This page presents challenges for the Mobile Systems Security (MSS) course. These challenges involve programming and represent one day of work on average. They contain mandatory and optional tasks. Successfully realizing the mandatory tasks is sufficient for a challenge to be completed. The purpose of these challenges is two fold:
- If you get a perfect grade for MSS assignments and complete at least 2 of the following challenges, you will get a letter from Professor Asokan stating your outstanding achievements in the MSS course.
- Each challenge belong to different research topics we are currently working on in the Secure Systems research group. These topics are indicated by the colored labels located under each challenge (e.g. PLATSEC). By completing challenges associated with a specific research topic, you may be considered for realizing a special assignment or a MSc thesis with our group. All currently available topics for MSc thesis and special assignments can be consulted here. Each of them is also associated with one or several research topics. If you are interested in one of these master thesis or special assignments, we invite you to complete the challenge(s) corresponding to the same research topic. Also, if you complete any challenge and find it interesting, please consult our research topics page to see if you are interested in any of the available ones. We recommend to attempt solving all tasks of a given challenge to be considered for getting a research topic.
Challenge 1: Improving the security of one-time passwords with (Open-)TEE (L4)
One-Time Passwords (OTP) are often used often as a second authentication factor to strengthen user authentication. OTP schemes typically require a user to enter a short single-use code at the time of authentication. The code is usually generated by a local application (e.g., on the user's smartphone) which shares a secret key with the authentication server. The shared secret key is agreed upon ahead of time between the server and the local application. Thereafter, whenever the user needs to authenticate to the server, he can generate a one-time code using the local application. Standard schemes for generating one-time codes include HOTP  and TOTP . Usually the local application stores the shared secret key on its local storage, where it may be vulnerable to malware. One way to harden the security of such applications is to separate the security-sensitive parts of the application into a "Trusted Application" (TA) that can run within a Trusted Execution Environment (TEE).
Open-TEE  provides a 'virtual TEE' that is compliant with the GlobalPlatform TEE specifications  and can be used to develop realistic TAs in a regular GNU/Linux environment.
Objective: The objective of this challenge design and implement a One-Time Password scheme using Open-TEE and the GlobalPlatform TEE APIs. Completing tasks 1&2 is sufficient to validate this challenge. Task 3 is optional.
* Open-TEE (source code and documentation is available on the project's homepage at https://open-tee.github.io/)
* Repository with OTP library (
libotp) and TA skeleton
- Develop a Trusted Application that generates one-time passwords for HOTP and/or TOTP (your choice) using Open-TEE and ensures that the plaintext shared secret key remains within the TA during operation. Implement a Client Application (CA) that exercises the OTP functionality you've implemented.
- Extend your TA to allow the shared secret to be provisioned to the TA in a manner in which the plaintext shared secret key is never available to the CA. Implement an authentication server that validates generated one-time codes and that allows the shared secret to be transmitted securely to the TA.
Note: Please implement your solution to tasks 1 & 2 using a regular GNU/Linux environment. You may base your solution to the challenge on the OTP API provided as part of the supplementary material. The API accomodates different designs, so please document the design choices you make *clearly* in a README file included in your solution together with usage instructions for the CA and authentication server. The authentication server may communicate with the CA in any manner you see fit.
- Port your solution to Android by providing JNI for
libotpand implement the CA as an Android application.
Note that Open-TEE is currently only supported on Android Lollipop (v5.0.x - v5.1).
 IETF RFC4226, HOTP: An HMAC-Based One-Time Password Algorithm https://tools.ietf.org/html/rfc4226
 IETF RFC6238, TOTP: Time-Based One-Time Password Algorithm https://tools.ietf.org/html/rfc6238
 Open-TEE https://open-tee.github.io/
 GlobalPlatform Device Specifications https://www.globalplatform.org/specificationsdevice.asp
Challenge 2: SGX (L4)
Intel SGX is one implementation of Trusted Execution Environments. In this challenge it is required to build an application using SGX SDK. The idea of the application is simple: it should contain an enclave that generates a key and performs signing of input data. Additionally, it should be able to share the signing key with another application. The sharing should be done by establishing a secure channel between the two enclaves and then sending the key over this channel. It is not allowed to share the key by sealing it to MRSIGNER and unsealing it in the second enclave.
Objective: Get hands-on experience with Intel SGX SDK by implementing a simple application. Completing tasks 1&2 is sufficient to validate this challenge. Task 3 is optional.
- Repository with skeleton code.
- Install SGX SDK. Download the project from the repository. It contains Makefile where you need to specify the location of the SDK. Then it can be compiled. Implement an enclave that generates an EC key at startup. Use this key to generate a signature of the user input data. You don't need to implement the crypto algorithms. Use the SGX SDK crypto library for cryptographic operations. Seal the key, shutdown the enclave and start it again. When re-starting the enclave load the key from the sealed data.
- Implement another enclave that securely communicates (performs local attestation) with the first one. The first enclave should contain the measurement of the second one and only continue the communication session if the measurement obtained in the local attestation process matches with the hard-coded value. When the first enclave verified that it is contacted by a legitimate enclave it should send the key. Optional: the second enclave should seal the key to be able to unseal it when after its restart. The sealing should be done with MRENCLAVE derived sealing key.
- Assume that only one of the two enclaves should be allowed to use the key at any given time. That is: after obtaining the key from the first enclave it should be usable only by the second one. Implement the functionality of sending the key back to the first one and the locking mechanism that prevents two enclaves from using the same key. I.e. after sending the key to the second enclave, the first enclave should erase it. The second enclave should do the same if the key is sent back.
 SGX SDK
 Innovative Technology for CPU Based Attestation and Sealing
 Sample enclave tutorial
Contact: If you are interested in this challenge send an email to Arseny Kurnikov lachlan.gunn(at)aalto.fi
Challenge 3: Machine Learning (L8)
ML & SEC
Objective: The goal is to evaluate the applicability of a image completion technique for use in automotive scenarios. Completing tasks 1&2 is sufficient to validate this challenge. Task 3 is optional.
- A Ubuntu virtual machine with all required packages to perform the tasks.
- part1.zip containing the training data for this challenge (source KITTI road evalution benchmark )
- part2.zip containing the test data for this challenge (source KITTI road evalution benchmark )
- part3.zip containing MultiNet (KittiSeg) – a neural network-based road segmenter on Tensorflow 
- part4,zip containing an implementation of image completion using GANs (currently )
- part5.zip containing helper files (e.g. resizing images using openCV)
- Run the original training data images on the KittiSeg classifier (part3.zip). Choose the unmarked road benchmark. Discuss where the classifier makes mistakes. Report the performance metrics for the system.
- Train the GAN-based reconstruction algorithm (part4.zip) to complete training images (part1.zip) where the centermost 100x100 region has been removed (runtime about 3 hours). Qualitatively compare the reconstructions to the original images. Discuss how an adversary could misuse mistakes done by the reconstruction.
- Use the GAN-based algorithm to create reconstructions for the test data images (part2.zip). Resize the reconstructed test images using the helper files (part5.zip) and your own scripts and feed these through the KittiSeg classifier (part3.zip). Use same settings as in step 1. Report the performance metrics and where the system makes mistakes. Discuss how realistic is it to use such a system on autonomous vehicles or a drone.
 KITTI Road evaluation. http://www.cvlibs.net/datasets/kitti/eval_road.php
 MultiNet (KittiSeg), currently #22 on the https://github.com/MarvinTeichmann/KittiSeg#kittiseg
Challenge 4: IoT Security & Machine Learning (L8 & L9)
ML & SEC
Objective: The goal of this challenge is to build a classification system able to distinguish several IoT devices by analyzing their communications during setup. Completing tasks 1 and 2 is sufficient to validate this challenge, task 3 is optional.
- A Ubuntu virtual machine (VirtualBox) with all required packages to perform the tasks (username: MSS-student / password: mss)
- An archive “part1.zip” containing 20 pcap files (deviceX_Y.pcap) for 5 different devices (50 files). They each capture 2 minutes of traffic representing the setup of each device.
- An archive “part2.zip” containing 20 pcap files (deviceX_Y.pcap) for 4 other devices (40 files). They each capture 2 minutes of traffic representing the setup of each device.
- A skeleton python script “feature_extract.py” that processes a pcap file and returns a feature vector in a CSV file format (runs with python2).
- A skeleton python script “classify.py” taking a dataframe as input and producing classification accuracy results (runs with python3).
- Define relevant features to distinguish IoT devices from the “part1.zip” archive based on their setup communication traffic. Implement the script “feature_extract.py” accordingly to return a feature vector from the pcap file. Use python modules “scapy”  for pcap file processing. Comment your code with the description of each feature you compute.
- Select and use one or several relevant supervised machine learning algorithm to build a classifier having the task to distinguish devices contained in “part1.zip” (one class per device i.e. 5 classes). Use python package “scikit-learn”  for this purpose. Train and test the classifier accuracy using a 5-fold stratified cross-validation procedure (80% dataset for training / 20% for testing). Implement the whole procedure in “classify.py” that will return Accuracy, Precision, Recall and F-Measure as a result.
- Apply the same procedure as in 1) and 2) but including devices from part2.zip (classification task for 9 devices now). Compare accuracy results to the one obtained in 2), if they are lower, make a new version of the scripts “feature_extract2.py” and “classify2.py” to get better accuracy results.
 Scapy documentation http://scapy.readthedocs.io/en/latest/
 Pandas Dataframe documentation. http://pandas.pydata.org/pandas-docs/stable/dsintro.html
 Scikit-Learn supervised learning documentation. http://scikit-learn.org/stable/supervised_learning.html#supervised-learning
Contact: If you are interested in this challenge send an email to Samuel Marchal samuel.marchal(at)aalto.fi