Analyzing security of ECG biometrics (available)

Biometric systems rely on physiological or behavioural characteristics that can be measured by sensors to verify identity. Electrocardiogram (ECG)-based biometrics is one of the new and most promising types. ECG signals measure the electrical activity of the heart and several studies have found them suitable for human identification. To match the signals with the registered … full description “Analyzing security of ECG biometrics (available)”

Author Attribution of Binaries (available)

Attributing binaries, whether malicious or benign, is a difficult and time consuming task however, there is an increase demand for this either for attributing cyber attacks or preventing plagiarism. The goal of this project is to use machine learning to predict authorship of binaries. You will use a corpus of open source software either for … full description “Author Attribution of Binaries (available)”

Automatic Patch-based Exploit Generation (available)

When a vulnerability is found, it generally goes through a responsible disclosure process. This means that the vendor will be contacted to write a fix before the vulnerability is made public. The patch will be pushed to its users and the vulnerability details become public. In theory, this is a safe process for vulnerability exposure … full description “Automatic Patch-based Exploit Generation (available)”

Building a dataset of IoT device firmwares (available)

Performing security analysis of IoT devices is often expensive as it requires purchasing the IoT device, which is not practical at scale. To avoid this some researchers perform security analysis over the apps used by those IoT devices. Although this analysis can be useful it has some limitations as only one element of the ecosystem … full description “Building a dataset of IoT device firmwares (available)”

Building an internal malware repository (available)

The goal of the project is to build a malware repository that can be queried internally by members of S3Lab using a consistent web interface or API, similarly to existing malware repository (e.g., VirusTotal, VirusShare), but for internal use only. In the first phases of the project, the student will need to interact with members … full description “Building an internal malware repository (available)”

Control-flow graphs for Automatic-Exploit Generation (available)

Research has shifted over the years when it comes to binary exploitation. With more accurate and practical implementations of Control-flow Integrity (CFI) [1][2], the question arises as to what attack surface is still available – and how to exploit it. In particular, what attacks can be performed when staying within the boundaries of a (perfect) … full description “Control-flow graphs for Automatic-Exploit Generation (available)”

Detecting broken security in hybrid Android apps (completed)

Many modern Android applications make use of a webview – a component providing easy access to the rendering engine and JavaScript interpreter of a full browser. The content shown by a webview can be loaded from a local resource or a remote server via HTTP and integrates seamlessly with the app. Webviews are popular with developers, … full description “Detecting broken security in hybrid Android apps (completed)”

Disassembling x86 binaries for static analysis and reverse engineering (completed)

The Jakstab static analyser for binaries automatically disassembles x86 binaries for Windows or Linux and reconstructs a control flow graph. It is particularly effective on targets that have been obfuscated with various tricks that throw off regular disassemblers such as IDA Pro. Jakstab disassembles one instruction at a time, translates it into an intermediate language, and then … full description “Disassembling x86 binaries for static analysis and reverse engineering (completed)”

Invisible Malware using Intel SGX Enclaves (completed)

A fundamental security problem when hosting applications on cloud platforms is the increased risk of sensitive data loss (e.g. due to negligent or malicious employees of the cloud provider). An exciting approach to mitigating such attacks are new trusted execution environments (e.g. Intel SGX), recently available on commodity CPUs. Intel SGX allows users to create … full description “Invisible Malware using Intel SGX Enclaves (completed)”

Machine Learning vs Machine Learning in Malware Evasion (available)

Machine learning is a popular approach to signature-less malware detection because it can generalize to new (unseen) malware families. Some recent works have proposed the use of AI/ML-powered malware to bypass machine learning anti-malware systems. The goal of the project is to model the system of malware vs anti-malware systems as two opponents using various … full description “Machine Learning vs Machine Learning in Malware Evasion (available)”

Mitigating Anti-Sandboxing Tricks used by Malware (available)

Aims: Detecting and Mitigating some Evasion Techniques used by Malware Background: Several malware samples exploit advanced tactics to detect whether they are run in a sandboxed/virtual analysis environment. In such cases, malware samples do not perform any malicious actions to evade analysis and detection by security researchers. The goal of the project is to analyse … full description “Mitigating Anti-Sandboxing Tricks used by Malware (available)”

Predicting Debug Symbols for Closed Source Binaries (completed)

Reverse engineering binaries, whether malicious or benign, is made more difficult by the absence of debug information. Variables and functions have had their identifiers “stripped”, so reverse engineers have to manually name them during analysis based on human understanding of the code functionality. The goal of this project is to use machine learning to predict … full description “Predicting Debug Symbols for Closed Source Binaries (completed)”

Security Evaluation of Broadcasting Network – Protecting the Entertainment Media (available)

Project Description With an increase in the use of internet technologies in various fields, the traditional broadcasting industry also started to adopt systems, software and services based on internet technologies to provide their contents to viewers. Most of the connected media devices deployed still tend to have a low-security threshold inherited from the era of … full description “Security Evaluation of Broadcasting Network – Protecting the Entertainment Media (available)”

System Provenance Collection from a Client Workstation (completed)

A client workstation in an enterprise network is used by individual employees. They use this workstation to perform different activities, including accessing the data stored in the enterprise data repositories (i.e., Database). These activities, which relate to accessing the data and then using it on a workstation are the crucial missing element in data compliance … full description “System Provenance Collection from a Client Workstation (completed)”

System Provenance Collection from a Database Server (completed)

A database server is a collection of an Operating System (OS) at its core that hosts a database – accessible from various services and devices in an enterprise network. The activities observed on the database server are of immense importance to show compliance with data governance policies. A crucial element of such a compliance is … full description “System Provenance Collection from a Database Server (completed)”

Virtual Trusted Platform Module (vTPM) Migration in Cloud Environments (completed)

TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate a computer platform. For instance, a TPM can be used to store platform measurements that help ensure that the platform remains trustworthy. Authentication (ensuring that the platform can prove that it is what it claims to be) and … full description “Virtual Trusted Platform Module (vTPM) Migration in Cloud Environments (completed)”

WebAssembly-based microarchitectural covert channel attacks: capabilities, proof-of-concept, and implications (available)

WebAssembly-based microarchitectural covert channel attacks: capabilities, proof-of-concept, and implications   Microarchitectural covert channels are a threat to data confidentiality in multi-tenant environments (cloud platform, mobile phone, etc.). This type of leakage channel aims at tunnelling information across isolation boundaries (sandboxing, censorship, etc.) by exploiting timing variations during program execution. Indeed, the state of microarchitectural components … full description “WebAssembly-based microarchitectural covert channel attacks: capabilities, proof-of-concept, and implications (available)”