This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ====== Archived research projects in CRoCS laboratory ====== Below, you can find older projects, which are not currently actively pursued further, but may be activated again later (as happened for multiple projects already). ---- ===== Software Security and Secure Programming ===== This project focuses on usage, evaluation and extension of various tools related to secure programming, application vulnerabilities, security testing and code review. We are interested in static and dynamic analysis of applications with a special focus on security bugs, fuzzy testing, taint analysis and semi-automated review procedures and its incorporation into application development lifecycle. This project is coordinated with [[ http://www.ysoft.com/ | Y Soft Corporation, a.s.]], and for students participating in this project, there is a possibility to get a financial support from this company. More general information about Y Soft cooperation with students can be found [[https://www.ysoft.com/en/company/university-relations|here]]. <button collapse="swsecurity">Find out more</button> <collapse id="swsecurity" collapsed="true"> **Last update: 19.09.2018** **Contact:** Andriy Stetsko <xstetsko@fi.muni.cz> or <andriy.stetsko@ysoft.com> ** Financial support:** Y Soft Corporation, a.s. will provide financial support (in a form of stipend at the faculty or a part-time job in the company) to students with promising results. ** Possible topics for cooperation with bachelor students:** * [[https://is.muni.cz/auth/rozpis/tema?balik=1275;tema=336359|OWASP Dependency Check: add support for Go]] * [[https://is.muni.cz/auth/rozpis/tema?balik=1275;tema=336361|OWASP Dependency Check: add support for C]] * [[https://is.muni.cz/auth/rozpis/tema?balik=1275;tema=336378|OWASP Dependency Check: enhance support for JavaScript]] * [[https://is.muni.cz/auth/rozpis/tema?balik=1275;tema=336379|Unused code detection]] * [[https://is.muni.cz/auth/rozpis/tema?balik=1275;tema=336397|Automatic API extraction from traffic analysis]] ** Possible topics for cooperation with master students:** * [[https://is.muni.cz/auth/rozpis/tema?balik=58;tema=336354;|OWASP Dependency Check: add support for C and Go]] * [[https://is.muni.cz/auth/rozpis/tema?balik=58;tema=336381|Unused code detection]] * [[https://is.muni.cz/auth/rozpis/tema?balik=58;tema=336384|Dynamic security analysis of web application]] * [[https://is.muni.cz/auth/rozpis/tema?balik=58;tema=336385|Automatic API extraction from traffic analysis]] * [[https://is.muni.cz/auth/rozpis/tema?balik=58;tema=276842;uplne_info=1|Analysis of export and import laws for systems that involve cryptography]] **Involved people:** {{:public:crocs:stetsko.jpg?50|}} * [[https://is.muni.cz/auth/osoba/184905|Andriy Stetsko]] 2012-now (Project coordinator, thesis supervisor, Y Soft Corporation, a.s.) **Previous research topics:** * 2013-2017: **Tools for dynamic security analysis of web applications**, financial support from Y Soft Corporation * 2015-2016: **Analysis and application of OWASP testing guide**, financial support from Y Soft Corporation * 2015-2016: **Metasploit**, financial support from Y Soft Corporation * 2014-2016: **Secure software development processes**, financial support from Y Soft Corporation * 2012-2016: **Tools for static and dynamic code analysis**, financial support from Y Soft Corporation * 2014-2015: **Security mechanisms of PDF files** * 2014-2015: **Security aspects of Xamarin/Android Platform** * [[http://sourceforge.net/projects/cesta/ | Cesta project]] - security-related transformations of JavaCard source code, financial support from Y Soft Corporation </collapse> ===== Faster randomness testing ===== This project is focused on improving the implementation of standard empirical test of randomness since some complete tests (Linear Complexity, Spectral, Overlapping template matching) can take hours on standard computer for usual amount of data. Tests are usually grouped into test batteries (NIST STS, Diehard,TestU01) to provide more complex randomness analysis. Currently we are focusing on optimization of NIST STS battery. Visit our [[https://randomness-tests.fi.muni.cz|online testing service]]. **Last update: 27.09.2016** **Application** [[https://github.com/sysox/NIST-STS-optimised | Project Github repository]] ** Involved people: ** {{:public:crocs:zriha.jpg?50|}} {{:public:crocs:sys.jpg?50|}} * [[https://is.muni.cz/auth/osoba/2514|Zdenek Říha]] 2013-now (Performance testing) <zriha@fi.muni.cz>; * [[https://is.muni.cz/auth/osoba/232886|Marek Sýs]] 2013-now (Algorithm analysis) <syso@mail.muni.cz> **Publications** * [2015] [[http://www.imt.ro/romjist/Volum18/Number18_1/pdf/02-MSys.pdf| Sýs, M.; Z. Říha, V. Matyáš, K.Márton, A. Suciu: On the Interpretation of Results from the NIST Statistical Test Suite]], ROMJIST Journal, 2015. * [2014] {{:public:crocs:sys_space_2014.pdf| Sýs, M.; Z. Říha: Faster randomness testing with NIST STS}},SPACE 2014, Fourth International Conference on Security, Privacy, and Applied Cryptography Engineering, 2014. ===== Attacker strategy evolution (GANet) ===== **Last update: 08.01.2016** **Contact:** Zdenek Říha <zriha@fi.muni.cz> **Project description:** This project focuses on automated generation of attacker's strategies against real implementation of various network applications. Currently, we aim to optimize existing Denial of Service attacks (DoS attacks, [[https://en.wikipedia.org/wiki/Denial-of-service_attack|Link]]) in order to achieve maximum impact on the victim webserver. GANet contains source codes we are using - for now, combination of OS apps (Perfmon,...) and Python scripts. * Research project [[research:ganet:main| internal wiki pages]] * Project [[https://github.com/crocs-muni/GANet | Github repository]], [[https://github.com/crocs-muni/GANet/wiki | wiki pages]] **Involved people:** {{:public:crocs:bukac.jpg?50|}} {{:public:crocs:ostadal.jpg?50|}} {{:public:crocs:svenda.jpg?50|}} * [[https://is.muni.cz/auth/osoba/2514|Zdenek Říha]] 2016-now (?) <zriha@fi.muni.cz>; * [[https://is.muni.cz/auth/osoba/172999|Víťa Bukač]] 2014-now (preparation of HTTP DOS experiments, VM preparation, initial Python implementation) * [[https://is.muni.cz/auth/osoba/255508|Radim Ošťádal]] 2014-now (preparation of HTTP DOS experiments) * [[https://is.muni.cz/auth/osoba/4085|Petr Švenda]] 2014-now (gibbering) **Former participants:** Tatevik Baghdasaryan 2014-2015 (testing simple web server); ** Selected publications ** * [2015] {{:public:research:ganet_paper1.pdf|Bukač, V.; Ošťádal, R.; Švenda, P.; Baghdasaryan, T. and Matyáš, V.: Challenges of fiction in network security - perspective of virtualized environments}}, LNCS 9379, pp. 145-151, Springer, 2015. * [2014] {{:public:research:redqueensrace_aptwinwingame.pdf|Bukač, V.; Lorenc, V. and Matyáš, V.: Red Queen's Race: APT win-win game. In Security Protocols XXII - 22nd International Workshop, Revised Selected Papers}}, LNCS 8809, pp. 55-61, Springer, 2014. ---- ===== Whitebox cryptography ===== **Last update: 14.9.2015** **Status: Completed/On hold** **Contact:** Petr Švenda <svenda@fi.muni.cz> **Project description:** This project is focused on design and development of the special implementations of cryptographic functions able to operate in an environment under full control of an attacker and still able to protect used secrets (e.g., encryption keys). * Research project [[research:whitebox:main| internal wiki pages]] * Whitebox AES implementation in [[https://github.com/petrs/Whitebox-crypto-AES|Cpp]] and [[https://github.com/xbacinsk/Whitebox-crypto-AES-java|Java]] (GitHub repositories) * SecureFW framework for [[http://www.fi.muni.cz/~xsvenda/securefw.html | source codes and binaries]] - earlier version of whitebox AES implementation in Cpp, secure channel with JavaCard smart card * Explanation of whitebox cryptography, homomorphic encryption and computation with encrypted function/data: {{:public:crocs:WhiteboxCrypto_20130531.pdf|slides}} * List of resources related to [[public:research:whitebox:mobilecrypto| whitebox cryptography]] **Involved people:** {{:public:crocs:bacinska.jpg?50|}} {{:public:crocs:svenda.jpg?50|}} * [[https://is.muni.cz/auth/osoba/373854|Lenka Bačinská]] 2012-now (Whitebox AES) * [[https://is.muni.cz/auth/osoba/4085|Petr Švenda]] 2008-now (project lead, whitebox AES with smartcards) **Former participants:** Marián Čečunda 2013-2015 (Whitebox RSA, HMAC, Keccak); Dušan Klinec 2012-2014 (whitebox AES implementation, attacks); ** Selected publications ** * [2015] {{:public:research:bacinska_whitebox_specialAES_2015.pdf| Bačinská, L.: White-box attack resistant cipher based on WBAES}}, Master thesis, Masaryk university, 2015. * [2015] {{:public:research:cecunda_whitebox_hmac_2015.pdf| Čečunda, M.: Návrh implementace algoritmů RSA a HMAC pomocí whitebox kryptografie}}, Master thesis, Masaryk university, 2015. * [2013] {{:public:crocs:klinec_whitebox_thesis_2013.pdf| Klinec, D.: White-box attack resistant cryptography}}, Master thesis, Masaryk university, 2013. ---- ===== DDoS-as-a-Service landscape ===== **Last update: 14.1.2016** **Status: Completed/On hold** **Contact:** Vít Bukač <xbukac@fi.muni.cz> **Project description:** We want to map the dark economy behind Denial-Of-Service attack services (DDoSaaS) for hire, the communication between DDoSaaS providers and customers and collect samples of attack traffic from real existing DDoS services. This project is about getting hands-on experience with network attacks in real environment instead of in closed labs, analyzing often neglected economy aspect of network attacks and dipping into the mindset of a cyber-criminal. * Research project [[research:ddosaas:main| internal wiki pages]] * [[research:ddosaas:main|More information]] **Involved people:** {{:public:crocs:bukac.jpg?50|}} {{:public:crocs:stavova.jpg?50|}} {{:public:crocs:nemec.jpg?50|}} {{:public:crocs:zriha.jpg?50|}} {{:public:crocs:srom.jpg?50|}} * [[https://is.muni.cz/auth/osoba/172999|Vít Bukač]] 2014-2015 (Coordinator) * [[https://is.muni.cz/auth/osoba/256169|Vlasta Šťavová]] 2014-2015 (Social aspects) * [[https://is.muni.cz/auth/osoba/394036|Lukáš Němec]] 2014-2015 (Technical aspects) * [[https://is.muni.cz/auth/osoba/2514|Zdeněk Říha]] 2015 (Technical aspects) * [[https://is.muni.cz/auth/osoba/422590|Lukáš Šrom]] 2014 (Technical aspects) **Publications** * [2015] {{:public:research:serviceindenial.pdf|Bukač, V.; Šťavová, V.; Němec, L.; Říha, Z. and Matyáš, V.: Service in denial – clouds going with the winds}}, In Proceedings of NSS 2015, 9th International Conference on Network and System Security, LNCS 9408, pp. 130-147, Springer, 2015. * [2015] {{:public:research:dostrafficfeatures.pdf|Bukač, V. and Matyáš, V.: Analyzing traffic features of common standalone DoS attack tools}}, In Proceedings of SPACE 2015, 5th International Conference on Security, Privacy, and Applied Cryptography Engineering, LNCS 9354, pp. 21-40, Springer, 2015. * [2015] {{:public:research:ddosaas_ddosjakosluzba.pdf|Bukač, V.; Říha, Z.; Šťavová, V. and Matyáš, V.: DDoSaaS: DDoS jako služba}}, In IS2: From trends to solutions, pp. 35-39, Tate International, 2015. ---- ===== Android Security ===== **Last update: 14.10.2014** **Status: Completed/On hold** **Contact:** Zdeněk Říha <zriha@fi.muni.cz> ; Dušan Klinec <ph4r05@mail.muni.cz> **Project description:** These activities look at the security issues of the Android installation files (APK). The Android APK files are digitally signed, but the signer can be anybody. Therefore it is possible to to modify the APK files (to include malware, for example) and resign it. This can be done in an automated way. Such a modification/infection can also be done online in the form of the man-in-the-middle attack where the APK package is transparently modified on its way from the server towards the mobile device if no encryption of the communication is done. **Involved people:** {{:public:crocs:zriha.jpg?50|}} {{:public:crocs:klinec.jpg?50|}} * [[https://is.muni.cz/auth/osoba/2514|Zdenek Říha]] 2012-now * [[https://is.muni.cz/auth/osoba/ph4r05|Dušan Klinec]] 2014-now **Former participants:** Jan Svoboda (2013-2014), Eduard Cihuňka (2013-2014) ** Selected publications ** * [2014] [[http://is.muni.cz/th/374288/fi_b?info=1|E. Cihuňka: Editor APK souboru pro Android]] * [2014] [[http://is.muni.cz/th/255654/fi_m?info=1|J. Svoboda: Bezpečnost instalačních APK balíčků Androidu]]