CS 6431: Security and Privacy Technologies

Lecture notes
Vitaly Shmatikov

Project proposals are due October 1. A proposal should be 2-3 pages long and include the following:

  • Names of team members (at most 2 students per team).
  • Description of the system or network protocol that you are planning to analyze or implement, or the tool that you will be building or extending.
  • Security properties you intend to investigate.
  • Tools and/or analysis techniques you are planning to use.
  • Clear description of project deliverables. Possible deliverables are a software prototype, a substantial case study, or, in the case of a purely theoretical project, proofs (manual or machine-assisted).

Here are some project ideas. These are only suggestions; you are encouraged to propose your own project topic.

  • Add privacy protection to an augmented reality, computer vision, or image recognition application.
  • Design and implement a fuzzing or program analysis tool for finding security bugs in multi-protocol stacks.
  • Investigate privacy issues in genomic computation and design privacy-preserving techniques for genetic data mining.
  • Study security and privacy of a modern networking protocol such as QUIC or SPDY.
  • Implement a novel containment mechanism and/or reference monitor for untrusted applications. Possibilities include virtual machines, privilege separation, run-time sandboxes that restrict usage of system resources, etc.
  • Investigate side channels in encrypted, searchable databases.
  • Build a system for censorship-resistant communication that hides information in BitTorrent or other P2P traffic.
  • Develop a tool for automatically finding errors in Web applications' security logic.
  • Design a method for verifying whether Android APIs correctly check applications' permissions.
  • Build a tool for verifying whether the observed behavior of a program, security library, or network protocol complies with its specification.
  • Build a system for preventing unintended information flows between guest OSes in a hypervisor.
  • Study security and privacy aspects of some networked consumer device: for example, Kinect or Up by Jawbone.
  • Investigate whether aggressive compiler optimizations can unintentionally introduce memory corruption vulnerabilities into compiled code.
  • Develop an enforcement mechanism for enterprise privacy policies based on decentralized information flow control.
  • Automatically discover a large number of low-capacity covert channels and use them to implement ultra wide-band steganography.
  • Build a system for privacy-preserving Web browsing that would be secure against timing attacks.
  • Analyze security requirements of attached network storage and propose a practical method for achieving these requirements.
  • Design a new distributed application that takes advantage of tamper-proof "trusted computing" hardware.
  • Define what HTTP security means and implement a network filter for securing HTTP communications.
  • Design a practical logging system to support secure audit and forensic analysis.
  • Add security and privacy protections to a realistic RFID application.
  • Implement a tool for inferring the global "security perimeter" of the network from the local policies of firewalls, intrusion detection systems, and so on.
  • Design a defense against distributed denial of service attacks staged by zombie "botnets" that does not require any modifications to the existing TCP/IP clients and servers.
  • Using a formal verification tool or manual analysis, either prove a network protocol secure or discover security flaws. Examples of protocols:
    • Dissent anonymous messaging
    • Protocols for accessing cloud services such as Amazon EC2
    • Cross-origin authentication in Web applications
    • Secure voice-over-IP protocols (for example, Skype)
    • 802.11i wireless security
    • Secure multicast and group key management
    • Authentication in Bluetooth
    • Secure location verification for mobile devices
    • Secure routing in ad-hoc networks
  • Investigate algorithmic aspects (decidability, complexity, etc.) of some legally mandated privacy policy. For example, what does it take to enforce HIPAA for medical data, or Gramm-Leach-Bliley for financial data?
  • Develop a cryptographic proof of security for a network protocol such as TLS, IKE, or Kerberos.
  • Apply algorithmic techniques for efficient analysis of large datastreams to the detection of distributed botnet activity.