Below is a list of project ideas. You can also find a long list of projects in previous runs of CSE 291 and CSE 227. And, of course, you are welcome to come up with your own ideas.
- Can we solve :visited once and for all? How much of the Web will we break if we want to have a same-origin policy for history?
- Revisit browser private modes and evaluate tracking protection mechanisms in modern browsers (e.g., Firefox and Brave).
- Evaluate the effectiveness of Spectre-like timing attacks in deployed, noisy systems.
- Evaluate the security guarantees of out-of-browser HTTP clients (e.g., wget, cURL, and Node.js' HTTP client) especially when compared to modern browser security. Are libraries and applications handling security exceptions (e.g., redirects to HTTP) securely?
- Identify whether implicitly-shared state in modern browsers can be used to fingerprint users, leak browsing history, etc.
- Evaluate Site Isolation and Cross-Origin Read Blocking implementations.
- Evaluate the effectiveness of DeterFox.
- Implement a boring, secure-by-construction Web framework (e.g., by fleshing out Frankie).
- Revisit binding bugs in Node.js and find bugs in third-party code (the NPM ecosystem).
- Evaluate whether Rust unsafe code in the wild is actually unsafe.
- Are Rust crypto implementations constant-time? Explore a macro-based approach to generating constant-time code (much like FaCT).
- Extend Rocket with security enforcement.
- Extend our robust-library sandboxing framework to Rust.
- Does WebAssembly make it easier to address memory and type safety for legacy, unsafe applications?
- Build a secure package manager, potentially using ML or PL techniques to identify malicious install-time behavior.
- Can we sandbox Haskell install-time and compile-time code? (See this for motivation.)
- Measure the effectiveness of off-the-shelf sandboxes (e.g., FireJail) and their policies.
- Extend the Johnny-Five IoT platform with a safety- and security-enforcement layer.
- Evaluate the security guarantees of an existing IoT or CPS device. For example, OpenThings, August lock, Dexcom CGM, or Medtronic insulin pump.
- Evaluate the security of building systems or critical city infrastructure.
- Evaluate the security of vehicle-to-vehicle protocols.