Most of the chapters of my book have suggestions for further research at the end, some of which might make decent student projects.
Further ideas below.
Hardware trojan detection
There is a lot of interest in whether you can detect a hardware Trojan that a manufacturer has been ordered to insert by its government. In this project your task is to use one of the Lab teaching boards to create a CPU with such a Trojan, designed to signal out the contents of a certain memory location (that might contain, for example, a target cryptographic key) by modulating the device's power consumption using a secret pseudonoise sequence. You then measure whether the extra noise can be detected using standard testing techniques by someone who does not know the secret key, and whether the target can be extracted by someone who does. (For the former, see for example papers no. 63, 94 and 126 from here.)
Many websites make life harder for robots using a CAPTCHA – a "Completely Automated Public Turing Test to Tell Computers and Humans Apart". Since these were devised by Luis von Ahn and colleagues at CMU, many types have been tried, with an arms race between website operators trying to design better CAPTCHAs and attackers finding ways to defeat them. The beauty of CAPTCHA research is that if you design a novel CAPTCHA, then either the bad guys break it or they don't; if they don't, you have a useful new security mechanism, while if they do you have made progress in a hard AI problem.
One problem that's easy for humans to solve but hard for current signal-processing software is the cocktail party problem – how we manage to follow a single conversation in a crowded room out of the dozen that go on round about us. The goal of this project is to develop a workable audio CAPTCHA which will identify humans by their ability to follow one conversation out of several overlaid ones, which may be in different voices (male vs female, old vs young) or different dialects (Glasgow vs Geordie vs RP). Robust evaluation is needed to see whether such designs will achieve good security and usability.
Modern smartphones contain a variety of sensors including gyros and accelerometers. This raises the question of whether a phone could be used to authenticate transactions by signing them. There has been research since the 1980s on recognising manuscript signatures captured in a traditional way using a stylus on a tablet, and it's possible to do this on a smartphone by getting the user to sign on the screen using a stylus or fingernail.
Now the interface to the screen is very rich and the phone's operating system is very complex, leading to the fear that if fingernail signatures were commonly used to sign bank transactions, they'd be targeted by malware. But it's possible that future smartphones using TrustZone and Global Platform mechanisms might provide a more trusted path to components such as the accelerometers and gyros. This leads us to ask whether a user could sign a transaction by using the phone itself as a pen, and signing their initials with a wave of the phone, thereby proving that they're participating. Again, a robust evaluation of security and usability is needed.
University of Cambridge
JJ Thomson Avenue
Cambridge CB3 0FD, England
Tel: +44 1223 33 47 33
Fax: +44 1223 33 46 78