If you like programming and/or have a strong interest in privacy: at iLab, which is part of iHub, Bart Jacobs and his colleagues work on designing and building innovative privacy-friendly solutions for e.g. authentication, email encryption, sharing medical data, and social media.
There are often possibilities here for research internships or thesis projects. Contact Bart Jacobs or any of the iLab people listed on https://ihub.ru.nl/people.page.
At SURF there is a possibility for a research internship to look into threat prevention and monitoring for eduVPN.
eduVPN is an open-source VPN solution tailored for education and research institutes. Around the globe roughly 130+ universities are using eduVPN as the VPN solution to provide secure access to important IT services. The eduVPN software is continuously being improved and we're looking for a technically skilled student who can help us take the next step.
Your task is to identify, describe and propose solutions for common VPN software/server attack scenarios. Various ways to make life difficult for attackers have already been implemented, but we want to identify additional possibilities to improve on this.
Possible solutions may include outright prevention of identified attack scenarios or, where prevention is not possible, effective logging and alerting.
As an example scenario: a user connects to the VPN server from Western Europe, and 10 minutes later from South East Asia.
Contact Erik Poll to get in touch with Rogier Spoor at SURF.
When security incidents happen, it is important to analyse them to identify root causes and improvements in security controls. The goal of this project is to investigate methods and notations to perform such an analysis in a systematic way for a typical corporate IT network. As a case study, an actual (near-)incident from 2023 of a compromised router on a university campus network can be used.
Existing risk management methodologies that can be used as a starting point include BowTie and Tripod (Lite). Some of these are from the safety domain and might need to be adapted to typical IT risks and countermeasures.
Contact Pol van Aubel or Erik Poll (Date added: April 2024).
LoRaWAN is a long-range wide area network protocol for low-powered devices. KPN has a country-wide LoRaWAN network and there is also an open initiative, TheThingsNetwork.org. The goal of this project would be to set up an open source implementation of LoRaWAN for GNU Radio software-defined radio (e.g. the gr-lora_sdr project on GitHub) and use that to fuzz network traffic to see how robust LoRaWAN devices are against malformed traffic.
Contact Erik Poll or Mathijs Schuts in the Software Science section for more info.
(Date added: February 2024).
At Computest there are possibilities for a research internship and master thesis on security/vulnerability research. To get an impression of the kind of work they do, check out their corporate blog, for instance about their efforts in the Pwn2Own competition.
Example topics include:
Computest is based in Zoetermeer, but working partly remotely is an option. Contact Erik Poll to get in contact with Daan Keuper at Computest.
(Date added: May 2023)
OMRON (omron.eu) is an international company that makes industrial automation solutions. As cybersecurity is a growing concern in industrial applications, there are several security-related possibilities for research internships at OMRON in Den Bosch. For students doing software science, there may also be some (embedded) software-focussed possibilities.
Contact Erik Poll to get in touch with Amanda Ruiz Dominguez at Omron.
(Date added: March 2023)
At Bosch Security Systems in Breda there is a possibility for a research internship to look at possibilities to integrate fuzzing into their software development processes. At Bosch Security Systems they make, among other things, public address systems which involve embedded Linux components and high-quality audio solutions.
Contact Erik Poll to get in touch with Stephan van Tienen at Bosch.
(date added 7 October 2022)
With electricity grid operator Alliander there are possibilities for research internships or master theses to investigate future scenarios for handling security. This could be looking into ways to operate SOCs and SIEMs: on-premises vs cloud vs hybrid, in-house vs (partly) outsourced, for regular IT vs for the OT (Operational Technology) they operate. Or looking at requirements and solutions for NDR (Network Detection & Response) or SOAR (security orchestration, automation and response).
The location could be Arnhem or Haarlem.
Contact Erik Poll to get into contact with Barry Pouwels.
(date added: 27 September 2022)
At Philips Medical Systems and at Verum there are possibilities for projects on secure protocol implementations. This can involve a range of techniques: fuzzing, model-based security testing, formal interface specifications, and code-generation.
Verum is a company in Eindhoven that makes tools for code generation and analysis, notably Dezyne. Philips Medical Systems has been using that tool, but also collaborates with TNO on other tools for more rigorous software development and testing, e.g. ComMA.
Contact Erik Poll, or Mathijs Schuts in the Software Science group.
Contact: David Rupprecht, david.rupprecht@rub.de
(Date added: March 2022)
Kropman is a company that develops and maintains technical installations at factories and large buildings, as well as building automation systems for access control, lighting, heating, etc. They are headquartered in Nijmegen. They are looking for an intern to look into the security of their IT infrastructure, specifically the use of OpenVPN for their remote service center.
Contact Erik Poll to get in touch with Joep van der Velden at Kropman.
(Date added: Feb 2022)
ElaadNL is an expertise center set up by the Dutch electricity grid operators for the charging infrastructure for electric cars that is being rolled out across the country. At ElaadNL there is an opportunity for a research internship to investigate the state of affairs w.r.t. security certification (specifically ISO 27K) of companies involved in the charging infrastructure and their suppliers.
Contact Pol van Aubel or Erik Poll to get in touch with Harm van den Brink at Elaad.
(Date added: Feb 2022)
Accelerate PQC development. Areas include hardware or software implementations of lattice based schemes or finding (countermeasures against) side-channel attacks on these implementations.
Improvements to LMDPL.
Pre-silicon side-channel verification, as part of the cooperation with Radboud. The main work will be to demonstrate the usability of the developed tools in a corporate environment, e.g. integration with existing tool flow.
Light-weight crypto. Once NIST has selected an algorithm, make an implementation of it and demonstrate the advantages over AES.
Contact Ileana Buhan.
(September 2021)
SURF regularly sees DNS water torture attacks on their authoritative name servers. These are DDoS attacks where an attacker generates DNS queries with non-existent subdomains to attack an authoritative DNS server. As these subdomains do not exist, the server will eventually have to respond with an NXDOMAIN. With enough DNS queries an attacker can exhaust the capacity of an authoritative server. For example, when attacking "example.com" a DNS water torture query can look like "test125.example.com". The problem that we want to solve is: how do we quickly recognize these queries and filter them out?
Considered solutions: A Naive Bayes model for every domain based on some minimal threshold could probably be used. Or maybe the regular number of DNS queries can be monitored.
Contact Erik Poll to get in touch with Rogier Spoor at SURF.
(Date added: March 2024).
There are possibilities for two research internship projects at SURF to work on combining SURF Filesender with Remote Document Encryption (RDE). SURF, based in Utrecht, is in charge of some of the IT infrastructure of Dutch universities, incl. eduroam and eduVPN.
Remote Document Encryption (RDE), invented by Eric Verheul in 2017, is a trick to use the cryptographic functionality of the chip in an e-passport to send someone an encrypted file that they can only decrypt using their passport. The technique works for all EU passports, for Dutch ID cards and for driving licenses. Contact Eric Verheul.
(June 2021).
At SURFnet in Utrecht there are typically some possibilities for doing a research internship or Master thesis: see SURFnet's project page.
For a research internship: define a model to evaluate the security of various solutions for "data vaults" for personal data, such as Digi.me, Ockto.nl, UwKluis, etc. A rigorous comparison also requires coming up with a well-defined attacker model as a basis for the evaluation. Contact: Bart Jacobs.
SIDN, the foundation in charge of the .nl domain, are based in Arnhem. They have a research lab there, called SIDN labs, that works on the security and stability of the internet and new developments for the future internet. The blog of SIDN labs gives a good indication of possible topics.
Irdeto in Hoofddorp has MSc projects in the areas of Penetration testing, Media security, Automotive security, Cloud Security, Reverse Engineering, and Cyber Forensic Investigations. The project would suit students with knowledge of network and security protocols and some familiarity with pentesting or digital forensics, and scripting languages like Python. Contact: Amanda Kop
Detecting security vulnerabilities in C code using machine learning; this could be a project at the company Riscure. More info on Harald Vranken's MSc project page. Harald Vranken works at the OU but is in Nijmegen on Fridays.
Project at the Dutch Road Transport Agency (RDW). More info on Harald Vranken's MSc project page.
Bitcoin relies on vast amounts of distributed computing power to ensure the integrity of the blockchain that records the history of bitcoin transactions, and hence consumes a huge amount of energy (see e.g. this article by Harald Vranken). Researchers have estimated that bitcoin mining consumes about 1% of the worldwide electricity production.
An interesting question is what the carbon footprint of bitcoin mining is, or phrased differently, what the impact of bitcoin mining is on the environment. Some bitcoin miners obtain their electricity from coal-fueled power plants, while others rely on more sustainable, renewable energy sources such as solar, wind, hydro, or geothermal energy. It is however not clear at the moment what mix of energy sources is used in bitcoin mining. The goal of the research project is to estimate this energy mix.
For more info, contact Harald Vranken who also works at the OU but is in Nijmegen on Fridays.
Also for Information Science students: at RDW (the Road Transport Agency of the Dutch government) there is the option to investigate the energy use of the computation and communication needs of connected and/or automated vehicles. For more info, contact Harald Vranken who also works at the OU but is in Nijmegen on Fridays.
Fox-IT, who make the open source OpenVPN-NL implementation for the Dutch government's national communications security agency NBV (aka NL-NCSA).
The project could be done externally at SURFnet in Utrecht. Ideally, the results would contribute to an RFC for OpenVPN, that the parties above are working on.
A more practical direction, more for a research internship, would be looking at possibilities to generate some code from specs (e.g. for a more modern alternative to C/C++, such as Go or Rust) or try out/extend new tools such as Hammer parser combinators and Nail to see how conveniently a parser can be built with them. Another direction would be to look into formal verification of (aspects of) a specification and/or implementation.
Contact Jan Tretmans or Erik Poll.
Software house InfoSupport has several options; see also here or here.
At TNO there are possibilities to do a research internship or master thesis on fuzzing or more broadly on vulnerability research and software security testing. This could take place at TNO Eindhoven, Den Haag or Groningen. Contact Erik Poll or Stefan van den Berg at TNO <FIRSTNAME.vandenLASTNAME@tno.nl> for more information.
There are possibilities at TNO on other topics too: see https://www.tno.nl/en/careers/vacancies
For Information and Computer Science: NEDAP in Groenlo has several opportunities for thesis projects: More in
Compumatica in Uden develops high-end network security solutions. One topic for an MSc thesis would be exploring the possibilities of a Cavium OCTEON network accelerator, esp. how the multi-core capabilities of this network accelerator can be used in order to maximize the degree of parallelism that can be used when processing packets, incl. ensuring encryption and integrity checks, e.g. using IPsec. This requires C/C++ programming skills. Another topic would be comparing different open source Mandatory Access Control (MAC) solutions (e.g. SELinux, grsecurity, AppArmor, TOMOYO and Smack) in the context of an embedded firewall, also w.r.t. the performance impact in a heterogeneous system that includes a hardware accelerator and other components such as smartcards. Contact Peter Schwabe to get in touch with the folks at Compumatica.
If you want to do your Master thesis at one of the Max Planck institutes in Germany, e.g. the Security & Privacy group in Saarbrücken: there are Radboud Max Planck Internships for this. Talk to Peter Schwabe for more info.
The start-up OpenHealthCare in collaboration with the software house First8 in Nijmegen is developing a tablet/smartphone app for patients to interact in medical studies. There are possibilities for a Master thesis looking into security and privacy issues of the use case and its realisation. Contact Marko van Eekelen (or Martijn Verhoeven of First8 via Marko).
If you're into crypto-protocols using ElGamal and the implementation of them on smartcards: with Morpho (formerly de Staatsdrukkerij SDU, the company that for instance produces the Dutch passports), there are opportunities to look into ways to realise authentication schemes using pseudonymisation. This also involves looking into the details of the German eID and the FIDO standard. Contact Eric Verheul.
There are possibilities for projects at ENCS in The Hague, typically around security of the (smart) electrical grid. Topics include: 'Traffic classification for Industrial Control Systems (ICSs)' to identify ICS traffic and do intrusion detection; security assessment by pen testing (e.g. of smart meters) or by fuzzing (e.g. of smart meter protocols such as DLMS/IEC62056); applied crypto incl. protocol design (e.g. for smart electric vehicle charging), crypto implementation (e.g. implementation of cryptographic algorithms on embedded controllers used in the energy distribution) and side-channel analysis (e.g. side-channel anomaly detection in embedded devices); protocol analysis (e.g. for DLMS/IEC62056 or MBus gas meters).
CCV in Arnhem is a large supplier of payment terminals and also provides associated services for the processing of financial transactions. With CCV there are possibilities for projects in the field of payment solutions, e.g. security and testing, not just at the front end (e.g. interaction between smartcards and terminals) but also back end (e.g. the online payment transaction processing, DoS issues, etc.). Contact Erik Poll.
For options for research internships and MSc thesis projects with Dutch government organisations, explore the following two links: https://www.ubrijk.nl/i-partnerschap/ https://www.werkenvoornederland.nl/starters/stages Note: most of this info is in Dutch.