some case studies

About

@@ -40,7 +40,7 @@ access on new development, influencing on the development roadmap.
 
 ### Alfred
 
-Alfred is a research associate at University of Cambridge.  He enjoys to write
+Alfred is a research associate at the University of Cambridge.  He enjoys to write
 code, and also travelling and repairing his recumbent bicycle, and being a
 barista.
 
@@ -49,7 +49,8 @@ imperative code (using a higher-order separation logic and the theorem prover
 Coq).  At the moment he is working on an executable formal model of
 TCP/IP which can act as a test validator.
 
-Alfred co-authored a TLS implementation from the grounds up in OCaml.
+Alfred co-authored a TLS implementation from the grounds up in OCaml, and
+contributes to the MirageOS project as a core team member.
 
 ### Eva
 

Projects/Pinata

@@ -1,7 +1,32 @@
 ---
 title: The Bitcoin Piñata
 author: someone
-abstract: some abstract
+abstract: A transparent self-serving bug bounty with 10 BTC.
 ---
 
-This is one of our projects
+The [Bitcoin Piñata](http://ownme.ipredator.se) is a unikernel which serves as
+bug bounty system to test TLS and the underlying implementations.  Its
+communication endpoints are a website describing the setup, and both a TLS
+client and a TLS server listening on a port.  The total size, including TLS,
+X.509, TCP/IP, of the virtual machine image is 4MB, which is less than 4% of a
+comparable system using a Linux kernel and OpenSSL.
+
+When a TLS handshake is successfully completed with mutual authentication, the
+Piñata transmits the private key to a bitcoin wallet which is filled with ~10BTC
+(~40000 EUR).
+
+On startup, the Piñata generates its certificate authority on the fly, including
+certificates and private keys.  This means that only the Piñata itself contains
+private keys which can authenticate successfully, thus an attacker has to find
+an exploitable flaw in any software layer (OCaml runtime, virtual network
+device, TCP/IP stack, TLS library, X.509 validation, or elsewhere).
+
+The Piñata is online since February 2015, and although thousands of unique IP
+addresses initiated connections, the wallet still contains the 10 BTC.
+
+By using a Bitcoin wallet, the Piñata is a transparent bug bounty.  Everybody
+can observe (by looking into the Bitcoin blockchain) whether it has been
+compromised and the money has been transferred to another wallet.  It is also
+self-serving: when an attacker discovers a flaw, they don't need to fill out
+any forms to retrieve the bounty, instead they can take the wallet, without any
+questions asked.

Projects/TLStunnel

@@ -0,0 +1,22 @@
+---
+title: TLS reverse proxy
+author: someone
+abstract: ![TLS reverse proxy](/static/img/reverse.png)
+---
+
+![TLS reverse proxy](/static/img/reverse.png)
+
+The [tlstunnel](https://github.com/hannesm/tlstunnel) is a unikernel (depicted
+as Proxy) which listens for TLS connections, and forwards requests to backend
+services (depicted as web server).  The specific backend is chosen by inspecting
+the Server Name Indication, a widely deployed extension of the TLS protocol,
+where a client requests the server name to talk with during the TLS handshake.
+
+It is similar to other projects such as stunnel or stud, but uses our TLS
+implementation written in the memory-safe language OCaml, instead of one written
+in the error-prone language C.  The backend web servers don't need TLS support,
+which lowers the maintainence burden.  Many security issues in TLS
+implementations are due to memory safety and support for outdated ciphersuites.
+
+This TLS reverse proxy is deployed on various websites, including [Real World
+OCaml](https://realworldocaml.org) since 2015.