SNE Master Research Projects 2016 - 2017

2004-2005 2005-2006 2006-2007 2007-2008 2008-2009 2009-2010 2010-2011 2011-2012 2012-2013 2013-2014 2014-2015 2014-2015 2015-2016 2016-2017
Contact TimeLine Projects LeftOver Projects Presentations-rp1 Presentations-rp2 Objective Process Tips Project Proposal


Cees de Laat, room: C.3.152
And the OS3 staff.
Course Codes:

Research Project 1 MSNRP1-6 53841REP6Y
Networking Research Project 2 MSN2NRP6 53842NRP6Y
Security Research Project 2 MSN2FRP6 53842SRP6Y


RP1 (January):
  • Wednesday Sep 21, 2016, 10h15-13h00: Introduction to the Research Projects.
  • Wednesday Nov 02, 2016, 10h15-13h00: Detailed discussion on chosen subjects for RP1.
  • Monday Jan 9th - Friday Feb 3th 2017: Research Project 1.
  • Friday Jan 13th: (updated) research plan due.
  • Monday Jan 23, 16h00, progress meeting (not mandatory).
  • Monday Feb 6, 2017 13h00-17h00: Presentations RP1 in B1.23 at SP 904.
  • Tuesday Feb 7, 2017 10h00 - 17h00: Presentations RP1 in B1.23 at SP 904.
  • Sunday Feb 12th 24h00: RP1 - reports due
RP2 (June):
  • Wednesday May 10, 2017, 10h15-12h15, B1.23 Detailed discussion on chosen subjects for RP2.
  • Tuesday May 23, 2017, 16h00-17h00, B1.23 Detailed discussion on chosen subjects for RP2.
  • Tuesday Jun 6th - Friday Jun 30, 2017: Research Project 2.
  • Friday Jun 9th: (updated) research plan due.
  • Monday Jun 19, 16h00 progress meeting (not mandatory).
  • Monday Jul 3 2017, 13h00-17h00: presentations in C0.110 @ SP904.
  • Tuesday Jul 4 2017, 10h00-17h00: presentations in C0.110 @ SP904.
  • Sunday July 9th 24h00 2017: RP2 - reports due.


Here is a list of student projects. Find here the left over projects this year: LeftOvers.
In a futile attempt to prevent spam "@" is replaced by "=>" in the table.
Color of cell background:
Project available Presentation received. Confidentiality was requested.
Currently chosen project. Report received. Blocked, not available.
Project plan received. Completed project. Report but no presentation
Outside normal rp timeframe


supervisor contact



Automated migration testing.

Unattended content management systems are a serious risk factor for internet security and for end users, as they allow trustworthy information sources on the web to be easily infected with malware and turn evil.
  • How can we use well known software testing methodologies (e.g. continuous integration) to automatically test if available updates to software running on a website that fix security weaknesses can be safely implement with as minimal involvement of the end user as possible?
  • How would such a migration work in a real world scenario?
In this project you will at the technical requirements for automated migration testing, and if possible design a working prototype.
Michiel Leenaars <michiel=>nlnet.nl>




Virtualization vs. Security Boundaries.

Traditionally, security defenses are built upon a classification of the sensitivity and criticality of data and services. This leads to a logical layering into zones, with an emphasis on command and control at the point of inter-zone traffic. The classical "defense in depth" approach applies a series of defensive measures applied to network traffic as it traverses the various layers.

Virtualization erodes the natural edges, and this affects guarding system and network boundaries. In turn, additional technology is developed to add instruments to virtual infrastructure. The question that arises is the validity of this approach in terms of fitness for purpose, maintainability, scalability and practical viability.
Jeroen Scheerder <Jeroen.Scheerder=>on2it.net>


Efficient delivery of tiled streaming content.

HTTP Adaptive Streaming (e.g. MPEG DASH, Apple HLS, Microsoft Smooth Streaming) is responsible for an ever-increasing share of streaming video, replacing traditional streaming methods such as RTP and RTMP. The main characteristic of HTTP Adaptive Streaming is that it is based on the concept of splitting content up in numerous small chunks that are independently decodable. By sequentially requesting and receiving chunks, a client can recreate the content. An advantage of this mechanism is that it allows a client to seamlessly switch between different encodings (e.g. qualities) of the same content.
The technique known as Tiled Streaming build on this concept by not only splitting up content temporally, but also spatially, allowing for specific areas of a video to be independently encoded and requested. This method allows for the navigation in ultra-high resolution content, while not requiring the entire video to be transmitted.
An open question is how these numerous spatial tiles can be distributed and delivered most efficiently over a network, reducing both unnecessary overhead as well as latency.
Omar Niamut <omar.niamut=>tno.nl>



What is the effectiveness of monitoring darknet fora to predict possible hacking attempts against, for example, Dutch targets (banks, critical infrastructure, etc)?

The purpose of the research is that in theory, a well built system might have foreseen the DDOS attack against Ziggo's nameservers a few months ago based on chatter on hiring a botnet to "target a Dutch ISP". It may have been enough to at least take preparations against such an attack.

We reference the OS3 paper of Diana Rusu, which is titled "Forum post classification to support forensic investigations of illegal trade on the Dark Web".

As for an introduction of both of us: we are not experts on the machine learning part, but are enthusiastic to learn new subjects. Machine learning is becoming more important these days due to the growth of data, so we think learning this skill is a good investment. We both like to program in different languages.

The exact research question could be slightly changed if need be, for example if it seems that the research question is too broad.


System Security Monitoring using Hadoop.

It involves looking into data mining of system and network logs using Hadoop and then focusing on system security. This research will investigate a real time ’streaming’ approach for monitoring system security - so streaming data through hadoop (e.g. via spark streaming) and then identifying and storing possible incidents. As an example of visualization you could think of a real-time map of the world displaying both failed and successful login attempts. In any case an important first part of the project would be investigating what others have done in this field and which systems and techniques they used. This to get an overview of all the possibilities. Finally implementing a small proof of concept based on ‘best-practice’ or cutting edge tools/API’s would be a great final result.
Machiel Jansen <machiel.jansen=>surfsara.nl>
Mathijs Kattenberg <mathijs.kattenberg=>surfsara.nl>


Qualitative analysis of Internet measurement methods and bias.

In the past year NLnet Labs and other organisations have run a number of measurements on DNSSEC deployment and validation.  We used the RIPE Atlas infrastructure for measurements, while other used Google ads where flash code runs the measurements.  The results differ as the measurement points (or observation points) differ: RIPE Atlas measurment points are mainly located in Europe, while Google ads flash measurements run global (or with some stronger representation of East-Asia).

Question is can we quantify the bias in the Atlas measurements or qualitative compare the measurements, so we can correlate the results of both measurement platforms.  This would greatly help interpret our results and the results from others based on the Atlas infrastructure. The results are highly relevant as many operational discussions on DNS and DNSSEC deployment are supported or falsified by these kind of measurements.
Willem Toorop <willem=>nlnetlabs.nl>


Thinking in possibilities for federated Log Out.

SURFnet runs a federated infrastructure for Single Sign On for the higher education and research community, called 0SURFconext. This uses the SAML 2.0 protocol over HTTP to provide access to hundreds of web-based cloudservices using your university account. Currently about 400.000 logins are processed daily.

Single Sign On is very convenient for users, but in contrast Single Sign Off has been a troublesome topic. The SAML standard has a provision called Single Log Out, but this is so complicated that it does not work in practice. Federations seem to have given up on the topic as "impossible", but users understandably want to be able to log out to services they have logged into. We would like to start from a positive approach: what techniques can we think of that *are* possible, and might they solve (at least part of) the problem?

The project aims to identify possible approaches to this problem, create a report with their pros and cons and a recommendation; and potentially implement a proof of concept of the most promising one. Basic knowledge of HTTP is required, prior experience with federated authentication is not necessary.
Thijs Kinkhorst <thijs.kinkhorst=>surfnet.nl>
Joost van Dijk <joost.vandijk=>surfnet.nl>

Marcel den Reijer <Marcel.denReijer=>os3.nl>
Fouad Makioui <Fouad.Makioui=>os3.nl>


Leader election and logical organization in inter-cloud virtual machines.

The objective of the project is to create a service that is deployed on every VM of a distributed cluster which allows the cluster of VMs to elect a leader. This can be extended further so that the cluster of VMs can have different groups with each group having its own leader.
When considering highly distributed volatile systems as those that can be created using virtual machines from different cloud providers, mapping distributed applications to the virtual machines is not a trivial task. The basic necessities for having a functioning distributed system can not be taken for granted. E.g. networking between nodes on different providers can quickly get out of hand. Another issue is logical organization of the nodes into groups with leaders. Many application mapping scenarios require temporary leaders to e.g. coordinate replication or coalesce monitoring information. Without any central node this leader needs to be elected just-in- time in a distributed fashion. It is convenient that virtual machines be equipped with a service that help organize themselves into logical groups where every group elects a leader. The volatile cloud environment means that virtual machines come and go thus the service must be dynamic enough to ensure a leader is elected in every scenario. With such a service running on each VM, an application can query the service to request the leader IP or other ID information and use this info to further optimize the application scheduling.
This area has been studied for a long time and there are various algorithms to achieve consensus and leader election. The most common are Paxos and Raft algorithms where Raft is simpler. Also, of research interest is blockchain consensus which has been popularized by bitcoin and is aimed at achieving consensus on untrusted nodes.
Yuri Demchenko <y.demchenko=>uva.nl>
Reggie Cushing <r.s.cushing=>uva.nl>


Building an open-source, flexible, large-scale static code analyzer.

Background information
Data drives business, and maybe even the world. Businesses that make it their business to gather data are often aggregators of client­side generated data. Client­side generated data, however, is inherently untrustworthy. Malicious users can construct their data to exploit careless, or naive, programming and use this malicious, untrusted data to steal information or even take over systems.
It is no surprise that large companies such as Google, Facebook and Yahoo spend considerable resources in securing their own systems against would­be attackers. Generally, many methods have been developed to make untrusted data cross the trust­boundary to trusted data, and effectively make malicious data harmless. However, securing your systems against malicious data often requires expertise beyond what even skilled programmers might reasonably possess.
Problem description
Ideally, tools that analyze code for vulnerabilities would be used to detect common security issues. Such tools, or static code analyzers, exist, but are either out­dated (http://rips­scanner.sourceforge.net/) or part of very expensive commercial packages (https://www.checkmarx.com/ and http://armorize.com/). Next to the need for an open­source alternative to the previously mentioned tools, we also need to look at increasing our scope. Rather than focusing on a single codebase, the tool would ideally be able to scan many remote, large­scale repositories and report the findings back in an easily accessible way.
An interesting target for this research would be very popular, open­source (at this stage) Content Management Systems (CMSs), and specifically plug­ins created for these CMSs. CMS cores are held to a very high coding standard and are often relatively secure. Plug­ins, however, are necessarily less so, but are generally as popular as the CMSs they’re created for. This is problematic, because an insecure plug­in is as dangerous as an insecure CMS. Experienced programmers and security experts generally audit the most popular plug­ins, but this is: a) very time­intensive, b) prone to errors and c) of limited scope, ie not every plug­in can be audited. For example, if it was feasible to audit all aspects of a CMS repository (CMS core and plug­ins), the DigiNotar debacle could have easily been avoided.
Research proposal
Your research would consist of extending our proof­of­concept static code analyzer written in Python and using it to scan code repositories, possibly of some major CMSs and their plug­ins, for security issues and finding innovative ways of reporting on the massive amount of possible issues you are sure to find. Help others keep our data that little bit more safe.
Patrick Jagusiak <patrick.jagusiak=>dongit.nl>
Wouter van Dongen <wouter.vandongen=>dongit.nl>


Mobile app fraud detection framework.

How to prevent fraud in mobile banking applications. Applications for smartphones are commodity goods used for retail (and other) banking purpose. Leveraging this type of technology for money transfer attracts criminal organisations trying to commit fraud. One of many security controls can be detection of fraudulent transactions or other type activity. Detection can be implemented at many levels within the payment chain. One level to implement detection could be at the application level itself. This assignment will entail research into the information that would be required to detect fraud from within mobile banking applications and to turn fraud around by building a client side fraud detection framework within mobile banking applications.
Steven Raspe <steven.raspe=>nl.abnamro.com>


Malware analysis NFC enabled smartphones with payment capability.

The risk of mobile malware is rising rapidly. This combined with the development of new techniques provides a lot of new attach scenarios. One of these techniques is the use of mobile phones for payments. In this research project you will take a look at how resistant these systems are against malware on the mobile. We would like to look at the theoretical threats, but also perform hands-on testing.
NOTE: timing on this project might be a challenge since the testing environment is only available during the pilot from August 1st to November 1st.
Steven Raspe <steven.raspe=>nl.abnamro.com>


Transencrypting streaming video.

Common encryption (CE) and digital right management (DRM) are solutions used by the content industry to control the delivery of digital content, in particular streaming video. Whereas DRM focusses on securely getting a CE key to a trusted piece of user equipment, trans-encryption has been suggested as a technical alternative. Transencryption transforms the encryption of content without decrypting it. So encrypted content that can be decrypted with private key A is transformed into encrypted content that can be decrypted with private key B. This solution enables a content provider to outsource the transencryption of a piece of content to an untrusted third party in order to get the content cryptographically targeted to a single specific piece of user equipment.
In this project, you will investigate the technical viability of transencrypting streaming video by building an implementation. Your implementation should answer the following questions for at least the implemented configuration.
·         Is it possible to implement transencryption on commercial-of-the-shelff computer equipment?
·         Can the implementation handle transencryption of streaming video of 2 Mb/s?

Oskar van Deventer, <oskar.vandeventer=>tno.nl>
Abe Wiersma <Abe.Wiersma=>os3.nl>


Research MS Enhanced Mitigation Experience Toolkit (EMET).

Every month new security vulnerabilities are identified and reported. Many of these vulnerabilities rely on memory corruption to compromise the system. For most vulnerabilities a patch is released after the fact to remediate the vulnerability. Nowadays there are also new preventive security measures that can prevent vulnerabilities from becoming exploitable without availability of a patch for the specific issue. One of these technologies is Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) this adds additional protection to Windows, preventing many vulnerabilities from becoming exploitable. We would like to research whether this technology is efficient in practice and can indeed prevent exploitation of a number of vulnerabilities without applying the specific patch. Also we would like to research whether there is other impact on the system running EMET, for example a noticeable performance drop or common software which does not function properly once EMET is installed. If time permits it is also interesting to see if existing exploits can be modified to work in an environment protected by EMET.
Henri Hambartsumyan <HHambartsumyan=>deloitte.nl>


Triage software.

In previous research a remote acquisition and storage solution was designed and built that allowed sparse acquisition of disks over a VPN using iSCSI. This system allows sparse reading of remote disks. The triage software should decide which parts of the disk must be read. The initial goal is to use meta-data to retrieve the blocks that are assumed to be most relevant first. This in contrast to techniques that perform triage by running remotely while performing  a full disk scan (e.g. run bulk_extractor remotely, keyword scan or do a hash based filescan remotely).

The student is asked to:
  1. Define criteria that can be used for deciding which (parts of) files to acquire
  2. Define a configuration document/language that can be used to order based on these criteria
  3. Implement a prototype for this acquisition
"Ruud Schramp (DT)" <schramp=>holmes.nl>
"Zeno Geradts (DT)" <zeno=>holmes.nl>
"Erwin van Eijk (DT)" <eijk=>holmes.nl>


Parsing CentralTable.accdb from Office file cache and restoring cached office documents.

The Microsoft Office suit uses a file cache for several reasons, one of them is delayed uploading and caching of documents from a sharepoint server.
In these cache files office partial or complete documents that have been opened on a computer might be available. Also the master database in the file cache folder contains document metadata from sharepoint sites. In this project you are asked to research the use of the office file cache and deliver a POC for extraction and parsing of metadata from the database file, also decode or parse document contents from the cachefiles (.FSD).
Yonne de Bruijn <yonne.debruijn=>fox-it.com>


UsnJrnl parsing for Microsoft Office activity.

In modern Windows versions, the NTFS filesystem keeps a log (the UsnJrnl file) of all operations that take place on files and folders. This can include interesting information about read- and write-operations on files. Microsoft Office programs perform a lot of file-operations in the background while a user is working on a file (think of autosave, back-up copies, copy-paste operations, etc.). While a lot of this activity leaves short-term traces on the file system, they can often only be found in the UsnJrnl after a while. Only little research has been done on the forensic implications of these traces. In this project, you are requested to research which traces are left in the UsnJrnl when using Office applications like Word and Excel and how these traces can be combined into a hypothesis about what activity was performed on a document.
Gina Doekhie <gina.doekhie=>fox-it.com>




The Serval Project.

Here a few projects from the Serval project. Not everything is equally appropriate for the SNE master, but it gives possibly ideas for rp's.

1. Porting Serval Project to iOS

The Serval Project (http://servalproject.org, http://developer.servalproject.org/wiki) is looking to port to iOS.  There are a variety of activities to be explored in this space, including how to provide interoperability with Android and explore user interface issues.

3. C65GS FPGA-Based Retro-Computer

The C65GS (http://c65gs.blogspot.nl, http://github.com/gardners/c65gs) is a reimplementation of the Commodore 65 computer in FPGA, plus various enhancements.  The objective is to create a fun 8-bit computer for the 21st century, complete with 1920x1200 display, ethernet, accelerometer and other features -- and then adapt it to make a secure 8-bit smart-phone.  There are various aspects of this project that can be worked on.

4. FPGA Based Mobile Phone

One of the long-term objectives of the Serval Project (http://servalproject.org, http://developer.servalproject.org/wiki) is to create a fully-open mobile phone.  We believe that the most effective path to this is to use a modern FPGA, like a Zynq, that contains an ARM processor and sufficient FPGA resources to directly drive cellular communications, without using a proprietary baseband radio.  In this way it should be possible to make a mobile phone that has no binary blobs, and is built using only free and open-source software.  There are considerable challenges to this project, not the least of which is implementing 2G/3G handset communications in an FPGA.  However, if successful, it raises the possibility of making a mobile phone that has long-range UHF mobile mesh communications as a first-class feature, which would be an extremely disruptive innovation.
Paul Gardner-Stephen <paul.gardner-stephen=>flinders.edu.au>


SURFdrive security.

SURFdrive is a personal cloud storage service for the Dutch higher education and research community, offering staff, researchers and students an easy way to store, synchronise and share files in the secure and reliable SURF community cloud.

SURFdrive is based on Owncloud, an open-source personal cloud storage product. Our challenge is to make the software environment as safe and secure as possible. Question is:
  • How can we make the environment resistant to future 0-day attacks?
Maybe anomaly detection techniques might be helpful. Research task is to examine which techniques are helpful against 0-day attacks.
Rogier Spoor <Rogier.Spoor=>surfnet.nl>


Extending the range of NFC capable devices.

Recently it has been shown that default and widely available Android devices can be used to effectively perform relay attacks on contact less payments (EMV Contact less). However, these attacks are obviously limited by the maximum range an Android device can read a bank card from a wallet or pocket. As of now, there does not seem to be a business case for large scale fraud as the range is typically limited to 5 cm. Improvements in the range, however, drastically change the business case and make relay attack fraud much more profitable. Reports from a laboratory show that a range up to 28 cm is possible. Another paper reports a simulated antenna with a range up to 55 cm. Students can research what the practical limit is, and what resources are needed to extend the range of NFC capable devices.
Jordi van den Breekel <vandenBreekel.Jordi=>kpmg.nl>
Jarno van de Moosdijk <vandeMoosdijk.Jarno=>kpmg.nl>

Sandino Moeniralam <Sandino.Moeniralam=>os3.nl>
Bart Hermans <Bart.Hermans=>os3.nl>


Comparison of security features of major Enterprise Mobility Management solutions

For years, Gartner has identified the major EMM (formarly known as MDM) vendors. These vendors are typically rated on performance and features; security often is not addressed in detail.
This research concerns an in-depth analysis of the security features of major EMM solutions (such as MobileIron, Good, AirWatch, XenMobile, InTune, and so forth) on major mobile platforms (iOS, Android, Windows Phone). Points of interest include: protection of data at rest (containerization and encryption), protection of data in transit (i.e. VPN), local key management, vendor specific security features (added to platform API's),
Paul van Iterson <vanIterson.Paul=>kpmg.nl>


Partitioning of big graphs.

Distributed graph processing and GPU processing of graphs that are bigger than GPU memory both require that a graph be partitioned into sections that are small enough to fit in a single machine/GPU. Having fair partitions is crucial to obtaining good workload balance, however, most current partitioning algorithms either require the entire graph to fit in memory or repeatedly process the same nodes, causing the partitioning to be a very computationally intensive process.

Since a good partitioning scheme depends on both the number of machines used (i.e., the number of partitions) and the graph itself, this means that precomputing a partitioning is unhelpful. It would mean that incrementally updating the graph becomes impossible, we therefore need to do partitioning on-the-fly, preferably distributedly. This project involves investigating 1 or more possible partitioning schemes and developing prototypes. Possible starting points:
  • Partitioning that minimises cross-partition communication
  • Fine-grained partitioning that allows easy recombining of partitions to scale to the appropriate number of machines.
  • Distributed edge-count based partitioning that minimises communication.
Expected deliverables:
  • One or more partitioning prototypes
  • Write-up of the partitioning scheme and it's benefits
Merijn Verstraaten <M.E.Verstraaten=>uva.nl>


Analysing ELF binaries to find compiler switches that were used.

The Binary Analysis Tool is an open source tool that can automate analysis of binary files by fingerprinting them. For ELF files this is done by extracting string constants, function names and variable names from the various ELF sections. Sometimes compiler optimisations move the string constants to different ELF sections and extraction will fail in the current implementation.

Your task is to find out if it is possible by looking at the binary to see if optimisation flags that cause constants of ELF sections to be moved were passed to the compiler and reporting them. The scope of this project is limited to Linux.

Armijn Hemel - Tjaldur Software Governance Solutions
Armijn Hemel <armijn=>tjaldur.nl>


Designing structured metadata for CVE reports.

Vulnerability reports such as MITRE's CVE are currently free format text, without much structure in them. This makes it hard to machine process reports and automatically extract useful information and combine it with other information sources. With tens of thousands of such reports published each year, it is increasingly hard to keep a holistic overview and see patterns. With our open source Binary Analysis Tool we aim to correlate data with firmware databases.

Your task is to analyse how we can use the information from these reports, what metadata is relevant and propose a useful metadata format for CVE reports. In your research you make an inventory of tools that can be used to convert existing CVE reports with minimal effort.

Armijn Hemel - Tjaldur Software Governance Solutions
Armijn Hemel <armijn=>tjaldur.nl>


Automatic comparison of photo response non uniformity (PRNU) on Youtube.

In recent years a lot of research has been done in the field of Photo Response Non Uniformity (PRNU). PRNU refers to the non uniformity of pixels in photo sensors of digital cameras. Each sensor has small defects causing certain pixels to be darker or lighter then others. This can be used to determine a unique fingerprint for each digital camera. Re- search has shown that PRNU patters can be used to prove if a photo or video was made with a cer- tain camera. We are now interested in a tool to match the PRNU of larger amounts of YouTube videos against reference material from a suspect camera. This project will focus on automating the PRNU extraction from YouTube videos and com- paring them against a reference video file. The software for PRNU extraction and comparison is available at NFI, however the question is how can large numbers of video files from YouTube be pro- cessed based on this method and the amount of data transferred limited.

Goal :
  • This project would like to compare the different files available on Youtube and compare the PRNU patterns in a fast way.
Approach :
  • The software for PRNU extraction and comparison is available at NFI, however the question is how we can process large numbers of video files from Youtube based on this method and limit the amount of data transferred
Result :
  • Report and demonstrator for this approach
  • code
Zeno Geradts (DT) <zeno=>holmes.nl>

Marcel Brouwers <Marcel.Brouwers=>os3.nl>
Rahaf Mousa <rahaf.mousa=>os3.nl>


RedStar OS reverse engineering.

During 32C3 conference, two researchers showed that Redstar OS - North Koreas OS - implements custom cryptography in the pilsung.ko kernel module. Reverse engineer this module, understand the difference in the pilsung implementation of AES compared to normal AES. Is there some kind of backdoor or weakness in pilsung?
Note that we expect that deep understanding of assembly/reverse engineering and the Linux kernel is required to successfully research this topic.

for more info on RedStar OS reversing.
Tim van Essen <TvanEssen=>deloitte.nl>
Henri Hambartsumyan <hhambartsumyan=>deloitte.nl>


Efficient networking for clouds-on-a-chip.

The “Cloud” is a way to organize business where the owners of physical servers rent their resources to software companies to run their application as virtual machines. With the growing availability of multiple cores on a chip, it becomes interesting to rent different parts of a chip to different companies. In the near future, multiple virtual machines will co-exist and run simultaneously on larger and larger multi-core chips.
Meanwhile, the technology used to implement virtual machines on a chip is based on very old principles that were designed in the 1970's for single-processor systems, namely the use of shared memory to communicate data between processes running on the same processor.
As multi-core chip become prevalent, we can do better and use more modern techniques. In particular, the direct connections between cores on the chip can be used to implement a faster network than using the off-chip shared memory. This is what this project is about: demonstrate that direct use of on-chip networks yield better networking between VMs on the same chip than using shared memory.
The challenge in this project is that the on-chip network is programmatically different than "regular" network adapters like Ethernet, so we cannot use existing network stacks as-is.
The project candidate will thus need to explore the adaptation and simplification of an existing network stack to use on-chip networking.
The research should be carried out either on a current multi-core product or simulations of future many-core accelerators. Simulation technology will be provided as needed.

Raphael 'kena' Poss <r.poss=>uva.nl>


Secure on-chip protocols for clouds-on-a-chip.

The “Cloud” is a way to organize business where the owners of physical servers rent their resources to software companies to run their application as virtual machines. With the growing availability of multiple cores on a chip, it becomes interesting to rent different parts of a chip to different companies. In the near future, multiple virtual machines will co-exist and run simultaneously on larger and larger multi-core chips.
Meanwhile, the technology used to implement virtual machines on a chip is based on very old principles that were designed in the 1970's for single-processor systems, namely the virtualization of shared memory using virtual address translation within the core.
The problem with this old technique is that it assumes that the connection between cores is "secure". The physical memory accesses are communicated over the chip without any protection: if a VM running on core A exchanges data with off-chip memory, a VM running on core B that runs malicious code can exploit hardware errors or hardware design bugs to snoop and tamper with the traffic of core A.
To make Clouds-on-a-chip viable from a security perspective, further research is needed to harden the on-chip protocols, in  particular the protocols for accessing memory, virtual address translation and the routing of I/O data and interrupts.
The candidate for this project should perform a thorough analysis of the various on-chip protocols required to implement VMs on individual cores, then design protocol modifications that provide resistance against snooping and tampering by other cores on the same chip, together with an analysis of the corresponding overheads in hardware complexity and operating costs (extra network latencies and/or energy usage).
The research will be carried out in a simulation environment so that inspection of on-chip network traffic becomes possible. Simulation tools will be provided prior to the start of the project.
Raphael 'kena' Poss <r.poss=>uva.nl>


Multicast delivery of HTTP Adaptive Streaming.

HTTP Adaptive Streaming (e.g. MPEG DASH, Apple HLS, Microsoft Smooth Streaming) is responsible for an ever-increasing share of streaming video, replacing traditional streaming methods such as RTP and RTMP. The main characteristic of HTTP Adaptive Streaming is that it is based on the concept of splitting content up in numerous small chunks that are independently decodable. By sequentially requesting and receiving chunks, a client can recreate the content. An advantage of this mechanism is that it allows a client to seamlessly switch between different encodings (e.g. qualities) of the same content.
There is a growing interest from both content parties as well as operators and CDNs to not only be able to deliver these chunks over unicast via HTTP, but to also allow for them to be distributed using multicast. The question is how current multicast technologies could be used, or adapted, to achieve this goal.
Ray van Brandenburg <ray.vanbrandenburg=>tno.nl>


Generating test images for forensic file system parsers.

Traditionally, forensic file system parsers (such as The Sleuthkit and the ones contained in Encase/FTK etc.) have been focused on extracting as much information as possible. The state of software in general is lamentable — new security vulnerabilities are found every day — and forensic software is not necessarily an exception. However, software bugs that affect the results used for convictions or acquittals in criminal court are especially damning. As evidence is increasingly being processed in large automated bulk analysis systems without intervention by forensic researchers, investigators unversed in the intricacies of forensic analysis of digital materials are presented with multifaceted results that may be incomplete, incorrect, imprecise, or any combination of these.

There are multiple stages in an automated forensic analysis. The file system parser is usually one of the earlier analysis phases, and errors (in the form of faulty or missing results) produced here will influence the results of the later stages of the investigation, and not always in a predictable or detectable manner. It is relatively easy (modulo programmer quality) to create strict parsers that bomb-out on any unexpected input. But real-world data is often not well-formed, and a parser may need to be able to resync with input data and resume on a best-effort basis after having reached some unexpected input in the format. While file system images are being (semi-) hand-generated to test parsers, when doing so, testers are severely limited by their imagination in coming up with edge cases and corner cases. We need a file system chaos monkey.

The assignment consists of one of the following (may also be spawned in a separate RP:
  1. Test image generator for NTFS. Think of it as some sort of fuzzer for forensic NTFS parsers. NTFS is a complex filesystem which offers interesting possibilities to trip a parser or trick it into yielding incorrect results. For this project, familiarity with C/C++ and the use of the Windows API is required (but only as much as is necessary to create function wrappers). The goal is to automatically produce "valid" — in the sense of "the bytes went by way of ntfs.sys" — but hopefully quite bizarre NTFS images.
  2. Another interesting research avenue lies in the production of /subtly illegal/ images. For instance, in FAT, it should be possible, in the data format, to double-book clusters (aking to a hard link). It may also be possible to create circular structures in some file systems. It will be interesting to see if and how forensic filesystem parsers deal with such errors.
"Wicher Minnaard (DT)" <wicher=>holmes.nl>
Zeno Geradts <zeno=>holmes.nl>


Large scale Log Analytics.

Central log analysis is a "Big Data" challenge at Vancis. We have thousands of servers, devices and applications logging  data. We'd like to retrieve intelligent (or preferably, actionable) information from logs by applying machine learning techniques. We expect that you select and apply methods that should (substantiated by research) deliver a tangible result. The initial business question is intentionally broad. We expect you to narrow the scope such that you are left with a final research question that can be answered in the limited time you are given. You can focus on a particular type of data (e.g. system-, audit-, network-, application- logs) or combine different sets.

We expect you to demo your solution (algorithm, code-pieces) on both a small set of data (<1TiB) and a large set of data (>TiB) and proof that the solution scales. A big bonus would be if the chosen method delivers a tangible business outcome (e.g. security is improved, the speed of finding the cause for a failing service is increased, etc).

We are facilitating a ready-to-use cluster including Hadoop/Spark, ElasticSearch, LogStash & related technologies. During the project you are free to add applications if necessary to execute your task. We are more than happy to interact with you to scope the research question and support you by supplying data that you need to execute the case.
Anthony Potappel <Anthony.Potappel=>vancis.nl>
Patrick Beitsma <Patrick.beitsma=>vancis.nl>


Android Application Security.

Recent Android releases have significantly improved support for full disk encryption, with it being enabled by default as of version 5.0. As we have seen on iOS full disk encryption is not fully effective (powering on the device decrypts the disk). With disk encryption potentially not fully effective there may be need for encryption on the application level that developers can include in their app. Research the possibility for secure encryption per app, either via loadable libraries in the app, or perhaps a encryption layer between OS and app. Make a proof-of-concept implementation if the time allows for it. Note that dynamic code loading comes with its own set of application security tradeoffs.
  • Sufficient programming skills are needed.
Rick van Galen <vanGalen.Rick=>kpmg.nl>


(In)security of java usage in large software frameworks and middleware.

Java is used in almost all large software application packages. Examples such packages are middleware (Tomcat, JBoss and WebSphere) and products like SAP and Oracle. Goal of this research is to investigate on the possible attacks that exists on Java (e.g. RMI) used in such large software packages and develop a framework to securely deploy (or attack) those.
Martijn Sprengers <Sprengers.Martijn=>kpmg.nl>


Building an IPS solution for inline usage during Red Teaming.

Repurposing defensive technologies for offensive Red Team operations.

Abstract:  Customize an existing IDS sensor device in a way that can be used as an IDS/IPS during Red Teaming Operations inline between the attackers (red team) and the client's network (defensive team), that will pre-emptively alert and block known attack patterns used by the RTO. Additionally the device should monitor potential scans performed by the defensive team and targeting the attacker (red team) systems, for example to fingerprint the attackers (red team). Signatures that you should think of are ones to detect man-in-the-middle attacks, port scans and commonly used attacks such as PSEXEC/WMIEXEC with(out) pass-the-hash.

Area of expertise: Red Teaming Operations
Ari Davies <ADavies=>deloitte.nl>

Arne Zismer <Arne.Zismer=>os3.nl>
Kristiyan Mladenov <Kristiyan.Mladenov=>os3.nl>


Text mining on the basis of Natural Language Processing.

This project involves using Natural Language Processing  (NLP) to analyse registrant data, e.g. to identify false information and other abuses promptly when a new domain name is registered.
More info:
Marco Davids <marco.davids=>sidn.nl>
Cristian Hesselman <cristian.hesselman=>sidn.nl>


Virtual reality interface for data analysis.

This project involves designing and developing a virtual reality (VR) interface for the analysis of large volumes of DNS data. The virtual world should enable the user to explore the data on an intuitive basis. The VR interface should also aid the recognition of irregularities and interrelationships.
More info:
Marco Davids <marco.davids=>sidn.nl>
Cristian Hesselman <cristian.hesselman=>sidn.nl>


Usage Control in the Mobile Cloud.

Mobile clouds [1] aim to integrate mobile computing and sensing with rich computational resources offered by cloud back-ends. They are particularly useful in services such as transportation, healthcare and so on when used to collect, process and present data from physical world. In this thesis, we will focus on the usage control, in particular privacy, of the collected data pertinent to mobile clouds. Usage control[2] differs from traditional access control by not only enforcing security requirements on the release of data by also on what happens afterwards. The thesis will involve the following steps:
  • Propose an architecture over cloud for "usage control as a service" (extension of authorization as a service) for the enforcement of usage control policies
  • Implement the architecture (compatible with Openstack[3] and Android) and evaluate its performance.
[1] https://en.wikipedia.org/wiki/Mobile_cloud_computing
[2] Jaehong Park, Ravi S. Sandhu: The UCONABC usage control model. ACM Trans. Inf. Syst. Secur. 7(1): 128-174 (2004)
[3] https://en.wikipedia.org/wiki/OpenStack
[4] Slim Trabelsi, Jakub Sendor: "Sticky policies for data control in the cloud" PST 2012: 75-80
Fatih Turkmen <F.Turkmen=>uva.nl>


Security and Performance Analysis of Encrypted NoSQL Databases.

It has been shown that encryption over SQL data gives a performance penalty
of the range 6-26% [1,2,6]. In return, the SQL databases ensures confidentiality/privacy against malicious users such as "curious database admins" by protecting not only data but also the logs [3]. In this thesis, we will look at the same problems from the window of NoSQL databases. NoSQL databases are frequently used in Big Data applications thanks to their scalability in certain types of data (often less structured) [4].
There are many freely available NoSQL databases such as MongoDB[5] and Cassandra[6] that support "encryption at rest". We will try to answer the following questions over the selected databases in this  thesis:
  • What are the possible weaknesses and strengths in terms of security?
  • What is the performance of the selected databases over a variety of encryption schemes?
  • What are the possible remedies/optimizations to the first two questions?
[1] http://www.databasejournal.com/features/mssql/article.php/3815501/Performance-Testing-SQL-2008146s-Transparent-Data-Encryption.htm
[2] Raluca A. Popa, Catherine M. S. Redfield, Nickolai Zeldovich, Hari Balakrishnan: CryptDB: protecting confidentiality with encrypted query processing. SOSP 2011: 85-100
[3] https://en.wikipedia.org/wiki/NoSQL
[4] https://www.mongodb.org/
[5] http://cassandra.apache.org/
[6] https://people.eecs.berkeley.edu/~raluca/
Fatih Turkmen <F.Turkmen=>uva.nl>

Abe Wiersma <abe.wiersma=>os3.nl>
Max Grim <max.grim=>os3.nl>


Detection of DDoS Mitigation.

Recent rise in DDoS issues have given rise to a wide range of mitigation approaches.

An attacker that seeks to maximize impact could be interested in predicting potential success: is a potential target "protected" or not? Deciding this question  probably involves measurements, and reasoning about measurement results -- heuristics? -- among other things.  How to?  To what extent can an attacker expect to succeed in detecting the presence/absence of protective layers on the intermediate network path?

For more information in Dutch: SURFnet Project DDos
Jeroen Scheerder <js=>on2it.net>


Automated asset identification in large organizations.

Many large organizations are struggling to remain in control over their IT infrastructure. What would help for these organizations is automated asset identification: given an internal IP range, scan the network and based on certain heuristics identify what the server's role is (i.e. is it a web server, a database, an ERP system, an end user, or a VoIP device).
Rick van Galen <vanGalen.Rick=>kpmg.nl>


Automatic phishing mail identification based on language markers.

Phishing mails are still a large threat for organizations. Phishing mails are hard to identify from end users' perspective. Quite often even, internal organizations send mails around that are very similar to phishing mails. Security operations centers often miss these emails as they are not caught by spam filters. What identifiers are included in phishing mails that can be used for automatic alerting of security teams in organizations?
Rick van Galen <vanGalen.Rick=>kpmg.nl>


Forensic investigation of smartwatches.

Smartwatches are an unknown area in information risk. They are an additional display for certain sensitive data (i.e. executive mail, calendars and other notifications), but are not necessarily covered by organizations' existing mobile security products. In addition, it is often much easier to steal a watch than it is to steal a phone. What is the data that gets 'left behind' on smartwatches in case of theft, and what information risks do they pose?
Rick van Galen <vanGalen.Rick=>kpmg.nl>



IoT security aspects and testing methodology.

The internet-of-things world has a security problem, that much is clear. But what security problems are specific to IoT, and, given the large amount of different standards being followed, what is the proper testing methodology to test these?
Rick van Galen <vanGalen.Rick=>kpmg.nl>


Pentest auditability 2.0: Digging into the network.

During security tests, it is often difficult to achieve great accountability of actions. Systems may be disrupted by a security test, or may be disrupted by unrelated bugs and administration within the organization. To prove accountability of certain actions, one must keep good records of pentest activities. One such method is to simply log and analyze network traffic. But is it feasible to do this? Does one log all network traffic, or only meta-information? And is it feasible to do this given storage requirements?
Rick van Galen <vanGalen.Rick=>kpmg.nl>


WhatsApp end-to-end encryption: show us the money.

WhatsApp has recently switched to using the Signal protocol for their messaging, which should provide greatly enhanced security and privacy over their earlier, non end-to-end encrypted propietary protocol. Of course, since WhatsApp is closed source, one has to trust WhatsApp to actually use this Signal protocol, since one cannot review the source code. What other (automated) methods are there to verify that WhatsApp actually employs this protocol? This research is about reverse engineering Android and/or iOS apps. 
Rick van Galen <vanGalen.Rick=>kpmg.nl>


Attacks on Android 7 File Based Encryption.

Some level of disk encryption has been available since Android 3.0.  This was realised as encryption of the data partition at a sector level.  The most recent Android release (7.0) has brought about a new scheme  for disk encryption, file based encryption. This encryption scheme is  implemented on a filesystem level rather than a block level. Is this new  encryption scheme susceptible to the same attacks as the previous scheme?
Rick van Galen <vanGalen.Rick=>kpmg.nl>

Marwin Baumann <marwin.baumann=>os3.nl>
Ronan Loftus <ronan.loftus=>os3.nl>


Applocker and SoftwareRestrictionPolicies review.

Applocker and SRP are Microsoft technologies for application whitelisting.  These solutions however strongly depend on the policies and configurations. There are various ways to bypass applocker  (e.g. powershell, Word Macro’s)
Goal of this project is to review app locker security and develop a policy that prevents or detects various applocker bypass mechanisms.

In this research project the students should:
  •  Implement a test deployment of Applocker
  •  Create an overview of mechanisms that can be used to circumvent application whitelisting technology (e.g. http://en.wooyun.io/2016/01/28/Bypass-Windows-AppLocker.html)
  •  Review options for limiting specific attack vectors (e.g. disallow powershell) and check if they block correctly
  •  Create rules and triggers to detect specific attacks based on audit logs and audit settings (e.g. someone tries to stop app locker service)
Marc Smeets <marc=>outflank.nl>


Analysis of tactics, techniques and procedures in targeted attacks.

Starting with the Mandiant report on APT1 we see more and more information being published by researchers on targeted attacks by state actors, hacking groups and determined individuals. This gives us more insight in the juicy details of the Tactics, Techniques and and Procedures (TTPs) used in these attacks. But with several dozens of these reports published, we are seeing significant variations in the sophistication of the attacks. An easy example is the use of 0-days in the attacks: some do, some dont. Another is the use of specific tools like mimikatz and powershell: some seem to like default tools while others rely heavily on customised tools. Another is the sophistication used (or needed) per business sector.

But with enough information out there, what we lack at the moment is a more structured and detailed overview of the TTPs of the attacks (info such as https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/ is not enough). While some corporations provide periodic trend reports, these lack the technical details and are of questionable independence. Once the overview is gained we want to know if its possible to make trend analyses that help us in better understanding these types of attacks:
  • Are there sector or country specific trends?
  • How do attacks evolve over time?
  • How much overlap is there amongst techniques being used by different actors?
  • Can you classify what TTPs belong to a low sophisticated attack, and what to an advanced?
Although this research mostly consist of desk studying, we welcome any effort to spice it up with any relevant technical research you can think of. Be creative!
Marc Smeets <marc=>outflank.nl>


Various projects @ Deloitte.

Please follow the link below and look specifically for the one month projects. Inform me (CdL) which one you want to do an we create a separate project number for that.

Topic: Adding some new tests to our existing QuickScan vulnerability scanner.
Area of expertise: Development / Hacking.
Abstract: We are in the process of updating our existing QuickScan vulnerability scanner. It currently scans for issues such as improperly configured certificates, existence of admin interfaces, vulnerabilities such as Heartbleed, etc. We would like to add some tests, such as a check for Shellshock, HttPoxy, support for Perfect Forward Secrecy and Secure Renegotiation.
Duration: 1 month

Topic: Evaluating various executable packers (MS Windows) and understanding how A/V products behave
Area of expertise: Red Teaming Operations
Abstract:  An executable packer is a software that modifies the actual executable code while maintaining the files behavior. Commonly used to reduce the file size of large executables for added portability or most commonly to obfuscate them and make reverse engineering an complicated and costly or intensive process. There are multiple legitimate and underground software packers. The purpose of this research is to identify the most common of them and evaluate them against a number of common Antivirus (A/V) products in order to understand the particularities between different A/V products, signature based detection and heuristic algorithms.
Duration: 1 month

Topic: Building an A/V assessment platform
Area of expertise: Red Teaming Operations
Abstract:  Using common tools such as Puppet, Docker or other mass-deployment solutions create a Windows and Linux blended solution that enables the automatic creation of a virtualized test lab for the evaluation of a potential malware across multiple Antivirus (A/V) products concurrently and securely. This does not involve analysis of the potential malware in a sandbox such as Cuckoo sandbox but the evaluation of an executable across multiple free and commercial A/V products.
Duration: 1 month

Topic: How to remain undetected in an environment with Microsoft Advanced Threat Analytics (ATA)
Area of expertise: Red Teaming Operations
Abstract: In 2015 Microsoft launched an on-premises platform that protects Microsoft-driven environments from advanced targeted attacks by automatically analyzing, learning and identifying normal and abnormal behavior of users, devices and resources. This platform can detect a number of attacks commonly used during Red Teaming  engagements such as Pass-the-Hash and abnormal usage of the Kerberos Golden Ticket within a domain. The purpose of this research is to figure out how to identify one or more of the following items; the usage of ATA within a network, the location of the "beacons" that can be used to detect an attack and to investigate what specific Windows events, network signatures or other events (could) trigger an alert.
Duration: 1 month
"van Essen, Tim (NL - Amsterdam)" <TvanEssen=>deloitte.nl>


Developing a public permissioned blockchain.

Blockchain technology is getting much attention triggered by the popularity of the bitcoin cryptocurrency. Ethereum (https://ethereum.org/) is a blockchain-based computer that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference. However, the unlimited openness of Ethereum poses risks. For example, bad actors can permanently put illegal content or applications on such a blockchain. This risk, and the associated legal liability will refrain legitimate businesses from running applications or supporting such an infrastructure. Permissioned blockchains, see e.g.
allow for certain parties to have more control in who can do what and, therefore, can help mitigate this risk. The hypothesis is that such permissioned blockchains can retain many of the benefits of blockchain technology.

In this project, you will investigate the hypothesis by
  • Performing a brief risk analysis, identifying the most prominent risks of permissionless blockchains
  • Performing a brief analysis of the main (quantifiable) benefits of permissionless blockchains
  • Developing permission requirements for managing the identified risks and relating those to the (potential) loss of benefits (e.g., openness, censorship resistance).
  • Implementing a permissioned blockchain (for example by using technology provided by Eris (https://erisindustries.com/) or Tendermint (http://tendermint.com/)).
  • Demonstrating the functionality of the system with a test application
  • Evaluating the system
Oskar van Deventer <oskar.vandeventer=>tno.nl>
Maarten Everts <maarten.everts=>tno.nl>


Automated gadget injection for reverse engineering iOS and Android applications.

Because root detection measures implemented in mobile applications may slow down reverse engineers, we would like to develop a new method for dynamic analysis of mobile applications by injecting a so-called gadget into the existing (compiled) application. The gadget allows to perform any operation within the sandbox of the current mobile application such as accessing files within the local application directory, or hooking functions. This method not only allows to work around root detection measures, but also allows dynamic analysis of applications that are compiled for iOS or Android versions that have no available jailbreak or root method.
Cedric Van Bockhaven <cvanbockhaven=>deloitte.nl>

Marwin Baumann <marwin.baumann=>os3.nl>
Leandro Velasco <leandro.velasco=>os3.nl>


Advantages of anomaly detection between a controlling unit and its process devices for Industrial Control Systems.

During security reviews, industrial systems have revealed flaws in their communications that may lead to physical damage. We are interested to find out how SCADA systems can be set-up in a closed control loop.
  • What sensors could be used to detect tampering, and how could they be hacked?
We can provide the materials to build a SCADA set-up for mixing liquids, working with robotic arms, changing traffic lights, or something else.

The git with our source code: https://github.com/ricklahaye/ics-ids
Coen Steenbeek <csteenbeek=>deloitte.nl>
Dima van de Wouw <dvandewouw=>deloitte.nl>

Rick Lahaye <rick.lahaye=>os3.nl>
Anouk Boukema <Anouk.Boukema=>os3.nl>



Dynamic profiles for malware communication.

Malware has communication possibilties to a (de)central c&c. To hide this traffic we use profile, so it looks like legit traffic. However these profiles are static, making it possible to fingerprint them and detect them. Making these profiles dynamic will make it harder to detect the hidden traffic and makes it harder to create signatures for monitoring tools.
Cedric van Bockhaven <CvanBockhaven=>deloitte.nl>
Ari Davies <adavies=>deloitte.nl>

Joao Carlos de Novais Marques <joao.marques=>os3.nl>
Mick Cox <mick.cox=>os3.nl>


Visualising security boundaries and POIs in virtualised environments.

Because infrastructure is increasingly dynamic we want to have an automated scanner which is capable of collecting data from host systems and map out security boundaries between guests and the network itself. Taking into account guest and host firewall settings. Ideally it would run as some agent to collect the data and then compiling a simple network graph which highlights hosts and paths between systems to find points of interests or certain super nodes which may pose a security risk if compromised.

For the project the scope would be limited to identifying services and possible security risks that occur from a network topology point of view. Preferably it would function for both para-virtualised and fully virtualised environments or even jail environments like FreeBSD jails. Although taking into account all possible firewall software stacks and the different configurations possible this would probably stretch the scope. An alternative could be running the tool on all nodes and collecting data by just trying to punch holes and seeing if it works or not. so decentralised network scanning and graphing and adding some measure of evaluating risk impacts.
Esan Wit <esan=>bunq.com>

Marcel Brouwers <marcel.brouwers=>os3.nl>


Mobile device fingerprinting from App land.

Mobile device registration/binding can be an effective security measure in securing mobile Apps.

In this project you will investigate the technical possibilities to fingerprint mobile devices from the App sandbox?

Can a solution be designed that Apps can use to uniquely identify Android and/or iOS devices?

Such a solution might be used to strengthen authentication solutions or in the fight against mobile banking malware.
David Vaartjes <david.vaartjes=>securify.nl>
Jurgen Kloosterman


Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and HTTP/2.

The TOR Anonymity network is vulnerable for website fingerpring attacks, which is confirmed by various research papers.

In this project you will investigate the technical possibilities to prevent/hinder an adversary which is interested in identifying TOR users that visit a small, specific set of targeted (fingerprinted) pages.


How can the fingerprint from a (e.g. hidden) website can be changed/randmomised for each load via e.g. TOR-browser plugins (client side) or Webserver Modules (server side) to render fingerprinting attacks "useless".
David Vaartjes <david.vaartjes=>securify.nl>
Jurgen Kloosterman

Kees Halvemaan <Kees.Halvemaan=>os3.nl>
Tako Marks <tako.marks=>os3.nl>


A hooking framework for security research on apps build on the Xamarin framework.

Xamarin (https://www.xamarin.com) is a popular framework for building cross platform mobile application using C#.

In this project you will investigate the security internals of the Xamarin framework via reverse engineering.

More specifically, how to hook/patch the Xamarin framework to speed up security research (pentesting) of Apps build in Xamarin.

Some examples: disable Certificate Pinning, log all Crypto, Keychain, Storage and Network operations.
David Vaartjes <david.vaartjes=>securify.nl>
Jurgen Kloosterman


Hijack video stream via malicious Thunderbold adapter (mimicking a display).

Apple Macbooks (amongst others) have multi Thunderbold ports which can be used to attach ethernet adapters, displays, storage devices etc. When attaching a display it will be automatically mirrored without any visible indication for the user.

In this project you will investigate if this behavior can be used to silently hijack (mirror) the video output of a target laptop/user by plugging in a crafted Thunderbold device, which internally mimics a display to silently forward the video output to an external (hacker controlled) system.
David Vaartjes <david.vaartjes=>securify.nl>
Jurgen Kloosterman


Calculating the carbon footprint of individual hosting packages on a hosting cluster.

Greenhost is a small idealistic company that focuses on sustainable web hosting and cloud services built around preserving human rights. We host many websites on a hosting cluster with separate machines for MySQL servers, storage and computing power. We want to be able to tell a client how much energy his hosting package (website) is using.

In this project, the available website data (CPU usage, memory usage and disk read/write usage) must be used to calculate an estimation of how much energy is used by only that website. To be able to achieve this, we provide data of the energy consumption of the machines in the data center as well. The rough outline of steps needed to complete this project is as follows:
  • Aggregate usage data of all customers per bare metal machine (in a privacy-friendly manner)
  • Make (or train) a calculation of how usage statistics contribute to the power consumption of the bare metal machines
  • Use this calculation to calculate the amount of power "used" by one website
For more information (data formats, information on the structure of the hosting cluster, etc.) please do not hesitate to contact us. For signing up for the position, please also contact us!

Please let me know if you need any additional information.
Maarten de Waard <maarten=>greenhost.nl>

Anouk Boukema <Anouk.Boukema=>os3.nl>


Techniques for detecting compromised IoT devices.

DDoS attacks have for a long time been performed using reflection/amplification attacks. The mechanisms for this type of attack are well known. Research has been done on detecting these types of attacks and various projects exist that monitor these types of attacks. The biggest DDoS attacks up until now have been around 400Gbps.

However, recently the infosec blogger Brian Krebs has been hit with a record-setting attack that had a volume of over 660Gbps, a few days later, web hosting company OVH has reportedly been hit with a DDoS of over 1Tbps. These attacks are unprecedented in volume but more interestingly they are not using reflection/amplification but direct attacks instead.

The attacks are leveraged using hacked Internet of Things devices like IP-cameras and DVR boxes and other linux-based internet connected devices. These devices have a telnet daemon with a very simple password. These devices get infected with malware by simple telnet dictionary attacks and are made part of a botnet, after which they are used in DDoS attacks.

The research project:
  • Which detecting techniques are feasible in order to detect the 'spreading' of the infected IoT devices in an early phase.
Once a technique has been chosen, research the following:
  • Is it possible to gain information on attacks such as victims, duration, volume etc.?
  • Is it possible to gain information on which botnets exist? And how they compete?
  • Is it possible to gain information on command and control infrastructure?
  • Is it possible to capture the malware for further analysis?
  • Further information.....?
Possible further study:
  • Which other IoT devices can be misused?
  • Is it possible to use other means like for example hacked wordpress sites in order to create large attacks?
Rogier Spoor <Rogier.Spoor=>surfnet.nl>

Ivo van der Elzen <Ivo.vanderElzen=>os3.nl>
Jeroen van Heugten <Jeroen.vanHeugten=>os3.nl>


A hybrid system for automatic exchanges of routing information.

The goal of this project is to examine if it is possible to design a decen- tralized system that will automatically exchange routing policies between autonomous systems, in order to mitigate the above concerns. A distributed approach will reduce the load and supply information that is always accu- rate up to that point of time. Security is going to be taken into account as well, focusing on how we can authenticate the originator of a routing policy.

The main research question that arises is:
  • Is it possible to design a decentralized system to automatically exchange routing policies for BGP configurations?
To answer the main research question, the following sub-questions had been formed:
• Which would be the benefits by designing a decentralized approach?
• What is the potential of this decentralized system in terms of scalability and efficiency?
• What security aspects should this decentralized system employ?
Stavros Konstantaras <s.konstantaras=>uva.nl>
Stamatios Maritsas <stamatios.maritsas=>os3.nl>


Detection of Android apps with Drammer/Rowhammer payload.

The very recent bug discoveries such as Drammer (https://vvdveen.com/publications/drammer.pdf) and Rowhammer results in multiple questions.
  • Will vendors issue a patch?
  • And will this patch actually solve the underlying problem?

It will just be a matter of time before an app will be released that will actively try to exploit a device for malicious purposes.

In this research project we want you to find a way to create a rogue app and secondly to find (forensic) patterns in order to discover and detect the presence of such an application
Jurgen Kloosterman



Windows Security log manipulation.

In-depth knowledge about windows internals required.
On Windows not even administrators can clean or modify the logs without getting noted. Defenders trust the integrity of the Windows event logs and use it as an important part for tracking down attacker’s actions. We want students to research possibilities for generic (low level) manipulation of windows security event logs. Could be alteration, dilation or adding of log rules, without the Microsoft provided API to do so. Possible ways for manipulation are raw file access and kernel patching. But we encourage any other way that gets the job done.
Marc Smeets <marc=>outflank.nl>


Effective Automated Windows Lab Deployment.

We want students to research the best ways for automating the deployment and configuration of a Windows based (test) lab. Many options exist, like specific Powershell modules, puppet, vagrant and Microsoft native tools like DSC and SCCM. But its unclear what (combination) of techniques results in the fastest and easiest deployment of a 10-20 windows servers. Demands are: relatively fast deployment, multiple domain controllers, AD sites, user accounts, possibility for other core Windows server roles like SMB, IIS, Exchange, etc. Focus should not be on the hardware or virtualisation aspect of the setup.
Marc Smeets <marc=>outflank.nl>

Vincent van Dongen <Vincent.vanDongen=>os3.nl>
Fons Mijnen <Fons.Mijnen=>os3.nl>


Reliable Library Identification Using VMI Techniques.

Virtual Machines are widely used to share common physical resources in cloud environments. The isolation of the virtual machine layer is considered good enough to allow VMs from multiple businesses to reside on one machine. From a security perspective, Cloud Providers treat these machines as black boxes they only able to observe its in and output and don't have any idea on whats happening inside. VM introspection such as provided by libvmi[1] allows the cloud provider to get insight in the low level calls that a VM makes. This may be useful to enhance security of the Cloud provider, leading to the following question:
  • Can VM introspection help securing cloud providers against certain attacks?
Think about preventing a rowhammer/flip-feng-shui [2] attack early on, or to enforce that VMS enable security features e.g. SELINUX.
  1. http://libvmi.com
  2. https://www.vusec.net/projects/flip-feng-shui/
Ralph Koning <R.Koning=>uva.nl>
Ben de Graaff <C.B.deGraaff=>uva.nl>

Leandro Velasco <Leandro.Velasco=>os3.nl>
Nick de Bruijn <nick.debruijn=>os3.nl>


Real-time Video Stream filtration for Data and Facial Anonymization.

The NI-1772C are cameras that are used frequently in healthcare settings. Often it is required that the video streamed frames are sent after removing all metadata and facial characteristics are anonymised too. This research project aims at building a lightweight solution that investigates novel methods of video stream data and facial information anonymisation.

This project can be of great value if implement rightly.

The supervisor is available full time over Skype for consultation for students.
Junaid Chaudhry <xunayd=>gmail.com>

Sandino Moeniralam <Sandino.Moeniralam=>os3.nl>


SURFWireless Energy Consumption.

Wireless Local Area Networks (WLANs) provide flexibility in connectivity for mobile devices. It is a solution for wireless Internet that satisfies most communication requirements in current environments. Similar to Ethernet technologies, WLAN has evolved and protocol improvements provide higher and higher speeds. Protocols like 802.11n, 802.11ac, and the research of  802.11ax makes it a viable alternative for Wired Ethernet.

SURFnet offers a service called SURFWireless, a distributed solution that provides WLANs for institutions. The WLANs are created by deploying dedicated Access Points (APs) in all areas that require coverage for wireless stations (STAs). The APs are monitored and managed from a central location, but do not depend on a controller for traffic flow control.

Currently, it is unknown how much energy the whole wireless infrastructure consumes spread over many locations. The research aims to find solutions that will decrease the energy utilization of all components of SURFWireless e.g. Access Points and management/monitoring. Current research indicates techniques like exploiting Software Defined Networking (SDN) to estimate network bandwidth requirements and turn off idle APs or the concept of Radio-on-Demand (ROD). Insight in the energy usage and hopefully decreasing can be beneficial for the future of existing and new WLANs.

The student is asked to research the following:
  • How much energy do the distributed components of SURFWireless consume and which aspects affect the amount of power consumption. The measurements must take place in a realtime situation during production of the SURFWireless service.
  • Once the consumption is clear, techniques to improve the energy efficiency of SURFWireless will be investigated.
  • Experiments of the effectiveness of the solutions will be done in a test environment and in a work environment with a realtime situation.
Frans Panken <frans.panken=>surfnet.nl>
Marijke Kaat <Marijke.Kaat=>surfnet.nl>

Jeroen van Leur <jeroen.vanleur=>os3.nl>


Browser forensics: Adblocker extensions. .

Ad-blocking plugins for web browsers have seen a large increase in use over the past years. They usually work on the basis of white- and/or blacklists to block iframes and other elements that show (intrusive) advertisements on websites. Depending on the plugin that is used, these pieces of add-in software might (temporarily) store relevant information for digital forensics. The goal of this project is to determine what information is stored by such plugins, in which format and how it could be incorporated in forensic investigations of computers.
Johannes de Vries <jdevries=>fox-it.com>

Willem Rens <Willem.Rens=>os3.nl>


Apple File System (APFS).

Apple recently introduce APFS with their latest version of OS X, Sierra. The new file system comes with some interesting new features that either pose challenges or opportunities for digital forensics. The goal in this project is to pick one or more relevant features (i.e. encryption, nanosecond timestamps, flexible space allocation, snapshot/cloning, etc.) and reverse engineer their inner workings to come up with a proof-of-concept parsing tool that provides useful input for forensic investigations of Apple systems.
Yonne de Bruijn <yonne.debruijn=>fox-it.com>


vmdk snapshot support for DfVFS.

DfVFS is a back-end library that provides read-only access to file system objects from various storage media types. In this day and age, virtual machines are becoming more and more common in company infrastructures. This project aims at analyzing the vmdk snapshot structure and the implementation of the vmdk snapshot structure in DfVFS.
Yonne de Bruijn <yonne.debruijn=>fox-it.com>


Share digital objects with Persistent Identifiers (PID) in cloud using ICN.

Information Centric Networking (ICN) is a new network paradigm for content delivery. Instead of routing information based on nodes and hosts like in IP networks, ICN routes data content based on unique identifiers assigned to data objects, caching them at selected points in the delivery path from source to destination based on e.g., the frequency of requests. In research data infrastructures, data preservation and the use of Persistent Identifiers (PIDs) to identify specific datasets (and versions of datasets) are important functional requirements for curation prior to and after formal publication, in particular for time series observations. ICN provides a natural architecture for delivering research data products that use PIDs to researchers. 

This project focuses on technical challenges in applying ICN in big data infrastructures. The goal of this project is therefore to evaluate the current Cloud-based ICN solutions and to compare their performance for distributing different PID-augmented objects. This will involve:
  1. Constructing a literature review on technologies, requirements and challenges in applying ICN in big data infrastructures.
  2. Setting up a Cloud-based ICN environment for experiments.
  3. Characterizing the performance of sharing digital objects in different contexts using existing caching strategies.
Zhiming Zhao <z.zhao=>uva.nl>
"D'Acunto, L. (Lucia)" <lucia.dacunto=>tno.nl>
Paul Martin <p.w.martin=>uva.nl>

Rahaf.Mousa <Rahaf.Mousa=>os3.nl>


Collecting, cataloguing and searching performance information of Cloud resources.

Precise information about cloud resource types, service level agreements (SLAs) and provisioning constraints is crucial when developing cloud applications.  Automated discovery of relevant cloud resource information from a pool of available providers, including maintaining an up to date cloud information catalogue, may be of great use in a number of applications; however, such a service is currently not available. Relevant cloud information includes:
  1. Static information collected from cloud providers, including information about the CPU,  memory, and storage available to different kinds of virtual machine (VM) instance. It will be necessary to do some investigation about how to fetch this information (we have set up an example framework to do this).
  2. Performance information including the provisioning overhead for different VM instances and the network performance in one data centre or across different data centers. This information generally cannot be directly retrieved from cloud providers, but is very important for cloud customers wishing to choose the best cloud provider for their particular application and to organize their virtual resources on the Cloud (we have developed an example benchmark to test resources on Amazon EC2.)
The envisaged information catalogue aims to provide a service that can deliver the most up to date cloud resource information to cloud customers to help them use Cloud better. The goal of this project is therefore to:
  1. Investigate the state of the art for cloud performance information retrieval and cataloguing.
  2. Evaluate different methods for obtaining performance information.
  3. Provide a prototype for a cloud information catalogue. 
Zhiming Zhao <z.zhao=>uva.nl>
Arie Taal <a.taal=>uva.nl>

Olaf Elzinga <Olaf.Elzinga=>os3.nl>


Virtual infrastructure partitioning and provisioning under nearly real-time constraints: Arie Taal, Zhiming Zhao

A complex cloud application often requires resources from different data centres or providers, e.g., because of the geographical location of some specific components, particular physical elements in the Internet of Things or a sensor network, or because of limits on the available resources for optimizing system performance or for balancing workloads. Instead of letting cloud providers do the provisioning, some developers need to plan infrastructure directly, and oversee the provisioning in order to optimize system performance or cost based on their own requirements and understanding of their application. Mapping a complex infrastructure on different data centre or providers basically involves several steps: partitioning the graph of the infrastructure, provisioning sub-graphs, and connecting the interstitial network. This project focuses on the first phase of the problem: how to effectively partition an infrastructure graph based on the constraints of data centres, application characteristics, and locations of non-Cloud components. This project therefore focuses on the graph-partitioning problem.

The students will:
  1. Review the state of the art of the problem and the existing algorithms.
  2. Evaluate the key algorithms based on characteristics of specific applications, cloud providers and quality of service (QoS) constraints.
  3. Test a prototype with the parallel provisioning components developed by a researcher in another concurrent project.
Zhiming Zhao <z.zhao=>uva.nl>
Arie Taal <a.taal=>uva.nl>


IoT DOS prevention and corporate responsibility.

The Dyn DOS attacks shows a fundamental problem in internet connected devices. Huge swathes of unpatched and improperly configured devices with access to high bandwidth are misused to bring down inter  What technical prevention and detection methods can organizations employ to make sure that they are not a contributor to this problem? And what can they do once it does appear they are inadvertently contributing to this problem? This would focus on literary research combining research in DoS prevention, asset management, patch management and network monitoring.
Rick van Galen <vanGalen.Rick=>kpmg.nl>


Practical blockchain on mobile devices.

Blockchain technology is currently something that requires a steady source of internet and power, since to be synchronized with the grander blockchain requires frequent receiving  and processing of blockchain data to keep in sync. This currently prevents blockchain technology to be effective in mobile devices, somewhat limiting its use. How would practical blockchain on mobile actually look? And how can this be accomplished? What are the relevant security aspects for this? This goal of this research is to provide a literary overview of the different aspects of making blockchain tech practical on mobile.
Rick van Galen <vanGalen.Rick=>kpmg.nl>


Penetration test dashboarding.

A penetration test is a difficult thing for both penetration tester as the penetration tested. How does the penetration tested really know what is going in their penetration test, and keep in control? How can the tester himself stay up to date on what his/her team members are actually doing?
Penetration testing is a creative process, but it can be dashboarded to some degree. The data is there – mostly in log files – but it requires an extraordinary amount to make this log data understandable in human terms. But, making this understandable can be an automated process using penetration test tooling. But – what information is in fact required to be displayed in this dashboard, and what is the best way of actually showing this data? This research would combine literary research and interviews with the development of a small proof-of-concept.
Rick van Galen <vanGalen.Rick=>kpmg.nl>


Forensic investigation of wearables.

Wearables and especially smartwatches are an unfamiliar area in information risk because of their novelty. At the moment, primary concerns are aimed at privacy issues, but not at information risk issues. However, these devices are an additional display for certain sensitive data (i.e. executive mail, calendars and other notifications), but are not necessarily covered by organizations' existing mobile security processes and technology. In addition, it is often simply much easier to steal a watch or another wearable than it is to steal a phone.

This research focuses on the following question: what value could a wearable have to cyber criminals when it is stolen? What is the data that gets 'left behind' on smartwatches in case of theft, and what information risks do they pose?
Rick van Galen <vanGalen.Rick=>kpmg.nl>


Does a healthy lifestyle harm a cyber healthy lifestyle?

With the “recent” health trend of fitness apps and hardware such as fitbits, combined with the /need/ to share results with friends, family and the world through facebook, runkeeper, strava and other sites we have entered into an era of potential cyber unhealthiness. What potentially valuable information could be retrieved from the web or through bluetooth about people to influence health insurance rates of individuals? Note: this is a broad question, and it is up to the student to choose his/her own liking (e.g. focus on bluetooth security of fitbits/mi’s; identification of individuals through strava/runkeeper posts; quantifying the public sharing of health information; etc. etc.).
Ruud Verbij <Verbij.Ruud=>kpmg.nl>


Internet transport protocol: mdtmFTP across distance at a 100Gb/s.

Internet transport protocol: mdtmFTP is a middleware solution developed by Fermilab to transfer large volumes of data, that may be contained in lost of small files, across long distances using the concept of a Data Transfer Node. At KLM a DTN has been connected to Netherlight allowing experiments with national and international institutes. A research project deploying DTN's to share Big Data is for example the Pacific Research Platform project in which UvA participates. This project should evaluate the capabilities of mdtmFTP across short and long distance and compare it with other of FTP implementations (e.g GridFTP). It should also investigate if the middleware could be adopted to serve other Big Data type applications, e.g. allow data replication in a Hadoop File System across distance.

For more info on mdtmFTP see:
Leon Gommans <Leon.Gommans=>klm.com>


Autonomous Response Orchestration Function for programmable networks

Given the complexity and continuously evolving threat landscape and the speed at which cyber-attacks occur, automation to aid human analysis or execute defensive actions at machine-speed is more and more seen as prerequisite for an effective and efficient approach to cyber resilience. Within the SARNET project, UVA, KLM, Ciena and TNO, are working towards Security Autonomous Response with programmable NETworks (http://delaat.net/sarnet/).

As part of this project, you will work in TNO’s NFV/SDN lab on development of a self-protection module for automatically instantiating network based responses to cyber-attacks (e.g. rerouting traffic and instantiate advanced monitoring, automated containment and recovery of systems). The focus will be on the network orchestration function, although there is also the possibility to work the analytical part for determining the best response to a particular cyber-attack (or security state). In addition, you will work on visualisation for situational awareness and demonstration purposes.
Frank Fransen <frank.fransen=>tno.nl>
Piotr Zuraniewski <piotr.zuraniewski=>tno.nl>

Ronan Loftus <ronan.loftus=>os3.nl>
Arne Zismer <arne.zismer=>os3.nl>


Inventory of smartcard-based healthcare identification solutions in Europe and behond: technology and adoption.

For potential international adoption of Whitebox technology in the future, in particular the technique of patients carrying authorization codes with them to authorize healthcare professionals, we want to make an inventory of the current status of healthcare PKIs and smartcard technology in Europe and if possible also outside Europe.

Many countries have developed health information exchange systems over the last 1-2 decades, most of them without much regard of what other countries are doing, or of international interoperability. However, common to most systems developed today is the development of a (per-country) PKI for credentials, typically smartcards, that are provided to healthcare professionals to allow the health information exchange system to identify these professionals, and to establish their 'role' (or rather: the speciality of a doctor, such as GP, pharmacist, gyneacologist, etc.). We know a few of these smartcard systems, e.g., in Austria and France, but not all of them, and we do not know their degree of adoption.

In this project, we would like students to enquire about and report on the state of the art of healthcare smartcard systems in Europe and possibly outside Europe (e.g., Asia, Russia):
  • what products are rolled out by what companies, backed by what CAs (e.g., governmental, as is the case with the Dutch "UZI" healthcare smartcard)?
  • Is it easy to obtain the relevant CA keys?
  • And what is the adoption rate of these smartcards under GPs, emergency care wards, hospitals, in different countries?
  • What are relevant new developments (e.g., contactless solutions) proposed by major stakeholders or industry players in the market?
Note that this project is probably less technical than usual for an SNE student, although it is technically interesting. For comparison, this project may also be fitting for an MBA student.

For more information, see also (in Dutch): https://whiteboxsystems.nl/sne-projecten/#project-2-onderzoek-adoptie-health-smartcards-in-europa-en-daarbuiten
General introduction
Whitebox Systems is a UvA spin-off company working on a decentralized system for health information exchange. Security and privacy protection are key concerns for the products and standards provided by the company. The main product is the Whitebox, a system owned by doctors (GPs) that is used by the GP to authorize other healthcare professionals so that they - and only they - can retrieve information about a patient when needed. Any data transfer is protected end-to-end; central components and central trust are avoided as much as possible. The system will use a published source model, meaning that although we do not give away copyright, the code can be inspected and validated externally.

The Whitebox is currently transitioning from an authorization model that started with doctor-initiated static connections/authorizations, to a model that includes patient-initiated authorizations. Essentially, patients can use an authorization code (a kind of token) that is generated by the Whitebox, to authorize a healthcare professional at any point of care (e.g., a pharmacist or a hospital). Such a code may become part of a referral letter or a prescription. This transition gives rise to a number of interesting questions, and thus to possible research projects related to the Whitebox design, implementation and use. Two of these projects are described below. If you are interested in these project or have questions about other possibilities, please contact <guido=>whiteboxsystems.nl>.

For a more in-depth description of the projects below (in Dutch), please see https://whiteboxsystems.nl/sne-projecten/
Guido van 't Noordende <g.j.vantnoordende=>uva.nl>


Decentralized trust and key management.

Currently, the Whitebox provides a means for doctors (General Practitioner GPs) to establish static trusted connections with parties they know personally. These connections (essentially, authenticated TLS connections with known, validated keys), once established, can subsequently be used by the GP to authorize the party in question to access particular patient information. Examples are static connections to the GP post which takes care of evening/night and weekend shifts, or to a specific pharmacist. In this model, trust management is intuïtive and direct. However, with dynamic authorizations established by patients (see general description above), a question comes up on whether the underlying (trust) connections between the GP practice (i.e., the Whitebox) and the authorized organization (e.g,. hospital or pharmacist) may be re-usable as a 'trusted' connection by the GP in the future.

The basis question is:
  • what is the degree of trust a doctor can place in (trust) relations that are established by this doctor's patients, when they authorize another healthcare professional?
More in general:
  • what degree of trust that can be placed in relations/connections established by a patient, also in view of possible theft of authorization tokens held by patients?
  • What kind of validation methods can exist for a GP to increase or validate a given trust relation implied by an authorization action of a patient?
Perhaps the problem can be raised to a higher level also: can (public) auditing mechanisms -- for example, using block chains -- be used to help establish and validate trust in organizations (technically: keys of such organizations), in systems that implement decentralized trust-base transactions, like the Whitebox system does?

In this project, the student(s) may either implement part of a solution or design, or model the behavior of a system inspired by the decentralized authorization model of the Whitebox.

As an example: reputation based trust management based on decentralized authorization actions by patients of multiple doctors may be an effective way to establish trust in organization keys, over time. Modeling trust networks may be an interesting contribution to understanding the problem at hand, and could thus be an interesting student project in this context.

NB: this project is a rather advanced/involved design and/or modelling project. Students should be confident on their ability to understand and design/model a complex system in the relatively short timeframe provided by an RP2 project -- this project is not for the faint of heart. Once completed, an excellent implementation or evaluation may become the basis for a research paper.

See also (in Dutch): https://whiteboxsystems.nl/sne-projecten/#project-2-ontwerp-van-een-decentraal-vertrouwensmodel
General introduction
Whitebox Systems is a UvA spin-off company working on a decentralized system for health information exchange. Security and privacy protection are key concerns for the products and standards provided by the company. The main product is the Whitebox, a system owned by doctors (GPs) that is used by the GP to authorize other healthcare professionals so that they - and only they - can retrieve information about a patient when needed. Any data transfer is protected end-to-end; central components and central trust are avoided as much as possible. The system will use a published source model, meaning that although we do not give away copyright, the code can be inspected and validated externally.

The Whitebox is currently transitioning from an authorization model that started with doctor-initiated static connections/authorizations, to a model that includes patient-initiated authorizations. Essentially, patients can use an authorization code (a kind of token) that is generated by the Whitebox, to authorize a healthcare professional at any point of care (e.g., a pharmacist or a hospital). Such a code may become part of a referral letter or a prescription. This transition gives rise to a number of interesting questions, and thus to possible research projects related to the Whitebox design, implementation and use. Two of these projects are described below. If you are interested in these project or have questions about other possibilities, please contact <guido=>whiteboxsystems.nl>.

For a more in-depth description of the projects below (in Dutch), please see https://whiteboxsystems.nl/sne-projecten/
Guido van 't Noordende <g.j.vantnoordende=>uva.nl>



ILA with Docker to create an overlay network.

ILA [1] [2] is an IPv6 based addressing scheme proposed as an alternative to the general way overlay networks are created nowadays - tunneling i.e. transporting original packets as a payload of another protocol.
A student is expected to evaluate the feasibility of using ILA with Docker ecosystem to create an overlay network.
Furthermore focusing on assessing ILA performance in regard to existing overlay approaches e.g. Docker overlay driver [3], Weave [4], Flannel [5]

Lukasz Makowski <l.s.makowski=>uva.nl>
Paola Grosso <P.Grosso>uva.nl>

Tako Marks <Tako.Marks=>os3.nl>


Parallelization of BGP for route server functionality.


To scale peering and make it easier for new customers to immediately exchange traffic over the exchange, AMS-IX operates two instances of a so called route server (RS). A RS can be seen as a route reflector for eBGP. The basic functionality is such that each participant of the RS advertises the prefixes under its control (Network Layer Reachability Information (NLRI)). The route server performs standard BGP path calculations and advertises received prefix reachability to its participants. As the route server does not take part in the actual traffic forwarding, with each route a NEXT HOP is advertised. For further information on RS see the links at the bottom of this document.

Problem Statement: Scaling of RS with number of RS peers

The current implementation of RS at AMS-IX are based on BIRD. For resilience reasons we are currently looking into another implementation based on GoBGP. Both implementations have as a limitation that they are build as single threaded applications, which is more or less inherent to the BGP protocol itself. Because of this, the current implementations reach their usability limits on AMS-IX as the number of adjacencies to the RS keeps growing. Specifically the UPDATE process when for example a large part of the peers need to re-establish a session can take very long and is increasing (> 20 minutes).
In the last couple of years a number of studies has been performed that have looked at parallelisation of the BGP process and sometimes specifically at the UPDATE process. One such study has been references below.

Research project:

AMS-IX would like have researched the possibilities of massive parallelisation of the RS process in order to further scale this service in the future. The research should study existing studies on BGP parallelisation and see if these are applicable to BGP as a RS. If the research concludes that scaling RS functionality this way is feasible the results of the study should also define what need to be done to get to an actual implementation. The actual implementation itself will be a later project.

For information on AMS-IX route server see
Route Server Implementations
Some examples of studies on parallelisation of BGP
Stavros Konstantaras <stavros.konstantaras=>ams-ix.net>
Aris Lambrianidis <aristidis.lambrianidis=>ams-ix.net>

Jenda Brands <Jenda.Brands=>os3.nl>
Patrick deNiet <Patrick.deNiet=>os3.nl>


EBPF based container networking.

Cilium [1] [2] is the project aiming at leveraging Linux kernel EBPF (Extended Berkeley Packet Filtering) mechanism to improve on the container networking complexity and performance. It is expected to provide a higher packet processing rates than the current linux-bridge or iptables based approaches. We are interested in evaluating this technology in the context of performance and multitenancy. In specific, we would like to analyze its ability to express the traffic policies for multitenant environments i.e. assuring the isolation between the flows and preventing the "noisy neighbor" problem.

[1] https://github.com/cilium/cilium
[2] https://docs.google.com/presentation/d/12c4232nkg6i62GDB3IJuWOaolyPCT14aaoqr33TyIE4
Lukasz Makowski <l.s.makowski=>uva.nl>
Paola Grosso <P.Grosso>uva.nl>

Nick de Bruijn <Nick.deBruijn=>os3.nl>


High Bandwidth Network Diagnostics.

Most of the bandwidth generation tools, like iPerf or PKTGEN, are capable of generating high bandwidth (40Gb/s or more) traffic streams. In order to reach maximum throughput most of the bandwidth generation tools rely on UDP to generate traffic in high volumes, and even then have innate limitations to exceed moderately high bandwidth thresholds. When it comes to session oriented protocols, it is even harder to generate a high bandwidth.
Some tools, like PKTGEN, are capable of exceeding the 40Gb/s threshold, but to do so they fore-go offering any meaningful insight or statistics, like re-ordering, jitter or integrity. Other tools do offer some of that insight, but only during a time window of the test, not within a (noisy) base-line environment.
Current tools only test the infrastructure towards a destination. On arrival, the NIC discards the traffic. However, iPerf is client - server based, the traffic is still discarded on arrival. No sessions are kept in memory. The result is the same. The infrastructure is tested and the destination doesn’t have to handle the traffic. 
So the question is: what is needed to perform high bandwidth session based throughput tests and how to go beyond pure network infrastructure testing.
David Groep <davidg=>nikhef.nl>
Tristan Suerink <tsuerink=>nikhef.nl>

Bram ter Borch <Bram.terBorch@os3.nl>



Freenet is an anonymous distributed information storage and retrieval system [1]. Content gets uploaded to nodes which get mirrored over the network. The unique feature of Freenet is that the original uploading node can go offline and users will still be able to access content as it is mirrored on the various research nodes. This decentralised storage makes it difficult for content to be removed from the network. A user will send a request for a file to a node which will then forward it through the network until the file has been found. The nodes do not know if the request has been handed to it by a user or by another node. A node can connect to peers through either the 'opennet' and/or the 'darknet' systems. The former involves a centralised approach where nodes locations are announced to the world, and in the latter decentralised approach a node will only connect to a peer if both sides trust the connection [2]. The darknet should have a higher level op privacy as not all nodes are publicly available.

Both passive (harvesting) and active (DOS) attacks are possible on the network [3] [4]. Conducting measurements in the opennet are feasible despite Freenet's obfuscation techniques [3]. However, no such method has been found for darknet. The research project will focus on finding techniques to map a Freenet darknet network. Possible starting points would be to look at the trusting friends-of-friends setting, protocol analysis and/or source code analysis.
  1. Clarke, I., Sandberg, O., Wiley, B., & Hong, T. W. (2001); Freenet: A distributed anonymous information storage and retrieval system. In Designing Privacy Enhancing Technologies (pp. 46-66). Springer Berlin Heidelberg.
  2. Clarke, I., Sandberg, O., Toseland, M., & Verendel, V. (2010); Private communication through a network of trusted connections: The dark freenet Network.
  3. Roos, S., Schiller, B., Hacker, S., & Strufe, T. (2014, July). Measuring freenet in the wild: Censorship-resilience under observation. In International Symposium on Privacy Enhancing Technologies Symposium (pp. 263-282). Springer International Publishing.
  4. Evans, N. S., GauthierDickey, C., & Grothoff, C. (2007, December). Routing in the dark: Pitch black. In Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual (pp. 305-314). IEEE.
Yonne de Bruijn <yonne.debruijn=>fox-it.com>
Lennart Haagsma <haagsma=>fox-it.com>

Kees Halvemaan <Kees.Halvemaan=>os3.nl>


Protocol agnostic bruteforce detection across many servers.

Bruteforcing of credentials and the current trend of credential testing using data from breaches is a problem for many organizations. Logging of successful and failed attempts will help but probably still hard to detect bruteforce attempts over multiple systems or services.

A network sensor (for example using Bro) can extract login attempts easily from network traffic (eg: HTTP Basic Auth, Kerberos/NTLM) and can be easily extended using custom policies for other sources. The idea is that when you can detect successful and failed login attempts and you log this to a central system you could determine if a specific account is being bruteforced and maybe even determine if a one or more source addresses are bruteforcing other accounts as well.

For example, the opensource project weakforced is aimed to accomplish this.
Excerpt from the project:
The goal of 'wforce' is to detect brute forcing of passwords across many servers, services and instances. In order to support the real world, brute force detection policy can be tailored to deal with "bulk,  but legitimate" users of your service, as well as botnet-wide slowscans of passwords.

The goal is to research/implement the feasibility of weakforced or maybe some other tool in combination of logs feeded from a network sensor to detect bruteforce accross multiple servers.

Use cases
  1. Case 1
    • Company X provides a website and mobile application where customers can login. However a large amount of login attempts are coming from the internet against the server that handles the mobile application. After analysis it seems that someone is performing credential testing over multiple source ip addresses. After days of analysis the attacker was blocked, however the attacker later continued his efforts on the website itself. The analysts had problems determining which ip addresses were malicious, and was also hard to tell which were actually "compromised". A central system could have helped with the investigation and maybe even already provide a list of malicious ip addresses and accounts that are compromised by the attacker.
  2. Case 2 
    • Company Y's internal network seems to have been breached, after some weird activity on the network it seems that an attacker gained access by using compromised VPN credentials. When looking at the logs it seems that the compromise could have been detected way earlier as the attacker's tried to login using multiple different accounts in a short time period using the same ip address.
Yun Zheng Hu <hu=>fox-it.com>


Behavioral analysis through the hypervisor

Dynamic analysis is often used to gain more insight into the functionality and behavior of malicious (or not-so-malicious) samples. Most sandboxes and dynamic analysis solutions use various hooking techniques or the OS debugging APIs to for example monitor API calls or interact with the execution flow. Various issues arise:
  • the confidentiality and integrity of the analysis tooling and its output can’t be guaranteed
  • analyzing kernel-mode code from tooling running on top of that kernel doesn’t work too well
The goal is therefore to research and develop a monitoring and instrumentation API using hypervisor-level debugging functionality.
Mitchel Sahertian <sahertian=>fox-it.com>


Bitcoin intelligence collection.

Intelligence collected from a large number of sources help to provide context and insight in various scenarios, for example:
•    Contextual querying in (Forensic) Investigations
•    Activity of malicious actors are tracked and subsequently turned into indicators of compromise that can be used to detect and counter malicious activity.
The decentral and anonymous Bitcoin currency is exploited by actors with malicious intentions. The goal is to research the metadata that is available on a node within the Bitcoin network, and to develop code that structures and provides a real-time feed of this metadata.
Mitchel Sahertian <sahertian=>fox-it.com>


Fingerprinting DDoS attack and determining the threat actor behind the attack.

Fox-IT has access to a system that observes ongoing DDoS attacks. The current system is able to identify the intended target of the attack but is unable to detects its origin nor link multiple attacks to a single attacker.
The goal of the research is to identify ‘features’ / characteristics in the DDoS packets that combined, can be used to link various attacks together as being generated from the same botnet / boot service / attack script. These characteristics can be fed back into the DDoS observer to classify future and historical attacks. For this research Fox-IT will provide snippets of DDoS traffic in from of PCAP data for the researcher to study.  The focus will be on reflective amplification attacks, such as: DNS. Chargen, Portmap, SNMP, SSDP etc.
Lennart Haagsma <haagsma=>fox-it.com>

Fons Mijnen <Fons.Mijnen=>os3.nl>
Max Grim <Max.Grim=>os3.nl>


Research into darkweb scraping.

The darkweb contains among others tons of information about illegal activity, which might be interesting from an intelligence perspective. The intelligence can be used to monitor activity related to specific high profile organizations, or specific threat actors. Since there are a lot of different types of websites, with sometimes unique subscriber requirements it is hard to scrape these websites. In some cases an existing member has to vouch for a new member, users have to post at least once a month a message on the website (otherwise they will be banned), you have to pay in bitcoins to get access etc.
The goal of this research project is to come up with a theoretical framework for scraping (potentially) interesting darkweb websites, taking into account the different kind of subscription models and subscriber requirements. For this research project it is not required to develop a PoC.
Krijn de Mik <mik=>fox-it.com>


LDBC Graphalytics.

LDBC Graphalytics, is a mature, industrial-grade benchmark for graph-processing platforms. It consists of six deterministic algorithms, standard datasets, synthetic dataset generators, and reference output, that enable the objective comparison of graph analysis platforms. Its test harness produces deep metrics that quantify multiple kinds of system scalability, such as horizontal/vertical and weak/strong, and of robustness, such as failures and performance variability. The benchmark comes with open-source software for generating data and monitoring performance.

Until recently, graph processing used only common big data infrastructure, that is, with much local and remote memory per core and storage on disk. However, operating separate HPC and big data infrastructures is increasingly more unsustainable. The energy and (human) resource costs far exceed what most organizations can afford. Instead, we see a convergence between big data and HPC infrastructure.
For example, next-generation HPC infrastructure includes more cores and hardware threads than ever-before. This leads to a large search space for application-developers to explore, when adapting their workloads to the platform.

To take a step towards a better understanding of performance for graph processing platforms on next-generation HPC infrastructure, we would like to work together with 3-5 students on the following topics:
  1. How to configure graph processing platforms to efficiently run on many/multi-core devices, such as the Intel Knights Landing, which exhibits configurable and dynamic behavior?
  2. How to evaluate the performance of modern many-core platforms, such as the NVIDIA Tesla?
  3. How to setup a fair, reproducible experiment to compare and benchmark graph-processing platforms?
Alex Uta <a.uta=>vu.nl>
Marc X. Makkes <m.x.makkes=>vu.nl>


ICS/SCADA monitoring system.

Interconnected ICS/SCADA systems around the world are exposed to risk due to lack of security countermeasures or misconfiguration issues. This project aims to regularly perform online scanning on the country i.e. (Netherlands) to identify permanent or mistakenly interconnected ICS/SCADA systems by recognizing default ICS ports, vendors’ interfaces and online search engines’ results.

Required area of expertise: Hacking

More info: http://werkenbijdeloitte.nl/cyber-graduate

"van Essen, Tim (NL - Amsterdam)" <TvanEssen=>deloitte.nl>

Kenneth van Rijsbergen <Kenneth.vanRijsbergen=>os3.nl>


Normal traffic flow information distribution to detect malicious traffic.

In the era of an increasingly encrypted communication it is getting harder to distinguish normal from malicious traffic. Deep packet inspection is no longer an option, unless the trusted certificate store of the monitored clients is altered. However, Netflow data might still be able to provide relevant information about the parties involved in the communication and the traffic volumes they exchange. So would it be possible to tell apart ill-intentioned traffic by looking only at the flows and using a little help from the content providers, like for example website owners and mobile application vendors?

The basic idea is to research a framework or a data interchange format between the content providers, described above, and the monitoring devices. Both in the case of a website and a mobile application such a description can be used to list the authorised online resources that should be used and what is the relative distribution of the traffic between them. If such a framework proves to be successful, it can help in alerting for covert channel malware communication, cross-site scripting and all other types of network communication not initially intended by the original content provider.

Kristiyan Mladenov <kristiyan.mladenov@os3.nl>


Segment routing in container overlay networks.


Segment routing is aimed at simplifying control over forwarding paths, without requiring additional protocols or path signaling.  It can be used to implement traffic engineering, network service chaining, and other SDN-like features on MPLS and IPv6 data planes.  Vendors such as Cisco and Juniper offer services like VPNs based on segment routing.

Cilium is a Linux native engine for providing transparent and secure connectivity between containers. It offers a single flat layer 3 network which can span multiple clusters.  Currently its overlay networks are based on VXLAN/Geneve/GRE.

The aim of this project will be to:

  • Research the applicability of segment routing/SRv6 in the context of container overlay networks
  • Building a proof-of-concept using Cilium/eBPF


  • http://www.segment-routing.net/
  • https://github.com/cilium/cilium
NB: RP84 is looking at the current implementation of Cilium. However, I don't think there would be a lot of overlap between our projects.  My intention is to simply use it as an experimentation platform.
Marijke Kaat <Marijke.Kaat=>surfnet.nl>

Ben de Graaff <ben.degraaff=>os3.nl>


Unintended information leakage via metadata.

Metadata can contain an abundance of information about an organization (such as detailes about the creation of files, usernames, software, file location, etc.). The goal of this research is to examine what kinds of metadata from Dutch governmental and semi-governmental websites such as those of ministries, municipalities, educational organizations and hospitals can be found online by parsing documents published on their websites. After gathering that information from hundreds of (semi-)governmental websites, it is analyzed and quantified;
  • How much information does the government leak in general?
Eventually, I will interpret the results and come up with recommendations. For example:
  • What could bad attackers do with this information (i.e. can they, for example, use the information to pinpoint weak spots in the Dutch government)?
  • How "good" or "bad" is the current situation?

Previous work, added value of the research.

Although metadata analysis tools do exist and research has been done in how it can be used for bad purposes, no prior research has been done to examine the metadata of the Dutch government. In fact, it is impossible to even find any research analyzing metadata of any foreign government, either. This research can help the Dutch government understand what their current state of affairs is, and, in times of cyber espionage and cyber warfare, help build the digital defense of the Netherlands as a nation. The techniques used, and the analysis and recommendations proposed in this research are made fully open source, so that it is also directly applicable to non-governmental organizations, or foreign governments, who can use this as a starting point for examining their own metadata exposure.
Auke Zwaan <Auke.Zwaan=>os3.nl>




I hereby would like to invite you to the annual RP2 presentations, where the SNE students will be presenting their research. Considering the wide variety of presentations the day promises to be very interesting and we hope you will join us.
Program (Printer friendly version: HTML, PDF) :
The event is stretched over two days: Wednesday-Thursday July 5-6, 2017. Wednesday July 5, 2017, Auditorium C0.110, FNWI, Sciencepark 904, Amsterdam.
Time D #RP Title Name(s) LOC
RP #stds

Welcome, introduction. Cees de Laat

10h20 20

10h40 20

11h00 20

11h20 25

11h45 25



13h00 25

13h25 20

14h45 25

14h10 15
bio break

14h25 20

14h45 25

15h10 25

15h35 15

15h50 25

16h15 20

16h35 25



Thursday July 6, 2017, Auditorium C0.110, FNWI, Sciencepark 904, Amsterdam.
Time D #RP Title Name(s) LOC
RP #stds

Welcome, introduction. Cees de Laat

10h20 20

10h40 20

11h00 20

11h20 25

11h45 25



13h00 25

13h25 20

14h45 25

14h10 15
bio break

14h25 20

14h45 25

15h10 25

15h35 15

15h50 25

16h15 20

16h35 25




Program (Printer friendly version: HTML, PDF) : Monday feb 6th, 13h00 - 1700 in B.1.23 at Science Park 904 NL-1098XH Amsterdam.
(all presentations are 20 minutes for single and 25 minutes for pairs of students.)

Time D #RP Title Name(s) LOC
RP #stds

Welcome, introduction. Cees de Laat

13h05 25 19
Extending the range of NFC capable devices. Sandino Moeniralam, Bart Hermans KPMG 1
13h30 25 45
Attacks on Android 7 File Based Encryption. Marwin Baumann, Ronan Loftus KPMG 1
13h55 25 24
Automatic comparison of photo response non uniformity (PRNU) on Youtube. Marcel Brouwers, Rahaf Mousa NFI 1
14h20 20
bio break

14h40 25 63
Automated Windows testlab deployment. Vincent van Dongen, Fons Mijnen Outflank 1
15h05 25 37
Security and Performance Analysis of (Encrypted) NoSQL Databases. Abe Wiersma, Max Grim SNE 1
15h30 25 52
Dynamic profiles for malware communication.
Joao Carlos de Novais Marques, Mick Cox Deloitte 1
15h55 15

16h10 25 55
Defenses against tor website fingerprinting deanonymization attacks. Kees Halvemaan, Tako Marks Securify 1
16h35 25 59 Techniques for detecting compromised IoT devices. Ivo van der Elzen, Jeroen van Heugten SURFnet 1


Tuesday feb 7th, 11h00 - 15h05 in room B1.23
at Science Park 904 NL-1098XH Amsterdam.
Time D #RP Title Name(s) LOC RP #stds

Welcome, introduction. Cees de Laat

11h05 25 33
Building an IPS solution for inline usage during Red Teaming..
Arne Zismer, Kristiyan Mladenov Deloitte 1
11h30 25 51
Advantages of anomaly detection between a controlling unit and its process devices for Industrial Control Systems Rick Lahaye, Anouk Boukema Deloitte 1


13h00 20 58
Using a SIM card to authenticate for eduroam. Alexander Blaauwgeers SURFnet 1
13h20 20 67
Browser forensics: Adblocker extensions. Willem Rens Fox-IT 1
13h40 25 64 Reliable Library Identification Using VMI Techniques. Leandro Velasco, Nick de Bruijn SNE 1
14h05 15
bio break

14h20 20 71
Collecting, cataloguing and searching performance information of Cloud resources. Olaf Elzinga SNE 2
14h40 25 7 Thinking in possibilities for federated Log Out. Marcel den Reijer, Fouad Makioui SURFnet 1


Out of normal schedule presentations:
Room B1.23
at Science Park 904 NL-1098XH Amsterdam.
Date Time Place D #RP Title Name(s) LOC RP #stds
2016-11-23 15h00
B1.23 20 60
A decentralized system for automatic exchange of policies for BGP configurations.
Stamatios Maritsas NLNET
2016-12-22 11h00
B1.23 20 66
SURFWireless Energy Consumption. Jeroen van Leur

B1.23 20