02239 - Data Security, Autumn 2016.
Examination Projects
In this course, you must write a final report on a chosen topic
instead of sitting an ordinary written exam. You can choose any
one of the following tasks as the topic for your report. The
report is individual. When you have chosen which task you want to
do, send an e-mail with "02239 examination project" in the subject
to both Christian D. Jensen and Sebastian A. Mödersheim, saying
who you are (your name and student number) and which task you have
chosen.
Your report must be handed in through Campusnet no
later than Friday December 22 at 12.00. Reports
may also be sent by ordinary mail (addressed
to one of the course teachers); in that case the postmark must show
that the report was sent no later than 22 December. Please hand
in two copies of the report if you hand in by ordinary mail, and don't forget
that in this case the examination regulations require you personally to sign your
paper reports!
Rules
Your report is expected to be a full report on the topic you have
chosen, including:
- An introduction, explaining the aim and scope of the task.
- A number of technical sections, describing your solution.
- A conclusion, which summarises the main points and results.
- A list of references.
If you wish to include extensive program documentation, reference
material, test output or program source code, it is recommended that you
include it as an appendix.
Each project must present an independent solution to the chosen problem.
Although you are encouraged to look on the Internet for relevant
information, you must give a clear reference to the source of any
material which you have not written yourself, which you actually
include in your report.
Do not copy-paste from other sources such as Wikipedia or your
colleagues. Please write your own individual report.
Links have been provided for some of the project proposals. These
links have been provided as a starting point and should not be
considered an exhaustive list of relevant information.
Evaluation
The report will be evaluated by the course teachers. The grade is one
overall mark, which incorporates both the final report (counts around 60%)
and the mandatory lab. exercises (count around 40%).
Grades will be on the 7-scale.
Queries
There will be a general opportunity to ask
questions about the report tasks before the oral course evaluation
on Wednesday 6 December. If you have questions about specific
tasks, you are advised to contact the teacher who set the task
directly. The relevant teacher is indicated by his initials:
A. Security in Health-care Applications (CDJ)
Modern health-care functions make use of devices connected by
wireless communications, based either on mobile telephony protocols,
such as GSM, UMTS or LTE, or on wireless networking standards, such as the
IEEE 802.11 series of protocols or Bluetooth.
Examples of wireless communications in health-care are:
- An apparatus for measuring blood-pressure and blood oxygen
content for a single patient may be connected to a central computer
(which may be connected to a central patient database) via a wireless
network. The central computer can handle several such devices (on
different patients) at the same time.
- A health worker visiting a patient at home may carry a hand-held
computer (e.g., a PDA or similar), which via a wireless link can collect
the patient's medical data, medication requirements and other information
from a central database at the local health center.
- Implanted sensors, medicine pumps or pacemakers are increasingly
being equipped with wireless communication capabilities to allow them to
communicate with health-care professionals. A few years ago,
researchers demonstrated a WiFi pacemaker hack that could deliver a shock
capable of killing the patient. More recently, a
vulnerability was discovered in an insulin pump which would allow an
attacker to control the pump and possibly administer a deadly dose of
insulin to the patient.
Discuss the security requirements for such systems, bearing in mind the
legal requirements for protection of personal information and the security
risks associated with the possible use of wireless networks. The discussion may
focus on a single application, e.g. the pacemaker or insulin pump mentioned above, or it could be
a broader discussion of security in health-care environments, such as the security requirements
for an IT system at a general practitioner, a small health clinic or a hospital. If time allows,
you should make a proposal for how to avoid some of the identified security problems in such
systems.
B. Security in Smart Cities (CDJ)
A number of technologies have been proposed for smart cities,
which will allow better management of the services provided by local councils;
e.g. intelligent traffic management will monitor current traffic flows and
control traffic lights optimally. Such smart city systems will combine
information from new and existing sensors, through a sensor network, with actuators that
control different aspects of the city-wide services through a control network. Some aspects
of smart cities may be implemented using existing supervisory control and data acquisition
(SCADA) technologies, while others may require
new technology, such as vehicular networks to measure and coordinate traffic.
Identify general security and/or privacy issues that arise in smart cities, focusing
particularly on the information and communication technologies
required to build smart cities, e.g. communication technology
(wired or wireless), sensor technology, authentication (key
management), etc. The identification of security issues may focus on a particular technology,
e.g. communication technologies proposed for smart cities (including Li-Fi);
it may focus on secure solutions to particular smart city problems, e.g. SCADA systems;
or it may focus on the integration of diverse
technologies from different scenarios in a single smart city service.
Analyse the security and/or privacy issues identified above, identify threats, and
propose appropriate countermeasures that can be implemented in a smart city
environment. The analysis may target a single element of the value chain or a single technology component;
e.g. you could look at privacy in intelligent traffic monitoring systems or security issues in smart meters
(or SCADA systems in general), or you could focus on security and/or privacy in a specific technology,
such as BlipTrack or the parking payment system introduced by Copenhagen City Council (only in Danish).
C. Intrusion Resistance Evaluation (CDJ)
Investigate a computer system to which you have
access, with a view to determining how resistant it is to
intrusion by unauthorised persons. You should analyse as many
aspects of intrusion as possible, including misuse of the password
system, poor network security and exposure to known exploits. You
should make use of available methods of security analysis,
including available tools for security evaluation.
Note: If you wish to do this project, you must obtain written
permission from the managers of the system which you are
evaluating. The following template (in Danish) has been approved
by the legal department at DTU.
Declaration to be signed by students and system owners (Word, PDF).
D. Protection of Whistleblowers' Identity (CDJ)
A number of professions, such as doctors, lawyers, priests and journalists, have a duty by law
to protect the confidentiality of their clients, by not revealing information about them without
their explicit consent or a clear legal reason. For journalists, this means that they should
never reveal sources of confidential information, nor provide enough of the raw information to allow
their sources to be identified.
The lives of Edward Snowden and Chelsea Manning changed significantly after they were identified
as the sources of leaked confidential information. Most journalists, however, are ill equipped to deal
with information leaks that give rise to major police investigations. For example, David Miranda, the partner
of journalist Glenn Greenwald who wrote about the leaked Snowden files, was arrested by the Metropolitan Police
at London's Heathrow Airport under Schedule 7 of the Terrorism Act 2000 while he was travelling home
from Berlin. His belongings were seized, including an external hard drive said to contain sensitive
documents relevant to Greenwald's reporting. The hard drive was encrypted with TrueCrypt, but Miranda
was not released before he gave up the encryption keys to the police. Not all countries give such powers to
the police, so it could be argued that David Miranda should have chosen a different route from Berlin
back to Brazil.
This illustrates the need to protect information sources in all phases of the creation of a news story:
- during the initial contacts, reception and confirmation of authenticity of the leaked data,
- during the period when information is stored by the news organisations, and
- in the reporting of the news story which should not allow inference about the information source.
Several whistleblower systems have been developed
to achieve (part of) the first goal, but anonymizing communication technologies are rarely used when
journalists communicate with their sources, which means that government agencies may seize phone records
(or network logs kept by the service provider) to find the source of a leak. Information stored by journalists
should be adequately protected, which may include the use of steganographic file systems: these provide
journalists with a layer of less sensitive information that may be given up to the authorities, while the real leaked data is hidden in a
layer underneath. Finally, the reporting of the story should prevent inference about the source,
which means that the anonymity set should remain sufficiently large throughout the reporting.
This project should provide a broad overview of the issues involved in protecting the identity of
whistleblowers from a potentially very strong adversary, e.g. agencies of a national government. The project should
then focus on one of the three phases outlined above and provide an in-depth discussion of the requirements,
techniques and technologies for protecting whistleblowers when they communicate with journalists, when
journalists store the raw data or when journalists report their stories based on this leaked information.
E. Privacy (SAMO)
There are several protocols that are meant to protect the privacy
of their users. Here are a few examples:
- The Geopriv family of protocols, which allow one to hide, or selectively
reveal, one's location.
- Electronic voting protocols, which try to protect the privacy of
the voters. A quite simple one is the FOO protocol described in
this paper.
- ANODR, an anonymous routing protocol for ad-hoc networks.
Your task is to pick one or two of these examples and analyze their
privacy. It is not necessary to have a precise formal analysis; you
may use intuitive descriptions. Please do think about, and discuss, the following questions:
- What is the scenario/attacker model that the protocol tries to
guard against?
- What is the intuition/idea of that protocol? What techniques are used?
- What assumptions does the protocol have, and which of them are
relevant for protecting privacy?
- How could one describe the goals of the protocol? This does not
need to be formal, you may for instance discuss what makes it so
hard to describe the goals precisely.
- Where are the (deliberate) boundaries of the protocol, i.e., are there any interesting privacy properties that the protocol
does not provide?
- Are there any known attacks or did you find any?
F. Security Protocols (SAMO)
The AVISPA library is a collection of security protocols from various
application areas such as classical authentication, mobility, and
e-Commerce. For each protocol, there is a short description including
a rough Alice-and-Bob-style message exchange, known attacks (if any),
references to the protocol standard or research papers, as well as a
formalization in AVISPA's own language HLPSL.
Your task is to choose two or three of these protocols and make your own
analysis of these protocols. (Note that the Geopriv protocols in the
AVISPA library fit better with task (E) above.)
For each chosen protocol, use the various
resources (AVISPA library, standards, research papers) to find out
what the protocol tries to achieve, how it does that, what it assumes,
what the known weaknesses are, and what simplifications had to be made
for formal analysis. You may make your own experiments using formal
analysis tools like the AVISPA-platform or AnB/OFMC, but it is not
strictly necessary.
G. Software Vulnerabilities (SAMO)
Investigate software vulnerabilities chosen from the CWE list
discussed in the lecture.
An example could be to choose three vulnerabilities such as
SQL Injection, Cross-Site Scripting and Cross-Site Request
Forgery. However, you may also choose just one or two
vulnerabilities and go into more depth.
For each vulnerability you choose, your report should include:
- a discussion of a practical
example of how to exploit the vulnerability. This can be either
an attack reported in the media or an experiment on your own
computer,
- an investigation of how it can be detected/identified at the
attacked site,
- which countermeasures exist, and
- an assessment of how critical the chosen
vulnerabilities are, and how easily the countermeasures can be
applied.
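As an illustration of the three technical points above (exploit, detection, countermeasure) for the first vulnerability named in the example, SQL injection (CWE-89), here is a small self-contained Python program. It is added here as an example and is not part of the original course material or of any project solution; the users table, the credentials and the web-server log lines are constructed for the demonstration, and the detection regexes are a deliberately simple signature set, not a recommended production rule set.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample data for the demonstration (not real credentials).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed access-log lines in Common Log Format: one benign login,
# one tautology-based login bypass, one UNION-based data extraction.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Nov/2016:10:00:01 +0100] "GET /login?user=alice&pw=s3cret HTTP/1.1" 200
10.0.0.9 - - [01/Nov/2016:10:00:07 +0100] "GET /login?user=nobody&pw=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200
10.0.0.9 - - [01/Nov/2016:10:00:09 +0100] "GET /items?id=1%20UNION%20SELECT%20name%2Cpassword%20FROM%20users HTTP/1.1" 200
"""


def fresh_db():
    """In-memory SQLite database seeded with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """CWE-89: attacker-controlled strings are spliced into the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = (
        "SELECT name FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Countermeasure: parameterised query. The input is bound as data and
    never reaches the SQL parser, so the same payload simply fails to match."""
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


# Detection at the attacked site: signatures applied to the URL-decoded
# request target. Signature matching is cheap but noisy; it catches the
# textbook payloads and misses encoded or blind variants.
INJECTION_PATTERNS = [
    re.compile(r"'\s*or\s+'", re.I),           # tautology such as ' OR '1'='1
    re.compile(r"\bunion\b.*\bselect\b", re.I),  # UNION-based extraction
    re.compile(r"(--|/\*)"),                     # SQL comment used to cut the query
]


def suspicious_requests(log_text):
    """Return the decoded request targets that match an injection signature."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) ', line)
        if not m:
            continue
        target = urllib.parse.unquote_plus(m.group(1))
        if any(p.search(target) for p in INJECTION_PATTERNS):
            hits.append(target)
    return hits


def run_demo():
    """Exploit the vulnerable login, then show the same payload against the
    hardened login. Returns (vulnerable result, safe result, legitimate login)."""
    conn = fresh_db()
    payload = "' OR '1'='1"
    return (
        login_vulnerable(conn, "nobody", payload),  # bypass: returns "alice"
        login_safe(conn, "nobody", payload),        # None: no such user
        login_safe(conn, "alice", "s3cret"),        # legitimate login still works
    )


if __name__ == "__main__":
    print(run_demo())
    for target in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", target)
```

The tautology works because the concatenated WHERE clause becomes `name = 'nobody' AND password = '' OR '1'='1'`, which is true for every row, so the first user is returned without any valid credential. The parameterised variant is the standard countermeasure and is trivial to apply in new code; retrofitting it into a large legacy code base, and the fact that signature-based detection can be evaded, are exactly the kind of points the assessment item asks you to weigh.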