Jorge Barredo Ferreira
Embedded/Firmware Software Security Engineer · PhD in Industrial Cybersecurity
I am a security engineer with a PhD in Industrial Cybersecurity and a track record across embedded systems, 5G networks, industrial protocols, and high-performance computing. I enjoy working at the boundary between hardware and software — finding vulnerabilities that conventional tools miss, building the infrastructure to reproduce them, and understanding why they exist at the hardware level. I also have a genuine interest in AI and LLMs, which I have applied to learning analytics, fuzzing seed generation, and vulnerability triage. Research stay at University College London.
Background
I am an Embedded/Firmware Software Security Engineer with a PhD in Industrial Cybersecurity (Mondragon Unibertsitatea, cum laude). I work at the intersection of software testing and hardware observability — building systems that find vulnerabilities in firmware before they reach production.
My PhD was carried out at IKERLAN Technology Research Centre, producing four frameworks — CARNYX, GJALLARHORN, GAFLERNA, and TRENTI — that integrate power, electromagnetic, and timing side-channel signals into fuzzing campaigns without source code access. I did a research stay at University College London as visiting PhD researcher in the SOLAR Group, collaborating with Prof. Justyna Petke and Prof. David Clark.
Before my PhD I worked at Ericsson on 5G core security and cloud-native service mesh hardening, at DNV on protocol conformance testing for energy and telecom devices, and at Barcelona Supercomputing Center on FPGA acceleration for graph workloads.
I hold two MSc degrees from Universidad Carlos III de Madrid — Cybersecurity and Telecommunication Engineering — and a BSc in Telecommunication Technologies from Universidad de Cantabria (Honours thesis, 10/10).
Beyond security, I have a genuine interest in AI and large language models — I have used them to generate fuzzing seeds for critical infrastructure software (published at CRITIS 2025), to build learning analytics tools, and for automated vulnerability triage. I find the intersection of AI and security one of the most exciting research directions today.
Published Papers
@article{Barredo2025Carnyx,
title = {CARNYX: A framework for vulnerability detection via
power consumption analysis in embedded systems},
author = {Barredo, Jorge and Eceiza, Maialen and
Flores, {Jose Luis} and Iturbe, Mikel},
journal = {International Journal of Information Security},
volume = {24},
number = {4},
pages = {172},
year = {2025},
issn = {1615-5270},
doi = {10.1007/s10207-025-01092-2}
}
@article{Barredo2025Gjallarhorn,
title = {GJALLARHORN: A framework for vulnerability detection via
electromagnetic side-channel analysis in embedded systems},
author = {Barredo, Jorge and Eceiza, Maialen and
Flores, {Jose Luis} and Iturbe, Mikel},
journal = {Computers \& Security},
pages = {104692},
year = {2025},
issn = {0167-4048},
doi = {10.1016/j.cose.2025.104692}
}
@inproceedings{Barredo2025Gaflerna,
title = {{GAFLERNA} {Ahoy!} Integrating {EM} Side-Channel
Analysis into Traditional Fuzzing Workflows},
author = {Barredo, Jorge and Petke, Justyna and Clark, David
and Blackwell, Dan and Eceiza, Maialen and
Flores, {Jose Luis} and Iturbe, Mikel},
booktitle = {Proceedings of the 33rd {ACM} International
Conference on the Foundations of Software Engineering},
series = {{FSE} Companion '25},
pages = {550--554},
year = {2025},
isbn = {9798400712760},
location = {Trondheim, Norway},
publisher = {Association for Computing Machinery},
doi = {10.1145/3696630.3728497}
}
@inproceedings{Barredo2025Sow,
title = {Sow Smarter, Not Harder: Evaluating {LLM}-generated
Seeds for Fuzzing Critical Infrastructure},
author = {Barredo, Jorge and Eceiza, Maialen and
Flores, {Jose Luis} and Iturbe, Mikel},
booktitle = {Proceedings of the 20th International Conference on
Critical Information Infrastructures Security
({CRITIS} 2025)},
year = {2025},
month = oct,
location = {J\"onk\"oping, Sweden},
publisher = {Springer}
}
@inproceedings{MorenoMarcos2023Statoodle,
title = {Statoodle: A Learning Analytics Tool to Analyze
{Moodle} Students' Actions and Prevent Cheating},
author = {Moreno-Marcos, Pedro Manuel and Barredo, Jorge and
Mu{\~n}oz-Merino, Pedro J. and Delgado Kloos, Carlos},
booktitle = {Responsive and Sustainable Educational Futures:
18th European Conference on Technology Enhanced Learning,
{EC-TEL} 2023},
series = {Lecture Notes in Computer Science},
volume = {14200},
pages = {736--741},
year = {2023},
isbn = {978-3-031-42681-0},
location = {Aveiro, Portugal},
publisher = {Springer-Verlag},
doi = {10.1007/978-3-031-42682-7_70}
}
Research & Projects
Multimodal in-loop side-channel feedback for embedded fuzzing — simultaneous EM, power, and timing signals feeding AFL++ via Firm-AFL/QEMU under full black-box conditions.
TRENTI addresses a fundamental limitation of firmware fuzzing: when no source is available and the target runs on real hardware or emulation, standard coverage signals become unreliable. TRENTI closes this gap by simultaneously capturing EM, power, and timing signals during a campaign and feeding them back to AFL++ as composite hardware-level coverage.
The framework integrates with Firm-AFL/QEMU for full-system emulation and falls back to direct hardware measurement for bare-metal. A custom feedback bridge translates physical signal deviations — detected via HDBSCAN on EM traces — into edge discovery events guiding AFL++ mutation. Cross-modal triangulation diagnoses anomalies without decompilation.
First integration of live EM side-channel analysis as an in-loop oracle in AFL++ for IoT firmware — no target modification, no source code, no recompilation.
GAFLERNA treats the device's electromagnetic field as a real-time anomaly detector. During each AFL++ execution, a near-field probe and SDR record an EM trace, classified by a pre-trained HDBSCAN model. Anomalous traces trigger a virtual crash to AFL++ — preserving the input in the crash corpus without touching the binary or requiring debug symbols.
Evaluated on four programs compiled for STM32, validated against ground-truth ASan findings. Outperforms prior EM monitoring approaches that required labelled datasets — GAFLERNA operates entirely unsupervised, in-loop.
Automated EM side-channel measurement framework classifying 16 firmware vulnerability types non-invasively — validated on STM32 and Raspberry Pi, without source code or debug interfaces.
GJALLARHORN asks: can we detect that firmware contains a vulnerability simply by observing EM emissions, without triggering the bug? The answer is yes — for a broad class of memory and arithmetic flaws. The framework automates trace acquisition, signal conditioning, time-frequency decomposition, and multi-class ML classification, distinguishing 16 distinct vulnerability categories.
Key insight: different flaw types produce characteristic EM signatures. Buffer overflows generate irregular DRAM bursts; divide-by-zero creates truncated traces; memory leaks manifest as monotonically growing heap traffic.
Power side-channel analysis framework for pre-deployment vulnerability detection — classifying 16 flaw classes across three hardware platforms, up to 99.69% recall, no source code required.
CARNYX establishes the series' core methodology: classify which type of software vulnerability is present in running firmware using only its power consumption signature — before any crash occurs. A current probe on the supply rail, no firmware modification. An unsupervised HDBSCAN model builds a behavioural baseline; new traces are compared to detect and categorise deviations across 16 distinct flaw categories.
First to quantify how peripheral selection affects SCA leakage quality — a previously underexplored variable. Results directly inform attack surface prioritisation in firmware security assessments.
Learning analytics platform extending Moodle — quiz performance reports, item difficulty estimates, structured Excel outputs from activity logs, and a behavioural warning layer for online assessments.
Built during my Master's years guided by a simple principle: technology matters when it solves real needs. Statoodle helps instructors make practical use of Moodle data — turning exported reports and logs into actionable teaching information without requiring programming skills.
Presented at EC-TEL 2023 by my colleague Pedro Moreno-Marcos. A free MOOC by Ruth Cobos Pérez, Pedro, Antonio Balderas, Miguel Ángel Conde González, and Manuel Freire has since spread the tool across Spanish universities, with strong uptake in the education community. If you're a Moodle instructor, I encourage you to try the free MOOC.
Work & Education
Designed and operated firmware fuzzing pipelines. Developed harnesses, managed corpora with LLM seed generation, triaged crashes with sanitizers and gdb. Integrated EM/power/timing SCA feedback for attack surface prioritisation. Containerised with Docker for CI; aligned with IEC 62443.
International PhD mention. Extended fuzzing with live EM SCA integration — direct output: GAFLERNA at ACM FSE 2025. Worked with Prof. Justyna Petke and Prof. David Clark.
Protocol conformance and interoperability testing for energy/telecom devices (DLMS). Reproducible HW/SW testbeds and Python automation for IEC/ISO certification.
5G core security mechanisms in C/C++ and Python. Configured mTLS and validated Istio sidecar injection in Docker/Kubernetes cloud-native deployments.
FPGA-oriented HW/SW co-design for graph workloads. Bachelor thesis: Accelerating PageRank with ZCU102-ES2 FPGA (10/10, Honours).
Novel Techniques for Embedded Fuzzing with Side-Channel Analysis and Seed Optimisation. Frameworks: CARNYX, GJALLARHORN, GAFLERNA, TRENTI. Supervised by Dr. Maialen Eceiza and Dr. Mikel Iturbe. International doctorate mention awarded for research stay at UCL.
Thesis: Protocol for Avoiding Negotiation Reset due to Eavesdropping in Quantum Key Distribution. Proposed a protocol improvement for QKD networks that prevents negotiation session resets caused by passive eavesdropping — a vulnerability in BB84-based implementations that can disrupt key exchange without triggering standard intrusion detection.
Thesis: External Learning Analytics Tool for Aula Global Courses. Designed and implemented an analytics platform integrating with UC3M's Aula Global (Moodle-based LMS) to provide instructors with interactive dashboards for monitoring student engagement, quiz performance, and activity patterns. This work later evolved into Statoodle.
Thesis: Accelerating PageRank with ZCU102-ES2 FPGA. Implemented the PageRank graph algorithm on the Xilinx ZCU102 UltraScale+ MPSoC, exploiting HW/SW co-design with Vivado HLS to achieve significant speedup over CPU baselines through memory access optimisation and pipeline parallelism. Supervised by Miquel Moretó Planas (BSC).
Let's Connect
Open to roles in embedded security engineering, firmware vulnerability research, and hardware security R&D — particularly in IoT, automotive, semiconductor, or critical infrastructure sectors.
Available for full-time positions, research collaborations, and consulting.