As part of my engineering degree’s honours requirements, I have to undergo thesis research. As of the time of originally writing this post (6th August 2021) I had already completed the majority of my subjects, with just COMP3601 (Design Project A), COMP4601 (Design Project B), and my year-long thesis to do.

Picking a topic was daunting.. one because the thesis is a year-long commitment, and two.. well you honestly don’t really know what you’re signing up for.

There were a lot of projects in the topic list.. 359 to be exact. (Update: The 2022 list has 568 topics now… yikess!)
You can also pick your own choice of topic - which I sort of ended up doing after discussing with my professor.

Day -1 | Topic Research

Since we had to pick a thesis from a list, I decided to look through the list.

The majority of the thesis topics revolved around some consistent categories

Formal Verification of ______ - No thanks! Definitely not into the mathematical proofs of things
AI / Machine Learning - Could be cool, but I’m personally not interested in these sorts of things
Blockchain - Despite it being a buzzword, the projects looked interesting
seL4 - Some low level kernel stuff which is cool, but I didn’t do Advanced Operating Systems (AOS) which is listed as a pre-requisite
Biomedical - These sound fun, but the majority are just mobile application development… which is sort of a turn-off to me
IoT Analysis - Some of these delved into security analysis, which was kinda cool

After perusing the 359 thesis topics, I ended up with a shortlist of 23 items

Category | Computer Architecture

On Memory Data Protection for Embedded Processor Systems
FPGA-based Satellite Flight Computer
Drowsy and Decay Leakage Control for the Register File / Cache Memory Architecture

Category | IoT

Embedded Thermal Camera Networks
Sensors and Orchestration in Learning Spaces
A Frontend for IoT
Smart Campus IoT Test Bed

Category | Software Engineering

[Biomedical]
- Design and Develop Software Cloud Services for Health Data
- Design and Develop Backend Services for Medical Questionnaires and Responses
- ikki - A companion robot for sick kids
- Smartphone App for Telepsychiatry and Mental Health
- Smartphone App for Activity Classification and Fall Detection
- Mobile Apps for Cardiac Rehabilitation and Heart Failure
Towards Personal Process Management
Modelling and Analysing Economics Data
Web Frontend for ARGUS (Computer Engineering)

Category | Security Engineering

Vulnerability Database as a Service
Cyber Security using SDN
Security Auditing and Bug Testing
A Novel Approach to Privacy Preservation in the IoT using Blockchains
Privacy-preserving Cloud Services for IoT

Category | Misc

Decentralising big data processing

Category | The Easy Way Out

For a “last resort” measure (in case I wasn’t able to pick any of my interest topics), I also picked some thesis topics that I would consider as easy - but probably boring.

WebCMS3 Mods (Software Engineering)

Topic

Title: “Smart” Vacuum Cleaners - An Audit Into The Security and Integrity of IoT Systems
Topic Area: Security, Hardware, IoT
With the ever-growing adoption of convenient and user-friendly Internet of Things devices, more and more objects around us have made their way onto the internet, requiring connectivity to the web for one reason or another. Despite the unknown nature of communication and limited transparency of data, such privacy concerns are often overlooked in exchange for convenience. This paper audits the Roborock S6 robotic vacuum cleaner to assess its internal operations and network activity behaviour, as to investigate any potential vulnerabilities that may render the device unsafe or insecure.

The Adventure

Starting Out

“Start your thesis in the last term of the year”, they said.
“Get an extra 6 weeks of work time during the summer break”, they said

Imagine working on your thesis during the holiday??? Also my holiday was not really a holiday as I was interning at Atlassian.

Anyhow, I can say with full confidence that self-directed year-long research is the same thing as a self-directed 2-week research.
Time management is hard, and you will always overestimate the amount of time you have left…

Progress and research was very slow for the first few weeks, especially due to logistical delays with getting hold of the device under test.
Eventually I got into a rhythm; and by rhythm I mean doing 14 hour straight deep dives each week, rather than 2 hours a day… At least it was consistent?

Meetings

My supervising professor was sorta always busy so I never actually had a (content-related) meeting.
Whilst I had a couple of meetings with my other supervisor, it was also not really content-related - and more to do with admin logistics…

Am I a fraud?

Throughout several periods during the thesis, I felt abit invalidated because there was already research on the same device.
Whilst I performed independent research, I still had lingering feelings that my work was trivial or not novel enough as my collected results were often shadowed by existing research.. It was quite demotivating..

Increased network activity at 3am? ~~Oooooh~~ The device was just reconnecting
Conflicting MD5 hash of a program despite the same version? ~~Oooooh~~ It was just a stripped version
Wireless password exists in the uploaded log file. ~~Yeah that sounds fine~~ Wait didn’t the privacy policy say it won’t do that???

You’re not a fraud.

Finally! Some new findings. For the record I also found some other things, both regarding privacy and security issues.
So thankfully my research finally offers new contributions!

Oh and I also found a zero day 🔥

Seminars

A big thanks to everyone who decided to join my presentations and listen to me rant about security!

The three seminar that I had to prepare for and present only contributed towards 17% of my mark.
I did however have a lot of fun preparing and sharing my results.

You can find the seminar presentations here (created with Hugo and Reveal.js, exported to PDF with decktape)

Report Writing

Preliminary Report (Report A)

So here’s the deal.
The old me didn’t want to write the report in LaTeX, because the old me thought that it would take too long to learn the syntax and figure out how to use packages (is that what they’re called).
I’m still that old me, I still don’t know how to use LaTeX - but that’s okay, I also don’t know how to use MATLAB either 🤡

In line with how I’ve been writing my course notes (that is, writing notes in Markdown (via Forestry) and letting it be built as static pages with Hugo), I wanted my report to be nicely viewable on my thesis website, because who REALLY wants to read a PDF file right? So the plan was to write my thesis report in Markdown, and then somehow convert the content format into something that looks nice and academic-y, easy right? ~~It’s in LaTeX so it must be true~~ It’s in Times New Roman font so it must be true!

Anyway… hahahahaishouldhavenotdonethishahahahathiswasamistakehahahaha.
Okay it was too bad… some smart dude made a thesis markdown template which effectively preprocesses the Markdown content into LaTeX.
This was ideal, as I could just focus on the content and use the simple formatting scheme of Markdown.
After a few tweaks - it sort of worked well! (apart from the chaos in trying to set it up)

Whilst it did work, I faced several challenges and limitations - namely all being formatting issues. Formatting however is a pretty important factor when it comes to the successful production of a research paper… Specifically, labelling of figures was a challenge (to be honest I think I gave up on this). Furthermore, I had to hack together a one-liner to get the references working on both the PDF export and the website.

We got there at the end though, and the preliminary report is available on both the web and as the required PDF format!

The Thesis (Report C)

“Start your report early! Don’t leave it till the last minute!" - the words of my professor loomed, as I started writing my report a mere few days before it was due 🤡

👏 Okay 👏

So I’ve learnt my lesson: Don’t use Markdown to write your thesis report, formatting was a pain. Use LaTeX. It’s literally designed for writing documents and everyone uses it-
Yeah.. how about no. Let’s use Microsoft Word instead 🤡
No web version this time though, way too much effort!

I think the hardest issue with writing in LaTeX (and also Markdown I guess) is the fact that you’re editing the “source code” of the document, rather than a WYSIWYG editor like Microsoft Word. You therefore need to rebuild the document (or live reload / preview the file to view your changes).
For the sake of argument, my friends who told me off for not using LaTeX were maths students - where they have to write.. you know… maths.
I can confirm that typesetting mathematical equations and proofs in Microsoft Word is not an easy task, so LaTeX makes perfect sense, for them.
My thesis was more just a dump of words and images, which is why I could get away with using Microsoft Word.

I had a body page limit of 50 pages, and I ended up having about 47 pages of content (about 15,400 words).
Kinda crazy how I wrote about 5000 words each day… diamonds are made under pressure huh? 💎

The inbuilt citations feature would probably have worked, but since UNSW pays for a volume license of EndNote, I might as well use that.
Also, until this thesis, I’ve never ever used Microsoft Word’s References feature. Where was this feature when I needed it 😢
Oh right, my group projects used Google Docs instead.

Blah blah blah, TL;DR?

So TL;DR, I did a security and privacy assessment of a robot and found a 0-day.

Nice.

Speaking of TL;DR’s, here’s a TL;DR recounting my research sessions.
It’s probably not accurate as I wasn’t consistent on always adding an entry after finishing my research, but ah well…0

It uses the generic cards list template I wrote some years ago, yay for software re-use!

Copyright Music to Research To

I recorded some of my research sessions, as a means to keep track of time, document my work, and capture any momentary popups or prompts that might disappear before I get to screenshot things (pesky popups and serial console spam!)

https://www.youtube.com/playlist?list=PLD7TGWg7V1ZavJJmTn2_6IHWTKtHIIPWe

There’s definitely a lot of copyright music and content blocks on the videos though, because I often had music playing in the background 🤷‍♀️

Hot Take: Should I do a security thesis at UNSW?

Personally, I think no - at least not for a hardware-based security thesis.

UNSW’s CSE department and SECedu don’t really have any hardware (equipment) or physical resources (like a place to do my research?).
That said, the EE&T department was always a quick walk away - at least that is what I’d say if COVID-19 didn’t shut down the campus.
Whilst I did have a bunch of electrical testing equipment out of personal interest, the cheap $5 USB to UART TTL adapter, and a screwdriver was all that I really used.

I know that some other universities have IoT labs, or dedicated research spaces where you can leave your equipment there and come back the next day without needing to pack/unpack.
UNSW doesn’t have these, to my knowledge.

Since I did my research at home, I had to set up my own sort of IoT lab environment - somewhat clearing out a room in my house so I could set up my equipment (networking, power, communications). That said, working from the comfort of my home was nice.

Wrap Up

After a year of ~~procrastination~~ work, I’m super excited to have completed my thesis!
Feel free to have a look over my research on the thesis webpage, and of the final thesis paper here.

This post probably is very fragmented and doesn’t make much sense… but then again I’m writing this post whilst heavily sleep deprived…
Here’s to writing seventeen thousand words in three days I guess 🍻

ciao.

Notes to future self

~~Start early~~ Yeah it won’t happen
Probably learn how to use LaTeX

My Thesis Journey

Posted Aug 10, 2022