework focused on exploration and verification of PUF responses.

o PHASEPUF: PHotonic Augmented SEcurity via Physical Unclonable Functions: Physical unclonable functions (PUFs) are hardware-based security primitives that can be used as fingerprints for detecting counterfeit hardware, to provide secure authentication services or yet as cryptographic keys for encryption protocols, avoiding local storage of secret keys into digital memory. These features can be achieved thanks to their complex and highly unpredictable responses, strongly dependent on fabrication tolerances. However, in order to be considered as serious alternatives to more standard digital technologies, they need to present several properties such as robustness, CMOS-compatibility, and reliability. In this talk novel designs based on photonic integrated technologies will be showcased within the framework of the ANR project PHASEPUF and their advantages as well as their limitations will be highlighted with respect to current competing technologies.

o Dynamic SRAM PUF, a use case for PUF in consumer electronics:

This talk is the journey story to introduce PUF authentication in consumer electronics. In 2011 Thomas Fischl designed open hardware and software for USBASP token, i.e. USB in-circuit programmer for AVR microcontrollers, widely used by the Arduino IDE. These devices may act as the root of trust for microcontroller programming. Many clones are manufactured at very low prices. Using commercial tokens, the idea was to prove both hardware and software authenticity in order to avoid supply chain attacks or counterfeit boards. USBASP tokens work with the Atmega8 processor, and they can program each other. The first step was to design software (with Arduino IDE) to dump the SRAM, to download it, and to collect SRAM content through a serial link. For this purpose we designed « a PUF extractor » based on an Arduino chip ». Thereafter we defined graphic tools and enrollment methods for SRAM PUF. Thanks to this process we are able to perform static authentication. In 2017 Abdelrahman T. Elshafiey & Al, observed that, due to capacitance dissymmetry, the power supply ramp time modifies SRAM PUF. This introduces the concept of flipping bits, which, depending on ramp time, are either always seen at one or zero. Because this effect occurs at very low voltage, it enables the definition of dynamic SRAM PUF, which can’t be guessed by malicious software. This effect enables dynamic authentication. By using an attestation algorithm that hashes the content of microcontroller memories (including part of SRAM) according to a permutation, we produce a result that proves the firmware integrity, but also the existence of flipping bits. Finally this process can be applied to many microcontrollers.

Date

On 9 November 2023

Localisation

Valence

Submitted on 21 August 2025

Updated on 10 June 2026