Homeworks (and thesis) for the course Computer Security (02KRQ) of the Politecnico di Torino academic year 2012-2013 Prof. Antonio Lioy < lioy @ polito.it > version 1.03 of 22/01/2013
Homeworks (and thesis) for the course Computer Security (02KRQ)of the Politecnico di Torinoacademic year 2012-2013
Prof. Antonio Lioy< lioy @ polito.it >
version 1.03 of 22/01/2013
Homework max grade:
27 for the writeen 3 for the oral presentation (optional)
report: use Latex (see example at the web site) about 20-30 pages (optional) PPT slides for a brief talk (15-20’)
can be delivered at any time but – to record the grade in a certain session –MUST compulsory be delivered respecting the following deadlines: 22/2/13 for recording the grade in March 2013 12/7/13 for recording the grade in June 2013 13/9/13 for recording the grade in September 2013
Homework outline meet your tutor to define your workplan
write down your workplan and send it to your tutor and the instructor for approval
send periodic updates to the tutor and the teacher brief (no more than 30 lines) with clear reference to the workplan (items completed)
it's possible to deliver ONE (at most TWO) draft version of the report to get feedback from the tutor/teacher: assuming that the draft is delivered well in advance of the deadline for the final
versione once the final report is delivered, it will be graded without any chance to further
amend it teacher / tutors NOT available during August
Report skeleton introduction and state-of-the-art description of the new technique / analyzed solution advantages and disadvantages residual risks (when applicable) experimental performance analysis if the homework included the development or use of some programming code:
user manual (how-to for installation and use) programmer manual (program logic, data and functions, how-to build)
bibliography / sitography
SHOULD DEMONSTRATE KNOWLEDGE OF COURSE'S TOPICS (without useless repetitions)
Picking up an homework contact the tutor to evaluate:
your real understanding of the subject pre-requisites
homeworks already assigned are marked with one or more X in the title (one X per person, up to the maximum number of people allowed for the homework)
Note about homeworks with several students the role of each student must be clear (to get individual evaluation) at the same time, it must be clear the benefit of having done a joint homework
(i.e. some common part such as a common introduction or a joint experiment)
Homework and graduation work (thesis) your homework may be the first part of your final graduation work (a.k.a.
thesis) if you want to do your thesis in the computer security area then let the the
teacher know this before getting the homework in this case do NOT select a specific hoemwork but select a thesis project and
contact the teacher for getting a suitable subject inside the project each thesis has a possible direct connection with a job at one of the project's
partners
Elenco dei progetti di tesi
/
Possible projects for thesis
Thesis projects (I) STORK 2.0 project (www.eid-stork2.eu)
large (58 partrners, ~10 M Euro) EU project for interoperability of e-ID possible subjects:
digital identity (SAML, XACML, id federation) public-key certificates, digital signatures, PKI smart-cards e-government applications
requirements: C or Java programming web programming
environment: Linux (preferred) or Windows
contact: LIOY or BERBECARU / [email protected]
Thesis projects (II) POSECCO project (www.posecco.eu)
medium (7 M Euro) EU project for security design and audit of large networked systems
partners: SAP, Crossgate, Deloitte, IBM, Thales, Atos, Polito, U.Bergamo, U.Berna, U.Eindhoven, U.Innsbruck
possible subjects: security ontologies and automatic reasoning automatic network and system configuration of security parameters security optimization
requirements: C or Java programming
environment: Linux (preferred) or Windows
contact: LIOY or BASILE / [email protected]
securitycapabilities
securitychecker
configurationgenerator
securitytechnology
mapper
securitydeployment
engine
securitycontrols
securityaudit
systemdescription
securitypolicy
Policy-based security management
Thesis projects (III) TCLOUDS project (www.tclouds-project.eu)
medium (7.5 M Euro) EU project for secure cloud computing based on trusted computing techniques
partners: IBM, Elect. do Portugal, Technikon, Philips, Sirrix, Osp. S.Raffaele, Polito, U.Darmstadt, U.Lisbona, U.Oxford, …
possible subjects: trusted network connections trusted logs programming trusted applications remote attestation
requirements: C or Java programming
environment: Linux (preferred) or Windows
contact: LIOY or RAMUNNO / [email protected]
Trusted Computing, i.e. what is my trust foundation? in my network are there only my computers? my computers are running only the sw selected by me? is the sw configured in the proper way? when I use a public network (e.g. Internet) rather than a private network, am I
really connected to the expected node? when I am connected to a server, how can I verify its application sw is the
“good” one or it has been altered?
answers: Trusted Computing (and Trusted Network Connection) TPM for desktop, MTM for mobile (or equivalent solutions) TC-enhanced Linux + trusted virtualization remote attestation & TLS
TRUST & INTEGRITY
Components of a TC system
isolationexecution in separate
domains / compartments /environments
local / remote attestationproof of configuration
(whole sw stack)
protected memoryhw key containerdata encryption
data sealing
secure I/Otowards the user
among various components
Thesis projects (IV) Webinos project (www.webinos.org)
large (10 M Euro) EU project for secure and ubiquitous platform for “personal” devices (e.g. smartphone, netbook, in-car media&comm centre, home appliance, …)
partners: Fraunhofer-Fokus, BMW, Deutsche Telekom, Sony-Ericcson, Samsung, Telecom Italy, TNO, W3C, Polito, U.Oxford, …
possible subjects: security APIs risk analysis security policy definition and enforcement
requirements: Javascript programming web programming
environment: embedded OS (with JS VM)
contact: LIOY or ATZENI / [email protected]
Thesis projects (V) TENACE project
Italian project to be started in 2013 trusted and secure environment for protection of crtifical infrastructures (CI) possible subjects:
security model of CI security policy for a CI automatic analysis / simulation of a CI
requirements: C or Java programming
environment: Linux
Thesis projects abroadand in collaboration with industries
we have good relations with other research groups they are willing to host 1-2 students each for their MSc thesis good english is a pre-requisite joint tutorship with POLITO pre-selection by POLITO currently available hosting institutions:
TUG (Graz, Austria) KTH (Stockholm, Sweden) others might be added (e.g Oxford)
we have also some collaboration with industries, and they are willing to host some students for internship associated to a thesis
joint tutorship with POLITO pre-selection by POLITO currently available hosting companies:
Oberthur (Paris, France) CRF (Centro Ricerche Fiat, www.crf.it) TILAB (Telecom Italia Lab, www.tilab.it)
Elenco delle tesine (e tesi) proposte
/
Possible homeworks (and thesis)
Subjects for thesis at TUG (X –) smartphone security:
malware, security analyses development for IOS, Android, Windows Phone mGovernment
cloud: eID, Single Sign On HTML5 security eGoverment
intelligent security knowledge mining in security related areas: malware detection
digital signatures (Citizen Card) on smartphones
more details at http://goo.gl/g689s "anonymous credentials ..." assigned to S.Ivana
Subjects for thesis at KTH (X –) at most two students hosted at KTH
secure ranging and localization secure localization for global navigation systems security and privacy for vehicular communication systems location and smart spaces privacy privacy for user-centric and social network applications secure routing for Internet and for emerging networks
assigned to D.Giordano secure communication for ad-hoc networks formal analysis of security protocols
Subject for thesis at Oberthur (X) development of a simulation enevironment for security applications in Android
requires knowledge of: Java programming Android programming (at least basic)
site: Colombes (near Paris) grant: about 1000 Euro/month duration: 6 months (starting March or April 2013)
assigned to G.Scavo
(homework) Secure NTP (X) tutor: LIOY / [email protected] / 7021 subject:
secure NTP (with symmetric / asymmetric crypto) people: 1 (may also be a thesis) = Bitonti references:
IETF http://www.cis.udel.edu/~mills/ntp.html
outline: protocol description and security analysis description of available implementations tracing the client-server exchange (thesis) deployment and experimental evaluation
(homework or thesis) Timestamping (X) tutor: LIOY / [email protected] / 7021 subject:
TSP (Time-Stamping protocolo) and TST (Time-Stamping Token) people: 1 (or 2 if thesis, that would include also secure NTP)
homework = G.Banea
references: IETF RFC-3161 and successors openSSL-based TSP tool
outline: description of the protocol and data formats experimental evaluation of an open-source implementation
(homework) Security of location protocols (X – ) tutor: LIOY / [email protected] / 7021 subject: security analysis of service location protocols, such as
Multicast DNS (MDNS) Simple Service Discovery Protocol (SSDP) Service Location Protocol (SLP, srvloc)
people: 1-2 Ferrentino ???
references: to be found on the web
outline: description of the protocol(s) and security risks/features sample experiments with available open-source tools
(homework or thesis) PKI-based e-mail (X –) tutor: LIOY / [email protected] / 7021 subjects:
installation and test of a PKI-enabled MSA installation and test of a PKI-based mailing-list
people: up to 2 MAY be a thesis if implemented with trusted computing
(thesis) Fabrizio PINTUS = trusted & secure mailing-list references:
RFC for SMTP over TLS and STARTTLS MSA/MTA patches for PKI integration
RFC for S/MIME extensions for secure mailing-list MSA/MTA patches for secure mailing list
outline: description of the protocol and data formats experimental evaluation of a cert-based ACL for MSA
(homework) EKMI + SKMS tutor: LIOY / [email protected] / 7021 subject:
OASIS enterprise key mgmt + symm. key mgmt. people: up to 2 references:
www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi
www.strongkey.org (open-source sw to be tested) outline:
description of the formats and protocols for EKMS and SKMS experimental trial of the StrongKey solution
(homework) PDF security tutor: LIOY / [email protected] / 011-5647021 students: up to 3
for signature creation, signature verification, encryption topic:
analysis of the PDF format and its support for PKI-based security object:
study and document the security features of PDF use a POLITO certificate to sign/encrypt a PDF document
references: web
tasks: technical documentation of the PDF security features how-to manual to use POLITO certificates with Acrobat
prerequisites: asymmetric crypto
note: may become a thesis if all work done by a single student
(thesis) Secure Matchmaking in Hybrid Cloud environments
tutor: Cutillo ([email protected] / 7192) TClouds project (https://www.tclouds-project.eu/)
topic: Secure Matchmaking protocols allow users to define a private set of constraints
on the nature of the communicating party which have to be met in order to establish communication
Communication between parties takes place with the help of an external honest but curious matchmaker whose role is to guarantee fairness in the system
people: 1-2 references:
doc (http://ale.sopit.net/pdf/cose.pdf) project (details to be agreed with the tutor):
(1) evaluation of state of the art secret matchmaking algorithms (2) presentation and demonstration of a Secret Matchmaking algorithm,
characterized by the presence of a distributed matchmaker, which preserves anonimity and unlinkability of users against the matchmaker itself and against malicious users too
(thesis) Privacy by Design Cloud Computing tutor: Cutillo ([email protected] / 7192)
TClouds (https://www.tclouds-project.eu/) topic:
Cloud computing operates on Big Data exploitation, and Big Data paradigm leads to Big Risks for the end user
Privacy by design provides privacy as part of the technology rather than as an extra feature to guarantee compliance with data protection laws
people: 1-2 references:
doc (http://www.ipc.on.ca/images/Resources/pbd-NEC-cloud.pdf) project (details to be agreed with the tutor):
(1) Evaluation of Security and Privacy risks in Cloud environments with respect to the Cloud (or Cloud-of-Clouds) specific architecture
(2) presentation and demonstration of a Privacy by Design Cloud architecture allowing users to have full control on both access and use of their data
(thesis) Secure Cooperation Enforcement Mechanisms in Distributed Networks
tutor: Cutillo ([email protected] / 7192) TClouds (https://www.tclouds-project.eu/)
topic: many incentive mechanisms have been proposed to foster cooperation among
nodes in distributed networks, be they either credit or reputation based most of existing solutions rely on the existence of an online centralized authority
that is in charge of a fair distribution and transaction of either credit or reputation such centralized mechanisms mainly suffer from privacy leakage and single point
of failure problems references:
http://www.kevinjhoffman.com/csd-tr-07-013-survey-attacks-defenses-reputation-systems.pdf
http://www.eurecom.fr/fr/publication/3698/download/rs-publi-3698.pdf project (details to be agreed with the tutor):
(1) security analysis and evaluation of current cooperation enforcement mechanisms in distributed networks
(2) presentation and demonstration of a cooperation enforcement mechanism mainly conceived for the preservation of privacy
(homework) Secure Anonymous P2P Resource Sharing (XX)
tutor: Cutillo ([email protected] / 7192) topic:
current Peer-to-Peer networks either fail in providing users’ untraceability or provide it without guaranteeing resource location in ~O(log n) steps
moreover, the setup complexity of current P2P clients discourages users from joining the network
the goal of this homework is to review current P2P web applications, provide details on the security properties they hold (if any), and finally propose improvements to make such solutions meet communication untraceability and user anonymity properties
people: 1-2 = Gonnet (from PC), Annuzzi (from mobile) example references:
project (https://freenetproject.org/) project (http://anomos.info/)
outline: security analysis and evaluation of current P2P web applications identification of the improvements required to provide such applications with
communication untraceability and user anonymity properties.
(homework) Web Reputation Systems Security tutor: Cutillo ([email protected] / 7192) topic:
Reputation is an information used to make a value judgment about an object or a person
A reputation statement, in which a source makes a claim on a target, is the building block of any reputation system
Two actors, users and staff members, take three actions: claim creation, evaluation and removal
The goal of this project is to identify the security issues current web reputation systems suffer from, and propose solutions to face them
people: 1-2 example references:
doc (http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6153140&tag=1) outline:
Security analysis and evaluation of current web reputation systems Improvement proposals
(homework) Image Watermarking (XX)
tutor: Cutillo ([email protected] / 7192) topic:
a watermark consists in an information which is embedded into a digital media content in such a way to result imperceptible to humans and undetectable to machines
while strong watermarks are difficult to remove and usually aim at protecting intellectual property, weak ones are easily removable and aim at detecting content tampering
people: 1-2 Arena (in the spatial domain) Fonti (in the frequency domain)
example references: doc (http://eprints.qut.edu.au/48779/1/RnS_revised_ver_1.4%28IEEEpassed%29.pdf)
outline: Security analysis and evaluation of state-of-the-art image watermarking schemes
The webinos project contact: ATZENI ([email protected] / 7192)
webinos project (http://webinos.org) topic
Secure Web Operating System Application Delivery Environment. project objective
a web platform designed to allow apps to securely run across mobile, homemedia, PC and automotive
thesis and career possibilities work with an international consortium... ...in a pervasively growing environment face with real problems from market leading companies
purpose of the project is to create working results and prototypes (availablefrom February '12!)
The webinos projectToday ~30 parties (founding
and growing set of affiliates) partners from more than 10 countries (mainly EU)
academic + industrial non-polarised cross-domain Growing number of
affiliate members
Tomorrow open (source)
community of academia, industrial and developers driving and using the developments
webinos research objectives development of a flexible, secure and usable open platform.
usable security to achieve both security and usability methodologies to achieve SSO in a privacy preserving way (e.g.
pseudonymity, anonymity) methodologies to develop webinos core securely practical and user-friendly security and privacy policy configuration improvement to state of the art mobile threat analysis and threat mitigation practical platform integrity assurance (e.g. trusted computing techniques)
transparently to the user new thesis topics are always emerging from project development…
check with us if you can find your thesis and be prepared to work in a highly dynamic environment
find (much) more on http://webinos.org
(thesis) webinos secure coding tutor: ATZENI ([email protected] / 7192)
webinos project (http://webinos.org/) topic
mobile and convergent software development (e.g. javascript) lacks of secure coding methodologies and testing. In webinos, the development of security bug-free code, is required to avoid presence of disconcerting security flaws.
people: 1 references:
selected documents (papers + project internal documents) project (details to be agreed with the tutor):
(1) development of best-practices shaped for mobile secure coding, application to a subset of the webinos software core
(2) analysis of available methodologies for automated code check and application to webinos environment
(thesis or homework): implementation and verification of webinos authentication protocols (X) tutor: ATZENI ([email protected] / 7192)
webinos project (http://webinos.org/) topic
Webinos plan to introduce some novel authentication methods, that should at the same time introduce user-friendly SSO and preserve user privacy. These methods needs to be developed and unambiguously verified
people: 1 = Montanaro references:
selected documents (papers + project documents) project (details to be agreed with the tutor):
modelisation and analysis of webinos authentication mechanisms introduced so far (thesis will address the whole webinos architecture, homeworks will address only isolated parts)
(thesis) webinos “penetration testing” tutor: ATZENI ([email protected] / 7192)
webinos project (http://webinos.org/) topic
Webinos is a complex cross-platform architecture. This complexity could conceal security flaws and weak configuration. A practical risk analysis, testing the platform and its application, is thus required.
people: 1 references:
selected documents (penetration testing methodologies + project architectururaldescription and code)
project (details to be agreed with the tutor): (1) development of a suitable methodology to test webinos, (2) practical testing of selected webinos configuration, (3) threat mitigation
(thesis) webinos “usable security” tutor: ATZENI ([email protected] / 7192)
webinos project (http://webinos.org/) topic
In webinos we developed methodologies to address security while considering (theoretically and practically) usability. Since the user base (unaware security people) this aspect have to be refined, mixing up concepts from different disciplines (e.g. cognitive science, user friendliness) to enrich the security model.
people: 1-2 (example) references:
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.89.6079&rep=rep1&type=pdf
http://www.computer.org/portal/web/csdl/doi/10.1109/ARES.2011.115 project (details to be agreed with the tutor):
development and refinement of the webinos usability models (use r artifacts developments, use of artifacts in user’centered security design, privacy preserving interfaces, …)
(thesis) Risk analysis tool development tutor: ATZENI ([email protected] / 7192) topic
analysis of different Risk Analysis methodologies and design and development of a risk analysis tool, based on a critical analysis of the state of the art
people: 1 references:
Pilar: http://www.ar-tools.com/en/index.html Ebios: http://www.ssi.gouv.fr/en/confidence/ebiospresentation.html Cairis: https://github.com/failys/CAIRIS
project (details to be agreed with the tutor): analyse available RA methodologies and computer aiding tools compare the other RA improve available tool or design a new one exploiting the developed concepts
(thesis) Mobile applications danger level evaluator tutor: ATZENI ([email protected] / 7192) topic
design and prototypization of an evaluation system for mobile system (Windows or RIM) application, capable to evaluate the dangerousness of a downloaded app.
people: 1 (on-going work for Android and iOS) co-work with Telecom Italia Lab project (details to be agreed with the tutor and Telecom Italia Lab researchers):
analysis of the state-of-the-art for application security evaluation design and development and prototypization of the downloaded system implementation of a practical computer tool testing of the tool through automatic download of application from app stores
(thesis) “Smart” honeypot tutor: ATZENI ([email protected] / 7192) topic
development of an honeypot targeted for smartphone (or tablet) and for a specific smartphone service
people: 1 co-work with Telecom Italia Lab project (details to be agreed with the tutor and Telecom Italia Lab researchers):
analysis of the state-of-the-art of honeypot in mobile environments Identification of a suitable “smart” service implementation of an honeypot mimicking the identified service collection and analysis of the breach attempts to the implemented service
(thesis) SDR Jammer tutor: ATZENI ([email protected] / 7192) topic
SDR (Software defined radio) allows to develop and program “home-made” jammer without use of too much costly hardware. The thesis aims to develop USRP jammers for GSM and UMTS terminals, using the Telecom Italia Lab test-bed and hardware
people: 1 co-work with Telecom Italia Lab project (details to be agreed with the tutor and Telecom Italia Lab researchers):
analysis of the background (jammer, GSM and UMTS protocols, SDR, ...) analysis of the available software libraries development of suitable scenarios/ use cases development, configuration, testing (using Telecom Italia Test Plant) of SDR's
jammer
(thesis) NFC threat exploitation tutor: ATZENI ([email protected] / 7192) topic
Study and Apply threats (introduced in Black Hat and DefCon conferences) for NFC-based devices.
people: 1 co-work with Telecom Italia Lab project (details to be agreed with the tutor and Telecom Italia Lab researchers):
analysis of NFC attacks (e.g. Charlie Miller, Eddie Lee Black Hat and DefCon2012)
identification and retrieval of free tools to apply these threats in a controlled environment (e.g. NFCProxy based on libNFC for Android)
development of “in-vitro” analysis (i.e. reproduction in controlled environment, to determine the dangerous level of the threat)
(thesis or homework) Open webOS analysis tutor: ATZENI ([email protected] / 7192) topic
Analysis of the recently released Open webOS (and possibly comparison with webinos)
people: 1 co-work with Telecom Italia Lab project (details to be agreed with the tutor and Telecom Italia Lab researchers):
theoretical analysis of the Open webOS platform (security model, how to use and install/disinstall)
(thesis) Practical analysis to hunt bugs and improve security and usability of the platform
implement ation of concept of the webOS security model in the webinosarchitecture
(homework) innovative authentication protocol (X) tutor: ATZENI / [email protected] / 7192 topic:
the J-PAKE protocol is an innovative protocol based on Password-Authenticated Key Exchange, with a presently available implementation in OpenSSL and OpenSSH. Purpose of this homework is to present the feature and implement a demo of what offered by J-PAKE
people: 1 = Marsicovetere example references:
grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf outline:
protocol analysis and comparison with other authentication mechanisms analysis of libraries provided by OpenSSL and OpenSSH implementation of a test program using those libraries description of the work done in a programming manual
(homework) Smartphone file system encryption tutor: ATZENI / [email protected] / 7192 topic:
proliferation of powerful but easy-to-steal or to-lose devices (e.g. smartphone) increase as well needs of confidential storage. this homework aims is to analyseand evaluate the performance and the security provided by “secure” storage solutions, detailing the suitability in constrained environments (e.g. smartphones)
people: 1 references:
http://en.wikipedia.org/wiki/List_of_cryptographic_file_systems project (details to be agreed with the tutor):
(1) selection of suitable file systems, (2) definition and deployment of the test environment, (3) testing and analysis of the selected solutions analysis of the selected
solutions.
The PoSecCo project contact: BASILE ([email protected] /7173)
PoSecCo project (http://www.posecco.eu/) topic
security policy management in Future Internet project objective
improve security and compliance and lower security management costs thesis and career possibilities
work with an international consortium possibility of periods abroad, stages, PhDs
face with real problems from market leading companies abstract research topics are leveraged by real problems from companies
having high security requirements
PoSecCo Thesis research objectives
automatic or semi-automatic creation a policy chain: from abstract security requirements (business level) down to technical, configuration settings (administration level)
comparison, selection, analysis and implementation of security enforcement mechanisms
new thesis topics are always emerging from project development… …check with us if you can find your thesis
policy refinement automatic transformation of high level directives into actual optimal configurations
policy conflict analysis and management models to understand and remove cause of misconfigurations, attacks from
security configurations
PoSecCo Consortium
58
(thesis) network optimization tools tutor: BASILE/VALLINI ([email protected] /7173)
PoSecCo project (http://www.posecco.eu/) topic:
manually deriving configurations for security mechanisms in distributed systems is a complex and error prone task
automated tools can give a tangible improvement (move from “satisfactory” configurations to “the best” configuration)
people: 1-2 references:
selected documents (papers + project internal documents) project (details to be agreed with the tutor):
definition of advanced techniques to select the “best” configurations for filtering (firewalls) and data protection devices (firewalls) also include management and deployment costs
(thesis) ontology-based policy refinement tutor: BASILE/CANAVESE ([email protected] /7173)
PoSecCo project (http://www.posecco.eu/) topic:
security requirements in natural language are used to specify policies, but they need to be mapped into configuration settings
smart techniques can “emulate” the behaviour of skilled administrators avoiding the typical human errors
people: 1 references:
selected documents (papers + project internal documents) project (details to be agreed with the tutor):
use ontology to reason about policies and support complex scenarios (e.g., proxy, SSO) ontologies can be seen as a more expressive and sophisticated OO paradigm
(homework) conflict analysis in security controls tutor: BASILE ([email protected] /7173)
PoSecCo project (http://www.posecco.eu/) topic:
detect and resolve misconfigurations in security controls the (long term) objective is to support analysis of various device configurations
people: 1 references:
selected documents (papers + project internal documents) project (details to be agreed with the tutor):
customize the TORSEC geometric analysis model to support vendor-specific policy analysis CISCO (1-2), CheckPoint (1), iptables (1), Apache (1), Squid (1), firewall
builder (2), racoon (1) Apache = Morelli
(thesis) conflict analysis in distributed systems tutor: BASILE ([email protected] /7173)
PoSecCo project (http://www.posecco.eu/) topic:
detect and resolve misconfigurations in large heterogeneous networked environments
the (long term) objective is to capture dependencies among security controls in computer systems and identify anomalies
people: 1 references:
selected documents (papers + project internal documents) project (details to be agreed with the tutor):
extend the conflict analysis model developed by the TORSEC group to support new security functionalities (e.g., channel protection, NAT and reverse proxy)
automatic/assisted conflict resolution
(thesis) VANET tools tutor: BASILE/[email protected] /7173
with Panos Panadimitratos from KTH Stockholm topic:
VANET (Vehicular Ad hoc NETwork) is an emerging standard. It may offer new services to drivers, on the other hand it may create privacy issues
a privacy solution has been proposed using pseudonyms people: 1-2 references:
selected documents (papers + project internal documents) project (details to be agreed with the tutor):
(1) testing the privacy model (2) provide new Apps (services) based on location (accident reconstruction,
highway code violations)
(homework) UEFI and secure boot (X) tutor: Marco VALLINI ([email protected]) topic:
UEFI (Unified Extensible Firmware Interface) malware attacks could modify critical operating system components (e.g.,
bootloader) UEFI secure boot proposal aims to validate the bootloader (before starting it) to
ensure that its image is authorized to run on the platform people: 1 = E.Caimotti references:
selected documents (papers + specifications) objectives:
analysis of specifications, criticisms and recommendations considering organizational/compatibility and security aspects (e.g. Setup Mode, Platform Ownership)
comparison with other technologies (e.g. Trusted Boot)
(thesis) security of embedded systems tutor: Antonio LIOY ([email protected]) + researcher(s) from CRF to be performed at CRF (Fiat Research Center, www.crf.it) topics:
security in HTML5 security of web-based embedded applications
people: up to 2 (one subject each) references:
will be provided to candidates objectives:
analysis of the weaknesses of web-based architectures when used inside an automotive system for the entertainment and control objectives
proposal of solutions to counter these weaknesses
Final notes look for of updates of this document (e.g. subjects already assigned, addition
of new subjects) each version is identified as X.Y (major.minor) the major number is changed when new subjects are added the minor number is changed when a subject is assigned to a student
if you are interested in computer security but can’t find a suitable subject in this list (are you kidding me?) then you can propose your own subject