Carlton Shepherd

Quick links: Publications · Google Scholar · Contact

Last updated: March 2026

I am an Assistant Professor in Computer Science at Durham University, United Kingdom. Before this role, I was a Lecturer in Computer Science at Newcastle University and a Senior Research Fellow at the Information Security Group (ISG) at Royal Holloway, University of London.

I was previously at Atom Bank, the UK's first mobile bank; and at OneSpan, a NASDAQ-listed financial technology vendor, based at their Innovation Centre in Cambridge, working on the design and implementation of privacy-enhancing technologies.

My expertise centres broadly around mobile security, trusted execution environments, sensor data analysis, and side-channel analysis.

• Trusted Execution Environments (TEEs), remote attestation, and platform trust.
• Mobile and embedded systems security, including side-channel and sensor-enabled attacks.
• Privacy-enhancing technologies and secure analytics.

If you are interested in pursuing a project, Ph.D. etc. on the above topics, then please reach out at carlton.g.shepherd@durham.ac.uk.

I hold a Ph.D. from Royal Holloway, University of London, and a B.Sc. in Computer Science from Newcastle University.

My technical publications can be found on my Publications page or on Google Scholar.

TEE Book

I'm pleased announce the release of our book, Trusted Execution Environments, published by Springer. We take a holistic view of TEEs, looking at operating system-level controls, containers and secure elements, those based on the Trusted Platform Module (TPM), and modern technologies such as Arm TrustZone, AMD SEV, and Intel SGX and TDX. Available from various retailers, including:

• Springer: https://link.springer.com/book/10.1007/978-3-031-55561-9
• Amazon: https://a.co/d/2QqU4DJ
• Barnes & Noble: https://www.barnesandnoble.com/w/trusted-execution-environments-carlton-shepherd/1144820147

News

• 📌 New: Appointed Associate Editor of the Journal of Information Security and Applications.
• I've joined the Editorial Board of Scientific Reports (Nature).
• New paper on control-flow attestation in Computers & Security. We present the first comprehensive look at using control-flow information for building trust in a target platform. You can read the paper here.
• I have a new Python package on multi-set hashing, pymsh, which implements the schemes by Clarke et al. (Asiacrypt '03).
• I've been awarded Fellowship (FHEA) status from the Higher Education Academy in recognition of high-quality teaching and support for student experience in higher education.
• At Newcastle, I am a co-investigator of one of NCSC's Academic Centres of Excellence in Cyber Security Research (ACE-CSR), a part of GCHQ, recognising internationally leading cyber security research.
• Our project, Chameleon, has been funded by EPSRC (~£1m). Here, we're tying CPU execution to environmental attributes, developing methods to prevent physical attacks that 'brick' the device when it's (physically) perturbed post-deployment.
• Our work on new firmware-level side-channel attacks on Android devices has been published in IEEE Transactions on Dependable and Secure Computing. We show that methods for sensor measurement distribution to multiple applications can expose some quite nasty attacks which are difficult to rectify. Namely, we show how attackers can create covert channels that completely bypass the Android permissions system, as well as identifying types of sensor-enabled applications.

• Our work on recognising black-box functions using hardware performance counters (HPCs) was accepted to IEEE Transactions on Computers. We show that HPCs on mainstream processors can be used as a side-channel for vulnerability detection (using OpenSSL as a use case), interrogating trusted execution environments (using OP-TEE and ARM TrustZone), and general function fingerprinting with high accuracy. The paper can be read here.

  We comprehensively show that combining modalities, e.g. L1 cache hits, TLB misses, branch mis-predictions and more, is far more powerful than using individual ones explored up to this point. Personally, it's reasonable to expect that multi-modal micro-architectural attacks will be a source of major security problems; far more than, say, Spectre-style speculative execution or cache attacks alone.

• In January 2023, I left Royal Holloway and joined Durham University as an Assistant Professor in Computer Science.

Contact

I can be found on X/Twitter (@carltonshep), LinkedIn, and by email at carlton.g.shepherd@durham.ac.uk.

Service

Programme Committee member for SecureComm 2026, IFIP SEC 2026, IFIP SEC 2025, IFIP SEC 2024 and ACM TAS 2024.

I am also a regularly invited reviewer for many journals, including:

• IEEE Transactions on Information Forensics and Security (TIFS)
• IEEE Transactions on Dependable and Secure Computing (TDSC)
• IEEE Transactions on Computers (TC)
• IEEE Transactions on Cybernetics
• ACM Transactions on Intelligent Systems and Technology (TIST)
• IEEE Internet of Things Journal
• IEEE Systems Journal
• Computers & Security, Elsevier
• Journal of Cryptographic Engineering, Springer
• EURASIP Journal on Wireless Communications and Networking, Springer
• Journal of Systems and Software, Elsevier

Teaching

I've been involved in the following courses:

• Durham University - Blockchain and Cryptocurrencies (2025/2026).
• (Module Leader) Newcastle University - Network Security and Ethical Hacking (2023/2024 - 2025/2026).
• (Module Leader) Newcastle University - Web Technologies (2023/2024 - 2025/2026).
• (Co-module Leader & Lecturer) Newcastle University - Advanced Topics in Cyber Security (2023/2024 - 2025/2026).
• (Co-module Leader & Lecturer) Newcastle University - Research Methods Group Project in Cyber Security (2022/2023 and 2023/2024).
• (Lecturer) Newcastle University - UGT System and Network Security (2024/2025 - 2025/2026).
• Royal Holloway - Smart Cards, RFID and Embedded Systems Security (Guest Lecturer; 2019-Present)

Grants

• Principal investigator (PI): CyberShip: A Portable Cyber Security Training Programme for Underserved Communities in the North East, Innovate UK/CyberLocal. Project total: £45,000. (2025-2026)
• Co-investigator (Co-I): Chameleon: Dynamic Device-Unique Confidentiality and Fingerprinting, EPSRC (EP/Y030168/1). Project total: £783,319 (c.£250k, Newcastle).
  • We are developing a new security-enhanced CPU platform that binds functional units to the device's environment. This project is in collaboration with colleagues from the University of Essex and University of Manchester, with partners from aerospace and security. (2024-2027)
• Principal investigator (PI): Tensorcrypt: Democritising Encrypted Data Analytics, Innovate UK, UKRI. Project total: £73,740 (Apr. '21 - Feb. '22).
  • This project developed a proof-of-concept privacy-preserving machine learning platform for collaborative analytics in sensitive domains (e.g. transaction fraud), delivered through Innovate UK's CyberASAP programme.