Suggested
Projects:
Below is a tentative list of suggested projects. This list is subject to
change. The description below is very terse. More details
will be given in class. Projects may be added in the coming weeks. In
addition, teams are welcome to propose their own security-related
projects. These proposals will of course be subject to approval of the
course staff.
Analyzing
and preventing Ajax attacks
(Amdocs, 2-4 students)
General
Description: Ajax
(Asynchronous Java script and XML) is becoming very popular in modern
web applications. Ajax usage in web applications may raise some special
security vulnerabilities that require special attention by Ajax
developers and application security experts. There aren’t many security
tools in the market to help securing Ajax screens. This project goal is
to create a tool to help securing Ajax applications.
Topics to be
handled by this tool:
-
CSRF – Cross Site Request Forgery. Preventing this kind of
attack by sending and checking for a random token, needs special
attention in Ajax screens
-
Java script code obfuscation and code encryption
-
Code signing
We expect the
student(s) to study and analyze Ajax Security, research to find what
tools are available in the market today and come up with a list of
features to develop in this tool. From this list, we will select
together topics that we’d like to see in this tool.
Goals:
To develop an Ajax
security tool that mitigates Ajax vulnerabilities as part of a web
application at run time.
Prerequisites:
Java development
background, Application security knowledge, Knowledge of Web
application technologies.
File
Upload Validator Project
(Amdocs, 2-3 students)
General
Description: Many
applications take advantage of the band width available today and allow
users to upload file, either for storage or usage within the flow of
the software. This allows the software to be more appealing and
interactive with the user. With this great advantage comes a big
problem. The uploaded file is a “jack in the box”. It may convey all
sorts of trouble within, from viruses to extremely large sizes or
injected malicious code. The file is actually a comfortable entry point
of the hacker into the application. A “Swiss knife” utility to handle
different file types is required. This utility should be the gate
keeper for uploaded files into the software and be able to check
malicious content, legitimacy, size and any other factors that would
indicate the file is safe to use.
Goals:
Develop a utility
that covers a wide range of files. The utility checks file extension
and the correlation between file extension and file content It also
checks for malicious code injection and viruses.
Example of things
to check.
·
File size
·
File content
·
File extension
·
Target folder for uploads
·
Signature on files
Prerequisites:
Java development
background, Application security knowledge, Knowledge of Web
application technologies.
GlassBox - Scanning web-applications for security
vulnerabilities from the inside out (IBM, 2-4 students)
Background: Automatically
scanning for web application security vulnerabilities is traditionally
performed either using a White-box approach (static analysis) or using
a Black-box approach (dynamic analysis). Each of the two approaches has
it pros and cons. An exciting new technology called Glass-box is
emerging as a way to enjoy the benefits of both approaches and beyond.
Glass-box technology allows observing the behavior of the application
“from within” while scanning the application, providing the missing
bridge between Black-box and White-box. The ability to examine the
application from both perspectives at once allows Glass-box to detect
security issues that were previously not possible to detect.
A major component in the Glass-box scanner is an agent, which is
deployed on the application under test (AUT). The agent is able to
inspect the behavior of the AUT and even change its behavior if
necessary. The agent communicates with the Black-box scanner, providing
it with necessary information (which may not be reflected in the plain
HTTP communication).
The Project: The project
requires strong students with previous development experience
(preferably in JAVA). The students will participate in the
implementation of major components in the solution. The implementation
requires high skills in JAVA and involves using top of the art
instrumentation technologies. The students will be required to provide
both technological and algorithmic solutions to problems encountered.
Any web application security knowledge will be provided by the Rational
application security group, which will work closely with the students.
The static analysis group will provide the students with support for
the code inspection aspects.
Detecting and protecting against regular expression denial of service
attacks (ReDos)(IBM, 2 students)
Background:
A denial-of-service attack (DoS attack) or distributed denial-of-service attack
(DDoS attack) is an attempt to make a
computer resource unavailable to its intended users. Although the means
to carry out, motives for, and targets of a DoS
attack may vary, it generally consists of the concerted efforts of a
person or people to prevent an Internet site or service from
functioning efficiently or at all, temporarily or indefinitely.
Perpetrators of DoS attacks typically target
sites or services hosted on high-profile web servers such as banks,
credit card payment gateways, and even root nameservers.
Regular expressions (regexes) provide a concise and flexible means for
identifying strings. Common use of regular expressions in web
applications is in validation user input to match defined expression
such as name, password, email, telephone number and etc. Validation
using regexes can be used in either client side or server side. While DoS in the client side will only crash the user's
browser, DoS in the server side is a huge threat
to an application.
In computer science regular expression is defined as a regular
language. Matching a word (string) to a regular language has linear
time algorithm, therefore regular expression in their simple definition
are not considered a computation problem.
Though, regular expression engines support the backreference
option. Backreference refers to a substring
previously encountered in the target text. Adding the backreference option converts the language to be
NP-Complete language. The best known algorithm to match a word (string)
to a NP-complete language is exponential in the worst case.
Regular expression engines in all web languages (Perl, Python, C++, C#,
Java, PHP) use an "exponential in the worst case" algorithm,
even when the expression itself does not contain backreference
option. Due to this property of regular expression engines matching
algorithm, there exist Unsafe Regular Expressions. Unsafe regex is an
expression that has a payload that the engine run in exponential time,
with respect to the payload's length, when trying to match this
payload.
Simple example:
Unsafe regex: ^(a|aa)*$
Worst case payload: a{N}1 ('N' times
the a character follows with the character 1)
Number of matching tries for this
payload is exponential in 'N', therefore the regex engine will run in
exponential in 'N' time.
Trying to match a payload of 'a{99}1' will stuck the regex engine forever.
The main use of backreference is due to its simplicity rather than
to its abilities. Therefore, in most cases, a backreference
expression can be replaced with a "simple" regular
expression.
The
project: The project
will include both research and implementation parts.
Detect and correct unsafe regular expression – 1 student.
Currently there is no automatic way
to identify unsafe regular expressions, though it is clear there are
deterministic characteristics for such expression.
The first goal of this part is to
create a method for identifying unsafe regular expression.
In addition, any unsafe regular
expression that is not using backreference
should have a matching safe implementation. The second goal of this
part is to create a conversion method from an unsafe expression to a
safe implementation of the expression.
Create a safe regex library for Java users – 1 student
Currently there exists a java library
called Jakarta for working with regular expression as automata. The
goal of this part is create an open source regex engine library based
on Thompson NFA linear algorithm for a public use.
For more reading please refer to the
following article: http://swtch.com/~rsc/regexp/regexp1.html
Prerequisites:
·
Algorithms
(67504)
·
Computation
and formal languages (67521)
Improving TLS firewall
interception mechanism
(3-4 students)
The common method by
which current firewalls inspect the contents of secured TLS connections between clients inside the
firewall and servers outside the firewall is the following: The client
(unknowingly) sets up the TLS session with the firewall, and the
firewall sets up a different session with the server. This mechanism
has many drawbacks, both on the usability side and on the security
implications for the client and server.
In this project, we want to implement an
alternative approach, where the client explicitly gives the firewall
the ability to inspect its secured TLS session, by giving it the
encryption key for this session. The idea is to have the client access
the SSL/TLS session encryption key from the browser, and safely
transport this key to the firewall via a separate secure channel with
the firewall.
More specifically, the project is to:
·
Implement a service or a
browser plugin for Windows/Linux that extracts (in real time) all
generated SSL/TLS session
keys, and forwards them to the firewall
·
Set up a firewall/intrusion detection
system that supports TLS man-in-the-middle
·
Add to the firewall the
feature of receiving the session keys, matching them to their TLS
sessions and decrypting the traffic
·
Measure the performance.
The results, if appropriate,
might become part of a research publication describing this solution.
Secure database on the cloud
(3-4 students)
When you store something on the cloud, you can’t assume that its
privacy or integrity will be ensured. Hackers, malicious insiders or
just lack of security measures can result in leakage of your most
sensitive information. The goal of this project is to implement a
secure and encrypted database such that the client is capable of
querying the database without exposing the decryption key to the cloud
provider or anyone else. Moreover, the client is able to test whether
the cloud still stores all his data in a very efficient way.
The idea is to implement the
protocol over existing database (e.g. MySQL, Amazon SimpleDB).
The solution should be based on previous works, including http://www.eecs.harvard.edu/~michaelm/postscripts/acns2005.pdf and/or http://cs.ucla.edu/~rafail/PUBLIC/74.pdf for encrypted databases that support encrypted
queries, and http://cseweb.ucsd.edu/~hovav/dist/verstore.pdf and http://eprint.iacr.org/2008/175.pdf
for proofs of possession.
Schreiber’s Wall of Sheep
(1-2 students)
People often do not know how
much they sacrifice their privacy in public environments. Many
Bluetooth devices are left open, laptops are configured to connect to
any access point in the area, passwords are sent in clear-text, etc.
In this project you will
implement a system that will alert about such weaknesses. Check http://www.wallofsheep.com.
General secure multi-party computation protocol (2-3 students)
Secure multi-party computation is a cryptographic paradigm that allows
a set of mutually distrustful parties to perform some joint computation
in a way that guarantees correctness of the outputs along with secrecy
of local data (to the maximum possible extent). Our current ongoing
project works on inputs of circuits, and assumes communication channels
are in order. We want to improve those two weaknesses, specifically we
want to implement:
1.
A compiler that takes a
program written in C-like language and produces a matching circuit.
2.
A reliable broadcast channel
or a semi-trusted public board
Smart-phones for Security
Assessment (1-3
students)
The power of smartphones keeps growing every day. And as those powerful
“computers” are common, one may use them to assess security. In
example, check BTLocate (http://btlocate.com), where a nokia
smartphone can be used as a low-tech surveillance system.
One possible project is to
extend BTLocate to other devices and the do
some large experiments with it. A different project could be to write
some basic penetration tools for smartphones (e.g., HTTP sniffer that
presents the webpage in real-time, add GUI to Metasploit). Other ideas are welcome.
Your suggested
project!
|
