CSE 227: Computer Security


The goal of this class is to expose you to computer security research, and the best way to learn about computer security research is to do it. In this class, you will undertake your own research project, which you will present at the end of the course.

Groups must consist of 4 or 5 people. You may come up with your own project or you may choose from one of the project ideas below.

Inportant dates

  • Jan 15: Form project groups.
  • Jan 29 (8 am): Submit project proposal (1 page max).
  • Mar 17 (8 am): Preset project (15 mins).
  • Mar 19 (9 pm): Submit Project report (6 pages max).

Project proposal

Your project proposal should describe what you plan to do, why it is interesting, how you plan to do it, and what you are not sure about. Also describe what resources you think you will need to carry out the project. The proposal should be no longer than one page.

Project report

Your report should be written like a research paper on par with the papers read in class. The report should be no longer than 6 pages.

Project ideas

  • Sound and Vision
    • Video-conferencing filter that obscures identity but looks natural (autotune for faces)
    • Identifying individuals in crowd scenes via non-traditional cues (e.g. bad of the head recognition)
    • Watermarking 3D models
    • Meaningful visualization of security data (e.g., spam, net, etc.)
    • Seeing through privacy glass or 3M privacy screens?
    • Fingerprint capture at a distance via live video
    • Automated mapping of spy satellites
    • Skype keystroke capture (side channel) and cancellation (privacy protection)
  • Privacy
    • How well can you reconstruct Web logs from Netflow data?
    • Study of exploitable PII exposure on flickr, myspace, etc (e.g. credit cards, check routing numbers, SSNs, name/address)
    • Check which sites you’ve visited recently via DNS lookup timing (was entry in cache?)
    • Build a Flash “scrubber” that integrates with Tor to prevent flash-based information leakage
    • Privacy analysis of Chatroulette (i.e., can you tell who these people are?)
    • Tie FAA flight database with network log data to infer which users are travelling and where they came from
    • What does your TiVo box know about you?
  • Malware
    • Build system to identify the kinds of information being targeted by different kinds of malware
    • Evaluate time-to-detect for commercial malware
    • Build IDA plug-in to locate particular “kind” of code in binary (e.g., AES code, CRC code, etc.)
  • Spam and E-Crime
    • Relate use of domain names in various scams to price of domain offered by registrar
  • Machine Learning
    • Predict which code changes will produce software vulnerabilities
    • Repeat Ma’s on-line URL classification study using Web page content
    • Apply receiver-reputation idea to Web visits (reputation of sites depends on who visits them)
    • Can we predict which Torrents are malicious?
  • Vulnerabilities
    • Measurement study of code pointers in memory
    • Measurement of compiler-based defense use in popular Linux distributions
  • Miscellaneous
    • Detection of Bots in MMPORGs
    • Automation for “attack surface” estimation
    • Analysis of Taser authentication
    • Fuzz testing of embedded devices (e.g. Cameras)
    • Location verification via “audio-print” (indeed, any way of proving location)
    • Analysis of on-line poker (fair deal or not?)
    • AppEngine Cartography (repeat Amazon study on AppEngine)
    • Hardware support for self-destructing data
    • Detecting pirated hardware IP (e.g., mp3 or PCI blocks) via unique side-effects
    • Security analysis of campus power grid
    • Security vulnerabilities the Kindle?
    • Repeat Ozment/Schechter’s Milk/Wine study on vulnerability generation w/another system
    • Evaluate how people respond to different kinds of warning messages
    • Are there vulnerabilities in Digital FM radio?
    • Identify “anomalous” file contents to mitigate file format vulnerabilities (esp Flash, QuickTime and PDF)
    • Attacks against smart batteries (drain beyond ability to recharge or make explode)
    • Driver detection (infer identity of driver via driving behavior)
    • Build a JavaScript or Flash reference monitor
    • Explore use of differential privacy to protect data for interesting network or security trace analysis problem (e.g., pick any of George Varghese’s recent papers and see if it can be done with DP)
    • Build an interactive biometric system (e.g., proof of presence via eye-tracking) to prevent simple replay attacks
    • Design a CAPTCHA that is difficult to outsource to low minimum-wage solvers
    • SMART disks will move data from failing sectors to spare sectors. Consequently the data on these failing sectors may not be erased when the associated data is erased. Explore if this actually happens and the correct way to erase a disk
    • Analyze data breach incidents (sources: datalossdb.org, CA DoJ, Privacy Rights Clearinghouse)