Course Project


In order to pass the course, you need to do a project. A project proposal, a project presentation, and a final project report need to be delivered. Grades will be based on the report and presentation. Normally, projects should be done in groups of two.

Project proposal

A project proposal needs to be submitted by the deadline. The proposal should include Project proposals should be in ASCII or PDF format and no longer than one page. Please include your FIRE group number on the title page.

Project ideas

The intention is that projects are open-ended. Below are some alternatives for inspiration, but don't feel constrained by these suggestions.
Empirical study on web security in WebViews
Download Android apps and analyse their WebViews with respect to web security. Answer, for example, questions like: How are WebViews embedded, which content is served and from where? Which kinds of web attacks are possible and what is done to protect against them (usage of HTTPS, CSP header, ...)?
Tools for race detection
Experiment with tools for race detection in threaded programs. For example, Java Race Detector and Healer appears to be an interesting candidate. Discuss the types of races caught and not caught by the tool, compare the different tools on false positives and negatives, and experiment with the tools on benchmarks implementing different application scenarios.
Language-based security for mobile computing
This may be an investigation of secrecy protection, integrity guarantees or obfuscation techniques used in mobile phones. You might want to focus on concrete topics such as Android app security or location privacy in mobile apps.
Web language security
Study in depth the security aspects of languages like JavaScript and frameworks like Django.
Constructing secure mashups
Identify interesting scenarios and implement the scenarios with the emphasis on mashup security. Based on the experiments, discuss programming patterns and discuss possibilities and limitations for building secure mashups.
Security evaluation of JavaScript security monitoring
A JavaScript security monitor, JSFlow, is being developed by us at Chalmers. This project is about security testing the monitor. We have a web-based interface in the style of the information-flow challenges (see the exercises) that allows for systematic testing.
Implement secure multi-execution in your favorite language
Secure multi-execution enforces secure information flow by initiating multiple runs, one for each security level, and carefully controlling communication among the different runs. Implement the idea for your favorite language.
Case study in a security-typed language like Jif, Paragon, or Fabric
This may involve implementing a security-critical system, and investigating security guarantees in the style of this case study. Comparing the different languages/tools would also be interesting.
Security protocols
Implement a demonstration of attacks on security protocols. This can be both protocol-level and implementation-level attacks. Try to make your demonstration both instructive and fun. You can adapt the style of the course's labs, demonstrating attacks on a vulnerable implementation and securing it.
Java security
Conduct an investigation of security in the Java language. One approach to this project is to follow the idea of the previous one: come up with attacks and give an overview of protection mechanisms.
Advanced SQL injection attacks and protection
A rich topic that has direct relevance to language-based security. If you go for this project, make sure that this goes well beyond the kind of simple attacks in the WebAppSec lab.
Advanced cross-site scripting (XSS) attacks and protection
The plague of today's web, and an area where language-based security has a lot of potential. Again, if you go for this project, make sure that this goes beyond the kind of simple attacks in the WebAppSec lab.
Language-based obfuscation techniques
A hot area and one that is hard to get right!
Security review
Get hold of an open source system (such as a PHP discussion forum or Java petshop) and scrutinize the code for vulnerabilities discussed in the course. The analysis should address both general principles of security design (see the lectures) as well as concrete issues such as races, random number generation, the use of cryptography, access control, etc. Hint: pick a fresh target (rather than an established system), to increase chances of finding interesting vulnerabilities.
Pick an area in language-based security and prepare a thorough survey. Recall that practical experiments will need to be a part of the survey to get a higher grade.
Your own project
As open-ended as you can get. Be careful in making your proposal concrete - it is easy to aim for a project that is not feasible within the course's time frame.
Here are examples of presentations from 2006 (please avoid exact repetition!):
20: Static Analysis for Security
16: Internet Explorer exploit
10: Bluetooth security
6: Obfuscation techniques for Java
9: Security protocols
30: Automated Evaluation and Estimation of SQL-Injection Vulnerabilities
1: Survey of Software Model Checking
14: Buffer Overruns and Counter Measures in Windows
0: A security analysis of the PHP language
27: Security in IP Telephony (VoIP)

Project presentation

Watch out for the presentation and opposition schedule on the main page. The opponents are expected to ask at least two questions. A rough structure of your talk should be as follows:

Project report

A project report needs to be submitted by the deadline. The project report should be well-structured. Below is a template that you might want to use. Note that different projects might benefit from different structures. Be careful to fulfill the requirements of what needs to be provided (see the descriptions above). Name the documentation file report.txt or report.pdf (the report should be either in ASCII or PDF), make sure to include your FIRE group number on the title page, and submit it together with the rest of the files necessary for grading the project (and testing your programs).
There is no requirement on the number of pages. Typically, projects that are heavy on implementation use fewer pages for reports than projects heavy on conceptual studies. On average, reports tend to be around 20 pages long, but the deviation depends on the subject.

Project report draft

Report drafts need to be supplied to the "opponents" by the respective deadline. The draft does not have to be polished, but it should be intelligible and sufficiently clear for the opponents to assess the main contributions.