2011-2012 Part II or MPhil Project Suggestions by Frank Stajano
If you are a brilliant programmer and are also interested in security, I want to hear from you!
Pico: a security token to replace passwords (TAKEN by Bo Tian)
Passwords are no longer acceptable as a security mechanism. I recently proposed a clean-slate design to get rid of them using a portable gadget called Pico that transforms your credentials from “what you know” into “what you have”. Read the paper or watch me give an invited talk at Usenix Security 2011 (Forbes coverage).
In this project you will build a prototype of the Pico, implementing the core functionality of talking to an app through a multi-channel protocol, either for initial pairing or for offering credentials. An interesting extension is to investigate how the use of a hardware TPM might help secure the storage of the Pico.
Recommended reading: Frank Stajano, Pico: no more passwords!, Proc. Security Protocols Workshop 2011, Springer LNCS 7114.
Picosiblings: proximity locking of a security token (TAKEN by Oliver Stannard)
As mentioned in the description of the previous project, Pico is a security token that replaces passwords by transforming your credentials from “what you know” into “what you have”. As above: read the paper or watch me give an invited talk at Usenix Security 2011 (Forbes coverage).
To protect Pico against loss or theft, its storage is backed up and encrypted and can only be unlocked by a key whose shares are held by other devices worn by the user, the Picosiblings. This project will implement and prototype the backup and restore facility and the interaction with the Picosiblings, including all the necessary protocols for secret sharing, initial pairing etc. (Cfr. the state diagram in the paper). Development will take place on Linux, with virtual machines simulating the various devices (Pico, docking station and Picosiblings). Optional extensions might include prototyping the devices in hardware.
This is a challenging project offering unsolved research problems (especially in the implementation of the protocol between the Pico and the Picosiblings, which had been specified but not developed yet) suited to a candidate with a keen interest and ability in security.
Recommended reading: Frank Stajano, Pico: no more passwords!, Proc. Security Protocols Workshop 2011, Springer LNCS 7114.
vPro security (suitable for MPhil)
Intel vPro is a technology, included in some modern processors and chipsets, that allows a system administrator to access a computer remotely, even when the OS is not running and even when the machine is (soft) off. The administrator may view the boot screen of the remote computer, remotely enter the BIOS setup screen and even boot the remote machine off her own local CD. But what if a bad guy could impersonate the security administrator and 0wn your computer at a distance?
I have recently started looking at the security of this control connection with some US colleagues and we already have a few ideas about where to look. You will be involved in probing for vulnerabilities and possible attacks. The work may involve fuzzying and reverse engineering.
A high risk / high reward project for a low level hacker. High risk because you might not find any vulnerability worth exploiting; high reward because, if you do a great job, you might end up as coauthor on our paper.
Recommended reading: Vassilios Ververis, Security evaluation of Intel Active Management Technology, MSc Dissertation, KTH Stockholm, 2010.
Simple Video Editor (suitable for Part II, less appropriate for MPhil)
(NB: not a security project, but may still be fun for the right person.)
I don't know of any open source, simple to use video editors that can edit an MPEG-2 file (recorded from a UK Freeview DVB broadcast) without destroying the subtitles.
Core of project:
- Patch the command-line-based ffmpeg program so it will retain subtitles when cutting an MPEG-2 file produced by recording a UK DVB broadcast. OK to cut only at I-frames. This work will involve studying and understanding the MPEG-2 standard and the ffmpeg code.
- Produce a simple stand-alone viewer/editor, in the spirit of the one included in mythtv, that allows the user to define cut points (only on I-frames is OK) and a cutlist. The file is then to be split and re-joined using the patched ffmpeg previously produced. This work will involve some GUI programming under Linux and possibly studying and understanding the code of an existing open-source video player such as VLC.
Optional extension: submit the patch to the ffmpeg project and have it accepted. You will develop skills not only in software engineering but also in interacting with the open source community.
Project recommended for video enthusiasts. Skills acquired/exercised: deciphering a complex standard, hacking complex code written by others, interacting as a peer with other members of the developer community.
I'll be keen to supervise enthusiastic and dedicated students for any of the above projects.