Jorge Barredo Ferreira
PhD in Industrial Cybersecurity · Software Security Engineer
I find security weaknesses in the software running on IoT and embedded devices — connected hardware that powers critical infrastructure, industry, and everyday products — before they can be exploited. My PhD (Mondragon Unibertsitatea, cum laude, research stay at UCL London) focused on automating this process: I built tools that stress-test device software at scale using fuzzing and LLMs, and use side-channel analysis — physical hardware signals — to detect hidden flaws, earning a 🥈 Young CRITIS Award along the way. Previously I worked on 5G network security at Ericsson, industrial device certification at DNV, and high-performance computing research at Barcelona Supercomputing Center.
Background
I am an Embedded/Firmware Software Security Engineer with a PhD in Industrial Cybersecurity (Mondragon Unibertsitatea, cum laude). My work centres on firmware security and vulnerability research — building systems that find vulnerabilities in embedded and IoT targets before they reach production, combining coverage-guided fuzzing with hardware-level side-channel analysis.
My PhD was carried out at IKERLAN Technology Research Centre, producing four frameworks — CARNYX, GJALLARHORN, GAFLERNA, and TRENTI — that integrate power, electromagnetic, and timing side-channel signals into fuzzing campaigns without source code access. I did a research stay at University College London as visiting PhD researcher in the SOLAR Group, collaborating with Prof. Justyna Petke and Prof. David Clark.
🥈 Young CRITIS Award 2025 — 2nd Place: recognised for work on LLM-generated seeds for firmware fuzzing of critical infrastructure — the only external award in this space at CRITIS 2025, directly relevant to vulnerability detection R&D.
Collaborations: co-authored with researchers at UCL SOLAR Group (Prof. Justyna Petke, Prof. David Clark, Dan Blackwell) and with Dr. Mikel Iturbe and Dr. Maialen Eceiza at IKERLAN/Mondragon. All four security frameworks were developed and validated in close collaboration with domain experts across hardware, software, and signal processing.
Before my PhD I worked at Ericsson on 5G core security, at DNV on protocol conformance testing for energy devices, and at Barcelona Supercomputing Center on FPGA acceleration for graph workloads.
I hold two MSc degrees from Universidad Carlos III de Madrid and a BSc from Universidad de Cantabria (Honours thesis, 10/10).
Beyond security, I have a genuine interest in AI and large language models — applied to fuzzing seed generation for critical infrastructure (CRITIS 2025), learning analytics tools, and automated vulnerability triage. I find the intersection of AI and security one of the most exciting research directions today.
Technical Focus
Published Papers
@inproceedings{Barredo2025Sow,
title = {Sow Smarter, Not Harder: Evaluating {LLM}-generated
Seeds for Fuzzing Critical Infrastructure},
author = {Barredo, Jorge and Eceiza, Maialen and
Flores, {Jose Luis} and Iturbe, Mikel},
booktitle = {Proceedings of the 20th International Conference on
Critical Information Infrastructures Security
({CRITIS} 2025)},
year = {2025},
month = oct,
location = {J{\"o}nk{\"o}ping, Sweden},
publisher = {Springer}
}
@article{Barredo2025Gjallarhorn,
title = {GJALLARHORN: A framework for vulnerability detection via
electromagnetic side-channel analysis in embedded systems},
author = {Barredo, Jorge and Eceiza, Maialen and
Flores, {Jose Luis} and Iturbe, Mikel},
journal = {Computers {\&} Security},
pages = {104692},
year = {2025},
issn = {0167-4048},
doi = {10.1016/j.cose.2025.104692}
}
@article{Barredo2025Carnyx,
title = {CARNYX: A framework for vulnerability detection via
power consumption analysis in embedded systems},
author = {Barredo, Jorge and Eceiza, Maialen and
Flores, {Jose Luis} and Iturbe, Mikel},
journal = {International Journal of Information Security},
volume = {24},
number = {4},
pages = {172},
year = {2025},
issn = {1615-5270},
doi = {10.1007/s10207-025-01092-2}
}
@inproceedings{Barredo2025Gaflerna,
title = {{GAFLERNA} {Ahoy!} Integrating {EM} Side-Channel
Analysis into Traditional Fuzzing Workflows},
author = {Barredo, Jorge and Petke, Justyna and Clark, David
and Blackwell, Dan and Eceiza, Maialen and
Flores, {Jose Luis} and Iturbe, Mikel},
booktitle = {Proceedings of the 33rd {ACM} International
Conference on the Foundations of Software Engineering},
series = {{FSE} Companion '25},
pages = {550--554},
year = {2025},
isbn = {9798400712760},
location = {Trondheim, Norway},
publisher = {Association for Computing Machinery},
doi = {10.1145/3696630.3728497}
}
@inproceedings{MorenoMarcos2023Statoodle,
title = {Statoodle: A Learning Analytics Tool to Analyze
{Moodle} Students' Actions and Prevent Cheating},
author = {Moreno-Marcos, Pedro Manuel and Barredo, Jorge and
Mu{\~n}oz-Merino, Pedro J. and Delgado Kloos, Carlos},
booktitle = {Responsive and Sustainable Educational Futures:
18th European Conference on Technology Enhanced Learning,
{EC-TEL} 2023},
series = {Lecture Notes in Computer Science},
volume = {14200},
pages = {736--741},
year = {2023},
isbn = {978-3-031-42681-0},
location = {Aveiro, Portugal},
publisher = {Springer-Verlag},
doi = {10.1007/978-3-031-42682-7_70}
}
Research & Projects
These four frameworks form a coherent research programme — each one extending the previous. CARNYX established power-based vulnerability classification. GJALLARHORN moved to electromagnetic signals, enabling non-contact detection. GAFLERNA closed the loop: EM feedback integrated live into AFL++ during a fuzzing campaign. TRENTI combined all three channels simultaneously for full multimodal in-loop guidance.
Multimodal in-loop side-channel feedback for embedded fuzzing — simultaneous EM, power, and timing signals feeding AFL++ via Firm-AFL/QEMU under full black-box conditions.
TRENTI addresses a fundamental limitation of firmware fuzzing: when no source is available and the target runs on real hardware or emulation, standard coverage signals become unreliable. TRENTI closes this by simultaneously capturing EM, power, and timing signals during a campaign, feeding them back to AFL++ as composite hardware-level coverage.
The framework integrates with Firm-AFL/QEMU for full-system emulation and falls back to direct hardware measurement for bare-metal. A custom feedback bridge translates physical signal deviations — detected via HDBSCAN on EM traces — into edge discovery events guiding AFL++ mutation. Cross-modal triangulation diagnoses anomalies without decompilation.
First integration of live EM side-channel analysis as an in-loop oracle in AFL++ for IoT firmware — no target modification, no source code, no recompilation.
GAFLERNA treats the device’s electromagnetic field as a real-time anomaly detector. During each AFL++ execution, a near-field probe and SDR record an EM trace, classified by a pre-trained HDBSCAN model. Anomalous traces trigger a virtual crash to AFL++ — preserving the input in the crash corpus without touching the binary or requiring debug symbols.
Evaluated on four programs compiled for STM32, validated against ground-truth ASan findings. Outperforms prior EM monitoring approaches that required labelled datasets — GAFLERNA operates entirely unsupervised, in-loop.
Firmware security outcome: Enables vulnerability discovery in shipping IoT firmware with no source code — directly applicable to closed binary targets in automotive, industrial, and consumer embedded devices.
Automated EM side-channel framework classifying 16 firmware vulnerability types non-invasively — validated on STM32 and Raspberry Pi without source code or debug interfaces.
GJALLARHORN asks: can we detect that firmware contains a vulnerability by observing EM emissions alone, without triggering the bug? The answer is yes — for a broad class of memory and arithmetic flaws. The framework automates trace acquisition, signal conditioning, time-frequency decomposition, and multi-class ML classification.
Key insight: different flaw types produce characteristic EM signatures. Buffer overflows generate irregular DRAM bursts; divide-by-zero creates truncated traces; memory leaks manifest as monotonically growing heap traffic patterns.
Vulnerability detection outcome: Non-invasive pre-deployment screening for 16 flaw categories — reduces the attack surface before firmware ships, without requiring instrumentation or debug access to the target device.
Power side-channel analysis framework for pre-deployment vulnerability detection — classifying 16 distinct flaw types across three hardware platforms, up to 99.69% recall, no source code required.
CARNYX establishes the series’ core methodology: classify which type of software vulnerability is present in running firmware using only its power consumption signature — before any crash occurs. A current probe on the supply rail, no firmware modification. An unsupervised HDBSCAN model builds a behavioural baseline; new traces are compared to detect and categorise deviations across 16 distinct flaw categories.
First to quantify how peripheral selection affects SCA leakage quality — a previously underexplored variable. Results directly inform attack surface prioritisation in firmware security assessments.
Security assessment outcome: Identifies vulnerability class from power trace alone — no source, no binary modification, no debug interface. Demonstrated on STM32F4 (99.69% recall) and BeagleBone Black across arithmetic and memory safety flaws.
Learning analytics platform extending Moodle — quiz performance reports, item difficulty estimates, activity log analysis, and a behavioural warning layer for online assessments.
Built during my Master’s years guided by a simple principle: technology matters when it solves real needs. Statoodle helps instructors make practical use of Moodle data — turning exported reports and logs into actionable teaching information without requiring programming skills.
Presented at EC-TEL 2023 by my colleague Pedro Moreno-Marcos. A free MOOC by Ruth Cobos Pérez, Pedro, Antonio Balderas, Miguel Ángel Conde González, and Manuel Freire has since spread the tool across Spanish universities, with strong uptake in the education community.
Work & Education
Designed firmware fuzzing pipelines, developed harnesses, managed corpora with LLM seed generation, triaged crashes with sanitizers and gdb. Integrated EM/power/timing SCA feedback for attack surface prioritisation. Containerised with Docker for CI; aligned with IEC 62443.
International PhD mention. Extended fuzzing with live EM SCA integration — direct output: GAFLERNA at ACM FSE 2025. With Prof. Justyna Petke and Prof. David Clark.
Protocol conformance and interoperability testing for energy/telecom devices (DLMS). Reproducible HW/SW testbeds and Python automation for IEC/ISO certification.
5G core security mechanisms in C/C++ and Python. Configured mTLS and validated Istio sidecar injection in Docker/Kubernetes cloud-native deployments.
FPGA-oriented HW/SW co-design for graph workloads. Bachelor thesis: Accelerating PageRank with ZCU102-ES2 FPGA (10/10, Honours).
Novel Techniques for Embedded Fuzzing with Side-Channel Analysis and Seed Optimisation. Supervised by Dr. Maialen Eceiza and Dr. Mikel Iturbe. International doctorate mention for research stay at UCL.
Thesis: Implementation of a Protocol for Avoiding Negotiation Reset due to Eavesdropping action in Quantum Key Distribution. Proposed a QKD protocol improvement preventing session resets caused by passive eavesdropping in BB84-based networks.
Thesis: Implementation of an External Learning Analytics Tool for Moodle Courses. Designed analytics platform integrating with UC3M's Moodle (Aula Global) — direct predecessor of Statoodle.
Thesis: Accelerating PageRank with ZCU102-ES2 FPGA. HW/SW co-design with Vivado HLS. Supervised by Miquel Moretó Planas (BSC).
Service
- TBD
I regularly review or have reviewed papers for the following journals:
Check my Web of Science profile for more information on my reviewing activity.
- TBD
Let’s Connect
Open to roles in embedded security engineering, firmware vulnerability research, and hardware security R&D — particularly in IoT, automotive, semiconductor, or critical infrastructure sectors.
Available for full-time positions, research collaborations, and consulting.