The following is a list of suggestions for project topics. This list is aimed at people who don't already have a preferred project topic in mind. It may also be of interest to people who have a particular area of interest, but haven't figured out what part of it they would like to investigate. In addition to this list, feel free to browse the literature available in the library and online (see links on course web page) for ideas that might better fit your interests.
  1. What is the state of the art in terms of intrusion dection systems?
  2. What is the state of the art in figuring out what to do once one's computer system has been intruded?
  3. What security problems arise from difficulties people have with evaluating risk? What is the literature on this topic? How is determining the riskiness of a stock investment different from determing the riskiness of providing personal information to a web site?
  4. How does PGP handle encrypted email and why doesn't everyone use it?
  5. Are people really monitoring all web traffic? What would be the resource requirements of such a thing?
  6. People seem to have difficult managing passwords, but if we can put retinal scanners on all laptops that might solve the user authentication problem. What are the issues involved and the weaknesses of such an approach?
  7. SELinux implements mandatory access controls. How does this work and how effective is it at improving Linux security?
  8. My laptop comes with a Trusted Platform Module. What is it, how does it work, and what are its limitations? Will this finally solve our computer security problems?
  9. What are people doing about `denial of service' attacks? Is there any way to solve this problem?
  10. Even if everything is securely encrypted, a lot can be learned by just watching who is talking to who and how much they are sending (traffic analysis). Are people working on this security problem and have they come up with any useful solutions?
  11. I have heard that people have subverted the Xbox so that they can run Linux on it. How did they do that? Is it still an issue?
  12. How does SSH work? Why are there different versions/releases?
  13. I heard that some people are breaking SSH by looking at the timing between keystrokes. Does that really work and what is being done about it?
  14. I heard some people were spying on web browser users by timing browser response to queries generated by Javascript routines (since cached information responds faster than uncached)? Is this really a problem? If so, what are the fixes?
  15. I heard some people where breaking the security of hardware encryption devices by deducing the key used from the amount of time it takes to encrypt known messages. Is this really a problem? If so, what are the fixes?
  16. I heard that one can tell what is being typed by recording the sound made by the typing and then using a computer to analyze it. How does that work?
  17. I heard that computer monitors are always emitting radio signals and so people can monitor your computer usage from another room. How does that work? Is it still a problem in this age of LCD screens?
  18. How would one go about breaking Enigma ciphers now a days with the help of much faster computers than they had during World War II?
  19. How would one use a computer to help break a double transposition cipher?
  20. Bruce Schneier's A SELF-STUDY COURSE IN BLOCK-CIPHER CRYPTANALYSIS looks interesting (http://www.schneier.com/paper-self-study.pdf). How far can I get following his suggestions and what did I learn along the way?
  21. How do security audits of computer systems work?
  22. One always hears about buffer overflows in computer programs being a problem. Why hasn't this been fixed by now? What are people doing about it?
  23. Why is integer overflow a security problem? What are people doing about it?
  24. In 2006, OpenSSH had a race condition problem that created a security problem. What was that all about and how can it be prevented in the future?
  25. I noticed that CERT has published Secure Coding Standards for both C and C++. What are they about? What can be done to make sure people are following them when working on a large project?
  26. How does Java handle security issues?
  27. Is Java more secure than other languages to program network applications in? What evidence is available on this point?