ITEA 4 is the Eureka Cluster on software innovation


Security, a question of surface!

Philippe Letellier · 16 September 2019

Security means attack, attack means value. Value can require different constraints: confidentiality, integrity and availability.

Value can be the name and contact details of your providers. Potentially, it is not so confidential because it is directly visible on your product, but the integrity and availability of these data are key for the efficiency of your process.
On the other side, your list of customers is surely confidential because it has a unique value for your competitors.

Sometimes, value can be insignificant for your product or service but high for someone else. In this case, it is an opportunity to create a new business. Typically, the search engine of Google acquires a lot of information about the user which is not so useful for the search engine itself but has created unique value for Google through the advertisement business. Thus, the value to consider is not only the direct value for your enterprise but any value which can potentially generate business for other companies.

Below, you can find a very interesting analysis of what to protect and the associated tools to do it, developed by Norman Feske from the Dresden start-up Genode, a unique expert on these topics and partner in the ITEA project Flex4Apps.

[Figure: Security landscape]

This table is very useful to measure the complexity of security, illustrating the different perspectives and the numerous technologies that have to be combined to solve the security challenge. Hackers are very creative and regularly generate new kinds of attack (cf. the yearly Data Breach Investigations Report from Verizon). Security is an endless challenge, a kind of race between hackers and shields. Many of the new attacks use newly identified bugs in the components of information systems. Last but not least, the man-in-the-loop is also a regular element of the attacks, whether intentionally or unintentionally.

Thus, before securing your system, you have to analyse the value of what you intend to protect, for you but also for other players. Something with a low value for you can have a high value for someone else and thus justify a lot of effort to hack it. Finally, you have to strike a balance between the global value of what you want to protect and the effort and intensity needed to protect it. This analysis is not a one-shot game but a real process that has to adapt to:

  • the change of the value itself;
  • the available technologies and their cost to protect it;
  • the newcomers in your organisation;
  • the identified bugs in your information system tools;
  • the latest attack ideas of hackers.

The hackers must be considered as the most creative professionals and, when an attack occurs, very often it is difficult to understand what occurred:

  • an attack,
  • a bug,
  • a bad configuration of the system, or
  • an unexpected actual usage?

This requires many post-mortem security analyses, but also some real-time analyses (cf. the ITEA project ADAX, awarded for its innovative countermeasure analysis) to be able to understand what occurred and what the most economical countermeasure is. Sometimes the cost of the countermeasure can be worse than the risk of the attack: stopping the server for a while, for example, can cost the business a lot.

A very interesting approach to this security challenge, pushed by Genode, is to increase the resilience of the system rather than to fight against attacks. Their key concept is the attack surface. With millions of lines of code and the usual number of bugs per line (15-50 errors per 1000 lines of delivered code in usual industry, said Steve McConnell), you are sure to have many doors through which your system can be attacked. Some of these doors are not even identified yet and thus surely not protected; the best cake for the hackers.

Beyond formal verification, which is still a dream for a large piece of code, the other way to reduce the risk is compartmentation of the code.

Genode is working on an open-source kernel of isolated compartments with controlled and explicitly authorised interactions between compartments. The less complex the kernel, the smaller the chance of cracks in the walls between the compartments. With an open-source microkernel of less than 15K lines of code, viewed by many developers other than the authors, there is a realistic chance that the kernel is completely free from vulnerabilities.

With the correctness of the kernel assured, security questions are simplified to:

  • How can a compartment possibly be reached by an attacker? What would happen in the event the compartment gets compromised?
  • Assuming the compartment falls completely into the hands of an attacker, what negative effects on other compartments, and the system as a whole, could the attacker accomplish?
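
Once the authorised channels between compartments are written down, both questions can be answered mechanically. The sketch below is an added example, not code from Genode or from the original post: it models a constructed system as a graph and compares it with the same components running without isolation. The compartment names, sizes and channels are hypothetical, and reachability over channels is a worst-case upper bound, since each further hop still requires the next compartment to be exploitable.

```python
from collections import deque

# Constructed sample system (hypothetical names and sizes, not Genode's).
# CHANNELS[a] = compartments that `a` is explicitly authorised to call.
CHANNELS = {
    "nic_driver": {"tcp_ip"}, "tcp_ip": {"web_frontend"},
    "web_frontend": {"storage_proxy"}, "storage_proxy": {"customer_db"},
    "update_agent": {"storage_proxy"}, "customer_db": set(),
}
KLOC = {"nic_driver": 30, "tcp_ip": 80, "web_frontend": 120,
        "storage_proxy": 5, "update_agent": 20, "customer_db": 200}
ENTRY_POINTS = {"nic_driver"}  # compartments that parse outside input


def attack_path(channels, entries, target):
    """Question 1: shortest chain of compartments from outside input to target."""
    queue, seen = deque([e] for e in sorted(entries)), set(entries)
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(channels[path[-1]] - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None  # no authorised route from any entry point


def blast_radius(channels, compromised):
    """Question 2: worst-case set reachable over authorised channels."""
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for nxt in channels[queue.popleft()] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen - {compromised}


def monolithic(channels):
    """Same components without isolation: each can touch all the others."""
    return {c: set(channels) - {c} for c in channels}


def exposed_kloc(channels, compromised):
    """KLOC inside the blast radius, a rough proxy for reachable surface."""
    return sum(KLOC[c] for c in blast_radius(channels, compromised))


if __name__ == "__main__":
    for c in sorted(CHANNELS):
        print(c, exposed_kloc(CHANNELS, c), exposed_kloc(monolithic(CHANNELS), c))
```

Running it prints, for each compartment, the code size an attacker could reach after compromising it, first with the authorised channels enforced and then in the monolithic variant.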

I am not saying Genode solved the security problem, but they chose an innovative and interesting approach that deserves to be analysed to secure a system. Feel free to contact Norman Feske; he is very open and an expert on all these questions.

To write this post, I have been inspired a lot by Norman's blog:

If you want to know more about the latest developments, check the ITEA project Flex4Apps’ results. They have done very interesting research, in collaboration with Evermind, to design a low-cost, secured home gateway.

Tags: Safety and Security


