
TDDD82 Project Term Including Bachelor's Project: Secure, Mobile Systems

Bachelor's projects

| Project ID | Students | Supervisor |
|---|---|---|
| Project 1 | Matilda Engström Ericsson (mater832), Niklas Lindström (nikli445) | Simin Nadjm-Tehrani |
| Project 2 | Ludvig Thor (ludtho083), Jesper Elgh (jesel704) | Simin Nadjm-Tehrani |
| Project 3 | Sofie Eskilsson (sofes006), Hanna Gustafsson (hangu116) | Andrei Gurtov |
| Project 4 | Anton Blåberg (antbl294), Gustav Lindahl (gusli687) | Andrei Gurtov |
| Project 5 | Stephanie Persson (stepe231) | Niklas Carlsson |
| Project 6 | Mathilda Moström (matmo820), Alexander Edberg (aleed476) | Niklas Carlsson |
| Project 7 | Alexandra Goltsis (alego025), Carl Ekblad (carek682) | Niklas Carlsson |
| Project 8 | Hendrik Wendt (henwe331), Matteus Henriksson (mathe228) | Niklas Carlsson |
| Project 9 | | Niklas Carlsson |
| Project 10 | Markus Wetterberg (marwe497), Sebastian Flinck Lindström (sebli658) | Niklas Carlsson |
| Project 11 | Carl Magnus Bruhner (carbr307), Oscar Linnarsson (oscli329) | Niklas Carlsson |
| Project 12 | Jerome Planken (jerpl728), Theodor Fällman (thefa576) | Niklas Carlsson |
| Project 13 | Sophie Ryrberg (sopry923), Erica Weistrand (eriwe600) | Niklas Carlsson |
| Project 14 | Erik Kronberg (erikr271), Albin Vogel (albvo998) | Niklas Carlsson |
| Project 15 | Linus Boström (linbo150), Rami Abdul Latif (ramab817) | Niklas Carlsson |

Instructions

Each pair writes, in an e-mail, a sorted list of all projects (highest priority first). The e-mail must also state which two people are in the group. Do not attach any documents or the like; everything must be written directly in the e-mail. Note that all projects must be included in the list. The e-mail should look like the following example:

Marcus Bendtsen (marbe800)
Jakob Pogulis (jakpo779)

Project 4
Project 1
Project 8
etc.

The course management will then assign the bachelor's projects. We start from your preferences but cannot guarantee that you get the projects you ranked highest on the list.

Language

Since these bachelor's projects are of a scientific nature, the work is carried out in English. The presentation and opposition are in Swedish.

Specific requirements

Some projects have specific requirements, which are stated in the project's text; make sure you meet them.

Projects

Project 1

Attack generation and modelling for mobile applications
The criticality of the application that you have created in your project makes its security testing a necessity. The first step in many approaches to penetration testing is to employ "adversarial thinking" and systematically identify ways that an attacker would breach the integrity or confidentiality of a developed application. In this project you will create attacks that can demonstrably succeed on the application that you have developed. The attacks can be based on general descriptions of attack models for mobile apps in earlier literature, or created based on your knowledge of the given application and its requirements, or from knowledge within known repositories used by practitioners. At least three attacks should be created, and their impact on the presentation of client-submitted data on the server, or on both ends, should be documented. Note: In this project you may exclude possible denial-of-service attacks (that breach availability).

Project 2

Evaluating quality of service in an augmented reality edge application
Future applications with map-based or video-based components will most likely be enhanced by placing embedded objects or agents in an augmented (or mixed) reality (AR, MR) fashion. Running such applications on a mobile device is currently inappropriate for longer sessions due to the energy and CPU constraints in handheld devices. Offloading the computations to a cloud server would create long delays and not provide the required responsiveness. The promise of edge computing is that expensive operations for such applications can be done at a node closer than the cloud (the edge or fog) and that the combined client-edge rendering and display is both energy-efficient and responsive. In this project you will use a research prototype for creating an AR application runnable on an edge node (published at a recent conference: link). The prototype is organised in a modular fashion and different improvements to its elements are possible for further improving its responsiveness.

Your objective is to improve the application responsiveness (as a QoS) compared to the current version, and to document the method for improvement and the measurement methodology for satisfying the quality of service (QoS). Multiple ways of improvement can be explored: (a) finding and integrating different MR modules with better performance or (b) running the encoding part of the application on a GPU. In either case, the change in the measured quality of service on the earlier documented Reference video, or alternative videos that might exhibit other characteristics, should be quantified. The project provides practical exposure to open source software (developed by others) and to designing repeatable experiments for evaluating a performance property.

Project 3

Air data communication security
The aeronautical telecommunications network is utilized to provide air traffic communication (ATC) within the airspace. The standard method of communication between an air traffic controller and a pilot is voice radio, using either very high frequency (VHF) bands. Controller-pilot data link communications (CPDLC) is a two-way data-link system by which controllers can transmit strategic messages to an aircraft as an alternative to voice communications. CPDLC enables controllers to issue ATC clearances (level assignments, lateral deviations/vectoring, speed assignments, etc.), radio frequency assignments, and various free text requests for information. ADS-B is a system used to broadcast aircraft position so that it appears on controllers' screens.

Some studies have discovered there is an urgent need to protect air traffic management (ATM)-related technologies from a wide spectrum of cyberattacks, and the solutions need to be implemented in a timely manner. Anyone possessing relatively cheap radio equipment (e.g., SDRs) can access and monitor data link communications and decode or inject these messages.

In this project, your goal is to utilize a HackRF SDR to transmit CPDLC and ADS-B messages at very low power in a closed environment for testing. An RTL-SDR dongle with an antenna can capture those messages to confirm their existence. Software such as Airspy can be used to decode messages. The goal is to demonstrate the vulnerability of air data communication so that appropriate security solutions could be developed.

https://www.rtl-sdr.com/dumpvdl2-lightweight-vdl2-decoder
https://greatscottgadgets.com/hackrf/
https://www.youtube.com/watch?v=ZuNOD3XWp4A
https://airspy.com/

Project 4

Evaluation of threats in air traffic management
The research community is questioning the security of many aviation systems. Strohmeier et al. discuss the current lack of security within automatic dependent surveillance - broadcast (ADS-B). The idea of ADS-B is that each airplane sends its GPS coordinates, altitude and speed to other planes and air traffic controllers without any encryption or authentication. Thus, the airplane marks on the "radar" screen of controllers are actually just data points that could be spoofed.

Your first step is to get familiar with two open-source ATM simulators, OpenScope and BlueSky. The best simulator should be chosen for future work (default OpenScope). Then the task is to modify the source code to display various kinds of attacks on the screen. Possible scenarios include 1) a false airplane mark which is not responding to commands, 2) incorrect speed or altitude data for a real plane, and 3) spam commands coming from or to an airplane or controller. The GUI should be modified to set up those kinds of scenarios and record users' reactions.

http://www.openscope.co/
https://github.com/openscope/openscope/blob/develop/CONTRIBUTING.md
https://www.cs.ox.ac.uk/files/8463/its2016.pdf

Project 5

Longitudinal Study of Certificate Revocation Workloads
The security of our interactions over the internet relies heavily on the trustworthiness of the certificates provided by different web servers and domains (which in simple terms map public keys to identities). Such certificates are signed by trusted certificate authorities (CAs) and the validity of the certificates is later checked by the browsers, for example. However, sometimes certificates need to be invalidated. This is done through the process of certificate revocation, a fairly complex and messy process, which often involves clients contacting servers that host revocation lists (CRLs) or that respond to Online Certificate Status Protocol (OCSP) requests. In this thesis project, you will use a combination of datasets (to be discussed in person) to look closer at the general workload variations that such servers may see over time and try to explain the observed results by digging into other public resources (e.g., datasets). The project will involve using a combination of datasets to gather longitudinal information about these workloads and trying to gain as much insight as possible into observed workload spikes and the like.

The goal is that the created datasets (combining data from multiple existing datasets) and analysis can be used to give system insights and help answer example questions related to the above-mentioned workloads. As with all projects, the dataset, tools, and analysis should not be shared publicly until we potentially publish a research article using these tools and datasets. However, to enable continuous research and potential publication, already at the end of the term, all code, data, text, and results must be shared with your supervisor. Good programming skills (ideally with scripting) and an interest in internet security are beneficial for this project.

Project 6

Longitudinal study of link-shortener usage on Twitter
Twitter has the power to greatly shape people's opinions and thoughts. It is therefore important to understand how information is shared among users. In this project, we characterize the link sharing usage on Twitter, placing particular focus on third-party link shortener services that hide the actual URL from the users until they click on a generic, shortened URL. As part of this project, one of the groups from last year's IT thesis projects developed a measurement framework to collect such datasets, collected a week-long dataset, and performed some initial analysis on this dataset. In this year's project you are expected to set up the same framework as last year's students, then collect a number of (likely week-long) datasets with carefully selected time gaps (to be discussed in person) using this methodology, and perform detailed analysis on the set of datasets. Part of this work is expected to be done with the guidance of last year's group, who have agreed to help get you up to speed, for example. However, a significant amount of work will be needed (from your side) to get the framework up and running, collect new complementing datasets, and perform the new analysis. In addition to the thesis itself, the goal with the project would be to help further the research of last year's project and publish a joint research paper. (Likely target venue has deadline in beginning of May.)

As with all projects, the dataset, tools, and analysis should not be shared publicly until we potentially publish a research article using these tools and datasets. However, to enable continuous research and potential publication, already at the end of the term, all code, data, text, and results must be shared with your supervisor. Good programming skills are expected as you will work with code that involves use of both the Bitly and Twitter APIs.

Project 7

Analyzing the Cirrus CT log
Certificate Transparency (CT) was developed to mitigate shortcomings in the TLS/SSL landscape and to assess the trustworthiness of Certificate Authorities (CAs) and the certificates they create. Today, there are on the order of 50-100 public CT logs that are actively used to log certificates. Almost all of these logs focus on X.509 certificates used on the world-wide web. However, a closer look (e.g., link) reveals that the Cloudflare Cirrus log (link) is used with the Resource Public Key Infrastructure (RPKI) and its root store only contains the certificates of the five Regional Internet Registries (RIRs): AFRINIC, APNIC, ARIN, LACNIC, RIPE. In this project, your task will be to extract all the certificates from this log, build an easily accessible dataset (e.g., a file with row-column format such as with .csv files) using this data, and perform an initial characterization of this dataset, so as to provide insights into how this log is being used and the content it stores. As part of this process you will need to figure out what is inside the records; i.e., decode and parse them. The analysis may also involve collecting (and parsing) some complementing datasets from other places (discussed during the project) and correlating and comparing these datasets.

The goal is that the datasets collected with the tool can be used to help answer some example research questions. As with all projects, the dataset, tools, and analysis should not be shared publicly until we potentially publish a research article using these tools and datasets. However, to enable continuous research and potential publication, already at the end of the term, all code, data, text, and results must be shared with your supervisor. This project requires good programming skills and you are likely to work partially with other people's code (so as to avoid reinventing the wheel).

Project 8

Building a Selenium-based data collection tool for identification and evaluation of cross-website relationships and information leakage
Some years ago, we studied information sharing associated with third-party identity management solutions such as those provided by Facebook. With a large number of Facebook-related scandals occurring since then, the question of how many information-sharing rights websites ask their users for (when using an identity provider such as Facebook) is now again very much of importance. To better understand changes that have happened within this landscape over the past few years, this fall, two fourth-year IT students helped manually collect a more recent dataset like that described here (link). To further complement our view of the current landscape and the changes that have happened over the past few years, in this thesis project, you are expected to build a Selenium-based tool that automatically identifies many of the observed RP-IDP relationships described in that work, evaluate the accuracy of the tool using data collected manually this spring, and use the tool to collect larger datasets that span much larger sets of websites (e.g., similar to those in link). To ensure that identification and classification are similar to what was used by the fourth-year IT students involved with this project, you are also expected to work and consult with them for at least part of the project.

The goal is that the datasets collected with the tool can be used to help answer some example research questions, and we hope to publish a paper on this topic during the term. As with all projects, the dataset, tools, and analysis should not be shared publicly until we potentially publish a research article using these tools and datasets. However, to enable continuous research and potential publication, already at the end of the term, all code, data, text, and results must be shared with your supervisor. This project requires good programming skills. Familiarity with using Selenium or some web APIs is also recommended.

Project 9

Comparing tails through identification and collection of datasets claimed to be heavy tailed
Heavy-tailed distributions occur almost everywhere in nature and computer science, including within both computer networks and social networks, just to name a few examples. The goal with this project is to (1) create a repository of uniformly formatted datasets that contain heavy-tailed properties (link) and references to where these datasets have been published (and distribution properties claimed), and to (2) use different fitting methods to fit and compare these distributions (and the fits themselves). (Depending on time and performance, there is a third part that may be added to the project. However, I think it is best to focus on steps 1 and 2 in the thesis project ...) Step 1 would primarily include identifying public distribution-related datasets (with different forms of network-related data), but could also include collection or creation of additional datasets (e.g., by extracting the distribution data from other sources). All files should follow a uniform row-column format (to be discussed and agreed upon) or, for cases when the data is too large, downloading tools and conversion scripts (to the agreed format) should be provided, and a high-level analysis that compares and contrasts the datasets should be performed. Step 2 would include learning and applying various statistical tools. This project is most suitable for students comfortable with mathematics and/or statistics (as you would get an opportunity to learn statistical fitting tools; e.g., fitting libraries in R or Matlab), but is also possible for students that are interested in learning about such distributions, and where and how they occur.

The goal is that the datasets collected with the tool can be used to help build a foundation for step 3 (where we have some novel ideas we would like to try), and in the meantime provide some insights already in step 2; e.g., by comparing distributions, maximum likelihood values, etc. As with all projects, the dataset, tools, and analysis should not be shared publicly until we potentially publish a research article using these tools and datasets. However, to enable continuous research and potential publication, already at the end of the term, all code, data, text, and results must be shared with your supervisor.

Project 10

Performance Evaluation of Interactive Game Streaming over Networks
New game streaming services that enable users to play interactive games remotely on relatively inexpensive devices are expected to transform the gaming industry. However, an important aspect here is the impact of end-to-end delays and network conditions. In this thesis project, you are expected to develop a testbed for such services, perform carefully designed experiments, and evaluate the results across multiple dimensions (discussed in person).

As with all projects, the dataset, tools, and analysis should not be shared publicly until we potentially publish a research article using these tools and datasets. However, to enable continuous research and potential publication, already at the end of the term, all code, data, text, and results must be shared with your supervisor. For this thesis, it is expected that you have built similar test environments (e.g., in TDDD66) as described here and have familiarity with running experiments with the streaming services of Steam Link and NVIDIA GameStream.

Project 11

Rapid7 Data Analysis Project with Security Focus
Project Sonar, by Rapid7, offers large open access datasets (including collection of SSL certificates) that can be used to gain insights into server-side patterns and the global exposure to various common vulnerabilities. In this work, you are expected to create analysis tools and evaluate some of these large datasets, and to put the findings in relation to past studies characterizing the HTTPS and certificate landscape (e.g., link).

As with all projects, the dataset, tools, and analysis should not be shared publicly until we potentially publish a research article using these tools and datasets. However, to enable continuous research and potential publication, already at the end of the term, all code, data, text, and results must be shared with your supervisor. For this thesis, to ensure feasibility, the ideal candidate should have familiarized themselves with the Rapid7 datasets and discussed them and the expected workflow with the supervisor (as this likely will be done in collaboration with additional partners, including external researchers).

Project 12

Longitudinal analysis of DNS traffic
In this thesis project, you will analyze long-term datasets to understand how potential temporal spikes in traffic demand impact a website's ranking (e.g., as seen via various top-million ranking lists; e.g., link). Of particular interest here will be to perform spike detection on public datasets (including one to be named in person) and then try to find supporting (historic) data that can explain why a service temporarily was more popular at that particular time. Initially, this can be done semi-manually and by automatically comparing with other ranking datasets, for example. However, the goal would be to try to identify data sources that we can leverage to provide such explanations mostly automatically. Ideas (and datasets to start with) will be discussed in more detail at the start of the project.

As with all projects, the dataset, tools, and analysis should not be shared publicly until we potentially publish a research article using these tools and datasets. However, to enable continuous research and potential publication, already at the end of the term, all code, data, text, and results must be shared with your supervisor. Some familiarity with extracting information from the web (ideally using scripts or APIs) is beneficial.

Project 13

Build a test framework to determine which cipher suites clients and servers accept/select
Within the TLS handshake, a client and server negotiate which cipher suite will be used for that connection. To complement our previous passive measurements (e.g., link), in this thesis, you are expected to (1) create a set of tools and datasets that capture which cipher suites each browser version (of different browsers) allows, and to (2) create a set of tools and datasets that capture what a given set of webservers selects from a given candidate selection of such protocols. For the second part, we are particularly interested in negotiation between the server and client (where the client could be a browser, but ideally a generic client for which we can more easily change what ciphers it lists for the server to choose from). Of particular interest here is to evaluate how far down the set of cipher suites a web server is willing to go (if we ranked the cipher suites based on their security level, for example). Depending on time, we would also be interested in collecting additional information from the handshake. However, such aspects can be discussed in person during the project.

As with all projects, the dataset, tools, and analysis should not be shared publicly until we potentially publish a research article using these tools and datasets. However, to enable continuous research and potential publication, already at the end of the term, all code, data, text, and results must be shared with your supervisor. Good programming skills and familiarity working with existing coding frameworks are highly beneficial (as you likely will work with code from various open source tools).

Project 14

User interfaces for interactive storytelling (a.k.a. branched video)
Interactive storytelling using branched video streaming (also called "nonlinear" and "multipath" video streaming) allows users to make viewing choices that impact the storyline or plot sequences while watching a video, and puts the viewer in control of their viewing experience. (E.g., see link and link or some recent movies released by Netflix, for example, including Bandersnatch.) Over the last two years, one group of IT thesis students first developed a nice generalized interface for this type of streaming experience and then a second group performed user studies on this design. At the core of this evaluation, we evaluated the playback bar that the students implemented (in Dash.js). In this year's project on this topic, you are expected to create alternative playback bars and other features to give users a better understanding of their current choices and let them move forward and backwards in the video more seamlessly. For example, we would like to implement playback bars similar to those used by eko.com, so that we can perform controlled user studies on this and similar alternative designs, but also incorporate aspects such as fast forward, rewind, and jumping between branches. To demonstrate the value of the tool, you are also expected to create example videos and demo presentations that demonstrate the value and ease of use of the tools.

As with other coding projects, we are planning to sign an agreement that ensures that we keep the intellectual property rights to the design and the software. The goal would be to create a demonstrator of our software, which eventually will be made available with the next academic publication. Your contributions will be properly acknowledged and the publication process should not hinder you from publishing your thesis. (Explanation: The code is expected to be non-public until a research article eventually is published based on the software, at which time we would plan to release the source code (and acknowledge the people that have contributed and helped with the code). Until that point in time, the code and any technical solutions and ideas should remain non-public.) This project requires good programming skills and you would benefit from enjoying creating innovative, aesthetic, and easy-to-use interfaces that hopefully also will become practical, user friendly, and look good/professional. Familiarity with using web APIs is also recommended.

Project 15

Simulating content-aware caching policies for tiled 360 videos
Some advantages to quality and content-aware caching policies have been demonstrated in the context of HTTP-based Adaptive Streaming (HAS). In this project, you are expected to significantly extend the simulation framework implemented in the labs of TDDD66 to capture caching of tiled 360 video, in scenarios in which the clients adapt the video quality selected for each tile (and direction) based on current network conditions and viewing patterns. At a high level, this work will combine generalizing and extending some of the policies discussed in our MASCOTS 2013 paper (link) for the context of caching of tiled 360 video (link). Details will be discussed in person, but the goal would be to carefully design and evaluate some new 360 caching policies.

As with other coding projects, we are planning to sign an agreement that ensures that we keep the intellectual property rights to the design and the software (both simulation framework and policies). The goal would be to create a demonstrator of our software, which eventually will be made available with the next academic publication. Your contributions will be properly acknowledged and the publication process should not hinder you from publishing your thesis. (Explanation: The code is expected to be non-public until a research article eventually is published based on the software, at which time we would plan to release the source code (and acknowledge the people that have contributed and helped with the code). Until that point in time, the code and any technical solutions and ideas should remain non-public.) This project requires careful implementation and a methodological approach.


Page responsible: Marcus Bendtsen
Last updated: 2020-02-20