Objective: The goal of the final project is to produce a deep security solution in an existing large-scale system, as well as high quality class presentations of the project.
Form: Students in this project work in a group (up to four students). You need to notify our TAs of your group members and the topic before working on the project. Please send email to cs5231ta@googlegroups.com.
Topic: A set of research topics are suggested (see below). You can also propose your own topics in which you are interested. However, please discuss with me before getting started if your group work on your own topic.
Components: You are expected to write a project proposal, a progress report, deliver a final report, and give a final project presentation. A well-prepared presentation is necessary since this could be one of your chances to convince me and your classmates how good your project is.
Grading Criteria: Be clear that plain summary or introduction papers won't be considered as a good output. Reports with good (comprehensive and systematic) insight and analysis on the issues are welcomed. The project grade will be based on project proposal (10%), progress report (10%), final report (60%), and presentation (20%). The grading will mainly base on the novelty, solidity, and completeness of the conducted work.
Honor Code: The papers are expected to include your own ideas in your own words. Please do not attempt to cut-and-paste or borrow others ideas without adequate and clear citations. The soft copies of your submissions need to go through NUS's turn-it-in service. For more information about this service and plagiarism prevention, as well as NUS policies on plagiarism, please refer to http://www.cit.nus.edu.sg/plagiarism-prevention/.
Our TAs are prepared in supporting projects in the following directions. For other directions, please make sure you have enough knowledge or support in carrying out the projects.
Direction 1: System Security
Base System and Tools:
In this project, you are expected to build an event interceptor and use it to analyze and sandbox the behavior of some malware. You can choose the targeted platform: Linux, Windows, Browsers, Android, or even iPhone (if you can).
Related resources:
Janus: An Approach for Confinement of Untrusted
Applications
Isolated Program Execution:
An Application Transparent Approach for Executing Untrusted
Programs
Source code of
Alcatraz
Source code of Etrace, the system call tracing
utility used by Alcatraz
You can either use LXC to build you own container platforms with your own taste in security, or find and exploit vulnerabilities in existing container platforms.
Related resources: LXC security Docker security NCC Group Whitepaper: Understanding and Hardening Linux Containers
Direction 2: Software Security and Binary Analysis
Base System and Tools:
Suppose we already know a program is vulnerable, and have an exploit input to demonstrate the vulnerability. Our tool TEMU can produce a trace of all instructions executed by the vulnerable program during the attack, but the trace is hard for manual analysis. In this step, you need to create a tool to visualize the trace structure to help developers to diagnose the vulnerability.
Resources:
TEMU installation and user manual
Direction 3: Mobile Security
Base System and Tools:
Resources:
Android Setup on Google Galaxy Nexus
Analyzing HTML-based mobile applications HTML-based mobile applications are getting popular. Frameworks support such applications include PhoneGap. Design a dynamic or static solution to analyze such applications for malicious behaviors or security vulnerabilities.
Resources:
Chromium
Webkit Developer Repository
Android WebView
PhoneGap Attacks on PhoneGap application Open source PhoneGap plugins Vulnerable Android apps
Rust is a newly developed programming language featuring built-in memory safety practices and fast execution speed. An open-source project based on Rust, rust-sgx-sdk, is trying to ease the effort on writing secure enclave code with the language-level benefits from Rust.
Resources:
Intel SGX
Rust programming language
Baidu rust-sgx-sdk