Course Project

One of the most significant components of this course is completing an original research project studying any topic related to computer security and/or privacy. The grading section of the course syllabus page has a detailed breakdown of deliverables for your project. The project should be done in groups of 2-3 students. To find teammates for your project, please post on the Ed Discussion board in Canvas.
I will allow for individual student projects under some circumstances (e.g., a pre-existing research project). Please talk to me ahead of time if you intend to do an individual project for this course.

Start thinking about your project early on. The goal of your final project and report is to have enough rigor and depth to merit a workshop-caliber publication.

Below is some food for thought (taken from CS 261N at UC Berkeley) about some of the different project styles / categories that your group might pursue:

  1. Analyze. Undertake a substantive analysis/assessment of security issues for a given system. For example, to what degree does Zoom expose its users to remote compromise? Preserve their privacy? Surreptitiously monitor their communications? Admit misuse of the system to aid in denial-of-service attacks? Have vulnerabilities that enable fraud? What is its trust model? What steps could be taken to strengthen Zoom in this regard? What can you say about the expected efficacy of those steps? Note: it needn't be an application nor involve end systems. You can consider schemes relevant to other layers of the networking stack, or that concern infrastructure/internal components.
  2. Measure. Empirically explore and characterize a security or privacy issue. For example, under what circumstances and to what degree do nodes in the Tor anonymizing network alter the content that passes through them?
  3. Innovate. Devise and analyze (and possibly implement) a new mechanism, technique, or architecture. For example, this could be a new way to protect servers from application-level denial-of-service attacks; a new detector for some type of malicious activity; or a novel approach to email or social networking identity that provides better properties regarding the threats of impersonation, Sybils, or account compromise.
  4. Test. Take a result in the literature and undertake a thoughtful and meaningful reproduction of it to assess to what degree you obtain the same results, and why.
  5. Attack. Develop a new threat. Assess its efficacy, countermeasures/defenses, and likely "arms race" evolution.
  6. Research. Conduct a deep, thoughtful literature survey of a particular area in network security ("research" as a verb). Assess the strengths and weaknesses of the published results in the area, delimit the boundaries of the state of the art, identify themes and abstractions, frame avenues for future work. For this type of research, refer to the "Systematization of Knowledge" (SoK) papers at Oakland, some of which we will read during this course.

You're welcome to pick a topic that is connected to your current research, and I'm happy to discuss possible topics with you in advance. It is acceptable for you to jointly use the same project for this course and another; however, you will need to explicitly discuss this first with me and with the other instructor(s).

If you are looking for project ideas, feel free to check out the list of ideas and past projects from CSE 227 at UC San Diego and CS 261N at UC Berkeley.