Hide menu

TDDD17 Information Security, Second Course

Projects List

Project assignment is closed!

Project id Project name Supervisor Assigned students
001 Passphrase security in practice Jan-Åke Larsson Group A: Oliver Poignant, Pontus Thulin
Group B: Georgios Rizothanasis, Rahul Kumar Dutta
002 Quantum key distribution in practice Jan-Åke Larsson Pierre Mousa, Carl Beckman
003 Covert channels in the cloud Jan-Åke Larsson Tim Hedlund, Patrik Bjurling
004 Literature study on cloud computing Nahid Shahmehri Group A: Paul Borek, Avraam Mavridis
Group B: Kaveh Rezania, Eunyoung Kim
005 Analysis of Raspberry Pi Nahid Shahmehri Group A: Olle Westrin, Mattias Rönn
Group B: Tobias Alm Alström, Christian Tennsted
006 Evaluation of physical security in a movie Nahid Shahmehri Group A: Sara Fekade, Johannes Jarbratt
Group B: Rentas Dimitris, Marinos Makedos
007 Automated categorization of identity federations Anna Vapen Viktor Dahl, David Odelberg
008 Mandatory access control with SELinux David Byers Erik Sundqvist, Bahar Abbaspour Fasai
009 Practical WLAN security David Byers Group A: Tim Ziegenbein, Robert Udd
Group B: Claire Vacherot, Gustav Ahlberg
*011 Plug computer David Byers Rasmus Holm, Erik Sparre
*012 User identification using input devices Nahid Shahmehri Jacob Pogulis

1. Passphrase security in practice

Some systems use pass phrases rather than passwords for user authentication, e.g., PGP or GPG keyrings, WiFi routers, or disk encryption software. There exists specialized advice on how to choose passphrases in particular, and some systems also have limitations on what phrases are possible. But how do real users follow this advice? Have they even heard it? Do they find it cumbersome to adhere to it? Do they have problems with enforced restrictions on passphrase choice? Study restrictions from your own experience and searches of sites! Also create categories of passphrases and make a survey of to which extent user passphrases belong to each category according to their owners! (Categories can be names/words close to user, passphrases found in dictionaries, passphrases shared for several or all sites, passphrases following pattern for different sites etc.) Another possibility is to evaluate passphrase generation tools that can be found in the wild. Do these generate secure/useful/trustworthy passphrases? Finally make a summary of your view of passphrase security in practice. This summary should be based on passphrase guessing capabilities of possible attackers.

2. Quantum key distribution in practice

New technology has made quantum key distribution hardware relatively cheap, but there are still some drawbacks. Among these are the need of a dedicated fibre (for fibre-based systems), a limited range, and the problem of seed authentication key distribution. Make an overview of the technology, describing these and other possible reasons that hinder wide deployment of the technology. What recent advances have been made that improve the performance of the systems, for each of the problems? Are new developments expected in the short time frame/long time frame? Are there more fundamental problems that are not likely to be solved soon? What is the possible user base, who uses the system now, and who may use them in the short term? What is the main showstopper?

3. Covert channels in the cloud

There are now several cloud storage solutions to choose from for private and enterprise users. These are typically used for backup purposes, as cooperation platforms, for more simplistic data sharing, or just as a flexible data storage. Some providers use a technique called "deduplication", which ensures that identical files only are uploaded once. If a file already exists at the provider and a user attempts to upload it (again), the system notices this and gives the user a link to the already existing file, rather than uploading it a second time. This saves bandwidth and storage at the provider, but it incurs some new security issues. For example, this can be used to create a covert channel: attempt to upload a file and use the occurrence of deduplication as one communicated bit. Your task is to test that this does indeed work as a covert channel, and to extend this to more complicated messages. There are a number of initial questions that need to be answered in this setting. What services perform deduplication? How do you detect if deduplication has occurred? Is there an efficient way to set up your covert channel? You can also ask what other threats to privacy or more general security are enabled by deduplication.

Prerequisites: To be able to do this you need to know how to extract this type of information from your browser. More advanced communication may need programming in shell or Python, using wget or some other access means that are more directly controllable than your browser.

4. Literature study on cloud security

Today, information can conveniently be stored in the cloud and thus become accessible to the user from any location. Cloud computing also makes it possible to hire processing power and storage in order to store and process information without the need for local data centers. However, this way of distributing storage and computation may lead to new security and privacy problems. In this project you will study existing cloud services and compare them from a security perspective. The project will result in an in-depth theoretical analysis of cloud security.

5. Analysis of Raspberry Pi

Computers are getting smaller and more portable, an example of such a small computing device is the Raspberry Pi. In this project you will set up a Raspberry Pi with default settings and apply port scanning and penetration testing on it. You will also do a risk analysis with RMF in order to find ways of exploiting the system. Thereafter you will suggest suitable mitigations (depending on the results of your analysis and tests) and patch the system.

Prerequisites: Good knowledge of Linux and programming experience.

6. Evaluation of physical security in a movie

Evaluate physical security as well as information security as depicted in a movie or TV series, such as "Person of interest". Describe and evaluate scenarios and compare to the theory and reality.

7. Automated categorization of identity federations

Today, many websites offer their users the ability to access the website by using an account from another website (e.g. a user can access Yahoo by using their Google or Facebook account instead of creating a separate Yahoo account). Sites which accept authentication from other websites are called relying parties and sites which offer authentication for the relying parties are called identity providers. Together these two types of websites form an identity federation. In this project you will investigate the following: which type of websites collaborate in identity federations? Compare websites from different countries, with different contents etc. Which protocols and frameworks are used in the federations? You will create a program which parses websites and maps currently existing identity federations and their features. The focus will be on finding websites which is part of a federation and deciding which type of website it is (e.g. an e-commerce site or a social network).

Prerequisites: This project requires programming skills. We recommend that you have done the authentication lab in this course.

8. Mandatory access control with SELinux

SELinux is an implementation of mandatory access control for Linux that has become widespread and is now enabled by default in many distributions.

In this project you will study and explain the theoretical model and architecture behind SELinux (type enforcement, FLASK, Linux Security Modules). You will also look at the practical aspects of SELinux (default policy, tools to develop policy, how it is used in e.g. RedHat, CentOS and Ubuntu), and try it out for yourself.

Prerequisites: This project will require a working understanding of Linux for to try it out. We can provide a virtualized environment on which to experiment with SELinux, but strongly recommend that you provide your own computer, since this will make things a lot easier.

9. Practical WLAN security

Wireless networks present some particularly difficult security problems since physical access to the networks are not limited. In this project you will study the known security issues with 802.11 networks and the various mechanisms (WEP, WPA, RSN) that have been proposed to improve security. You will also study denial of service attacks and mitigation methods, as these are not part of WEP, WPA or RSN and the physical aspects of wireless security and intrusion detection in wireless networks.

You will also launch at least two serious attacks on a wireless network using a Linux laptop as your platform. Specific attacks and targets will be chosen in cooperation with course staff. At least one of these attacks will be demonstrated live in class.

Prerequisites: This project requires a good understanding of computer networking, particularly of protocols such as Ethernet, IP, TCP and DNS. Completing the practical part of this project will require previous experience with Linux networking. You will probably have to learn new tools, install and configure network services, and you may have to write or modify low-level network code.

Note: We have very little equipment to lend you, so plan on providing your own equipment (usually a laptop with Linux and WiFi and an access point are the minimum requirements).


Page responsible: Nahid Shahmehri
Last updated: 2016-01-07