There are two goals with the thesis report:
- To convince a critical reader that you indeed have answered your research question (which typically for hacking projects is something like “Is device X secure against cyber attacks?”).
- To convince a critical reader that you fulfill the requirements for a thesis project.
Try to make sure (i) that everything you write in the report actually contributes to the above, and (ii) that it is clear to the reader to what goal each paragraph and section contributes. When writing the report, try to imagine the objections of a very critical reader, and try to make sure that your report responds to those objections as well as possible.
Do iterate your report with your supervisor a few times during the thesis project, e.g. (i) the outline, (ii) the threat analysis, (iii) critical parts of your penetration testing, (iv) the final report.
It is also strongly recommended that you make use of the services of the Centre for Academic Writing & Rhetoric in order to improve your writing.
The final report can be organized as follows:
Provide the introduction, state the objectives of the project, delimitations, and outline the rest of the report. Explain the societal relevance of your work. For whom and why is your work of interest?
General background and general theory can be placed in this section. If the system is based on some relevant theory, such as cryptography, database theory, operating system theory, networking theory, etc, that theory can be presented here. Envision your student colleagues who might not know anything specific about your project. What do you need to explain to them? Perhaps they need to understand some basics about HTTP, cookies, CORS, SQL, firmware, etc in order to appreciate your contribution. So this section should provide the theory required to understand each one of your penetration tests.
Describe how you approach the thesis project. Typcically this includes your threat modeling methodology and your penetration testing methodology. Convince the reader that your methodology ensures that you don’t miss any important attacks and that your explorations will be convincing. Base your method on established methods (check out the Method section in these master thesis guidelines), or justify why not.
If you have been involved in the selection of the system to be explored (e.g. by using the criteria detailed here), then justify your choice in this section.
Describe the functionality and technology of the system under consideration. Even though you discovered some aspects of the system behavior and structure during penetration tests, you should probably still write about it here. The name of this chapter can be the name of that system rather than “The system under consideration”.
Here, you should describe relevant work previously performed by other researchers. You should include all discovered vulnerabilities of the specific device you are investigating, but also published penetration tests of devices of other brands in the same device category. Oftentimes, there are important similarities between devices of different categories (smart power sockets may have many protocol similarities with smart light bulbs, for instance). It will therefore generally be relevant to also consider such related work. Read more about related work here.
Draw one or several thread modeling diagrams of the system. Detail each attack that the system could be subjected to. Describe each relevant attack vector in the general case (not specifically related to your system under consideration). Refer to solid sources (e.g. papers or presentations to security conferences). Describe your assessment of each threat or threat type as applied to your system. Estimate the potential impact and the probability of successful exploitation.
Carefully choose a limited set of attack vectors (and convincingly motivate that choice) for the penetration testing phase of the project. Document, e.g. in the threat model, how thoroughly you have explored each attack.
Describe the actual penetration tests here.
If the test is simple, you won’t need all the subheadings below. Otherwise, you might. In some cases, such as if all conducted tests are similar, it might be more fitting to write the method of each pentest under the methodology section above, and simply disclose the result for each test here.
- Describe the attack vector to be explored
- If the attack vector is based on particular theory (e.g. SQL injection requires some database theory), then that theory can be described here.
- Describe how the testing is performed
- Describe your findings
- Discuss the reliability, validity and generalizability of your findings. If you found a vulnerability, how serious is it? If the system withstood the attack, how important is that? Why? How much can the reader trust your results? To what extent were you able to answer your research question?
Describe the ramifications of your work with respect to sustainability and ethics. Considering ethics, you can, for instance, describe how you have navigated the law, responsible disclosure, etc.
Summarize all the identified attack vectors in your threat traceability matrix.
Summarize the reliability, validity, and generalizability of your findings. How secure is the tested device, all things considered? How much can the reader trust your results? To what extent were you able to answer your research question?
How secure is the system?
Use citations to (i) support any claims you make that the reader might not agree with, (ii) give credit to the authors and creators (important to avoid accusations of plagiarism), and (iii) demonstrate that you have studied all the relevant background material. This is especially important to show that your threat model is comprehensive - that you have considered all relevant attacks. Guidance on reference format can be found here.