Project 2

• Research: look up the prior work, to see what other people have done. Prioritize books or PDF academic papers over HTML (blog posts, comments, Wikipedia).  Students taking the graduate section will be expected to present the prior academic work using actual citations, and format their writeup like a scientific paper.
  
• Code: write some actual hands-on crypto code. Any language is fine, although what you turn in should be structured nicely and well commented.
• Analysis: check the statistics, histograms, or correlations of your output. Or measure the runtime performance, in nanoseconds per byte or round. Or *something* quantifiable and numeric.

Deadlines

   November 2017      
Su Mo Tu We Th Fr Sa  
26 27 28 29 30        <- Topic due in class
                      
   December 2017      
Su Mo Tu We Th Fr Sa  
                1  2  
 3  4  5  6  7  8  9  <- Rough drafts due on Blackboard
10 11 12 13 14 15 16  <- Presentations in class, final version due on Blackboard

Thursday, November 30, in class: Be ready to talk for 2 minutes about your project topic.

Tuesday, December 5: Turn in rough draft / proof of concept.  Rough draft needs to run, and have at least some of the features of the final version, but does not need to do everything you wanted, and does not need to be pretty or polished.

Tuesday, December 12, 10:15 a.m.-12:15 p.m.: Project presentations (during final exam timeslot).  Have 10 minutes of good material ready: *prepared* examples, figures, diagrams, etc.  Bring an HDMI capable device, or email me your examples beforehand.

Thursday, December 14, midnight: Project final version due. 

Suggested Topics

• Does it work on other platforms (Linux, Android, Windows, OS X?)   Can you make it work there?
• What's a better design for the system you examined?  Are people working on it?
  

• Grab a hard drive from the dump.  Figure out what's on it, and what story it tells.
• Pick a storage device that you own, like a microSD card from digital camera or phone.  Extract as much as possible from it, including hidden and deleted files (e.g., PhotoRec, ddrescue).

• Pick a CVE that sounds interesting to you, and has proof of concept code available.  Install the vulnerable service, and run the code against the service.  Use a debugger to watch the attack succeed or fail.  Test countermeasures like firewalls, ASLR, DEP, SElinux, Microsoft EMET, etc.
  
• Write your own vulnerable network service (e.g., C program with buffer overflow vuln, PHP program with SQL injection vuln, etc), write code to exploit the vulnerability, and write the patch to fix your service.
• Design & implement a toy version of a sensitive web service, such as a online bank (customers: depositors and debtors), cryptocurrency (drug dealers & money launderers), or a web-based grading script (instructors & students).
  

• Implement a cryptanalytic attack, like brute force key enumeration (pick a managable keyspace), meet-in-the-middle hashtable attack for split keys, or any of the many flavors of statistical analysis.
• Implement your own Feistel-type symmetric cipher, or a Feisteloid round-style cipher. Be sure to analyze the runtime performance, differential behavior, and statistical output of your cipher for varying keys and number of rounds.
• Implement your own round-based cryptographic hash function, using a non-invertible round function. Again, analyze the statistics and differential output of your hash for varying number of rounds.
• Implement any decent existing cipher or hash (AES, DES, RC5, SHA-1, SHA-256 are all reasonable choices).
• Decrypt any of the more complex CTF crypto examples.
  

• Pick any presentation from Black Hat (or any other attack-focused tool).  Analyze their technique from the point of view of a white hat: rank countermeasures by your predicted effectiveness. 
  
• Pick any enterprise security solution (or any other defensive tool).  Analyze the enterprise's total security from the point of view of a black hat: rank attacks by predicted effectiveness.