Upload
leminh
View
232
Download
0
Embed Size (px)
Citation preview
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 1
Homeworks (and thesis) for the course Computer Security (01KRQ)p y ( )of the Politecnico di Torinoacademic year 2011-2012
Prof Antonio LioyProf. Antonio Lioy
< lioy @ polito.it >
version 1.01 of 13/01/2012
Homework max grade:
27 for the writeen
3 for the oral presentation (optional)
report:
use Latex (see example at the web site)
about 20-30 pages
(optional) PPT slides for a brief talk (15-20’)
can be delivered at any time but – to record the grade in a certain session –MUST compulsory be delivered respecting the following deadlines:
20/2/12 for recording the grade in March 2012
18/6/12 for recording the grade in June 2012 (only "laureandi")
10/9/12 f di th d i S t b 2012 10/9/12 for recording the grade in September 2012
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 2
Homework outline meet your tutor to define your workplan
write down your workplan and send it to
your tutor and the instructor
for approval
send periodic updates to the tutor and the teacher
brief (no more than 30 lines)
with clear reference to the workplan (items completed)
it's possible to deliver ONE (at most TWO) draft version of the report to get feedback from the tutor/teacher:
assuming that the draft is delivered well in advance of the deadline for the final versione
once the final report is delivered it will be graded without any chance to further once the final report is delivered, it will be graded without any chance to further amend it
teacher / tutors NOT available during August
Report skeleton introduction and state-of-the-art
description of the new technique / analyzed solution
advantages and disadvantages
residual risks
(when applicable) experimental performance analysis
if the homework included the development or use of some programming code:
user manual (how-to for installation and use)
programmer manual (program logic, data and functions, how-to build)
bibliography / sitography
SHOULD DEMONSTRATE KNOWLEDGE OF COURSE'S TOPICS (without l titi )useless repetitions)
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 3
Picking up an homework contact the tutor to evaluate:
your real understanding of the subject
pre-requisites
homeworks already assigned are marked with one or more X in the title (one X per person, up to the maximum number of people allowed for the homework)
Note about homeworks with several students the role of each student must be clear (to get individual evaluation)
at the same time, it must be clear the benefit of having done a joint homework (i.e. some common part such as a common introduction or a joint experiment)
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 4
Homework and graduation work (thesis) your homework may be the first part of your final graduation work (a.k.a.
thesis)
if you want to do your thesis in the computer security area then let the the teacher know this before getting the homework
in this case do NOT select a specific hoemwork but select a thesis project and in this case do NOT select a specific hoemwork but select a thesis project and contact the teacher for getting a suitable subject inside the project
each thesis has a possible direct connection with a job at one of the project's partners
Elenco dei progetti di tesiElenco dei progetti di tesi
/
Possible projects for thesis
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 5
Thesis projects (I) STORK project (www.eid-stork.eu)
large (15 M Euro) EU project for interoperability of e-ID
possible subjects:
digital identity (SAML, XACML, id federation)
public-key certificates, digital signatures, PKI
smart-cards
e-government applications
requirements:
C or Java programming
web programming
environment:
Linux (preferred) or Windows
contact: LIOY or BERBECARU / [email protected]
Thesis projects (II) POSECCO project (www.posecco.eu)
medium (7 M Euro) EU project for security design and audit of large networked systems
partners: SAP, Crossgate, Deloitte, IBM, Thales, Atos, Polito, U.Bergamo, U.Berna, U.Eindhoven, U.InnsbruckU.Berna, U.Eindhoven, U.Innsbruck
possible subjects:
security ontologies and automatic reasoning
automatic network and system configuration of security parameters
security optimization
requirements:
C or Java programming
environment: environment:
Linux (preferred) or Windows
contact: LIOY or BASILE / [email protected]
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 6
security configuration securitysystem
securitypolicy
Policy-based security management
securitycapabilities
securitychecker
configurationgenerator
securitytechnology
mapper
securityaudit
systemdescription
securitydeployment
engine
securitycontrols
Thesis projects (III) TCLOUDS project (www.tclouds-project.eu)
medium (7.5 M Euro) EU project for secure cloud computing based on trusted computing techniques
partners: IBM, Elect. do Portugal, Technikon, Philips, Sirrix, Osp. S.Raffaele, Polito, U.Darmstadt, U.Lisbona, U.Oxford, …Polito, U.Darmstadt, U.Lisbona, U.Oxford, …
possible subjects:
trusted network connections
trusted logs
programming trusted applications
remote attestation
requirements:
C or Java programming C or Java programming
environment:
Linux (preferred) or Windows
contact: LIOY or RAMUNNO / [email protected]
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 7
Trusted Computing, i.e. what is my trust foundation? in my network are there only my computers?
my computers are running only the sw selected by me?
is the sw configured in the proper way?
when I use a public network (e.g. Internet) rather than a private network, am I really connected to the expected node?really connected to the expected node?
when I am connected to a server, how can I verify its application sw is the “good” one or it has been altered?
answers: Trusted Computing (and Trusted Network Connection)
TPM for desktop MTM for mobile (or equivalent solutions)
TRUST & INTEGRITY
TPM for desktop, MTM for mobile (or equivalent solutions)
TC-enhanced Linux + trusted virtualization
remote attestation & TLS
Components of a TC system
isolationexecution in separate
d i / /local / remote attestation
domains / compartments /environmentsproof of configuration
(whole sw stack)
protected memoryp yhw key containerdata encryption
data sealing
secure I/Otowards the user
among various components
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 8
Thesis projects (IV) Webinos project (www.webinos.org)
large (10 M Euro) EU project for secure and ubiquitous platform for “personal” devices (e.g. smartphone, netbook, in-car media&comm centre, home appliance, …)
partners: Fraunhofer-Fokus, BMW, Deutsche Telekom, Sony-Ericcson, partners: Fraunhofer Fokus, BMW, Deutsche Telekom, Sony Ericcson, Samsung, Telecom Italy, TNO, W3C, Polito, U.Oxford, …
possible subjects:
security APIs
risk analysis
security policy definition and enforcement
requirements:
Javascript programmingp p g g
web programming
environment:
embedded OS (with JS VM)
contact: LIOY or ATZENI / [email protected]
Thesis projects (V) not directly related to a project
Poste Italiane (contact: LIOY)
OWASP web / XML application scanner
patch mgmt, i.e. after a patch is applied
are all components active?
are all data exchanges correct?
network and application scanning
innovative crypto solutions (contact: CESENA / [email protected])
automatic crypto optimization
high-speed crypto libraries
elliptic-curve cryptography
network security (contact: LIOY)
XML firewall = CHEGEN
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 9
Elenco delle tesine (e tesi) proposteElenco delle tesine (e tesi) proposte
/
Possible homeworks (and thesis)
UEFI and secure boot tutor: Marco VALLINI ([email protected])
topic:
UEFI (Unified Extensible Firmware Interface)
malware attacks could modify critical operating system components (e.g., bootloader)
UEFI secure boot proposal aims to validate the bootloader (before starting it) to ensure that its image is authorized to run on the platform
people: 1
references:
selected documents (papers + specifications)
objectives:
analysis of specifications, criticisms and recommendations considering organizational/compatibility and security aspects (e g Setup Mode Platformorganizational/compatibility and security aspects (e.g. Setup Mode, Platform Ownership)
comparison with other technologies (e.g. Trusted Boot)
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 10
Contactless smart-card (XX) tutor: CAMERONI / [email protected] / 7192
topic:
security analysis of contactless smart card and NFC systems
people: up to 2 = Sansone (177850) + Sticco (177849)
example references:
http://www.chi-publishing.com/samples/ISB0903HH.pdf
http://www.smartcardalliance.org/pages/activities-councils-contactless-payments-resources
outline:
describe contactless smart card security issues and countermeasures
Innovative authentication protocol analysis tutor: ATZENI / [email protected] / 7192
topic:
the J-PAKE protocol is an innovative protocol based on Password-Authenticated Key Exchange, with a presently available implementation in OpenSSL and OpenSSH. Purpose of this homework is to present the feature and implement aOpenSSH. Purpose of this homework is to present the feature and implement a demo of what offered by J-PAKE
people: 1-2
example references:
grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
outline:
protocol analysis and comparison with other authentication mechanisms
analysis of libraries provided by OpenSSL and OpenSSHy p y p p
implementation of a test program using those libraries
description of the work done in a programming manual
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 11
File encryption analysis tutor: ATZENI / [email protected] / 7192
topic:
Increasing threat attempts to privacy and confidentiality, as well as the proliferation of powerful but easy-to-steal or to-lose devices (e.g. smartphone) increase as well needs of confidential storage. Along this line, this homeworkincrease as well needs of confidential storage. Along this line, this homework goal is to analyse and evaluate the performance and the security provided by most common “secure” storage solutions, detailing the suitability in constrained environments (e.g. smartphones)
people: 1-2
example references:
http://en.wikipedia.org/wiki/List_of_cryptographic_file_systems
example references:
l ti f it bl fil t selection of suitable file systems
definition and deployment of the test environment
testing of the selected solutions
analysis of the selected solutions (i.e. comparison with pros and cons)
Thesis: network optimization tools tutor: BASILE/VALLINI ([email protected] /7173)
PoSecCo project (www.posecco.eu)
topic:
manually deriving configurations for security mechanisms in distributed systems is a complex and error prone task
automated tools can give a tangible improvement (move from “satisfactory” configurations to “the best” configuration)
people: 1-2
references:
selected documents (papers + project internal documents)
project (details to be agreed with the tutor):
(1) definition of advanced techniques to select the “best” configurations for filtering devices (firewalls)devices (firewalls)
(2) develop a methodology to generate optimal configurations for channel protection policies (IPsec + SSL/TLS)
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 12
Thesis: ontology-based policy refinement tutor: BASILE ([email protected] /7173)
PoSecCo project (www.posecco.eu)
topic:
high-level security requirements (close to natural language) are a common way to specify a policy, however they need to be translated to be enforced by security
h imechanisms
smart techniques can “emulate” the behaviour of skilled administrators avoiding the typical human errors (careless mistakes, inattentions, etc.)
people: 1
references:
selected documents (papers + project internal documents)
project (details to be agreed with the tutor):
use ontology to reason about policies (ontologies can be seen as a more use ontology to reason about policies (ontologies can be seen as a more expressive and sophisticated OO paradigm)
Thesis: conflict analysis in distributed systems tutor: BASILE ([email protected] /7173)
PoSecCo project (www.posecco.eu)
topic:
detect and resolve misconfigurations in large heterogeneous networked environmentsenvironments
the (long term) objective is to allow composition of security mechanisms as electrical resistances (parallel and serial)
people: 1
references:
selected documents (papers + project internal documents)
project (details to be agreed with the tutor):
extend the conflict analysis model developed by the TORSEC group to support extend the conflict analysis model developed by the TORSEC group to support new security functionalities
e.g., channel protection, NAT and reverse proxy
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 13
Thesis: VANET tools tutor: BASILE/[email protected] /7173
with Panos Panadimitratos from KTH Stockholm
topic:
VANET (Vehicular Ad hoc NETwork) is an emerging standard. It may offer new services to drivers on the other hand it may create privacy issuesservices to drivers, on the other hand it may create privacy issues
a privacy solution has been proposed using pseudonyms
people: 1-2
references:
selected documents (papers + project internal documents)
project (details to be agreed with the tutor):
(1) testing the privacy model
(2) id A ( i ) b d l ti ( id t t ti (2) provide new Apps (services) based on location (accident reconstruction, highway code violations)
Android's applications danger level evaluator (thesis) tutor: ATZENI / [email protected] / 7192
topic:
development of an evaluation system for Android's application, capable to evaluate the dangerousness of a download app. The thesis will be inserted into a running project within Telecom Italia LABrunning project within Telecom Italia LAB
static and dynamic analysis of the Android apps people: 2
co-work with Telecom Italia Lab
outline:
analysis of the state-of-the-art for application security evaluation
prototypization of the downloaded system
implementation of a practical computer tool implementation of a practical computer tool
testing of the tool through automatic download of application from app stores
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 14
Mobile applications danger level evaluator (thesis) tutor: ATZENI / [email protected] / 7192
topic:
design and prototypization of an evaluation system for mobile system (iOS or Windows or RIM) application, capable to evaluate the dangerousness of a downloaded appdownloaded app
people: 1
co-work with Telecom Italia Lab
outline:
analysis of the state-of-the-art for application security evaluation
design and development and prototypization of the downloaded system
implementation of a practical computer tool
testing of the tool through automatic download of application from app stores testing of the tool through automatic download of application from app stores
“Smart” honeypot (thesis) tutor: ATZENI / [email protected] / 7192
topic:
development of an honeypot targeted for smartphone (or tablet) and for a specific smartphone service
people: 1 people: 1
co-work with Telecom Italia Lab
outline:
analysis of the state-of-the-art of honeypot in mobile environments
Identification of a suitable “smart” service
implementation of an honeypot mimicking the identified service
collection and analysis of the breach attempts to the implemented service
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 15
Short Malware Service (SMS) analysis (thesis) tutor: ATZENI / [email protected] / 7192
topic:
design, development and evaluation of a system specific for SMS analysis, to identify abuse of SMS for malware and SPAM spreading
people: 1 people: 1
co-work with Telecom Italia Lab
outline:
analysis of the state-of-the-art of SMS security and countermeasures
definition of testing architecture (likely, PC based through SIM integrated in Internet keys)
development of SPAM and Malware trap for SMS system
testing and evaluation (i e gathering and classification of SMS to identify testing and evaluation (i.e. gathering and classification of SMS to identify malicious SMS and current trends of abuse)
Practical DNS protection (thesis) tutor: ATZENI / [email protected] / 7192
topic:
the jdshape project of Telecom Italia Lab is a practical approach to protect DNS service, characterized by performance constraints. In this scope, different and more optimized algorithms should be tested and developed to improve systemmore optimized algorithms should be tested and developed to improve system performance
people: 1
co-work with Telecom Italia Lab
example references:
www.telecomitalia.com/content/dam/telecomitalia/it/archivio/documenti/Innovazione/NotiziarioTecnico/2010/fd_numero03/Sicurezza.pdf
en.wikipedia.org/wiki/Aho%E2%80%93Corasick_string_matching_algorithm
outline:
analysis of of DNS security and countermeasures state of the art
analysis of jdshape system
implementation of prototypal application
performance evaluation and conclusion
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 16
Thesis: webinos secure coding tutor: ATZENI ([email protected] /7192)
webinos project (http://webinos.org/)
topic
mobile and convergent software development (e.g. javascript) lacks of secure g ( g j )coding methodologies and testing. In webinos, the development of security bug-free code, is required to avoid presence of disconcerting security flaws.
people: 1-2
references:
selected documents (papers + project internal documents)
project (details to be agreed with the tutor):
(1) development of best-practices shaped for mobile secure coding, application ( ) p p p g ppto a subset of the webinos software core (2) analysis of available methodologies for automated code check and application to webinos environment
Thesis: verification of webinos authn protocols tutor: ATZENI ([email protected] /7192)
webinos project (http://webinos.org/)
topic
Webinos plan to introduce some novel authentication methods, that should at the same time introduce user friendly SSO and preserve user privacy Thesesame time introduce user-friendly SSO and preserve user privacy. These methods needs to be developed and (formally) verified
people: 1-2
references:
selected documents (papers + project internal documents)
project (details to be agreed with the tutor):
(1) analysis and formal testing of webinos authentication mechanisms introduced so far
(2) development and verification of new ones
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 17
Identity Service in OpenStack: KeyStone tutor: Paolo Smiraglia / [email protected] / 7192
topic:
evaluate and configure the KeyStone service of OpenStack
people: 1
example references:
http://www.openstack.org/
https://launchpad.net/keystone/
outline:
describe the security features provided by the identity service in OpenStack
identify its requirements
configure a secure identity service in OpenStack
Secure Syslog tutor: Paolo Smiraglia / [email protected] / 7192
topic:
install and configure a secure syslog
people: 1
example references:
http://www.rsyslog.com/
outline:
evaluate the security features of rsyslog
install a remote rsyslog server
harden the installation and secure the network communications
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 18
Web Server High-Availability tutor: Emanuele Cesena / [email protected] / 7173
topic:
study and test high-availability techniques for web server and their relationship/impact to security mechanisms, e.g. TLS
focus on DoS attacks focus on DoS attacks
people: up to 2
example references:
http://highscalability.com/
outline:
configure apache for high availability (single instance, redundant instances with a load balancer)
test reaction to hardware failures/requests flood test reaction to hardware failures/requests flood
note:
possible extension to a thesis
Cloud Log Services tutor: Davide Vernizzi / [email protected]
topic:
compare security features of log services and configure them in several flavours
people: up to 2
example references:
http://loggly.com/
https://papertrailapp.com/
outline:
compare log services features, with particular focus on security aspects
configure a reference server to store logs on a remote log service (e.g. system syslog, apache logs, ...)
l t it i d id l ti evaluate security issues and provide a solution
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 19
OWASP top 10 risks for web applications (X –) tutor: Davide Vernizzi / [email protected]
topic:
study of the main risks for web applications. Create examples to show the attacks
people: up to 2 = Milazzo + ??? people: up to 2 = Milazzo + ???
example references:
https://www.owasp.org/index.php/Top_10
outline:
study the most common attacks to web applications
write a comprehensive report
create a test application prone to some attacks and implement countermeasures
Reputation Analisys of Web Devel Frameworks tutor: Emanuele Cesena / [email protected] / 7173
topic:
evaluate the security of web devel frameworks (e.g. Yii, Django) through reputation analisys
people: 1 people: 1
example references:
idea: https://freeside.trust.cased.de/apt-sec (applied on Debian packages)
outline:
select a number of interesting frameworks
go through all the vulnerabilities
evaluate their reputation computing relevant metrics
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 20
Clickjacking: examples and tutorial (X) tutor: Emanuele Cesena / [email protected] / 7173
topic:
study of the clickjacking attack
people: 1 = Zegeye (173025)
example references:
http://en.wikipedia.org/wiki/Clickjacking
outline:
describe clickjacking attack, its requirements (i.e. vulnerabilities) and effects
realize a tutorial with examples of pages triggering clickjacking
XSS and Session Hijacking Attacks on Mobile tutor: Davide Vernizzi / [email protected]
topic:
test applications written with phonegap against XSS and Session Hijacking
people: 2
example references:
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/Session_hijacking
http://phonegap.com/
outline:
implement a dummy app with phonegap prone to XSS and session Hijacking
run on a mobile device/emulator
test the attacks
test countermeasures
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 21
Javascript Cryptography tutor: Davide Vernizzi / [email protected]
topic:
study the state-of-the-art cryptography in javascript
people: 1
example references:
http://code.google.com/p/crypto-js/
http://www.matasano.com/articles/javascript-cryptography/
outline:
study the state-of-the-art cryptography in javascript
evaluate performance of the javascript library
note:
possible extension to thesis
XML Sig Wrapping Attack: examples and tutorial tutor: Emanuele Cesena / [email protected] / 7173
topic:
study of the XML Signature Wrapping attack
people: up to 2
example references:
http://clawslab.nds.rub.de/wiki/index.php/XML_Signature_Wrapping
outline:
describe XML Signature Wrapping attack and its requirements (i.e. vulnerabilities)
realize a tutorial with examples
testing with Apache axis
t d th l i t l t d tt k XML E ti W i extend the analysis to related attacks, e.g. XML Encryption Wrapping
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 22
TrouSerS Testsuite for Windows tutor: Davide Vernizzi / [email protected]
topic:
port the TrouSerS testsuite to Windows
people: up to 2
example references:
http://trousers.sourceforge.net/
http://security.polito.it/trusted-computing/trousers-for-windows/
outline:
understand the TCG Software Stack and TrouSerS implementation
study the TrouSerS testsuite
port the testsuite to Windows (it currently works only under Linux)
TPA-DAA tutor: Emanuele Cesena / [email protected] / 7173
topic:
implement the DAA support in our TPA library
people: up to 2
example references:
http://en.wikipedia.org/wiki/Direct_anonymous_attestation
http://security.polito.it/trusted-computing/trusted-platform-agent/
outline:
understand DAA scheme at high level
implement support for DAA join, sign, verify protocols
note:
the code for DAA is already available/working
skills in Linux and C programming required
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 23
Smashing the Stack in 2012 (XX) tutor: Emanuele Cesena / [email protected] / 7173
topic:
port Smashing the Stack in 2010 on Android, Windows 8 and/or Lion
people: up to 2 = Barba (174254), Sardella (176781)
example references:
http://insecure.org/stf/smashstack.html
http://www.mgraziano.info/docs/stsi2010.pdf
outline:
review the work done in 2010 (check with Linux 3)
history of Android security
port the code to Android
(if more than 1 person, similar tasks on another platform)
note:
skills in Linux and C programming required
Elliptic Curve Cryptography in Android (X) tutor: Emanuele Cesena / [email protected] / 7173
topic:
evaluate ECC libraries (OpenSSL, Java...) on Android
people: 1 = Hoang (172303)
outline:
understand ECC
install ECC-enabled libraries on Android
perform performance analisys and comparisons
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 24
OpenSSL AES-NI and SSL/TLS tutor: Emanuele Cesena / [email protected] / 7173
topic:
test the performance boost in SSL/TLS using Intel AES-NI instructions
people: 1
example references:
http://www.openssl.org/
http://en.wikipedia.org/wiki/AES_instruction_set
outline:
configure OpenSSL enabling AES-NI instructions
test performance for plain AES
evaluate impact on SSL/TLS
WAF – Web Application Firewall (XX) tutor: LIOY / [email protected] / 7021
topic:
configure and use an open-source WAF
people: up to 2 = Battista (169894) + Avila (177121)
example references:
http://www.modsecurity.org/
http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
outline:
describe required features for a WAF
study and test these features with modsecurity over Apache
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 25
EKMI + SKMS tutor: LIOY / [email protected] / 7021
subject:
OASIS enterprise key mgmt + symm. key mgmt.
people: up to 2
references:
www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi
www.strongkey.org (open-source sw to be tested)
outline:
description of the formats and protocols for EKMS and SKMS
experimental trial of the StrongKey solution
Secure NTP tutor: LIOY / [email protected] / 7021
subject:
secure NTP (with symmetric / asymmetric crypto)
people: 1 (may also be a thesis)
references:
IETF
http://www.cis.udel.edu/~mills/ntp.html
outline:
protocol description and security analysis
description of available implementations
tracing the client-server exchange
(thesis) deployment and experimental evaluation
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 26
Timestamping tutor: LIOY / [email protected] / 7021
subject:
TSP and TST
people: 1 (or 2 if thesis, that would include also secure NTP)
references:
IETF RFC-3161 and successors
openSSL-based TSP tool
outline:
description of the protocol and data formats
experimental evaluation of an open-source implementation
Security of location protocols tutor: LIOY / [email protected] / 7021
subject: security analysis of service location protocols, such as
Multicast DNS (MDNS)
Simple Service Discovery Protocol (SSDP)
Service Location Protocol (SLP, srvloc)
people: 1-2
references:
to be found on the web
outline:
description of the protocol(s) and security risks/features
sample experiments with available open-source tools
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 27
PKI-based e-mail tutor: LIOY / [email protected] / 7021
subjects:
installation and test of a PKI-enabled MSA
installation and test of a PKI-based mailing-list
people: up to 2
MAY be a thesis if implemented with trusted computing
references:
RFC for SMTP over TLS and STARTTLS
MSA/MTA patches for PKI integration
RFC for S/MIME extensions for secure mailing-list
MSA/MTA patches for secure mailing list
outline:
description of the protocol and data formats
experimental evaluation of a cert-based ACL for MSA
PDF security tutor: LIOY / [email protected] / 011-5647021
students: up to 3
for signature creation, signature verification, encryption
topic:
analysis of the PDF format and its support for PKI-based security analysis of the PDF format and its support for PKI based security
object:
study and document the security features of PDF
use a POLITO certificate to sign/encrypt a PDF document
references:
web
tasks:
technical documentation of the PDF security features technical documentation of the PDF security features
how-to manual to use POLITO certificates with Acrobat
prerequisites:
asymmetric crypto
note:
may become a thesis if all work done by a single student
Coursework (and thesis) in the field of Computer Security (AA 2011-2012)
© A.Lioy - Politecnico di Torino (2011) 28
Protection of audio recordings (thesis) tutor: MEZZALAMA / [email protected]
topic:
design a system to protect audio recordings when created and manipulated (e.g. segments extraction)
guarantee that records have not been manipulated (e.g. when used in trial after lawful interception)
tasks:
identify the critical issues in the process, with focus on authenticity, integrity and limited disclosure
design the system
implement a prototype
prerequisites:
i kill programming skills
Final notes look for of updates of this document (e.g. subjects already assigned, addition
of new subjects)
if you are interested in computer security but can’t find a suitable subject in this list (are you kidding me?) then you can propose your own subject