Computer Laboratory

Kieron Ivy's Dissertation Project Ideas

Technology-Enabled Domestic Abuse ("Tech-abuse")

  • Analysis of online forum discussion about how to execute tech-abuse. Can broaden existing work looking at infidelity forums to get a wider range of opinions; existing paper on this to guide methodology if desired.
  • Analysis of escalation/deescalation of abuse discussions on online forums. It is suggested in prior research that most discussions help people be more abusive, so we can attempt to measure these discussions, or look into ways to deescalate abuse discussions with bots etc.
  • Designing safety mechanisms to access support. I've done some work looking at quick-escape mechanisms for support service sites and worked with the police on safe web chats, but there is room for other things in this space. One thing not yet analysed in detail are applications which help domestic abuse victims with various things: some provide information about abuse and determining if your relationship is abusive, some log evidence, some help plan an escape. Could analyse existing apps or design safety features for them.
  • Designing access control mechanisms for an adversarial home environment. Smart homes are often designed to allow parents some control over children's devices etc with access control mechanisms restricting what they can do with the smart home; abusers are then using this to control their victims. An interesting research project would explore different ways in which you could design a smart home around an adversary in the home, possibly including mechanisms to revoke or regain privileges, or enabling multiple superusers, or having an extra level of superuser that the device owners cannot access for use in this scenario.

Security & Hacking

  • Security analysis of IoT devices. I previously worked on Smart Locks for my MEng dissertation, and can help with analysing systems through various means including reverse engineering and black-box testing. In particular, I have experience with and would be happy to supervise projects which attack:
    • Anything with an Android mobile app, as it can be reverse-engineered to look for vulnerabilities
    • WiFi-based products
    • BLE products (or regular Bluetooth, though it is less common and more awkward to work with)
    • RFID cards and tags
    • Physical Security systems like locks or safes
  • MITM detection tool for known vulnerable systems (and possibly constructing defences against detected attacks). I'm primarily thinking of evil twin attacks on WiFi, MITM attacks on Bluetooth and BLE, or exploits on these technologies which allow for MITMs like the KRAck attack on WPA. Would likely involve traffic analysis or identifying signs of these attacks, like multiple systems announcing the same network to identify evil twin or a spam of Bluetooth device announcements used to initiate Bluetooth MITM attacks.
  • Lockpicking robot for various types of locks (though someone else will have to help supervise the robotics element).

Previous Student Projects

  • Website vulnerability scanner. There are a great many common vulnerabilities in websites, so you could make a tool that looks for one or more vulnerabilities. This could be a detailed project on one vulnerability with a wide range of specific attacks (XSS, SQLi...) or a combination of more small vulnerabilities.
  • Web server misconfiguration detection. Identify when a server is has configuration issues that could lead to other attacks, including:
    • Not using HTTPS / using invalid certificates for HTTPS
    • Absence of automatic redirect to HTTPS pages
    • Identify missing / badly set up HTTP headers, such as HSTS, CORS, CSP
    • Not using DNSSEC
    • Find leaked credentials in public webpages
    • Identify poor access control leaking information such as private Git repos
  • Network security tool. This will include:
    • Identifying vulnerable services on a machine i.e. port scanning
    • Possibly identifying systems in a network and attempting to identify them. Can use arp/ping scans, traffic analysis etc to find systems, then different forms of fingerprinting to identify them.
    • Possibly attempting automated exploitation of vulnerabilities on services found, combining the functionality of NMAP and Metasploit
  • (Idea used by student with another supervisor) Key reverse engineering. A known attack is taking a photo of someone's key where you can see the bitting and then identifying the key cuts from this so you can clone the key. This could be improved upon by making a system that uses computer vision to identify the key and it's position, then measuring the bitting and providing an estimate of the key bitting. Extensions would include analysing different types of key or analysing a video feed instead of a static image.