Graduated students


contact info

Dr. Ir. Hugo Jonker
Open Universiteit
Valkenburgerweg 177
6419 AT Heerlen
phone: +31 (0)45 576 2143
twitter: @hugojonker

This page describes final projects by students who finished their studies under my direct supervision. Students I currently supervise are listed on the supervision page.

Graduated PhD students:


Graduated MSc students:


Research internships (MSc students):


Graduated BSc students:


Graduated BPMIT students: As a courtesy to the starting Information Sciences group, from 2015-2018, I helped out by supervising a few of their master students for their final project for the BPMIT programme. The BPMIT MSc. programme focuses on the management aspect of IT projects. As such, it is more in line with the field of Management than Computer Science, which is reflected in the methodology of the below theses.

Enforced Privacy: from practice to theory

Naipeng Dong, PhD thesis, University of Luxembourg.
Defended: November 2013.
Co-supervised with Prof. Dr. S. Mauw and Dr. J. Pang.
Link: thesis.
Publications: FAST'10, FHIES'11, ESORICS'12, ESORICS'13.

The project focused on formalising enforced privacy. Starting point was to investigate practical requirements for enforced privacy in voting, healthcare, and auctions. Using the resulting domain-specific formalisations, a generalisation step was made, which captures not only privacy-reducing conspiracies, but also privacy-preserving coalitions.

Interpreting NTFS Time-stamps

Jelle Bouma, BSc thesis, Open University.
Finished: August 2019.
Links: thesis.

The NTFS file system records 8 time stamps per file.This thesis investigates how these time stamps may change due to regular (user-triggered) operations. The resulting list of time stamp effects is used to develop an approach to recovering which operations have been applied to a file, based on the current state of these 8 time stamps. Finally, a proof-of-concept implementation of this approach was created.

Synthetic Fragmentation Experiments using WildFragSim

Robbert Noordzij, BSc thesis, Open University.
Finished: August 2019.
Links: thesis.

Longitudinal studies on fragmentation and block allocation in hard disks are hard to execute: simulations will not accurately model disks found in real life, while convincing a large group of disk owners to participate in a years-long study has its own problems. In this research, a tool is developed to improve simulations to more closely mimic human behaviour - in particular, writing rhythm. The tool is currently geared towards investigating fragmentation effects.

File dating based on the Physical Location of the File

Yvonne Vollebregt, BSc thesis, Open University.
Finished: August 2019.
Links: thesis.

In digital forensic investigations, it is necessary not only to prove that a specific file existed on the examined device, but also to establish some bounds upon the length of duration. Presence of a file that existed only for a split second will likely be regarded very differently than a file that existed on the device for months. To establish such bounds, two file dating mechanisms were tested: dating the entire disk based on the physical location of files, and dating a single file based on the dates of 10 neighboring files. The second method proved more useful, but neither will be sufficient in all cases.

FP-Block 2.0: preventing browser fingerprinting

Nataliya Yasko and Siebren Cosijn, BSc thesis, Open University.
Finished: August 2019.
Links: thesis, software.

FPBlock is a browser plugin (developed by Christof Ferreira Torres) that prevents fingerprint-based cross-site tracking. Since its release in 2015, several critiques were released. Moreover, Firefox moved to a new plugin model, which necessitated an update. FPBlock 2.0 addresses several shortcomings of the original FPBlock, improving tracking resistance. Specifically, resistance to canvas fingerprinting and font fingerprinting is repaired and an initialisation bug is fixed. In addition, several small inconsistencies in the used web identities were uncovered and addressed. Moreover, fingerprint generation is now done a priori, and fingerprint selection is done in near-constant time. This allows FPBlock to be used on millions of sites without the fingerprint selection process grinding the browser to a halt.

Shepherd: Enabling Large-Scale Scanning of Websites after Social Single Sign-on

Alan Verresen and Jelle Kalkman, BSc thesis, Open University.
Finished: August 2019.
Links: thesis. (this software is not made publicly available)

Shepherd is a tool for automating website logins, enabling studies of post-login content. So far, Shepherd worked with domain-specific credentials. This project worked to add support for single-sign on logins, such as logging in with your Facebook or Google account. The resulting extension to Shepherd generalised the concept of single-sign on, and can also support non-western identity providers.

Comparing privacy plugins

Nick Nibbeling, BSc thesis, Radboud University.
Finished: July 2019.
Links: thesis.

This thesis compares several plugins that claim to offer improved privacy to their users.

Research Internship: Towards a Fingerprint Surface

Rick Dolfing, MSc research internship, Radboud University.
Finished: April 2019.
Links: thesis.

When fingerprinting is discussed, a lot of different terminology is being used. Studies use different terms, are not always clear about the studied features and propose methods which lack a fundamental approach. There is an understanding about the concept of fingerprinting, but it lacks a fundamental way to reason about it. We talk about a fingerprint surface and propose a taxonomy to use when discussing this topic. We applied our taxonomy to important studies over multiple years and reason about counter measures. We argue that the fingerprint surface is a fundamentally hard to problem, as it is hard to be complete in every category. We identified the one category that can be complete and we introduce the Prop-test to return the entire fingerprint surface for this category.

Turning It Off: context-driven prevention of passive WiFi-tracking

Aksel Harrewijn, MSc thesis, Open University.
Finished: May 2019.
Links: thesis (in Dutch).

Smart phone tracking has become popular in the public space. This thesis investigates whether countering this via a simple machine-learning based app that turns off wifi when outside trusted areas is a viable solution. In comparison to a simple polling solution, it guards privacy better, thereby showing the potential for using machine learning to counter wifi-tracking.

Automated data extraction: what you see might not be what you get

Gabry Vlot, MSc thesis, Open University.
Finished: July 2018.
Links: thesis, software: webbot detection scanner, fingerprinting webserver tailored for webbots (both on GitHub).
Publication: ESORICS'19.

More and more research relies on automatically visiting web pages and processing the results. These investigations typically do not account for the possibility that a web site returns different content to a scraper or web bot than to a regular user. In this project, we provide a taxonomy of how to detect web bots. We provide a characterisation of the client-side detectable fingerprint surface of 9 web bots. Using these findings, we design a generic detector that detects web bot detection. We implement the detector and found that ~11% of web sites in the Alexa Top 1 million is employing some form of web bot detection.

50 ways to lose your cover

Annet Vink and Katleen de Nil, BSc thesis, Open University.
Finished: July 2018.
Links: thesis, cover song.

In 2010, Eckersley released a web site that measured various attributes, and computed how unique each visitor was compared to the visitors that preceded. This was the first (public) foray into browser fingerprinting: tracking a browser based on its attributes. After attracting half a million visitors, Eckersley was able to determine for many different attributes of a browser (screen resolution, user agent, etc.) how much impact they had on privacy.
Recently, Torres & Jonker investigated fingerprinting on mobile phones and found that the incidence of fingerprinting in apps is significantly higher than the most recent data on fingerprinting in web sites. This project developed a test setup, similar to Eckersley's, to be able to test to what extent any given attribute on a mobile phone impacts privacy.

Automating outlier detection in academic publishing

Niels Tielenburg, MSc thesis, Open University.
Finished: June 2017.
Links: thesis, software.

In recent years, several egregious cases of scientific fraud emerged (e.g. Diederik Stapel, Hyung-In Moon). These people were detected by peers suspicious of uncharacteristic speed in the scientific process - not by any procedures in the scientific publishing process.

This project took a first step towards addressing this. Due to the ever-increasing volume of research output, automation is necessary. Unfortunately, detecting fraud cannot be fully automated - some types of fraud strongly resemble behaviour of excellent researchers. The scope of the project was therefore to design a method to identify those scientists where manual investigation is warranted.

The project designed heuristics on publication data and provided tooling to automatically gather publication data. This helps to identify outliers. Such outliers were then further investigated by a partially automated comparison with their scientific peers (co-authors, co-editors, papers published in the same venue, etc.). Outliers who stand out from their scientific peers are of interest and could be manually investigated.

Private tweeting

Bas Doorn, Lucas Vos BSc thesis, Open Universiteit.
Finished: June 2017.
Links: thesis, software.

Social networks provide wonderful possibilities for interaction. In turn, they learn the social network of each user. The idea behind this project is to create a layer on top of an existing social network (e.g. Twitter), that allows a user to use all the advantages of a social network without revealing the full extent of his/her network.

Counting Sheep: analysing online authentication security

Marc Sleegers, BSc thesis, Open Universiteit.
Finished: March 2017.
Links: thesis, poster CSW-NL.

Modern websites store an authentication cookie on the client computer when the login process succeeds. This cookie allows the end user to remain authenticated for the remainder of the session, forgoing the need to supply credentials to each following request. An attacker can steal this cookie in a session hijacking attack, effectively authenticating as the victim without needing the username and the password.

As such, it is vital that authentication cookies are used securely over an encrypted connection. Firesheep showed that websites typically protected the login process, but dropped down to an insecure connection immediately after in 2010. While this secured credentials, it left the authentication cookie exposed. Following this, Firesheep allowed any attacker to trivially hijack sessions on sites such as Google and Facebook. The websites in the spotlight quickly implemented a secure connection across the board, but it is unknown if others followed suit.

Analysing how widespread "faux" online authentication security still is first requires a way to identify domains that are vulnerable to session hijacking. We conclude that this type of faux web security can be identified by analysing the authentication cookies of a site. During initial testing we found that the problem still exists today, despite the internet ecosystem appearing to be more secure. Additionally, we found that mobile apps suffer from the same vulnerabilities. Following these results, we developed a tool, Shepherd, which analyses a given number of domains using a pre-emptive and generic approach. Using this tool, we were able to automate the entire login process for 4689 unique domains without the need for prior information such as credentials. We found that four out of five authenticated domains (3764) are indeed still vulnerable to session hijacking.

S3 - Securely Sharing Selfies

Gert-Jan den Besten, BSc thesis, Open Universiteit.
Finished: November 2016.
Links: thesis (NL), developed app.

Photosharing has become very popular. In this project, we combine photos with context information: information about when and where the photo was taken. This is used to ensure access is only granted in similar circumstances.

A GIMP-plugin for deblurring uniform motion blurred text images

Else van Schaijk, Ton Poppe, BSc thesis, Open Universiteit.
Finished: July 2016.
Links: thesis (NL), software.

Blurring is way to add "smearing" to pictures. This can be used to hide text: a strong enough blur smears the text such that it becomes illegible. This may be used to hide information. For example, a Dutch newspaper broke a story on national exams being available on the black market by showing the first page of the exam - with the questions blurred. This evokes the question: can the blur be reversed?

This project build on the work of F. Lange in the Deblurring Text project (see below). Based on this, an investigation of the state of the art in text deblurring was done, and the students selected the then-best algorithm by Pan et al, and implemented this text deblurring algorithm as a GIMP plugin.

Fingerprint Privacy: A Fresh Perspective on Web Privacy

Christof Ferreira-Torres, BSc thesis, University of Luxembourg.
Finished: June 2014.
Links: thesis, software
Publication: ESORICS'15.

Web tracking is pervasive. Common tracking techniques depend on client-side storage and can thus be thwarted by savvy users. However, an emerging class of trackers is using so-called browser fingerprinting to track users across different sites. These trackers take a series of measurements of the client's browser, such as screen resolution, time zone settings, operating system, etc. The combination of all these measurements (the "fingerprint") is often unique. Thus, users can be tracked by their fingerprint.

Existing measures for online privacy fall into two categories: blocking the trackers or faking the measurements they take. Fingerprinting trackers are embedded into commonly-used web widgets, such as social media buttons or video. Most users would not want to block such widgets, thus ensuring that the tracker is not blocked. This leaves faking the fingerprint as the most viable counter. However, research had already shown that it is often easy to detect faking - in fact, it becomes another vector for identification!

In this project, we proposed a new perspective on online privacy: consistent faking. We developed a Firefox plugin, FP-Block, that successfully prevents fingerprinting trackers from cross-site tracking. The plugin generates fingerprints based on real-world usage data, and ensures that any two generated fingerprints are distinct in at least three attributes. Moreover, the fingerprints are consistent - no iPhones running flash. Finally, the plugin ensures that any third parties whose widgets are embedded in a requested page receive the same fingerprint as used for the original request. E.g., if sites A and B both have a Facebook button, Facebook will see two different fingerprints.

Deblurring text: from theory towards an implementation

François Lange, BSc thesis, University of Luxembourg.
Finished: June 2014.
Links: thesis.

Blurring is way to add "smearing" to pictures. This can be used to hide text: a strong enough blur smears the text such that it becomes illegible. This may be used to hide information. For example, a Dutch newspaper broke a story on national exams being available on the black market by showing the first page of the exam - with the questions blurred. This evokes the question: can the blur be reversed?

This project investigated several approaches to deblurring: mathematically inverting the (unknown) blur operation, using pre-blurred letters as a basis for comparison, etc. The field dedicated to mathematically inverting an unknown blur operation proved very rich. The then-best text deblurring algorithm, by Cho et al., was chosen for implementation as a GIMP plugin. 3 out of 5 steps of Cho et al's algorithm were implemented within the time frame of the project.

Autogenerating context to manage sensitive data in Android-phones

Xin Zhu, BSc thesis, University of Luxembourg.
Finished: June 2013.
Links: thesis.

SnapChat was a popular app for sharing photos. The premise / promise of the app was that a shared photo would be only be accessible for 10 seconds. It turned out that this was not due to any security, but merely due to hiding the shared photo from the normal user interface by renaming it. This project provided an initial investigation of how to do this with actual security in mind, and how a phone's sensors might be leveraged to support security of shared photos.


Filipe Ferreira, BSc thesis, University of Luxembourg.
Finished: February 2012.
Links: thesis

In 2011, researchers showed that it is possible to determine what is typed on a keyboard by having a nearby phone detect vibrations from the typing and decoding this. The original research was carried out on an iPhone. The goal of this project was to investigate how to achieve the same on an Android phone.

The project resulted in an Android app that registers vibrations using a phone's three accelerometers and its gyroscope. These are sent to a back-end server for further processing. Moreover, the project showed that:

  1. a stand-alone application, running only on the phone, lacks the processing power to duplicate their results;
  2. that the rate at which sensor data is made available via the Android framework is insufficient to duplicate these results;
  3. that this rate cannot be improved by going to the lower JNI layer;
  4. that even accessing the linux kernel directly does not provide a sufficient data rate.

Analyzing RFID authentication Protocols

Tristan van Stijn, MSc thesis, Eindhoven University of Technology.
Finished: May 2006.
Links: thesis.

The thesis presents an investigation into security and privacy of existing Radio Frequency IDentification (RFID) protocols in order to increase the understanding of this complex field of RFID protocols and their characteristics.

The investigation of existing RFID protocols is done by developing a generic model alongside security requirements to which various existing RFID protocols are compared. This generic model is constructed by systematic analysis of a basic identification protocol with respect to an attacker. Further an overview and categorization of existing RFID protocols is provided in order to discuss closely related RFID protocols.