Internship & Thesis Projects
During the course of the year, students fulfill their internships or participate in course projects within the lectorate. Below is an overview of current projects, with specification of students’ required skills.
(Hardware) Reverse Engineering of a LoRaWAN Gate- way
A LoRaWAN gateway is a device that allows e.g., low-power device to connect to it over LoRaWAN, and the gateway then subsequently connects to and forwards the traffic over a high-bandwidth network such as WiFi, Ethernet, or cellular. The aim of this project is to reverse engineer a LoRaWAN gateway and, among other things, understand the inner workings of its firmware and its update pro- cess. E.g., open up the device and analyze it from a hardware security point of view; set up a miscreant in the middle (MitM) device to intercept firmware update traffic, capture the firmware, modify it, and have the LoRaWAN device accept the modified firmware. If the MitM approach does not work, other av- enues to access the firmware and the update process will have to be explored, such as the possibility of accessing the device through a serial debugging port, reading the firmware directly from the Flash chip, or other similar approaches.
Desired skills:
- Applied (hardware) security
- Reverse engineering
- Linux power user
- Research mindset
Encryption key manager security projects at Thales Research and Technology, Delft
This lectorate is partially sponsored by Thales, and as such, some internships are offered at the Thales location in Delft, as part of the collaboration between THUAS and Thales.
A basic encryption key management server (KMS) is run as a normal (Java) user application. The secrets necessary for the server to operate, such as the private key for the TLS certificate, are stored in a PKCS#12 keystore on disk. If a password is required, it is stored in a configuration file. Application se- crets, such as symmetric keys used by clients of the KMS, are also stored in a PKCS#12 keystore, or in plaintext in an unsecured local database.
Project #1: Secure Boot and Remote Attestation Using TPM
Trusted computing deals with aspects such as verifying that the code (firmware, kernel, operating system, application code, etc.) used to start a system is trusted, and being able to verify that a system is in a trusted state before providing secrets to it, such as typing in your password. Secure boot and re- mote attestation are mechanisms for achieving such trust, with the help of a hardware component called a trusted platform module (TPM). This assignment is to set up a system with secure boot, such that the system only boots properly signed code, up to and including the operating system, and the KMS applica- tion code. Additionally, remote attestation needs to be implemented such that a KMS client or administrator knows that they are communicating with a trusted system.
Desired skills:
- Applied security
- Java
- Linux power user
- Research mindset
Project #2: Trusted Execution Environment
To enhance the security of a KMS, the objective of this project is to design and implement the KMS in such a way that (part of) it runs in a trusted execution environment, such as Intel SGX, or ARM TrustZone. A trusted execution en- vironment (TEE) runs code in an enclave, where even a administrator in the normal, rich execution environment does not have access. Therefore, even if a malicious actor has gained access to the system where the KMS is running, they shall not have access to any information, and in particular the secrets, in the secure enclave. A common problem with secure enclaves is how to get secrets into them initially, so this is the initial challenge for this project. The feasibility of using the code in the TEE to e.g., terminate TLS connections, or access the TPM, is also something that shall be investigated. Finally, in the case of a distributed KMS with multiple nodes, an administrator shall ideally only have to provide the initial secret to one node, and subsequent nodes should be able to receive the secret from unsealed nodes in a secure manner.
Desired skills:
- Applied security
- Java
- Linux power user
- Research mindset
Project #3: Usable Deployment and Access Management
Usability is a key aspect of any security feature - if a system is not usable, chances are that users will find a way around the security mechanisms, leading to a degradation of the realized, and a mismatch between the expected and actual, security of the system. The task of this project is to find usable ways to deploy and manage the KMS from a user and access control point of view. The access control and user management should be integrated into existing systems, such as LDAP. Delegation and granting of access should be done in a way that also non-technical users can adopt. The end deliverable can be a design, prototype, survey about pain-points of the current system, or a combination of one or more of the above.
Desired skills:
- Applied security
- User Experience (UX)
- Access control
- Research mindset