Kieron Ivy's Dissertation Project Ideas
Technology-Enabled Domestic Abuse ("Tech-abuse")
- Online forums - either using CrimeBB / Other CCC Datasets or collecting own data for a project:
- Analysis of online forum discussion about how to execute tech-abuse. Can broaden existing work looking at infidelity forums to get a wider range of opinions; existing paper on this to guide methodology if desired.
- Analysis of escalation/deescalation of abuse discussions on online forums. It is suggested in prior research that most discussions help people be more abusive, so we can attempt to measure these discussions, or look into ways to deescalate abuse discussions with bots etc.
- Emergency Safety - the most dangerous phase of an abusive relationship is when the victim/survivor attempts to leave. Additional safety tools during this time would be of great benefit, such as:
- Tools for preventing remote access to the devices or accounts, or which help users to lock down their device, similar to iOS lockdown mode.
- Evidence collection tools - either building a specialised and improved version of the Vault Apps that we discuss in our paper, or developing a more unique tool à la HeHop or DocuSAFE.
- Emergency support tools, allowing covert access to helpful information (e.g. BrightSky) or allowing more secure communication with emergency services, such as this policing tool or a similar concept for domestic abuse charities, taking into account possible shared phone usage etc.
- Browser safety features: as an extension to the quick exit buttons study, it would be possible to design safety mechanisms into the browser. These could include versions of exit buttons that clear history, launching a set of tabs to disguise history, or storing a set of sites which are never recorded to history.
- De-escalation tech - it may be possible to design an application that aids users in some way once an abuser has discovered their use of technological support mechanisms, such as evidence collection or abuse information apps. This could involve some way of hiding evidence from a user's phone (overlapping with Vault App projects) or otherwise providing aid to de-escalate abuse.
- Detecting spyware/dual use apps. Spyware (or dual-use apps) can take various measures to hide themselves on a phone once installed. A project could design an app/system process that searches for these applications, which will likely overlap with traditional rootkit discovery.
- IoT safety / abuse prevention. We recently completed a project understanding how people learn to use IoT for abuse (paper under review; can share upon request), and the natural follow-up is to take this, alongside Chatterjee et al. papers on IoT abuse [1][2][3], to design ways to impede the abusive use of these technologies. This could focus on a specific device, a controlling hub-like system for multiple devices, or a broader design with test implementation and a user study.
- Any variants of existing projects or papers: I recommend reading research by Leonie Tanczer's Gender and Tech group at UCL, the IPV Tech Research group at Cornell/NYU, and Rahul Chatterjee's group at Wisconsin-Madison.
- [Other project ideas currently taken for this year. Variants of previous years' projects are possible as long as they are distinct]
Security & Hacking
- Security analysis of IoT devices. I previously worked on Smart Locks for my MEng dissertation, and can help with analysing systems through various means including reverse engineering and black-box testing. In particular, I have experience with and would be happy to supervise projects which attack:
- Anything with an Android mobile app, as it can be reverse-engineered to look for vulnerabilities
- WiFi-based products
- BLE products (or regular Bluetooth, though it is less common and more awkward to work with)
- RFID cards and tags
- Physical Security systems like locks or safes
- MITM detection tool for known vulnerable systems (and possibly constructing defences against detected attacks). I'm primarily thinking of evil twin attacks on WiFi, MITM attacks on Bluetooth and BLE, or exploits on these technologies which allow for MITMs, like the KRACK attack on WPA. This would likely involve traffic analysis or identifying signs of these attacks, such as multiple systems announcing the same network (indicating an evil twin) or a flood of Bluetooth device announcements used to initiate Bluetooth MITM attacks.
- Lockpicking robot. It is easy to learn to pick lots of types of locks*, and it is theoretically possible to make a robot which intelligently picks them in the same manner as humans do. Current semi-automated unlocking tools include electric bump guns (which bounce pins repeatedly until the lock happens to open) or brute-force safecracking machines. Using sensors and a robot arm to control tension and pick the pins could allow for fully automated lock picking. Would need to be co-supervised (or primarily supervised) by a robotics expert.
* I have plenty to learn on if you want to borrow any!
- Key reverse engineering. A known attack is taking a photo of someone's key where you can see the bitting and then identifying the key cuts from this so you can clone the key. This could be improved upon by making a system that uses computer vision to identify the key and its position, then measures the bitting and provides an estimate of the key bitting. Extensions would include analysing different types of key or analysing a video feed instead of a static image.
- Any other hacking/security focused project; I am mostly experienced in cryptography and reverse engineering, but have experience with web hacking, binary exploitation, and side channels too.
Proposed Student Projects 2024-2025
- Aneesah Khan [Undergrad - Part II] TBC - likely either browser safety or online forums.
Student Projects 2023-2024
- Steph Braid [Undergrad - Part II] Designing possibly Dual-Use Apps to restrict abuse. Some applications can be used for both good and bad purposes (e.g. child monitoring/parental controls), but are not designed to avoid the malicious use case. A project could aim to build one of these apps in a way which restricts the application to its intended purpose.
- Summer Leigh [Undergrad - Part II] Designing access control mechanisms for an adversarial home environment. Smart homes are often designed to allow parents some control over children's devices etc with access control mechanisms restricting what they can do with the smart home; abusers are then using this to control their victims. An interesting research project would explore different ways in which you could design a smart home around an adversary in the home, possibly including mechanisms to revoke or regain privileges, or enabling multiple superusers, or having an extra level of superuser that the device owners cannot access for use in this scenario.
Student Projects 2022-2023
- Dani Foldi [Undergrad - Part II] Website vulnerability scanner. There are a great many common vulnerabilities in websites, so you could make a tool that looks for one or more vulnerabilities. This could be a detailed project on one vulnerability with a wide range of specific attacks (XSS, SQLi...) or a combination of several smaller vulnerabilities.
- Web server misconfiguration detection. Identify when a server has configuration issues that could lead to other attacks, including:
- Not using HTTPS / using invalid certificates for HTTPS
- Absence of automatic redirect to HTTPS pages
- Identify missing / badly set up HTTP headers, such as HSTS, CORS, CSP
- Not using DNSSEC
- Find leaked credentials in public webpages
- Identify poor access control leaking information such as private Git repos
- Saomiyan Mathetharan [Undergrad - Part II] Network security tool and firewall probing. This will include:
- Identifying vulnerable services on a machine i.e. port scanning
- Testing parameters of firewalls on systems, which are intended to restrict or prevent port scanning, and attempting to work around them.
- Possibly discovering systems in a network and attempting to identify them. Can use arp/ping scans, traffic analysis etc. to find systems, then different forms of fingerprinting to identify them.
- Oliver Shapcott [Masters - MPhil] (Co-supervised) Automation of IoT Malware Binary classification in automatically identifying Command and Control Infrastructures. Automates as much of the process of reverse-engineering C&C malware as possible, allowing automated identification of the type of malware and likely sources of it.
© 2024 Computer Laboratory, University of Cambridge
Information provided by Kieron Ivy Turk