Security I, Dr. Lawlor
The project is designed as a way for you
to do hands-on work with security topics in a field of your
Each project should contain at least some of each of these three
- Research: look up the prior work, to see what other people
have done. Prioritize books or PDF academic papers over HTML
(blog posts, comments, Wikipedia). Students taking the
graduate section will be expected to present the prior academic
work using actual citations, and format
their writeup like a scientific paper.
- Code: write some actual hands-on crypto code. Any language is
fine, although what you turn in should be structured nicely and
- Analysis: check the statistics, histograms, or correlations of
your output. Or measure the runtime performance, in nanoseconds
per byte or round. Or *something* quantifiable and numeric.
October 3, in class: initial project topic discussion. Be prepared
to talk about your project for about two minutes.
October 12, midnight: Turn in rough draft code & brief
writeup. Rough draft needs to run, and have at least some of
the features of the final version, but does not need to do
everything you wanted, and does not need to be pretty or polished.
& 19: Present results in class (about 15 minutes each).
October 31, midnight: Turn in final draft code & brief
Feel free to pick one of these, combine
two or more, or pick some unlisted topic!
- Grab a hard
drive from the dump. Figure out what's on it, and what
story it tells.
- Pick a storage
device that you own, like a microSD card from digital camera
or phone. Extract as much as possible from it, including
hidden and deleted files (e.g., PhotoRec,
- Pick a CVE that sounds
interesting to you, and has proof of concept code available.
Install the vulnerable service, and run the code against the
service. Use a debugger to watch the attack succeed or
- Write your own
vulnerable network service (e.g., C program with buffer
overflow vuln, PHP program with SQL injection vuln, etc),
write code to exploit the vulnerability, and write the patch
to fix your service.
- Implement a cryptanalytic attack, like brute force key
enumeration (pick a managable keyspace), meet-in-the-middle
hashtable attack for split keys, or any of the many flavors of
- Implement your own Feistel-type symmetric cipher, or a
Feisteloid round-style cipher. Be sure to analyze the runtime
performance, differential behavior, and statistical output of
your cipher for varying keys and number of rounds.
- Implement your own round-based cryptographic hash function,
using a non-invertible round function. Again, analyze the
statistics and differential output of your hash for varying
number of rounds.
- Implement any decent existing cipher or hash (AES, DES, RC5,
SHA-1, SHA-256 are all reasonable choices).
- Decrypt any of the more complex CTF crypto examples.