CyAN Mentorship Programme Report – Nils Eiling

Nils Eiling is a recent master’s graduate in computer science from FAU Erlangen-Nürnberg (Germany), where he is currently engaged as a research assistant contributing to a project on securing Trusted Execution Environments in RISC-V processors. Nils is also a member of the recently completed CyAN mentorship programme pilot. We welcome him to the CyAN community as a full member.

All participants were asked to contribute content to CyAN as part of the programme wrap-up, whether a blog post, a podcast, or similar. Below is Nils’ summary of his experiences in the CyAN mentorship process.

At the beginning of the mentoring, I shared with Boris my goals and expectations for the mentoring program. As a suggestion for possible discussion topics, Boris recommended the book “Security Engineering” by Ross Anderson, which is considered one of the iconic works in the field of cyber security.

My expectations were related to two areas: First, I wanted to gain insight into the cyber security industry in order to weigh a potential career path for myself. Therefore, my first questions in our meeting were directed at Boris’ own career path: “What did your path look like? Did you follow a specific plan?”

Boris traced his professional career for me and named important stations, punctuated with some anecdotes. In doing so, he also emphasized crucial experiences and insights he had gained in the course of his career. Later, Boris gave me an insight into his everyday professional life as a security architect, which mainly consists of “asking the right questions”. When I inquired what exactly he meant by this, he explained to me an approach that aims first to identify the actual problem, then to verify whether the proposed solutions address this problem, and finally to ask what alternative approaches might exist. In this context, he advised me to look into TRIZ (Theory of Inventive Problem Solving), a method developed by Genrich Altshuller. The idea is to arrive at a more general problem by abstracting a special problem for which, in the best case, a general solution already exists that can be transferred to a special solution.

Through my studies and research, I have gained a deep technical understanding in some areas of cybersecurity. Nevertheless, it was important for me to look at cyber security from a meta-perspective. I was concerned with questions like, “How do I define security requirements for a system?”, “What does ‘security’ actually mean in this context?”, and “How can I anticipate potential risks and attackers in advance?”

It turned out that Boris was exactly the right person to address these issues. In 2020, he and Ganna Pogrebna published “12 Fundamental Cyber Security Problems,” which fall into four categories: System, Defense, Technology, and Behavior.

In our subsequent conversations, confirmed by Boris’ research, we were able to identify the three most important questions:

  1. “How can you consistently define the security of a system and the methods to demonstrate it?”
  2. “How to identify and prevent the adversary’s code from running on shared hardware / environment?”
  3. “How to remotely tell apart the legit user of a remote system and an adversary who remotely controls the system when this system is compromised?”

Particularly, the first question was the most exciting and fundamental for me during the mentorship program, as I was concurrently writing my master’s thesis. This thesis addresses Trusted Execution Environments (TEE), which provide a secure or trustworthy runtime environment for applications, typically ensured by hardware features such as the ARM TrustZone. The ARM TrustZone introduces the concept of the ‘normal’ and ‘secure’ world. Within the ‘normal’ world lies a conventional operating system like Android or iOS. In the ‘secure’ world, there runs a specialized operating system primarily focused on security and responsible for operating the so-called Trusted Applications (TA). Since the existing operating systems for the ARM TrustZone are often affected by the same security vulnerabilities, such as buffer overflows, the idea was to start from scratch and develop a kernel specifically for the ARM TrustZone, whose architecture and implementation are consistently focused on security. The requirements for this were extracted from an analysis of existing solutions.

The result was a statically partitioned microkernel with Run-To-Completion semantics. Additionally, I verified all the C code of the kernel for memory safety using the C Bounded Model Checker (CBMC). Despite these extensive measures to engineer a kernel with maximal security, discussions with my mentor, Boris, led to a profound realization: the absolute security of a system is a conceptual ideal rather than a definitive state. It became clear that my efforts, although significant, could only assert the absence of known insecurities, such as memory corruptions, and this assurance was limited to a fraction of the system under specific conditions. This insight has been pivotal in my understanding of cybersecurity over the past weeks, underscoring the continuous and dynamic nature of striving for system security.

I am grateful to Boris for sharing his knowledge and experience with me. He has encouraged me to see my professional future in the field of cyber security.