|
|
|
Introduction
This course requires a group project. Each project should have
some "research" aspect in that your aim should be to learn something we
couldn't learn just from reading a few papers. As an
example, your project shouldn't be just to build a tool, unless
that tool will have some novel feature - maybe it allows some
measurement or analysis we couldn't do before; maybe it has a
better interface so users are less prone to make errors (but you should
be prepared to give reasons why this is so). Another example
project would be to measure some security-relevant large scale
phenomenon that hasn't been measured before. We'll list some more
ideas below.
Examples
- LaTeX
and MS word style files.
- Four papers that got A marks in previous years: 1, 2, 3,
4. Notice that each paper:
motivates the
problem, cites related work, makes clear what its contribution is
compared to other work, and has simulation or implementation results.
Project Ideas
You may choose any project that interests you as long as it satisfies
the basic requirements listed above and is related to security in some
way. To get an idea for what current research is like in
security, you should look through the last several proceedings from Oakland, CCS, USENIX
Security, Crypto/Eurocrypt/Asiacrypt,
and NDSS.
However,
if you are having trouble coming up with ideas, here are a few generic
examples:
- Implement a security mechanism described in a recent paper
(without giving experimental results). Measure the performance of the
mechanism. (Example mechanisms include secure routing,
pesudonym system, digital rights management, key distribution, an
implementation of 802.11i protocol, Implementation of new modes of
operation and integration with OpenSSL... )
- Implement or extend an attack on a security mechanism
described
in a recent paper. Succesfully deploy the attack against your own machine only.
Measure the performance of your attack.
- Investigate the security of some ad-hoc protocol. For
example, many peer to peer protocols are not designed with security
features in mind. What should be the security goals? Do the
protocols meet them or are there attacks? There are a lot
of open-source projects and standards that lack security analysis.
- Design a better X: a more secure P2P filesharing protocol
(state
your security objectives though!); an anonymous publish/subscribe
system, single-sign on, encrypted keyword search...
- How do you know if
something has been done before? Use google. Three good
resources about published papers are Google Scholar, Citeseer, and ACM Portal. Once you find a
paper on a topic, you can search backward
by following the references in the paper, and forward by finding papers that cite
that one.
Many open-source security projects also maintain lists of TO-DOs or
small research projects, for example the Tor project list.
Here are a few very specific examples, that can be found by carefully
reading some recent research papers:
- Read "How
Much Anonymity Does Network Latency Leak?" - this paper
shows that we can weaken the anonymity provided by Tor simply by
measuring the round-trip time between a Tor client node and its
"first-hop" router. Several interesting questions appear in the
"future work" section, for instance:
- The attack depends on the Murdoch-Danezis "circuit clogging"
attack to find the entry node a client is using. An interesting
setting where this may not be necessary is in the case of Tor 's Hidden
Services. Adapt the attack to this setting and measure how well
it works.
- The attack described relies on the use of network coordinate
systems to measure the distance between a Tor entry node and various
"candidates" for the Tor client. The paper mentions several
alternative possibilities for measuring this distance; implement
them and compare their accuracy.
- Read "Attacking
the Kad Network" - this paper describes an attack on the Kad
distributed hash table used by the eMule filesharing
protocol. Extend the attack to another protocol
implementing the Kademlia DHT, such as BitTorrent.
- Read "Robust
De-anonymization of Large Sparse Datasets (How To Break Anonymity of
the Netflix Prize Dataset)" - this paper describes an approach to
"de-anonymizing" a large public data set. Find another such data
set that is amenable to similar analysis and extend the algorithm to
this case.
Note: I am happy to discuss
project ideas with students or groups at office hours or over
email. The most likely outcome of such a discussion is a
list of suggested references and a list of potential difficulties I
think you might face in writing an A report. This does not mean
you shouldn't pursue the project further. In general, one of the
hardest things about doing original research is finding "the right
thing" to work on in the first place, and I expect that many groups
will spend a significant amount of time and effort (perhaps as much as
20 hours per group member) identifying the problem that they will work
on.
|
|
