The founders of Emproof – Marc Fyrbiak, Philipp Koppe and Tim Blazytko – met at Germany’s Ruhr-Universität Bochum while researching IT security. Marc worked on the hardware security side, while Philipp and Tim focused on research in software security.
For Marc, computer security is an interest that goes all the way back to his schooldays – but he didn’t realise it would eventually involve running a company. We asked him how he got from a teenage fascination with computers to founding Emproof.
My area of expertise is mainly hardware security. I was always fascinated by computers and security. Even at school I was constantly asking “what’s going on?” “How does it work?” “How is it protected?”
I even did some internships at some very large organisations where I had a chance to look at networks and get round firewalls. At university, however, I moved towards the theory side, math and cryptanalysis, before moving back into practical areas such as hardware reverse engineering: how chips are built, how hardware security systems can be manipulated and circumvented. I also worked on the software side, but my area of expertise is mainly in hardware security. So, what I bring to the table for Emproof is the hardware security view but also relevant experience in building software systems.
It’s the overall product that we build that excites me most: the fact that it adds value to the overall state of embedded security and software security – and that building it is so challenging. We’ve tried to answer the question: How do you ensure support for multiple architectures but also create a solution that has minimal impact on performance and memory overhead? If the security is 100 times the size of the original functionality it might be the most secure system imaginable, but it would not be viable for commercial use. That’s why we had to find a way to develop a solution with a limited impact on the original product.
There’s also supporting software involved in achieving this functional safety: test systems that customers do not see but that are vital to the product value proposition. Some assume that if they apply our solution their software works as intended. Making that happen involves these advanced test and validation systems. That, again, is both exciting and challenging.
There’s a lot of exciting developments that would provide solutions to the problems facing industry. So many cool things are happening that use embedded systems and that will affect our daily lives. Specifically, in the field of automotive with sophisticated software and hardware to build autonomous systems, and the medical field where smart sensors are used for monitoring and diagnostics.
Yes and no. A lot of systems are not attacked by the most sophisticated attackers. Most of the systems we have seen – and sometimes also attacked ourselves for demonstration purposes – have no software security implemented at all. In that regard yes, it’s good that legal requirements are being introduced. As a security engineer I would love to see security measurements or functionality already in place. It’s better for the overall state of embedded systems.
But bear in mind when we started it was unclear how to build such a solution. This is why we spent a couple of years in research to develop Emproof Nyx. We needed to develop something that would work everywhere – because embedded systems are heterogeneous in the underlying hardware – but that also had minimal impact on memory, performance and latency, and would be compliant with functional safety.
At the time such a solution didn’t exist. We needed to come up with new algorithms and strategies custom-tailored for embedded systems to achieve the software security properties and low overhead we were aiming for. You can’t just take something that works on your laptop and put it in an embedded system and hope for the best. So I’m glad the law is supporting our efforts. But developing this sort of security and getting it adopted is not a simple process.
Again, yes and no. We sometimes ask potential customers: “Who’s running your security department?” and they go blank. After all, if I’m building a pacemaker, and it doesn’t work, somebody is responsible. For security this wasn’t always the case. If people now must be legally responsible for security, that’s good. Awareness is growing now. You can’t just ship a product and hope it doesn’t get hacked.
However, the problem is a lot of systems are out there with a lot of vulnerabilities that are sometimes not exploited because attackers haven’t tried yet – and designers don’t realise the vulnerabilities exist. I’ve been shown systems where I’ve found and exploited a major security flaw in minutes. The owners have said it was secure for 10 years. It wasn’t. It’s just that no one had tried. So, awareness is still a tricky subject.
It’s always the right time to find a security solution for any problem. It’s just that we have done so at a time when companies feel they can no longer legally leave security as an afterthought. We’ve also been able to get the overhead numbers down. Support for ubiquitous high-volume low-end embedded systems is now possible.
Having a company was not on the initial agenda! At school I just wanted to understand how these things can be done to computers – whether I found a job in that domain or not. Running a company was not really on my radar until my PhD. The three of us demonstrated attacks on systems and we were asking ourselves: Why is this so easy? What’s missing and why? What security solution would prevent us from being able to do this?
It was a huge success for Emproof to receive a government grant to build demonstrators and conduct research into how to develop something that could deliver IP protection in embedded systems with limited overhead – as a new program for the ministry it showed they had real trust in our expertise and what we could deliver. That took a couple of years. Then we translated that knowledge into a company and founded Emproof. And here we are!
We think we will play an important role in the embedded software security domain, both as a driver for the market and as a provider of effective security solutions. As for the next five years, by 2028 we hope to be securing many products across several sectors and providing real security value.