Please visit View Michael LeMay's profile on LinkedIn for more information.


  • Provide strong Trusted Computing Base (TCB) support for critical systems, including resource-constrained embedded systems.
  • Strengthen the TCB by shrinking it and modifying the processor core to support it.
  • Formally verify that it is secure in realistic operating conditions.

Trustworthy Computing Research

Processor-Supported Whitelist Enforcement

  • XIVE enforces a network-hosted code whitelist for software running on a specially-modified processor.  XIVE could be used to block attacks that rely on code injection, such as the PLC malware injection performed by Stuxnet.
    • The hardware modifications reduce XIVE's performance overhead and reduce the size of its TCB.
    • XIVE's kernel component comprises only 859 instructions.
  • Ph.D. Dissertation: "Compact Integrity-Aware Architectures" at University of Illinois at Urbana-Champaign. Aug. 2011.
  • Publication: Michael LeMay and Carl A. Gunter, "Enforcing Executing-Implies-Verified with the Integrity-Aware Processor," at International Conference on Trust and Trustworthy Computing (TRUST '11). Jun. 2011, Pittsburgh, PA, USA.

Critical Infrastructure TCB Requirements

  • The electric power grid relies on increasing numbers of embedded systems with remotely-upgradeable firmware.
    • Intelligent Electronic Devices (IEDs) in substations
    • Advanced electric meters in Advanced Metering Infrastructure (AMI)
  • Such systems potentially exhibit a variety of security and privacy vulnerabilities.
  • Remote attestation is desirable.  It permits authorized entities to verify that systems are running known firmware, to detect malware.
  • Publication: Michael LeMay, George Gross, Carl A. Gunter and Sanjam Garg: "Unified Architecture for Large-Scale Attested Metering" at Hawaii International Conference on System Sciences (HICSS '07). Jan. 2007, Waikoloa, HI, USA.

Remote Attestation for 32-bit and 8-bit Flash MCUs

  • Flash MCU: MicroController Unit (MCU) with small built-in flash memory and RAM, suitable for use in advanced meters.
  • We implemented remote attestation for a 32-bit flash MCU using only on-chip computational resources to conserve energy and reduce costs.
  • The remote attestation model is cumulative, meaning that all firmware revisions are recorded, not just the latest one.
  • We formally verified that our prototype satisfies important security and fault-tolerance properties using the Maude model checker.
  • Popular 8-bit flash MCUs do not have sufficient resources to support remote attestation in a standalone configuration.
  • We developed a remote attestation solution that offloads some work to a secondary 8-bit flash MCU.
  • Ph.D. Dissertation: "Compact Integrity-Aware Architectures" at University of Illinois at Urbana-Champaign. Aug. 2011.
  • Publication: Michael LeMay and Carl A. Gunter: "Cumulative Attestation Kernels for Embedded Systems" in IEEE Transactions on Smart Grid. Jun. 2012.

Other Research

Architectures for Effective Demand Response

  • Demand response: A process whereby an electricity consumer receives information from an electricity provider at a relatively fast rate and modifies their demand in response.
  • We propose and demonstrate an architecture for automating this process in the presence of multiple loci of control.
  • Example: An in-home-display centrally dims lighting in response to rising electricity prices, and a smart clothing dryer decides independently to turn off its heating element.
  • Publication: Michael LeMay, Rajesh Nelli, George Gross and Carl A. Gunter: "An Integrated Architecture for Demand Response Communications and Control" at Hawaii International Conference on System Sciences (HICSS '08). Jan. 2008, Waikoloa, HI, USA.

Opportunistic Use of Heterogeneous Networks for Emergency Response

  • Common networks may become disconnected during disasters.
  • We show how ad-hoc networking techniques can permit limited communication to occur over heterogeneous networks that happen to survive.
  • We demonstrate our technique using IP and a resilient mesh protocol, ZigBee, which is similar to some AMI networks that will be widely-deployed and thus potentially useful in a disaster scenario.
  • M.S. Thesis: "Dependable Emergency-Response Networking Based on Retaskable Network Infrastructures" University of Illinois, 2008.

Power Analysis for Remote Sensor Node Diagnosis

  • Sensors sometimes exhibit in-situ failures and are unable to communicate with the base station to indicate their status.
  • Some failures require immediate remedies to preserve critical sensor functionality, whereas others are solely communication-related.
  • We developed a parallel sensor network with independent radios to transmit and analyze power measurements from sensor nodes and thus distinguish between their failure modes to support appropriate responses.
  • Publication: Mohammad Maifi Hasan Khan, Hieu K. Le, Michael LeMay, Parya Moinzadeh, Lili Wang, Yong Yang, Dong K. Noh, Tarek Abdelzaher, Carl A. Gunter, Jiawei Han and Xin Jin: "Diagnostic Powertracing for Sensor Node Failure Analysis" at ACM/IEEE International Conference on Information Processing in Sensor Networks (IPSN '10). Apr. 2010, Stockholm, Sweden.

Complete Publication Listing