The definition of access control policies is a critical step in securing IT resources and complying with legislation. Policy administrators need tools to analyze the policies they write and inherit, for instance to ensure that the resulting set of policies is internally consistent, compliant with legislation, and correctly translated into the implementation of their choice.
Develop a dockerized framework for ABAC policy analysis as a service.
Knowledge of Docker would be advantageous for Task 1. Knowledge of SMT would be advantageous for Task 2.
Alessandro Tomasi - altomasi [at] fbk [dot] eu
Decentralized identity (DID) is an emerging proposal to offer identity subjects greater control and flexibility in the management of their digital identities. We are interested in exploring the state of currently available DID-enabling software, particularly with regard to the authentication protocols.
Develop a proof-of-concept integration of DID with legacy authentication.
Experience with Android development would be advantageous for Task 2.
Alessandro Tomasi - altomasi [at] fbk [dot] eu
OAuth is an open standard widely used in corporations for exchanging authentication and authorization data between parties, in particular between an Authorization Server and a Client. Several solutions offered by corporations such as Google and Facebook are based on OAuth. We propose to define attack patterns for assessing the security of OAuth implementations. This activity can include the implementation of new plugins for an existing tool for testing OAuth solutions.
Anytime
Andrea Bisegna - a.bisegna [at] fbk [dot] eu
Roberto Carbone - carbone [at] fbk [dot] eu
BSc or MSc
Preferably basic knowledge of Java.
SAML SSO is an open standard broadly used in corporations for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. Several solutions offered by corporations such as Google, together with infrastructures for digital identities such as eIDAS (electronic IDentification, Authentication and trust Services) and SPID (Sistema Pubblico di Identità Digitale), are based on the SAML Web Browser SSO profile.
In the context of a joint lab between the Security&Trust Unit (FBK) and the Istituto Poligrafico e Zecca dello Stato, we propose to perform penetration testing for assessing the security of SAML SSO implementations. This activity can include the implementation of new plugins for an existing tool for testing SSO solutions.
Anytime
Andrea Bisegna - a.bisegna [at] fbk [dot] eu
Roberto Carbone - carbone [at] fbk [dot] eu
BSc or MSc
Preferably basic knowledge of Java and XML.
We use our digital identities every day, from accessing our email account to online shopping. Underlying these transactions there are Identity Management protocols that exchange users' attributes among the different entities involved in the communication. During this internship we will agree on and explore one of the current open challenges in this context (e.g., the study of some OAuth 2.0 extensions, the analysis of SPID for native apps, the analysis of SCA for PSD2, and so on).
April
Giada Sciarretta - giada.sciarretta [at] fbk [dot] eu
BSc or MSc
Notions of web and mobile security (e.g., authentication, authorization, digital certificates, ...).
Web card skimming is a form of internet (carding) fraud in which the checkout or payment page of a website is compromised by injecting malicious code into the page, typically by compromising a third-party script service (e.g., an analytics service) that the page loads, in order to steal customers' payment information. In recent months, the number of e-commerce websites affected by this kind of attack has increased dramatically, affecting not only small stores but also large websites. During this internship, we will investigate how this attack works and elaborate a mitigation strategy.
Anytime in 2020
Biniam Fisseha Demissie - demissie [at] fbk [dot] eu
BSc or MSc
Knowledge of web-oriented programming languages, including JavaScript and HTML.