Why a Project?
This course covers a very large discipline, and - perhaps more so
than many other areas of computer science - the discipline of
computer security runs through many other areas. Because the class
has a very limited amount of time, we will only touch the surface
of many topics. The project gives you an opportunity to explore one
of these topics, or some other area or application of computer
security that interests you, in some depth. The specific goal of
the project is to produce a paper. The paper may document software
(or hardware) work, so you may choose that kind of project. The
paper must either be of publishable quality, or be publishable
should some (small amount) of additional work be done. You are free
to work singly or in groups. Groups should have between 2 and 4
people; if you want to have more than 4, please check with me
Suggestions for How to Proceed
First, choose a topic. Good ways to find a topic are to think about
an area of computer science you enjoy, and try to relate it to
computer security (or vice versa); talk to some other graduate
students and see if what they are doing suggests any ideas; think
of ways security of the system you're working on could be made
better; go to the library and browse for an interesting-looking
paper; and so forth. The major computer security journals are
Computers & Security,
the Journal of Computer Security
and the ACM Transactions on Information and System Security,
but articles appear in almost all journals; the major conferences are
the IEEE Symposium on Research in Security and Privacy,
the National Computer Security Conference
(also known as the National Information System Security Conference),
Annual Computer Security Applications Conference.
If you need more help or have questions, feel free to talk to me.
Some Suggestions for Project and Report Topics
The following are just to get you thinking. You will need to do
much refinement for each!
- Analyze your favorite Internet or network protocol with respect
to specific security requirements. Is it adequate, or should changes
be made to enhance its ability to meet stated goals?
- UC Davis has an electronic mail security policy. Is it reasonable
or realistic? What are the legal implications? Could you improve
it from the point of view of system administration?
- Look at attack signatures and derive a little language to capture
some class of them. Can you generalize your language to include as
many attacks as possible? Focus on the temporal aspects.
- Add temporal logic to the Take-Grant Protection Model.
- The non-interference and non-deducibility results are related
to multi-level security used to protect confidentiality. Can you
either extend those results to the Biba integrity model, or set up
a similar notion for integrity-based or availability-based models?
- How would you look for non-secure settings of environment
variables in an executing program? Can you develop a wrapper that
will check those values whenever a subprocess is spawned? (The
motive here is that we may not have access to the source code, but
can wrap the program so when it executes, the wrapper controls
execution and can stop the wrapped program to check state.) You may
need to hack a kernel to do this.
- Pick a class of vulnerabilities, analyze it, and design tools
to check for those problems in program. Substantiate any claims of
success by implementing a prototype and using it.
- Take a popular security tool and improve it by adding to it,
simplifying the user interface, or in some other fashion. Support
your claim of having improved it with some tests to demonstrate the
new tool does work better.
- Or whatever you think you will find interesting ...
What Is Due When
All submissions are to be made through MyUCDavis.
- Tuesday, April 13
By this time you should have chosen your project. Turn in
a 2-3 paragraph write-up of what you want to do, and why; list
several sources (at least 3), and describe how you plan to go
about completing the project.
- Tuesday, June 8
Your completed project is due.
Here is a PDF version of this document.