Projects
Policy Analysis and Translation
Introduction
The definition of access control policies is a critical step in securing IT resources and complying with legislation. Policy administrators need tools to analyze the policies they write and inherit - for instance, to ensure that this set of policies is internally consistent, compliant with legislation, and correctly translated into the implementation of their choice.
Objective
Develop a dockerized framework for ABAC policy analysis as a service.
Task list
- Create the docker framework
- dockerfile and installation of software from repositories
- service endpoints for policy analysis: the input is a policy (say, as JSON) and the objective of the analysis; the output is an analysis report
- UI for policy definition from keyword database
- Policy analysis with pysmt
Prerequisites
Knowledge of Docker would be advantageous for task 1. Knowledge of SMT would be advantageous for task 2.
Supervisor
Alessandro Tomasi - altomasi [at] fbk [dot] eu
Decentralized identity and authentication
Introduction
Decentralized identity (DID) is an emerging proposal to offer identity subjects greater control and flexibility in the management of their digital identities. We are interested in exploring the state of currently available DID-enabling software, particularly with regard to the authentication protocols.
Objective
Develop a proof-of-concept integration of DID with legacy authentication.
Topics
- Analysis of Hyperledger Indy as a decentralized identity provider
- Security analysis of the SDK
- Development of a client - most likely Node or Android - to integrate DID in a use case
- Comparison of DID with eIDAS and OIDC, especially authentication and data exchange
- Investigate compliance with GDPR, KYC, and AML.
Prerequisites
Experience with Android development would be advantageous for task 2.
Supervisor
Alessandro Tomasi - altomasi [at] fbk [dot] eu
Define attack patterns for OAuth protocol
Description
OAuth is an open standard widely used in corporations for exchanging authentication and authorization data between parties, in particular between an Authorization Server and a Client. Several solutions from corporations like Google and Facebook are based on OAuth. We propose to define attack patterns for assessing the security of OAuth implementations. This activity can include the implementation of new plugins for an available tool for testing OAuth solutions.
Time frame
Anytime
Supervisor
Andrea Bisegna - a.bisegna [at] fbk [dot] eu
Roberto Carbone - carbone [at] fbk [dot] eu
BSc / MSc
BSc or MSc
Prerequisites
Preferably basic knowledge of Java.
Penetration Testing of a SAML SSO Implementation
Description
SAML SSO is an open standard broadly used in corporations for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. Several solutions from corporations like Google, together with infrastructures for digital identities such as eIDAS (electronic IDentification, Authentication and trust Services) and SPID (Sistema Pubblico di Identità Digitale), are based on the SAML Web Browser SSO profile.
In the context of a joint lab between the Security&Trust Unit (FBK) and Istituto Poligrafico e Zecca dello Stato, we propose to perform penetration testing for assessing the security of SAML SSO implementations. This activity can include the implementation of new plugins for an available tool for testing SSO solutions.
Time frame
Anytime
Supervisor
Andrea Bisegna - a.bisegna [at] fbk [dot] eu
Roberto Carbone - carbone [at] fbk [dot] eu
BSc / MSc
BSc or MSc
Prerequisites
Preferably basic knowledge of Java and XML.
Identity Management Protocols
Description
We use our digital identities every day, from accessing our email account to online shopping. Underlying these transactions are Identity Management protocols that exchange users' attributes among the different entities involved in the communication. During this internship we will agree on and explore one of the current open challenges in this context (e.g., the study of some OAuth 2.0 extensions, the analysis of SPID for native apps, the analysis of SCA for PSD2, and so on).
Time frame
April
Supervisor
Giada Sciarretta - giada.sciarretta [at] fbk [dot] eu
BSc / MSc
BSc or MSc
Prerequisites
Notions of web and mobile security (e.g., authentication, authorization, digital certificates, etc.).
Analysis of web skimming vulnerabilities and attacks
Description
Web card skimming is a form of internet or carding fraud whereby the checkout/payment page of a website is compromised: malicious code is injected into the page by compromising a third-party script service (e.g., an analytics service) in order to steal customer payment information. In recent months, the number of e-commerce websites affected by this kind of attack has increased dramatically, affecting not only small stores but also big websites. During this internship, we will investigate how this attack works and elaborate a mitigation strategy.
Time frame
Anytime in 2020
Supervisor
Biniam Fisseha Demissie - demissie [at] fbk [dot] eu
BSc / MSc
BSc or MSc
Prerequisites
Knowledge of web-oriented programming languages, including JavaScript and HTML