In order to pass the course, you need to do a project. A project proposal, a project presentation, and final project report need to be delivered. Grades will be based on the report and presentation. Normally, projects should be done in groups of two.
Project proposalA project proposal needs to be submitted by deadline. The proposal should include
- The goal of the project
- Relevance to language-based security
- Overview of the planned work
- Schedule (intermediate goals and time to reach them). Note that your time frame for project work is from project proposal approval to the project deadline: work on the project should be started in parallel to work on the labs.
- Target grade: 3, 4, or 5 for Chalmers and G or VG for GU. If the target grade is 4, 5, or VG, you need to clearly motivate why such a project would deserve it. To get a higher grade, the project must involve a practical experimental part. Note that a top grade is not possible when failing to play the opponent role during the project presentations.
- If for some serious reason you are unable make it to one of the presentation slots (see the schedule for the slots), please indicate it.
Project ideasThe intention is that projects are open-ended. Below are some alternatives for inspirations, but don't feel constrained by these suggestions.
- Empirical study on web security in WebViews
- Download Android apps and analyse their WebViews with respect to web security. Answer for example questions like: How are WebViews embedded, which content is served and from where? Which kind of web attacks are possible and what is done to protect against them (usage of HTTPS, CSP header,...)?
- Tools for race detection
- Experiment with tools for race detection in threaded programs. For example, Java Race Detector and Healer appears to be an interesting candidate. Discuss the types of races caught and not caught by the tool, compare the different tools on false positives and negatives, and experiment with the tools on benchmarks implementing different application scenarios.
- Language-based security for mobile computing
- This may be an investigation of secrecy protection, integrity guarantees or obfuscation techniques used in mobile phones. You might want to focus on concrete topics as Android app security or location privacy in mobile apps.
- Web language security
- Constructing secure mashups
- Identify interesting scenarios and implement the scenarios with the emphasis on mashup security. Based on the experiments, discuss programming patterns and discuss possibilities and limitations for building secure mashups.
- Implement secure multi-execution in your favorite language
- Secure multi-execution enforces secure information flow by initiating multiple runs, one for each security level, and carefully controlling communication among the different runs. Implement the idea for your favorite language.
- Case study in a security-typed language like Jif, Paragon, or Fabric
- This may involve implementing a security critical system, and investigating security guarantees in the style of this case study. Comparing the different languages/tools would be also interesting.
- Security protocols
- Implement a demonstration of attacks on security protocols. This can be both protocol-level and implementation-level attacks. Try to make your demonstration both instructive and fun. You can adapt the style of the course's labs, demonstrating attacks on a vulernable implementation and securing it.
- Java security
- Conduct an investigation of security in the Java language. One way for this project is to follow the idea of the previous one and come up with attacks and overview protection mechanisms.
- Advanced SQL injection attacks and protection
- A rich topic that has direct relevance to language-based security. If you go for this project, make sure that this goes well beyond the kind of simple attacks in the WebAppSec lab.
- Advanced cross-site scripting (XSS) attacks and protection
- The plague of today's web, and an area where language-based security has a lot of potential. Again, if you go for this project, make sure that this goes beyond the kind of simple attacks in the WebAppSec lab.
- Language-based obfuscation techniques
- A hot area and one that is hard to get right!
- Security review
- Get hold of an open source system (such as php discussion forum or Java petshop) and scrutinize the code for vulnerabilities discussed in the course. The analysis should address both general principles of security design (see the lectures) as well as concrete issues such as races, random number generation, the use of cryptography, access control, etc. Hint: pick a fresh target (rather than an established system), to increase changes of finding interesting vulnerabilities.
- Pick an area in language-based security and prepare a thorough survey. Recall that practical experiments will need to be a part of the survey to get a higher grade.
- Your own project
- As open-ended as you can get. Be careful in making your proposal concrete - it is easy to aim for a project that is not feasible within the course's time frame.
Project presentationWatch out for the presentation and opposition schedule on the main page. The opponents are expected to ask at least two questions. A rough structure of your talk should be as follows:
Include the names of everyone in the project group.
- The goal of the project
Describe the goal of the project. Include the necessary background.
- What you have done
Give a brief overview and focus on some interesting concrete parts. Emphasize your own ideas.
Did you achieve the goal? Describe your results. Finish by crucial insights (coming out of your project) you want to share with the others.
Project reportA project report needs to be submitted by deadline. The project report should be well-structured. Below is a template that you might want to use. Note that different projects might benefit from different structures.
- Description of work
If this is an implementation project, describe the conceptual part and code documentation part separately. In the code documentation part, describe the structure of the code and what each of the submitted files contains. If appropriate, include the results of test runs. Also, include instructions on how your programs should be tested.
- Appendix: Detail the contribution of each person in the group.
There is no requirement on the number of pages. Typically, projects that are heavy on implementation use less pages for reports than projects heavy on conceptual studies. On average, reports tend to be around 20 pages long, but the deviation depends on the subject.