Security/Automation/WinterOfSecurity2014
THIS IS A WORK IN PROGRESS AND NOT READY FOR PRIME TIME.
Winter Of Security 2014
The Winter of Security (MWOS) is Mozilla program to involve students with Security projects. Students who have to perform a semester project as part of their university curriculum can apply to one of the MWOS project. Projects are guided by a Mozilla Adviser, and a University Professor. Students are graded by their University, based on success criteria identified at the beginning of the project. Mozilla Advisers allocate up to 2 hours each week to their students, typically on video-conference, to discuss progress and roadblocks.
Projects are focused on building security tools, and students are expected to write code.
Selection process
Projects are assigned to groups of students. Groups are defined by the universities, and can be of any size between 1 and 4 students. The selection process is open to all students in undergraduate/license and graduate/master programs. A group applies to up to 3 projects by submitting an application that contains:
- the names of the projects the team is applying to
- team introduction and motivation (max 1000 characters)
- presentation of the university program (max 500 characters)
- short description of each team member (skills, interest, ...) (max 500 character for each team member)
- links to relevant resources (university website, resumes, ...)
Student projects
Web Security
ScanJS: Contribute to a JavaScript source code analyzer
- Mozilla Advisor: Frederik Braun
- difficulty: high
- language: english
ScanJS is a JavaScript source code analyzer written in JavaScript. It helps reviewing and testing open web apps for security vulnerabilities. I can mentor you contributing to our existing codebase by taking some known issues and help us improve the tool's capabilities. You check out ScanJS on our demo page by uploading a JS file (or a ZIP file containing multiple of those).
Forensic
Cross-platform memory scanning in Go
- Mozilla Advisor: Julien Vehent
- difficulty: high
- language: english or french
The Mozilla InvestiGator (MIG) project needs a way to inspect the content of the memory of a system, and detect threats. The typical approach in memory forensic is to dump the memory of a system, and perform analysis on another system, using tools like Volatility. We are looking for an approach that is less invasive, where an agent running on a target system can inspect its own memory without disrupting operations. Existing libraries, such as Volatility, are hard to ship to remote systems because of their size and dependencies. The goal of this project is to design and code a lean, cross-platform, memory inspection library in the Go language that can be integrated into MIG. This project is an opportunity for a group of students to take a close look at memory forensic across all operating systems.
Network Security
Active measurement of firewalls configuration compliance
- Mozilla Advisor: TBD
- difficulty: medium
- language: english
Building firewall rules is a difficulty exercise, but keeping these rules strict over several years is an even harder challenge. Products exist, such as Tufin, to facilitate the operations of firewalls at scale. In this project, we are looking for a way to actively measure compliance, by injecting traffic inside the network and parsing the results. Unlike classic port scanning, such as NMAP, which typically consist of scanning from outside-in, the idea here would be to scan from multiple network locations in parallel, and aggregate the results. One VLAN could be scanning another, without crossing datacenter boundaries. The goal is to build the scanning logic, but also the compliance validation aspect, which consist of defining in technical terms what compliance means, and checking for compliance against scan results.
Cross-platform firewall driver in Go
- Mozilla Advisor: Julien Vehent
- difficulty: medium
- language: english or french
The Mozilla InvestiGator (MIG) is designing to detect and respond to threats. One way of responding to an attack is to create firewall rules on the local host to block an IP, or a particular connection. The goal of this project is to create a library in the Go language that can create and delete firewall rules on Windows, MacOS and Linux (iptables and ntables). The library should also be able to retrieve a ruleset from a host in a standardized format (JSON). This project is an opportunity for a group of students to take a close look at firewall management on the major operating systems.
System Security
Cryptography
Compliance checking of TLS configuration
- Mozilla Advisor: Julien Vehent
- difficulty: easy
- language: english or french
Mozilla maintains guidelines for server side configurations of SSL/TLS. The goal of this project is to build a tool that verifies compliance of a configuration with our guidelines, and help the administrators improve their security. It is very similar in philosophy to project like SSL Labs, but with a stronger emphasis on explaining how to reach a better security level, and educating the administrators.
Risk Management
A playful way of teaching risk management to individuals
- Mozilla Advisor: TBD
- difficulty: medium
- language: english
Risk management methodologies are numerous, but often regarded by individuals outside of the security community as dull and boring. The goal of this project is to design a way to teach the Mozilla Risk Management program to individuals at Mozilla. This could take the form of a strategy game, or anything that the students think is appropriate. This project has a strong component of creativity, but must also take into account some of the particularities of Mozilla: people are technically minded, work remotely often on video, and care a lot about security and privacy. A successful training program should teach the individual the entire lifecycle of data at Mozilla.
An online threat modelling tool
- Mozilla Advisor: TBD
- difficulty: medium
- language: english
Threat modelling is an important part of designing an application, and a threat model diagram is a very useful way to document the threats that apply to your application. Unfortunately there are a very limited number of thread modelling tools available, and most of those are restricted to specific platforms. This project is to create an online HTML5 application which will allow the user to easily create threat model diagrams online. It should be very easy to use, and allow the diagrams to be exported in the most common image formats. The graphical elements of the Microsoft Threat Modeling tool are a good example of the type of functionality required.