Projects

The following list of projects should be treated as a work in progress until the end of the semester. It is most likely that the project topics listed below will be offered as internships in the next semester, but for now the list is only intended to give students an example of some areas of current interest.

Native mobile applications and private, permissioned blockchain clients

Description

Private and permissioned blockchains rely on robust authentication of principals. Smartphones are ubiquitous and well accepted by users, and mobile clients now exist for some enterprise-grade blockchain solutions. Difficulties often arise in authenticating users through mobiles: this project aims to test a proof-of-concept solution first-hand.

Time frame: March - July

Supervisor: Alessandro Tomasi

BSc / MSc: MSc, but BSc options can be discussed

Prerequisites

Fundamental notions of security and cryptography: authentication, authorization, symmetric encryption, digital signatures, digital certificates, hash functions. Knowledge of java or very similar language is required.

Previous android development experience is a very strong plus, as is hands-on experience with hyperledger fabric or ethereum.

Distributed Access Control and GDPR compliance

Description

The EU GDPR establishes the legal framework for the protection of personal data. One of the means by which this is put into practice is through access control policies. An area of recent research has been how to centralize the definition of policies while decentralizing the enforcement, and a few proposals based on distributed ledgers have recently been made. This project aims to study how a GDPR-compliant access control policy could be implemented in a distributed ledger technology.

Time frame: March - July

Supervisor: Alessandro Tomasi

BSc / MSc: MSc, but BSc options can be discussed

Prerequisites

Fundamental notions of security and cryptography: authentication, authorization, symmetric encryption, digital signatures, digital certificates, hash functions. Knowledge of one or more of python, C++, java, go, or solidity.

Knowledge of PSD2-related concepts and terminology is not required, but a willingness to study and understand it is expected. Knowledge of access control methods is a plus, as is hands-on experience with a distributed ledger such as ethereum or hyperledger fabric

Risk-based security posture management

Description

Absolute security is a mirage. Human mistakes, resource scarcity and natural events, together with a continuously changing digital world, ensure that vulnerabilities will always be present in every software system. While investing more in security helps to spot software and organizational holes and to define stronger protocols and practices, as long as security incidents may nevertheless happen, attention has to be given also to the capability of managing system security in presence of unknown and therefore unavoidable risks.

This project aims at exploring the possibility to use automated reasoning techniques at design time for:

  • Estimating the likelihood of incidents to happen, and possibly reducing it, without direct knowledge of the vulnerabilities.
  • Improving the design-time capability to respond to security incidents, by reducing the response time or reducing the amount of assets at risk.

Time frame: September-February

Supervisor: Alberto Siena

BSc / MSc: MSc

Prerequisites

Knowledge of Java.

Basic knowledge of genetic algorithms will help.

Identity Management Protocols

Description

We use our digital identities every day, from accessing our email account to online shopping. Underlying these transactions, there are Identity Management protocols that exchange user's attributes among the different entities involved in the communication. During this internship we will agree on and explore one of the current open challenges in this context.

Time frame: April

Supervisor: Giada Sciarretta

BSc / MSc: BSc

Prerequisites

Notions of web and mobile security (e.g., authentication, authorization, digital certificates,...). Good knowledge of Java and experience with Android.

Enrollment and authentication through the Italian Electronic Identity Card (CIE)

Description

In the context of a joint lab between Security&Trust Unit (FBK) and Istituto Poligrafico Zecca dello Stato, we propose to contribute in the design and to implement a service to enroll users by leveraging the information contained in the CIE.

Time frame: April

Supervisor: Andrea Bisegna & Roberto Carbone

BSc / MSc: BSc

Prerequisites

Preferably good knowledge of Java.

Security SAML SSO Testing Plan

Description

SAML SSO an open standard broadly used in corporation for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. Several solutions fro corporation like Google together with infrastructures for digital identities as eIDAS (electronic IDentification Authentication and trust Services) and SPID (Sistema Pubblico Identita' Digitale) are based on the SAML Web Browser SSO.

In the context of a joint lab between Security&Trust Unit (FBK) and Istituto Poligrafico Zecca dello Stato, we propose to extend a testing plan for assessing the security of SAML SSO implementations. This activity can include the implementation of new plugins of an available tool for testing SSO solutions.

Time frame: April

Supervisor: Andrea Bisegna & Roberto Carbone

BSc / MSc: BSc

Prerequisites

Preferably basic knowledge of Java and XML.

Extending SecurePG, a tool for cloud policies generation, evaluation and enforcement.

Description

SecurePG is a Java-based tool that allows its users to generate, verify and enforce abstract Access Control (AC) policies in two of the most widely used Cloud Service Providers: Amazon AWS and OpenStack. Support of the cloud providers is currently limited to the AWS IAM, IoT (core functionalities and GreenGrass) and S3, and the OpenStack Keystone and Swift services.

Generation -> Permissions specification through a high-level language that allows cloud developers to express access control requirements as a provider-independent, semi-column separated list of sentences (parsed with an ANTLR grammar). Policy authoring through hints and manual advice.

Verification -> Use of the SMT-based tool (ref. here, paper available in FBK/ST) that implements the Content-based Protection and Release (CPR) AC model, to analyse the authorizations before the enforcement in the cloud.

Enforcement -> Push button technology to enforce the entities and their permissions in pre-existing AWS environments.

Action plan: applicants will be asked to:

  • BSc: migrate the application from a single-user GUI to a distributed web-based application

Prerequisites:

  • Knowledge of a Java REST framework (e.g., JAX-RS or Spring)
  • Basic knowledge of Docker
  • MSc: replace the Java-based policy verification mechanism with the python-based engine presented by Ranise S. and Siswantoro H. in Automated Legal Compliance Checking by Security Policy Analysis (more information available here, paper in FBK/ST)
  • Prerequisites:
  • Knowledge of Python and Java

Additional tasks will be evaluated depending on the skills, time constraints and the consistency with the project.

Time frame: September - February, March - July

Supervisor: Umberto Morelli

BSc / MSc: BSc or MSc

General prerequisites

The following characteristics will be considered as additional assets:

  • Good software design and development skills;
  • Good knowledge of English.

Ethereum Smart Contract Security Testing Plan and Tool

Description

One of the most used and important decentralized platform that runs smart contracts is Ethereum. We propose to develop a plan and a tool which performs smart contracts security audits.

Time frame: April

Supervisor: Andrea Bisegna & Roberto Carbone

BSc / MSc: BSc

Prerequisites

Preferably basic knowledge of Ethereum.