Course Project

Introduction

In order to pass the course, you need to do a project. A project proposal, a project presentation, and a final project report need to be delivered. Grades will be based on the report and the presentation. Normally, projects should be done in groups of two.

Project proposal

A project proposal needs to be submitted by the deadline. The proposal should include:

Project proposals should be in ASCII or PDF format and no longer than one page. Please include your FIRE group number on the title page.

Project ideas

The intention is that projects are open-ended. Below are some alternatives for inspiration, but don't feel constrained by these suggestions.

Tools for race detection

Experiment with tools for race detection in threaded programs. For example, Java Race Detector and Healer appears to be an interesting candidate. Discuss the types of races caught and not caught by the tool, compare the different tools on false positives and negatives, and experiment with the tools on benchmarks implementing different application scenarios.

Language-based security for mobile computing

This may be an investigation of secrecy protection, integrity guarantees or obfuscation techniques used in mobile phones. You might want to focus on concrete topics such as Android app security.

Location privacy

Location-based services are becoming increasingly popular, thanks to the ubiquity and mobility of smartphones. But these services raise privacy concerns. Studying how location information can flow to other users and services is an interesting direction for a project.

Web language security

Study in depth the security aspects of languages like JavaScript and frameworks like Django.

Constructing secure mashups

Identify interesting scenarios and implement the scenarios with the emphasis on mashup security. Based on the experiments, discuss programming patterns and discuss possibilities and limitations for building secure mashups.

Practical information flow control

Information flow control allows tracking the propagation of information in programs. Many exciting projects are possible here: for example, around the JSFlow tool for JavaScript, around secure multi-execution, which you can implement for your favorite language, or doing a case study in a security-typed language like Jif, Paragon, or Fabric, similar to this.

Security protocols

Implement a demonstration of attacks on security protocols. These can be both protocol-level and implementation-level attacks. Try to make your demonstration both instructive and fun. You can adapt the style of the course's labs, demonstrating attacks on a vulnerable implementation and then securing it.

Java security

Conduct an investigation of security in the Java language. One way to approach this project is to follow the idea of the previous one: come up with attacks and give an overview of protection mechanisms.

Advanced SQL injection attacks and protection

A rich topic that has direct relevance to language-based security. If you go for this project, make sure that it goes well beyond the kind of simple attacks in the WebAppSec lab.

Advanced cross-site scripting (XSS) attacks and protection

The plague of today's web, and an area where language-based security has a lot of potential. Again, if you go for this project, make sure that it goes beyond the kind of simple attacks in the WebAppSec lab.

Language-based obfuscation techniques

A hot area and one that is hard to get right!

Security review

Get hold of an open source system (such as a PHP discussion forum or the Java petshop) and scrutinize the code for the vulnerabilities discussed in the course. The analysis should address both general principles of security design (see the lectures) and concrete issues such as races, random number generation, the use of cryptography, access control, etc. Hint: pick a fresh target (rather than an established system) to increase the chances of finding interesting vulnerabilities.

Survey

Pick an area in language-based security and prepare a thorough survey. Recall that practical experiments need to be part of the survey to get a higher grade.

Your own project

As open-ended as you can get. Be careful to make your proposal concrete - it is easy to aim for a project that is not feasible within the course's time frame.

Project presentation

Watch out for the presentation and opposition schedule on the main page. The opponents are expected to ask at least two questions. A rough structure of your talk should be as follows:

Project report

A project report needs to be submitted by the deadline. The project report should be well-structured. Below is a template that you might want to use. Note that different projects might benefit from different structures. Be careful to fulfill the requirements of what needs to be provided (see the descriptions above). Name the documentation file report.txt or report.pdf (the report should be either in ASCII or PDF), make sure to include your FIRE group number on the title page, and submit it together with the rest of the files necessary for grading the project (and testing your programs).

There is no requirement on the number of pages. Typically, projects that are heavy on implementation use fewer pages for reports than projects heavy on conceptual studies. On average, reports tend to be around 20 pages long, but the deviation depends on the subject.

Project report draft

Report drafts need to be supplied to the "opponents" by the respective deadline. The draft does not have to be polished, but it should be intelligible and sufficiently clear for the opponents to assess the main contributions.