--------------------[[ Finding differences in stacks and parsers ]]------------

NIDS evasion, as described in http://www.cs.dartmouth.edu/~sergey/netreads/evading-nids.txt, relies on differences between how TCP/IP stacks and their IDS counterparts implement reassembly of packets into streams. These differences are a special case of a broader phenomenon: disagreement between parsers on the meaning of the bytes they are parsing.

---------------------[ TCP in IPv4 vs TCP in IPv6 ]--------------------------

Linux implements TCP for IPv4 and IPv6 in two different sets of source files: net/ipv4/tcp.c and net/ipv6/tcp_ipv6.c in the Linux source tree, plus related files in the respective directories. (You can find these files cross-referenced for easy reading at
  http://lxr.free-electrons.com/source/net/ipv4/tcp.c
  http://lxr.free-electrons.com/source/net/ipv6/tcp_ipv6.c )

These implementations are close but not identical. There may be TCP packet sequences that get reassembled differently when sent over IPv4 vs IPv6.

Research question: Find examples of such packet sequences. You will need to analyze the source code closely.

---------------------[ X.509 Parser Differentials ]--------------------------

There is a similar weakness pattern in X.509, the SSL/TLS certificate standard, which is critical to HTTPS security on the Internet:
  http://www.ioactive.com/pdfs/PKILayerCake.pdf (detailed walkthrough)
  https://www.cosic.esat.kuleuven.be/publications/article-1432.pdf (academic version)

(If you don't know how SSL/TLS works, the first two answers at this link give a good summary:
  http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work
Of course, there are many others, including YouTube videos, etc.)

Research question: Assess the state of parser differentials in modern open-source X.509 parsing libraries. Compare free SSL/TLS implementations in OpenSSL, Apache, GnuTLS, etc. (see https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations) and construct certificates that these implementations parse differently. You will need to read and understand the implementations' code to construct these examples. Have the "PKI Layer Cake" issues been fully fixed?

High Pass if you find any issues similar to those in the "PKI Layer Cake" in the latest versions. Such results will also likely be publishable.

------------------------------[[Privacy leaks]]------------------------------

Implementation differences in TCP/IP and other protocols between systems and their most popular applications have long been used for fingerprinting systems, both actively (via crafted packets) and passively (by sniffing their connections).

-------------------------[ Active fingerprinting ]-------------------------

Active fingerprinting is quite old. It has been incorporated into Nmap, the standard scanning tool: http://nmap.org/book/osdetect.html . Other projects like SinFP tried to minimize the amount of traffic needed to determine the OS:
  http://taosecurity.blogspot.com/2006/05/host-fingerprinting-with-sinfp-picture.html
and others limited scanning to just a single protocol:
  http://redeslinux.com/manuales_english/seguridad/ICMP_Scanning_v3.0.pdf

Use these tools to fingerprint your systems. Can you fingerprint your smartphone with a minimal number of packets?

Research question: Most modern smartphones come with IPv6. Can you use the ICMPv6 protocol (or any other Layer 2, 3, or 4 protocol) to fingerprint them? For instance, can you distinguish between Android and iOS? What are the signatures that tell them apart? Can you distinguish between different versions of Android and different versions of iOS? For an in-depth take on IPv6, refer to https://sites.google.com/site/yartikhiy/home/ipv6book

We did some work on this in the past:
  https://www.usenix.org/legacy/event/lisa11/tech/full_papers/Williamson.pdf
  http://dxoig.mn/papers/wisec08-bratus.pdf (for Wi-Fi networks; see below for 802.11 link layer details)

-------------------------[ Passive fingerprinting ]-------------------------

p0f is a classic passive fingerprinting tool. It has gone through several versions; the latest is http://lcamtuf.coredump.cx/p0f3/ . See also the summary of its development in http://resources.infosecinstitute.com/passive-fingerprinting-os/

Richer link layers such as 802.11 (Wi-Fi) provide more opportunities for passive fingerprinting:
  https://share.sandia.gov/news/resources/releases/2006/images/wireless-fingerprinting.pdf
and even using values in a single field:
  http://uninformed.org/index.cgi?v=5&a=1 (hacker version)
  http://cisr.nps.edu/downloads/theses/06thesis_ellch.pdf (academic version)

(My favorite book on the 802.11 link layer is http://www.amazon.com/802-11-WLAN-Hands-On-Analysis-Troubleshooting/dp/1425907350 I strongly recommend it -- and, sadly, there seem to be no electronic versions of it. Summaries like
  https://technet.microsoft.com/en-us/library/cc757419%28v=ws.10%29.aspx
  http://seat.massey.ac.nz/159334/Lectures/Week2_3_1s.pdf
and http://www3.nd.edu/~mhaenggi/NET/wireless/802.11b/Data%20Link%20Layer.htm may help.)

Research question: Explore whether these methods still work for modern systems such as smartphones and laptops. Wireshark on Linux and MacOS should be capable of monitor-mode link-layer frame capture; you need this "monitor mode", a.k.a. "RF mode", because it is the only mode that passes true 802.11 frames from the air to the packet analyzer. Some info for older Macs can be found at https://supportforums.cisco.com/document/75221/wireless-sniffing-using-mac-os-x-106-and-above

Research question: Find new ways of fingerprinting systems actively or passively (by sniffing their connections). Of particular interest are mobile phones and/or IPv6 stacks.

Fingerprinting has had practical applications for wireless intrusion detection systems (WIDS): http://www.willhackforsushi.com/presentations/Wireless_Device_Fingerprinting.pdf
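Worked example for the opening section on stack/IDS reassembly differences (added here; not from this page or the linked NIDS-evasion text): two simplified reassembly policies applied to the same overlapping TCP segments produce different streams, which is why an IDS that does not mirror the monitored host's policy sees a different request than the host does, and why overlapping segments carrying inconsistent data are a policy-independent signal worth alerting on. Segment contents are constructed; neither policy models a specific operating system.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # sequence number of the first byte (relative to ISN 0)
    data: bytes

def reassemble(segments, policy):
    """Rebuild the byte stream from segments given in arrival order.
    policy="first": the byte that arrived first is kept on overlap.
    policy="last":  a later-arriving byte overwrites an earlier one.
    Both are deliberately simplified; neither models a specific OS."""
    stream = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    out, off = bytearray(), 0
    while off in stream:            # stop at the first hole in sequence space
        out.append(stream[off])
        off += 1
    return bytes(out)

def inconsistent_overlaps(segments):
    """Offsets at which two segments carry *different* bytes for the same position.
    Genuine retransmissions repeat identical data, so a non-empty result is a
    signal an IDS can alert on regardless of which policy the host uses."""
    seen, bad = {}, set()
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in seen and seen[off] != b:
                bad.add(off)
            seen.setdefault(off, b)
    return sorted(bad)

# Constructed segments: the second overlaps bytes 5..14 of the first with different data.
SEGMENTS = [
    Segment(0, b"GET /index.html"),
    Segment(5, b"admin.html"),
    Segment(15, b" HTTP/1.0\r\n"),
]
```

Under the "first" policy the stream reads `/index.html`, under "last" it reads `/admin.html`; `inconsistent_overlaps` flags offsets 5 through 9 in both cases.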
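Worked example for the X.509 parser-differential section (added here; not from this page or the PKI Layer Cake paper): a minimal ASN.1 TLV reader with a strict DER mode and a BER-tolerant lenient mode, run over the same constructed bytes. It shows two ways consumers of one certificate can disagree: whether a non-minimal length encoding is accepted at all, and what name a NUL-terminated-string consumer sees versus one that honours the encoded length. The byte strings are constructed fragments, not real certificates.

```python
class DerError(ValueError):
    pass

def read_tlv(buf, pos=0, strict=True):
    """Return (tag, value, next_pos) for the ASN.1 TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                         # short form: one length byte
        length, hdr = first, 2
    else:                                    # long form: 0x80|n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise DerError("indefinite or oversized length")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
        # DER demands the shortest encoding; a BER-tolerant parser does not check
        if strict and (length < 0x80 or length < 1 << (8 * (n - 1))):
            raise DerError("non-minimal length encoding")
    start = pos + hdr
    if start + length > len(buf):
        raise DerError("length runs past end of buffer")
    return tag, buf[start:start + length], start + length

def parse_cn(fragment, strict=True):
    """Pull the string out of a constructed SEQUENCE { PrintableString }."""
    tag, body, _ = read_tlv(fragment, 0, strict)
    if tag != 0x30:
        raise DerError("expected SEQUENCE")
    tag, value, _ = read_tlv(body, 0, strict)
    if tag != 0x13:
        raise DerError("expected PrintableString")
    return value

def as_c_string(value):
    """What a consumer that copies the value into a NUL-terminated C string sees."""
    return value.split(b"\x00", 1)[0]

def differential(fragment):
    """Run strict and lenient parsers over the same bytes and report both outcomes."""
    out = {}
    for mode in ("strict", "lenient"):
        try:
            out[mode] = parse_cn(fragment, strict=(mode == "strict"))
        except DerError as e:
            out[mode] = "rejected: " + str(e)
    return out

# Constructed fragments (not real certificate bytes).
# Same name, but the inner length uses long form: legal BER, illegal DER.
CN_MINIMAL   = bytes([0x30, 0x09, 0x13, 0x07]) + b"example"
CN_LONG_FORM = bytes([0x30, 0x0A, 0x13, 0x81, 0x07]) + b"example"
# The encoded length covers an embedded NUL; a C-string consumer stops early.
CN_WITH_NUL  = bytes([0x30, 0x0F, 0x13, 0x0D]) + b"a.test\x00b.test"
```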
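Worked example for the passive fingerprinting section (added here; not from this page or from p0f): the feature extraction behind a p0f-style SYN signature, using a simplified signature format of our own (initial TTL : DF : window : option order) rather than p0f's. The two SYN packets are constructed in `build_syn` and carry no real OS labels; in practice such signatures are learned from known hosts and used, as the page notes for WIDS, to spot a device whose stack does not match what it claims to be.

```python
import struct

def parse_syn(pkt):
    """Extract passive-fingerprint features from a raw IPv4+TCP SYN (no link-layer header)."""
    ihl = (pkt[0] & 0x0F) * 4
    ttl, df = pkt[8], bool(pkt[6] & 0x40)
    tcp = pkt[ihl:]
    end = (tcp[12] >> 4) * 4               # data offset marks the end of the options
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, mss, wscale, i = [], None, None, 20
    while i < end:                         # walk the TCP options, preserving their order
        kind = tcp[i]
        if kind == 0:                      # EOL
            opts.append("eol"); break
        if kind == 1:                      # NOP has no length byte
            opts.append("nop"); i += 1; continue
        length = tcp[i + 1]
        if length < 2 or i + length > end:
            raise ValueError("malformed TCP option")
        if kind == 2:
            mss = struct.unpack("!H", tcp[i + 2:i + 4])[0]; opts.append("mss")
        elif kind == 3:
            wscale = tcp[i + 2]; opts.append("ws")
        else:
            opts.append({4: "sok", 8: "ts"}.get(kind, "?%d" % kind))
        i += length
    return {"ttl": ttl, "df": df, "window": window, "mss": mss, "wscale": wscale, "opts": ",".join(opts)}

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)

def signature(f):
    """Simplified p0f-style signature (our own format): ittl:df:window:options."""
    if f["mss"] and f["window"] % f["mss"] == 0:
        win = "mss*%d" % (f["window"] // f["mss"])   # window as a multiple of MSS
    else:
        win = str(f["window"])
    return "%d:%d:%s:%s" % (initial_ttl(f["ttl"]), int(f["df"]), win, f["opts"])

def build_syn(ttl, window, options):
    """Assemble a constructed IPv4+TCP SYN for testing (checksums left zero)."""
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, (tcp_len // 4) << 4, 0x02, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + options

# Two constructed SYNs (not captures from real hosts) with different option layouts.
SYN_A = build_syn(60, 29200, bytes([2, 4, 5, 0xB4, 4, 2, 8, 10]) + bytes(8) + bytes([1, 3, 3, 7]))
SYN_B = build_syn(120, 65535, bytes([2, 4, 5, 0xB4, 1, 3, 3, 6, 1, 1, 4, 2]))
```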