My research involves the development of new mathematical analysis techniques, and the application of these techniques to cyber security problems. Some highlights are listed below (some papers appear in more than one category). A fuller list of my publications can be found here and on my Google Scholar profile.
Protocol Security:
- The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning (CCS 2022) CVE-2020-17497 CVE-2021-44718. Source code and all artifacts can be found here.
- Security Analysis and Implementation of Relay-Resistant Contactless Payments (CCS 2020) Protection for EMV cards from rogue readers, models in ProVerif.
- Modelling of 802.11 4-Way Handshake Attacks and Analysis of Security Properties (STM 2020) We use Tamarin to test if the official WPA security properties were sufficient to catch the KRACK attack (they weren't).
- Modelling and Analysis of a Hierarchy of Distance Bounding Attacks (Usenix 2018). Using ProVerif, we build on the FC2015 paper to make the first automated method to test for distance bounding attacks, and the first models of Mastercard's RRP and NXP's proximity check. More information here.
- Extending Automated Protocol State Learning for the 802.11 4-Way Handshake (ESORICS 2018) State machine learning for WPA, tool, CVE-2018-0412.
- Analysing Unlinkability and Anonymity Using the Applied Pi Calculus (CSF 2010).
- Analysing the MUTE Anonymous File-Sharing System Using the Pi-calculus (FORTE 06) Best Paper Award. We analysed a popular (in 2006) anonymous peer-to-peer file sharing system using the pi-calculus and found a flaw in the design.
Industrial Control System and Rail Systems Security:
- An Attack Against Message Authentication in the ERTMS Train to Trackside Communication Protocols (ASIACCS 2017) An attack against the most widely used rail control protocol.
- TRAKS: A Universal Key Management Scheme for ERTMS (ACSAC 2017) A proposal for a quantum secure key management system for rail.
Statistical Estimation of Information Flow and Leakage: Tools and software to support these papers can be found here
- Time Protection: The Missing OS Abstraction (EuroSys 2019), time side-channel protection for seL4. The methods below are used to measure information leakage for a range of processor types.
- LeakWatch: Estimating Information Leakage from Java Programs (ESORICS 2014), applying the methods below to make a tool for measuring information leaks in Java programs.
- A Tool for Estimating Information Leakage (CAV 2013), a tool and case studies based on the methods below.
- Probabilistic Point-to-Point Information Leakage (CSF 2013), formally defining information leakage for programs that may loop or not terminate.
- A Statistical Test for Information Leaks Using Continuous Mutual Information (CSF 2011), leakage model and test for continuous data.
- Statistical Measurement of Information Leakage (TACAS 2010), how to estimate mutual information based leakage measures from sampled data.
Cyber Security Education and Games:
- Phishing Attacks: Learning by Doing (ASE 18), a phishing simulation VM.
- SCAIL: An integrated Starcraft AI System (CIG2012).
BioInformatics: Before cyber security I worked on:
- Finishing the euchromatic sequence of the human genome (Nature 431, 2004), I was one of 4000+ authors of the initial version of the human genome.
- GAZE: a generic framework for the integration of gene-prediction data by dynamic programming, a dynamic programming framework for finding genes in DNA (Genome research 12/9 2002)
Funded projects include:
- Advice to ORR's Railway Safety Division, £50,000, The Office of Rail and Road, with Razor Secure, 2022
- Research into the Cyber Security of the US Railways, £80,000, NCSC, 2022
- Rail Cyber Security in the ESCAP Region, £14,000, The United Nations, 2021
- TimeTrust: Robust Timing via Hardware Roots of Trust and Non-standard Hardware - with Application to EMV Contactless Payments, £297,596.00, EPSRC, with the University of Surrey, 2019-2022
- Effective Solutions for the NIS Directive - Supply Chain Requirements for Third Party Devices, £256,702, NCSC 2019-2021
- Automated Protocol Learning and Vulnerability Detection for TLS, WPA and IoT Protocols, £122,014, NCSC, 2017-2021
- Cryptographic Device Key Management for a Wider Audience, £100,000, TRL Level 3, 2015-2018
- SCEPTICS: A SystematiC Evaluation Process for Threats to Industrial Control Systems, £499,328.75, EPSRC, 2014-2017
- Backdoor Detection Systems for Embedded Devices, £116,580.00, NCSC, 2014-2018
- Randomised capture the flag (CTF) hacking challenges VMs for computer security education, £174,844, Higher Education Academy, 2014-2016
- New Techniques for Finding and Analysing Information Leaks, £111,716.25, TRL Level 3, 2012-2013