CSC 580: Cryptography and Security in Computing

A printable PDF is available.

CS-Specific Research Projects

Students in CSC 580 will work in teams of 3-4 students to complete a semester-long project. As an option for the Spring 2018 semester, we are doing a trial of collaborative projects between CSC 580 (Cryptography and Security in Computing) and ISM 324 (Secure Networked Systems), with a topic related to cloud storage security. Background on cloud storage and information about collaborative projects are provided in a separate handout. Students in CSC 580 who do not opt for a collaborative project can complete a pure technical project in teams of 3-4 CSC 580 students. These teams are also strongly encouraged to focus their project on a topic in security of cloud storage, but can pick another topic of similar depth with the permission of the instructor. Project depth should be appropriate for the student level (advanced undergraduate or master's student): while projects must follow the style and structure of real computer science research, there is no expectation that research "make a contribution to the field" as a real research project would.

Technical project reports are expected to follow the standards of computer science and computer security research, both in terms of focus and structure, and must be formatted to computer science publication standards (standard IEEE conference paper formatting templates will be provided for both Word and LaTeX, providing regular two column single-spaced papers). The length should be 12-15 pages in this format. One CSC 580 class day will be devoted to discussing computer science research practices and standards, and students will explore aspects of this in a homework assignment early in the semester.

Technical Project Topic Suggestions

The following are project topic suggestions for technical projects.

Technical Project Idea 1: Robust efficiency evaluation
For a project of this type, the team should design a test suite and efficiency evaluation mechanism to thoroughly evaluate Nextcloud and at least one other cloud storage service. Test cases should include variations on the number of files (up to approximately 10,000 files) and file size, and comparisons of unencrypted and encrypted storage (as allowed by the systems under evaluation). Efficiency should include measures of CPU and network usage. Ideally, this project should result in a model that can predict the processor and network bandwidth requirements based on environment parameters.

Technical Project Idea 2: Comparison of Nextcloud with composed end-to-end solutions
For this project, Nextcloud security and efficiency will be compared to solutions that use both an unencrypted cloud storage solution (e.g., Dropbox, Box, or Google Drive) and an encrypted filesystem to gain similar security benefits. For example, in Linux a user might stack an encrypted filesystems such as EncFS or eCryptfs on top of a cloud sync'ed directory. In addition to security and efficiency evaluations, you should also address issues of portability and use across different desktop OSes and mobile devices.

Technical Project Idea 3: Proposing and testing extensions to Nextcloud e2e encryption
The early release of Nextcloud end-to-end encryption has some two significant issues. First, nested directories (directories inside directories) are not possible in the Android client, and it's not clear how they are handled in the Linux desktop client. Second, copying or moving a file from an unencrypted folder to an encrypted folder within a single Nextcloud repository does not encrypt the file in the supposedly-encrypted folder (technically this is because the client only issues WebDAV copy/move commands to the server, which makes an identical copy). A project team can propose, implement, and evaluate a trial solution to either of these problems.

Technical Project Idea 4: Providing assurance to the end user
A big benefit of end-to-end encryption is that the end user does not need to trust the cloud storage provider. However, the end-user must trust the client software provider, including any update mechanism provided with the software. How does the user know that there is not just an illusion of security, while the client software actually provides a backdoor for dishonest parties to gain access to the data? A backdoor can be inserted either in the original software installation or surreptitiously installed through a software update. Unlike the other topic ideas, it is not clear how this problem can be solved, but a project team can come up with one or two ideas and do a careful evaluation of how they would work. A couple of ideas to consider are third-party software certification (and signing), or some type of self-certifying or proof-carrying code (most likely for a small part of the overall code). This is a highly-speculative topic, and will require more ingenuity and creativity to solve than the other topics.

Timeline and Deliverables

Tuesday, January 16: Joint meeting of CSC 580 and ISM 324 to discuss collaborative project possibilities (location to be announced).

Tuesday, February 6: Project Proposal
Students submit a document describing the project that their team will undertake. Students must provide a brief outline of the approach they plan to take, at a sufficient level to specify which aspects take an experimental approach and which are more analysis/design focused.

Tuesday, February 20: Project Plan
The project plan fills in details that were outlined in the project proposal, providing specifics on approaches that will be taken. Students must identify at least three relevant references from the published research literature, and for each one provide a full citation along with a brief description of the paper's results and how the paper relates to the project. The project plan should also include a schedule of self-identified project milestones, where each milestone is a specific and clear deliverable.

Tuesday, April 3: Progress Report
The progress report should be a brief summary of progress, and an early draft of the project report. The project should be far enough along by this point where the report should include the full introduction and prior work sections (some statements in the introduction that describe final results can be incomplete or placeholder statements, to be finished after all results have been obtained). The results section(s) should be included, but can be outlines with placeholder notes (e.g., "table of timing experiment results will go here").

Tuesday, April 17: Final Project Report
As described above, students will complete and submit a full research-style paper, using a standard research paper template. All components of a standard research paper should be present (introduction, prior work summary, results, discussion, and conclusion/open problems), and the paper should be 12-15 pages. The paper should include a 1-2 paragraph abstract, as described in the template.

Sample Grading Rubric

Research Design (40%): Interesting and substantial research questions were formulated, and an appropriate research approach designed to address the research questions. The research procedure is documented so that it is clear, reproducible, and gives results that can be trusted as answers to the research questions.

Results presentation and discussion (30%): Results presented in a clear and understandable form, using tables, charts, and graphs as appropriate. Prior work section and results discussion clearly represent the results, how they support research findings, and how they fit into the existing body of knowledge. Conclusion and open problems are stated that clearly describe what results are closed and suggests directions for future directions and extensions of the work.

Paper Organization and Clarity/ Presentation (15%): The paper includes all standard research paper components (introduction, prior work summary, results, discussion, and conclusion with open problems), with an abstract that summarizes the most important parts and results of the paper. The paper uses headings and the information flows well from one section to the next. The writing is clear and correct.

Milestones Completed On-time (15%): All of the milestones were completed by the specified dates and were thorough.