Student Projects

Dr. Alan Sherman

NL Detect - Allen Stone

No Abstract. (No Paper, yet)

Statis Analysis of the VoteHere VHTi Reference Implementation Source Code Using Flawfinder and RATS - Markus Dale

The VoteHere Sentinel is being considered as an add-on to the State of Maryland's Diebold AccuVote-TS electronic voting system to increase voter trust and confidence in the election process. The VoteHere Sentinel is built using the VHTi Reference Source Code Implementation, which is based on a cryptologic e-voting algorithm developed by C. Andrew Neff. The VHTi reference Source code is available for public downloads and we were therefore able to examing that source code using the Flawfinder and RATS open source static analysis tools. The result of that analysis only found 19 potential vulnerabilities in a code base consisting of over 10,000 lines of source code. The 19 potential vulnerabilities are not security vulnerabilities by themselves but could become vulnerabilities if the system that calls these functions fails to implement the proper mitigation techniques. The quality of the source code and its associated documentation was very high and it appears that security was taken very seriously.

Easy PGP - Rick Carback, Emily Fetchko, Bryan Pass

We developed a program that makes PGP easy to install and use by removing key management from the perspective of the user. Then we split a user population into two groups: one to set up and use our program, and one to set up and use a comparable program (with user key management). We surveyed them on ease of use of the program, and analyzed the results.

Balancing a Balanced Budget: making intelligent security budget allocations - Adam Anthony

The problem area for this project is that of making budget-aware decisions on computer security resource allocation. One rising theme in computer security is the use of economic models to adress important problems. What researchers are discovering is that economic decisions are a contributing cause of many computer security failures. This paper will start with a short discussion of economic pressures in computer security, followed by a survey of related work, including the work of Aspnes, et al. It expands on the work of Aspnes, Chang and Yampolskiy who researched the application of what they call the sum of squares partition problem to finding an approximate solution for an optimal inoculation strategy against computer viruses in a newtork. For their research, an optimal strategy was one with a minimum possible cost. The research of this paper will build upon the model found in Aspnes, et. al. First, the project team will aim to determine the effect of removing simplifying assumptions in order to apply the model to a realistic business model. Second, the research will turn to investigating a variation of the model in which all components are similar with the addition of a Budget total B allocated for expenditure on security for a network. Results include three metrics for network level security as a function of spending distribution, and a condition for identifying the optimal node for spending a unit of security resources.

Analysis and Detection of Covert Channels - Sweety Chauhan

Covert channels are mechanisms for communicating information secretly. A network covert channel is a mechanism that can be used to leak information across a network in violation of a security policy. This research project report presents analysis of embedding of storage and timing covert channels in TCP/IP. This project comprises of development and implementation of storage based covert channel (covert ts) and theoretical foundations of Information Theory to detect covert timing channels. In this project covert ts system is developed to exploit timestamp eld of TCP header for covert channel. Covert timing channels use packet inter-arrival times to encode covert messages. This report investigates the channel capacity of Internet-based timing channels and proposes a method to detect the covert timing channels based on use of channel capacity.