
Please fill in your name, email address, and general idea you'd like to explore for your final project.

Michael McCanna <acrefoot@mit.edu>, Duncan Townsend <duncant@mit.edu>: Implementing a deniable steganographic filesystem (possibly in a FUSE module). The medium for the steganography is MP3 files, or possibly certain video files (for larger filesystems).

Ben Bitdiddle <benbit@mit.edu>: Helping Android users track what permissions each application exercises over time.

Paul Medlock-Walton <paulmw@mit.edu>: Add security to communications between mobile phones and the server when playing a geo-location multiplayer game using TaleBlazer http://education.mit.edu/projects/taleblazer (Need 1 more person, server and mobile code both in JavaScript)

Ilia Lebedev <ilebedev@mit.edu>: I would like to implement dynamic permissions in Android: in addition to asking the user to approve permissions during installation, high-risk permissions must be prompted when the application generates an intent. The user can choose to deny or approve the intent, and to optionally remember his decision for the current session, for the current version of the app, or forever. This approach to access control may or may not require that the intent be handled in a safe way, even if denied, if the application blocks and waits for a response. If time permits, I would also like to explore fine-grained network access policies in Android. I believe it may be possible to construct a demo in Google's emulator, or even on a dev phone.

Emily Stark <estark@mit.edu>, Meelap Shah <meelap@mit.edu>: We plan to build a tool to convert existing web apps into a form that provides data confidentiality guarantees to clients. Our tool will take as input server side code and partition it into two pieces; one piece will remain on the server and the other will be pushed to the client. Data fields containing sensitive client data will be encrypted on the client so that nothing is revealed to the server. The code will be partitioned so that the piece that remains on the server can operate on ciphertext. This will maintain the application's functionality while providing the confidentiality guarantees we desire.

Isaac Gutekunst <igutek@mit.ed>, Jelle van den Hooff <jelle@mit.edu>: We would like to create an application framework that performs tainting of all data, and allows controlled inter-application communication. The framework may allow the concept of a secure clipboard that allows pasting between certain privileged applications. For example, copying from a list of quiz solutions and pasting into a new quiz would be allowed, but copying answers into a quiz would not.

Ryan Lopopolo <lopopolo@mit.edu>, Edgar Salazar <esalazar@mit.edu>: We would like to allow users to revoke a subset of dangerous Android permissions on a per-app basis. We will wrap applications in their own sandboxes and interpose on their intents, possibly redirecting them to dummy services.

Josh Hodosh <jo21979@mit.edu>: I'm thinking of adding a SystemService to Android that can handle OAuth and OATH authentication. These are important functions that shouldn't be left to application developers to reimplement. (e.g. "foursquared"....)

Adin Schmahmann <adin@mit.edu>: I'd like to work on creating a GUI for defining dependencies to help with specifying security considerations. However, if anyone would be interested in creating a version of UserFS, but using capabilities, or finding a way to properly sandbox a web browser binary, let me know.

Katherine Fang <katfang@mit.edu>, Yuzhi Zheng <yuzhi@mit.edu>, Deb Hanus <dhanus@mit.edu>: Examining the security of Google's Chromebook laptops.
