Topics for Ba/Ma thesis or research internship
Below are some ideas for topics for your Bachelor/Master thesis or Research
Internship.
As you go down the list below, the proposals get older, but they are
still useful to get ideas for possible directions: if an older
idea appeals to you, there are often possibilities for newer
follow-up projects in a similar vein, with the same supervisor or,
in the case of external projects, at the same external organisation.
NB You should start talking to people well before
- i.e. several months before - you want to start! If you want to
do an external project outside the university,
you can look for such opportunities by yourself, but
staff members of the Digital Security group may also
have useful contacts for this, so talk to them.
For instance, the companies and organisations listed on the TRU/e website often have options for projects.
For more general info about administrative procedures
see the Master Thesis webpage or
Research
Internship webpage.
Most of the project ideas on this webpage are geared towards
students doing the TRU/e master specialisation in Cyber security.
If you are doing the Master Information Science also check out
the webpage with
Information Science
projects.
Looking at the personal home pages of
staff members in the Digital Security group
may also give some ideas.
There may also be opportunities at the
Radboud iHUB (Interdisciplinary Hub for Security, Privacy and Data Governance).
Some staff members maintain their own list of thesis topics, e.g.
Jaap-Henk Hoepman.
If you're interested in the organisational side of cyber
security, consider joining the PvIB, the Dutch professional organisation
for information security. Student membership costs
10 euros and allows free participation in all events, incl.
the PvIB Young Professional Events. Nearly all these events are in
Dutch, so this is only for Dutchophones.
Other sources of inspiration:
the archive of MSc theses
and
the
archive of Bachelor theses.
- Possible research internship on Attribute-Based Encryption
(ABE).
Attribute-based encryption (ABE) is a cryptographic primitive that
allows access control already at the cryptographic level. Unlike
public-key encryption, ABE schemes allow encrypting messages to
multiple receivers. A plaintext can be encrypted and sent to all
parties who can satisfy a policy expressed in terms of attributes.
Since 2004, many schemes have been proposed to improve both the theory
and applicability of ABE. On the one hand, theoretical challenges
include the modelling of often counter-intuitive concepts around ABE as
well as the cryptographic implementation of contrasting requirements. On
the other hand, there are many practical challenges. Some content, for
instance, stored in the cloud encrypted with some attributes can only be
decrypted by the appropriate parties (sometimes only in the future).
Also, ABE is relevant in storing medical data. Different parts of such
information can be encrypted with different attribute policies, which
enables various medical staff to access data that are pertinent for them.
Currently, we are working on a deeper understanding of the entire ABE
landscape. In this effort, we systemise all relevant schemes. This is a
much needed goal because of the variety of schemes and the confusion
that surrounds ABE. As the field is dynamically evolving while already
many established concepts are available, this is a good point in time to
create an online, public catalogue of ABE schemes and characteristics.
In this research internship, you will have the opportunity to get
acquainted with an important cryptographic research field and to find
the best way to represent it on the web. The initial content will
already be included in the database. You will also propose an easy and
user-friendly way for other researchers to add new ABE schemes in the
future.
Contact Greg Alpar g.alpar@cs.ru.nl.
-
If you're interested in secure multi-party computation (and you
liked the Cryptographic Protocols course
by Berry Schoenmakers in Eindhoven), talk to
Asli Bay in Nijmegen for a possible research internship
or master thesis in that area. Asli is in room 03.20 in
Mercator; just drop by her office or email her at a.bay@cs.ru.nl.
-
If you are interested in working on a topic from physical security such
as side-channel analysis and countermeasures, fault analysis, etc.,
several topics are possible depending on your interests. You could
be applying e.g. machine learning techniques or implementing
countermeasures or simply attacking crypto algorithms on various
platforms. The projects can be carried out at the university side
(working in our side-channel lab) or at Riscure as internships.
Contact: Lejla Batina.
- At SURFnet in Utrecht there are typically some possibilities
for doing a research internship or Master thesis: see
SURFnet's project page.
- If you're interested in both security and in data science,
Alex Serban has some topics in using
machine learning defensively (to analyse malware) or
offensively (to attack systems that use machine learning):
-
Using convolutional neural networks for malware authorship attribution.
In authorship attribution the goal is to figure out which actor, e.g. which of the known APT groups, has produced some new piece of malware, using similarities with known malware samples.
Current techniques use the output of antivirus programs to automatically attribute malware to author groups.
This project will investigate using techniques for malware detection on binaries (e.g. Malconv)
for malware authorship attribution.
We have access to a large data set of malware by state actors
that can be used for this.
-
Using Bayesian optimization methods for black box attacks against machine learning systems.
Recent developments have seen many methods to attack machine learning systems (e.g. generating adversarial examples designed to fool a classifier).
However, most techniques assume full knowledge of the system under attack, restricting their use in security contexts.
This project will investigate the use of Bayesian optimization in creating black box attacks against machine learning models.
- For a research internship: define a model to evaluate
the security of various solutions for "data vaults" for
personal data, such as
Digi.me,
Ockto.nl,
UwKluis, etc.
A rigorous comparison also requires coming up with a well-defined
attacker model as a basis for the evaluation.
Contact: Bart Jacobs.
- For research internship or MSc thesis Information
Science:
Privacy and security are essential for modern high-tech systems, such as
cars, trains, and medical devices. These requirements shall be addressed in
system architectures without compromising safety. A systematic approach to
considering them includes identifying relevant stakeholders, system parameters,
aspects, and building blocks. Tracing and tracking links between them and
agreements between owners of solution elements are important for
highlighting how decisions taken in one part impact others.
This assignment focuses on privacy concerns within product
security. Exemplary questions include:
- Which privacy patterns exist on the level of architectural templates?
- Can some approaches, like Logical Thinking Process (LTP) that is aimed
at focused improvements, contribute to introducing privacy into product
development?
- How do privacy requirements concern the edge gateway that links systems,
such as cars or trains, to the cloud?
- How to reason about distributing or relocating data storage and
processing with respect to the gateway? How to deal with
privacy/utility/overhead tradeoffs?
This assignment takes place in the context of a large EU project.
This research project is a part of TNO-ESI (www.esi.nl) and RU
collaboration. You will familiarize yourself with Model-based system
architecting methodology (MBSA) of TNO and use a corresponding tool for
visualization and validation purposes. You could spend 1 day a week
at TNO for this. Supervision will be by Zeki Erkin (RU) and Alexsandr Vasenev (TNO). For more info, contact Zeki Erkin, who is in Nijmegen
1 day/week, typically on Mondays.
-
(Also possible as Research Internship or MSc thesis Information
Science):
Investigate some representative projects proposing to use blockchains for
various applications
(e.g. taken from this list of blockchain projects)
to analyse if the projects are successful and if the proposed
use of the technology makes sense (e.g. in the light of
decision schemes for blockchain applications and papers
such as
this
and
this).
Talk to Tommy Koens or Erik Poll. (Tommy works at ING and is in Nijmegen as external PhD once a week.)
- SIDN, the foundation in charge of the
.nl domain, are based in Arnhem. They have a research lab
there, called SIDN labs, that
works on the security and stability of the internet and new
developments for the future internet.
The
blog of SIDN labs gives a good indication of possible topics.
- Irdeto in Hoofddorp has MSc projects in the areas of
Penetration testing,
Media security,
Automotive security,
Cloud Security,
Reverse Engineering, and
Cyber Forensic Investigations.
The project would suit students with knowledge of
network and security protocols and
some familiarity with pentesting or digital forensics,
and scripting languages like python.
Contact: Amanda Kop
-
Detecting security vulnerabilities in C-code using machine learning; project at the company Riscure. More info on Harald Vranken's MSc project page.
Harald Vranken works at the OU but is in Nijmegen on Fridays.
This could be a project at the company Riscure.
-
Energy analysis of connected and automated vehicles. (Project at the
Dutch Road Transport agency RDW.)
More info on Harald Vranken's MSc project page.
-
Research internship project: Exploring the energy-mix of bitcoin mining
Bitcoin relies on vast amounts of distributed computing
power to ensure the integrity of the blockchain that records
the history of bitcoin transactions, and hence consumes a
huge amount of energy (see e.g. this
article by Harald Vranken).
Researchers have estimated that
bitcoin mining consumes about 1% of the worldwide
electricity production.
An interesting question is what the carbon footprint of
bitcoin mining is, or phrased differently, what
the impact of bitcoin mining is on the environment.
Some bitcoin miners obtain their electricity from coal-fueled
power plants, while others rely on more sustainable, renewable
energy sources such as solar, wind, hydro, or geothermic
energy. It is however not clear at the moment what mix of
energy sources is used in bitcoin mining. The goal of the
research project is to estimate this energy mix.
For more info, contact Harald Vranken
who also works at the OU but is in Nijmegen on Fridays.
-
Also for Information Science students:
at RDW (the Road Transport Agency of the Dutch government) there is
the option to investigate the energy use of the computation and
communication needs of connected and/or automated vehicles.
For more info, contact Harald Vranken
who also works at the OU but is in Nijmegen on Fridays.
-
SURFnet, who use OpenVPN for the eduVPN solution they provide
to all students and employees of Dutch universities, and
-
Fox-IT, who make the open source OpenVPN-NL implementation for
the Dutch government's national communications security agency
NBV (aka NL-NCSA).
The project could be done externally at SURFnet in Utrecht.
Ideally, the results would contribute to an RFC for OpenVPN, that
the parties above are working on.
A more practical direction, more for a research internship,
would be looking at possibilities to generate some code from
specs (e.g. for a more modern alternative to C/C++, such as Go or Rust)
or try out/extend new tools such as
Hammer parser combinators
and
Nail
to see how convenient a parser can be built with that.
Another direction would be to look into formal verification of
(aspects of) a specification and/or implementation.
Contact Jan Tretmans or Erik Poll.
- Software house InfoSupport
has several options; see also here or here.
- TNO is looking for students for projects on
Automated analysis of cyber-attacks using attack-defence graphs in Groningen
and on
Autonomous Response Orchestration for
programmable networks in The Hague.
- For Information and Computer Science:
NEDAP in Groenlo has several opportunities for thesis projects:
More info
- Ideas of Hugo Jonker (who works at the OU but is in Nijmegen on Fridays):
- Ensuring security of generated code.
The
Ampersand
tool generates
an information system from a design. The project,
co-supervised by prof. dr.
Stef Joosten, consists of investigating and improving
security of the
generated code, and proving security claims of the generated
code.
- Adblock-detection.
Together with researchers from Rice University (USA), we are
investigating
the extent to which websites are detecting adblocking, the
rate at which
adblockers and websites update their tricks to outdo one
another, etc.
-
Telling a webbrowser from a webcrawler.
Various researchers and companies are using webcrawlers to
gather
information from the internet. However, some sites might want
to show a
crawler (e.g. Google's crawler) a different result than
normal users. Other
sites might try to ban crawlers, or show them bogus
information. This brings
to mind various questions: to what extent are websites trying
to detect and
distinguish webcrawlers from "actual" traffic? Can a
webcrawler detect that
such measures are in place (i.e., detect when the data it
collected is
suspect)? Is it possible to distinguish between a headless
browser, a
scripted browser, and a browser in use? Etc.
-
Crawling with fake fingerprints.
Web sites know more and more about the users who visit them.
They tailor
their pages to the individual visitor based on this. If a
web crawler visits
such a page, there might be some adaptation going on as
well. This project
seeks to investigate such adaptations and augment a web
crawling
infrastructure to control the fingerprint visible to the
visited web site.
- Compumatica in Uden
develops high-end network security solutions.
One topic for an MSc thesis would be exploring the possibilities of a
Cavium OCTEON network accelerator, esp. how the
multi-core capabilities of this network accelerator can be used in
order to maximize the degree of parallelism that can be used when
processing packets, incl. ensuring encryption and integrity
checks, e.g. using IPSEC. This requires C/C++ programming skills.
Another topic would be comparing different open source Mandatory
access control (MAC) solutions (e.g. SELinux, grsecurity, apparmor,
TOMOYO and Smack) in the context of an embedded firewall,
also wrt. the performance impact in a heterogeneous system that includes
a hardware accelerator and other components such as smartcards.
Contact Peter Schwabe to get in touch with the folks at Compumatica.
- If you want to do your Master thesis at one of the Max Planck
institutes in Germany, e.g. the Security & Privacy group in Saarbrücken: there are
Radboud Max Planck Internships for this. Talk to Peter
Schwabe for more info.
-
The start-up OpenHealthCare in collaboration with the software
house First8 in Nijmegen is developing a tablet/smartphone app
for patients to interact in medical studies. There are
possibilities for a Master thesis looking into security and
privacy issues of use case and realisation. Contact Marko van
Eekelen (or Martijn Verhoeven of First8 via Marko).
-
If you're into crypto-protocols using ElGamal and the implementation of them on smartcards: with Morpho (formerly de Staatsdrukkerij SDU, the company that,
for instance, produces the Dutch passports), there are possibilities to look into ways to realise
authentication schemes using pseudonymisation. This also
involves looking into the details of the German eID and the
FIDO standard.
Contact Eric Verheul.
-
TNO typically has opportunities for security-related research
projects, such as
SSL/TLS trust chain for Android
(doc),
Automated ICT Infrastructure Modeling For Cyber Security Analysis,
Detection techniques for cyber attacks, or
GMS security.
More recent project proposals may be available here.
- There are possibilities for projects at ENCS in The Hague,
typically around security of the (smart) electrical grid.
Topics include:
'Traffic classification for Industrial Control Systems (ICSs)'
to identify ICS traffic and do intrusion detection;
security assessment by pen testing (e.g. of smart meters) or by fuzzing (e.g. of smart meter protocols such as DLMS/IEC62056); applied crypto incl. protocol design
(e.g. for smart electric vehicle charging),
crypto implementation (e.g. implementation of cryptographic algorithms on
embedded controllers used in the energy distribution)
and side-channel analysis (e.g. side-channel anomaly detection in
embedded devices); protocol analysis (e.g. for DLMS/IEC62056 or
MBus gas meters).
-
Speaking Dutch is essential for this one (the original description is in Dutch):
The Team High Tech Crime (THTC) of the Dutch police has an
internship position available on the topic of an organisation
(being able to) file a report with the police about a DDoS attack,
and the subsequent investigation. There are two central questions.
The first is what an organisation should, at a minimum, (be able to)
record and (not) do during the DDoS attack to make an investigation
by the police worthwhile. This concerns, for example, recording
certain network traffic during and possibly also before the DDoS
attack. The second question is what the police officer should
investigate and the ways of doing so. For this assignment, Dutch
banks have been found willing to cooperate and to share their
experiences with DDoS attacks in recent practice. The results of the
research must be written in Dutch, so the graduating student must be
a Dutch speaker. Contact:
Eric Verheul
-
Planon Cloud Center:
The company Planon in Nijmegen is looking for a Master thesis student to look into security, privacy and
certification (ISO) issues surrounding cloud usage of its
clients, to understand implications of moving some of
Planon's solutions to the cloud. Questions include: What are differences among
user groups (banks, universities, private/public
organisations, etc)? What are differences per
country/continent? What is the impact of legislation such
as the Patriot Act? Contact Lejla Batina or Rinus
Plasmeijer.
- CCV in Arnhem is a
large supplier of payment terminals and also provides associated
services for the processing of financial transactions. With CCV
there are possibilities for projects in the field
of payment solutions, e.g. security and testing,
not just at the front end (e.g. interaction between smartcards
and terminals) but also back end (e.g. the online payment
transaction processing, DoS issues, etc.). Contact Erik
Poll.
- Social login 4.0 - Using the privacy-friendly IRMA
technology online with OpenID Connect
Description: It is becoming more and more common to see web sites
where you can log in using your social identity (e.g. your
Facebook or Google account). Most of these login scenarios are
based on OAuth, OAuth2 and - in the near future - OpenID Connect
(see http://openid.net/connect/). The problem with many of these
logins is that relying parties (the site you log in to) often
request a lot of personal data. From a privacy perspective that
is undesirable.
The IRMA project (https://www.irmacard.org/) on the other hand is
"privacy-by-design". We differentiate between identifying and
non-identifying information about a user (attributes) and put the
user at the centre of all interactions. No data is revealed
without the user's consent and the system is built to facilitate
selective and minimal disclosure of personal information.
The goal of this student assignment is to investigate how we can
marry IRMA's privacy friendly approach with OpenID Connect.
Students are challenged to analyse how IRMA fits in the OpenID
architecture and to build a prototype that demonstrates the use
of IRMA credentials in an
OpenID Connect identity provider.
Knowledge of OAuth2 or federated identity management helps, as
well as good programming skills. We have OAuth2 software
available in several programming languages (e.g. PHP and Java)
that can be used as a starting point.
This research project may be performed in Nijmegen or at SURFnet
(http://www.surfnet.nl/en/) in Utrecht.
Students interested in this project should contact Gergely Alpar.