Computer Laboratory

Kieron Ivy's Dissertation Project Ideas

Technology-Enabled Domestic Abuse ("Tech-abuse")

  • Analysis of online forum discussion about how to execute tech-abuse. Can broaden existing work looking at infidelity forums to get a wider range of opinions; existing paper on this to guide methodology if desired.
  • Analysis of escalation/deescalation of abuse discussions on online forums. It is suggested in prior research that most discussions help people be more abusive, so we can attempt to measure these discussions, or look into ways to deescalate abuse discussions with bots etc.
  • Emergency Safety - the most dangerous phase of an abusive relationship is when the victim/survivor attempts to leave. Additional safety tools during this time would be of great benefit, such as tools which prevent remote access to the devices or accounts, or which help users to lock down their device, similar to iOS lockdown mode.
  • Designing safety mechanisms to access support. There exist some applications which help domestic abuse victims with various things: some provide information about abuse and determining if your relationship is abusive, some log evidence, some help plan an escape. A student can build a secure evidence-gathering application for domestic abuse victims. Requires careful design of features to help users cover their tracks, secure and verify evidence collected so that it is admissible in court, and allows victim-survivors to provide an alternative application display to avoid suspicion and possible negative consequences. Will run a user study to test effectiveness of application towards the end of the project.
  • De-escalation tech - it may be possible to design an application that aids users in some way once an abuser has discovered their use of technological support mechanisms, such as evidence collection or abuse information apps. This could involve some way of hiding evidence from a user's phone (overlapping with Vault App projects) or otherwise providing aid to de-escalate abuse.
  • Detecting spyware/dual use apps. Spyware (or dual-use apps) can take various measures to hide themselves on a phone once installed. A project could design an app/system process that searches for these applications, which will likely overlap with traditional rootkit discovery.
  • Browser safety features: as an extension to the quick exit buttons study, it would be possible to design safety mechanisms into the browser. These could include versions of exit buttons that clear history, launching a set of tabs to disguise history, or storing a set of sites which are never recorded to history.
  • Any variants of existing projects or papers: I recommend reading research by Leonie Tanczer's Gender and Tech group at UCL, and the IPV Tech Research group at Cornell/NYU.
  • [Other project ideas currently taken for this year; I'll add more here soon. Variants of taken projects are possible as long as they are distinct]

Security & Hacking

  • Security analysis of IoT devices. I previously worked on Smart Locks for my MEng dissertation, and can help with analysing systems through various means including reverse engineering and black-box testing. In particular, I have experience with and would be happy to supervise projects which attack:
    • Anything with an Android mobile app, as it can be reverse-engineered to look for vulnerabilities
    • WiFi-based products
    • BLE products (or regular Bluetooth, though it is less common and more awkward to work with)
    • RFID cards and tags
    • Physical Security systems like locks or safes
  • MITM detection tool for known vulnerable systems (and possibly constructing defences against detected attacks). I'm primarily thinking of evil twin attacks on WiFi, MITM attacks on Bluetooth and BLE, or exploits on these technologies which allow for MITMs like the KRAck attack on WPA. Would likely involve traffic analysis or identifying signs of these attacks, like multiple systems announcing the same network to identify evil twin or a spam of Bluetooth device announcements used to initiate Bluetooth MITM attacks.
  • Lockpicking robot. It is easy to learn to pick lots of types of locks*, and it is theoretically possible to make a robot which intelligently picks them in the same manner as humans do. Current semi-automated unlocking tools include electric bump guns (which bounce pins repeatedly until the lock happens to open) or brute-force safecracking machines. Using sensors and a robot arm to control tension and pick the pins could allow for fully automated lock picking. Would need to be co-supervised (or primarily supervised) by a robotics expert.
    * I have plenty to learn on if you want to borrow any!
  • Key reverse engineering. A known attack is taking a photo of someone's key where you can see the bitting and then identifying the key cuts from this so you can clone the key. This could be improved upon by making a system that uses computer vision to identify the key and it's position, then measuring the bitting and providing an estimate of the key bitting. Extensions would include analysing different types of key or analysing a video feed instead of a static image.

Proposed Student Projects 2023-2024

  • Steph Braid [Undergrad - Part II]Designing possibly Dual-Use Apps to restrict abuse. Some applications can be used for both good and bad purposes (e.g. child monitoring/parental controls), but are not designed to avoid the malicious use case. A project could aim to build one of these apps in a way which restricts the application to its intended purpose.
  • Summer Leigh [Undergrad - Part II] Designing access control mechanisms for an adversarial home environment. Smart homes are often designed to allow parents some control over children's devices etc with access control mechanisms restricting what they can do with the smart home; abusers are then using this to control their victims. An interesting research project would explore different ways in which you could design a smart home around an adversary in the home, possibly including mechanisms to revoke or regain privileges, or enabling multiple superusers, or having an extra level of superuser that the device owners cannot access for use in this scenario.

Student Projects 2022-2023

  • Dani Foldi [Undergrad - Part II] Website vulnerability scanner. There are a great many common vulnerabilities in websites, so you could make a tool that looks for one or more vulnerabilities. This could be a detailed project on one vulnerability with a wide range of specific attacks (XSS, SQLi...) or a combination of more small vulnerabilities.
  • Web server misconfiguration detection. Identify when a server is has configuration issues that could lead to other attacks, including:
    • Not using HTTPS / using invalid certificates for HTTPS
    • Absence of automatic redirect to HTTPS pages
    • Identify missing / badly set up HTTP headers, such as HSTS, CORS, CSP
    • Not using DNSSEC
    • Find leaked credentials in public webpages
    • Identify poor access control leaking information such as private Git repos
  • Saomiyan Mathetharan [Undergrad - Part II] Network security tool and firewall probing. This will include:
    • Identifying vulnerable services on a machine i.e. port scanning
    • Testing parameters of firewalls on systems, which are intended to restrict or prevent port scanning, and attempting to work around them.
    • Possibly identifying systems in a network and attempting to identify them. Can use arp/ping scans, traffic analysis etc to find systems, then different forms of fingerprinting to identify them.
  • Oliver Shapcott [Masters - MPhil] (Co-supervised) Automation of IoT Malware Binary classification in automatically identifying Command and Control Infrastructures. Automates as much of the process of reverse-engineering C&C malware as much as possible, allowing automated identification of the type of malware and likely sources of it.