Privacy-Aware Risk-Based Access Control Systems
Increasing availability of large and diverse datasets calls for increased flexibility in access control to improve the exploitation of the data and prevent privacy violations. Risk-aware access control systems offer a natural approach to the problem. The aim of my PhD is to develop a novel Privacy-Aware framework combining trust with risk to support access control in dynamic contexts and allow striking a balance between the privacy risks associated with an access request and the utility of data. If the risk is too large compared to the trust level, adapted strategies are applied to decrease the risk (e.g. through anonymization) or to increase the trust level (e.g. additional obligations).
Confused by Path: Analysis of Path Confusion Based Attacks
Seyed Ali Mirheidari
Publications | seyedali.mirheidari [at] unitn.it (Email)
There are new attack vectors based on the semantic disconnect between web browser and web server in interpreting URL paths. This semantic disconnect, referred to as "Path Confusion", has been largely overlooked until now, while it could be as serious as client-side attacks such as cross-site scripting. Since leveraging Path Confusion is recent and obscure, it is important to characterize the extent of threats and investigate their enabling factors. In this research, we will analyze Path Confusion-based attacks and the security risks they could pose against different web communication components. Toward this goal, I will investigate different attack scenarios and their enabling factors.
FuturesMEX: Secure, Distributed Futures Market Exchange
Chan Nam Ngo
In a Futures-Exchange, the interactions between economic and security properties and non-monotonic security behavior are a challenge for security research. We show the security properties that guarantee an Exchange's economic viability and an attack when traders' anonymity is broken. We describe all key operations for a secure, fully distributed Futures-Exchange. Our distributed, asynchronous protocol simulates the centralized functionality. We consider security with abort (in absence of honest majority) and extend it to penalties. Our evaluation demonstrates that the computation of actual trading days is feasible for low-frequency markets.
Security of Open-Source Software projects
There are two major directions of my research:
- Distinguishing security-related fixes from all other commits in software repositories. Then this information will be used for automatic classification of security and regular fixes with the help of Deep Learning techniques.
- Differential benchmark for comparing static analysis security testing tools (Fortify SCA, Coverity, SonarQube, etc.), using historical fixes in real-world software as a ground-truth vulnerability source. The benchmark eliminates SAST tool alerts not related to a specific vulnerability, and therefore, performs automatic assessment of SAST tools on their actual performance.
Security and privacy preservation in IoT discovery, authentication and access control through blockchain technologies
Miguel Rodrigo Pincheira Caro
Publications | miguel.pincheiracaro [at] unitn.it (Email)
Blockchain can offer Internet of Things devices a playground where they can be identified without the need to involve central trusted authorities (decentralised identity control) and the possibility to operate and interact within a trust-less environment. One of the big challenges of blockchain technologies is the lack of privacy mechanisms that prevent users from openly and publicly publishing personal data on the blockchain public ledger. The objective of this PhD is the study of novel processes, paradigms and methods to preserve privacy when discovering IoT devices and when authenticating and offering access to them through blockchain technologies.
A Methodology for the Design and Security Assessment of Mobile Identity Management
Applications to real-world scenarios
While there exist many secure identity management (IdM) solutions for web applications, their adaptation in the mobile context is a new and open challenge. To overcome this difficulty, we provide a reference model and a design methodology which can be used by different organizations to implement mobile IdM solutions. In general, our goal is to propose novel IdM solutions for mobile apps that satisfy the expected security requirements, while complying with national (e.g., SPID for Italy) and European (e.g., eIDAS) laws. To avoid design flaws we follow the security-by-design paradigm, and to evaluate the security properties of our proposals we use formal method techniques.
Automated Analysis and Synthesis for the Compliance of Privacy and Other Legal Provisions
Publications | hari.siswantoro [at] unitn.it (Email)
Enforcing legal compliance in software systems is a non-trivial task that requires an interdisciplinary approach. This thesis presents a new methodology for legal compliance checking against European legal provisions, namely the EU Data Protection Directive, the EU General Data Protection Regulation and the revised EU Payment Services Directive. We propose two types of compliance checking mechanisms that should be exploited at design-time or run-time. The former is based on security policy analysis of access control policies. The latter is built on top of an approach to synthesizing run-time monitors for workflow-driven applications.
Risk assessment for vulnerabilities
Duc Ly Vu
My objective is mainly to develop a risk assessment methodology based on machine learning and security visualization. In particular, by representing the risks visually in the applications, users can easily understand their impacts. Machine learning serves as a metric for users to evaluate the trustworthiness of the apps they are going to install. I will carry out the experiments on a collection of malware datasets to indicate the efficiency of the proposed approach. Besides that, I aim to obtain the PhD degree in ICT at the University of Trento, and continue my academic career after the PhD.