Computer Laboratory

2016-2017 Part II or MPhil Project Suggestions by Frank Stajano

If you are a brilliant programmer and are also interested in security, I want to hear from you!

The project suggestions below are © Frank Stajano. They turn into project proposals with a substantial contribution from a suitable candidate in the context of a constructive discussion and negotiation. You are expected to have done some background research on the topic before discussing it with me in person. The Pico website may be a useful source of additional information for many of these projects.

Note that a standard condition of me offering these projects is that all work performed (code and write-up) be released as open source.

After a mutual assessment that we are a good match, you may be supervised by me or by one of my knowledgeable associates, according to availability.

Pico Lens for Chrome

Pico Lens is a Firefox extension that lets Pico interact with web logins. The extension identifies traditional login forms in web pages, and can offer the option to sign in using Pico instead. Pico will then communicate with the browser over the Internet, via a Java daemon that implements the Pico protocols.

A lot of what already exists should work in Chrome, or be easy to port. However, running Java is not supported by Chrome. For this project you would implement the Pico protocols in JavaScript, including some cryptographic operations for which there are currently no known libraries. If you were to produce and release a good quality open source crypto library in JavaScript, that would be a significant deliverable in itself! You could also investigate rewriting the extension using WebExtensions, which should make cross-browser compatibility less of an issue.

Recommended reading:
Frank Stajano. Pico: no more passwords!
Official Chrome developer's guide

Port the Pico client to iOS

Authentication using Pico involves a hardware device that can scan a QR code or communicate using Bluetooth. Currently this has been implemented as an Android app that can run on the user's smartphone. However, given that a significant proportion of people use iPhone devices, it would be interesting to have a version running on iOS.

Although this could be a straightforward port, some big changes to the project structure could be involved, and there is also scope for creativity. The user interface, for example, should meet the iOS style guidelines, and any new features that iOS offers that could improve usability should be investigated. Plus, porting software is always a good opportunity to redesign and make it better.

Recommended reading:
Frank Stajano. Pico: no more passwords!

Log into your Mac computer using Pico

Pico is intended as an authentication device for any platform. Some work has been done in the past to support authenticating to Windows and Linux machines, but no study has been done regarding macOS.

For this project you would have to implement a login scheme on Mac using Pico. Possibly part of the current Linux implementation can be used.

The candidate who takes on this project must already own and use a Mac computer and enjoy low-level OS hacking.

Recommended reading:
Frank Stajano. Pico: no more passwords!

Implement Password Manager Friendly (PMF)

One of the problems encountered by password managers, and by Pico Lens, is how to find and correctly interpret a login form in a web page. Sometimes this can be guessed, but in other cases it is hard to detect. Password manager friendly (PMF) is a proposal for a standard for web pages that defines a number of annotations for form elements, which would make it easy for a password manager to find the correct data.

For this project you would implement the standard in at least two widely-used browsers (Chrome and Firefox), and modify some popular web page frameworks (e.g. WordPress) to include it. As an extension, it would be good to make contact with those projects and have your implementation approved, thereby making a real contribution to open-source projects. It would also be great to persuade some websites to actually take up PMF and include some user testing in the scope of the project.

Recommended reading:
Frank Stajano, Max Spencer, Graeme Jenkinson, Quentin Stafford-Fraser. Password-manager friendly (PMF): Semantic annotations to improve the effectiveness of password managers. Proc. Passwords 2014, Springer LNCS 9393.
http://pmfriendly.org/documents/passwords-2014-slides-with-notes.pdf

Tagged email from Thunderbird

The mail system at Cambridge helpfully delivers any mail addressed to abc123--tag@cam.ac.uk (note the double hyphen) to the base address abc123@cam.ac.uk, for any tag. This allows you to generate arbitrarily many distinct addresses that will all deliver mail to your account. When you have to subscribe to a mailing list or sign up to a web form, you can give them abc123--thatmailinglist@cam.ac.uk and reliably filter all their mail to a specific folder. (And if you then get spam from someone else, you know who leaked your address.)

What's missing from this system is a convenient way for you to reply as abc123--tag@cam.ac.uk, so that you could also reliably filter your own messages into that same destination folder. You might write a client-side extension to Thunderbird to do that. So far this is fairly easy, so something else would need to be added to the plan for this to become a sizeable project.
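
The address handling described above, as an added example (not part of the original project suggestion, and not Thunderbird extension API): it picks the tagged address to reply from and the folder to file under. The function names, the message shape and the rule of splitting at the first "--" are assumptions.

```javascript
// Added example; names and message shape are constructed, not Thunderbird API.
const SEP = "--"; // separator between base user and tag, as described in the text

// Parse "Name <abc123--tag@cam.ac.uk>" or a bare address into its parts.
// Assumption: the local part is split at the FIRST "--"; an empty tag
// (or an empty base) is treated as untagged.
function parseTagged(address) {
  const m = /<?([^<>\s@,]+)@([^<>\s@,]+)>?\s*$/.exec(address);
  if (!m) return null;
  const local = m[1].toLowerCase();
  const domain = m[2].toLowerCase();
  const i = local.indexOf(SEP);
  if (i <= 0 || i + SEP.length === local.length) {
    return { base: local, tag: null, domain };
  }
  return { base: local.slice(0, i), tag: local.slice(i + SEP.length), domain };
}

// Choose the From address and the filing folder for a reply to `message`.
// Only a tagged address belonging to *this* user and domain is reused;
// another user's tagged address on the same message is ignored.
function replyIdentity(message, myBase, myDomain) {
  const recipients = [...(message.to || []), ...(message.cc || [])];
  for (const raw of recipients) {
    const p = parseTagged(raw);
    if (p && p.tag && p.base === myBase && p.domain === myDomain) {
      return { from: `${p.base}${SEP}${p.tag}@${p.domain}`, folder: p.tag };
    }
  }
  // No tagged address of ours among the recipients: reply from the base address.
  return { from: `${myBase}@${myDomain}`, folder: null };
}

// Constructed sample messages.
const listMail = {
  to: ["xyz789--thatmailinglist@cam.ac.uk"],
  cc: ["A. Student <abc123--thatmailinglist@cam.ac.uk>"],
};
const directMail = { to: ["abc123@cam.ac.uk"] };
```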

vPro security and VNC viewer plus on Linux

VNC is a widely used software KVM that allows you to access a display remotely, even from a different architecture (e.g. drive a Windows desktop from a Linux laptop). Intel vPro is a technology, included in some modern processors and chipsets, that embeds a VNC server in the hardware, thus allowing a system administrator to access a computer remotely, even when the OS is not running and even when the machine is (soft) off. The administrator may view the boot screen of the remote computer, remotely enter the BIOS setup screen and even boot the remote machine off her own local CD.

You will implement a Linux version of the VNC Viewer Plus that connects to selected vPro processors (the retail version of VNC Viewer Plus runs only on Windows). As part of that, you will understand the authentication mechanisms so as to be able to explore and hopefully fix any potential vulnerabilities. What if a bad guy could impersonate the security administrator and 0wn your computer at a distance?

Concerning licensing the code, besides the standard condition that you will release all your work as open source, for this project the RealVNC company, makers of VNC, would also offer support (i.e. access to the lead developer of VNC Viewer Plus, and potentially an internship after the degree) in exchange for them getting from you an additional commercial licence to the final code at zero cost to them.

Recommended reading:
Vassilios Ververis, Security evaluation of Intel Active Management Technology, MSc Dissertation, KTH Stockholm, 2010.

Privacy-protecting PIM on smartphone

15 years ago, only the geek carried around a PDA (personal digital assistant) with their calendar, notes and contacts list. Nowadays, everyone and their dog has a smartphone with vastly superior PIM (personal information management) functionality. However, in the new world, privacy suffers: whether the smartphone is from Apple or Google, your data is stored in plaintext in NSA-accessible cloud storage, rather than locally on your own devices.

In this project you'll build a PIM system (for Android or iOS, at your choice) that won't trust the cloud for storage of user data. It will still allow editing on one device and viewing on another and it will, as far as possible, reuse existing PIM programs by transforming the back-end rather than rewriting the front-end. Different architectures (from local-only storage and peer-to-peer sync to encrypted in-cloud storage) will be explored and compared against the state of the art in research, including Google's Nigori, which local PhD student Daniel Thomas is extending to support synchronization.

With an eye to security usability, ease of installation and maintenance for non-technical users will be considered an important feature.

Making MythTV more robust

MythTV is an open source digital video recorder. It's brilliant, but it depends rather unhealthily on a central database of metadata (conceptually similar to the dreaded "Windows registry" or the equally dreaded iTunes) without which its archive of recorded files becomes practically unusable: the database contains the names and dates of the shows, the cutlists describing the parts you edited out (commercials and head/tail) and so forth. This makes the system rather unstable because, if the database gets corrupted, then your terabytes of thousands of hours of recorded video become practically unusable. If you get fed up and reinstall from zero on a new hard disk, it's practically impossible to merge two video archives.

In this project you will address this problem by first providing an export and mergeback facility for the video archive (the current backup/restore does not support merging) and then, more substantially, by redesigning the architecture so that each video recording is atomically associated with its own metadata (e.g. by introducing a new file type consisting of an archive with both the video and its metadata). The focus of this project is not security but robustness, usability and good software engineering.