SNE Master Research Projects 2013 - 2014- LeftOvers


# title
supervisor contact



Virtualization vs. Security Boundaries.

Traditionally, security defenses are built upon a classification of the sensitivity and criticality of data and services. This leads to a logical layering into zones, with an emphasis on command and control at the point of inter-zone traffic. The classical "defense in depth" approach applies a series of defensive measures applied to network traffic as it traverses the various layers.

Virtualization erodes the natural edges, and this affects guarding system and network boundaries. In turn, additional technology is developed to add instruments to virtual infrastructure. The question that arises is the validity of this approach in terms of fitness for purpose, maintainability, scalability and practical viability.
Jeroen Scheerder <Jeroen.Scheerder=>on2it.net>


Efficient delivery of tiled streaming content.

HTTP Adaptive Streaming (e.g. MPEG DASH, Apple HLS, Microsoft Smooth Streaming) is responsible for an ever-increasing share of streaming video, replacing traditional streaming methods such as RTP and RTMP. The main characteristic of HTTP Adaptive Streaming is that it is based on the concept of splitting content up in numerous small chunks that are independently decodable. By sequentially requesting and receiving chunks, a client can recreate the content. An advantage of this mechanism is that it allows a client to seamlessly switch between different encodings (e.g. qualities) of the same content.
The technique known as Tiled Streaming build on this concept by not only splitting up content temporally, but also spatially, allowing for specific areas of a video to be independently encoded and requested. This method allows for the navigation in ultra-high resolution content, while not requiring the entire video to be transmitted.
An open question is how these numerous spatial tiles can be distributed and delivered most efficiently over a network, reducing both unnecessary overhead as well as latency.

Ray van Brandenburg <ray.vanbrandenburg=>tno.nl>




Portable RFID/NFC “Bumping” Device.

In regards to physical social engineering there are two main ways of gaining entry to targeted premises either via tail-gating, that is to follow a valid employee/visitor right behind them as they’ve opened a door or via lockpicking, which implies the use of specialised tools to pick physical locks.
As more organisations are replacing traditional entry systems with RFID card controlled entry points and even turnstiles, the use of tail-gaiting and lockpicking is becoming increasingly more difficult, especially when coupled with increased security awareness of employees and security staff. It has long been discussed the ability to read a target’s RFID access card and use that information to replicate it onto a different card of similar make, thus effectively cloning it. Although possible on many occasions this is a multiple step process which requires both time and materials.

There are primarily two different types of cards; cards which support security keys and cards which don’t. Many HID cards or MIFARE Ultralight cards (such as the ones used in disposable OV-chipkaart tickets) do not support a security handshake or encryption, unlike Anonymous/Personal OV-chipkaart tickets that use the MIFARE Classic 4K chips which use security keys. It is woth noting that MIFARE Classic chips have also been cracked (http://www.ru.nl/ds/research/rfid/) but these more elaborate systems require offline analysis. Most organisations with recent RFID implementations on their premises also use MIFARE Classic chips.

System have been designed since mid-2000 (http://www.wired.com/wired/archive/14.05/rfid.html) for “bump” cloning basic/non-encrypted RFID cards but no serious research has been made into designing a portable solution that can on-the-spot 1) clone multiple technologies and 2) clone RFID cards that support security keys. – Such a platform could also be potentially programmed to also read and clone other NFC protocols such as ones used in mobile phones and debit/credit cards and could warrant further research.
Henri Hambartsumyan <HHambartsumyan=>deloitte.nl>




Automated vulnerability scanning and exploitation (part 2).

Automated vulnerability scanning is often used in professional development environments to find critical security issues. But what if those techniques are applied to scripts available on the internet? Many scripts are shared on sites like Sourceforge and GitHub, but security might not have been a priority during their development.

Last RP period Thijs Houtenbos and Dennis Pellikaan researched this topic[1]. They developed a completely automated approach in which a large number of these scripts were downloaded, analyzed for vulnerabilities, tested, and finally websites using these scripts were identified. Combining the information gathered during all these steps in this approach, a list could be generated of web servers running vulnerable code and the parameters needed to exploit these.

Their paper suggest a few subjects on which future research is needed to improve the methodology that was developed. This research project is intended to extend or improve the previous work done.

[1] http://rp.os3.nl/2012-2013/p91/report.pdf

Bart Roos <bart.roos=>ncsc.nl>
Jop van der Lelie <jop.vanderlelie=>ncsc.nl>




Electro magnetic fault injection Characterization.

Fault injection attacks are active and either non-invasive (voltage, clock) or semi-invasive attacks (laser) based on the malicious injection of faults. These attacks have proven to be practical and are relevant for all embedded systems that need to operate securely in a potentially hostile environment. Electromagnetic fault injection is a new fault injection technique that can be used during security evaluation projects. The student working on this project will be using the tooling provided by Riscure.

A previously conducted RP project, by Sebastian Carlier, focused on the feasibility of EMFI (see: http://staff.science.uva.nl/~delaat/rp/2011-2012/p19/report.pdf). Another previously conducted RP project, by Albert Spruyt, focused on understanding fault injected in the powerline (see: http://staff.science.uva.nl/~delaat/rp/2011-2012/p61/report.pdf). This project will focus on extending the work performed by Sebastian and Albert.

The goal of this project is:
  • Create a EMFI fault injection setup (Sebastian's work)
  • Extend the fault injection framework (Albert's work)
  • Correlate results with Albert's results
Research question: Are faults introduced using EMFI comparable to faults injected in the powerline?

The following deliverables are requested from the student:
  • A clear description of the performed tests and their results
  • Recommendations for future testing
Topics: Fault injection, EMFI, low level programming, assembly, microcontroller, electronics.
Note: This project can be combined with "Optical fault injection characterization".
Niek Timmers <Timmers=>riscure.com>


Automatic services composition in GEMBus/ESB based Cloud PaaS platform.

This project will investigate Cloud Platform as a Service (PaaS) implementation based on GEMBus (GEANT Multidomain Bus) and ESB (Enterprise Service Bus) and look for solutions to automatically compose and deploy services. ESB is a widely adopted SOA platform for Enterprise Information System (EIS) and GEMBus is ESB extension for distributed multi-domain services.
The project will require investigating one of the ESB platforms, e.g. FUSE ESB, and finding which functional and configuration components need to be added to the ESB platform to support automated services composition and dynamic configuration.
Simple services composition scenario and prototype need to be demonstrated.
This work will contribute to the on-going project and may be resulted in a joint paper or conference presentation.
Yuri Demchenko <y.demchenko=>uva.nl>


Load balancing in ESB based service platform.

This project will investigate load balancing solutions provided by major existing Enterprise Service Bus (ESB) implementation such as Fuse ESB or Apache ServiceMix, writing and running simple test program and collecting statistics. ESB is a widely adopted SOA platform for Enterprise Information System (EIS).
The project will require investigating one of the ESB platforms, e.g. FUSE ESB in particular those that are responsible for load balancing and intelligent message queuing Normalised Message Router and ActiveMQ.
Simple load balancing scenario for installation of a few services depending on different message traffic patterns need to be demonstrated.
This work will contribute to the on-going project and may be resulted in a joint paper or conference presentation.
Yuri Demchenko <y.demchenko=>uva.nl>


Security intelligence data mining.

In modern Security Operations it is becoming crucial to be able to mine information published on public sites, such as social networks and “pastebins”, in order to generate security intelligence. However, the lack of natural language capabilities of most of the existing parsing engines creates difficulties processing the mined information, as capturing the sentiment is something difficult to implement. Moreover, most of the existing technologies work with occidental language support, being other interesting alphabets (Cyrillic, Chinese, etc) not frequently supported.
Your research will provide with a practical architecture to be able to mine security related information from public websites, criteria for the data mining, and the ability to perform false positive reductions based on language and context interpretation, with the ability to further scale and support non occidental alphabets. Given this setup will provide value when successfully implemented, technical feasibility as well as a founded financial case with detailed CAPEX and OPEX expected for the architecture is a desired outcome. As expected in any other data mining, the ability to deal with unstructured data as well as structured, data normalization and categorization, as well as storage requirements, is an expected outcome of your research.
Henri Hambartsumyan <HHambartsumyan=>deloitte.nl>


Android Pattern Unlock.

Android provides an unlock mechanism which is not based on the traditional pincode, but visual patterns for unlocking. Drawing the correct pattern unlocks the phone. This is an efficient way of creating easy to remember “passwords” which are hard to brute force. You will research different possibilities to bypass this security. We are especially interested in conceptually breaking this (e.g. brute forcing in an efficient way) rather than using an implementation error in certain implementations. You will get an Android device which you can use as you want during your research.
Henri Hambartsumyan <HHambartsumyan=>deloitte.nl>
Martijn Knuiman <MKnuiman=>deloitte.nl>
Coen Steenbeek <CSteenbeek=>deloitte.nl>


Modelling IT security infrastructures to structure risk assessment during IT audits.

As part of annual accounts IT Audits are executed to gain assurance on the integrity of the information that forms the annual statement of accounts. This information is accessible from an application layer, but also from a database layer. An audit focusses on different parts of the infrastructure to get sufficient assurance on the integrity of information. Different parts of the infrastructure are dependent on each other and because of this there is correlation possible between the different layers.

This research project focusses on the correlation between different infrastructure layers and the automation of performing an IT audit. By making use of reporting tools like QlikView, we would like to create a PoC to verify if specific audit approaches can successfully be automated.
Coen Steenbeek <CSteenbeek=>deloitte.nl>
Derk Wieringa <DWieringa=>deloitte.nl>
Martijn Knuiman <MKnuiman=>deloitte.nl>


Multicast delivery of HTTP Adaptive Streaming.

HTTP Adaptive Streaming (e.g. MPEG DASH, Apple HLS, Microsoft Smooth Streaming) is responsible for an ever-increasing share of streaming video, replacing traditional streaming methods such as RTP and RTMP. The main characteristic of HTTP Adaptive Streaming is that it is based on the concept of splitting content up in numerous small chunks that are independently decodable. By sequentially requesting and receiving chunks, a client can recreate the content. An advantage of this mechanism is that it allows a client to seamlessly switch between different encodings (e.g. qualities) of the same content.
There is a growing interest from both content parties as well as operators and CDNs to not only be able to deliver these chunks over unicast via HTTP, but to also allow for them to be distributed using multicast. The question is how current multicast technologies could be used, or adapted, to achieve this goal.
Ray van Brandenburg <ray.vanbrandenburg=>tno.nl>



More and more videos are being published on YouTube that contain content which is such that you want to find it soon after upload. The metadata associated with videos is often limited. Therefore, the selection has to be based on the visual content of the video.

Develop a demonstrator that automatically downloads and analyses the latest YouTube videos. The demonstrator should operate in a two stage process: first, make a content-based selection of the most relevant video material using the screenshot that YouTube provides for every new video. In case the video is considered relevant, download the entire video for full analysis. Use available open source tools such as OpenCV.

Demonstrator for the YouTube-scanner.
Mark van Staalduinen <mark.vanstaalduinen=>tno.nl>


Project-X monitor.

Friday night 21 September, 2012 the village of Haren was the scene of serious riots. The riots followed a Facebook invitation for a “sweet 16” party. The activities on Twitter surrounding this Project-X event can provide clues on the course of events turning a birthday party into a fighting ground. Maybe, thorough analysis can help to prevent such escalations in the future, or at least influence the course of events, using a live monitoring system.

TNO has performed a first analysis on the more than 700.000 tweets around Project-X. Use the results of this analysis (plus additional information you extract yourself from the tweets using data mining techniques), to develop a concept for a live monitoring system that generates an alert when alarming Twitter activity is detected surrounding a scheduled event. Examples include retweet-explosions, tweets from influential Twitter accounts, certain use of language and hash tags, hoaxes, etc.

Presentation of the concept for a live Twitter monitoring system.

REQUIREMENT: good knowledge of the Dutch Language!
Martijn Spitters <martijn.spitters=>tno.nl>


Cross-linking of objects and people in social media pictures.

Automatically cross-link persons and objects found in one social media picture to the same persons and objects in other pictures.

Develop a concept and make a quickscan of suitable technologies. Validate the concept by developing a demonstrator using TNO/commercial/open-source software. Investigate which elements influence the cross-linking results.

Presentation of the concept and demonstrator.
John Schavemaker <john.schavemaker=>tno.nl>



Federated microblogging benchmark.

Microblogging is a type of service where short public text messages are published on the internet, and semi-private messages can be exchanged between internet users through an intermediary. Popular services include market leaders Weibo, Twitter.com as well as corporate solutions like Yammer. Many of these are centralised commercial services very limited in scope by their business model. The services are increasingly controversial because of the closed nature of the services, their volatility in API's for developers (not based on published standards, sometimes crossing the line of platform provider and competing directly with external developers), the lack of openness for external developers and the fact that in many cases privacy-infringing user data from both users and their followers is being sold and/or exploited in the background. Typically it is not possible to communicate outside of the closed network.

Decentralised federated microblogging solutions like Pump.io, Status.net, Buddycloud and Friendica hold significant promise to improve the situation, especially when these free and libre solutions become part of the standard hosting/access package of internet users. If we can make the technology automatically available to every internet user through their ISP's and/or hosting providers, adopting the same user credentials they use with email, it would allow for automatic discovery across the internet and zero configuration integration with existing tools (e.g. mail clients, instant messaging software) as well as 'identity ownership' for the end user. This opens the possibility of being able to automatically 'follow' users of any email address (provided they belong to the 23% of users that want this), allow closed user groups, hidden service discovery and serious user-determined cryptography.

The research project looks into the various (open source) technologies which are available, and makes recommendations for inclusion into the project. What are the most mature solutions, in features and in implementation quality? To what extent are upcoming standards such as OStatus (suffiently) supported? What important features are not yet standardised? What are the performance characteristics of the current federated microblogging solutions? What could be good, horizontally scalable deployment strategies?
Michiel Leenaars <michiel=>nlnet.nl>


Migration models for hosting companies.

In this project you will look at the typical setup of different classes of hosting companies.
  • What is their technical architecture?
  • How is responsibility for maintenance delegated, and what are the biggest maintainance costs?
  • What are their business requirements for an upgrade of the software part of their technical infrastructure?
Given that their server racks will be underpovisioned and oversubscribed, can we devise any models to migrate such a business with minimal extra dependencies? For instance a cloud supported migration model where some or all services are temporarily moved to PaaS providers. How would such a model look, and how can we successfully demonstrate that such an approach is feasible?
Michiel Leenaars <michiel=>nlnet.nl>


Privacy aspects for LDAP service.

It is possible for domain owners to publish contact information and structured business information in LDAP, using a simple SRV record in DNS. One thing is missing: control of who can access what information. With proper control, we even envision moving towards a contact-relationship model that could for the basis for federated social media, in a modular and self-controlled fashion.

When using a pseudonym composed of a username under a domain, one typically wants to offer a controlled amount of information to remote peers who query for it. Specifically, it is not desired that a simple LDAP search yields all pseudonyms, but once a pseudonym is known to someone it should be possible to access all information related to it.

What this means is that not all LDAP attributes are public to everyone. There is a place for attributes that only show up when matched exactly with the base DN or the search filter. Examples may be mail (spammers should not be able to retrieve all mail addressed from your LDAP) and uid (which provide a hint to attackers) but in general it should be configurable. There will be some impact due to the way search filters are constructed in LDAP.

In this research project you will first design a test suite that can properly determine the desired characteristics. You will then create a proof of concept "overlay" plugin for OpenLDAP implementing this facility, and if possible demonstrate that previously feasible but undesirable retrievals are avoided.
Michiel Leenaars <michiel=>nlnet.nl>


Using iCalendar across domains, without going mad.

Many in-house calendaring solutions exist that allow for complex appointments with delegations etc., however planning an appointment with someone from an external party does not work flawlessly. Although the specifications of iCalendar and iTIP (iCalendar Transport-Independent Interoperability Protocol) do provide the framework for successful cross-domain calendaring, the implementations hinder a good user-experience as follows. iMIP (iCalendar Message-Based Interoperability Protocol) uses email as a carrier by attaching .ics files to emails. Handling the attached content always requires manual action by the user. This is furthermore mostly done without authentication/authorization. CalDAV uses a a stateless protocol (http) as carrier and requires the client software to constantly poll the calendars, making it slow and unsuitable as a truly interactive solution.

This proposal implements iTIP directly over TLS-protected TCP, which we like to call iTIPs; it uses certificates on both client and server ends of an exchange, and uses this to establish authorization over calendaring. The student has to come up with two suitable APIs. One for managing iCalendar objects in the way iMIP and CalDAV do. The second API has to enable support for possible user-interactive plugins to approach a user (e.g. through XMPP) with iCalendar proposals.

This work will be conducted in Python.
Michiel Leenaars <michiel=>nlnet.nl>
Rick van Rein <rick=>openfortress.nl>


Creating your own Internet Factory.

One of the biggest problems in computer networks is the lack of flexibility to support innovation. It is widely accepted that new network architectures are required. Given the success of cloud computing in the IT industry, the network industry is now driving the development of software-based networks. Software-based networks allow deployment and management of network architectures and services through resource virtualization. Ultimately, a program can describe the blueprint of the software-based network, i.e. its deployment, configuration, and behavioral aspects.

At TNO/UvA, we created a prototype of an Internet factory, which enables us to produce networks on-demand at many locations around the globe. In this work, we will develop a program using our prototype that produces Openflow networks (using OpenVSwitch, Daylight, and Floodlight). We will produce a number of interesting networks, e.g. one that finds better paths than Internet routing, one that is robust on failures of network elements, and one that offers larger capacity by combining multiple paths. Is is possible to capture years of experience and best practices in network design, deployment, and operations into a compiler?

Rudolf Strijkers <strijkers=>uva.nl>


Mobile app fraud detection framework.

How to prevent fraud in mobile banking applications
Applications for smartphones are commodity goods used for retail (and other) banking purpose. Leveraging this type of technology for money transfer attracts criminal organisations trying to commit fraud. One of many security controls can be detection of fraudulent transactions or other type activity. Detection can be implemented at many levels within the payment chain. One level to implement detection could be at the application level itself.
This assignment will entail research into the information that would be required to detect fraud from within mobile banking applications and to turn fraud around by building a client side fraud detection framework within mobile banking applications.
Steven Raspe <steven.raspe=>nl.abnamro.com>


Malware analysis NFC enabled smartphones with payment capability.

The risk of mobile malware is rising rapidly. This combined with the development of new techniques provides a lot of new attach scenarios. One of these techniques is the use of mobile phones for payments.
In this research project you will take a look at how resistant these systems are against malware on the mobile. We would like to look at the theoretical threats, but also perform hands-on testing.
NOTE: timing on this project might be a challenge since the testing environment is only available during the pilot from August 1st to November 1st.
Steven Raspe <steven.raspe=>nl.abnamro.com>


Access rights and Access control lists in mailboxes within Exchange 2007 and 2010.

Mailboxes and mailbox folders in exchange have the possibility to granular add rights or access to individual folders or containers. From a forensic point of view there is no easy way to determine these individual rights as an administrator. These access rights should be somewhere in the EDB database file of the exchange server.

How can we determine the exact access rights to each item, or folder within a mailbox. And can we determine changes in these access rights in time. i.e. can we see differences in ACL's throughout different backups of the EDB's.
- Do research on the exact location of the ACL's in the databases.
- Create a POC tool to extract these ACL's for a given mailbox, or all mailboxes within an EDB.
Kevin Jonkers <jonkers=>fox-it.com>



DANE is an internet standard [1] for embedding certificate information in DNS records. With DANE, either the public key or entire certificate (or a hash) is put inside a record labelled TLSA that specifies the certificate or public key to be used for a connection. Through DNSSEC, there is an independent chain of trust to protect the validity of this information.

The RFC identifies a significant number of different variants in which information about a certificate can be stored, and while a number of independent implementations exist there is no unified test suite that allows these implementations to make sure that their software works as intended and does not allow false positives or false negatives. The project is to design a complete test suite covering the DANE specification with both valid and broken examples.

[1] http://tools.ietf.org/html/rfc6698
Michiel Leenaars <michiel=>nlnet.nl>



DNS analysis (anomaly analysis, covert channels).

Sjoerd Peerlkamp <S.Peerlkamp=>shell.com>
Johannes IJkel <Johannes.IJkel=>shell.com>


Research MS Enhanced Mitigation Experience Toolkit (EMET).

Every month new security vulnerabilities are identified and reported. Many of these vulnerabilities rely on memory corruption to compromise the system. For most vulnerabilities a patch is released after the fact to remediate the vulnerability. Nowadays there are also new preventive security measures that can prevent vulnerabilities from becoming exploitable without availability of a patch for the specific issue. One of these technologies is Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) this adds additional protection to Windows, preventing many vulnerabilities from becoming exploitable. We would like to research whether this technology is efficient in practice and can indeed prevent exploitation of a number of vulnerabilities without applying the specific patch. Also we would like to research whether there is other impact on the system running EMET, for example a noticeable performance drop or common software which does not function properly once EMET is installed. If time permits it is also interesting to see if existing exploits can be modified to work in an environment protected by EMET.
Henri Hambartsumyan <HHambartsumyan=>deloitte.nl>


Triage software.

High-level requirement: Blokken lezen in volgorde van belangrijkheid, passend in een werkproces waarin vele servers geautomatiseerd moeten worden veiliggesteld

Detail eigenschappen:
  • Tools die delen van een disk lezen in volgorde van belang.
  • Configureerbaar naar criteria zoals
  • Tijdstempels
  • Paden
  • Afmeting
  • User-ids..
  • Etc
  • Alleen headers van..
  • Specifieke filenames.
  • Etc
Here are 3 possible rp subjects that need further specification. Please discuss with Jaap or Zeno if you are interested (and understand the Dutch words below).
"Zeno Geradts (DT)" <zeno=>holmes.nl>
Jaap van Ginkel <J.A.vanGinkel=>uva.nl>

76 OpNET statistical sampling (pcap); detection of malware
* DNS analysis (anomaly analysis, covert channels)
* Client to Client anomalies using OpNET (netflow)
* An analysis on a year of Symantec Endpoint Protection logs (can we link this to behavior of people)
Sjoerd Peerlkamp <S.Peerlkamp=>shell.com>
Johannes IJkel <Johannes.IJkel=>shell.com>