SNE Master Research Projects Web Page

Home Previous years

This page reports the list of student projects with the type (long or short), the contact person for each project ("@" is replaced by "=>"), the status (available or assigned) the warning level (low, medium or high; where high means that is strongly suggested to submit the project proposal head of time to not incur in delays). New projects will be added at the end. All other information related with the projects are available on the course pages on Canvas.

Number and Type Title and Abstract Supervisor Status Warning
1 - short
Security impact of DNS over TLS (DoT) and DNS over HTTPS (DoH)

DNS resolution is a critical and sensitive service. By default, DNS queries and responses are sent in plaintext. There are mainly two recently developed protocols, DNS over TLS (DoT) and DNS over HTTPS (DoH), which are of growing importance aiming to protect DNS privacy. Such encrypted protocols are cleary of benefit by protecting integrity and confidentiality of DNS traffic. However, they can effectively disrupt security controls and network monitoring solutions. The goal of this research is to analyse the security impact of DoT and DoH in order to securely implement encrypted DNS without compromising network security.
Silke Knossen <silke.knossen=>> unavailable
2 - short
Topic: TR-369 research

TR-69 is a commonly used protocol for remote management of modems/routers/gateways, which has been around for 15 years. Until now, this is how most consumer modems are remotely managed at KPN. A new protocol has been developed by the Broadband Forum, which is called TR-369. It is intended to replace TR-69. It offers a new architecture where multiple "controllers" (providers, vendors, or end users) can interact with endpoint devices (modems/routers, wifi controllers, iot etc). It supports multiple transport protocols, including websockets/COAP/MQTT/etc. KPN REDteam recently did a time boxed test on a test setup for a new modem which is controlled through TR369 (in this case, over MQTT), and we found some security issues.

* Review TR369/transport protocol "suite" with regards to security.
* Create tooling/pentesting a modem with TR369 backend infrastructure.


Project available only for a group of two students
Anand Groenewegen <anand.groenewegen=>> and Stef van Dop <stef.vandop=>>
Selected, but open for a second student in case. medium
3 - short
Privacy and Robustness in DP-based (Differential Private based) Federated Learning

Federated learning is a collaborative learning infrastructure in which the data owners do not need to share raw data with one another or rely on a single trusted entity. Instead, the data owners jointly train a Machine Learning model through executing the model locally on their own data and only share the model parameters with the aggregator. While the participants only share the updated parameters, still some private information about underlying data can
be revealed from the shared parameters. To address this issue, Differential Privacy has been used as effective tool to protect information leakage over shared parameters in Federated Learning, say DP-FED. However, it has not yet been investigated whether (and to what extent) the DP-FED is resistant against attacks.

This project aims to evaluate the resistance of DP-FED against different attacks and to explore the possibilities of reducing the success rate of these attacks. To conduct this research, at least three datasets, three different DP-FED techniques, and three different privacy threat models should be selected. Then, a comparison of DP-FED and FED (without DP) should be performed to evaluate how much embedding Differential Privacy in Federated Learning
algorithms makes them robuster.

The following papers are suggested to be studied for this work:
1. Mohammad Naseri, Jamie Hayes, and Emiliano De Cristofaro; Toward Robustness and Privacy in Federated Learning: Experimenting with Local and Central Differential Privacy, CoRR, 2020.
2. Lingjuan Lyu, Han Yu, Xingjun Ma, Lichao Sun, Jun Zhao, Qiang Yan, Philip S. Yu, Privacy and Robustness in Federated Learning: Attacks and Defenses, arXiv, 2022.

3. Ahmed El Ouadrhiri, Ahmad Abdelhadi, Differential Privacy for Deep and Federated Learning: A Survey, IEEE Access, 2022.

4. Malhar Jere, Tyler Farnan, and Farinaz Koushanfar; A Taxonomy of Attacks on Federated Learning, IEEE Security & Privacy, 2021.

5. Xiaoyu Cao, Jinyuan Jia, Neil Zhenqiang Gong, Data Poisoning Attacks to Local Differential Privacy Protocols, CoRR, 2019.

6. Minghong Fang, Xiaoyu Cao, Jinyuan Jia, Neil Zhenqiang Gong; Local Model Poisoning Attacks to Byzantine- Robust Federated Learning, the 29th Usenix Security Symposium, 2020.
Mina Sheikhalishahi <mina.sheikhalishahi=>> available medium
4 - short
Private GAN for Machine Learning

Generative Adversarial Network (GAN) provide a promising direction in research studies where data availability is limited. One common issue in GANs is that due to the high model complexity of deep networks, they are vulnerable in revealing information about training samples. This issue has been addressed in several studies by designing Differentially Private GAN (DPGAN) models, in which DP is adopted in training GANs. While DPGANs serve as effective tools in this regard, still a comprehensive understanding of the utility of this new generated data, with the purpose of being used as the source data of Machine Learning algorithms, is missing. Also, it is not clear how much each DPGAN technique is resistant against privacy threats compared to other DPGAN methodologies.

In this project, we select several DPGAN techniques, several datasets (with different properties), several ML algorithms, and two/three privacy attacks. We first train DPGAN techniques on selected datasets. We next evaluate the utility of data by employing ML algorithms on generated data. We compare the utility of generated data based on ML model accuracy. Also, we analyze how the dataset properties and the ML technique properties affect the effectiveness of data. We then employ privacy attacks on DPGANs and compare the results with GANs to evaluate and compare the robustness of different DPGANs.

The following studies are recommended:

1. Liyue Fan, A Survey of Differentially Private Generative Adversarial Networks, 2021.

2. Liyang Xie, Kaixiang Lin, Shu Wang, Fei Wang, Jiayu Zhou, Differentially Private Generative Adversarial Network, 2018.

3. Chugui Xu, Ju Ren, Deyu Zhang, Yaoxue Zhang, Senior , Zhan Qin, Kui Ren, GANobfuscator: Mitigating Information Leakage Under GAN via Differential Privacy, IEEE Transaction on Information Forensics and Security, 2018.
Mina Sheikhalishahi <mina.sheikhalishahi=>> available medium
5 - Long
Comparison of state-of-the-art endpoint defence solutions to (partially) open-source endpoint defence

Endpoint defence evolved a lot in the last decade and the old anti-malware / anti-virus software a small sub-section of the state-of-the-art endpoint defence solutions. Instead of anti-malware / anti-virus, we are now talking about Endpoint Defense and Repsonse (EDR), Data Loss Protection (DLP), File Integrity Monitoring (FIM) and other fancy words that suppliers have the creativity to come up with. The biggest suppliers on the market are busy expanding their software with new features. This project will allow the students to get access to some vendor trial licences (1 or more) and compare the functionality of the products with free and open-source product offerings. Depending on student ability the project can result in the development of new features into open-source products. A minimum expected deliverable of the project is a comparison report and proposed development path to improve the open-source or proprietary products.

This long project is divided in the following way:

*) Phase 1: building on the RP of Dennis from 2021, further develop an open criteria of assessing and quantifying the effectiveness of a modern EDR (qualitative theoretical study)
*) Phase 2: put this theory into practice by putting several state of the art tools to test, possibly in a specific context (Office IT or possibly SCADA) depending on availability of opportunities
Peter Prjevara <peter=>> unavailable low
6 - Short
Comparison of architectures supporting high integrity and secure data pipelines

Tennet TSO is a leading European grid operator committed providing secure and reliable supply of electricity 24 hours a day 365 days a year, while helping to drive the energy tranisition. As a first cross-border Transmission System Operator (TSO), we design, build maintain and operate 23,900 km of high-voltage electricity grid in the Netherlands and large parts of Germany and facilitate the European energy market, through 16 interconnectors to neighboring countries. As part of this effort some of our teams are committed to deliver a private cloud infrastructure that house the data pipelines we use to interface between our internal departments and with our external partners. In these data pipelines data integrity and security is of high importance, so we must use modern technologies and data architectures that support this data integrity and security. However we also have legacy requirements, which must integrate securely with the modern technologies. Modern technologies we use include k8s and Apahce Kafka and MinIO, while some of the legacy requirements we have is the need for SQL based querying methods, or file based data transfers (SCP / SFTP).We would like to offer a project to SNE students where they explore the possibilities of architecting data pipelines combining these technologies - or even newer / better ones. Some of the questions that can form a basis for research questions are as follows:

- How are these technologies can be best combined to offer maximum data integrity?
- How can the technologies be best used to create long term, highly integer data archiving?
- What are the limits of this integration (on the available hardware to the students)?
- What are the advantages / disadvantages of implementing the architecture as a service-mesh instead of traditional architectures?

As the students will require to build their own test environment, this project is suitable for 2 candidates. Tennet will facilitate engineering support where students will gain insight into what problems the engineers and architects find important during the design of such architectures, and how the Agile teams in Tennet work together to deliver similar systems and architectures.
Peter Prjevara <peter=>> available low
7 - Short
Parser differentials in micro services

Environments that use micro services often have a wide variety of programming languages and frameworks. Therefore, we suspect that parser differentials vulnerabilities are common in micro service architectures. For example how two libraries parse (malformed) JSON, HTTP requests etc. This could lead to interesting vulnerabilities that are hard to find. The goal of this project would be to find such parser differentials in commonly used libraries and see if this could lead to real vulnerabilities.
Daan Keuper <dkeuper=>>
unavailable  medium
8 - Short
Race conditions in web applications

In local applications race conditions are well understood and we have tons of examples that were affected by this vulnerability class. However, in web applications research on this topic seems to be scarce. We’ve found some real life vulnerabilities abusing race conditions (for example, claiming a coupon code more than once), but we suspect that more of such cases could be found. The goal of this project is to find more examples of race conditions  in web applications in real life applications.
Daan Keuper <dkeuper=>>
unavailable  medium
9 - Short
Purple teaming for telecom operators

During the last 5-10 years, a large number of organisations have adopted RED and BLUE teams. A new trend can be seen where these offensive and defensive teams work in harmony. Recent whitepapers affirm this trend[1] and outline the benefits[2]. As the largest telecom operator in The Netherlands, KPN is continuously strengthening the ties between its BLUE- and REDteam. By working together (purple teaming), we increase knowledge and effectiveness on both sides. This research is divided into a theoretical part, what does literature state regarding purple teaming best practices, and a case study by designing/building a purple team CTF combining the studied literature with a telco perspective.

* Literature study on purple team
* Design a purple team capture the flag


Project available only for a group of two students
Anand Groenewegen <anand.groenewegen=>> and Stef van Dop <stef.vandop=>> unavailable medium
10 - Long
XDP-based DNS hot cache

The eBPF and specifically XDP paradigms enable for processing of packets in the Linux kernel without touching the full network stack and user space.  While the flexibility of, and resources available to such XDP programs are limited, simple programs can reduce system load significantly. In DNS for example, if we can determine we can not or will not answer a DNS query at such a very early stage, we do not need to bother the software running in user space with it.

For this project, the goal is to design, develop and assess a BPF/XDP program that serves as a DNS Hot Cache, serving answers to often asked queries from kernel space.

# Part 1: design and development

In the first part of the project, the students familiarize themselves with the BPF/XDP paradigm and tool chain. At NLnet Labs, we have experience with using XDP for DNS, so we will be up to speed quickly. The final program will need to store DNS answers coming from user space, and re-use them to answer subsequent queries from kernel space directly. In preparation for part 2, we deploy the program at an actual nameserver/resolver, gathering measurements for assessment and the final report.

# Part 2: assessment of measurement results, reporting

At this stage, the developed XDP program has been running for several months, generating data such as log entries and measurements. Based on the collected insights, the students assess if and to what extent the program has affected the performance of the DNS service. (A possible outcome could be an advice on which parameters require fine-tuning for certain use-cases or networks.)

Luuk Hendriks <luuk=>> and Willem Toorop <willem=>>
available  low
11 - Short
What are the practical implementation limits of eBPF (programs)?

eBPF (which is no longer an acronym for anything) is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in a privileged context such as the operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring to change kernel source code or load kernel modules." -

eBPF sounds like the holy grail for developing 'user space'-like applications inside kernel space in a safe manner, but what can and can't you achieve as a developer of eBPF programs?

- What categories of applications can and cannot be implemented in eBPF?
- What are technical limitations that are preventing the developer of creating an application of such a category?
- What can be done to remove this limitation?
Serge van Namen <serge.van.namen=>> and Chris Hendriks <chris=>>
unavailable  low
12 - Short
What is the current security posture of eBPF and implied risk of using eBPF programs?

eBPF (which is no longer an acronym for anything) is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in a privileged context such as the operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring to change kernel source code or load kernel modules." -

- What is the current security posture?
- What are the current risks of running eBPF programs?
- What are the attack surfaces?
- What is the impact upon compromise?
- How can these programs be protected?
Serge van Namen <serge.van.namen=>> and Chris Hendriks <chris=>> Unavailable.
13 - Short
The security state of Kubernetes

Kubernetes is becoming more and more the 'universal controle plane' for (cloud) computing. Inherent to significant growth in a technology domain is the decision of not degrading security when migrating workloads to new technology.

- What is the current security posture of Kubernetes with regards to container runtime e.g. selinux, seccomp, etc in contrast to usability?
- What can be improved?
- How can this be improved?
- What is the impact of these improvements on the usability of Kubernetes?
Serge van Namen <serge.van.namen=>> and Chris Hendriks <chris=>> available  low
14 - Short
eBPF based Malware

eBPF (which is no longer an acronym for anything) is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in a privileged context such as the operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring to change kernel source code or load kernel modules." -

- What types of malware can be developed inside an eBPF program?
- How can eBPF based malware be detected?
- How can a system be hardened against eBPF based malware?
- What persistency capabilities does eBPF facilitate for malware?
Serge van Namen <serge.van.namen=>> and Chris Hendriks <chris=>> unavailable  medium
15 - Long
EPI - Enabling Personalized Interventions

We propose the EPI* Framework to enable secure data sharing within the healthcare context. The framework addresses multiple concerns across different levels; namely: policy level, data level, application level, and network level. Within this project proposal, we mainly focus on the last network level. To abide by security requirements at the low level of packets, we instantiate and provision Virtualised Network Functionalities (VNF) on the fly. Moreover, we containerise said VNF for higher efficiency and easier deployment. As a result, we bridge any existing security gap between the end nodes of the data-sharing session via containerised VNF or Bridging Functions (BF’s).

The framework utilises Kubernetes to orchestrate and schedule resources to run microservices across distributed clusters of proxy nodes. The goal of this project is to evaluate the framework setup via a specific threat model, and define the best practices/ mitigations in terms of security configurations. Moreover, we aim to investigate that by simulating a number of attacks to confirm the evaluation further experimentally.

Potential questions to investigate:
1- There are a number of available threat modelling methods like: STRIDE, LINDDUN, CVSS, etc. Threat models can be software centric, attacker centric, and asset centric depending on what level of security you are investigating. With the goal of evaluating the framework in mind, how to choose the appropriate methodology to use?
2-  Based on that, what threat model to use to create a system abstraction, identify security requirements, potential vulnerabilities, and mitigations while running network-based microservices with Kubernetes? Example: key management, worker node authentication, etc.

*EPI - Enabling Personalized Interventions:

BF chaining and proxy implementation:
Jamila Alsayed Kassem <j.alsayedkassem=>> available  low
16 - Long
Side-channel analysis using on-line statistics

Side-channel analysis is the art of cracking cryptographic implementations by observing unintended signals such as the algorithm’s execution time or the power consumption of a device

Industrial-level side-channel analysis requires lengthy signal measurements over multiple days. Acquiring and processing such a large datasets is a very demanding computational task that must be carried out within specific time constraints.

In this project we will utilize efficient online statistical computations that can pinpoint the useful part of the signal in a very large dataset. To do so efficiently, we will “drill” for useful leakage information through reinforcement learning algorithms. Our final goal is to develop an efficient processing strategy that will maximize our ability to detect and perform side-channel attacks

Statistical formulas: []

Matlab code for statistical formulas(also available in Python): []

1st part: study and utilize online statistics
2nd part: adaptive “drilling” for leakage
Kostas Papagiannopoulos <k.papagiannopoulos=>> available  low
17 - Short
Analysis of Hashicorp Vault Integrated storage (RAFT) back-end

Within (large) distributed environments storing, managing and provisioning your secrets securely can be difficult. There are several secret managers available in the wild that can help tackle life-cycle management of secrets in distributed environments. Vault is an opensource secrets manager created by Hashicorp. Since the 1.4 release of Vault the Integrated storage back-end that uses RAFT as a consensus algorithm for replicating data between Vault instances has been introduced. A secrets manager such as Vault becomes an interesting point of attack for malicious users. When using a tool such as Vault making sure that data stored in and exchanged via Vault is Secure is extremely important.

- How secure are secrets at REST when the Integrated Storage back-end is used?
- How secure is the exchange of secrets via the RAFT consensus algorithm?
- Are there any avenues of attack that can be exploited to retrieve information/secrets?
Maurice Mouw <Maurice.Mouw=>> unavailable  Low
18 - Long
Formal verification of P4_16 for robust data plane programmability

The advent of programmable network switch ASICs and recent developments on other programmable devices (NPUs, FPGAs etc.,) drive the renewed interest in network data plane programmability. Data plane programmability refers to the capability of a network device to expose the low-level packet processing logic to the control plane through a standardized API, to be systematically, rapidly, and comprehensively reprogrammed. Domain specific programming languages such as P4 [1] have emerged, enabling to describe the entire packet processing in a protocol-independent way at a high abstraction level. P4 has gained strong community support, covering both industry and academia. Data plane programmability enables unprecedented network flexibility, but it may come at the cost of robustness. The shift from fixed function to programmable data planes increases the chance of introducing bugs due to incorrect protocol implementations. Such bugs can be easily transformed into vulnerabilities e.g., if exploited towards the violation of network security policies. There have been efforts to overcome this problem by checking if the network satisfies the intended properties use formal verification techniques (e.g., model checking or symbolic execution). For example, Kheradmand and Rosu [2] developed a complete operational semantics for P4 v14 in the K framework, enabling symbolic model checking and deductive verification. As another example, Liu et al. [3] developed a translational semantics from P4_14 to a Guarded Command Language for practical verification.

Within the course of this joint RP1-RP2 project the student will
1. Phase 1: Investigate the state of the art in the area, get familiarized with P4 DSL, analyze, and apply a chosen formal verification technique for P4_14, establish a suite of example programs and verified properties, and construct a migration plan from support P4_14 to P4_16.

2. Phase 2: Execute the migration plan and analyze the soundness, completeness and practicality of the resulting implementation.

-- Enrolled student in master’s program in computer science or related
-- General knowledge on computer networks
-- Affinity with programming language techniques such as compiler construction, formal verification and/or formal operational semantics
-- Some experience with declarative programming, e.g., logical programming (in Prolog) or functional programming (in Haskell)
-- Language skills: English

[1]. Bosshart P, Daly D, Gibb G, Izzard M, McKeown N, Rexford J, Schlesinger C, Talayco D, Vahdat A, Varghese G, Walker D. P4: Programming protocol-independent packet processors. ACM SIGCOMM Computer Communication Review. 2014 Jul 28;44(3):87-95.
[2] Kheradmand A, Rosu G. P4K: A formal semantics of P4 and applications. arXiv preprint arXiv:1804.01468. 2018 Apr 4.
[3] Liu J., Hallahan W., Schlesinger C., Sharif M., Lee J., Soulé R., Wang H., Caşcaval C., McKeown N., and Foster N., P4v: practical verification for programmable data planes. ACM SIGCOMM '18, pp. 490– 503.
Chrysa Papagianni <c.papagianni=>> and Thomas van Binsbergen <l.t.vanbinsbergen=>> available  low
19 - Short Identifying Ghost resources in (multi-cloud/hybrid) distributed environments.

Many companies are adopting cloud or multi-cloud environments containing distributed components that leverage different Cloud services. Over time more resources are accumulated that are not properly cleaned up. In cloud environments this can introduce additional significant cost over time.

Additionally 'ghost' resources can pose a significant security risks if those resources are not patched.
- Are there strategies/frameworks to detect or prevent the creation of ghost resources.
- What or how is a proper baseline determined for identifying if something is a ghost resource/asset?
- Are there tools that can help identify ghost resources (in multi-cloud environments)?
- How can we automate the detection of ghost resources (in a multi-cloud environment)?

The project can be extended to a long project if the students want extend the research with building a prototype for detecting ghost resources
Maurice Mouw <Maurice.Mouw=>>
unavailable  medium
20 - Short
GPU malware

Antivirus is monitoring memory continuously for malicious activity. One possible way to circumvent this, is by utilizing the memory allocated to the GPU. Using the GPU to perform either computationally intensive operations or to hide malware when no actions are required or even executing the malicious code from the GPU. Students are required to have at least some experience with coding in C and OpenCL or CUDA. The latter two programming languages are used in General Purpose Graphics Processing Units programming. The goal of the research would be to expand further upon existing research, as there is some information available, although limited. [1][2] Research questions can be defined at a later stage, an example would be: “What are the limitations of running malware entirely on the GPU?”

Robert Diepeveen <robert.diepeveen=>> and Thomas Ouddeken <thomas.ouddeken=>>
unavailable  medium
21 - Long
Software-defined networking (SDN) and Blockchain in a decentralized environment

During the past years, SDN and Blockchain technologies have demonstrated a great potential to enhance each other [1]. SDN can improve the network availability and performance of the P2P network in the Blockchain, and the Blockchain can also improve the trustworthiness of the SDN controllers. In our recent work, Blockchain has been used in the scientific computing community to share large digital objects and in the trustworthiness of a decentralized service market. Improving the performance of the blockchain P2P network using SDN becomes an urgent topic when such Blockchain is deployed in a large, distributed infrastructure across data centers. In this project, we will investigate a) how SDN can improve the efficiency of decentralized digital object sharing in a Cloud virtual research environment [2], and/or b) how Blockchain improves the trustworthiness of SDN controllers from multiple providers in a service marketplace [3].

The student will first make a literature study on the relevant topic and deliver a technical solution to the VRE framework.


[1] Majd Latah and Kubra Kalkan. 2022. When SDN and blockchain shake hands. Commun. ACM 65, 9 (September 2022), 68–78.
[2] Zhao, Z., Koulouzis, S., Bianchi, R., Farshidi, S., Shi, Z., Xin, R., Wang, Y., Li, N., Shi, Y., Timmermans, J., Kissling, W.D.: Notebook-as-a-VRE (NaaVRE): From private notebooks to a collaborative cloud virtual research environment. Softw Pract Exp. spe.3098 (2022).
[3] Shi, Z., Ivankovic, V., Farshidi, S., Surbiryala, J., Zhou, H., Zhao, Z.: AWESOME: an auction and witness enhanced SLA model for decentralized cloud marketplaces. J Cloud Comp. 11, 27 (2022).

Project for one or two students
Zhiming Zhao <z.zhao=>> available  low
22 - Long
Assess the robustness of a P2P network using graph-based models

In peer-to-peer network (P2P) overlays, there are many problems that a malfunctioning peer can cause that can affect the performance, reliability, and availability of the entire network. While a P2P is generally meant to be set up with participants of equal importance, this is often not the case. More often than not there is an unequal distribution of responsibilities within a P2P network, for instance often a situation that a small percentage of peers answer the majority of queries occurs [1]. Furthermore, certain peers can also be favoured more over others in terms of routing, making some peers more important for the routing of the packages. This is for instance the case when a peer is the fastest gateway between two networks. When a peer in a P2P network malfunctions, it can have a massive impact on the total operability of the network, especially if the peer falls into the category described above. Clear problems that arise are the possibility of long reconfiguration times or partitions when these peers fall away. What is more, the rest of the network might suddenly need to distribute a large quantity of work. Besides, if one of these nodes becomes a bad actor, then it can inject malicious code into a lot of data.

In a perfect world, a P2P network would be perfectly flat, so where every peer has the approximately same responsibilities and importance, yet, that is already not always possible. In blockchain applications, the robustness of the underlying P2P network is crucial for synchronizing ledgers across nodes. If the network got partitioned, or more nodes became malicious (namely Byzantine nodes), nodes may take much longer than expected to achieve consensus on the states of ledgers. It is thus important to identify the potential risks of the P2P network and assess its robustness. So, it is important to be able to locate those peers that are of importance to the reliability, performance, and availability of the net work as a whole. With this information, we can then configure the network to have back-up routes or peers to not allow too much dependence on a small set of peers. It also offers insight into where new peers should be added when they want to join the network.

Currently, there is a lot of research on P2P networks, but not much on peer-based metrics. In this research project, we tackle the problem of creating a metric to be able to assess the ‘importance’ of a peer in a structured P2P network, where we have complete information on the topology of the underlying IP network and the P2P overlay network, the expected traffic over the network and the link capacities. This will be restricted to the most commonly used types of structured P2P networks, but we aim to lay the basis for generalising the metric to assess peer importance in any other given topology. As one of the main difficulties in detecting risks in P2P networks is that they are decentralised, it can also be interesting to look into how
accurate the metric is the information of just one peer or a group of peers working together.

[1] Dennis Trautwein et al. “Design and evaluation of IPFS: a storage layer for the decentralized web”. In: Proceedings of the ACM SIGCOMM 2022 Conference. 2022, pp. 739–752.
Zhiming Zhao <z.zhao=>> unavailable  low
23 - Short
Unlocked popular password managers

Nowadays the use of password managers is ubiquitous and often encouraged by security providers. Password managers store the passwords (and other secrets such as MFA seeds or credit card information) of users in a secure, but reversible way. We know that an unlocked KeePass database [1] poses a threat for the user because it allows the key material to be extracted from memory. This raises the same question for other popular password managers (for instance LastPass, 1Password or Bitwarden) as well. How do they manage secrets in memory? Is it possible to extract the key material from memory for an unlocked database? What about browser extensions?

The student should be familiar with a bit of reverse engineering (language depends on the chosen password manager) as well as programming. The main goal of this research is to uncover what risks there are in leaving password managers unlocked, a cool extra effort would be a tool that extracts the right material from (browser) memory.

Robert Diepeveen <robert.diepeveen=>> and Bart Roos <bart.roos=>> unavailable  medium
24 - Short
Malware leveraging the TEE

Modern devices often include a Trusted Execution Environment (TEE) for handling security sensitive tasks and storing security sensitive assets. Malware, already in control of the Rich Execution Environment (REE), for example Linux, may also compromise the TEE.

You will be studying the current research on Malware leveraging the TEE of a device. The output of this project will be a Proof-of-Concept (PoC) on a real device with a Qualcomm TEE with known vulnerabilities ( We will provide all the required tooling and targets for this project. You will conduct this project remotely from your own premises (e.g. SNE lab).
Niek Timmers <niek=>> unavailable  medium
25 - Short
Reproduce ESP32 glitch attacks using affordable tooling

We demonstrated multiple attacks on Espressif's ESP32 chip with lab-grade Fault Injection tooling (

You will be asked to perform a feasibility study to determine if it's possible to reproduce these attacks using affordable Fault Injection tooling. We will provide all the required tooling and targets for this project. You will conduct this project remotely from your own premises (e.g. SNE lab).
Niek Timmers <niek=>> available  low
26 - Short
Improve library identification

Binary firmware typically include many libraries. Determining the version of these libraries is not always trivial.

You will be studying the state-of-art of library identification tooling (e.g. in order to improve it. The output of this project should be a standalone tool or disassembler plugin for e.g. Ghidra ( You will conduct this project remotely from your own premises (e.g. SNE lab).
Niek Timmers <niek=>> unavailable  low
27 - Short
Threat Modeling OpenBMC

Modern servers are often equipped with a Baseboard Management Controller (BMC) that is used for remote monitoring and management of the host system. An interesting development is the availability of OpenBMC, an open source initiative to create an open source BMC firmware.

You will be studying the functionality of OpenBMC in order to define its attack surface. You will be using the QEMU reference platform and/or an actual device running the OpenBMC firmware. You will conduct this project remotely from your own premises (e.g. SNE lab).
Niek Timmers <niek=>> available  medium
28 - Short
Would a flow based IDS using a neural network in kernel space improve performances over typical IDS?

Simplified versions of flow based IDS have been implemented in kernel space using eBPF and decision trees. This has shown a 20% improvement over similar tasks achieved in user space. However, this is achieved for a simplified IDS algorithms. As the complexity of the algorithm increases, using the specific data types of eBPF creates more overhead and complexity.

- Will the performance advantage persist when using more complex algorithms and for example deep Neural Networks in the case of a kernel-based IDS ?
Nathan Keyaerts <nathan.keyaerts=>> and Serge van Namen <serge.van.namen=>>
available  low
29 - Short
eBPF forensic tools

eBPF is a relatively recent technology that opens a new avenue of attacks and misusages of services. To counteract this, forensic tools are being developed to detect attacks and perform forensic investigations afterwards using Volatility.

- Are these tools exhaustive, or are there still attacks that these tools cannot detect ? 
- Is it then possible to detect these attack ?
Nathan Keyaerts <nathan.keyaerts=>> and Serge van Namen <serge.van.namen=>> unavailable  low
30 - Short
Quantum secure connection to your institution

eduVPN is open source VPN software that is offered by SURF as a service to organizations. Organizations using eduVPN mainly consist of universities and research institutions[1]. Using eduVPN, students and employees can access the organization's network without having to be physically present at the organization. eduVPN also offers a secure VPN connection which can be used to access the internet. Using this VPN connection will prevent people that are listening in on the network from seeing which websites one visits.

The cryptography used by eduVPN is not quantum resistant. When a quantum computer is built that is powerful enough to run Shor's algorithm, VPN traffic could be decrypted and the privacy of users violated.

The goal of the project is to research how to prevent VPN traffic that is stored now from being decrypted later when a quantum computer becomes available, and to build a Proof of Concept demonstrating a quantum-resistant eduVPN. We assume that there is currently no quantum computer that can break classical cryptography. Thus, an active Man in The Middle attack with a quantum computer is out of scope.

The proof of concept will focus on the connection between a user using the Android eduVPN application and the server while using WireGuard.

Because of limited time for the project, some tasks are out of scope:

* eduVPN clients exist for Android, iOS, Windows, macOS and Linux. We will only consider the Android client and leave the other clients out of scope.
* eduVPN support two VPN technologies: OpenVPN and WireGuard. For now, we will only consider WireGuard because OpenVPN support is planned to be removed in the future.
* eduVPN supports high availability deployments. These deployments use multiple servers that connect with each other. The communication between these servers are left out of scope. We will only consider a setup with one server.
* No new post-quantum cryptography will be designed and implemented. Existing post-quantum cryptography will be considered and used.

In case there is time left, the scope can be extended with one of the points above. For example, we could also look at OpenVPN or make sure the VPN connection is protected against an active MITM with a quantum computer.

At the end of the project, the following products will be delivered:

* The code of the modified server and modified Android app that can setup a VPN connection using WireGuard that protects against decryption by quantum computers.
* An explanation of the design and the design decisions.

[1]: See [] ( for a list of organizations using eduVPN.
Rogier Spoor
unavailable  low
31 - short
Placement of 'Security.txt' (RFC 9116) on network devices, by Digital Trust Centre (DTC)

The DTC has recently held a campagne to promote the usage of the new 'Security.txt' standard among its audience (small- and mid-sized enterprises (SMEs)) with great success. As a follow-up research the DTC would like to investigate the possibilities of placing 'Security.txt' on (minimal) internet-facing network devices, such as firewalls.

Questions that emerge during this research are:
- Is it possible to implement this on the devices of the three main brands used by SME companies; for this an analysis of the devices used by the SMEs need to be made that gives insight in which brands are most frequently used by these SMEs. These top three items will be the scope for this research
- (if not,) what are the limiting technical factors?
- (if not,) what technical changes should be made to enable the placement of 'Security.txt' on these devices?
- How can the DTC (government) use its position to force this change among these devices, using both their ability to create new (government) policy, and their communications towards the SMEs, to have these companies also actively demand this from the vendors.
Liesbeth Kruizinga <u.kruizinga2=>> and Erwin Hasenpflug unavailable
32 - short

Security of IaC

The adoption of IaC can help significantly reduce the administrative overhead for IT departments. Managing multiple environments in a multi-cloud setup, however, introduces complexity. Without properly securing and/or pipelining the creation of resources within your cloud environments, it is likely that changes will be made outside of the scope of the defined code. This can lead to (significant) security risks, additional costs, and depending on the tooling used breakage of existing IaC code or applications.

- How can we (effectively) detect configuration drift?

- What methods, tools, and/or frameworks are there for detecting and managing configuration drift?

- What are the caveats for drift detection?

- Can I detect drift outside of the stored state?

- Consider destroying vs detecting and remediating.
  - Note this is limited, e.g. if an object is changed that has dependencies to other objects this is not possible
  - e.g. think of a VPC that has subnets that contain VMs that cannot be destroyed.

Maurice Mouw <Maurice.Mouw=>> unavailable
33 - short
Deanonymization of the Tox peer-to-peer communication protocol

During almost all ransomware incidents, the attackers wish to communicate with the victims, for example to negotiate prices. Often this communication happens trough a web portal in the Tor network, but sometimes attackers want to communicate through the Tox protocol [1]. Tox is a peer-to-peer (P2P), end-to-end encrypted chat protocol that tries to preserve the privacy of its users. Although the TokTok project states that its goals are to try to preserve privacy of its users, it also states the non-goal to preserve anonymity. Which is logical, considering it is a peer-to-peer protocol it should be possible to determine the IP address (and potentially other characteristics) of the partner engaged in communication. Tox is per design when connected to a peer not anonymous [2]. Connecting to a peer is done through a Distributed Hash Table (DHT), the table is distributed over a decentralized network of hosts named bootstrap nodes. The use of a DHT provides the Tox users the ability to find each other and connect in a more
private way.

Privacy and anonymity have different meanings and objectives as described above, within this study we clarify these as terms follows: Privacy is a state in which two peers are communicating and the communication is confidential, confidential being a state where the communication is kept secret and private. Privacy is provided by the Tox protocol [2]. In the context of this study we define the term anonymity in the context of two peers that have a friend relationship (found each other in the DHT) and can engage in communication over the Tox protocol. Even though the peers are connected, anonymity in Tox is present given in the sense that the peers do not know who is on the other side of the connection apart from the information required to establish the session (the Tox ID).

The goal of this study is to attempt to deanonymize the remote partner in a two-party communication using the Tox protocol. The scope of this study includes researching the associated privacy and anonymity components in Tox and an attempt to deanonymize Tox peer-to-peer participants in the identified scenarios of use. If the study indicates any feasible strategy to deanonymize Tox peer-to-peer participants the functional and technical requirements as well as the effectiveness will be considered in order to view a strategy as practically usable.



Robert Diepeveen <robert.diepeveen=>>
34 - short
Detection and propagation of invalid BGP routes in an environment where Route origin validation (ROV) is (partially) used.

ROV is a mechanism that detects when an AS starts to announces a prefix that it does not own itself. Neighboring BGP speakers can choose to not accept this prefix. Not all BGP speakers on the internet have ROV configured and/or enabled to drop invalid prefixes. Some BGP speakers only have ROV enabled to detect invalid routes, but choose to not drop invalid routes to ensure their networks keep working.

Because of the nature of the internet, it can happen that traffic that traverses through a BGP speaker that has ROV enabled and drops invalid routes still ends up at an invalid destination because somewhere along the path to the destination, a router chose to install an invalid route. This research aims to discover a way on how such routers can be discovered.

Goals of this research are:
- Detection of routers that installed invalid routes
- Understanding how these invalid routes propagate throughout the internet
- Measuring the influence of the placement of non-ROV enabled routers on a path
Willem Toorop <willem=>> and Koen van Hove <koen=>>

35 - short
Investigation of FlexAlgo for User-driven Path Control

Flexible Algorithm (FlexAlgo) is an IGP extension that allows to create logical views or slices inside a single IGP domain. FlexAlgo describes a set of constraints on the topology that are to be used to compute the best paths.

We are interested in investigating capabilities and limitations of FlexAlgo and answer the following research questions:

- How can FlexAlgo be implemented in a single SRv6 domain?

- In particular, how can we assess the potential to create low delay paths and steer traffic via low utilization parts of the network?

These features are very important in order to achieve User-driven path control.

2. Hesselman, Cristian, et al. "A responsible internet to increase trust in the digital world." Journal of Network and Systems Management 28.4 (2020): 882-922.
Leonardo Boldrini <l.boldrini=>> and Paola Grosso <P.Grosso=>>
36 - short
Development of a control framework to guaranty the security of a collaborative open-source project.

We're now living in an information society, and everyone is expecting to be able to find everything on the Web. IT developers make no exception and spend a large part of their working hours searching for and reusing part of codes found on Public Repositories (e.g. GitHub, Gitlab ) or web forums (e.g. StackOverflow).

The use of open-source software has long been seen as a secure alternative as the code is available for review to everyone, and as a result, bugs and vulnerability should more easily be found and fixed. Multiple incidents related to the use of Open-source software (NPM, Gentoo, Homebrew) have shown that the greater security of open-source components turned out to be theoretical.

This research aims to highlight the root causes of major recent incidents related to open-source collaborative projects, as well as to propose a global open-source security framework that could address those issues.


Huub van Wieren <vanWieren.Huub=>>
37 - short
TCP-Prague evaluation

Low Latency Low Loss Scalable Throughput (L4S) [1] is a technology intended to reduce queue delay problems, ensuring low latency to Internet Protocol flows with a high throughput performance. The Linux TCP-Prague [2] is the reference implementation for the upcoming L4S Internet service. Other congestion controls that support L4S, such as Nokia’s RT-Prague, Google’s BBRv2, Ericsson’s SCReAM or Apple’s Prague implementation for QUIC and TCP are already available or will be released soon. The task of this project is to compare the performance of TCP-Prague against (some of) these congestion control implementations on at least one of the following criteria: (i) for steady state: fairness, RTT (in)dependence and convergence speed, and for dynamic behavior: fairness, responsiveness, and stability. Further fine-tuning of selected implementation will be performed to line-up the behavior of the congestion controls.

[1] B. Briscoe et al. Low Latency, Low Loss, Scalable Throughput (L4S) Internet Service: Architecture. Internet-Draft draft-ietf-tsvwg-l4s-arch-09. Work in Progress. Internet Engineering Task Force, March 2022.
Chrysa Papagianni <c.papagianni=>> unavailable
38 - short
Implementing Post-Quantum Cryptography in an open-source Certificate Authority

In this project, we will implement Post-Quantum Cryptography (PQC) in an open-source Certificate Authority (CA). The National Institute of Standards and Technology (NIST) in the United States has selected three final algorithms for the next generation of public-key encryption and digital signatures. Source code for these algorithms is readily available and implementing this in a certificate authority allows users to experiment with these algorithms in real-world applications.
Apostolos Fournaris <fournaris=>> and Francesco Regazzoni <f.regazzoni=>>
unavailable low
39 - short
Wi-Fi 7 (IEEE 802.11be): 4K QAM, MLO and OFDMA improvements

The next generation of Wi-Fi is the IEEE 802.11be standard, which is expected to have its final version by early 2024. The new standard, also called Wi-Fi 7, aims to bring improvements to achieve even higher throughput and lower latency than Wi-Fi 6/6E, such as the increase in the maximum modulation order to 4096-QAM (Quadrature Amplitude Modulation), MLO (Multi-Link Operation) and Enhanced OFDMA through preamble puncturing. In 2023 some pre-Wi-Fi 7 devices are already in the market. This project aims to evaluate the overall performance of some pre-Wi-Fi 7 access points supporting multiple radios using MLO and 4096-QAM. It will also contribute to create a framework for physical layer testing of IEEE 802.11be. The aim of the research project is to address the following questions:

1. Can we estimate and/or measure the necessary conditions to achieve 4k-QAM modulation (SNR, RSSI) and at what distance between the AP and client is 4k-QAM not achievable anymore?

2. How will MLO improve throughput and latency using different combinations (6+6 GHz, 6+5 GHz etc)?

3. Will preamble puncturing be able to sustain higher rates even when some RUs are affected by interference?For example, when a 160 MHz is impacted by interference on one of its 20 MHz channels, will it puncture those RUs only?

The research activities can be performed in the RF shielded room in Schiphol-Rijk. We have pre-Wi-Fi 7 access points, 10 GE clients, MATLAB licenses and a R&S Spectrum Analyzer capable to support 160 MHz
Vegt, Arjan van der <avdvegt=>>
unavailable low
65 - short
Advantages of having Sysmon enabled for incident response and forensics

Windows Event logs, enabled by default, may be the most important source of security data on Windows host for incident response. It has its limitations, such as missing events, events not containing important information, or the way it filters these events. This is where Sysmon comes in. Considered an add-on to Windows Event logs, it ensures more detailed information on process creation, network connections, and registry tampering, among others.


KPN is interested in the actual advantage of having Sysmon, and which events present themselves, during incident response and forensic investigations. Sysmon can result in death by data, because of the sheer amount being generated while using a non-tuned Sysmon configuration (an example of a tuned configuration is SwiftOnSecurity's sysmon-config). Besides this, detection rules (sigma) in SIEMs can be tailor-made to Sysmon events. Yamato Security states "you can only use around 10-20% of sigma detection rules with the default Windows audit settings.", while also stating Sysmon can add an additional 24% coverage.



*Literature study on how Sysmon complements Windows Event logs

*Hands-on reviewing Sysmon versus Windows Event Logs during forensic use cases

*If time allows, an advisory on a KPN sysmon-config
Anand Groenewegen <anand.groenewegen=>>
available medium
41 - short
Building an evil phone charging station.

In April 2023, multiple news articles got published stating, quote, "the FBI warns consumers not to use public phone charging stations". This lead to quite some interesting discussion online. With experts divided on the risks involved.
We would like to investigate the actual risks to modern phones in 2023. Some time can be spent on HID (mouse/keyboard) emulation and the impact of USB-Ethernet adapters and such with regards to phone security. However, the focus of this research proposal revolves around the feature that some smartphones have to mirror their display over HDMI.
* perform research on what kind of peripherals are supported on android and ios devices.
* build a setup that charges phones while mirroring the phone screen over HDMI (as discreetly as possible), making video captures in the process.
* Build an image recognition system that extracts the phone PIN and other passwords being entered along with as much other OSINT data as possible.
Stef Vandop <stef.vandop=>> and William Horne <william.horner=>>
unavailable medium
42 - short
Detecting DDoS attacks and reducing attack sizes incoming by applying effective traffic management using XDP, eBPF, iptables

In the complex world of cloud-native environments, organizations are increasingly facing threats from DDoS attacks, which can significantly impact their services and resources. Ensuring the resilience and stability of cloud-based infrastructure in the face of these attacks is critical. This research project aims to investigate the development of a cloud-oriented, open-source DDoS mitigation tool using XDP, eBPF, or iptables that can effectively detect and manage attack traffic in cloud-based infrastructure. The focus of the research will be on understanding the potential of technologies such as XDP, eBPF, and iptables in creating a solution capable of efficiently detecting TCP/UDP-based attacks and applying rate limiting or traffic shaping to mitigate their impact. The project will also explore strategies for accurately detecting incoming attacks while minimizing false positives and negatives, and ensuring compatibility with common
cloud technologies like VirtIO drivers.

By examining these aspects, the research can be a stepping stone for a new open-source project: development of a robust, cloud-focused DDoS mitigation tool that can be seamlessly integrated with various cloud environments, ensuring the protection and resilience of cloud-based infrastructure against DDoS attacks.

How can technologies such as XDP, eBPF, or iptables be utilized to create a cloud-oriented, open-source DDoS mitigation tool that efficiently detects TCP/UDP-based attacks and applies rate limiting or traffic shaping to mitigate their impact?

What strategies can be employed to accurately detect incoming attacks in cloud environments, while minimizing false positives and negatives?

How can this DDoS impact prevention tool be designed to be compatible with VirtIO drivers, commonly used in cloud providers, when and if employing XDP and/or eBPF technologies?

What challenges and limitations must be addressed when designing and implementing such a cloud-focused tool, and how can its performance be optimized
for various network environments and attack scenarios?
Diederik De Zee <>>
unavailable low
43 - short
Impact of latency on stateful databases replication

Geographical separation between availability zones introduces latency, which can significantly impact the performance and consistency of stateful database replication, such as (My/MariaDB/Galera, Percona, Postgre, TiDB)SQL Server replication. This research project aims to explore the effects of latency on stateful database replication across availability zones and identify ways that can be used to mitigate the impact of latency whilst also maintaining high availability standards, ensuring data consistency and optimal performance.

How does geographical separation and the resulting latency affect SQL Server replication performance and consistency in a multi-availability zone (geographical separated datacenters) deployment?
How can we mitigate the impact of latency on stateful database replication and ensure data consistency across availability zones?
Diederik De Zee <>> unavailable low
44 - short
Satellite constellation modelling for cyber security

Satellite constellations are becoming increasingly important since they can carry out missions that are not possible for single entities. The majority of the time, the entities communicate among themselves autonomously, due to lack of ground control stations in a specific area. Also, information can be sent through another member of the constellation to an available ground control station. This approach poses large cyber security risks which are not fully understood. Envision a scenario in which one satellite is compromised and starts to send out falsified data. How can the rest of the constellation know whether the entity is compromised? What actions need to be undertaken by the satellite constellation to not also compromise the mission goal?

For this assignment, agent-based modelling/simulation of satellite constellations is assessed in order to gain insight in satellite constellation operations affected by cyber events.

- Risk analysis of satellite constellations
- Insights into how to model cybersecurity in satellite constellations using agent-based modelling and similar approaches
- (optional) Development of a simulation environment which can be used to develop constellation infection detection algoritms 

Loeve, Wouter <> and Lie, Sonny <Sonny.Lie=>> available low
45 - short
Secureboot for satellites

The number of small satellites in space have increased drastically over the past few years. Small satellites can range from 50-200 kilograms, but even smaller, so called nanosatellites, with a mass of 1 to 10 kilograms have made their way into the space industry. CubeSats are a special type of nanosatellites and follow a standardized dimensions of 10 cm x 10 cm x 10 cm (1U). Typical sizes range from 1U to 12U.
Many of these nanosatellites are used in LEO missions. Commercial of the shelf (COTS) products such as processors and memory have become more popular in these nanosatellites, as it reduces cost and development time of the satellite.
This could lead to security vulnerabilities which are also present in (conventional) computer systems.

With cyber threats becoming more relevant in the space domain, more research is needed into how to secure the firmware of these devices. With recent advances and implementation of (hardware) root-of-trust methods like secureboot, the question arises whether this is development also should carry over to the satellite domain. Wolfboot is an open source secure bootloader which provides secure boot functionality. We would like to find out the benefits and vulnerabilities of this mechanism and how to make its implementation resistant to future developments in (post-quantum) cryptography.

The objective of the assignment is analyse firmware security on small satellites and develop a strategy on how to implement existing secureboot implementation in the space-domain. We consider the following results from this research project:
- Risk assessment of firmware security of small satellites
- Strategy or isnights into implementation of secure boot functionality on satellites
- (optional) Testbed with wolfboot

Loeve, Wouter <> and Lie, Sonny <Sonny.Lie=>>
unavailable low
46 - short
Payload isolation in satellites

The number of small satellites in space have increased drastically over the past few years. Small satellites can range from 50-200 kilograms, but even smaller, so called nanosatellites, with a mass of 1 to 10 kilograms have made their way into the space industry. CubeSats are a special type of nanosatellites and follow a standardized dimensions of 10 cm x 10 cm x 10 cm (1U). Typical sizes range from 1U to 12U.
Many of these nanosatellites are used in Low Earth Orbit (LEO) missions. Commercial of the shelf (COTS) products such as processors and memory have become more popular in these nanosatellites, as it reduces cost and development time of the satellite.
This could lead to security vulnerabilities which are also present in (conventional) computer systems.

Payload isolation is a critical aspect of satellite design and operation that aims to prevent interference between different payloads and ensure their reliable and secure operation. With the introduction of satellites-as-a-service architectures, in which a single satelite may host multiple payloads, payload isolation is becoming increasingly important. ESA's OPS-sat is a research satellite project which also can be emulated. It has already been shown that it is possible to hack the payload and put malicious files on the satellites' on-board computer. In this project, we would like to investigate payload isolation techniques on the OPS-sat platform and prevent the previously mentioned attacks.


Loeve, Wouter <> and Lie, Sonny <Sonny.Lie=>> unavailable low
47 - short
Efficacy of cloud-native sandboxing technologies in containing security threats

With the increasing reliance on cloud-native technologies, the efficacy of sandboxing solutions like gVisor, Kata Containers, and Nabla Containers in containing security threats and isolating resources has become critical. This research topic will explore the effectiveness of these cloud-native sandboxing technologies and analyze the trade-offs between performance, reliability, and security when using different sandboxing solutions in cloud-native environments.
How effective are cloud-native sandboxing technologies such as gVisor, Kata Containers, and Nabla Containers in containing security threats and isolating
What are the performance, reliability and security trade-offs when using different sandboxing technologies in a cloud-native environment?
Nathan Keyaerts <nathan.keyaerts=>> unavailable low
48 - short
Enhancing OS performance through Machine Learning-based resource allocation and task scheduling

Operating systems play a critical role in managing computer resources and facilitating the execution of tasks. Effective resource allocation and task scheduling are key factors in achieving optimal system performance. Traditional methods of resource allocation and task scheduling often rely on fixed algorithms, which may not adapt well to varying workloads and system requirements. Machine learning algorithms have the potential to improve these aspects by learning from system usage patterns and adapting their behaviour accordingly, potentially leading to enhanced system performance.

This project aims to investigate the integration of machine learning algorithms into operating systems for improved resource allocation and task scheduling. The focus will be on exploring various machine learning models, such as reinforcement learning, to determine their suitability for this application. The project will also evaluate the effectiveness of these algorithms in improving system performance under different workloads and system configurations.
Bart van Dongen <bart.van.dongen=>> available low
49 - short
Streamlining Kubernetes operators development and implementation for a simplified deployment/management of stateful applications and distributed systems

Kubernetes has become the de facto standard for container orchestration, providing a powerful platform for managing containerized applications. However, deploying, managing, and maintaining stateful applications and complex distributed systems within Kubernetes clusters can be challenging. Kubernetes Operators offer a solution to this problem by extending the Kubernetes API and automating operational tasks.

The goal of this project is to look into techniques for expediting the development and deployment of Kubernetes Operators in order to make the process of deploying, administering, and maintaining stateful applications and complex distributed systems within Kubernetes clusters easier. The emphasis will be on identifying best practises, tools, and frameworks that can aid in the creation and deployment of Operators, as well as on exploring novel approaches to automating operational chores and controlling application lifecycle.
Bart van Dongen <bart.van.dongen=>> unavailable low
50 - short
Leveraging advances in containerization and virtualization technologies for efficient and secure operating systems

Technologies like virtualization and containerization have revolutionized how software is created, delivered, and managed. These technologies make it possible to separate and encapsulate applications from the underlying infrastructure, increasing productivity, scalability, and security. Exploring how improvements in containerization and virtualization might aid in the creation of thin and secure operating systems is becoming more and more popular as the need for such systems grows.

The goal of this project is to look into how advancements in containerization and virtualization technologies affect the design and development of more efficient, lightweight, and secure operating systems. The emphasis will be on identifying major advantages of virtualisation techniques in these areas and assessing their potential for improving OS performance, resource utilisation, and security features. Furthermore, the project will investigate novel approaches to incorporating containerization and virtualization technologies into operating system design.
Bart van Dongen <bart.van.dongen=>> available low
51 - short
Evading techniques for eBPF malware

eBPF has the potential to rewrite network packets, as well as attach to kernel space (kprobe) and userspace (uprobe) functions, and write to (writeable) userspace memory. Given these powers, eBPF may in theory be used to make certain files appear non-existent, or make network packets disappear. It can also detect attempts to perform certain actions and log them.

Therefore, it is able to hook on the very specific calls that are used to detect the presence of the eBPF code and change the returned information to hide its presence. This means that the malware can easily evade detection.
Which techniques can be effectively used to achieve this invisibility in diverse scenarios ?
And how can we circumvent these techniques to still be able to detect its presence ?
 Greg Charitonos <greg.charitonos=>> available high
52 - short
Post-Mortem detection of eBPF attacks

Previous RP1 research (#29 - eBPF forensic tools) has shown that it is possible to detect the presence of eBPF code as it runs in the kernel. However, the limitation is that the code has to still be present to be detectable. Would it be possible to expand this detection period and achieve a detection in a post-mortem situation, through artefacts left on the system ?
Greg Charitonos <greg.charitonos=>> available low
53 - short
eBPF Matrix

eBPF has the potential to rewrite network packets, as well as attach to kernel space (kprobe) and userspace (uprobe) functions, and write to (writeable) userspace memory. Given these powers, eBPF may in theory be used to sandbox a userspace application. E.g. by modifying syscalls to make certain files appear non-existent, or network packets to simulate responses. It can also detect attempts to perform certain actions and log them. This can be useful for defence scenarios (sandboxing), incident response, and reverse engineering (malware analysis). Investigate the use of eBPF for creating a "Matrix" environment that could thwart malicious executables. Compare that against existing defence and reverse engineering techniques. Does eBPF provide a solid benefit in any of these scenarios? How does it compare to other hooking techniques (ptrace, Frida, etc)?
Starting point:
Greg Charitonos <greg.charitonos=>> unavailable low
54 - short
Securing serverless applications in a multi-cloud environment

As serverless architectures gain traction in cloud-native environments, ensuring the security of serverless applications has become crucial. The research project aims to investigate the unique security challenges posed by serverless applications in multi-cloud environments and explore strategies and best practices for securing these applications.

What are the unique security challenges associated with serverless applications in a multi-cloud environment, and how can organizations address them?
How can technologies, such as Secure Serverless Framework, be used to secure serverless applications in a multi-cloud environment?
What strategies can be employed to ensure the security of serverless applications in a multi-cloud environment?
How can organizations continuously monitor and assess the security posture of their serverless applications in a multi-cloud environment, and what are the
challenges in adopting these practices?
What is a proper framework or testing mechanism for security scanning and/or pen testing serverless deployments?
Diederik De Zee <>> unavailable low
55 - short
Collaborative Edge-Cloud Computing for Efficient Resource Utilization

Edge computing reduces latency and increases data privacy by bringing computation closer to the data source. In contrast to cloud servers, edge devices frequently have constrained resource availability. The effectiveness and performance of applications can be greatly enhanced by balancing the resource use between edge and cloud computing. Achieving this balance depends on knowing how edge and cloud computing resources may work together to serve varied application requirements. The goal of this project is to investigate a cooperative edge-cloud computing system that meets application requirements while effectively utilizing resources. The proposed architecture would use Kubernetes to offload workloads between edge and cloud environments while taking into account variables like computing requirements, existing edge workloads, and other pertinent criteria. To reduce latency, reduce energy use, and ensure application performance, the main goal is to balance edge and cloud computing optimally.
Nathan Keyaerts <nathan.keyaerts=>> unavailable low
56 - short
Leveraging eBPF for Building Advanced and Effective Honeypots

Honeypots have long been a crucial tool in cybersecurity research and defense, providing insightful data regarding the actions and strategies of attackers. However, conventional honeypots may lose their ability to trick attackers as those become more skilled. A feature of the Linux kernel called eBPF enables flexible and effective packet filtering as well as improved kernel-level observability. The goal is to investigate how eBPF might be used to create sophisticated honeypots that are better at attracting and capturing attackers. This research is inspired by the finding of a previous OS3 research project. (#14 - eBPF based Malware)
Greg Charitonos <greg.charitonos=>> unavailable medium
57 - short
Identify and prevent lateral movement Kubernetes environments running in the public cloud

After acquiring initial access, cyberattackers can travel laterally to explore a network in search of useful information or to try to infiltrate further systems. Due to their complexity and dynamic nature, Kubernetes environments, particularly those running in public clouds, are vulnerable to such attacks. To reduce the effect of cyber threats, such as ransomware attacks, and safeguard sensitive data and systems, it is essential to recognize and stop lateral movement. In the public cloud-based Kubernetes environments, this project will attempt to create a method for detecting and inhibiting lateral movement through network segmentation, access control rules, and real-time alerting systems.
Nathan Keyaerts <nathan.keyaerts=>> available low
58 - short
Proactive incident detection in Kubernetes clusters

Due to its scalability, flexibility, and robustness, Kubernetes has emerged as a popular platform for orchestrating containerized applications. However, it can be difficult to identify and diagnose issues before they lead to performance degradation or system failures. This is due to the complexity of Kubernetes environments and the dynamic nature of containerized applications. In these contexts, traditional monitoring systems would not be able to foresee or detect problems in real time.

This study aims to investigate proactive problem detection techniques in Kubernetes clusters, with a particular emphasis on approaches that can spot possible problems before they develop into serious failures or performance bottlenecks. The project intends to develop solutions that improve the resilience and dependability of Kubernetes-based systems, assuring smooth and effective operation, by examining cutting-edge monitoring, analytics, and machine learning technologies.
Nathan Keyaerts <nathan.keyaerts=>> available low
59 - short
Research into operational AI/ML models for the SURF network

SURF is investigating the possibility of leveraging AI and ML algorithms in the operations of its network. As part of this work we are attempting to create a realistic model of a node on the network, but also of the network as a whole. As part of an RP the student should investigate how SURF can create a model of the network. During this research the Student could start with a PCA or T-SNE of all metrics that describe the network. From the results of that analysis the student could start building the layers of the model. Furthermore the results would help us understand what inputs can be used to best describe the behaviour of our network.
Peter Boers <peter.boers=>> unavailable low
60 - short
Investigating notification efforts and effectiveness around coordinated vulnerability disclosure at scale

Coordinated Vulnerability Disclosure is complicated. Individual professionals and research institutes alike employ notification approaches to contact responsible parties about vulnerabilities in their systems. With the introduction of laws around CVD, the process is made more legally safe for researchers. However, research institutes performing CVD on a large scale experience multiple challenges that all relate to a larger (sociotechnical) issue. The sheer volume of data that is processed causes the consumers of this data to limit or even avoid intake of this data and (sociotechnical) systems to misidentify traditional notification efforts over email as malicious. Additionally, bottlenecks in the process caused by the scale of the disclosure induce delays. These observations combined limit the impact of notification campaigns as notifications are either ignored or lost in filtering. This calls for a specialized approach to information sharing about vulnerabilities on a larger scale supported by both practice and theory, which is what this study aims to distill.
Ralph Horn <r.horn=>>
Jaap van Ginkel <jaap.vanginkel=>>
unavailable low
61 - short
Security evaluation of MPC generated root CA certificates

The private key used in CA signing operations is highly confidential and often stored in a hardware security module. Thet key is sharded and distributed among different custodians.
The process of creating sub-CA’s or signing CRL’s with the root key requires all custodians to come together in a single location, which can be a time-consuming process.
Can multi-party-computation be used to make this process more efficient and do on-demand signing without physically bringing the different shards together- and how does this compare to the traditional process?

<RPielage=>> unavailable low
62 - short
Understanding and AddressingSupply Chain Vulnerabilities in Automated Application Builds using CI/CD

Danger that could come up during the software development process is the possibility of malicious code being added during the building process without the developers' or security teams' knowledge. The malicious code is embedded in the cryptographic hash, which is used to check the software product's integrity and is calculated immediately after the CI/CD pipeline has completed the product assembly. Due to the attackers' ability to alter the integrity verification process, supply chain attacks on software products may become much harder to identify and prevent. Research have looked at previous attacks in great detail, but it is less common for studies to prove new prospective attacks. However, doing this is advantageous since it introduces defensive mechanisms that decrease the attack surface and recommended practices. The research goal is to look into ways to tamper with the (automated) software development process. To find weaknesses, threats, and evasive tactics that attackers can employ to add malicious code and initiate a supply chain attack are investigated. The findings will provide mitigation recommendations for organizations.

Pieter Ceelen and Cedric van Bockhaven

available high
63 - short

Supervisor unavailable low
64 - short
Cloud based Incident Response

Organizations move more and more to cloud services, this resulted in a 48% increase in cloud-based cyber attacks in 2022. Moving to the cloud also changed the attack surface for attackers. Those new
techniques require different methods for defenders, the indicators of compromise are stored in different locations and might not be accessible. The security community provides multiple community-based standardized detection frameworks that can be translated into Security Incident and Event Management (SIEM) rules. The two most commonly known standardized solutions are Sigma and Yara. Sigma provides standardized detections to detect malicious processes in log data.
Yara is a similar solution, the difference is that Yara focuses on files and the signatures that files have. This research will investigate the value that community-based detection frameworks can
Korstiaan Stam (Invictus Incident Response)
Vincent Breider <vincent=>>
unavailable low
40 - short

The plan is to conduct research into the security implications of using Server Message Block protocol (SMB), a well-known file sharing protocol, over QUIC in a (corporate) network environment. The focus is on offensive possibilities offered by the implementation, in a red teaming context.
The goal of this project is to analyse the network and host-based visibility of Microsoft’s implementation. If time allows, an additional goal of this project is to research (and possible develop a PoC of) an implementation of SMB over QUIC as a communications channel for malware implants.

Cedric van Bockhaven <info=>>

unavailable low
66 - short
A Comparative Analysis of Routing Policies in BGP and SCION

Scalability Control and Isolation in Next-Generation Networks (SCION) is an emerging technology that has the potential to address many of the challenges of the current Internet. It is being developed with a focus on improving scalability, security, and isolation, which are critical areas where the current Internet architecture faces limitations.

Compared to the current Border Gateway Protocol (BGP) based Internet, SCION introduces a different routing architecture where the source has control over the end-to-end path. Routing in SCION follows a decentralized hierarchical model that introduces the concepts of Isolation Domains (ISDs) and Autonomous Systems (ASes), and separating the control plane from the data plane. The routing concept in SCION has two levels, intra-ISD and inter-ISD, and the path creation differs between them.

Within the current BGP-based Internet routing policies are used to influence the path selection process, an organization conveys their routing policy per their BGP Autonomous System. Within BGP, path selection criteria are often opaque and based on local decisions, this leads to suboptimal routing and limits support for multipath routing. As for SCION the path selection mechanism is transparent, and it can use explicit path selection attributes, for example: latency, bandwidth, and trustworthiness. Additionally, SCION supports multipath routing, load-balancing, and leverages cryptography extensively to ensure integrity, authenticity, and confidentiality.

The goal of this research is to compare common routing policies implemented by Internet Service Providers (ISPs) in the current BGP-based Internet to how these could be implemented within the SCION architecture. Specifically, this research aims to determine whether current BGP routing policies would be desirable in SCION or if a different approach is needed to ensure optimal routing in this new architecture. The primary goal is to investigate and evaluate how these distinct routing policies address the challenges associated with scalability and isolation in network communication. The research examines the applicability and usability of common routing policies implemented in BGP and SCION, highlighting the advantages and disadvantages of these policies, including the differences that may exist between intra- and inter-ISD paths in SCION.

The research comprises a theoretical analysis of common current BGP-based routing policies implemented by ISPs, a comparison with regards to implementing these routing policies in SCION, and practical experiments of implementing these SCION routing policies using the SCION testbed provided by SURF. Additionally, the research examines differences in the effects of these policies in both BGP and SCION architectures.

1. Laurent Chuat et al. The Complete Guide to SCION: From Design Principles to Formal Verification. en. Information Security and Cryptography
2. Corine de Kater, Nicola Rustignoli, and Aian Perrig. SCION Overview. draft-dekater-panrg-scion-overview-03. Mar. 2023. URL:
Marijke Kaat
Ralph Koning
unavailable low
67 - short
Using Detection frameworks in cloud based Incident Response

Organizations move more and more to cloud services, this resulted in a 48% increase in cloud-based cyber attacks in 2022. Moving to the cloud also changed the attack surface for attackers. Those new
techniques require different methods for defenders, the indicators of compromise are stored in different locations and might not be accessible. The security community provides multiple community-based standardized detection frameworks that can be translated into Security Incident and Event Management (SIEM) rules. The two most commonly known standardized solutions are Sigma and Yara. Sigma provides standardized detections to detect malicious processes in log data.
Yara is a similar solution, the difference is that Yara focuses on files and the signatures that files have. This research will investigate the value that community-based detection frameworks can
bring to incident response cases.
Korstiaan  <korstiaan=>>
Vincent <vincent=>>
unavailable low
68 - short
Performing CPA on the implementation of Dilithium in Cortex-M3

Side Channel Analysis (SCA) is a passive hardware attack that exploits the
physical leakage of a device, used to break the implementation of an encryption
scheme. For this research, we would like to focus on the physical leakage in the
polynomial multiplication of post-quantum algorithms with correlation power
analysis (CPA). Dilithium is a post-quantum digital signature algorithm that
was one of the selected algorithms in the post-quantum cryptography competi-
tion hosted by the United States’ National Institute of Standards and Tech-
nology (NIST) in 2022 [5]. As it is selected to be standardised, some im-
plementations have already been made. Greconici et al. [3] have created an
implementation for the Cortex-M3 and Cortex-M4 cores.
The papers of Chen et al. [1] and Fournaris et al. [2] both researched the
exploitation of the Dilithium algorithm using a non-profiled side-channel attack,
the correlation power attack (CPA). Both algorithms were implemented on the
Cortex-M4. Our research will look into the leakage traces of the Cortex-M3.
While the Cortex-M4 and Cortex-M3 cores are similar, the main difference is
that the Cortex-M4 core supports Digital Signal Processing, whereas the Cortex-
M3 does not have this capability. This will make the Cortex-M3 slower in Fast
Fourier Transform (FFT) running compared to the Cortex-M4.

1. Creating a basic mathematical knowledge of the inner workings of Dilithium.
2. Implement the Dilithium algorithm on Cortex-M3 according to the paper
of Greconici et al. [3].
3. Perform SCA on the Cortex-M3 implementation of Dilithium.

Our main question is the following: “How does the Correlation Power Analysis
affect the Dilithium algorithm on the Cortex-M3?”

To answer this question we have created the following subquestions:
1. Which phases in the Dilithium implementation on the Cortex-M3 core
create leakages?
2. What data can be deduced from the SCA?
3. How does the SCA on the Cortex-M3 differ from the Cortex-M4 described
in Chen et al. [1]?
4. How can we mitigate this type of attack?

[1] Zhaohui Chen et al. “An efficient non-profiled side-channel attack on the
CRYSTALS-Dilithium post-quantum signature”. In: 2021 IEEE 39th In-
ternational Conference on Computer Design (ICCD). IEEE. 2021, pp. 583–
[2] Apostolos P Fournaris, Charis Dimopoulos, and Odysseas Koufopavlou.
“Profiling dilithium digital signature traces for correlation differential side
channel attacks”. In: Embedded Computer Systems: Architectures, Model-
ing, and Simulation: 20th International Conference, SAMOS 2020, Samos,
Greece, July 5–9, 2020, Proceedings. Springer. 2020, pp. 281–294.
[3] Denisa OC Greconici, Matthias J Kannwischer, and Amber Sprenkels.
“Compact dilithium implementations on Cortex-M3 and Cortex-M4”. In:
IACR Transactions on Cryptographic Hardware and Embedded Systems
(2021), pp. 1–24.
[4] Vincent Migliore et al. “Masking Dilithium: efficient implementation and
side-channel evaluation”. In: Applied Cryptography and Network Security:
17th International Conference, ACNS 2019, Bogota, Colombia, June 5–7,
2019, Proceedings 17. Springer. 2019, pp. 344–362.
[5] National Institute of Standards and Technology. Post-Quantum Cryptog-
raphy: Selected Algorithms 2022. 2022. url:
Supervisor available low
69 - short
Meta heuristics on the signal processing pipeline for Side Channel Analysis

During side channel analysis the evaluator faces the choice between multiple components
for the signal processing pipeline such as denoising, dimensionality reduction and classification.
These decisions influence significantly the viability of the evaluation. However, exhaustive search
is often not possible due to a combinatorial explosion. Therefore, the goal of this project is to
identify, implement and evaluate hyper parameter optimization algorithms that can be used for tunning
a side channel analysis pipeline. Additionally, the project aims at the creation of an extensible
automation framework that is meant to improve reproducibility and decrease the evaluator's effort in
pipeline definition.

Kostas Papagiannopoulos <k.papagiannopoulos=>> unavailable low
70 - short
Does the oscillation protection mechanism of a hard disk drive provide enough vibration data to recover low-quality, audible voice data from their physical environment?

In 2014, Michalevsky et al. researched the ability to use pattern recognition to recover voice data from very low-quality oscillation signals. In 2017, Ortega revealed at a conference that hard disks can function as basic gyrophone using their oscillation protection feature. In 2018, Bolton et al. discussed this demonstration in a paper. However, up until now, no scientific research has been carried out to show if it is possible to use this behavior to recover low-quality voice data. We would like to see someone researching this question. If there is enough time and the student has the ability to do it: a proof of concept would be a "nice-to-have", but this is not a requirement.
mslik <Maarten.vanderSlik=>> available low
71 - short
Segmentation and Security in Virtual Networks

As security experts find themselves in an increasingly exhausting arms race with adaptive and inventive attackers, automation efforts are looking towards tried and tested paradigms that evolved to deal with similarly complex scenarios; biological immune systems must contend with an effectively infinite range of attackers, yet they have proven sufficiently resilient for the continued existence of macroscopic life. Modeling automated security responses along this paradigm, work is already underway on both solutions that parallel the functionality of the immediate autoimmune response in the form of automated security response research [2], and the adaptive immune system as seen in self-learning adaptive networks [1]. However, while cutting edge advancements will improve the resilience of those with the funds and knowledge to operate and train self-learning security systems, to protect those with fewer resources, it may be valuable to look for a parallel to herd immunity, whereby the success of effective immune systems is leveraged to protect weaker members of the herd. One such potential solution involves taking the concepts of networks as a software construct (virtual networks) [3] overlaid across the internet as a whole, which then support MultiDomain, overlapping, nested SARNETs. The flexibility and level of control of virtual networks allows them to be logically constructed according to a nested n-dimensional matrix, where each axis represents relevant network properties such as administrative, judicial, trust, geographic, service, or criticality distinctiveness. As SARNETs learn and develop attack mitigations, they can then effectively
disseminate these within peered domains. This research intends to perform an initial analysis of this solution by answering the following questions:

1. How do the choice of segmentation dimensions and level of nesting affect the ability of SARNETs to effectively block remote at tackers with limited collateral impact?
2. How do the choice of segmentation di mensions and level of nesting affect the ability of SARNETs to propagate attack mitigations across trusted peer networks?

[1] Ralph Koning et al. Automating network security. 2020.
[2] Roy van Leeuwen. “Cyber-Attack Containment through Actionable Awareness”.
[3] Makkes, M.X. et al. “Virtual internets”. PhD thesis. url: https : / / dare.uva .nl/personal/pure/en/publications/ virtual - internets(5b8f5d4d - 1d37 -48a3-ae3a-1c938377f95f).html
Bart Gijsen <bart.gijsen=>> unavailable low
72 - short

When a powerful enough quantum computer is built, DNSSEC signatures can be forged. To prevent forged signatures, post-quantum signatures should be implemented into DNSSEC. As all post-quantum signature schemes that are currently going to be standardized have public key sizes or signature sizes that are larger than what would be ideal for DNSSEC[1], research is necessary to evaluate the usability of new post-quantum signature schemes. SQISign is a new post-quantum digital signature scheme with smaller public keys and signatures than existing post-quantum signature schemes, signing time is however rather long.

Main question: How suitable is SQISign for DNSSEC?

To answer this question the following sub-questions will be answered:

Which signing speed is necessary for DNSSEC?
What is the impact of using SQISign in DNSSEC?
How can SQISign be implemented into existing software?

Roland van Rijswijk-Deij >r.m.vanrijswijk=>>;  Joeri de Ruiter <> unavailable low
73 - short
Cloud native IR automation

Organizations are moving to the cloud, some organizations go for a hybrid setup and some
go full cloud. From an incident response perspective the cloud offers some great possibilities
(and challenges). For this research we are looking for one or more students that want to continue researching Amazon AWS Incident Response in the cloud using cloud native solutions. The previous research group developed (Invictus-AWS), which is a tool that automatically enumerates configuration/logging from an AWS environment. The next step is using the acquired data for forensic analysis purposes using cloud-native solutions (e.g. Amazon Athena)
Korstiaan Stam <korstiaan=>> available low
72 - short
The Ransomware problem

In the past years Ransomware has been one of the leading causes of disruption for organizations and billions of damages all around the world. There is no easy fix for ransomware, but from an incident response perspective there are shortcuts we can take to identify an (ongoing) ransomware attack. This is due to the fact that a lot of the ransomware groups go through the same techniques, tactics and procedures (TTPs). In this research one or more students will analyze available reporting on ransomware attacks to identify most commonly used TTPs using a combination of quantitative and qualitative research. Ultimately the goal is to come up with ways to prevent ransomware from entering your environment and to detect (ongoing) ransomware attacks earlier in the attack chain.
Korstiaan Stam <korstiaan=>> available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low
XX - short

Supervisor available low