CSE543/Fall 2006 - Course Project Options

Below are the options for projects in CSE 543 in the Fall 2006 semester. The idea is to review the information available regarding the projects to select a choice by 9/14/2006. The projects will be performed in groups of 3 and the plan is for one group per project. To resolve conflicts, please choose 3 project options which you may be interested in.

We will discuss these projects in class prior to the selection date. If you have any questions, please contact the course TA or instructor (contact information is available at the course homepage).

Each entry below lists the project Topic, its Background (a reference to read), a Description, and a Side Benefit (a related sponsor, contact, or opportunity).

Topic: Client VMs
Background: Informal discussion
Description: About 30 years ago, operating systems security mechanisms and policies were developed to control the access of multiple users to files on the same machine. These systems were called multiuser systems. Today, we have very few multiuser systems, but we still have multiuser access control. This project aims to create a client environment based on isolation with coarse-grained sharing (subversion repositories, web, email). I am curious if this is a viable approach.
Side Benefit: Another Crazy Idea

Topic: User-level Password Cracking
Background: Informal Discussion
Description: Keyloggers use excess authority to capture keystrokes. This project asks whether an unprivileged program can be written to capture keystrokes. The idea is to write an unprivileged program that uses the timing behaviors caused by cache misses to detect the keystrokes made during system unlock.
Side Benefit: Johns Hopkins

Topic: Remote Attestation
Background: Linux IMA
Description: The goal is to extend the Linux IMA mechanism to support information flow (see PRIMA) and enable privacy (see Bloom Filters) in remote attestation.
Side Benefit: IBM Research

Topic: Trust from Secure Hardware
Background: Trusted Computing Group
Description: Bootstrap trust in a system's ability to enforce an access control policy based on the secure hardware mechanisms of the TCG TPM. The goal is to construct IPsec certificates that enable a remote party to set up an IPsec channel, associating the TPM with the channel.
Side Benefit: IBM Research

Topic: Playpen Vulnerability Testing
Background: Overview
Description: We aim to build a vulnerability testing environment, called the Playpen, where we can collect information about a system to be tested, configure a compatible VM system on the Playpen, and destructively test that system (e.g., based on CERT vulnerabilities). Would apply to Windows configurations.
Side Benefit: Business Idea

Topic: Attesting Obligations
Background: Obligation Policy Abstract
Description: We use attestations to justify the integrity of systems. Integrity means that the system behaves as expected. Here, we look to extend integrity measurement to include the obligations of a system. For example, we want to ensure that one principal (e.g., government) helps another (e.g., fire department) by sharing information under exceptional circumstances.
Side Benefit: MITRE (US Citizen)

Topic: AppArmor Policy Analysis
Background: Novell AppArmor for Linux
Description: Novell is a major Linux distributor (SuSE Linux). Novell's access enforcement service is called AppArmor. In this project, we aim to extend an existing policy management prototype, Gokyo, to perform analyses, such as determining which principals can write a file that another principal can execute.
Side Benefit: Novell AppArmor

Topic: Java Information Flow Browser
Background: Mozilla GECKO Embedding API
Description: Java information flow is a Java language extension for enabling information flow control in applications. Web browser clients have been fraught with security problems. For example, browsers are compromised by phishing attacks that leak secret information and by data-driven attacks that compromise integrity. In this project, we plan to build a portion of a web browser client that enforces secrecy and integrity information flow requirements to prevent such attacks.
Side Benefit: DTO Proposal

Topic: Configure SELinux for Postfix
Background: SELinux
Description: Red Hat Linux uses SELinux as its access enforcement mechanism. SELinux is a comprehensive, powerful security module, but it is non-trivial to configure. In this project, we will examine how to configure a particular application, a privilege-separated mail server system, Postfix.
Side Benefit: SELinux

Topic: MLS Network Control in Linux
Background: Labeled IPsec
Description: Linux access control was recently extended (in Linux 2.6.16) to support fine-grained control of network communication by labeling IPsec communication channels. Further extensions have been necessary to support full multi-level security (MLS) enforcement. In this project, we will examine how to use these MLS network controls to implement services in xinetd.
Side Benefit: IBM Linux Technology Center

Topic: GoToMyPC.com
Background: GoToMyPC.com
Description: The GoToMyPC.com service from Citrix claims that you can access your base computer from any computer on the Internet using a web browser client and their service. This approach assumes that the web browser client software behaves correctly, so I am curious what changes need to be made to a web browser client to trick a user into believing that s/he is accessing her/his base computer.
Side Benefit: Break Software

Topic: "Layered" IPsec
Background: Shamon Architecture
Description: IPsec is a point-to-point protocol that enables the construction of secure communication channels between the two points. Layering of secure communication is enabled by a "tunnel" mode that permits intermediate points (e.g., gateways) to establish secure communication paths within the complete path. The layering of secure communication is stateless in that the communication guarantees of the tunnels may be independent of the upper layers. However, independent layering is not sufficient for access control, where lower layers (e.g., VM) must be aware of the higher layers (e.g., OS) to ensure correct enforcement. This project will explore mechanisms that extend the network access controls of Linux Labeled IPsec to enable layering of access control guarantees.
Side Benefit: IBM Research

Topic: Mobile phone security
Background: opensource.motorola.com
Description: Six cell phone companies announced a mobile Linux initiative over the summer. My impression is that the differences between mobile phone systems and typical client systems are diminishing, but this project aims to examine how secrecy and integrity guarantees on mobile phone systems may be achieved and proven to other parties. Leveraging SELinux and remote attestation is likely.
Side Benefit: Motorola/Samsung

Topic: Bioinformatics
Background: Remote Surgery
Description: An extreme application for integrity is remote medicine. Suppose that you live in a remote location, such that expert medical procedures require access to a doctor at a remote location. Privacy and integrity issues are obvious. Can we establish integrity guarantees that enable fail-safe, effective use of a doctor on a remote computer? Can we generate attestations for them? Also, consider physical security.
Side Benefit: Crazy Ideas

Topic: Xen/sHype
Background: Xen Security
Description: sHype is a reference monitor implementation for Xen consisting of authorization hooks (i.e., where access checks are necessary), an authorization module (ACM), and an access policy model. IBM Research has developed tools for developing and managing policies, so this project will examine the security afforded by the sHype architecture and how it can be used to set up access control between VMs. As a prototype, we will consider protecting the secrecy and integrity of a user who reads email and generates documents.
Side Benefit: IBM Research and Linux Technology Center

Topic: Xen administration controls
Background: Informal discussion
Description: At present, any root process in Xen's privileged VM (dom0) can start, destroy, or migrate any VM. Since different administrative services in dom0 are supposed to implement specific functionality, this coarse-grained control is insufficient. Further, what happens when we need to delegate administrative privileges to user VMs for the VMs that they may create? This project seeks to provide some structure, likely based on role-based access control and/or SELinux, to manage some VM-level functions.
Side Benefit: IBM Research and Xensource

Topic: Retrofit Security
Background: Retrofit Security
Description: An old tenet of security is that you have to design it into the system from scratch. Other than military systems, this is never done, so the question is whether software engineering tools can help us. In this project, you will apply source code analysis tools to real applications to determine if various security properties can be retrofitted.
Side Benefit: Wisconsin and Purdue

CSE 543 - Fall 2006

Last modified: Wed Aug 15 17:59:01 EST 2006