Projects
Title: Security analysis of push notifications for mobile identity management solutions
Description: The widespread use of digital identities in our everyday life, along with the release of our sensitive data on many online transactions, calls for Identity Management (IdM) solutions that are secure, privacy-aware, and compatible with new technologies, such as mobile and cloud. The main goal of the proposed intership is the analysis of the state-of-the-art and security considerations of authentication solutions that use push-notification mechanisms as a second factor.
Pre-requisites: Basic knowledge of Web Security and Android OS
Reference person: Giada Sciarretta (giada.sciarretta@fbk.eu)
Note: Availability from mid-February
Assigned: yes
Title: Implementation of identity management solutions based on CIE 3.0
Description: CIE 3.0 (acronym for "Carta d'identità elettronica") is the new Italian electronic identity card. It is equipped with a chip with radio frequency interface---supporting NFC---that can be used for online authentication. The goal of the proposed intership is the implementation of autentication modules (for web and/or mobile applications) involving the use of CIE 3.0.
Pre-requisites: Good implementation skills in Java and Android
Reference person: Giada Sciarretta (giada.sciarretta@fbk.eu)
Note: Availability from mid-February
Assigned: yes
Title: Security Test Plan for SAML SSO 2.0 Implementations: the SPID Use Case
Description: The aim of this work is to extend a Testing Plan for Service Provider and Identity Provider for "Sistema Pubblico Identità Digitale" (SPID). The student will be required to add new test cases, this task consists in:
1) analyze state of the art;
2) define the attacks;
3) define the vulnerabilities;
4) create test cases;
5) prepare a test plan;
6) evaluate the existing tools;
7) create a tool to automatically run the test cases.
Candidate vulnerabilities to test could be, for instance, input validation (e.g. SQL Injection) or client side testing (e.g. Clickjacking).
Pre-requisites: basic knowledge of Web Security, Python/Java
Reference person: Andrea Bisegna (a.bisegna@fbk.eu)
Assigned: Yes
Title: Implement a tool testing the vulnerability due to a misconfiguration of the XML Parsing
Description: Starting from existing test case descriptions in natural language, the student will be required to implement a tool that automatically performs the tests on Identity Providers and Service Providers in the context of "Sistema Pubblico Identità Digitale" (SPID) and SAML SSO 2.0. The student will be required to create a tool which automatically test vulnerability due to a misconfiguration of the XML Parsing in an Identity Provider and a Service Provider.
Pre-requisites: basic knowledge of Web Security, Python/Java
Reference person: Andrea Bisegna (a.bisegna@fbk.eu)
Assigned: yes
Title: Study and Classification of Vulnerabilities & Attacks related to Android apps
Description: This projects aims to obtain a resonably detailed overview of Vulnerabilities and Attacks related to Android Apps and Devices. The first part of the project will include an analysis of the current State of the Art, focusing on the security risks of specific Android apps/components. This first work should lead to a classification of the collected attacks (and related vulnerabilities) based on several threat models and security assumptions. Possibly, the student could also achieve the specification of a set of attack patterns capturing the main features of the attacks that have been collected.
Pre-requisites: Basic knowledge of Android OS, Basic knowledge of security threats
Reference person: Federico Sinigaglia (sinigaglia@fbk.eu)
Assigned: No
Title: Inspection and Security analysis of Mobile Applications
Description: For this project, the student is asked to inspect and analyze specific mobile applications for Android devices. The task is aimed to reconstruct the message sequence or the security protocol in which the App is integrated. To this aim, it will be necessary to analyze the mobile app in order to extract relevant information. The employment a Proxy for sniffing the traffic, the instrumentaton of the code, or the usage of existing Framework for dynamic analysis can be considered.
Pre-requisites: basic knowledge of Android OS, programming skills in Java
Reference person: Federico Sinigaglia (sinigaglia@fbk.eu)
Assigned: No
Title: Extending SecurePG, a tool for cloud policies generation, evaluation and enforcement.
Description: SecurePG is a Java-based tool that allows its users to generate, verify and enforce abstract Access Control (AC) policies in two of the most widely used Cloud Service Providers: Amazon AWS and OpenStack. Support is currently limited to the AWS IAM and S3 services and the corresponding services of OpenStack: Keystone and Swift.
Generation -> Permissions specification through a high-level language that allows cloud developers to express access control requirements as a provider-independent, semi-column separated list of sentences (parsed with an ANTLR grammar). Policy authoring through hints and manual advice.
Verification -> Use of the SMT-based tool (ref. here - paper available in FBK/ST), that implements the Content-based Protection and Release (CPR) AC model, to analyse the authorizations before the enforcement in the cloud.
Enforcement -> Push button technology to enforce the entities and their permissions in pre-existing AWS environments.
Action plan: applicants will be asked to:
• Extend the current implementation to exploit the AC capabilities of IAM and S3 thoroughly
• Enforce entities and permissions in OpenStack with a push-button approach
• Support a new Cloud Service Provider (CSP): Microsoft Azure, Google Cloud or one of the CSP highlighted by the market analyst Gartner in its Magic Quadrant.
(OPZ) Develop the reverse translation engine to support, when possible, the migration of pre-existing cloud environments (AWS <-> OpenStack).
(OPZ) Allow SecurePG to import XACML policies and develop a CPR-oriented query generator to evaluate and compare the results of the tool.
Pre-requisites: junior Java developer. The following characteristics will be considered as additional assets:
- Knowledge of Amazon AWS and OpenStack. If possible, their Access Control Model (ACM);
- Knowledge of Microsoft Azure and Google Cloud Access Control Models;
- Knowledge of the MySQL database service.
Reference person: Umberto Morelli (umorelli@fbk.eu)
Assigned: no
Title: Blockchain and the Distributed Ledger Technologies (DLTs).
Interest in Blockchain has sky-rocketed and continues to grow in multiple areas, from smart contracts to the Internet of Things: the possibility to establish trust between unrelated parties over an untrusted network and to provide immutability, traceability and accountability of records offers unique opportunities. This project aims to analyse Blockchain and DLTs according to the following research lines:
- general overview of available technologies;
- digital identity, hard wallets, and privacy;
- Internet of Things.
Pre-requisites: none. The knowledge of the Blockchain and the Distributed Ledger Technologies will be considered as an additional asset.
Reference person: Umberto Morelli (umorelli@fbk.eu), Alessandro Tomasi (altomasi@fbk.eu)
Research line: Overview of the Blockchain and the Distributed Ledger Technologies
Description: Blockchain has been defined as a technology that will change our life. While many companies already started experimenting with Blockchain, significant concerns remain unanswered: applicability and advantages over traditional centralized and distributed databases, selfish mining, scalability in the non-cryptocurrency applications, privacy leakage (blockchain anonymity and transactional privacy) and degrees of confidentiality.
The candidate shall:
- provide a state of the art review of stable and emerging Blockchain and distributed ledger technologies. The focus will be the trade-off between disintermediation and confidentiality;
- after the review, identify an area of interest and model its support with two or more Blockchain/DLT solutions;
- (OPT) after the modelling, exploit available push-button implementations to compare two or more Blockchain/DLT solutions in the area of interest.
Subsequently, the candidate should be able to address the concerns introduced in the description.
Assigned: yes
Research line: Digital Identity, hard wallets, and privacy
Description: Blockchain, and blockchain-like solutions, have been proposed for the management of digital identities. Some have proposed the replacement of traditional PKI certificates with systems without a single point of failure, similar to web-of-trust - CertCoin, BIX, KSI. Some proposals claim to provide access management to devices through a web of personal connected objects without the need for passwords (UniquID).
Most, if not all these require the presence of a hardware token. At the same time, devices specifically designed to connect to blockchains, known as hard wallets (e.g. Trezor, Ledger Nano) are designed to provide access to currencies for supposedly anonymous transactions.
We want to investigate the intersection between these two closely related applications, with apparently contrasting priorities. The internship's starting point will be a survey of the common ground, with critical comparison; it may then follow a more narrow path, depending on the findings and the common interest.
The candidate shall:
- survey, compare, and contrast blockchain solutions for digital identity, with particular attention to how they maximise privacy and control who can request and who can gain access to an identity;
- survey, compare, and contrast hard wallets, with particular attention to the protocols and hardware they use to securely store and exchange data.
Subsequently, the candidate should be able to answer questions such as the following.
Are digital identity solutions compatible with hard wallets for anonymous transactions? In other words, can the same piece of hardware handles both digital identity and payment systems? What if the hard wallet, rather than being the repository of a single certificate proving digital identity, is part of a list of items registered to an identity in an authority-less scheme?
How effective are de-anonymization techniques based on physical information? In other words, how much does it help to identify individual users if their location and time are known when transactions are made? Do hardware wallets offer more or less resilience against de-anonymization?
Assigned: no
Research line: Internet of Things
Description: The IoT technology is expanding as the ever-growing concerns regarding IoT security. While Gartner, Inc. forecasts the usage of 8.4 billion connected things this year (up 31 percent from 2016), a survey from ESET reveals that more than 40 percent of Americans are not confident that IoT devices are safe and secure, with more than half of people indicating they were discouraged from purchasing an IoT device due to cybersecurity. Moreover, with so many connected devices, the usage of centralized infrastructures (such as PKI) to identify network nodes and control the communications system will soon become a bottleneck, causing delays and failures in critical exchanges due to excessive congestion in network traffic.
Blockchain and DLTs have the potential to transform the way we think about IoT and device security: easily tracing and coordinating billions connected devices (with significant savings for IoT industry manufacturers), eliminating single points of failure, creating a more resilient ecosystem, offering tamper-proof protection of devices data and so on. Despite all their benefits for IoT, Blockchain/DLTs introduce important concerns. Among the others: scalability, legal compliance, the processing power required to encrypt all objects/data and the interoperability among heterogeneous devices.
A new (disruptive) distributed ledger technology aims at being the backbone of the IoT: IOTA. Differently from a traditional Blockchain, Iota has no mining, no blocks and no transaction fees: this allows micro-payments and facilitate communication among sensors, smart devices and adaptive systems.
The candidate shall:
- Overview of the Blockchain and DLT solutions for the Internet of Things.
- Master the IOTA project and the following Iota eXtension Interface (IXI) modules: Masked Authenticated Messaging and Private Transactions.
- (OPT) Provide a proof of concept that employs IOTA or other Blockchain\DLT solutions.
Assigned: yes