Final Project Ideas
Things to attack / analyze
- Dedicated browsers running in unusual environments (Google Chromecast, other “smart” TV systems)
- CyanogenMod (an Android distribution) has a new “Find My iPhone” style service that claims to preserve user privacy, and the author has asked for third parties to look over his work. That could be you. Alternatively, you could examine Google’s new Android Device Manager, which does the same thing. (It’s probably easier to look at the CyanogenMod variant, since you can get the full source code to both client and server.)
- There are a number of web services that now provide a variety of APIs (Nest thermostats, Tesla cars, etc.). Pick one or two and analyze their security properties.
- Exploits via WebGL — can you break out of whatever sandbox there is? Build a fuzzer?
- JavaScript fuzzing against various browsers’ optimized JavaScript engines
Things to go build
- CyanogenMod also has a new feature called “Privacy Guard” which lets users slap down undesirable app behaviors, like Facebook’s never-ending queries to the location system. Add a feature to Privacy Guard so it can give you “reports” on the privacy-relevant behavior of installed apps, then use it to generate reports on many popular apps.
- HTML5 WebSockets and WebWorkers give the code running in your browser much better access to the Internet.
  - DNS rebinding may be able to get around browser DNS pinning, letting you violate the same-origin policy
  - Chrome / Firefox extensions can get you a long-lived process
  - Chrome store apps may have extended privileges beyond regular pages
  - How might a web server (or, more pointedly, an advertising server) defend itself against click fraud generated through mechanisms like these?
- You might select a project from the Tor volunteer project list
- Reengineer Android’s WiFi pairing to work like SSH (connect the first time, remember the cert, and warn afterward if it changes)
- Trusted Platform Measurement (TPM) is a technology that can allow one computer to generate “attestations” that a computer booted properly into a secure state and isn’t running any malware. That’s the promise anyway, but these things have never really gone commercial. I’ve got an industrial collaborator who has something like this that appears to really work, on Windows 8, and we’ve got a voting machine prototype that needs this as part of its security story. You could integrate them together.
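The SSH-style pairing idea above boils down to a trust-on-first-use (TOFU) store like SSH’s known_hosts: pin the peer’s certificate fingerprint on first contact, then compare on every later contact and warn (never silently re-pin) on a change. The following is an added illustration, not code from the course or from Android; the peer name, file path and certificate bytes are constructed placeholders.

```python
# Added example: minimal TOFU certificate store (known_hosts style).
# Peer names and "DER" bytes are constructed placeholders, not real certs.
import hashlib
import hmac
import json
from pathlib import Path

FIRST_USE, MATCH, MISMATCH = "first-use", "match", "mismatch"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the value we pin."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    def __init__(self, path=None):
        # Optional JSON file so pins survive reboots; in-memory only if path is None.
        self.path = Path(path) if path else None
        self.known = {}
        if self.path and self.path.exists():
            self.known = json.loads(self.path.read_text())

    def check(self, peer: str, cert_der: bytes) -> str:
        fp = fingerprint(cert_der)
        seen = self.known.get(peer)
        if seen is None:
            self.known[peer] = fp  # first contact: remember, cannot verify yet
            self._save()
            return FIRST_USE
        # A changed fingerprint is reported, not auto-accepted: the old pin stays
        # until the user explicitly decides to replace it.
        return MATCH if hmac.compare_digest(seen, fp) else MISMATCH

    def forget(self, peer: str):
        """User-driven re-pin: only after an explicit decision to trust the new cert."""
        self.known.pop(peer, None)
        self._save()

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.known, indent=2))


if __name__ == "__main__":
    store = TofuStore()  # hypothetical path, e.g. "/data/wifi_tofu.json"
    ap_cert = b"constructed-DER-bytes-for-access-point-A"
    print(store.check("HomeAP", ap_cert))           # first-use
    print(store.check("HomeAP", ap_cert))           # match
    print(store.check("HomeAP", b"different-cert"))  # mismatch: warn the user
```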
Things to go measure / survey
- Hack into some sort of botnet and see what you can learn about its network topology
- Web crawler to look for weird certs (which CAs are in use, what key lengths, etc.) and survey TLS connection settings (SSL v3 or earlier? BEAST vulnerabilities? Who supports TLS 1.1 or later?). You may be able to take advantage of Google’s Certificate Transparency efforts.
- Android Market (or other markets): look for oddball patterns in apps (e.g., things being sent to SMS premium phone numbers?) — we have a corpus of over 100,000 apps for you to work on, so you can avoid needing to recrawl the app store
- Perspectives / Convergence (SSL cert notaries): how well do they deal with routine transient cert issues (i.e., what is their false positive rate)?
- How widely major web sites use various modern web security headers (frame busting, CSRF defenses, etc.) — also, there’s an opportunity to fuzz browsers with variants on these headers