For more information about doing an MSc project
with me or others in the Digital Security group:
My core research interests are
-- how can we avoid security holes in software?
This question applies to every stage
of the software development lifecycle, from (security) requirements engineering,
design, coding, testing, and maintenance.
smartcards and applications that use smartcards, and
the Java Card platform
formal methods for program specification and verification,
including type systems and static analyses,
especially for Java, as a way to improve software security.
state-machine learning to analyse implementations of
more applied research investigating security of various systems,
for example payment and banking systems,
or smart grid systems.
Looking at my publications may give more concrete ideas of what
I'm working on. Some concrete proposals below. These proposals
reflect my own interests; of course, you're more than welcome to
come up with other proposals based on your own expertise and
interests. NB for a Master's thesis you should choose a topic that
you think is interesting.
Explore the possibilities that Java type annotations, as
implemented in the
for example for tainting analysis in Java (or JSP) web
applications, Android apps, or JavaCard smartcard
For Information Science students: read
the excellent book "The
inmates are running the asylum" by Alan Cooper (which IMO is essential
reading for all Information Science students; available in our library under "8023 CO")
and apply the approach described there to any over-engineered, hard-to-use
interface that you know, for instance Blackboard, the reservation system at the
university sports centre, or - for applications that are security-sensitive -
using PGP, managing SSH keys and SSL certificates, ...
The company Topicus in Deventer has opportunities for MSc projects in the field of using static analysis for
domain-specific checks, especially for Java web applications.
Interesting questions to investigate for such tools are
(i) ways to improve this technology,
(ii) possible customisations of tools for particular application domains
(e.g. JavaCard, Android, Java web-apps, or hypervisors in C);
(iii) trying to come up with best practices to apply such tools;
(iv) testing one tool or comparing tools on example applications.
There is currently little hard empirical evidence about the use of these
tools, so it would for instance be interesting to run a tool on
(an old release of) some open source project, say,
to see if it exposes known security vulnerabilities or new ones.
Safe C Experiment with and evaluate safe C dialects such