"I am a bit jealous of my students"

Prof. Kaveh Razavi is leader of the Computer Security Group (COMSEC). In our interview he talks about his passion for hacking, why we should care more about computer security, and how he is preparing the Computer Engineering lecture he will take over next semester from Prof. Lothar Thiele. Currently the group is looking for a new doctoral student in Hardware Security. Applications are very welcome!

by Katja Abrahams-Lehner

Prof. Razavi, what is your main area of research?

Prof. Kaveh Razavi

We do research in the intersection of computer systems and security. The goal is the construction of secure and reliable computing systems by considering all layers of the computing stack. By doing this, we would like to find out how we can guarantee that a system is secure against different classes of attacks.

With the inception of mobile devices and their omnipresence for around a decade, computer security has become ever more important. While we have given much attention to the security of software that runs on our systems, the same level of attention has unfortunately been missing for hardware. Hardware components in our systems were not designed with an appropriate level of security in mind, so we now have quite a lot of difficulties when it comes to the security of the entire system. Typically, people abuse hardware to compromise software or data which is on the system. So, while we mostly focus on hardware security, our research also spans to software security and its interaction with hardware issues.

What brought you to this field? Why does it fascinate you?

I was fascinated by hacking in my teenage years in the late 90s in Iran. It was more from a, let’s say, innocent and “fun” point of view because back then companies or governments were not yet that interested in computer security and the internet was less developed. Very soon I realized that there are these magical pieces of code called "exploits" that hackers use to compromise computers remotely. Building these exploits required lots of puzzle-solving and a good understanding of how computers work. The challenges involved got me hooked pretty quickly. I am still hooked and a bit jealous of my students who get to do most of the action nowadays.

Since I wanted to understand better how computers work, I did my Bachelor’s degree in Computer Science in the Department of Mathematical Sciences at Sharif University of Technology in Tehran. For my Master’s studies, or even for directly starting a PhD, I could have gone to the USA to continue working on theoretical aspects of computer science, but I chose ETH Zurich because here I had the opportunity to learn more about the practical side of computer systems. With computer security gaining more importance, my transition from computer systems to this exciting new field then came quite naturally.

Blacksmith fuzzer
By systematically testing many devices, researchers from the ETH Computer Security Group and partners discovered a serious hardware vulnerability affecting mobile phones, PCs and laptops.

What is the impact of your research on society? And what are currently the biggest challenges in your field of research?

Everyone likes to trust their mobile phone or laptop when they enter their sensitive information. However, if we do not react now and close the security gaps we currently have in our hardware, in a few years, hackers will inevitably start using these gaps to compromise systems as it becomes harder to hack systems in other ways. This means that one day, not only persons of interest (such as a journalist or an activist), but anybody could become a target.

We currently study cases where consumers’ trust is severely compromised by various security problems and explore alternative designs that lead to more trustworthy systems. As an example, we have recently shown cases where computer hardware has major security problems and are currently busy building systems that withstand these new classes of attacks. That is the most important societal impact I would say. The other thing we do is to push companies to improve security for everyone. Companies want to sell their products or services, and consequently their interests are not necessarily always aligned with the interests of the public. So, I sometimes refer to us as a kind of "public prosecutors": Being independent from companies, we have the freedom to explore security problems in widely-used products and draw people’s attention to these problems. That said, sometimes the problems are difficult to address. In these cases, we often collaborate and help companies fix security problems in their products. We have done this successfully with companies such as Microsoft, Google and Intel to name a few.

We are also in touch with the Swiss government. It is sometimes very valuable to have an official intermediary to deal with security issues instead of directly talking to a producer. When I came back to Switzerland in 2020, I realized that unfortunately we do not yet have a legal entity that can help us with these matters. Fortunately, I knew Florian Schütz, the federal Cyber Security Delegate, from my study times at ETH. He set up the responsible disclosure process which we used for the first time this year to report a security problem. I am proud to say that the first CVE ever issued in Switzerland was for a hardware vulnerability we reported in 2021.
 

“I sometimes refer to us as a kind of ‘public prosecutor’: Being independent from companies, we have the freedom to explore security problems in widely-used products.”
Prof. Kaveh Razavi

As we heard, you did your Master’s studies in Computer Science at D-INFK. How was it to come back to ETH Zurich after nine years in Amsterdam?

Coming back during the pandemic in summer 2020 was a little bit strange, and there are a few fellow professors I still haven’t met in person. But many of my study friends are still in Zurich and they made me feel like I never left! It is very interesting to see how the university operates by being on the "other" side. As a student, I rarely thought about the organization of the university and how certain courses that I enjoyed came to be. It is also a great privilege to have some of my former professors, e.g. Roger Wattenhofer, now as my colleagues.

Are you collaborating with other people at D-ITET or other departments at ETH Zurich?

Yes, we collaborate with hardware-oriented colleagues at D-ITET such as Prof. Onur Mutlu’s group for certain hardware issues and Prof. Luca Benini’s group, mostly for secure CPU design. The colleagues at the DZ (Microelectronics Design Center), led by Frank Gürkaynak, are also very supportive when we need help getting a piece of hardware design working. The DZ is one of the reasons why I actually came back to ETH Zurich. No other university I know of in Europe has their own end-to-end chip design! We also regularly interact with Prof. Srdjan Capkun and his group at D-INFK as part of various projects, such as the NCCR Automation that covers many groups at both D-ITET and D-INFK. I hope to establish more collaborations over time!

How do you like ETH as a research institution?

I like it a lot. I am amazed about the quality and impact of research at ETH every time I attend a talk by a colleague or read about their research. Having experienced many different research environments, I find this very unique and inspiring. What I find great here at D-ITET is that it is such a diverse department bringing together various different ideas, research areas and cultures.

How is your group composed? Are you currently looking for doctoral students?

We are a tight-knit group composed of five doctoral students from five different countries, two of whom came with me from Amsterdam, and myself. The students have very diverse backgrounds, from biomedical engineering to cryptography. This diversity is enabling us to do projects that are different and innovative in their own ways. We currently have an open position and ETH students are more than welcome to apply! We also have many interesting semester or thesis projects for students who are curious about security and want to give it a try.

COMSEC group retreat in the canton of Graubünden in July 2021

What courses are you teaching this semester and will you teach next semester?

This semester we are teaching a research-oriented Master’s course in Hardware Security where the students learn by replicating some of the most advanced recent hardware attacks in existence. We provide them with the necessary infrastructure to play with and do a "demo day" with an award at the end of the semester. Sometimes the students come up with better ideas than we did in our research papers! Next semester, we will be teaching a revamped version of Computer Engineering. We have been busy for almost a year designing an OS kernel for the sole purpose of training our Bachelor’s students in Computer Engineering topics. We are looking forward to teaching this redesigned course to more than 200 students!

Do you think the Corona pandemic will have a lasting effect on teaching and research?

Yes, certainly. We had to adapt both research and education to deal with the pandemic. I hope that some of the positive developments, such as availability of course materials online as well as the possibility for attending conferences remotely or in a hybrid setting remain in place after the pandemic is over. That said, I am also personally looking forward to more in-person teaching and conferences. It feels much more rewarding to interact with students in person.

Professors at D-ITET

In our interview series, professors at D-ITET give an insight into their research and personal motivation to go into academia.
