Student Projects

Technology Usability Lab In Privacy and Security

Projects completed by Interns, Undergraduate, and Masters students associated with the TULIPS lab. Projects vary widely and typically represent one summer's amount of work. Resources and publications provided where available and appropriate. Projects are sorted by the year they were completed and then alphabetically by student.

2018

Designing a tool to teach password security to future developers

Constance Crowe (2016-2018, Undergraduate and Masters Thesis)

Supervisor: Kami Vaniea

Interactive tutorial that allows people to try out some basic password cracking techniques. My project teaches programmers how to break into a "secure" site by attacking the password. I demonstrate potential vulnerabilities from an attacker's point of view as well as how they can be solved from the defender's perspective.

2017

Faheem: Real-time Slack Bot URL Explainer Assists Users in Overcoming Phishing

Kholoud Althobaiti (2016-2017, Masters Thesis)

Supervisors: Stuart Anderson, Kami Vaniea

People have difficulty understanding URLs which makes it harder for them to decide what links are safe to click on or identify potential privacy issues. Faheem is a Slack chat bot designed to help users understand a URL through an interactive discussion with the bot.

Usability of Configuration Languages: Online Compiler

Aldo Javier Martinez Bacha (2016-2017, Masters Thesis)

Supervisor: Kami Vaniea

Testing the usability of configuration languages as part of a survey is challenging because of the diversity of different languages and the lack of an online compiler to show feedback. In this project, I built an online survey tool where a researcher can set up a set of tasks and the survey taker can interact and compile their answers in several common configuration languages like L3 and Puppet.

Geolocation Inference on Twitter

Alexander Caughey (2016-2017, Masters Thesis)

Supervisors: Kami Vaniea, Liane Guillou

Machine learning systems were developed to predict the location of origin of a tweet to city-level accuracy. Initially, a state-of-the-art neural network system was re-implemented which achieved comparable results. Subsequently, this system was extended to include more features and extra hidden layers resulting in an increase in successful predictions. Additionally, the hyperparameters of the system were optimised and an ablation test was performed on the system's input features to determine the most beneficial inputs. Design requirements for a defensive privacy-protecting plug-in like tool were acquired in a focus group study. This system could be used to raise social media users' awareness of the impact of machine learning using publicly available data on privacy.

Firewall administration, the game

Ying-An (Annie) Chen (2016-2017, Undergraduate Thesis)

Supervisors: William Waites, Kami Vaniea

Board game focused on configuration of Firewall rules. Computer security is becoming increasingly important in system administration. For this thesis I focused on firewalls as they are a common component of security management. I built a board game which is engaging and motivates people to learn more about Firewalls.

Interactive physical visual aid to support active learning in understanding DDoS concepts

Willy Halim Dinata (2016-2017, Masters Thesis)

Supervisor: Kami Vaniea

This project explored a new way to bring security awareness of Distributed Denial of Service (DDoS) attacks to the masses. The project consisted of a physical-visual aid showing participants a set of simulated Internet of Things (IoT) devices. Participants could interact with the IoT devices through a Facebook chat bot and use them to attack the video server in the center of the board. When all four IoT devices attack at once the video slows to a crawl.

Encrypt me if you can: Helping developers add Transport Layer Security to Android applications

Dimple Gulrajani (2016-2017, Undergraduate Thesis)

Supervisor: Kami Vaniea

An alarming number of mobile applications on the Google Play store do not encrypt their communications leaving them open to Man In The Middle attacks. This thesis analyzes why this is the case and presents a new tutorial to help developers correctly use TLS.

Firewall administration the game

Congcong He (2016-2017, Masters Thesis)

Supervisor: Kami Vaniea

Card game that teaches the IPTables command line to players. During the game players gather Learning cards which teach them about different aspects of IPTables such as chains. They then use the Learning cards to construct IPTables commands to accomplish missions.

An Educational Game for Computer Security

Yini Huang (2016-2017, Masters Thesis)

Supervisor: Kami Vaniea

Card game where each player must manage a personal computer which hosts services (make money) and defend their network (costs money). Players then try and take down rivals by playing well known attacks against them, and they defend by correctly identifying how to prevent the attack. The game is intended for students who are currently taking a computer security course and want a good way to review common computer security material in a fun way.

Blue Team: A firewall setup game

Karel Kuzmiak (2017-2017, Internship)

Supervisor: Kami Vaniea

Developed an educational game that can be played in a browser and teaches the basic idea behind firewall administration on a network. The aim of the game is to set up firewall rules in different scenarios, in order to teach the player about iptables syntax, and attack logs from IDS.

Meagle - Crowdsourced software data with community-moderated software reviews

Tom Macmichael (2016-2017, Undergraduate Thesis)

Supervisors: Sebastian Maneth, Kami Vaniea

Finding impartial information about a given piece of software is not easy: there is no single place users can visit to find and contribute information in a consistent manner. This project created a new website called Meagle, that allows a community of users to review pieces of software with moderation so the best reviews are easy to find.

Firewall simulator as a WebApp

Patrik Mjartan (2016-2017, Undergraduate Thesis)

Supervisors: William Waites, Kami Vaniea

A firewall is a rather straightforward entity at its core - packets trying to get through get inspected and are either let through, or denied. However, configuring and testing a firewall setup can be rather inaccessible to people like students. In particular, setting up multiple machines and VMs can be error prone and problematic for learning. In this project I sought to create a firewall simulator as a WebApp, hence erasing the potentially difficult and time consuming act of setting up the machines.

Building a website for users to rate software updates

Kayode Oduyemi (2016-2017, Undergraduate Thesis)

Supervisors: Sebastian Maneth, Kami Vaniea

End users are not particularly aware of the security implications of not installing updates. This project addresses the problem by creating a website where users can comment on and rate software updates.

Permission Impossible - the design and evaluation of a video game that teaches beginners about firewalls

Sibylle Sehl (2016-2017, Masters Thesis)

Supervisor: Kami Vaniea

Certain topics in Computer Security, for example firewalls, can often seem inaccessible or very difficult to beginners. This project aims to bridge this gap by providing an engaging and friendly environment for beginners to learn about firewalls. Permission Impossible teaches novices about basic firewall terminology and concepts as well as how to build a firewall rule set to enable incoming and outgoing packet traffic.

Firewall administration the game

Scott Thompson (2016-2017, Undergraduate Thesis)

Supervisors: Kami Vaniea, William Waites

Managing the Firewall policy rules for a large network is a challenging task, even for a skilled system administrator. Learning these skills can seem insurmountable. In this thesis, I present a Flash game that teaches people how to write IPTables rules through a mission-based game.

Mailvelope: Evaluate the usability of a security or privacy tool

Qingyu Zhou (2016-2017, Masters Thesis)

Supervisor: Kami Vaniea

To be secure, email encryption solutions also need to be usable. In this project I evaluate the usability of the Mailvelope plugin. I find that many of the issues identified by prior work, such as confusion over public/private keys, remain an issue in Mailvelope. I also propose a new user interface design which is more usable.

2016

Visualize router traffic

Constantinos Chrysostomou (2016-2016, Internship)

Supervisor: Kami Vaniea

The Internet of Things (IoT) can make it seem like we have lost control over where our data goes. In this project we took IoT traffic passing across a home network router and visualized where in the world the traffic was going in a live display. The system used D3 for the visualization and a system created by Nikolaos Tsirigotakis to do the packet capture.

Learn Security

Rory Mathers (2015-2016, Undergraduate Thesis)

Supervisor: Don Sannella

Android app for teaching about the following kinds of web security threats, from the OWASP top 10 list: session attacks, SQL injection, cross-site scripting, cross-site request forgery, and sensitive data exposure. It's designed for smartphones; it works on tablets as well but looks better on 7-inch tablets than on large tablets. It's completely self-contained, demonstrating attacks on a simulated bank website, and countermeasures, and requires no permissions to install - there is no danger to your security.

Usability of system configuration languages: Errors caused by ordering

Adele Mikoliunaite (2015-2016, Masters Thesis)

Supervisors: Paul Anderson, Kami Vaniea

Being a system administrator in today's environment can be quite challenging with a large number of systems to manage and typically minimal formalized training. Configuration languages such as Puppet, SmartFrog, and L3 help administrators manage their large systems, but are these languages usable for novices? In this work I administered a survey to look at the intuitive judgements of admins on configuration features such as referencing, inheritance, scope, and ordering. I found that ordering does matter in certain contexts, especially when paired with other features.

Measure the churn of Javascript across multiple re-loadings of web pages

Zhouting Ouyang (2015-2016, Masters Thesis)

Supervisor: Kami Vaniea

When a user visits a webpage the contents of the page are retrieved from various other linked pages. Some of the retrieved content is Javascript which is not owned or hosted by the main site being visited. In this thesis I build a web crawler using Java that measured the number and type of Javascript being retrieved from popular websites. I find that after 10 days around 50% of sites have changed the Javascript being loaded.

Using static analysis to display privacy properties of apps

Maria Paz Velarde (2015-2016, Masters Thesis)

Supervisor: Kami Vaniea

This project uses static analysis to understand not only what permissions are being used but what an app does with the permissions. We conducted a short user study to identify what types of app permission behaviors worry end users. We found that users care about the contexts in which an app activates permissions. For example, permissions activated with a button press were less concerning than those activated in the background when the app hadn't even been opened. We then created a redesign of the Android permission interface that shows this type of information to the user.

Talking Buses: Transport Planning for Blind and Partially Sighted People

Craig Snowden (2015-2016, Undergraduate Thesis)

Supervisor: Kami Vaniea

Using public transportation is a necessity for some blind and partially sighted people, but with accessible information not widely available, accessing these public services can be demotivating. The goal of this project was to implement an iOS mobile application to access public transport information in an accessible manner.

A framework for an en masse network security evaluation and network flow analysis for the Internet of Things era

Nikolaos Tsirigotakis (2015-2016, Masters Thesis)

Supervisor: Kami Vaniea

Internet of Things (IoT) is characterized by rapid expansion on top of several different standards, protocols, and technologies, making security evaluation on a per-device scale prohibitively time consuming. This project focused on building a router-based platform to change all that by allowing the automation of security checks.

Find conflicting privacy policies on a webpage

Fangkai Wang (2015-2016, Masters Thesis)

Supervisor: Kami Vaniea

When a website loads content from a third party, some information, such as cookies and header data, is also sent to that third party. Both the first and third party websites have their own privacy policies and there is no guarantee that the policies agree with each other. In this thesis I built a privacy policy collector to find privacy policies from both first and third parties. I then use Natural Language Processing to measure similarity as well as measure how long it would take a human to read the policies.

2015

Learn Security

Mac Chong (2014-2015, Undergraduate Thesis)

Supervisor: Don Sannella

Android app for teaching about the following kinds of web security threats, from the OWASP top 10 list: session attacks, SQL injection, cross-site scripting, cross-site request forgery, and sensitive data exposure. It's designed for smartphones; it works on tablets as well but looks better on 7-inch tablets than on large tablets. It's completely self-contained, demonstrating attacks on a simulated bank website, and countermeasures, and requires no permissions to install - there is no danger to your security.