PhD topics

Suggested PhD topics in Cyber Security, Privacy and Trust.

If you are interested in one of these topics, please read the application guidance first and then contact the named supervisor to discuss.


  1. Logical specification and analysis of web applications for safety and security. Existing web application interface testing tools (such as Selenium) are limited to hand-crafted test cases. Our Quickstrom tool allows for automatic property-based testing against a specification written in temporal logic. PhD topics in this area could extend to handle epistemic security properties, incorporating model checking techniques for a more rigorous analysis, or add probabilistic confidence bounds about coverage. Contact: Liam O'Connor

  2. Integration of algorithmic verification into interactive proof assistants.  Algorithmic verification tools (e.g., model checkers and static analysers) are currently separate from proof assistants used to produce full functional correctness and security proofs of software (such as the seL4 Microkernel). This topic would integrate verified algorithmic verification techniques into a proof assistant, aiming to reduce the cost of end-to-end verification. Contact: Liam O'Connor

  3. Speculative Execution Defences.  Find ways to mitigate the performance, security and/or programmability issues caused by Spectre and Meltdown-style attacks on modern processors. This could be via new microarchitectures to limit the potential of side channels, or to improve memory performance in the face of restrictions, or new compiler and programming-language techniques to insert barrier instructions, to maintain safety without more hardware support or ad-hoc, unsafe programmer methods. Contact: Sam Ainsworth

  4. Codesign for Security. Many large codebases, such as browsers and operating systems, use insecure low-level languages to improve performance. This project will look at architectural, compiler, runtime, and or architecture-compiler codesign techniques, to mitigate the security vulnerabilities faced by today's high-performance code, such as spatial, temporal, and type safety. Contact: Sam Ainsworth

  5. Deep Threats in Autonomous Vehicles. From self-driving cars to delivery drones, autonomous vehicles are becoming everyday.  But the blackbox or greybox nature of deep learning potentially undermines the required safety criticality and in the wrong hands could pose severe cyber security threats. Using vehicle perception and navigation as case studies, this project will systematically study threats arising from deep learning to autonomous vehciles and look at effective and generic mitigations. Contact: Chris Xiaoxuan Lu
  6. Internet of Safe Things. With billions of connected devices deployed, Internet of Things (IoT) based cyber-physical systems (CPS) bring unprecedented risks due to the unexpected interaction between systems and the larger number of attack vectors. These arise in medical devices, smart home appliance control, digital twin development or conflicts in policy execution at a societal scale. PhD topics will focus on the security, privacy and safety issues and investigate solutions that integrate hardware and software components, particularly those that have humans in the loop. Contact: Chris Xiaoxuan Lu
  7. Cyber risk analysis and modelling of  uncertainties related to potential data/privacy breaches and the economic costs. Optimal decision models among the costs of managing cyber security, users satisfaction and cyber risks faced by organisations. Contact: Tiejun Ma

  8. Human factors modelling related to cyber risk taking and decision making.  Particularly in relation to fintech applications (e.g. mobile, transactions, fraud and AML).  Contact: Tiejun Ma

  9. Human factors of software updating. Updating software is one of the best ways to protect a computer from attack, yet many people choose to not update software. Identify the best practices for automatic updating of software so that users are happy and security patches are installed quickly. Contact: Kami Vaniea

  10. Usable security API design for SSL/TLS. Understand the current usability issues with security APIs such as SSL and TLS. Then design a new API that is easier to use resulting in higher adoption of security practices and a reduction of errors. Contact: Kami Vaniea

  11. Design and analysis of electronic voting protocols. Many countries have or plan to conduct legally binding elections using electronic voting systems. Such systems need to provide security guarantees, e.g., fairness, privacy, and verifiability. These are tricky to establish and can be in conflict with one another. Several proposed electronic voting systems have been found to fail to achieve their intended security goals, demonstrating the need for formally verified electronic voting systems. Contact: Myrto Arapinis

  12. Brain activity as a biometric: Towards more secure and robust authentication mechanisms. We seek to enable the use of human brain activity as a biometric beyond current security platforms. We expect that the use of electroencephalogram (EEG) recordings as a new authentication mechanism will achieve the long-sought advantages of universality, intrinsic liveness detection, continuous identification, and robustness against spoofing attacks. We will focus on developing techniques compatible with affordable consumer-grade EEG devices, rather than the expensive and cumbersome clinical devices. This project is set up as an interdisciplinary collaboration between researchers at Informatics and Engineering. Contact: Javier Escudero

  13. Verification of Security of the mbed OS uVisor (with ARM). The mbed OS uVisor is a core security component for ARM's mbed IoT platform. It creates isolated security domains M7 microcontrollers with a Memory Protection Unit (MPU). On top of these the uVisor provides a flexible compartmentalisation using separate security domains ("Secure Boxes"), configured with ACLs. This project will apply theorem proving methods to help define and then verify correctness and security properties of the uVisor implementation, building on previous work on instruction set models and decompilation techniques. Contact: Ian Stark

  14. Formal Specifications and Proofs for TrustZone (with ARM). Increasing complexity and connectivity in microcontroller devices motivates new protection mechanisms to improve reliability and security. ARM's TrustZone for ARMv8-M provides a separate "secure world" execution mode to enable features such as secure firmware updates, safe integration of code from multiple suppliers and controlled access to privileged peripherals. This project will study the low-level instruction set design of TrustZone for ARMv8-M, devising formal specifications describing the security properties that hold at the instruction level and proofs that these provide the intended protection against low-level attacks. Contact: Ian Stark

  15. Quantum-enhanced Cloud. The security of the cloud could be obtained through Fully Homomorphic Encryption schemes. However these schemes are potentially breakable in a post-quantum regime and require huge overhead and hence despite intensive efforts from all the major players in the information industry, they remain mainly infeasible. The primary goal of this project is to develop quantum enhanced protocols where both efficiency and security are boosted. Implementations of plug and play solutions for these new protocols will be also pursued in realistic scenarios. Contact: Elham Kashefi

  16. Mobile Crowdsensing with Location Privacy. Using sensor data from mobile phones for better understanding of users and fine-grained monitoring of the environment is a major current research topic. From point of view of privacy, the challenge is to infer important features from collective data, without compromising location and other sensitive information of any individual. Contact: Rik Sarkar

  17. Security of Blockchain protocols. Study the underpinnings of blockchain based distributed protocols, including the mechanisms behind Bitcoin, Ethereum and other cryptocurrency systems. Contact: Aggelos Kiayias

  18. Privacy in communication systems. Study the concept of privacy in communications and data sharing and design and analyze systems that facilitate it using suitable cryptographic and statistical methods. Contact: Aggelos Kiayias

  19. Applied and Theoretical Cryptography. Study cryptography from both applied and theoretical angles and apply it to solve problems such as secure channels, identification systems, cloud storage, secure digital content distribution and others. Contact: Aggelos Kiayias

  20. Automatic Vulnerability Predicition and Discovery. Software vulnerabilities continue to plague the industry. Tools help find problems, but current technology is limited. Future systems will be proactive, searching for possible problems and deploying work-arounds or repairs automatically.  PhD topics may investigate AI methods such as program synthesis, critics and abstraction-refinement, or reinforcement learning.   You need a background in software security, ideally also program analysis, logic and reasoning, AI methods.  Contact: David Aspinall

  21. User Interfaces for Sensitive Health Data. How can we help users control who can see sensitive information about their health and well-being? This is particularly relevant for people who live with a long-term condition that requires support from formal carers, such as health professionals, and informal carers, such as family and friends, and for people with a stigmatised condition, such as HIV+, schizophrenia, or urinary incontinence. Contact: Maria Wolters

  22. Hardware-assisted Dependable Software Systems.  Design and build systems to improve the safety and security of software systems by leveraging the new ISA extensions available as part of commodity CPUs. More specifically, we are interested to explore the usage of new Intel ISA extensions such as Intel SGX,and Intel MPX to improve the dependability of legacy software systems written in C/C++, including operating systems and file-systems. Contact: Pramod Bhatotia

  23. Secure Remote Authentication via Game Playing. This project investigates a new approach to secure remote authentication which frames the problem as an interactive game between client and server, in which the server has to reason about the complex behaviour of the client based on observed game moves.  Contact: Stefano Albrecht.

  24. Consensus in a world with quantum technologies.  The goal is to explore consensus protocols, such as Blockchain and Byzantine Agreement, in the presence of quantum technologies. Quantum technologies can be used either by adversaries in order to break existing classical protocols, or by honest parties to achieve better performance as far as efficiency or level of security provided.  In this project both directions will be considered. In the first direction (quantum adversaries) full security analysis of classical consensus protocols against quantum adversaries will be carried out, including: (i) ensuring that for all subroutines if hard problems are used to guarantee security, then these problems remain hard when the adversary has a quantum computer (e.g. base security on lattice crypto), (ii) the security definitions and the proof techniques are compatible with quantum adversaries. As far as the second direction is concerned, it is known that (simple) quantum technologies can be used to achieve enhanced Byzantine Agreement protocols.  The investigation will take into account (i) realistic constraints and (ii) proper security analysis that includes hybrid quantum-classical subroutines by addressing the issue of composability of quantum and classical protocols.  Contact: Petros Wallden or Elham Kashefi.

  25. Tactics for Attacks. The goal is to explore extensions of attack trees (used for threat modelling) and equip them with ways to reason about, and generate, traces of actual attacks, using "tactics" (a notion from interactive theorem proving).  These methods will allow us to construct and manipulate large attack trees, and  apply new higher-level methods to exploit generation which can chain together several different steps.   Contact: David Aspinall

  26. Preserving Privacy in an Online World. The goal of this project is to build AI-based methods to preserve privacy in online social systems (such as social networks and IoT systems). Fully funded PhD position with Nadin Kokciyan.  See here.

  27. Cryptanalysis of Cryptographic Algorithms. Research, apply and design techniques for analysis and attacking of symmetric-key cryptographic algorithms such as block ciphers, stream ciphers and hash functions.  Contact: Vesselin Velichkov.


Staff listed here may also be interested in other PhD research proposals on other topics, please contact to discuss.


[ Note for staff: please contact David Aspinall with updates/additions to this list. ]