Zero Trust Security is currently one of the most rising network security concepts. The concept was originally proposed to solve the flaws of the still predominant Perimeter Security. Preventing network internal attacker’s lateral movement is one of the core goals of Zero Trust Security. This goal is supposed to achieved i.a. by strictly enforced authentication, authorization, and least privilege approaches. One of the core components to perform these tasks are Policy Enforcement Points (PEP) in combination with Policy Decision Points (PDP). Each request asking for permission to access an network internal resource must be authenticated at the PEP before it is forwarded to the actual resource. In addition, coarse-grained authorization decisions can be enforced here. The actual decision is forwarded to the PDP that uses statically or dynamically defined authentication as well as authorization policies. The PEP is informed about the decision and must enforce it. Examples for existing open-source PEP/PDP solutions are – Pritunl Zero (https://github.com/pritunl/pritunl-zero) – Pomerium (https://github.com/pomerium/pomerium) – ORY Oathkeeper (https://github.com/ory/oathkeeper) The goal of this thesis is to comprehensively evaluate existing PEP/PDP solutions against some predefined criteria as the security state or the performance of the solutions. For master students it is expected to also expand the most promising solution by features according to some predefined use cases.

In Peer-to-Peer Netzwerken interagieren alle beteiligten gleichberechtigt. Doch verschiedene Algorithmen erfordern das Guppen geformt werden. Um diese für Privatsphäre Schutzmaßnahmen zu verwenden, sollte ein geeignetes Protokoll zur Gruppenformung verwendet werden. Ein solches wurde am Institut für verteilte Systeme entwickelt. Ziel dieser Arbeit ist es eine Prototypimplementierung zu entwickeln und diese zu evaluieren. Hierfür müssen Netzwerkkomponenten entwickelt und geeignete Kommunikation zwischen diesen entwickelt werden. Hierzu gehören auch die Integration verschiedener kryptographischer Komponenten. Der genaue Umfang der Arbeit hängt von der gewählten Projektart ab. Empfohlene Programmiersprachen für die Arbeit sind Java, C++ oder Python. Geeignet für Studierende mit Erfahrung in Netzwerk und Softwareentwicklung. This project can also be completed in English. Please contact me for further details.

Das Internet der Dinge (IoT) bietet durch seine unvermeidliche physikalische Verteilung besondere Herausforderungen für die Entwicklung ausfallsicherer IoT Software. Während Software-Komponenten, etwa die Analyse von Sensordaten, auf verschiedene physikalische Komponenten verteilt werden können, unterliegen die Sensoren, Basisstationen und Gateways physikalischen Grenzen. Diese müssen durch Netzwerkkommunikation überbrückt werden und bergen somit weitere Ausfallrisiken. Ziel dieser Arbeit ist es, bestehende Arbeiten zu redundanten Netzwerken in IoT-Umgebungen zu analysieren und zusammenzufassen. Aufbauend auf diesen Erkenntnissen soll dann ein Konzept entwickelt werden, wie eine Beratung zu nötigen Redundanzen in eine Softwareentwicklungsumgebung für IoT Systeme eingebunden werden kann. Geeignet für Studierende mit Interesse an IoT, Ausfallsicherheit und Netzwerkkommunikation. This project can also be completed in English. Please contact me for further details.

Angular is a web framework for single-page application, i.e., most business logic resides in the browser not on the server. The server is contact by a REST interface, mainly used to get direct access to the application data. Shibboleth is an authentication technology used also by KIZ to authenticate and authorise web access. In this work, a simple demo application has to be developed together with a concept for authenticating users and authorisation of their application-logic and REST-based data accesses. Ideally the concept is some sort of library including guidelines, and is tested against the KIZ identity provider. This work includes some basic user management in the application to recognise already known users and attach preferences etc. to it. Challenges are user-authentication expiry during user sessions and version updates in the backend server during the life time of the single-page application.

Für Systeme im Internet der Dinge (IoT) ist es oft hilfreich, Daten und Berechnungen auf die Cloud auszulagern, da Teilnehmern des Systems geographisch verteilt sind oder viele Instanzen zentral administriert werden sollen. Beispiele können hierfür Zugangsberechtigungen für Nutzer von Parkhäusern oder Sensordaten verschiedener Messstationen sein. Diese Zentralisierung kann jedoch Nachteile haben, etwa lange Latenzen um einen Nutzer zu authentisieren, selbst wenn dieser häufig diesselbe Instanz verwendet. Um diesem Problem entgegen zu wirken, können Daten auf verschiedenen Ebenen zwischengespeichert werden, z.B. in einer Einfahrtsschranke oder einem Parkhausserver. Ziel dieser Arbeit ist es, bestehende Arbeiten im Bereich des verteilten Cachings in IoT-Systemen zu untersuchen und gegebenenfalls einen Prototyp für eine Entwicklungsumgebung für IoT-Sofware zu schaffen. Geeignet für Studierende mit Interesse an IoT und verteilter Softwarearchitektur. This project can also be completed in English. Please contact me for further details.

Security assessments of networked systems require knowledge about the utilized communication protocol. For proprietary protocols without known specification and with only limited access to the end-points, the only source of information is the communication itself. To correctly conclude from the captured byte stream to message-formats, -types, and finally a protocol model, structure, message- and field-boundaries, data-type, and semantics need to be inferred.After an initial inference procedure, it is desirable to refine the existing protocol model. Additional information gained by recorded network traffic needs to be incorporated by recognizing the appropriate parts of the model. The modeled knowledge is to be extended depending on the applicable information inferable from the new trace.

Machine learning offers great opportunities, but also comes with risks. Especially the privacy risks are becoming more prevalent in the discussions about machine learning. Recently, Google published a machine learning library called TensorFlow Privacy. Its goal is to make it easier for developers and researchers to build privacy-preserving machine learning models. Specifically, it utilizes Differential Privacy, which mathematically guarantees that the training data to create the models is protected from being extracted. The goal of this thesis or project is to become familiar with the TensorFlow Privacy library, to understand and be able to explain the techniques which are implemented in it, to be able to build privacy-preserved machine learning models, and possibly to implement own protection techniques that could enhance the TensorFlow Privacy library.

To build powerful machine learning models, lots of data is required. However, obtaining the data comes with privacy risks for the people or entities that provide their data. Recently, Google published TensorFlow Federated - an open source framework to allow machine learning on decentralized data. The approach of federated learning makes machine learning in the age of mobile devices and wearables both more efficient, as well as more privacy-friendly. The goal of this thesis or project is to become familiar with the TensorFlow Federated framework, to understand and be able to explain the techniques which are implemented in it, to be able to build machine learning models in a federated way, and possibly to implement own enhancements of the framework.

Security assessments of networked systems require knowledge about the utilized communication protocol. For proprietary protocols without known specification and with only limited access to the end-points, the only source of information is the communication itself. To correctly conclude from the captured byte stream to message-formats, -types, and finally a protocol model, structure, message- and field-boundaries, data-type, and semantics need to be inferred.After an initial inference procedure, it is desirable to refine the existing protocol model. Actively probing an entity for the validity of message syntaxes allows to targetedly enhance the knowledge about the protocol. To do this efficiently a smart method of automatically generating test-cases depending on the current protocol model needs to be developed.

Modern vehicles will use communication to increase the safety of its passengers, reduce fuel consumption, travel time, and more. The communication between the vehicles will be mainly beacon messages containing the speed, position, acceleration and other properties. These messages need to be validated, if they contain correct (plausible) information. For example, when a vehicle is suddenly stopping, but sending an increase in speed, the following vehicles may crash into the misbehaving vehicle. In literature, there is already existing work on detecting misbehavior in the data with different techniques such as subjective logic or machine learning. In this project, we will analyze the VeReMi data-set with the help of different machine learning algorithms. The number of algorithms compared is depending on the scope (credits). The student can choose the framework, e.g. PyTorch.

Neurofeedback provides the necessary means to visualize selected and controlled parameters of the brain activity. In healthcare domain, neurofeedback studies enable mitigation of many psychological disorders and illnesses, mainly by therapies that help patients to better self-regulate their brain activity. Electroencephalography (EEG) is the method of monitoring the electrical activity of the brain, thus providing the necessary feedback. In this thesis work, the student is required to survey the current state of frameworks, techniques, or methods that enable coupling of Mobile EEGs with Smartphones. Bluetooth 2.1 with Enhanced Data Rate (EDR) capability is one of the most effective mean of coupling EEGs with Smartphones. The student would therefore be required to work on the Bluetooth stack to acquire real-time data generated from the Mobile EEGs, parse the electrical signal, and visualize the signal semantically. For successful completion of the thesis, the student would be required to identify and address any one of the open challenges faced by the proposed topic. An example of this can be addressing the bandwidth challenges, battery consumption, or signal accuracy

Encryption is one of the most reliable techniques for protecting information. However, once data is encrypted, using it becomes very difficult. Goal of this thesis or project, is to explore how Machine Learning algorithms can be designed to be able to deal with encrypted data. Firstly, a survey of existing mechanisms should be conducted. In a second part, algorithms will be comparatively implemented, or own encryption mechanisms introduced.