Honours Thesis Projects
The thesis topics listed here are available to strong undergraduate students. They are mostly associated with research projects and are generally quite challenging; many topics have the potential to lead to a publication, and on average we get about one paper a year from the work of one (or more) undergraduate thesis students. Students who are not aiming for excellence are in the wrong place here.
Note that the list below is constantly updated; new topics are added as we identify them while work on various research projects proceeds. Topics marked are recent additions.
UNSW students can access all of our recent student theses.
- topics supervised by Gernot Heiser
- topics supervised by Ihor Kuz
- topics supervised by Gerwin Klein
- topics supervised by Kevin Elphinstone
- How to apply
- info for postgraduate students
Undergraduate Thesis Topics in Operating Systems and Formal Methods
We are generally looking for honours candidates, or students with outstanding performance in operating systems. Specifically, we guarantee a thesis topic to any student who has obtained a HD grade in UNSW's Operating Systems or Advanced Operating Systems course, no matter what their other grades are!
Present topics supervised by Gernot Heiser (official list)
3628: Message-passing vs migrating
Message-passing and migrating threads are two basic ways of implementing cross-domain communication (IPC). seL4, like all previous L4 kernels, uses the former. The kernel of the Composite OS, designed for similar application domains, uses the latter.
This thesis is to examine and evaluate the Composite model and compare it to seL4, with the aim of understanding the main trade-offs and performance limitations, as well as the implications for resource management.
Novelty and Contribution: evaluation of microkernel communication models in the context of a real-time capable system.
3627: Secure network OS for SDN
Present "network OSes" for SDN controllers are applications that run on top of a standard OS, such as Linux. They also provide little or no security against buggy or malicious control apps.
The recent Rosemary work proposes a micro-kernelish NOS that runs on top of Linux. A sensible approach would be a minimal seL4-based system that runs natively, and uses seL4's protection and IPC mechanisms. This should be able to achieve better protection as well as better performance than Rosemary.
This project is to design such a system, implement a prototype and evaluate it. Results are likely publishable.
3587: Interrupt-Related Covert Channels on
seL4 is the world's only general-purpose kernel with a proof of confidentiality that applies to its binary implementation. This proof provides very strong guarantees that the kernel enforces data confidentiality --- i.e. prevents information leakage that would violate the system's access control policy --- with some side conditions. The side conditions include interrupts being disabled and that the proof does not cover covert timing channels.
One such timing channel arises when interrupts are enabled: the arrival of interrupts causes the time-slice of the current thread to be extended, because interrupt-servicing pre-empts the currently running thread, allowing it to indirectly observe interrupts that should otherwise remain secret. The goal of this project is to investigate mechanisms to mitigate and close such channels, while ensuring adequate interrupt response latencies.
We expect a natural trade-off between channel bandwidth and interrupt-response latency, so further work in this project would investigate this trade-off by applying existing tools to measure the effectiveness of various mitigation strategies against benchmarked latencies. This project therefore involves a combination of kernel implementation, benchmarking and analysis.
Novelty: If successful, the results of this project could be incorporated into future versions of seL4, and be applied to relax the assumptions of the seL4 confidentiality proof, increasing seL4's applicability for applications that demand both high performance and high assurance. seL4 would become the world's only kernel with a code-level confidentiality proof that holds when interrupts are enabled.
Outcome: The design, implementation and empirical evaluation of kernel mechanisms to mitigate interrupt-related covert channels for seL4.
3586: Sloth vs eChronos
eChronos is an RTOS designed for deeply-embedded systems with no memory protection and single-mode execution, which is being developed and formally verified by Data61. Sloth is a system for a similar application domain, which takes the unusual approach of leaving all scheduling to hardware, by running everything in an interrupt context. This limits the use of Sloth to processors where interrupt mode can be entered by software. This project is to evaluate and quantify the performance advantage of Sloth over eChronos.
Novelty: Sloth is presently the world's fastest RTOS. eChronos, which has the advantage of formal verification and less dependence on hardware features, is a more traditionally-designed RTOS. This project will determine whether the performance advantage of Sloth is significant enough to justify the different (and more limiting) design.
Outcome: A better understanding of RTOS design tradeoffs, eminently publishable results.
3584: Protected-Mode eChronos
eChronos is an RTOS designed for deeply-embedded systems with no memory protection and single-mode execution, which is being developed and formally verified by Data61. However, there are interesting use cases for a verified kernel on mid-range processors that feature a simple memory-protection unit (MPU). A particularly interesting case is the ARM Cortex M4, which eChronos already supports, albeit without utilising the MPU. This project is to design a protected-mode version of eChronos, then implement and evaluate it.
Novelty: Data61 has produced the first verified kernels for high-end microprocessors with full virtual memory (seL4) as well as for low-end single-mode microcontrollers (eChronos). The remaining middle ground is MPU-only processors. Success of this project will complete coverage.
Outcome: An eChronos version that uses memory protection.
3582: Effective Cross-Kernel Communication
For reasons of scalability and verifiability, seL4 uses a multikernel approach where cores do not share an L2 cache. This implies that kernels on different cores do not share state, and communicate asynchronously via mailboxes.
This project is to design, implement and evaluate a user-level communication package for threads running on different cores on top of the kernel's minimal mechanisms, and compare to other approaches, e.g., Linux IPC. This will, no doubt, require work on the seL4 mechanisms too. In fact, the project could be split between two students, one working inside the kernel and one at user level.
Data61's Trustworthy Systems team are world leaders in research for providing unprecedented security, safety, reliability and efficiency for software systems. Successes include deployment of the OKL4 microkernel in billions of devices, and the first formally verified OS kernel, seL4. Present activities include covert channel mitigation, mixed-criticality real-time systems, and automatic code-proof co-generation. We are building a complete seL4-based high-assurance system for autonomous helicopters, like Boeing's Unmanned Little Bird, in a project funded by US DoD. You will work with a unique combination of OS and formal methods experts, producing high-impact work with real-world applicability, driven by ambition and team spirit.
Novelty: Multikernels are new, and other than the Barrelfish paper there is little evaluation, and what exists is on x86, with vastly different trade-offs to our ARM platforms. Furthermore, seL4's idiosyncrasies mean that previous results are not necessarily transferable. Given the significance of seL4, this work can lead to publishable results.
Outcome: Understanding of how to do user-level communication in an seL4 multikernel; report describing design, implementation and evaluation.
References: Baumann et al, The multikernel: A new OS architecture for scalable multicore systems, SOSP'09
3210: Making the TPM
The Trusted Platform Module (TPM) specified by the Trusted Computing Group (TCG) and implemented on many PC platforms supports a secure boot and remote attestation (where an external agent can ascertain that the system is in a particular software configuration). However, the TCG approach has been considered a failure for end-user devices, as it does nothing to ensure that the "trusted" software is trustworthy and does not support upgrading it when it has been found to be vulnerable.
The formally-verified seL4 microkernel presents an opportunity to make TPMs useful: seL4 is truly trustworthy, so attesting that it is running provides real assurance of trustworthiness. seL4 itself can then be used to instantiate a trusted software stack, protect it from untrusted components, and upgrade the trusted software securely. The Ironclad approach uses a similar idea, but requires verification of the full system, ruling out use of any untrusted components. Instead, we use seL4's isolation properties for protecting critical components from untrusted ones.
This thesis is to build a demonstrator of an seL4-based trustworthy system. This will require implementing TPM-facilitated secure boot of seL4 and some trusted base which can be remotely attested. If time allows, demonstrate secure software evolution.
Novelty and Contribution: Such an approach to a practical TPM-based trusted system has not been demonstrated, and will constitute publishable research.
References: Chris Hawblitzel, Jon Howell, Jacob R. Lorch, Arjun Narayan, Bryan Parno, Danfeng Zhang, Brian Zill: Ironclad Apps: End-to-End Security via Automated Full-System Verification, OSDI'14.
I will not take on students who have not shown a convincing performance in COMP3231 "Operating Systems". I normally expect students to have done COMP9242 "Advanced Operating Systems", although I make exceptions in special cases.
Most topics can lead to publications.
Present topics supervised by Ihor Kuz (official list)
3287: Secure terminal on seL4
seL4 is a formally verified microkernel for building secure systems. A key element of such systems is secure access to terminal I/O (i.e. the screen, keyboard, and mouse), which means that different applications can get user input and output without worrying that other malicious applications (such as a key logger) can interfere. Nitpicker is a secure display architecture developed at Technical University of Dresden. In this project you will implement a version of Nitpicker for seL4, and use it as the basis for building a secure windowed terminal. Evaluate the resulting system by analysing its functionality, performance, and security.
3288: seL4 AUTOSAR
seL4 has been developed to be the basis for building secure systems; however, it can also be used as the basis for safety-critical systems, such as those used in cars. With seL4 in such systems, it becomes possible to provide guarantees about memory isolation properties, which is crucial for safety-critical systems. Besides memory isolation, seL4 also has known timing properties, making it possible to give timing guarantees, which is important for real-time systems such as those found in cars. The goal of this project is to investigate the role that seL4 can play in such systems by implementing the AUTOSAR automotive framework to use seL4 as the underlying OS.
3289: Qubes on seL4
Qubes is a new operating system architecture for developing secure desktop systems. It is based on isolation, running each application in a separate virtual machine so that they cannot maliciously interfere with each other. However, Qubes is based on Xen, which is a relatively heavyweight, and insecure, hypervisor. Qubes would be much better if it ran on, and relied on, seL4 for its isolation. In this project you will implement a version of Qubes on seL4, and evaluate it by running various applications to analyse the security benefits that seL4 provides.
1268: Shared resources in a microkernel-based
One of the key services that an OS provides is managing access to shared resources. For example, a file system manages access to shared disk space, a network stack manages access to a network device, a window system manages access to the display, etc. In a modular, microkernel-based OS, these shared resources are managed by user-level services. In this project you will investigate ways of modelling such shared resource managers within the CAmkES component framework on seL4 and develop a suitable model for building such services in a componentised environment. You will assess the suitability of this model by designing, implementing, and evaluating one or more such services (e.g., a file system, a network stack, etc.).
IK10: Click Modular Router on L4
Related topics supervised by Gerwin Klein (official list)
GWK01: Formal Model of an ARM Processor in
Develop a specification of an ARM processor (e.g. Xscale) suitable for use in formal verification of programs. A similar such model for an MMU-less ARM6 core has been developed by Anthony Fox at Cambridge in the HOL4 system. This should be examined for its usability, and for what is missing with respect to a full model of an Xscale processor. If time allows, an instruction-set level simulator should be generated from the model. This project is an integral part of the formal verification of the L4 microkernel at Data61. It connects cutting-edge OS research with real-world large-scale system verification. You will work with the developers of L4 and Isabelle in an international team of PhD students and researchers in Data61's TS group.
GWK02: Verifying the core of the standard C library in
You will work with a state-of-the-art interactive theorem prover (Isabelle/HOL) to formally verify the functional behaviour of a small number of basic C functions like memcpy, memset, etc. The verification of these functions is at the basis of any undertaking that wants to provide guarantees about programs implemented in C. This project is an integral and important part of the formal verification of the L4 microkernel at Data61. You will work with the developers of L4 and Isabelle in an international team of PhD students and researchers in Data61's TS group.
GWK03: Formal Model of L4 IPC and/or Threads in
Develop a specification of a subsystem of the L4 microkernel in the theorem prover Isabelle/HOL. L4 provides three basic abstractions: address spaces, threads and IPC. An abstract model has been developed for address spaces and the virtual memory subsystem; the aim of this project is to provide a similar model for one or both of the remaining abstractions. In addition, an investigation into high-level properties of this model will be undertaken, together with the development of proofs that the models satisfy these properties. If time allows, the model will be refined towards the L4Ka::Pistachio implementation on ARM. This project is an integral part of the formal verification of the L4 microkernel at Data61. It connects cutting-edge OS research with real-world large-scale system verification. You will work with the developers of L4 and Isabelle in an international team of PhD students and researchers in Data61's TS group.
Related topics supervised by Kevin Elphinstone (official list)
2981: Secure microkernel-based web server using Linux
Our research group has developed a formally verified secure microkernel that supports virtualisation. We have a version of Linux that runs on top of this kernel. The goal of this project is to develop a secure web server platform consisting of an instance of Linux running in the DMZ and an instance of Linux running on the trusted network, all actually running on the same machine using the secure microkernel to separate them. This project has the chance to be deployed as a demonstrator for our group's web site.
KJE15: A Secure Bootstrapper for the seL4
The seL4 microkernel is a high assurance microkernel capable of acting as a separation kernel when it and the encompassing system are instantiated correctly. The goal of this thesis is to develop a simple component model that can specify an initial system state, i.e. the servers and applications that will run on the microkernel. The component model is then used to generate the bootstrapping code to instantiate the system with the specified separation guarantees. The project may involve evaluating the existing CAmkES framework for the component model, and looking at formal models and guarantees for both the component model and the generation of the bootstrapper.
KJE16: Linux as a component.
Data61 has various versions of Linux that run para-virtualised on various versions of micro-kernels developed here at Data61. However, the connection between Linux and the platform is rather ad-hoc, which makes it difficult to bring Linux into the principled component framework (CAmkES) developed here at Data61. This project would involve examining the interface between the micro-kernel and the support infrastructure to allow Linux to be just another component in the CAmkES framework.
KJE17: ARTEMIS robotic clarinet player
Data61 is entering the ARTEMIS instrument playing robot competition. This project involves developing the system software side of the robot, with an eye to making it general enough to use for future entries. It involves low-level embedded controller programming, Linux kernel programming, and application programming. A familiarity with music is also helpful.
How to apply:
Contact the relevant supervisor.
Note for OS/FM related topics: We promise a thesis topic to every interested student who has obtained a HD grade in COMP3231/COMP9201 Operating Systems or COMP9242 Advanced Operating Systems. If necessary we will define additional topics to match demand.
We will not turn down any students doing exceptionally well in OS courses. However, this does not mean that an HD in OS or Advanced OS is a prerequisite for doing a thesis with me. Interested students with lower OS marks are welcome to talk to me if they feel they can convince me that they will be able to perform well in an OS thesis.
Keep in mind that these topics are all research issues and generally at the level of Honours Theses. They are not suitable for marginal students or students with a weak understanding of operating systems. We expect you to know your OS before you start.
Postgraduate thesis topics:
Undergraduate thesis topics are also suitable for coursework Master's projects. Same conditions apply: You must have a pretty good track record in OS courses for OS and FM related topics.