home

SNE Master Research Projects 2019 - 2020

http://uva.nl/
2004-
2005
2005-
2006
2006-
2007
2007-
2008
2008-
2009
2009-
2010
2010-
2011
2011-
2012
2012-
2013
2013-
2014
2014-
2015
2015-
2016
2016-
2017
2017-
2018
2018-
2019
2019-
2020
2020-
2021
2021-
2022
Contact TimeLine Projects LeftOver Projects Presentations-rp1 Presentations-rp2 Objective Process Tips Project Proposal

Contact

Cees de Laat, room: C.3.152
Course Codes:

Research Project 1 53841REP6Y
Research Project 2 53842REP6Y

TimeLine


RP1 (January):
  • Wednesday Sept 11, 13h00-13h30: Introduction to the Research Projects.
  • Wednesday Nov 13, 13h00-16h00: Detailed discussion on selections for RP1.
  • Monday Jan 6th - Friday Jan 31th 2020: Research Project 1.
  • Friday Jan 10th: (updated) research plan due.
  • Monday Feb 3, 10h00-17h00: Presentations RP1 in B1.23 at SP 904.
  • Tuesday Feb 4, 10h00 - 17h00: Presentations RP1 in B1.23 at SP 904.
  • Sunday Feb 9, 24h00: RP - reports due
RP2 (June):
  • Wednesday May 13, ,10h00-16h00, Zoom, Detailed discussion on chosen subjects for RP2.
  • Tuesday Jun 2th - Friday Jun 25: Research Project 2.
  • Friday Jun 5th: (updated) research plan due.
  • Thursday Jul 2, 10h00-17h00: presentations.
  • Friday Jul 3, 10h00-17h00: presentations.
  • Monday Jul 6, 09h00: RP - reports due

Projects

Here is a list of student projects. Find here the left over projects this year: LeftOvers.
In a futile attempt to prevent spam "@" is replaced by "=>" in the table.
Color of cell background:
Project available Presentation received. Confidentiality was requested.
Currently chosen project. Report received. Blocked, not available.
Project plan received. Completed project. Report but no presentation
Outside normal rp timeframe project will be done in next block

wordle-s.png


title
summary
supervisor contact

students
R

P
1
/
2
1

Zero Trust Network Security Model in containerized environments.

Security’s main purpose in an organization is to prevent leaks of confidential data and lowering the risks of modern cyber-attacks against network which recently became critical. Zero Trust is a model of security that treats all network traffic, even if it is inside the perimeter as hostile. In order to implement a Zero Trust Network, the following assertions should be considered <https://on2it.net/en/zero-trust/>:
  • Assume that network is always hostile: Never trust, always verify.
  • Threats exist inside and outside of the network.
  • Authenticate and authorize de- vice, user, workload or system each time it tries to connect, re- gardless of its location.
  • Least privilege-access.
  • Inspect and log traffic.
In order to successfully observe Zero Trust network following the above criteria, there are some security checkpoints that need to be applied where every communication must pass in order to send or receive data. This can be achieved by using appropriate controls for every condition.
For this project we will be investigating the appropriate controls in order to implement Zero Trust for "east/west" traffic in a containerized environment to mitigate data leakage.

The research question can be summarized as:
  • "How to implement Zero Trust for "east/west" traffic between microservices in containerized environment?"
To answer the research question, we have the following sub-questions:
    • How to regulate the "east/west" traffic flow?
    • How to implement confidential- ity at rest and transit data?
Jeroen Scheerder <Jeroen.Scheerder=>on2it.net>

Catherine de Weever <Catherine.deWeever=>os3.nl>
Marios Andreou <mandreou=>os3.nl>
R

P
1
2

Security of Mobility-as-a-Service(MaaS) applications on Mobile Phones.

This project will focus on the security of Mobility-as-a-Service(MaaS) android applications. With MaaS you can think about, but not limited to; Uber, Lime, Beat, Bolt, OV-api,.. The goal of this project is to identify and classify if the applications are using data which not intended to use data for another purpose then needed for the service offered.
Alex Stavroulakis <Stavroulakis.Alex=>kpmg.nl>

Alexander Blaauwgeers <alexander.blaauwgeers=>os3.nl>
R

P
1
4

The Current State of DNS Resolvers and RPKI Protection.

The Domain Name System (DNS) and Border Gateway Protocol (BGP) are two fundamental building blocks of the internet. However, these protocols were initially not developed with security in mind. For instance, malicious groups can perform prefix hijacking and additionally spoof a DNS resolvers IP address in the hijacked IP prefix. The results of such action could be disastrous. Additionally, BGP is also prone to route leaks. In 2008, Resource Public Key Infrastructure (RPKI) was proposed to address this issue.
RPKI is a hierarchical Public Key Infrastructure (PKI) that binds Internet Number Resources (INRs), such as Autonomous System Numbers (ASNs) and IP addresses, to public keys via certificates. With the RPKI certificate scheme, AS owners can prove that they are authorized to advertise certain IP prefixes. To make this certificate scheme work, the Regional Internet Registries (RIRs) control the trust anchors for each region.

The objective of this research is to research which DNS resolvers are (partially) protected by RPKI.
Willem Toorop <willem=>nlnetlabs.nl>

Erik Dekker <Erik.Dekker=>os3.nl>
Marius Brouwer <mbrouwer=>os3.nl>
R

P
1
5

Server agnostic DNS augmentation.

The Extended Berkeley Packet Filter (eBPF) is an instruction set for a general-purpose virtual machine inside the Linux kernel. eBPF programs are constrained to execute in finite time and are allowed to only call a limited predetermined set of helper functions. These limitations guarantee them to be safe to execute in kernel space.

The Linux kernel provides numerous hooks on which eBPF programs can be attached. One of them, the eXpress Data Path (XDP) provides programmability at the lowest layer of the Network Stack (at the device driver layer) and can even be hardware offloaded to programmable devices (e.g. SmartNICs)

eBPF delivers comparable capabilities and performance as kernel bypass techniques (such as the Data Plane Development Kit (DPDK)), but opposed to those techniques does not bypass the operating system, but extends it. This opens interesting new opportunities to extend and/or influence existing network services with new functionalities orthogonal from the software delivering the basic service. Especially UDP based DNS, with per packet communication primitives, is suitable for this kind of augmentation.

This research will explore the limits and possibilities to leverage eBPF and XDP to augment existing network services (most notably DNS). What kind of functionalities can be added (i.e. performance measurements, statistics collection, policy filtering, load balancing etc.), what does that entail architecturally and how does it impact performance?

Two examples of DNS functionalities that spring to mind are:
  • Response Rate Limiting and
  • DNS Cookies
Willem Toorop <willem=>nlnetlabs.nl>
Luuk Hendriks <luuk=>nlnetlabs.nl>

Tom Carpay <tomcarpay=>gmail.com>
R

P
2
6

Collaborative work with Augmented and Virtual Reality - A secure network connection in Unity.

Although the principles have been around some time, Augmented and Virtual Reality finally gets usable for the consumer market. Nowadays, the prominent game engines are used for development of Mixed Reality (AR+VR) applications. This research follows the vision, that different users with different devices should be able to connect to a common server and collaborate virtually by using either AR or VR head-mounted displays or mobile devices like smartphones.
Research question:
  • How does latency impact the quality collaboration of different visualization and device options?
There are existing network capabilities of Unity, existing AR/VR framework that can be built out of unity and existing connectors (which combine for example HTC Vive to Hololens).
The student is asked to:
  • Build a server infrastructure on which users can connect with different devices
  • Build a build-infrastructure for different devices
The software framework will be published under an open source license after the end of the project.
Doris Aschenbrenner <d.aschenbrenner=>tudelft.nl>

Lars Tijsmans <Lars.Tijsmans=>os3.nl>
R

P
1
8

APFS checkpoint management behaviour in macOS.

How many copies do you have? How do Copy On Write  filesystems handle overwriting in files?

Filesystems like APFS use btree structures and COW to transform the disk content from one state to the next. Can these old copied versions be used to create large amount of (latent) snapshots of the filesystem? How does overwriting of (records in sqlite) databasefiles effect the content of the APFS filesystem? The students is asked to research the effects of COW on recovering partially overwritten files and filesystems. As part of this research an estimation of the decay of these latent traces should be researched.
Zeno Geradts <zeno=>holmes.nl>
"Ruud Schramp (DBS)" <schramp=>holmes.nl>

Maarten van der Slik <Maarten.vanderSlik=>os3.nl>
R

P
1
13

Incorporating post-quantum cryptography in a microservice environment.

Summary:

Digital certificates typically use ECDSA or RSA for their digital signatures. These algorithms are expected to be broken by Shor’s algorithm when universal quantum computers with reliable qubits become a reality. The National Institute for Standards and Technology (NIST) is currently in the process of standardizing a set of new algorithms (post-quantum algorithms) that are expected to be resistant to quantum attacks.

The goal of this project is to implement post-quantum algorithms in digital certificates and to assess the usability of these algorithms for public key infrastructures.
Cedric Van Bockhaven <cvanbockhaven=>deloitte.nl>
Itan Barmes <ibarmes=>deloitte.nl>
Vincent van Mieghem <vvanmieghem=>deloitte.nl>

Daan Weller <Daan.Weller=>os3.nl>
Ronald van der Gaag <Ronald.vanderGaag=>os3.nl>
R

P
2
15

 Malicious behavior detection based on CyberArk PAS logs through string matching and genetic neural networks.

CyberArk PAS is a common privileged access manager. For this research, we are interested in identifying potential interesting use cases to be built in Splunk. The research should focus on identifying common risks / vulnerabilities when using CyberArk PAS as a Privileged Access Manager (PAM) and should focus on being able to identify potential misuse. Besides the creation of use cases, we request that the research also focusses on identifying opportunities for combining the syslogs of CyberArk PAS in combination with the output of CyberArk PTA.

For this Internship, you will have to setup a small lab to perform your investigations.

For more information about this topic, reach out to Roel Bierens

http://werkenbijdeloitte.nl/cyber-graduate
Roel Bierens <rbierens=>deloitte.nl>
Bartosz Czaszynski <bczaszynski=>deloitte.nl>

Mike Slotboom <Mike.Slotboom=>os3.nl>
Ivar Slotboom <ivar.slotboom=>os3.nl
R

P
2
19

Analysis on MX-record queries of non-existent domains.

In this research we would like to find out if it is possible to classify expired .nl domains as having a high potential of receiving sensitive email using solely the name of an expired domain name and the knowledge that is as been queried for the reason of sending email to it.

The main research question for this project is defined as follows:
  • Is it possible to classify expired .nl domains, using Open Source Intelligence (OSINT), as having a high potential for receiving email with sensitive content?
To support this research question the following sub- questions have been defined:
  • What OSINT sources can be used for classifying domain names?
  • What classifiers can be identified for a domain being the recipient of sensitive information.
  • What classification system can be used for classifying domain names?
Jelte Jansen <jelte.jansen=>sidn.nl>
Cees de Laat <delaat=>uva.nl>

Jasper Hupkens <Jasper.Hupkens=>os3.nl>
Siebe Hodzelmans <shodzelmans=>os3.nl>
R

P
2
20

Detecting Botnets communicating with Command and Control servers with DNS and NetFlow data.

In the age of cloud computing, one is able to start a new host in a matter of a couple of seconds. This has been proven useful for enterprises, as they can request systems on an on-demand basis. Unfortunately, the internet is not a wholesome place, and malicious ac- tors also leverage these beneficial cloud computing infrastructures for their illicit activities. In this research, we are focusing on detecting botnets in a network by using NetFlow and DNS data. Malicious actors are using public cloud solutions to hide, only using a single IP address for a few hours. As a result of that, traditional IP reputation lists have become outdated with the rise of cloud computing. Specifically, we think that NetFlow and DNS data can be good alternatives as these sources do not solely rely on IP-addresses. These sources instead give information about a specific domain and it’s traffic patterns, which can be used as a more modern approach to detect bots in a network.
Eddie Bijnen <eddie=>true.nl>

Khanh Hoang Huynh <hhuynh=>os3.nl>
Mathijs Visser <mathijs.visser=>os3.nl>
R

P
2
21

Advanced Persistent Threat detection for Industrial Control Systems.

This project is to dive deeper into threat hunting within ICS networks. There are several threat actors targeting ICS out there (e.g. Sandworm, Electrum, Energetic Bear, Chrysene etc.). Each of them has different goals and uses different techniques. Our goal is to select one of them and to research and create detection mechanisms, which would allow for verifying whether traces of the selected threat actor can be found within a given network based on the logging capabilities at hand. Our research would allow blue teams to perform more advanced threat hunting.

How? The generic idea so far is that we would like to create a detection mechanisms, which would include Indicators of Compromise (IoC’s) or other triggers indicating malicious activities of that threat actor on the network. The events could be correlated and mapped to the ICS Mitre ATTACK framework (published just recently in January 2020). Dragos is busy with ICS threat hunting and developed a commercial platform, but we would like to use open source tooling (ELK) and enable blue teams to use our methodology & tooling to hunt for the specific threat actor. This framework can of course be then expanded by different threat actors. Creating a lab environment to test our detection mechanisms + introducing malware samples and verifying whether our rules work would be part of our scope.
Derre Hendrik <hendrik.derre=>howest.be>
Deneut Tijl <Tijl.Deneut=>howest.be>

Dominika Rusek <Dominika.Rusek=>os3.nl>
Steffan Roobol <Steffan.Roobo=>@os3.nl>
R

P
2
23

APFS Slack Analysis and Detection of Hidden Data.

Apple recently introduced APFS with their latest version of OS X, Sierra. The new file system comes with some interesting new features that either pose challenges or opportunities for digital forensics. The goal in this project is to pick one or more relevant features (i.e. encryption, nanosecond timestamps, flexible space allocation, snapshot/cloning, etc.) and reverse engineer their inner workings to come up with a proof-of-concept parsing tool that provides useful input for forensic investigations of Apple systems.
Danny Kielman <danny.kielman=>fox-it.com>

Axel Koolhaas <Axel.Koolhaas=>os3.nl>
Woudt van Steenbergen <woudt.vansteenbergen=>os3.nl>
R

P
1
25

Incentivize distributed shared WiFi through VPN on home routers.

Many forms of free WiFi exists such as ad based solutions [1], provider initiatives [2],
hotel/restaurant/etc. hotspots and Open Wireless Movement [3]. Security and privacy are important factors for sharing wireless. The provider does not want to be held liable [4] and the client wants privacy.

The RP will consist of creating a protocol + Proof of Concept to securely join WiFi networks and share your network. A client connects to a wireless AP using RADIUS credentials; username = PORT@domain, which indicates to which VPN the client will connect to. The AP (upgraded home WiFi router) only lets clients connect to VPN servers, which run on the client's home router, creating a tunnel between a device (client) and the owner's home router (VPN endpoint).

The client has the VPN location embedded in his 802.1x credentials for the shared SSID (like Eduroam) for participating APs. Additionally, the client has a VPN client installed, enabling APs to only allow (whitelist) VPN traffic and a DNS req. for VPN endpoint discovery. This creates the safety for joining any wireless (using the VPN) and sharing your wireless (whitelisting VPN traffic) without worry for liability issues.

This setup will incentivize users to upgrade their routers, giving them more security when connecting to any foreign wireless (through VPN) and provides access to wireless in more places (which require VPN to connect).
  1. worldwifi.io
  2. hotspots.wifi.comcast.com
  3. www.eff.org/issues/open-wireless
  4. www.eff.org/wp/open-wi-fi-and-copyright-primer-network-operators
Peter Boers <peter.boers=>surfnet.nl>

Sander Lentink <sander.lentink=>os3.nl>
R

P
2
29

Detecting Cobalt Strike beacons in NetFlow data.

In the era of an increasingly encrypted communication it is getting harder to distinguish normal from malicious traffic. Deep packet inspection is no longer an option, unless the trusted certificate store of the monitored clients is altered. However, Netflow data might still be able to provide relevant information about the parties involved in the communication and the traffic volumes they exchange. So would it be possible to tell apart ill-intentioned traffic by looking only at the flows?

The basic idea is to research the possibility to build a classifier to distinguish Cobalt Strike Malleable C2 profile (obfuscated network traffic) from real/genuine network traffic. If such a framework proves to be successful, it can help in alerting for covert channel malware communication, cross-site scripting and all other types of network communication not initially intended for a given destination.
Ralph Koning <r.koning=>uva.nl>

Vincent van der Eijk <vincent=>eijk.network>
Coen Schuijt <coen.schuijt=>os3.nl>
R

P
2
30

Elastic Named Data Network (NDN) for data centric application in cloud environments.

The selection of virtual machines (VMs) must account for the performance requirements of applications (or application components) to be hosted on them. The performance of components on specific types of VM can be predicted based on static information (e.g. CPU, memory and storage) provided by cloud providers, however the provisioning overhead for different VM instances and the network performance in one data centre or across different data centres is also important. Moreover, application-specific performance cannot always be easily derived from this static information.

An information catalogue is envisaged that aims to provide a service that can deliver the most up to date cloud resource information to cloud customers to help them use the Cloud better. The goal of this project will be to extend earlier work [1], but will focus on smart performance information discovery. The student will:
  1. Investigate the state of the art for cloud performance information retrieval and cataloguing.
  2. Propose Cloud performance metadata, and prototype a performance information catalogue.
  3. Customize and integrate an (existing) automated performance collection agent with the catalogue.
  4. Enable smart query of performance information from the catalogue using certain metadata.
  5. (Optional) Test the results with the use cases in on-going EU projects like SWITCH.
Some reading material:
  1. Elzinga, O., Koulouzis, S., Hu, Y., Wang, J., Zhou, H., Martin, P., Taal, A., de Laat, C., and Zhao, Z (2017), Automatic collector for dynamic cloud performance Information, IEEE Networking, Architecture and Storage (NAS), Shenzheng, China, Auguest 7-8, 2017 https://doi.org/10.1109/NAS.2017.8026845
More info: Arie Taal, Paul Martin, Zhiming Zhao
Zhiming Zhao <z.zhao=>uva.nl>

Sean Liao <sean.liao=>os3.nl>
R

P
1
40

Tunneling data over a Citrix virtual channel.

Citrix provides services for remote virtual desktop infrastructure (VDI / Xen Desktop) or application virtualization (XenApp). Citrix is sometimes used as a security measure to sandbox the execution of sensitive applications (e.g. so a financial application that may only be run from a single server, with the users that require the access connecting to the virtual desktop). The organization then sets additional restrictions: no access to clipboard data, no access to shared drives, and no outbound connectivity that is allowed to prevent data leaks.
Citrix is built on top of traditional Windows technologies such as RDP to establish the connection to the virtualized desktop infrastructure. RDP has the capability to extend the remote desktop session with clipboard management, attaching of printers and sound devices, and drive mapping. Additionally, it is possible to create plugins to provide other functionalities.

The rdp2tcp project features the possibility to tunnel TCP connections (TCP forwarding) over a remote desktop session. This means no extra ports have to be opened.
We would like to investigate whether it is possible to establish a TCP tunnel over a Citrix virtual desktop session. This would allow routing of traffic through the Citrix server, potentially providing the ability to move laterally through the network in order to access systems connected to the Citrix server (that are not directly exposed to the Internet).

Find here the video from the presentation: RP40 Presentatie Demo Video.mp4
Cedric Van Bockhaven <cvanbockhaven=>deloitte.nl>

Ward Bakker <Ward.Bakker=>os3.nl>
Niels den Otter <notter=>os3.nl>
R

P
1
41

Generating probable password candidates for the offline assessment of Dutch domain password hashes.

Although password authentication is not considered to be the most secure authentication method, it still is a reasonable option in practice today, mainly because of usability and deployability characteristics.
From early on, password authentication has been the target of attacks. As a result techniques and procedures concerning password authentication have been improved, e.g.:
  • Efficient attacks using rainbow tables have been introduced to enable pre-computed hash lookups. To mitigate such attacks, among others, password policies and salts have been used.
  • Graphics processing units (GPUs) are being utilized for guessing large amounts of password candidates per second. To counter such attacks, processing expensive and memory intensive hashing algorithms have been developed.
Our research focuses on assessing the strength of Dutch domain passwords by taking Dutch domain related breach corpus data as a starting point. The results could be valuable to sup- port security assessments in practice, e.g. red teaming exercises, and further development of preventive measures to assure stronger password selection for Dutch domain services.
Pim Campers <Pim.Campers=>secura.com>

Tom Broumels <Tom.Broumels=>os3.nl>
R

P
1
42

Digital Forensic Investigation of Data Theft on the Google Cloud Platform.

The Mitre GCP Matrix [1] displays 9 tactics to gain access on different levels on the Google Cloud Platform, the third most popular cloud platform. One of these tactics, called “Collection”, is getting access to data of interest from either a specific target or just anyone possible. The next goal after collecting data is to steal (exfiltrate) the data. In most cases, metadata could also be interesting.

A common problem with public cloud users is that these users often do not configure their public cloud storage solutions properly. The storage could easily remain public faced to the rest of the world instead of limiting access just to their application. Companies do not want their data to be viewed or exfiltrated by unauthorized. Our research will focus on the early detection and mitigation of the misuse of improperly secured cloud storage with the GCP provided tooling.

[1] https://attack.mitre.org/matrices/enterprise/cloud/gcp/
Korstiaan Stam <korstiaan.stam=>pwc.com>

Frank Wiersma <frank.wiersma=>os3.nl>
Tjeerd Slokker <tjeerd.slokker=>os3.nl>
R

P
1
43

Anomaly Detection on Log Files Based on Simplicity Theory.

As humans know from common sense -- and cognitive studies confirm -- events are relevant to subjects when they are exceptional (for them) or when they (potentially) might have positive or negative impact on their desires or interests. The goal of this project is to investigate how to develop similar relevance mechanisms in computational settings in order to provide adaptive monitoring. Intuitively, the system needs to form an idea of normality from observations, and use it to evaluate whether and to what extent a new observation is exceptional. Second, the system should be provided with a reward model (possibly specified at design time, but that could be modified or refined dynamically) and use it to evaluate the potential impact of a new observation. Once implemented, these filters of relevance could be used for instance in a monitoring application to highlight to the user where to pay further attention. The target domains of such an application might be the most various, for instance networking, social systems, etc.; The objectives of this study are to:
  • investigate computational models for relevance, drawing from existing literature (information theory, algorithmic information theory, simplicity theory, etc.)
  • decide an application domain and settle upon an associated representational model
  • develop the functions necessary for relevance, e.g. prototyping and reward model; and the mechanisms quantifying relevance
  • build a prototype for the target application domain
References:
  • Dessalles, J. L. (2013). Algorithmic simplicity and relevance. Algorithmic Probability and Friends, 7070 LNAI, 119–130.
  • Breuker, J. (1994). Components of problem solving and types of problems. A Future for Knowledge Acquisition, 867, 118–136.
  • Lindenmayer, D. B., & Likens, G. E. (2009). Adaptive monitoring: a new paradigm for long-term research and monitoring. Trends in Ecology and Evolution, 24(9), 482–486.
  • Domshlak, C., Hüllermeier, E., Kaci, S., & Prade, H. (2011). Preferences in AI: An overview. Artificial Intelligence, 175(7–8), 1037–1052.
Giovanni Sileno <G.Sileno=>uva.nl>

Giacomo Casoni <Giacomo.Casoni=>os3.nl>
Mar Badias Simo <Mar.BadiasSimo=>os3.nl>
R

P
1
49

Analyzing and enhancing embedded software technologies on RISC-V64 using the Ghidra framework.

There is a lack of proper tooling (disassemblers and decompilers) for RISCV64. Some plugins for IDA and Ghidra exist (publicly available on the internet), but are in a proof-of-concept stage. This slows down the progress in reversing and analyzing firmware for this architecture. Since embedded devices are expected to take advantage of this architecture due to its openness, reliable tooling is needed. The task would be to check existing tooling and either improve it if possible, or start from scratch with a solid foundation to which extensions can later be added (once they are frozen in the specs).
Alexandru Geana <Geana=>riscure.com>
Karolina Mrozek <Mrozek=>riscure.com>
Dana Geist <Geist=>riscure.com>

Patrick Spaans <pspaans=>os3.nl>
Joris Jonkers Both <Joris.JonkersBoth=>os3.nl>
R

P
1
50

The influence of the training set size on the performance of the Robust Covariance Estimator as an anomaly detection algorithm on automotive CAN data.

Cars are becoming more connected and networked, because of this more attack vectors available on a car.
  • Assessing the security of upcoming protocols for ICS systems, comparing them to each other and also to the current industry standards.
Colin Schappin <cschappin=>deloitte.nl>

Silke Knossen <silke.knossen=>os3.nl>
Vincent Kieberl <vincent.kieberl=>os3.nl>
R

P
1
51

Cybersecurity in Automotive Networks.

Automotive vehicles are comprised of multiple Electronic Control Units (ECUs), each controlling a subsystem of the vehicle. These include, but are not limited to, engine controls, brakes, locks, climate control, and multimedia systems. In an effort to reduce the amount of interconnections required between these ECUs, Bosch developed the Controller Area Network (CAN) bus, first released in 1986. In this research project we look at the security of the automotive networks themselves. We consider if there are measures taken to protect them against malicious messages and if not, if there are extensions that do and how those affect the performance of the bus.

Research Questions:
  1. Which automotive communication protocols are currently used in production, forming the state of practice?
  2. What features are built into the protocols utilized in the automotive industry to provide security?
  3. What extensions to protocols can be used to introduce security to the protocols?
  4. How do these extensions compare in terms of security, according to the CIA triad and other relevant properties, such as authenticity?
  5. If the extensions provide sufficient security, are there any drawbacks or other consequences that need to be taken into consideration?
Colin Schappin <cschappin=>deloitte.nl>

Arnold.Buntsma <Arnold.Buntsma=>os3.nl>
Sebastian Wilczek <Sebastian.Wilczek=>os3.nl>
R

P
1
52

Network Anomaly Detection in Modbus TCP Industrial Control Systems.

ICS malware network behavioral analysis.

  • How does malware look like on an ICS network?
  • Does this differ from regular IT systems and are pattern based / machine learning based solutions applicable to ICS systems?

ICS process mapping to finite state machines and analyzing system behavior.

  • It is possible to map a process (control, safety, ...) used in ICS systems to a finite state machine (FSM)?
  • Can this process of conversion be made easier for ICS processes?
  • Is it possible to use this FSM to monitor the behavior of the system and see if it shows unusual behavior (malware or defect equipment)?
Bartosz Czaszynski <bczaszynski=>deloitte.nl>

Philipp Mieden <Philipp.Mieden=>os3.nl>
Rutger Beltman <Rutger.Beltman=>os3.nl>
R

P
1
53

Using BGP Flow-Spec for distributed micro-segmentation.

BGP Flowspec (RFC 5575) is a standard to distribute ACLs with BGP. This is mainly used in DDOS mitigation, but I think it would be suitable to  implement a distributed firewall and create a microsegmentation solution in a datacenter. This could either be used in combination with the infeastructure and an OS like Cumulus Linux or in (relation to the above) when routing is done on a host/hypervisor. FRRouting currently has Flowspec partly implemented (only as a receiver), which could be used as an implementation.
Attilla de Groot <attilla=>cumulusnetworks.com>

Davide Pucci <Davide.Pucci=>os3.nl>
R

P
1
54

Collecting telemetry data using P4 and RDMA.

Network telemetry defines how various sources can be used to collect different metrics about the network health, and how to transfer it to a receiving end point for analysis. In order to potentially solve performance issues of the network, telemetry metrics such as link utilization and network latency can be examined [1]. With the development of programmable network devices, In-band Network Telemetry (INT) can be used to capture data directly from packet headers. This allows for gathering significantly more telemetry data that can provide more details about the current state of the network. Programming Protocol-Independent Packet Processors (P4) can be used in INT to extract telemetry data from incoming packets, as it allows for efficient controlling of the data plane of network devices. It requires a powerful collector to process a large amount of data at real time with a high resolution. Therefore, we want to investigate how P4 generated telemetry data can be efficiently collected.

With this research we aim to answer the following question:
  • Can DPDK or RDMA be used to efficiently capture P4 telemetry data at high data rates?
To answer this question we drafted the following subquestions:
  1. How can P4 be combined with DPDK to collect telemetry data
  2. How can P4 be combined with RDMA to collect telemetry data
  3. How does the performance of these methods compare?
Joseph Hill <j.d.hill=>uva.nl>
Paola Grosso <p.grosso=>uva.nl>

Silke.Knossen <Silke.Knossen=>os3.nl>
Rutger Beltman <rutger.beltman@os3.nl>
R

P
2
55

Scoring model for IoCs by combining open intelligence feeds to reduce false positives.

In the last few years much research has been done in the field of Threat Intelligence. Many tools have been released to harvest, parse, aggregate, store, and share Indicators Of Compromise (IOC) (https://github.com/hslatman/awesome-threat-intelligence) but yet one big problem remains at the moment of using it, *False Positives*. Commercial, open source, or even home brew feeds of threat intelligence need to go trough a phase of verification. This is a tedious job, mostly done by security analyst, where the data is analysed in order to rule out outdated, non relevant, or wrong (IP:8.8.8.8) IOCs. The idea of this research project is to analyse the various possibilities to perform this verification phase in an automated fashion.
Leandro Velasco <leandro.velasco=>kpn.com>
Joao Novaismarques <joao.novaismarques=>kpn.com>

Jelle Ermerins <jermerins=>os3.nl>
Niek van Noort <Niek.vanNoort=>os3.nl>
R

P
1
56

Detecting Fileless Malicious Behaviour of .NET C2 Agents using ETW.

The cat and mouse game between attackers (RedTeams) and Defenders (BlueTeams) is a never ending story. In the past years attackers have found that Antivirus bypass was doable by performing "fileless attacks" leveraging common tooling in windows environments. A common tool wildly exploited is powershell. As a counter measurement the industry is slowly implementing endpoint monitoring. This practice aims to build on top of the antiviruses by analyzing the events that happens in the system using software like sysmon or other EDR tooling. Moreover, microsoft implemented powershell script block logging. This allows defenders to not just monitor low level events but also analyse the commands executed by the powershell engine. Attackers after noticing that their trick started to get attention moved away and started implementing malicious .Net applications. Due to the nature of the .Net framework, attackers are able to deploy a .Net agent on the target system and send raw .Net code that will be compiled and executed by the agent from memory, thus avoiding detection.
Security researches had found that Event Tracing for Windows (ETW), first introduced in Windows 2000, could be used to detect these new threats.
Recently the company FireEye has released SilkETW, an open source tool that facilitate the use of the data generated by ETW. However, many challenges still remain, vendors and blue teams need to have a better understanding of the events generated and integrate these events into their detection strategies.

The idea behind this research project is to study the effectiveness of this newly discovered technology against threats such as the Covenant framework (https://github.com/cobbr/Covenant) and webshells such as the one recently disclosed by the apt34/Oilrig dump (https://d.uijn.nl/2019/04/18/yet-another-apt34-oilrig-leak-quick-analysis/).

References:
Leandro Velasco <leandro.velasco=>kpn.com>
Jeroen Klaver <jeroen.klaver=>kpn.com>

Alexander Bode <Alexander.Bode=>os3.nl>
Niels Warnars <nwarnars=>os3.nl>
R

P
1
58

Integration of EVPN in Kubernetes.

EVPN-VxLAN is the default overlay solution for IP-Fabrics and Cumulus has upstreamed the EVPN implementation into the FRRouting project. EVPN can also be run on a regular Linux host (https://cumulusnetworks.com/blog/evpn-host/), but Openstack doesn’t have integration with EVPN/FRR or the other changes made in the Linux kernel the last few years (e.g VRFs, vlan-aware bridging).
Attilla de Groot <attilla=>cumulusnetworks.com>
Frank Potter <Frank.Potter=>os3.nl>
R

P
2
60

Ibis Data Serialization in Apache Spark.

Apache Spark is a system for large-scale data processing used for Big Data applications business applications, but also in many scientific applications. Spark uses Java (or Scala) object serialization to transfer data over the network. Especially if data fits in memory, the performance of serialization is the most important bottleneck in Spark applications. Spark currently offers two mechanisms for serialization: Standard Java object serialization and Kryo serialization.

In the Ibis project (www.cs.vu.nl/ibis), we have developed an alternative serialization mechanism for high-performance computing applications that relies on compile-time code generation and zero-copy networking for increased performance. Performance of JVM serialization can also be compared with benchmarks: https://github.com/eishay/jvm-serializers/wiki. However, we also want to evaluate if we can increase Spark performance at the application level by using out improved object serialization system. In addition, our Ibis implementation can use fast local networks such as Infiniband transparently. We also want to investigate if using specialized networks increases application performance. Therefore, this project involves extending Spark with our serialization and networking methods (based on existing libraries), and on analyzing the performance of several real-world Spark applications.
Adam Belloum <A.S.Z.Belloum=>uva.nl>
Jason Maassen <J.Maassen=>esciencecenter.nl>

Dadepo Aderemi <Dadepo.Aderemi=>os3.nl>
Mathijs Visser <mathijs.visser=>os3.nl>
R

P
1
61

Using Mimikatz’ driver, Mimidrv, to disable Windows Defender in Windows.

Mimikatz has a driver bundled that allows an attacker to arbitrary R/W to kernel memory. This project would look into using the mimikatz driver in order to run privileged code via the driver. For example, working from the kernel, it is possible to unhook A/V in order to bypass endpoint protection software. However, several protections are in place (e.g. KPP) that make this difficult. It would be interesting to look into a generic way to unhook minifilter callbacks by using the mimikatz kernel driver.
Cedric van Bockhaven <cvanbockhaven=>deloitte.nl>

Bram Blaauwendraad <Bram.Blaauwendraad=>os3.nl>
Thomas Ouddeken <touddeken=>os3.nl>
R

P
1
65

Security Evaluation on Amazon Web Services’ REST API Authentication Protocol Signature Version 4.

Amazon Web Services is leading the Cloud Computing market with more than a third of the global market share. In this context, they need to enforce strict segregation between their users and virtual environments. AWS provide three different way to access a Cloud environment, either by using the: web console, CLI (Command Line Interface) or SDK (Software Development Kit)

If the first method uses standard OAuth2 authentication, AWS has created its own standard call signaturev4 for direct API REST requests authentication. Sigv4 is an internal and closed source protocol.
This research intends to evaluate the resilience and security of the AWS API compare to usual market standard such as OAuth2 and Basic HTTP Authentication.

To do so, you may start with:
  • Deploying a local Cloud stack or Escher
  • Testing some HTTP attack scenarios on a local server (e.g. replayed attack)
  • Document findings
  • Send a few crafted request to an AWS service and study the response
NB: As AWS doesn’t officially support penetration test on their infrastructure, direct attempt on AWS should be limited to the minimum and Flood attacks avoided.

Reference: https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
Alex Stavroulakis <Stavroulakis.Alex=>kpmg.nl>
Aristide Bouix <Bouix.Aristide=>kpmg.nl>

Hoang Huynh <hhuynh=>os3.nl>
Jason Kerssens <jkerssens=>os3.nl>
R

P
1
67

Insight in Cyber Safety when Remotely Operating SCADA Systems of Dutch Critical Infrastructure Object.

Nowadays most systems (e.g. Scada and process control in industry) have the ability to produce logging and sensor data about all infrastructure components. Often the combination of selected information from those logging files combined with information from external sources and current operations on those systems can create a good picture on the state of security. The challenge is to gather the data, make sure the correct logging is turned on in the first place, then place filters on this data so that the amount becomes manageable. Then data needs to be combined and processed to be usable for decision support and state.

In this rp we seek students that will:
  1. create a data gathering system
  2. artificial intelligence setup and machine learning to process that data.
This project covers a wide field and can easily be scoped into focused small research projects suitable for SNE students when contacting the supervisors.
Cedric Both <cedric=>datadigest.nl>

Tina Tami <tina.tami=>os3.nl>
R

P
1
68

End-to-end security in LoRa and NB-IoT sensor networks.

We have several types of autonomous sensors (e.g. Lora / 4G LTE) running inside some of the critical dutch infrastructure objects (e.g. tunnels, bridges, locks) to monitor the state, activity and availability of different systems. The challenge is to figure out a way to get that data securely from the objects to our Datacenter, but with a validity check to know if the data we have received really originated from the object and is not mangled in any way during transport.

The objective of this research is to figure out:
  • How to securely transport the sensor data
  • Create a mechanism that can monitor the validity of the data (is the data that has been send, also the data we received)
  • Identify risks and capabilities in using different transport mechanisms (e.d. Lora/4G LTE/nb-iot).
Cedric Both <cedric=>datadigest.nl>

Niek van Noort <nnoort=>os3.nl>
Jason Kerssens <jkerssens=>os3.nl>
R

P
2
71

A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a 1 Gbit/s environment.

WireGuard[1] is a new VPN protocol that aims to be as easy to configure and deploy as SSH and to replace other protocols such as IPsec and OpenVPN considered too complex in terms of code and configuration.
Since January, this protocol has been included in the Linux Kernel[2]. An American senator even called to use it as the favored VPN solution for the Government[3].

Behind this hype, is the protocol as fast and secured as it is advertised by its developers? The aim of this project is to deployed local OpenVPN, IPsec and WireGuard servers and to evaluate their different level of resilience.

Reference:
  1. https://www.wireguard.com/
  2. https://www.theregister.co.uk/2020/01/29/wireguard_vpn_will_be_in_linux_56_kernel/
  3. https://www.phoronix.com/scan.php?page=news_item&px=WireGuard-Senator-Recommends
Aristide Bouix <bouix.aristide=>kpmg.nl>
Mohammad Al Najar <alnajar.mohammad=>kpmg.nl>

Patrick Spaans <pspaans=>os3.nl>
Erik Dekker <erik.dekker=>os3.nl>
R

P
2
72

Analysis of Bypassing Detection by Microsoft Advanced Threat Analytics.

This research looks at ways to trigger suspicious activity alerts on Microsoft Advanced Threat Analytics (ATA) in an Active Directory (AD) test environment. ATA is an on-premise platform which detects abnormal activity in AD-environments like reconnaissance, lateral movement and domain dominance cyber-attacks. This detection is done by providing advanced monitoring based on anomaly or behavioural analysis from users, devices and other available resources, e.g. Syslog and SIEM events. This project focuses exclusively on anomaly-based attacks because it doesn't require a learning period of 30 days, as the behavioural analysis from ATA does.
Cedric Van Bockhaven <cvanbockhaven=>deloitte.nl>

Edgar Bohte <Edgar.Bohte=>os3.nl>
Nick Offerman <nick.offerman=>os3.nl>
R

P
2
73

Iris recognition using low resolution photographs from commodity sensors.

Iris recognition is a convenient method of biometric identification, as it does not require the person to be identified to touch anything or to get very close to a device. Iris scan identification does however require the subject to enroll in a recognition database under controlled circumstances and with high resolution pictures of the iris, possibly taken in near-infrared wavelength. This research will explore whether modern iris recognition algorithms or modern AI based iris recognition software can identify persons with iris photographs taken with commodity camera's and under varying circumstances.
Zeno Geradts <zeno=>holmes.nl>

Roy Vermeulen <rvermeulen=>os3.nl>
R

P
2
74

Deepfake detection through PRNU and logistic regression analysis.

It is easy to make a deepfake video nowadays with a GPU on a laptop, so this generates the forensic question how likely a video as evidence in court is a deepfake. There are many detection methods. One of the methods is the detection of the video file itself as well as the artefacts created The question is what kind of methods can be used on file system level to detect that a deepfake has been made and how these methods can be circumvented.
Zeno Geradts <zeno=>holmes.nl>
Catherine de Weever <catherine.deweever=>os3.nl>
Sebastian Wilczek <sebastian.wilczek=>os3.nl>
R

P
2
77

Monitoring an EVPN-VxLAN fabric with BGP Monitoring Protocol.

EVPN-VxLAN is the default solution for many use-cases these days, mainly in the datacenter, but also in campus networks. One key question around EVPN is: How can changes in the overlay network be monitored?

Cumulus Networks uses FreeRangeRouting as the routing suite in Cumulus Linux. FRR has support for EVPN and since recently also for BMP (BGP monitoring protocol). BMP is typically used in service provider environments to monitor DFZ environments. However, BMP can send messages to a collector that contain e.g route changes, peer state changes, statistic reports and message mirroring. This leads to the following research proposal questions:
  • Can BMP be used to monitor an EVPN overlay network?
  • How can this be implemented with FRR? Currently FRR doesn't have the EVPN AFI in BMP implemented, can this be added easily (POC)?
  • Can existing collectors such as OpenBMP be used for this use-case?
  • For what kind of use-cases with regards to monitoring, e.g VM movements, Security incidents, etc, would BMP be useful?
  • Would using BMP require changes to typical designs?
Vivek Venkatraman <vivek=>cumulusnetworks.com>
Donald Sharp <sharpd=>cumulusnetworks.com>
Attilla de Groot <attilla=>cumulusnetworks.com>

Giacomo Casoni <gcasoni=>hotmail.it>
Davide Pucci <Davide.Pucci=>os3.nl>
R

P
2
78

Determining the optimal maximum UDP response size for DNS.

IP fragmentation introduces fragility to Internet communications. Reassembly of fragmented traffic is problematic because it is computational expensive and it holds state for indeterminate periods of time. Moving IP fragmentation to the end-points (as with IPv6) does not help, because of the prevalence of additional components which are incompatible with IP fragmentation, such as Network Address Translation and Stateless Firewalls. IP fragmentation introduces security vulnerabilities by enabling the possibility to spoof parts of a message.

DNS is the largest user of IP fragmentation today. Fortunately it is possible to avoid fragmentation with DNS by limiting the response size and by signalling to re-query over TCP when a response exceeds that size. Ideally DNS responses should be limited to the Path MTU. A response size larger than the Path MTU introduces IP fragmentation. A too small Path MTU will induce more fallback to TCP and thereby decrease performance and increase traffic.

The de-facto protocol to determine the Path MTU on the Internet, Path MTU Discovery, is also unreliable on the current Internet and especially problematic with DNS name servers which are stateless and unable to resend (sized down) responses.

DNS Flag day is an initiative of DNS implementers and DNS resolver operators to improve the operation of DNS on the internet by collaboratively modifying the way DNS resolvers behave. The aim of DNS Flag day 2020 is to minimize fragmented DNS on the Internet by introducing a new default for the maximum UDP response size. The goal of this research project is to help determine an optimal maximum UDP response size for DNS, by measuring the Path MTU to which resolvers and stub-resolvers on the Internet are subject. We envisage using the RIPE Atlas probe network to perform measurements for the DNS resolvers that each probe uses.

Willem Toorop <willem=>nlnetlabs.nl>
Roland van Rijswijk-Deij <roland=>nlnetlabs.nl>

Axel Koolhaas <axel.koolhaas=>gmail.com>
Tjeerd Slokker <tjeerd.slokker=>gmail.com>
R

P
2
86

Using TURN Servers as Proxies.

WebRTC research: The TURN protocol in WebRTC systems allows two parties to send media data to each other via a relay in case a firewall is preventing direct communication. We theorize that it’s possible to use TURN servers as a proxy and use this technology for other purposes than it was intended. An example could be to create a SOCKS or HTTP proxy on top of the TURN protocol and tunnel traffic towards (HTTP) endpoints. Due to the nature of TURN servers they are usually whitelisted systems in corporate environment as they allow video calls in WebRTC video conferencing.
Cedric van Bockhaven <CvanBockhaven=>deloitte.nl>
Jan Freudenreich <jfreudenreich=>deloitte.nl>

Sean Liao <sean.liao=>os3.nl>
R

P
2
95

An Evaluation of IPFS As A distribution Mechanism for RPKI Repository.

In RPKI, Certificate Authorities publish cryptographically signed objects in repositories. Relying-party software fetches these objects and uses them to perform validation on routing activities, most notably Route Origin Validation, to assess the legitimacy of announcements in BGP.

Currently, Rsync and the RPKI Repository Delta Protocol (RRDP) are the two protocols used to publish and retrieve from these RPKI publication repositories. Rsync has shown to have various drawbacks in practice: notable being the significant resources in terms of CPU and memory it requires on the part of the publication server, and challenges with regards to publishing multiple files atomically.

The InterPlanetary File System (IPFS) is a protocol and peer-to-peer network for storing and sharing data in a distributed file system (Wikipedia). It makes use of Markle DAG as the data structure upon which a content-addressable network is built. While for routing it makes use of a modified version of Kademlia, a distributed hash table for decentralised peer-to-peer networks. In IPFS there is no single point of failure and nodes do not need to trust each other IPFS to share content securely.

Some of the unique characteristics of IPFS include content addressability, PKI based identity of participating nodes, immutability, and distributed nature. These characteristics lead to benefits like higher resiliency to DDOS, data integrity guarantees, an inbuilt history audit, and more efficient use of network resources for storing and sharing content.

In this research, we would like to explore how these benefits and characteristics of IPFS can be used to implement a publication protocol for RPKI repositories. It will involve identifying the requirements of RPKI publication repositories and how they can be implemented with IPFS. A prototype will be made, allowing quantitative comparison (of computing and network resources) to Rsync and RRDP. If time permits, we would also like to explore how unique features in IPFS such as immutability can support the RPKI repository publication process.
Luuk Hendriks <luuk=>nlnetlabs.nl>

Dadepo Aderemi <Dadepo.Aderemi=>os3.nl>
Woudt van Steenbergen <Woudt.vanSteenbergen=>os3.nl>
R

P
2
99

Securing home Wi-Fi with WPA3 personal.

The Wi-Fi Alliance announced Wi-Fi Protected Access 3 (WPA3) back in June of 2018 [1]. And WPA3 is supposed to become mandatory for Wi-Fi implementations in the near future [2]. Therefore, WPA3s adoption rate is expected to grow reasonably soon. But, as we can see from the current statistics WPA3 is not actively used by the public at this moment. We can see that at the 1st of May in 2020, only 24 out of roughly 645 million access points that have been recorded by WiGLE use WPA3 [3].

We argue that real world implementations of WPA3 need to be backwards compatible with WPA2. Simply because older devices will have to keep functioning for the foreseeable future, this is already taken care of with WPA3 transitional mode. Which makes the protected management frames (PMF) optional. Thus, allowing clients to keep using WPA2, without PMF. The downside of running WPA3 in this mode is that clients can be easily downgraded back to WPA2, reintroducing all the security flaws that WPA3 is trying to fix. The possibility of this downgrade attack has already been shown in the Dragonblood paper [4].

Our main research question is defined as follows:
  • Can WPA3 transition mode be secured in such a way that downgrade attacks are not feasible?
To answer this question, we define the following subquestions:
  • How can WPA3 personal transition mode be manipulated in downgrading clients to WPA2?
  • What techniques can be utilized to prevent these downgrade attacks?
  • Which implementation requirements are needed to ensure that WPA3 personal transition mode can operate securely?
References:
  1. Wi-Fi Alliance. Wi-Fi Alliance⃝R introduces Wi-Fi CER- TIFIED WPA3TM security. URL: https://www.wi-fi.org/ news-events/newsroom/wi-fi-alliance-introduces-wi-fi- certified-wpa3-security (visited on 01/05/2020).
  2. Wi-Fi Alliance. Security. URL: https://www.wi-fi.org/ discover-wi-fi/security (visited on 01/05/2020).
  3. WiGLE LLC. Statistics. URL: https : / / wigle.net / stats (visited on 01/05/2020).
  4. Mathy Vanhoef and Eyal Ronen. “Dragonblood: A Se- curity Analysis of WPA3’s SAE Handshake.” In: IACR Cryptology ePrint Archive (2019), p. 383.
  5. Paper draft based on this RP submitted to the Communications & Networking Conference.
Arjan van der Vegt <avdvegt=>libertyglobal.com>

Raoul Dijksman <rdijksman=>os3.nl>
Erik Lamers <erik.lamers=>os3.nl>
R

P
2
100

Investigative Research for an IP Peering Service Network for Netherlight.

NetherLight is an exchange by SURFnet and enables light paths for its customers all over the world [1]. Although NetherLight is part of SURFnet, the networks of the two are separated. NetherLight is however, well connected to SURFnet’s network. NetherLight is an exchange that facilitates high bandwidth interconnects. The clients of NetherLight include, but are not limited to, research and education facilities and cloud service providers around the world, for example Microsoft, OneXS, Vodafone, GEANT, and others.

NetherLight currently offers layer 2 VLANS (IEEE 802.1q and IEEE 802.1ad) point-to-point and multipoint con- nections between their clients. Its philosophy is that NetherLight facilitates a layer 2 domain and thus only act on layer 0 to 2 [1]. The VLANS are built using EVPN on top of MPLS. The NetherLight team does capacity management on layer 2 to keep up with the bandwith requirements and forecasts.

Now NetherLight wants to investigate a service that al- lows their customers to setup BGP peerings with each other in a fast, manageable, predictable, scalable and reli- able way. Preferably with minimal or no intervention from NetherLight management/operations. But this goal is too broad for a research project of 4 weeks. Therefore, the main goal of this research project is to investigate what options there are to create a layer 2 underlay to facilitate layer 3 peering, investigate how customers can connect to the peering network and how there experience will be, investigate the operational environment, and give recom- mendations on which option is best suited for the use case of NetherLight.

[1] Hill, A. van den, Vos, M. de, and Malenstein, G. van, Netherlight, 2016. [Online]. Available: https://meetings. internet2.edu/media/medialibrary/2016/05/17/20160517-Malenstein-NetherLight.pdf.
Gerben van Malenstein <gerben.vanmalenstein=>surfnet.nl>
Migiel de Vos <migiel.devos=>surfnet.nl>
Max Mudde <max.mudde=>surfnet.nl>

Arnold Buntsma <arnold.buntsma=>student.uva.nl>
Mar Badias Simó <mar.badiassimo=>student.uva.nl>
R

P
2
101

Securing the Automatic Dependent Surveillance-Broadcast (ADS-B) protocol against spoofing.

Since commercial aviation is ever growing, there is a need for additional and accurate visibility for air traffic controllers (ATCs). In 1943 the military air traffic controllers started to use the first radar. Radar systems are accurate up to a certain extent. Only in the 70’s aviation started to use transponders (short for transmitter- responder). Together with the developments of the Airborne Collision Avoidance System (ACAS) system, the Automatic Dependent Surveillance-Broadcast (ADS-B) was finally introduced. Aircraft equipped with ADS-B periodically transmit their position and other information (such as registration number, flight number, speed, altitude, course and intentions) to ground stations and neighbouring ADS-B equipped aircraft.

This research focuses on finding possible attacks against ADS-B. Specifically, the replay-attacks that are able to mislead ATCs. Especially the detection of such attacks and propose mitigation mechanisms against them. Should time and ethical considerations allow, a proof of concept can supplement the research. The main research question for this project is defined as follows:
  • How can malicious broadcasts of the Automatic Dependent Surveillance-Broadcast (ADS-B) be detected to protect Air Traffic Control (ATC) from Denial-of-Service (DoS) and disinformation attacks?
To support the main research question the following sub-questions are defined:
  • What types of attacks are possible in terms of Denial-of-Service (DoS) and disinformation?
  • In what way can historical or predictive modelling be used for the purpose of filtering disinformation signals?
  • How can detection and filtering algorithms aid in signal integrity and authenticity validation?
  • What kind of advantages can signal fingerprinting offer for the detection of malicious broadcasts?
Jan-Joris van Es <Jan-Joris.van.Es=>nlr.nl>
Nico de Gelder <Nico.de.Gelder=>nlr.nl>

Tim de Boer <tim.deboer=>os3.nl>
R

P
2
102

Requirements for extracting ENF data to correctly timestamp a video.

Electric Network Frequency (ENF) is a result of the ever fluctuating supply and demand of power on a power network. This fluctuation in frequency is relatively unique and can thus be used to timestamp certain events. The aim of this research is to use ENF to timestamp video, which can be useful both in real time detection and forensics.
Zeno Geradts <zeno=>holmes.nl>

Thomas Ouddeken <Thomas.Ouddeken=>os3.nl>
Niels den Otter <notter=>os3.nl>
R

P
2
103

Reverse-engineering CAN bus messages using OBD-II and correlation coefficients.

Vehicle to Everything (V2X) communication is passing of information from a vehicle to any entity that may affect the vehicle, and vice versa. This communication can be done using multiple different techniques. Cellular can be used to  communicate traffic information and talk indirectly to other cars outside of range, and DSRC (Dedicated Short Range Communication) is a Wi-Fi variant defined in the IEEE 802.11p standard operating on the 5.85-5.925 GHz spectrum which can be used for direct communication between nodes.

When V2X is used to help the vehicle make driving decisions, it is paramount that the information it receives is accurate to avoid (potentially lethal) accidents. Therefore, there has to be a framework defined for recognizing both malicious and defective nodes, sending out false information. Using CRL's (Certificate Revocation Lists), all other nodes can then be notified and therefore discard any information received by that node. When defining such a framework,  speed and security are the main concerns.
Sander Ubink <ubink.sander=>kpmg.nl>
Ruben Koeze <koeze.ruben=>kpmg.nl>

Vincent Kieberl <vincent.kieberl=>os3.nl>
Bram Blaauwendraad <Bram.Blaauwendraad=>os3.nl>
R

P
2
104

Securely accessing remote sensors in critical infrastructures.

"One of the problems that Datadigest faces, is that they deploy sensors in remote/hard to access locations(underground installations,tunnels,underwater, etc). These sensors are hard to maintain after the deployment or scale according to the traffic needs. In addition to that, they need to import/export data on a secure and redundant way.
  • Could the use of software defined networks, in combination with other technologies,(such as Wireless Mesh Networks) provide a solution to this problem?
The objective of this research is to figure out how:
  1. Communicate with the sensors in a secure and redundant way using Software Defined Networks.
  2. Monitor the network of sensors and adjust accordingly (deploy new sensors if needed or ban suspicious devices)
  3. Create multiple paths to distribute the data for redundancy (e.d. Split Control/Data plane over Lora/4G LTE/nb-iot).
Cedric Both <cedric=>datadigest.nl>

Pavlos Lontorfos <Pavlos.Lontorfos=>os3.nl>
R

P
2

Presentations-rp2

I hereby would like to invite you to the annual RP2 presentations, where the SNE students will be presenting their research.
Considering the wide variety of presentations the day promises to be very interesting and we hope you will join us.
Program (Printer friendly version: HTML).
Thursday July 2 2020, 10h05 - 16h55 online using bigbluebutton.
Time #RP Title Name(s) LOC RP
10h00
Welcome, introduction, setup Cees de Laat

10h05
5
Server agnostic DNS augmentation. Tom Carpay nlnetlabs 2
10h30
78
Determining the optimal maximum UDP response size for DNS. Axel Koolhaas, Tjeerd Slokker nlnetlabs 2
10h55
bio/coffee break


11h05 95
An Evaluation of IPFS as a distribution mechanism for RPKI Repository. Dadepo Aderemi, Woudt van Steenbergen nlnetlabs 2
11h30 100
Investigative Research for an IP Peering Service Network for Netherlight. Arnold Buntsma, Mar Badias Simó SURFnet 2
11h55
Lunch


13h05 15
Malicious behavioral pattern recognition and prevention based on CyberArk PAS logs in Splunk. Mike Slotboom, Ivar Slotboom deloitte 2
13h30 72
Analysis of Triggers in a Microsoft Advanced Threat Analytics Environment. Edgar Bohte, Nick Offerman deloitte 2
13h55
bio/coffee break


14h05 86
Using TURN servers as Proxies. Sean Liao deloitte 2
14h30 19
Analysis on MX-record queries of non-existent domains. Jasper Hupkens, Siebe Hodzelmans sidn 2
14h55
bio/coffee break


15h05 20
Detecting Botnets communicating with transient C2 servers. Khanh Hoang Huynh, Mathijs Visser true.nl 2
15h30 77
Monitoring a EVPN-VxLAN fabric with BGP Monitoring Protocol. Giacomo Casoni, Davide Pucci cumulusnetwork 2
15h55
bio/coffee break


16h05 71
A performance comparison of the VPN implementations WireGuard, strongSwan and OpenVPN in a one Gbit/s environment Patrick Spaans, Erik Dekker KPMG 2
16h30 103
Reverse-engineering CAN bus messages using OBD-II and correlation coefficients. Vincent Kieberl, Bram Blaauwendraad KPMG 2
16h55
End



Friday July 3 2020, 10h05 - 16h55 online using bigbluebutton.
Time #RP Title Name(s) LOC RP
10h00
Welcome, introduction, setup Cees de Laat

10h05
29
Analysis of Cobalt Strike network traffic obfuscation in C2 communication. Vincent van der Eijk, Coen Schuijt UvA 2
10h30
54
Collecting telemetry data using P4 and RDMA. Silke.Knossen, Rutger Beltman UvA 2
10h55
bio/coffee break


11h05 68
End-to-end security in LoRa and NB-IoT sensor networks. Niek van Noort, Jason Kerssens datadigest 2
11h30 104
Securely accessing remote sensors in critical infrastructures. Pavlos Lontorfos datadigest 2
11h55
Lunch


13h05 102
The effect of video properties on the likelihood of correctly timestamping a video using ENF. Thomas Ouddeken, Niels den Otter NFI 2
13h30 73
Iris recognition from low resolution photographs. Roy Vermeulen NFI 2
13h55
bio/coffee break


14h05 74
Deepfake detection through PRNU and logistic regression analysis. Catherine de Weever, Sebastian Wilczek NFI 2
14h30 21
Advanced Persistent Threats detection framework for Industrial Control Systems. Dominika Rusek, Steffan Roobol howest.be 2
14h55
bio/coffee break


15h05 99
Security of WPA3 transitional mode. Raoul Dijksman, Erik Lamers libertyglobal 2
15h30 6
Collaborative work with Augmented and Virtual Reality – Unity based network infrastructure. Lars Tijsmans tudelft 1
15h55
bio/coffee break


16h05 101
Automatic Dependent Surveillance-Broadcast (ADS-B). Tim de Boer NLR 2
16h30
Closing words Staff



Presentations-rp1

Program (Printer friendly version: HTML, PDF.
(
presentations are 20 min for single and 25 min for pairs of students, yellow = requested specific day/time.)
Monday Feb 3 2020, 10h25 - 17h00 in room B1.23 at Science Park 904 NL-1098XH Amsterdam.
Time #RP Title Name(s) LOC RP
10h25
Welcome, introduction. Cees de Laat

10h25
1
Zero Trust Network Security Model in containerized environments. Catherine de Weever, Marios Andreou on2it 1
10h50
bio/coffee break


11h10 4
The Current State of DNS Resolvers and RPKI Protection. Erik Dekker, Marius Brouwer nlnetlabs 1
11h35 42
A Design and Procedure for Digital Forensic Investigation on Data Theft on the Google Cloud Platform.
Frank Wiersma, Tjeerd Slokker pwc 1
12h00
Lunch


13h00 23
Detecting hidden data within APFS datastructures. Axel Koolhaas, Woudt van Steenbergen fox-it 1
13h25 30
Automated planning and adaptation of Named Data Networks in Cloud environments. Sean Liao UvA 1
13h45
bio/tea/coffee break


14h10 60
Fast Data Serialization and Networking for Apache Spark.
Dadepo Aderemi, Mathijs Visser UvA 1
14h35 43 Anomaly Detection on Log Files Based on Simplicity Theory. Giacomo Casoni, Mar Badias Simo UvA 1
15h00
bio/tea/coffee break


15h20 49 Creating a plugin for Ghidra to support RISC-V64, to analyze the security of embedded technologies. Patrick Spaans, Joris Jonkers Both riscure 1
15h45 65 Security Evaluation on Amazon Web Services’ REST API Authentication Protocol Signature Version 4. Hoang Huynh, Jason Kerssens kpmg 1
16h10 41 Generating probable password candidates for the offline assessment of Dutch domain password hashes. Tom Broumels secura 1
16h30
End



Tuesday feb 4th 2020, 10h00 - 17h00 in room B1.23 at Science Park 904 NL-1098XH Amsterdam.
Time #RP Title Name(s) LOC RP
10h00
Welcome, introduction. Cees de Laat

10h00 52
Network Anomaly Detection in Modbus TCP Industrial Control Systems. Philipp Mieden, Rutger Beltman deloitte 1
10h25
13
Incorporating post-quantum cryptography signatures in digital certificates Daan Weller, Ronald van der Gaag deloitte 2
10h50
bio/coffee break


11h10 50 Large-scale automotive CAN data acquisition for IDS evaluation.
Silke Knossen, Vincent Kieberl deloitte 1
11h35 51 Security Evaluation of Automotive Networks. Arnold.Buntsma, Sebastian Wilczek deloitte 1
12h00
Lunch


13h00 40
Tunneling data over a Citrix virtual channel. Ward Bakker, Niels den Otter deloitte 1
13h25 61
Using Mimikatz’ Mimidrv driver to unhook antivirus callbacks in Windows. Bram Blaauwendraad, Thomas Ouddeken deloitte 1
13h50
bio/tea/coffee break


14h10 56 Detecting Malicious Behaviour of .NET C2 Agents using ETW. Alexander Bode, Niels Warnars kpn 1
14h35 55 Scoring model for IoCs by combining external resources to reduce false positives. Jelle Ermerins, Niek van Noort kpn 1
15h00
bio/tea/coffee break


15h20 53 Using BGP Flow-Spec for distributed micro-segmentation. Davide Pucci cumulusnetworks 1
15h40 8 APFS Checkpoint behaviour research in macOS. Maarten van der Slik NFI 1
16h00 67 Insight in Cyber Safety when Remotely Operating SCADA Systems of Dutch Critical Infrastructure Objects. Tina Tami datadigest 1
16h20
End




Out of normal schedule presentations: Room B1.23at Science Park 904 NL-1098XH Amsterdam. Program:
Date Time Place #RP Title Name(s) LOC RP #stds
2019-09-30
15h00
C3.152
2
Integration of EVPN in Kubernetes. Attilla de Groot
CumulusNetworks
58
1
2019-11-13
13h00
B1.23
1
Security of Mobility-as-a-Service(MaaS)
Alexander Blaauwgeers
KPMG
2
1
2019-11-13
13h25
B1.23 2
Incentivize distributed shared WiFi through VPN on home routers.
Sander Lentink SURFnet
25
1