Managers, consultants, and security engineers have responsibility for delivering the security of possibly large, complex systems. Policy-makers and industry/business leaders, on the other hand, have responsibility for ensuring the overall sustainability and resilience of information ecosystems that deliver services, including those in commercial, governmental, intelligence, military, and scientific worlds. Despite these differences in focus and scope, both groups must make security policy design decisions that combine a wide range of competing, often contradictory concerns. Considering this range of stakeholders, we are motivated by the following closely related questions: For a given system, with a given set of stakeholders operating in given business and threat environments, how do we determine what is an appropriate (i.e., effective, affordable) security policy? What attributes should be protected, to what extent, in what circumstances? What impact on business operations is acceptable, and at what financial cost? Such an analysis will, if it is to be achievable and robust, be dependent on the provision of rigorous economic and mathematical models of systems and their operations. How are we to express and reason about policies so that their effectiveness against the desired security outcomes and their impact upon the stakeholders and business operations can be understood? Our hypothesis, supported both by extensive background work and experience in an industrial setting and by extensive background mathematical work, is that a marriage of the modelling techniques of logic with those of mathematical economics will provide an appropriate framework. We aim to establish a mathematical basis for a systems security modelling technology that is able to handle the structural aspects of systems, the stochastic behaviour of their environments and, specifically, a utility-theoretic representation of security policies and their effectiveness. The development of this theory poses significant challenges. We need to reconstruct utility theory to take advantage of the sophisticated account of actions provided by the mathematical models of processes common in theoretical computer science. Another technique of theoretical computer science, Hennessy-Milner logic, provides a logical characterization of process behaviour; this will need to be enhanced to enable specification of properties involving utility- and game-theoretic concepts, such as Pareto optimality and equilibrium properties. The development of this novel mathematics must be driven and guided throughout by the policy decision-making applications, and we must explore how the methodology used in previous work can be extended and generalised to take advantage of this new mathematics.

Many modern processors are equipped with hardware extensions that enable some kind of Trusted Execution Environment (TEE). This allows programs to run securely - protected from other programs or operating system software running on the processor. By establishing a secure interface between the user and the hardware-anchor, we can make user platforms and devices more resilient to malware and other types of cyber attacks. One of the main goals of this project is to promote and facilitate the adoption of TEE as the main trust anchor for our security architectures. As such, the security of the TEEs themselves is of paramount importance. We will perform a thorough evaluation of the security features of different TEE implementations to determine their suitability as trust anchors. This includes assessing cryptographic protocols, side-channel vulnerabilities, and implementation weaknesses. Hardware supported TEEs aim to ensure that code can execute securely. However, user interface devices (for example, a keyboard, display or touch screen) are usually not connected directly to the secure hardware, which means that the user cannot interact securely with the TEE. We will address the limitations of users interacting directly with TEEs through analysing use cases and developing secure interfaces using auxiliary devices and dedicated features. Authentication today is largely based on user supplied information like passwords or biometrics. These approaches often use information that is easy to steal or brute force. The industry has been moving towards multi-factor authentication as a means of spreading risk, but these approaches impose usability challenges while still relying on weak factors. We will investigate opportunities to leverage strong hardware-based security mechanisms to improve both the strength and usability of authentication. We will also build an architecture for designing protocols and user experiences that leverage these hardware security primitives to enhance the security, manageability, and usability of user authentication over existing approaches. The analysis and applications of our research findings will be demonstrated and implemented on suitable platforms including secure hardware, smart devices and integration with authentication tokens.

Despite increased efforts to improve cyber-security for organisations and individuals, growing reports of breaches and attacks suggest that not only are we more vulnerable than ever, but also that there "is no obvious solution to the problem of cyber-security" (Garfinkel, 2012, p. 32). As technology has become embedded in virtually all aspects of everyday life, and more and more people are engaged in interactions with systems, it seems likely that the 'problem' of cyber-security will remain unsolved in the foreseeable future. While it has become accepted wisdom that cyber-security is a 'socio-technical' system, with both technical and human elements, making advances based on this understanding has proved difficult. In part this is due to the diversity of both people and the social contexts in which they live their lives, and the systems with which they interact. At the same time, the public discourse and guidance about cyber-security is confusing and often inappropriately targeted. For instance, the term 'cyber-security' can be used to encompass a wide range of attitudes, behaviours, technologies and threats ranging from authentication methods, SCADA systems, spear phishing and cyber-bullying, with interventions poorly targeted and overly technology-threat based. Crucially, however, the experience and understanding of the cyber-security problem is not the same for everyone and the cSALSA project seeks to address the fundamental challenge of how we can more fully understand a diverse range of cyber-security experiences, attitudes and behaviours in order to design better, more effective cyber-security services and educational materials. In the cSALSA project, we take a lifespan approach to studying how cyber-security is understood, and the attitudes and behaviours of people to cyber-security and risk. The project will study cyber-security across three main life stages - amongst young people, those of working age, and older people. The research project will focus on how people's attitudes and behaviours towards cyber-security and risk change across the lifespan in sync with their goals and aspirations, cognitive abilities and knowledge and ability to control and adapt their cyber-security behaviour. Importantly, we recognize that neither cyber-security related behaviours nor life course development occur in a vacuum. Rather, they are part of a complex inter-play of individual characteristics, elements shared with others in a particular life stage, and the dynamic context in which the person finds themselves. These contexts include aspects of family life, organizational structures, cognitive capacity and knowledge, and social support networks. We propose a three pronged approach to studying these three life stages: (1) research investigating how cyber-security is understood and framed in everyday language across the lifespan; (2) in-depth qualitative and quantitative work on cyber-security attitudes, knowledge and behaviour across our three points in life, with a specific focus on how the dynamics of people's lives influences how cyber-security is understood, risks appraised and talked about, and actions taken; and (3) specific work on metrics for cyber-security, and the development of new psychometrically validated measures of cyber-security perceptions and behaviours.

Our society has an unsatisfiable hunger for images. The UK printing industry is the 5th biggest in the world with a turnover of £13.5 billion employing c.122 000 people. The internet is now the main platform for advertising, with 39% of advertising expenditure, print comes second with 32% and is fast growing. A historic development, the CMYK halftone process and the ruled glass screen patented by Frederick Ives, has led to the reproduction of almost all present day images as pixelated CMYK prints. Historic processes, such as those invented by Woodbury and Lippmann produce prints far superior to anything which is commercially available at the present time. Those processes have been largely forgotten as they were not commercially competitive. The applicant, with her expertise in colloidal chemistry, optics and 3D printing, aims to lift those technologies from obscurity to the forefront of modern developments. The new incarnations of old printing technologies will allow production of high quality prints for advertising, packaging, fashion and, at the same time, include impossible to replicate security features. By transferring the principals of historic, high quality, continuous tone printing processes to non-impact printing, the processes will be freed from dimensional restrictions and restrictions of shape and material of the substrate. Woodburytype was the first, and still is the only photomechanical process that can reproduce truly continuous tone. A topographic print of pigmented gelatin layers, the image is generated by the absorption of light in those layers. The applicant aims to generate the layers by an additive process, for example ink jet printing, instead of an imprint from a plate. With especially formulated inks and modified printers which allow multipath printing, the continuous tone print can then be generated on a multitude of substrates and shapes. Combining this new process with Lippmann photography will lead to a full colour, non-pixelated printing process with in-built security features. Lippmann photography does not contain any dyes or pigments, but still reproduce the biggest colour gamut possible on the basis of interference colours like the ones observed on the surface of soap bubbles. Light is selectively reflected by resonance cavities which makes the print change colour under different viewing angles. This characteristic cannot be copied by simple means and can therefore be exploited as a security feature. In classic Lippmann photography, the reflective layers of the cavities consist of very fine metallic silver grains separated by layers of gelatin. The layers are generated by a direct photographic process making Lippmann photography a one-off method. In collaboration with industrial partners, the applicant aims to formulate two inks, one transparent and the other reflective and aims to print a hybrid Lippmann/ Woodburytype by non-impact methods. The hybrid type will have no dimensional restrictions and can be customized. On an ID card or driving license, a Lippmann/Woodburytype could be included as an owner specific security feature. Creating the cavities by direct print will be a challenge, but materials exist which can be printed and organize themselves in periodic structures: chiral liquid crystals for example. Liquid crystals interact with light and are the active layer in most displays today. In chiral liquid crystals the molecules are organized in helical structures. When the spacing of the helix fulfils a specific condition, colour is generated. The final print will consist of a variety of liquid crystal and containment layers which will have additional functionality. An electric or magnetic field can switch the liquid crystal, i.e. the print is rewritable which can be exploited as a security feature. By hosting the fellowship at the Centre for Fine Print research, an ideal combination of printing and material expertise is achieved guaranteeing the success of the project.

Software compartmentalisation is the decomposition of larger software packages - such as web browser or OS kernels - into isolated components. Each is granted limited rights to utilize system services or communicate with other isolated components. Intuitively, vulnerability mitigation from compartmentalisation is grounded in the principle of least privilege, which argues that security is improved by minimising the set of privileges available to those required. Compromised software will yield fewer rights and limit further attack surfaces to a successful attacker. In prior work, we have developed CHERI, a set of architectural extensions to RISC instruction-set architectures to support efficient, fine-grained memory protection and scalable software compartmentalisation. Supported by the UK Industrial Strategy Challenge Fund (ISCF), Arm is creating the Morello CPU, SoC, and board, a high-end, industrial-quality demonstrator of the CHERI principles embodied within a commercial hardware design. This platform has the potential to support far more granular and more easily integrated compartmentalization support than convention hardware designs. However, the current research software stacks for CHERI have been almost entirely focused on memory protection rather than compartmentalisation -- in part because the software operational models associated with CHERI-based compartmentalisation have not yet been established. We propose to design, prototype, and evaluate new CHERI-based compartmentalisation techniques usable to support fine-grained, scalable software compartmentalisation of real-world software on the Morello board, building a deep understanding (as well as practical prototypes) spanning a rich range of use cases and operational models. CHaOS will enable extensive adoption of software compartmentalisation in systems software stacks, offering strong mitigation for many known (and also still-to-be-discovered) vulnerability classes and exploit techniques affecting server, desktop, mobile, and embedded systems. CHaOS will investigate the hypotheses that: (1) CHERI can support multiple effective operational models for compartmentalisation; (2) approaches to CHERI compartmentalisation must cater to substantial differences up and down the systems stack; (3) detailed elaboration of compartmentalisation will turn up critical practical considerations (e.g., as relates to debugging); and (4) further refinement of the CHERI (and Morello) architectures may be required as a result of lessons learned in this work. We will explore these hypotheses across the systems software stack: the hypervisor, general-purpose OS kernel, and user applications. Our existing open-source corpus adapted for CHERI memory safety will be our starting point: the FreeBSD kernel and userspace, the PostgreSQL database, and Apple's WebKit. With our industrial partners on this proposal (Arm, Google, HPI, and Microsoft), we will extend our investigation to include Arm's Morello Android, Google's Hafnium hypervisor, HPI's printer software stack, and Microsoft's Verona language runtime.