Available research topics for students in the Secure Systems Group 

This page lists the research topics that are currently available in the Secure Systems group or with our industry partners. Each topic can be structured either as a special assignment or as an MSc thesis, depending on the interests, background and experience of the student. If you are interested in a particular topic, send e-mail to the listed contact person (as well as the responsible professor, either N. Asokan or Tuomas Aura), explaining your background and interests.

All topics have one or more of the following keywords: 

PLATSEC Platform Security

NETSEC Network Security

ML & SEC Machine learning and Security/Privacy

USABLE Usable security and stylometry

OTHER Other systems security research themes




ROP-gadget finder for PA-protected binaries  PLATSEC

Return-oriented programming [1,2] is an exploitation technique that enables run-time attacks to execute code in a vulnerable process in the presence of security defenses such as W⊕X memory protection policies (e.g. an NX bit). In ROP, the adversary exploits a memory vulnerability to manipulate return addresses stored on the stack, thereby altering the program's backward-edge control flow. ROP allows Turing-complete attacks by chaining together multiple gadgets, i.e., adversary-chosen sequences of pre-existing program instructions ending in a return instruction that together perform the desired operations. Identifying suitable ROP-gadget chains useful in attacks can be automated using gadget-finding tools such as ROPGadget [3] or ROPgenerator [4].

More advanced defenses that are effective against ROP and other control-flow hijacking attacks are becoming commonplace, and modern processor architectures even deploy hardware-assisted defenses designed to thwart ROP attacks. An example is the recently added support for pointer authentication (PA) in the ARMv8-A processor architecture [5], commonly used in devices like smartphones. PA is a low-cost technique to authenticate pointers so as to resist memory vulnerabilities. It has been shown to enable practical protection against memory vulnerabilities that corrupt return addresses or function pointers. However, current PA-based defenses are vulnerable to reuse attacks, where the adversary reuses previously observed valid protected pointers. Current implementations of PA-based return address protection in GCC and LLVM mitigate reuse attacks, but cannot completely prevent them [6].

The objective of this topic is to design and implement a ROP-gadget finder that takes into account PA-based defenses such as GCC's and LLVM's -msign-return-address (GCC < 9.0) [7] / -mbranch-protection=pac-ret[+leaf] (GCC 9.0 and newer) [8]. These defenses cryptographically bind the return addresses stored on the stack to the stack pointer value at the time the address is pushed to the stack. To exploit PA-protected return addresses in a ROP chain, the adversary must obtain signed return addresses that correspond to the value of the stack pointer at the moment the ROP gadget executes its return instruction using the reused protected address.
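The binding described above is easiest to see in a small model. The following is an added example, not code from the topic or from the group's tooling: it models the pac-ret prologue (sign the link register with the stack pointer as modifier, spill it) and epilogue (reload, authenticate against the current SP, return). The hardware PAC function is replaced by a truncated HMAC-SHA256 and the pointer layout is assumed to be 48 address bits plus a 16-bit PAC; all addresses and the key are constructed values. It shows why a signed return address captured in one frame does not verify in a frame with a different SP, and also why a frame that reaches the same SP value still accepts it, which is the residual reuse window the text refers to.

```python
import hashlib
import hmac

# Assumed layout (simplified): 48-bit user-space addresses, PAC in the top
# 16 bits. On real AArch64 the PAC width depends on the configured VA size
# and on whether top-byte-ignore is enabled.
PAC_BITS = 16
PAC_SHIFT = 64 - PAC_BITS
ADDR_MASK = (1 << PAC_SHIFT) - 1


def compute_pac(key: bytes, address: int, modifier: int) -> int:
    """Stand-in for the hardware PAC function (QARMA on real silicon):
    a truncated HMAC-SHA256 over (address, modifier). For pac-ret the
    modifier is the stack pointer, which binds the signature to one frame."""
    msg = address.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little")


def pacia(key: bytes, address: int, sp: int) -> int:
    """PACIA-like sign: embed the PAC into the unused top bits of the pointer."""
    if address & ~ADDR_MASK:
        raise ValueError("address already carries a PAC or is out of range")
    return address | (compute_pac(key, address, sp) << PAC_SHIFT)


def autia(key: bytes, signed_ptr: int, sp: int):
    """AUTIA-like authenticate: return the plain address if the PAC matches
    the current SP, otherwise None (hardware would instead produce a poisoned
    pointer that faults when used as a branch target)."""
    address = signed_ptr & ADDR_MASK
    if (signed_ptr >> PAC_SHIFT) != compute_pac(key, address, sp):
        return None
    return address


def simulate_pac_ret(key: bytes = b"\x01" * 16) -> dict:
    """Model one function's pac-ret prologue/epilogue and two reuse scenarios.
    All addresses are constructed values, not taken from any real binary."""
    return_a = 0x0000_4000_1234     # frame A's genuine return address
    sp_frame_a = 0x0000_7FFF_F000   # SP on entry to frame A
    sp_frame_b = 0x0000_7FFF_E800   # SP of a different, deeper frame B
    return_c = 0x0000_4000_5678     # frame C: another activation at the same SP as A

    # prologue of A: `paciasp` signs LR with SP, the signed LR is spilled to the stack
    spilled_lr_a = pacia(key, return_a, sp_frame_a)

    # epilogue of A: `autiasp` checks the reloaded LR against the current SP before `ret`
    legitimate = autia(key, spilled_lr_a, sp_frame_a) == return_a

    # a signed LR observed in frame A replayed into frame B (different SP) is rejected
    replay_other_frame = autia(key, spilled_lr_a, sp_frame_b) is not None

    # frame C has the same SP value as A; if its spilled LR slot is replaced by
    # A's signed value, the epilogue accepts it and returns to A's target instead
    # of C's own: the SP modifier alone cannot separate two activations at one SP
    spilled_lr_c = pacia(key, return_c, sp_frame_a)
    assert spilled_lr_c != spilled_lr_a  # different address, different signed value
    accepted = autia(key, spilled_lr_a, sp_frame_a)
    replay_same_sp = accepted is not None and accepted != return_c

    return {
        "legitimate_return": legitimate,
        "replay_in_other_frame": replay_other_frame,
        "replay_in_frame_with_same_sp": replay_same_sp,
    }


if __name__ == "__main__":
    for scenario, ok in simulate_pac_ret().items():
        print(f"{scenario}: {'accepted' if ok else 'rejected'}")
```

The design point a gadget finder for PA-protected binaries has to reproduce is the last scenario: a signed return address is only useful where the SP at the gadget's `ret` equals the SP under which the address was originally signed, so the finder must track stack depth as well as instruction sequences.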

NOTE: Part of this topic will be performed as a special assignment, which is a pre-requisite for an eventual thesis topic.

Required skills:

  • Basic understanding of control-flow hijacking and ROP attacks
  • Basic understanding of the C runtime environment, assembler programming and debugging tools (GDB).
  • Strong programming skills with one or more of the following programming languages:  C/C++, Python, Ruby, Rust, Go, Java, Perl (C and/or Python preferred)

Nice to have:

  • Prior experience with ARMv8-A assembler programming (AArch64 instruction set).
  • Prior experience with Capstone disassembly framework programming [9].
  • Basic understanding of ARM Pointer Authentication.

References:

[1]: Shacham. The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). 
      In Proceedings of the 14th ACM conference on Computer and communications security (CCS '07). ACM, New York, NY, USA, 552-561. 2007.
      DOI: https://doi.org/10.1145/1315245.1315313
[2]: Kornau. Return Oriented Programming for the ARM Architecture. MSc thesis. Ruhr-Universität Bochum. 2009.
[3]: https://github.com/JonathanSalwan/ROPgadget
[4]: https://github.com/Boyan-MILANOV/ropgenerator
[5]: Qualcomm. Pointer Authentication on ARMv8.3. Whitepaper. 2017.
[6]: Liljestrand et al. PAC it up: Towards pointer integrity using ARM pointer authentication.
      In 28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, August 14-16, pages 177–194, 2019
[7]: Using the GNU Compiler Collection (GCC 7.10): 3.18.1 AArch64 Options. [Retrieved 2019-09-10]
[8]: Using the GNU Compiler Collection (GCC 9.10): 3.18.1 AArch64 Options. [Retrieved 2019-09-10]
[9]: https://www.capstone-engine.org/

For further information: Please contact Thomas Nyman (thomas.nyman@aalto.fi), Hans Liljestrand (hans.liljestrand@aalto.fi) and Prof. N. Asokan.


Byzantine fault tolerance with rich fault models  OTHER

Byzantine fault tolerance (BFT) has seen a resurgence due to the popularity of permissioned blockchains. Unlike Bitcoin-style proof-of-work-based consensus, BFT provides immediate confirmation of requests/transactions. Existing BFT protocols can generally tolerate a third of participants being faulty, unlike Bitcoin, which can tolerate attackers controlling up to a third of the hash rate.

We are working to build a BFT system that can tolerate a richer variety of failure modes, for example:

  • Up to f nodes are malicious (this is the classical BFT)
  • Nodes with CPU power at most are malicious (this is like Bitcoin)
  • All nodes running software X are malicious (e.g. a zero-day vulnerability is found in some piece of software)
  • All nodes owned by company X become malicious (e.g. someone steals administrator credentials)
  • ...Several of the above with different thresholds...

In this project, you will develop BFT protocols using our C++-based consensus platform that can tolerate more "real-world" types of fault like these, and gain experience in the development of distributed systems.
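The failure modes listed above can be expressed as a fail-prone system in the sense of the Byzantine quorum systems paper cited below [2]: a collection of node sets that may all be faulty at once. The following is an added example, not code from the group's consensus platform: it builds the fail-prone sets for a constructed seven-node cluster from three of the rules above (any f nodes, every software monoculture, every single owner; the CPU-share rule is left out because its threshold is not given here), and then checks the two Malkhi-Reiter conditions for simple threshold quorums: consistency (any two quorums share a node that lies outside every fail-prone set) and availability (for every fail-prone set some quorum avoids it). The search shows that with f = 1 the rich model still forces quorums of 5 out of 7 nodes, larger than the classical bound for a single faulty node would require.

```python
from itertools import combinations

# Constructed example cluster (not from the page): each node runs one
# software stack and is operated by one organisation.
NODES = {
    "n1": {"software": "A", "owner": "X"},
    "n2": {"software": "A", "owner": "Y"},
    "n3": {"software": "B", "owner": "X"},
    "n4": {"software": "B", "owner": "Y"},
    "n5": {"software": "C", "owner": "Z"},
    "n6": {"software": "C", "owner": "Z"},
    "n7": {"software": "D", "owner": "W"},
}


def fail_prone_sets(nodes: dict, f: int) -> set:
    """Fail-prone system B from the failure modes: any f nodes, every software
    monoculture, every single owner. Only maximal sets are kept, since any
    subset of a fail-prone set may obviously fail as well."""
    names = sorted(nodes)
    candidates = set()
    for k in range(1, f + 1):
        for combo in combinations(names, k):
            candidates.add(frozenset(combo))
    for attr in ("software", "owner"):
        for value in {nodes[n][attr] for n in names}:
            candidates.add(frozenset(n for n in names if nodes[n][attr] == value))
    return {b for b in candidates if not any(b < other for other in candidates)}


def threshold_quorums(nodes: dict, q: int) -> set:
    """Every q-subset of the nodes is a quorum."""
    return {frozenset(c) for c in combinations(sorted(nodes), q)}


def d_consistent(quorums: set, fail_prone: set):
    """Consistency: for all Q1, Q2 and all B, Q1 ∩ Q2 is not contained in B,
    i.e. two quorums always share a node that is guaranteed honest.
    Returns (True, None) or (False, witness)."""
    for q1 in quorums:
        for q2 in quorums:
            shared = q1 & q2
            for b in fail_prone:
                if shared <= b:
                    return False, (q1, q2, b)
    return True, None


def d_available(quorums: set, fail_prone: set):
    """Availability: for every B some quorum is disjoint from B, so progress
    is possible even if all of B stops responding."""
    for b in fail_prone:
        if not any(q.isdisjoint(b) for q in quorums):
            return False, b
    return True, None


def min_threshold_quorum(nodes: dict, f: int):
    """Smallest quorum size q for which the threshold quorum system satisfies
    both conditions under the rich fail-prone system, or None if none does."""
    fp = fail_prone_sets(nodes, f)
    for q in range(1, len(nodes) + 1):
        quorums = threshold_quorums(nodes, q)
        if d_consistent(quorums, fp)[0] and d_available(quorums, fp)[0]:
            return q
    return None


if __name__ == "__main__":
    fp = fail_prone_sets(NODES, 1)
    print("fail-prone sets:", [sorted(b) for b in fp])
    ok, witness = d_consistent(threshold_quorums(NODES, 4), fp)
    print("q=4 consistent:", ok, "witness:", witness)
    print("minimum safe threshold quorum:", min_threshold_quorum(NODES, 1))
```

The witness returned for q = 4 is the kind of output a protocol designer wants: two concrete quorums whose only shared nodes all lie inside one fail-prone set, which is exactly the situation in which a correlated failure (one vendor's zero-day, one stolen set of credentials) lets the two quorums accept conflicting values.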

Requirements:

  • Basic knowledge of C++

Nice to have:

  • Experience with network programming
  • Theoretical distributed systems knowledge

References:

1: M Castro, B Liskov, "Practical Byzantine fault tolerance", Proceedings of OSDI'99.
2: D Malkhi, M Reiter, "Byzantine quorum systems", Proceedings of STOC'97.

For further information: Please contact Lachlan Gunn (lachlan.gunn@aalto.fi) and Prof. N. Asokan.


Tor hidden service geolocation  OTHER

Tor is the most well-known and most-used anonymity system, based on onion routing: data is relayed through several nodes with multiple layers of encryption. Each node strips a layer of encryption and routes the message to the next node in the chain until it reaches its destination.

Most users use Tor to provide client anonymity, but it can also provide server anonymity using a feature known as hidden services. This allows anyone to connect to a server using an onion address like abcdef123456789.onion. The address gives no information on the location of the server, but the time that it takes to communicate with it does.

In this project, you will build tools to measure the round-trip times to hidden services, as well as within the Tor network. You will then build a statistical model of transit times through the network, which you will use to estimate and visualise hidden service locations.

Requirements: Basic knowledge of probability and statistics.

Nice to have:

  • C programming skills.

  • Familiarity with some cloud computing platform.

  • Familiarity with network programming.

Resources:

[1]: Lachlan J. Gunn, Heiki Pikker, Olaf Maennel, Andrew Allison, Derek Abbott (2017). "Geolocation of Tor hidden services: Initial results". 3rd Interdisciplinary Cyber Research Workshop, Tallinn, Estonia, pp. 67–69.
[2]: Nicholas Hopper, Eugene Y. Vasserman, and Eric Chan-Tin (2010). "How Much Anonymity does Network Latency Leak?". ACM Transactions on Information and System Security, 13(2), pp. 13:1–13:28.
[3]: Frank Cangialosi, Dave Levin, Neil Spring (2015). "Ting: Measuring and Exploiting Latencies Between All Tor Nodes". Proceedings of the 2015 Internet Measurement Conference, pp. 289–302.

For further information: Please contact Lachlan Gunn (lachlan.gunn@aalto.fi) and Prof. N. Asokan.


Research Topics with our Industry Partners


Huawei Internship/Thesis position: IoT secure lifecycle management   NETSEC      


The intern at the Mobile Security Laboratory, Huawei, Finland will participate in a research project where the target is to secure the lifecycle management (manufacturing, setup, pairing, use, and revocation) of IoT devices in the context of a home IoT network. In recent years, IoT-capable home appliances have grown tremendously in number. Most of these appliances pair with smartphones, which play a central role as a command and control center for them. Typically, the pairing protocols, along with the command and control protocols between an IoT device and a smartphone, are proprietary. As a result, users are required to install dedicated apps to access/control each of these appliances. The project shall look into available specifications, like EAP-NOOB and LwM2M, to achieve easy-to-use, standards-based protocols and mechanisms for (i) setting up an IoT device in a user's home network; (ii) operating the device from authorized (controller) devices inside the home network as well as over the internet; and (iii) managing the devices.

In this project, the student will participate in the study of available industry standards, design protocols and communication stacks, and document them. Furthermore, a proof-of-concept will be implemented over a selected set of devices.

This internship can constitute a Master's thesis work or a PhD internship. Therefore, we especially look for students who have completed all of their MSc courses and are searching for an MSc thesis topic, or students with even further experience in networking design and IoT. The internship can commence at the earliest on 1.9.2019.

We are looking for:

  • A person who has completed most of his/her M.Sc. courses (CS/E.Eng).

  • IoT / peer-to-peer networking experience

  • Protocol design or evaluation experience

  • Coding experience with some programming language preferably C and Java

  • Sufficient skills to work and interact in English

  • Good teamwork skills

The following we count as an advantage:

  • Background (courses) in platform security, cryptography or equivalent

  • An interest to do research and explore new challenges.

The Mobile Security Laboratory in Huawei, Helsinki drives renewal and mastery in the field of platform / device related security technologies for primarily the mobile device. Our topical expertise is in hardware-assisted isolation and system protection (hypervisor, TEE, Linux kernel hardening) as well as functions like device key management, access control, device attestation and integrity protection. We also conduct research in topics related to run-time / memory protection of compiled code and the distributed aspects of security in consumer IoT – platform security for sensors and actuators as well as security protocols and mechanisms for context setup and lifecycle management in home IoT.

Contact persons: sandeep.tamrakar@huawei.com, philip.ginzboorg@huawei.com




Huawei: Pointer Authentication in the Linux kernel PLATSEC 

This M.Sc. topic is in collaboration with the Mobile Security Laboratory, Huawei, Finland and is part of a larger research project where the target is to use the recent ARMv8-A Pointer Authentication (PA) additions for memory safety. In this work, our aim is to prevent attacks that violate the integrity of in-kernel memory pointers. PA allows embedding Pointer Authentication Codes (PACs) into pointers, thereby providing a method to detect corrupted pointers and prevent their use. We will leverage current work which already implements a research prototype that uses PA, but is limited to user-space processes [1]. This MSc thesis work will focus on applying this protection to kernel space and adapting the kernel to accommodate PA.

The work will allow the candidate to get a deep insight into modifications to the mobile kernel boot process and module loading. Existing PA kernel patches must also be modified to support PA management in the hypervisor or secure monitor. Finally, our existing research prototype will likely require modifications due to the differences between how an OS kernel and how applications are structured and run. We are looking for a candidate with an interest in embedded platform security, with C programming skills and some familiarity with the kernel and/or LLVM.

You will work with our in-house experts as well as with collaborating industrial and academic partners on the subject, but the topic is selected to be a M.Sc. thesis, i.e. we will adapt the scope and timeframe to suit a thesis work, and possibly an academic publication.

Requirements:

- A M.Sc. student close to finishing (CS/E.Eng).
- System / embedded coding experience in C/C++
- Sufficient skills to work and interact in English
- Good team-working skills

Advantage:

- Background (courses) in systems programming, platform security, or equivalent 
- An interest to do research and explore new challenges.

References:

[1]: Liljestrand et al. "PAC it up: Towards Pointer Integrity using ARM Pointer Authentication", arXiv, 2018. https://arxiv.org/abs/1811.09189

For further information: Please contact Hans Liljestrand (hans.liljestrand@aalto.fi) and Jan-Erik Ekberg (jan.erik.ekberg@huawei.com)

The Mobile Security Laboratory in Huawei, Helsinki drives renewal and mastery in the field of platform / device related security technologies for the mobile device. Our topical expertise is in hardware-assisted isolation and system protection (hypervisor, TEE, kernel hardening) as well as functions like device key management, attestation and integrity.


Huawei: Application Memory-Space Isolation for Execution  PLATSEC 

In this internship with the Mobile Security Laboratory, Huawei, Finland you will participate in a research project where the target is to prototype isolation contexts in mobile phones within an application memory space. This is already available in servers using Intel SGX, but the ARM architecture provides a set of features (MMU management, execute-only memory) and company-internal solutions (where the ARM EL2 hypervisor mode is used to enforce memory protection in the kernel and applications) that we believe can be combined to achieve a similar, in-place isolation model inside the application for security-critical functionality.

You will work with Huawei in-house experts as well as with collaborating industrial and academic partners to explore these ideas with the goal to build a proof-of-concept of the architecture. This will contain a PoC on a mobile phone, but may also touch on development tools to achieve code separation needed for running the solution.

This work topic will involve exploring processors and the code execution fabric at a high level of detail. Therefore we do expect, from the applicants, a basic level of familiarity with the operation of a modern CPU (e.g. memory management, interrupt handling, privilege levels) as well as how the firmware and OS operate in their support for the application ecosystem.

We believe that this internship, although formulated as a M.Sc. thesis work, can produce results that, if properly refined, could later be published and counted towards graduate studies.

Requirements:

- A candidate with most courses towards his/her M.Sc. completed (CS/E.Eng).
- System / embedded coding experience in C, ARM/X86 assembler
- Experience in bare-metal programming / processor design or equivalent
- Sufficient skills to work and interact in English
- Good teamwork skills

The following we count as an advantage:

- Background (courses) in platform security, cryptography or equivalent
- An interest to do research and explore new challenges.

For further information: Please contact Jan-Erik Ekberg (jan.erik.ekberg@huawei.com) and Hans Liljestrand (hans.liljestrand@aalto.fi)

The Mobile Security Laboratory in Huawei, Helsinki drives renewal and mastery in the field of platform / device related security technologies for the mobile device. Our topical expertise is in hardware-assisted isolation and system protection (hypervisor, TEE, kernel hardening) as well as functions like device key management, attestation and integrity.



Huawei: Hardware-assisted application attestation and authentication in Android  PLATSEC 

This M.Sc. topic in the Huawei Mobile Security Laboratory Finland consists of participation in a research project where the target is to apply DICE (Device Identifier Composition Engine) to a mobile phone use case. DICE is an emerging standard for "a family of hardware and software techniques for hardware-based cryptographic device identity, attestation, and data encryption", especially targeted at IoT but also applicable to mobile phone ecosystems. This topic focuses on leveraging DICE in an application attestation scenario on a mobile phone, where we aim to build a proof-of-concept in which a networked service can attest its phone application counterpart in a straightforward, easy manner.
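The core of DICE is a layered secret derivation: each boot layer measures the next one and derives that layer's secret (the Compound Device Identifier, CDI) from its own secret and the measurement, so the identity a device ends up with depends on every piece of code that ran before. The following is an added example, not code from Huawei or from the DICE specification: it simulates such a boot chain with HMAC-SHA256, derives an attestation key from the final CDI, and lets a networked verifier check an application measurement. Two simplifications are assumed and marked in the code: the attestation key is symmetric and pre-shared with the verifier (real DICE derives an asymmetric DeviceID/Alias key pair and the verifier holds a certificate), and the firmware images are constructed byte strings standing in for real layers.

```python
import hashlib
import hmac


def measure(image: bytes) -> bytes:
    """Measurement of a layer: SHA-256 of its code image."""
    return hashlib.sha256(image).digest()


def derive_cdi(parent_secret: bytes, next_image: bytes) -> bytes:
    """One DICE layer transition: CDI_{n+1} = HMAC(CDI_n, measure(layer n+1)).
    The first step uses the Unique Device Secret (UDS) as the parent secret."""
    return hmac.new(parent_secret, measure(next_image), hashlib.sha256).digest()


def boot_chain(uds: bytes, images) -> bytes:
    """Walk the whole boot chain from the UDS and return the final CDI."""
    secret = uds
    for image in images:
        secret = derive_cdi(secret, image)
    return secret


def attestation_key(cdi: bytes) -> bytes:
    # Assumption: a symmetric key stands in for the asymmetric Alias key that
    # real DICE derives from the CDI; the verifier is assumed to hold the
    # expected key for the known-good boot chain.
    return hmac.new(cdi, b"attestation-key", hashlib.sha256).digest()


def attest_app(key: bytes, nonce: bytes, app_image: bytes):
    """Device side: report the app measurement and a MAC over nonce || measurement."""
    evidence = measure(app_image)
    tag = hmac.new(key, nonce + evidence, hashlib.sha256).digest()
    return evidence, tag


def verify_attestation(expected_key: bytes, nonce: bytes, evidence: bytes,
                       tag: bytes, expected_app_hash: bytes) -> bool:
    """Service side: the MAC must verify under the key implied by the expected
    boot chain AND the reported app measurement must be the expected one."""
    good_tag = hmac.new(expected_key, nonce + evidence, hashlib.sha256).digest()
    return (hmac.compare_digest(tag, good_tag)
            and hmac.compare_digest(evidence, expected_app_hash))


# Constructed stand-ins for a device's boot layers and an app (not real images).
UDS = b"\x2a" * 32
BOOTLOADER = b"bootloader v1"
KERNEL = b"kernel v1"
FRAMEWORK = b"android framework v1"
APP = b"banking app v1"


def demo(nonce: bytes = b"\x00" * 16) -> dict:
    """Three runs: genuine device, tampered kernel, tampered app.
    A verifier would use a fresh random nonce per request; a constant is used
    here only so that the example is reproducible."""
    good_chain = [BOOTLOADER, KERNEL, FRAMEWORK]
    expected_key = attestation_key(boot_chain(UDS, good_chain))
    expected_app = measure(APP)

    def run(chain, app):
        key = attestation_key(boot_chain(UDS, chain))
        evidence, tag = attest_app(key, nonce, app)
        return verify_attestation(expected_key, nonce, evidence, tag, expected_app)

    return {
        "genuine": run(good_chain, APP),
        "tampered_kernel": run([BOOTLOADER, b"kernel v1 + rootkit", FRAMEWORK], APP),
        "tampered_app": run(good_chain, b"banking app v1 + repackaged"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The point the two failing runs make is different in each case: a modified kernel changes the CDI and therefore the device's attestation key, so the service cannot even check the MAC, whereas a modified app leaves the key intact but reports a measurement the service does not recognise. Either way the service learns not to trust that counterpart before handing out anything sensitive.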

The thesis subject touches on mobile phone (Android) system security, including the Android framework and Linux kernel, but also includes a service (networked) aspect. We are looking for a candidate with an interest in embedded / phone platform security, with both programming skills and a background in security / cryptography.

You will work with our in-house experts as well as with collaborating industrial and academic partners on the subject, but the topic is selected to be a M.Sc. thesis, i.e. we will adapt the scope and timeframe to suit a thesis work, and possibly an academic publication.

Requirements:

- A M.Sc. student close to finishing (CS/E.Eng).
- System / embedded coding experience in C, Java (Android)
- Sufficient skills to work and interact in English
- Good team-working skills

Advantage:

- Background (courses) in platform security, cryptography or equivalent
- An interest to do research and explore new challenges.

For further information: Please contact Jan-Erik Ekberg (jan.erik.ekberg@huawei.com) and Hans Liljestrand (hans.liljestrand@aalto.fi)

The Mobile Security Laboratory in Huawei, Helsinki drives renewal and mastery in the field of platform / device related security technologies for the mobile device. Our topical expertise is in hardware-assisted isolation and system protection (hypervisor, TEE, kernel hardening) as well as functions like device key management, attestation and integrity.



Huawei: Write-once memory subsystem for microcontrollers  PLATSEC 

This thesis work with the Huawei Mobile Security Laboratory extends an ongoing research project on write protection in Linux and mobile device kernels into microcontrollers, and you will work with our in-house experts on this topic. The fundamental issue that we are solving in this work is that (data) write protection provided by e.g. MPUs and MMUs is reversible, and can be undone in the case of a kernel attack. This is a likely avenue for the next generation of kernel attacks, now that many other avenues of attack have been hindered by recent advances in memory protection. The use case is to ensure that we can keep IoT devices, such as sensors, functional and operating within parameters throughout their operational lifecycle.

This M.Sc. work involves making a proof of concept for write-once memory subsystems in microcontrollers. Depending on the targeted hardware platforms, it consists of a minimal hardware block change that implements the write filtering of memory for a suitable microcontroller, and implementing the software framework (i.e., the write-once memory allocator) for the selected operating system.

Requirements:

- A M.Sc. student close to finishing (CS/E.Eng)
- System / embedded kernel coding experience in C/C++
- Sufficient skills to work and interact in English
- Good team-working skills

Advantage:

- Background (courses) in systems programming, platform security, or equivalent
- Linux kernel coding experience, course-work on RTOS, or equivalent
- Experience or interest in FPGA work

For further information: Please contact Jan-Erik Ekberg (jan.erik.ekberg@huawei.com) and Hans Liljestrand (hans.liljestrand@aalto.fi)

The Mobile Security Laboratory in Huawei, Helsinki drives renewal and mastery in the field of platform / device related security technologies for the mobile device. Our topical expertise is in hardware-assisted isolation and system protection (hypervisor, TEE, kernel hardening) as well as functions like device key management, attestation and integrity.



Huawei: First reference of the GP TPS security standard  PLATSEC 

In this internship with the Mobile Security Laboratory, Huawei, Finland you will participate in a research project where the target is to prototype a new security API (under standardization) for mobile phone and IoT use. GlobalPlatform (GP) has provided multiple specifications about Secure Components (SC), such as Trusted Execution Environments (TEE) or Secure Elements (SE). There exist also other types of non-GP SCs like TPMs and HSMs. Adoption of these technologies, especially in consumer devices, has been surprisingly slow. One of the biggest reasons for slow adoption is that application developers do not have consistent ways to use SCs. One exception is Google's Android KeyStore, which provides a wide range of SC functionality to REE (Android) developers via the Java Cryptography Architecture (JCA), but unfortunately only for Android phones. As a consequence, the TPS Committee in GP is developing a new keystore solution, with the emphasis that the new keystore will be

1) based on industrial standard not on a specification from a single vendor
2) lightweight and therefore applicable also for IoT endpoint devices

The Mobile Security Laboratory in Huawei is one of the driving forces in this new standardization activity, and we propose a thesis work with the intent to make a world-first prototype implementation of the TPS specification on a mobile phone. As the master's thesis writer you will work in a small team with local experts to design and implement the TPS KeyStore API. The implementation work consists of one or several of the following tasks:

1) To implement the Android Java TPS API binding, supporting all necessary algorithms and cryptographic modes, but also a design that is extendable and maintainable over time. 
2) Development of a System translation library, that converts cryptographic Java calls to native (serialized) TPS KeyStore calls for different SCs. This library is linked to the application code.
3) Implementation of a TPS KeyStore Trusted Application inside the Huawei TEE

Requirements:

- Almost completed coursework for a M.Sc. (CS / E.Eng).
- System / embedded coding experience in C, Android programming background counted as a plus.
- Sufficient skills to work and interact in English
- Good teamwork skills

Advantages:

- Background (courses) in platform security, cryptography or equivalent
- Experience with smart cards or trusted execution environments 
- An interest to do research and explore new challenges.

For further information: Please contact Jan-Erik Ekberg (jan.erik.ekberg@huawei.com) and Hans Liljestrand (hans.liljestrand@aalto.fi)

The Mobile Security Laboratory in Huawei, Helsinki drives renewal and mastery in the field of platform / device related security technologies for the mobile device. Our topical expertise is in hardware-assisted isolation and system protection (hypervisor, TEE, kernel hardening) as well as functions like device key management, attestation and integrity.




Huawei: M.Sc. thesis: ARM TrustZone-M support in RTOS  PLATSEC 


The intern at the Mobile Security Laboratory, Huawei, Finland will participate in a research project where the target is to secure Internet of Things (IoT) devices. One of the leading technologies in IoT security is Arm TrustZone for Cortex-M [1]. TrustZone divides the microcontroller into two modes, selected by memory address, called the Secure (Trusted) and Non-secure (Non-trusted) worlds. The Secure world isolates its resources, such as memories and peripherals, so that the code and data loaded inside it are protected from the Non-secure world. Code running in the Secure world can access both Secure and Non-secure memories and peripherals. However, code running in the Non-secure world is limited to accessing only Non-secure memory and peripherals.

In this project, the student shall use Huawei LiteOS [2] as the real-time operating system (RTOS) for IoT devices. Huawei LiteOS is an open-source lightweight OS designed for IoT devices with Arm Cortex-M microcontrollers. At present, LiteOS does not include support for TrustZone for Cortex-M. Therefore, the primary task of this project is to enhance the security of LiteOS by adding TrustZone support, for which the student will be involved in:

  • Exploring Arm TrustZone for Cortex-M technology at a high level of detail. Therefore we expect from the applicants a basic familiarity with the operation of modern microcontrollers.
  • Designing and implementing:
    • Boot sequence that initializes both the Secure and Non-secure world for LiteOS on Arm TrustZone based Cortex-M device.
    • An application that runs within a Secure world.
    • APIs for accessing Secure world functionality from a Non-secure world application.
  • Demonstrating how a Non-secure world application can call Secure world functionality.

This internship can constitute a Master’s thesis work. Therefore, we especially look for students who have completed the bulk of their MSc courses and are searching for an MSc thesis topic.

Requirements:

  • A person who has completed most of his/her M.Sc. courses (CS/E.Eng).

  • Coding experience for embedded systems in C, ARM assembler

  • Experience in bare-metal programming or equivalent

  • Sufficient skills to work and interact in English

  • Good teamwork skills

Advantage:

  • Background (courses) in platform security, cryptography or equivalent

  • An interest to do research and explore new challenges.

References:

[1]: Arm TrustZone  https://developer.arm.com/technologies/trustzone 
[2]: Huawei LiteOS  https://www.huawei.com/minisite/liteos/en/

For further information: Please contact Jan-Erik Ekberg (jan.erik.ekberg@huawei.com) and Hans Liljestrand (hans.liljestrand@aalto.fi)

The Mobile Security Laboratory in Huawei, Helsinki drives renewal and mastery in the field of platform / device related security technologies for the mobile device. Our topical expertise is in hardware-assisted isolation and system protection (hypervisor, TEE, kernel hardening) as well as functions like device key management, attestation and integrity.




Reserved Research Topics


  • No labels