Televic Rail wants to improve the security of embedded systems in Train environments. Systems contain different sub-systems: hardware, operating system, software, …
Televic has improved a lot in the automation of the build process for Operating Systems and Software. Currently the build process (pipeline) is finished when a successful build is created.
To have a realistic view of the existing security issues, a staging environment which simulates the production environment is needed. This staging environment is accessible by the build server and should deploy software and Operating Systems towards the corresponding hardware (continuous delivery). Once everything in the staging environment is deployed, different tests can be executed (functional integration and security tests). Some examples of such security tests:
Portscan: scan the operating system of the embedded system to find open UDP/TCP ports
Dynamic Analysis Security Testing (DAST)
Fuzz testing which is a test in which random data is sent to system inputs (e.g. software interfaces) and monitor if the system can survive (no denial of service)
Web application testing: different tests to verify the security of a web application (OWASP Top 10 list for example)
Webinterface API tests: test to verify the security of an API (e.g. REST interface)
Network vulnerability scan: scan if the systems use open source components containing discovered known vulnerabilities (on exposed interfaces)
Other penetration testing tools …
The research part of this thesis is to identity the weakest link in our system. The student will create software / scripts which behave as a hacker which execute different security tests in the staging environment (fully automated). Study about risk analysis in a cybersecurity context will have to be executed to create a realistic set of security tests.
Next to this, each tool will generate reports, all results need to be collected and parsed to create a list of issues (and priorities). These results need to be presented on a dashboard which provide an overview of the maturity of the security in the system.
Nature of the work
Level: Bachelor, Master
Type of work: Research: 30%, Implem.: 50%, Experim.: 20%
Location: Televic, University
Type of activities: Design, Implementation, Programming