| # |
title
summary |
supervisor contact
students
|
R
P |
1
/
2 |
8
S |
PersLink Security.Perslink is a phone directory
website containing information that you won't find in your average white
pages. It is the little black book of Dutch journalism. This is the
place where journalists and producers find their collegues,
spokespersons, top level managers, politicians and experts in all kinds
of fields. The data consists of about 10.000 organisations and 25.000
people. The need for a completely secure environment is evident.
A new version is now ready for deployment. Although the
creators of the website are confident about the security, they have not
actually performed a formal audit. They would love to be proven wrong
and use that proof to strengthen their security.
|
Jo Lahaye <Jo=>HollandOpen.nl>, Martijn Stegeman <stegeman=>uva.nl>
Eleonora Petridou <Eleonora.Petridou=>os3.nl>
Pascal Cuylaerts <pascal.cuylaerts=>os3.nl>
|
R
P
|
2 |
9
NS |
Comparing TCP connection performance over VPN-tunnels vs non-tunneled traffic.A
single TCP connection over a gigabit LAN can easily achieve a
performance of over 900 Mbps without special TCP stack tuning. If a VPN
tunnel is created on Linux using the 'tun' or 'tap' device the
performance drops to less than 400 Mbps, with or without encryption. The
root cause of this performance drop is unknown, but it is suspected
that it is a Linux kernel inefficiency. It could also be caused by the
fact that TCP offloading is not available for the tun/tap drivers. The
main goals of this project are:
- determine the root cause of the aforementioned performance hit on Linux
- determine what can be changed in the VPN client software (e.g. OpenVPN) to circumvent this behaviour
- investigate whether the same performance hit is found on other platforms (e.g. Windows, NetBSD)
Note that over a 100 Mbps Ethernet connection this
performance drop is NOT seen: both a non-tunneled connection and a VPN
connection can easily saturate the network (~94 Mbps).
|
Jan Just Keijser <janjust=>nikhef.nl>
Berry Hoekstra <berry.hoekstra=>os3.nl>
Damir Musulin <Damir.Musulin=>os3.nl>
|
R
P
|
2 |
11
SF |
Large scale GPU based password cracking.Recent
research (also by OS3 students) has shown a notable increase of power
for password cracking when GPU cards are used compared to traditional
CPU based password cracking. However, when putting this into practice
several significant downsides appear of which the immaturity of the
tools, the lack of scalability and the many unsupported hash types are
the most important. Currently, KPMG has achieved great results with a
CPU based password cracking cluster: 1 server + 30 desktops operated by a
MPI patched version of John The Ripper combining dictionary attacks,
rainbow tables and brute force cracking via an easy to use interface. At
the side a GPU server is used. But ideally the GPU power should be
included in the cluster and possibly the cluster members should be
equipped with GPU power.
Research the possibilities for integration of the CPU based
password cluster with GPU possibilities and advice on the optimal
password cracking strategy per common hash types. The selection of hash
types will be focused on hash types much used in enterprises and decided
at the start of the research.
|
Marc Smeets <Smeets.Marc=>kpmg.nl>
Jochem van Kerkwijk <jochem.vankerkwijk=>os3.nl>, Aleksandar Kasabov <Aleksandar.Kasabov=>os3.nl>
|
R
P
|
1 |
13
SNF |
Synergy of social networks defeat online privacy.Many
papers and articles have been written about the dangers of online
social networks like LinkedIn, FaceBook, Twitter, Flickr, etc. Although
the general conclusion is that no info is safe, many papers stay without
proof. Also it still is unclear to what extend information about a
person is revealed when you put the info from different networks
together. What if we take info together from tags and GPS coordinates on
Flickr and Twitpic, list of connections on LinkedIn but not on FaceBook
(and vice versa) and the mapping of different usernames for one person
on the net? Do we only know who his friends are, his girlfriend is and
what food he buys for his cat? Or can we also reveal more detailed info
on the location of his house, his way and whereabouts of his daily
commute and travelling, his sleeping pattern and his nighttime life as a
superhero?
Research the synergy of the info about a person on these
social networks and illustrate what targeted intelligence on a person's
online social life can reveal. It is preferred to make a proof of
concept tool that can support in this structured search. Finally,
recommendations should be made that can help in the safeguarding of your
online identity.
|
Marc Smeets <Smeets.Marc=>kpmg.nl>
Eleonora Petridou <Eleonora.Petridou=>student.uva.nl>,
Marek Kuczynski <Marek.Kuczynski=>student.uva.nl>
|
R
P
|
1 |
17
SNF |
DNS anomaly detection.Most Internet communication
starts with one or more DNS lookups. Command and control traffic used by
malware is no exception to this behavior.
Some types of C&C traffic such as IRC is often blocked by
internal corporate firewalls making it invisible for border IDS systems.
In these cases infections could probably still be detected by analyzing
DNS requests originating from the corporate network.
Examine the feasibility of detecting malware infected systems
using DNS log data and develop a scheme for detecting these anomalies in
DNS traffic. This could include anomalies in the actual content of the
request (e.g. hostnames, RR) and meta-information such as timing and
reoccurrence of specific lookups. Develop a simple proof of concept
capable of processing text based output from our DNS logger.
|
Bart Roos <roos=>fox-it.com>,
Sander Peters <peters=>fox-it.com>
Nick Barendregt <Nick.Barendregt=>os3.nl>, Hidde van der Heide <hidde.vanderheide=>os3.nl>
|
R
P
|
1 |
19
S |
DNSSEC Certificate validation.Remote trust on the web
but also in systems like mail servers is mostly handled by so called
Certificate Authorities, companies, government bodies or other types of
organisations that users go to to obtain their own certificates. There
is a significant leap of faith involved: why should you blindly trust
the hundreds of Certificate Authorities preloaded in your browser to not
abuse their root certificates, when many Certificate Authorities are
organisations you don't know anything about - which means you might not
want to trust them for all purposes, certainly not if you can avoid it.
What if the websites and services you care about can publish the
certificates they use safely and authoritatively through the DNS?
Historically, the answer was that DNS itself was not safe enough. With
DNSSEC you get a chain of trust from the signed root of the internet to
the service you want to connect to. This opens the way for many new
exciting opportunities for humans and computers to exchange information
safely. You will implement a working proof of concept that shows the
potential of an certificate less internet, through a browser, mail
server or IM client plugin that checks for the availability of valid
certificates over DNS using DNSSEC, and where relevant uses them and/or
compares them with regularly available certificates.
|
Michiel Leenaars <michiel=>nlnet.nl>
Pieter Lange <pieter.lange=>os3.nl>
Danny Groenewegen <danny.groenewegen=>os3.nl>
|
R
P
|
1 |
20
S |
Automatic SSH public key fingerprint retrieval and publication in DNSSEC.When
a user logs into a remote shell through the SSH protocol through a user
name and password for the first time, he or she is offered a public key
and a key fingerprint by the destination system (or a system imposing
as such). In such a situation, there is no automatic way to check if
this public key or its fingerprint is actually legitimate because most
of the times there is no public record of them a machine could retrieve
by itself. Currently a user has to manually check the fingerprint of the
keyfile using ssh-keygen, where the public key is handed over in a
separate way by the system administrator of the machine. Other methods
fail because an eavesdropper can sent you a malicious server key with
matching fingerprint of the malicious key. Of course this creates an
unnecessary vulnerability in situations where a sysadmin is forced to
change a key. In your project you will investigate and recommend a
mechanism for system administrators to automatically push public keys in
the DNS, and you will write concept code for OpenSSH to automatically
handle these keys once they are retrieved (of course using DNSSEC). This
will allow 'unmanned' yet secure use of SSH.
|
Michiel Leenaars <michiel=>nlnet.nl>
Marc Buijsman <Marc.Buijsman=>os3.nl>, Pascal Cuylaerts <pascal.cuylaerts=>os3.nl>
|
R
P
C
|
1 |
21
S |
Android Market monitoring.Android is a popular open
source operating system, that runs on mobile devices like cell phones
and tablets. In most devices on the market system administration tasks
through the so called Android Market are handled over XMPP, through
which a remote operator takes over full control over a phone and
remotely installs and updates all software. This is a serious security
concern for some users: the same invisible mechanism that may be
desirable for use by 'trusted parties' might be abused by others - for
instance for stealing GPG-keys, browser certificates, passwords or other
forms of abuse. Cell phones are increasingly used beyond mere human
communication, and business usage (like sysadmin tasks) demand a more
proactive monitoring of security of devices - otherwise end users cannot
trust their device to the extent they need. During your assignment you
will investigate the remote admin technology used by Google and create a
proposal for a prototype application ("Android Guardian") - an app that
can monitor and (when required) block all activities of remote
operators.
|
Michiel Leenaars <michiel=>nlnet.nl>
Bastiaan Wissingh <Bastiaan.Wissingh=>os3.nl>, Thorben Krueger <Thorben.Krueger=>os3.nl>
|
R
P
|
1 |
25
NF |
Analysis of network measurement data.RIPE Atlas
(https://atlas.ripe.net/) is a prototype service for a new, large scale
internet measurement network officially stared in November 2010. It has
the potential to organise thousands or even tens of thousands of
measurement nodes distributed around the Internet.
In this project, students should analyse measurement data
coming out of the system and work on one or more of the following tasks:
- find interesting events, research their background and
explain them; potentially using other information sources such as BGP
information, known network events, etc.
- develop methods for automatically recognising such events
- evaluate correlations between clusters of similarly
behaving nodes from the same provider, different providers in the same
geographic area, or geographically diverse providers
- explore similarities between different oddly behaving
nodes; correlate these with their common geographical, topological or
other properties
|
Robert Kisteleki <robert=>ripe.net>
Emile Aben <emile.aben=>ripe.net>
Roy Duisters <roy.duisters=>os3.nl>, Damir Musulin <Damir.Musulin=>os3.nl>
|
R
P
|
1 |
26
SF |
Exploiting Jailbrakes.Recently new ?bootrom? level
exploits have been published in iPhone and iPad hardware. These exploits
allow all existing iPhone?s and iPad?s to be ?jailbroken?, allowing
users to install unofficial apps. In theory these same exploits could
also be used to obtain information from a stolen or lost iPhone or iPad
without knowing the security PIN code. We would like the student to
verify whether these exploits can be used in this manner and which
information can be obtained in this way. Using this information we can
better advice our clients related to the security of iPhone and iPad
systems in practice. We would also like the student(s) to evaluate the
effectiveness of various counter measures (such as using dedicated
security software on the device).
|
Gijs Hollestelle <ghollestelle=>deloitte.nl>, Derk Wieringa <dwieringa=>deloitte.nl>
Jochem van Kerkwijk <jochem.vankerkwijk=>os3.nl>
|
R
P
|
2 |
27
N |
Effectiveness of Automated Application Penetration Testing Tools.In
the market we see that a lot of different tools are used for automated
penetration testing. We also identify that companies rely more and more
on the automated tools for internal usage. However, we also see that a
lot of false positives are generated by the tools that are used, that
need to be assessed manually afterwards. Therefore we would like the
students to perform an analysis on various tools that are available for
the testing of web applications and the reliability of the analysis that
is performed by these tools.
The following should be performed:
- Create or setup a realistic (web) application (including
vulnerabilities) that can be used to compare the various tooling that
is available;
- Define and perform various tests that can be used to compare the results of the automated testing tools.
|
Coen Steenbeek <csteenbeek=>deloitte.nl>,
Derk Wieringa <dwieringa=>deloitte.nl>
Harald Kleppe <harald.kleppe=>os3.nl>, Alexandre.Miguel Ferreira <Alexandre.MiguelFerreira=>os3.nl>
|
R
P
|
1 |
29
SN |
Measuring DNSSEC Validation.Introduction:
In July 2010 the root zone of the DNS was signed using DNSSEC.
Since then, DNSSEC deployment has taken off on a larger scale with many
top-level domains signing their zones and making secure delegations
available to their registrars and registrants. Many people are signing
their zones and measurements on the SURFnet resolver infrastructure
shows a steady climb in the validation rate (i.e. the percentage of
queries that can be validated). This rate has now risen to about 3%
(November 2010).
Problem statement:
We have a pretty good insight into the deployment of signed
zones across the Internet. It is, however, much harder to determine
whether or not people are actually validating queries on their
resolvers. Resolvers that request DNSSEC information set the so-called
'DO' bit in a query. Unfortunately, this is not a good way to measure
the amount of validating resolvers; a lot of resolver software now sets
this 'DO' bit by default even if they don't actually validate the
signatures returned in the answer (BIND, for instance, has the DO bit
enabled in the default resolver configuration since version 9.6).
Goal:
The goal of this assignment is to find a good way to determine
the amount of clients on an authoritative name server that perform
DNSSEC validation. If time allows it, it would be very welcome if a
simple tool/proof-of-concept can be developed as part of the assignment.
Prerequisites:
It is helpful to have knowledge about the DNS(SEC) protocol
and wire format, some familiarity with tools like tcpdump and Wireshark
is probably also warranted.
|
Roland van Rijswijk <roland.vanrijswijk=>surfnet.nl>
Niels Monen <Niels.Monen=>os3.nl>
|
R
P
|
2 |
32
N |
Emulating network latency on high speed networks.The
netem or Network emulator is a component of the Linux kernel that allows
emulation of properties of wide area networks. While netem has been
around for a while and has been proven to work reliable on relatively
low bandwidth setups, the emergence of new high speed network interfaces
requires more insight on its capabilities. We are interested in
evaluating netem as a tool to emulate latency on very high speed
networks. This would allow us to research the effects of latency on
various applications without using expensive long distance links. The
efficiency of netem greatly depends of the timer resolution provided by
the Linux kernel and therefore the research should focus on differences
between the vanilla kernel and the real time version (linux-rt) in terms
of system throughput. Is linux-rt usable in such a setting or is the
performance hit unacceptable for 10Gbit/s+ speeds?
|
Cosmin Dumitru <c.dumitru=>uva.nl>, Ralph Koning <r.koning=>uva.nl>
Niels Monen <Niels.Monen=>os3.nl>,
Berry Hoekstra <berry.hoekstra=>os3.nl>
|
R
P
|
1 |
33
S |
Power measuremeents in DAS4.The GreenClouds project
studies how to reduce the energy footprint of modern High Performance
Computing systems (like Clouds) that are distributed, elastically
scalable, and contain a variety of hardware (accelerators and hybrid
networks). The project takes a system-level approach and studies the
problem of how to map high-performance applications onto such
distributed systems, taking both performance and energy consumption into
account. We will explore three ideas to reduce energy:
- Exploit the diversity of computing architectures (e.g.
GPUs, multicores) to run computations on those architectures that
perform them in the most energy-efficient way;
- Dynamically adapt the number of resources to the application needs accounting for computational and energy efficiency;
- Use optical and photonic networks to transport data and computations in a more energy-efficient way.
The project will create the GreenClouds Knowledge Base
System (GKBS) based on semantic web technology, which will provide
detailed information on the energy characteristics of various
applications (e.g., obtained from previous execution runs) and the
different parts of the distributed system, including the network. Also,
the project will study a broad range of applications and determine which
classes of applications can reduce their energy consumption using
accelerators. Finally, it will study energy reductions through dynamic
adaptation of computing and networking resources. The project will make
extensive use of the DAS-4 infrastructure, which is a wide-area testbed
for computer scientists, to be equipped with many types of accelerators,
a photonic network, and energy sensors.
In this RP a study and baseline testing will be made of the
power measurement capabilities of DAS4 and recommendations for more
precise measurements will be made.
See also: http://www.delaat.net/smartgreen/
|
Ralph Koning <r.koning=>uva.nl>, Paola Grosso <p.grosso=>uva.nl>
Vesselin Hadjitodorov
<vesselin.hadjitodorov=>os3.nl>
|
R
P
|
1 |
40
SFN |
Security of IPv6 and DNSSEC for penetration testers.In
the infrastructure level we have seen new and more secure new arise:
DNSSEC and IPv6. For both technologies there are known insecurities
already. But these new technologies also provide the penetration testers
with challenges in the inventory scanning and vulnerability phases of
his work (e.g. scanning a /64 IPv6 range takes a while and existing
tools need to adept to IPv6). We want you to:
- Provide an overview of known security errors in IPv6 and DNSSEC.
- Provide an overview for the penetration tester of
different techniques that can be used to still perform the inventory
scanning phase.
By the way: IPv6 and DNSSEC are far from entirely
researched. If there is time during the RP we encourage further research
on protocol weaknesses.
|
Jaap van Ginkel <J.A.vanGinkel=>uva.nl>
Vesselin Hadjitodorov <Vesselin.Hadjitodorov=>os3.nl>
|
R
P
|
2 |
43
SNF |
Passive LAN information gathering.On corporate LAN's
the local area network is full of broadcast traffic from various
protocols (application protocols like HTTP, SSDP, SMB, etc but also
network protocols like STP, HSRP, ARP, etc). By simply listening to
these 'free' packets one can gather a lot of information
about the setup of the network and about the main systems in the network.
Students are asked to:
- research the broad set of information that can be gathered by sniffing these protocols passively
- create proof-of-concept tooling that gathers the data, interpreters the data and presents it in a usable form.
The PoC can be for example in the form of metasploit
module or as a stand-alone OS. This goes beyond the level sniffing of
clear text protocols in search for credentials. Students should be
educated in the many different protocols that you find on a LAN prior to
the start of the project. We will help the students on identifying
protocols to focus on.
|
Marc Smeets <Smeets.Marc=>kpmg.nl>
Roy Duisters <Roy.Duisters=>os3.nl>
|
R
P
|
2 |
44
SN |
A mapping daemon for the Locator/ID Separation Protocol (LISP).The
Locator/ID Separation Protocol (LISP) is a protocol that is currently
being developed by a Working Group in the Internet Engineering Task
Force (IETF). LISP is a network architecture and a protocol that
implements a new approach to addressing and routing on top of regular
IP. In a nutshell: LISP separates the 'where' and the 'who' in
networking and uses a mapping system to couple the routing location
(where) and endpoint identifier (who).
A non-propriatory Linux implementation of LISP is in
development, but there currently is no opensource control-plane
software. During the RP, the candidate will work on the development of
an opensource MapServer/MapResolver that can become an essential part of
the LISP ecosystem.
|
Job Snijders <job=>intouch.eu>
Rager Ossel <rager=>intouch.eu>
Marek Kuczynski <Marek.Kuczynski=>student.uva.nl>
|
R
P
|
2 |
46
N |
BufferBloat detection.Bufferbloat, or the oversized
buffer problem, is caused by too large buffer sizes in all sorts of
network devices. People also argue that large buffers alone are not the
reason for this phenomena. The argument is that large buffers are needed
to absorb short, intensive bursts in traffic. But large buffers which
are generally filled and not managed by for ex AQM will provoke
"bufferbloat".
We will look into identifying the symptoms of bufferbloat and
research ways to identify the device (router or switch) that causes the
problem.
Given a link,
Source ==== Buffer --?-- Buffer --?-- Buffer --?-- Destination
Where bufferbloat is observed, would we look into methods of
identifying which of the "unknown" links causes the problem.
|
Michiel Leenaars <michiel=>nlnet.nl>
Harald Kleppe <harald.kleppe=>os3.nl>
Danny Groenewegen <danny.groenewegen=>os3.nl>
|
R
P
|
2 |
48
SN |
CurveCP protocol efficiency.The author of CurveCP
(Dan Bernstein) makes a number of claims about various features of his
protocol. In general, these can be divided into the following topics:
Security (http://curvecp.org/security.html):
- mandatory server authentication (can't be disabled)
- optional client authentication
- no man-in-the-middle attacks possible
- no replay attacks possible
- forward secrecy (both active and passive)
Availability (http://curvecp.org/availability.html):
- no RST attacks on TCP sessions (such as SSH) possible
- protection against traffic prediction by randomness in transmission schedule
- enforced packetlengths and other policies in client/server handshakes to not amplify the resources of an attacker
- server does not allocate memory before handshake complete, protection against "SYN flooding"-inspired attacks
- worst case cpu loads kept very small -> performance not CPU-bound but network-bound
Efficiency (http://curvecp.org/efficiency.html):
- CurveCP packet has more overhead than TCP packet
- for short connections, less traffic than HTTPS
- for short connections, much less traffic than SSH
Decongestion (http://curvecp.org/decongestion.html)
- CurveCP tries to minimize packet-loss AND significant
increases in latencies (claims to decongest routers and minimize
bufferbloat)
- CurveCP scheduler keeps track of long-term congestion statistics
- CurveCP scheduler achieves tolerable share of bandwidth even running alongside an aggressive competing (TCP) scheduler.
- CurveCP distinguishes between (e.g.,) lossy wireless and
congestion-induced packet loss to use wifi connection with reasonable
efficiency.
Addressing (http://curvecp.org/addressing.html):
- multiple CurveCP servers can share a single IPv4 address and port
- CurveCP servers inherently anti-aliased from (IP) addresses
- Rapid failover to redundant server if original is down
- CurveCP session/connection not invalidated if client changes IP addresses
In this research project we concentrate on verifying
claims about protocol efficiency and addressing. To this end, we propose
to create a CurveCP-enabled remote shell/copy utility, which can then
be used to benchmark CurveCP against SSH-based TCP sessions. In
particular, we propose to pursue the following questions:
- In an ideal setting (no competing traffic), how does CPU usage relate to used bandwidth?
- How do SSH and CurveCP handshakes compare in terms of exchanged pakets (and their sizes)?
- How large is the general (packet) overhead of CurveCP over TCP (theory vs practice)?
- How do latencies between CurveCP and TCP-based sessions compare?
- How much bandwidth can a fresh CurveCP session achieve alongside a (saturating) TCP file transfer (on the server/client side)?
- How much bandwidth can a fresh TCP session achieve alongside a (saturating) CurveCP file transfer (on the server/client side)?
- How feasible is the possibility of using a single IP address and port for multiple servers?
- How feasible are persistent CurveCP sessions when switching client IPs?
- In failure situations, how does the failover happen and what are the parameters involved?
And if time allows:
- Investigate how to reproducibly simulate a lossy network and perform above mentioned measurements under such conditions as well.
|
Jeroen Scheerder <js=>xs4all.nl>
Jeroen Scheerder <jeroenscheerder=>on2it.net>
Thorben Krueger <Thorben.Krueger=>os3.nl>
|
R
P
|
2 |
