12/12/2017 – Talk by Euripides Markou

Title: Exploration and graph searching problems in networks
Time: 13:00
Location: Meeting room, Building Zeta
Type: Research Result
Speaker: Euripides Markou
Abstract: In this seminar we will discuss different problems in networks: The Black Hole Search problem in synchronous trees and graphs; the Black Hole Search problem and the rendezvous problem for weak agents (e.g., memoryless). We will show algorithms and discuss impossibility results, new directions and open problems.
Short bio: Euripides Markou is an Assistant Professor at the University of Thessaly. He got his Ph.D. in Computer Science in 2003 from the National University of Athens. His areas of interest are in the field of distributed and geometric computing.

12/12/2017 – Talk by Novarun Deb

Title: Enterprise Modelling and Requirements Analysis using the i* Framework
Time: 14:00
Location: Meeting room, Ed. Zeta
Type: Research Result
Speaker: Novarun Deb
Abstract: We identify that the inherent sequence-agnostic property of goal models prevents requirement analysts from performing compliance checks in the requirements phase itself as compliance rules are generally embedded with temporal information. This is where we propose the Semantic Implosion Algorithm that extracts a finite state model corresponding to a given goal model with the help of model transformation. This algorithm outperforms the existing solution by a factor of 1017, making our solution more efficient and scalable for deployment in the real world. We also develop the iToNuSMV tool that implements the Semantic Implosion Algorithm and performs model checking on i* models. Subsequently, we go beyond structural analysis and try to explore the semantics associated with goal models and how they can be used in the goal model maintenance problem. Our final research contribution is the Annotation of Functional Semantics and their Reconciliation (AFSR) framework that provides a new goal model nomenclature that goes beyond the legacy nomenclature and associates semantics with individual goals. The framework also provides a reconciliation machinery that helps to perform semantic analysis and detect entailment or consistency conflicts within goal models. The framework also provides analysts with corrective measures that can be adopted to resolve such conflicts. We also demonstrate how the goal maintenance problem can be mapped to the state space search problem and an admissible and consistent heuristic path cost function allows us to deploy A* search to find the optimal goal model configuration that is free from all conflicts.

30/11/2017 – Talk by Ludovica Luisa Vissat

Title: Modelling of spatial stochastic systems and analysis of their spatio-temporal properties
Time: 13:00
Location: Meeting room, Ed. Zeta
Type: Research Result
Speaker: Ludovica Luisa Vissat
Abstract: In my talk I will give an overview of my PhD research work. We have initially developed a novel process algebra, specifically tailored for modelling ecological systems, and more generally for spatial stochastic systems. These systems can be seen as a collection of agents that can interact and are spatially located. To analyse properties of the dynamics of these stochastic systems, we worked with spatio-temporal logics and statistical model checking.

We introduced the novel Three-Valued Spatio-Temporal Logic, which extends the available analysis, looking at the spatio-temporal evolution of the satisfaction probabilities of given logical formulas, estimated through statistical model checking. I will present different case studies during the talk, to show various applications of our modelling language and spatio-temporal analysis.

24/10/2017 – Talk by Amit Mandal

Title: A Novel Meta-Information Management System for SaaS
Time: 12:15
Location: Meeting room, Ed. Zeta
Type: Research Result
Speaker: Amit Mandal
Abstract: Efficient hosting and provisioning of cloud-based software services is a complex engineering task given the increasing and heterogeneous SaaS resources. In this context, SaaS resources include services, business processes, data sources, etc. This demands an efficient categorization and cataloguing mechanism. It can be achieved by exploring and managing the meta-information of various SaaS resources. However, a meta-information management system for SaaS should ensure: (i) collection of relevant meta-information about the interrelated services, business processes, and data sources; (ii) easy accessibility and (iii) incremental update. Further, it should be capable of tracing the correspondence among different SaaS resources across the cloud. To address these issues we proposed a flexible and scalable meta-information management system for SaaS. It comprises a meta-information crawler, indexer, uploader, and storage system. The crawler collects meta-information from various repositories. Next, the crawled meta-information is uploaded to the Hadoop system using a multidimensional indexing system. Further, to ensure efficient management, easy update, faster storing and retrieval of meta-information, a series of experiments have been carried out. The experimental results show that the proposed mechanism can efficiently scale and it can effectively categorise and catalogue different SaaS resources.

17/10/2017 – Talk by Giuseppe Maggiore

Title: GrandeOmega, a smart e-learning platform
Time: 14:00
Location: Meeting room, Ed. Zeta
Type: Research Result
Speaker: Giuseppe Maggiore
Abstract: Teaching programming and mathematics presents a challenge: learning such disciplines requires, at the same time, a heavy dose of both theory and practice. Theory provides the overview, the rules, and the fundamental way the discipline is set up. Practice offers context and motivation for the theory, and its repetition breeds familiarity and deeper understanding.

Moreover, while teachers strive towards sharing the beauty and elegance of abstract concepts, students often wish to learn “useful” concepts that have a real-world application, and to experiment with it. Unfortunately, this becomes a chicken-and-egg problem: too much practice overshadows proper learning of the underlying theory, and too much theory demotivates students.

In this talk, we present GrandeOmega, a tool that facilitates the teaching of the formal application of programming languages and similar formalisms in an active, engaging, practical way.

11/10/2017 – Talk by Stefano Calzavara

Title: CCSP: Controlled relaxation of content security policies by runtime policy composition
Time: 12:00 (noon)
Location: ACADIA Lab., Ed. Zeta
Type: Research Result
Speaker: Stefano Calzavara
Abstract: Content Security Policy (CSP) is a W3C standard designed to prevent and mitigate the impact of content injection vulnerabilities on websites by means of browser-enforced security policies. Though CSP is gaining a lot of popularity in the wild, previous research questioned one of its key design choices, namely the use of static white-lists to define legitimate content inclusions. In this talk we present Compositional CSP (CCSP), an extension of CSP based on runtime policy composition. CCSP is designed to overcome the limitations arising from the use of static white-lists, while avoiding a major overhaul of CSP and the logic underlying policy writing. We perform an extensive evaluation of the design of CCSP by focusing on the general security guarantees it provides, its backward compatibility and its deployment cost. We then assess the potential impact of CCSP on the web and we implement a prototype of our proposal, which we test on major websites. In the end, we conclude that the deployment of CCSP can be done with limited efforts and would lead to significant benefits for the large majority of the websites.

CISPA – Meeting 10/10/2017, 10:30

CISPA SEMINARS

When: Tuesday 10 October, at 10:30 in the morning
Where: Università Ca’ Foscari, Via Torino, 155 – 30170 Venezia Mestre Sala Conferenze del campus scientifico

First seminar:
Speaker: Dr. Giancarlo Pellegrino, Research Group Leader at CISPA
Title: Automated Vulnerability Analysis for Modern Application Software
Abstract: The complexity and pervasiveness of application software are growing rapidly. Nowadays, application software encompasses multiple devices, e.g., mobile and IoT, and web services to perform operations ranging from online shopping and managing household appliances to controlling manufacturing processes. Like any other programs, application software has vulnerabilities that, when exploited, can be used for financial fraud, stealing confidential data, and industrial espionage. Unfortunately, existing automated vulnerability analysis techniques are inadequate to tackle the complexity reached by these programs, thus leaving them exposed to attackers. My main research topic intends to stop this emerging trend and lay the foundation for the next-generation automated vulnerability analysis techniques. This talk focuses on the detection power and attack surface coverage challenges and presents two recent advances in the field. The first part of the talk presents Deemon, a tool that combines dynamic analysis and property graphs to mine Cross-Site Request Forgery, a long-neglected severe vulnerability. The second part of the talk presents jAEk, a new generation web application crawler that uses JavaScript dynamic analysis to increase the covered attack surface of web applications by 80%.
Short bio: Giancarlo Pellegrino is currently a research group leader at CISPA. His main research interests include all aspects of application security, especially web security and automated vulnerability analysis. He has been selected for the CISPA-Stanford Center for Cybersecurity, and he will soon be appointed a visiting assistant professor at Stanford University. Prior to that, Giancarlo was a postdoctoral researcher at CISPA and TU Darmstadt, Germany. During his doctoral studies, Giancarlo was a member of the S3 group at EURECOM, in France, under the supervision of Prof. Davide Balzarotti. Until August 2013, he was a researcher associate in the “Security and Trust” research group at SAP SE.
Contact: gpellegrino@cispa.saarland

Second seminar:

Speaker: Sandra Strohbach, Dr. Giancarlo Pellegrino
Title: CISPA – One of Europe’s leading research sites of IT security
Abstract: The public presentation offers an overview of the Center for IT security, Privacy, and Accountability – CISPA located on the Saarland Informatics Campus in Saarbrücken, Germany. Founded in 2011, CISPA has become an important address of IT security and privacy.
You can learn more about the different research areas, excellent education programmes, and career opportunities. The examples of current research projects provide an insight into our daily work.
Short bio: After her studies in translation science, Sandra Strohbach did her PhD in applied linguistics at Saarland University. At the same time, she worked as research assistant and lecturer in the department of Romanic languages. Since 2010, Sandra Strohbach has worked in the field of science management. She is an expert in the field of funding programmes and international cooperation as well as strategic development. She joined CISPA in 2017 and coordinates national and international projects, among them the CISPA-Stanford Center for Cybersecurity.

Contact: strohbach@cispa.saarland

CISPA MEETING

One of Europe’s leading research sites for IT security

When: Tuesday 10 October, at 12.30 in the afternoon
Where: Università Ca’ Foscari, Via Torino, 155 – 30170 Venezia Mestre Sala Conferenze del campus scientifico

What to expect:

  • Insight into the CISPA goals
  • High Level Study courses and exchange programmes
  • Excellent Research environment
  • Various job opportunities for qualified individuals

19/07/2017 – Talks by Mauro Tempesta, Francesco Palmarini, Heider Wahsheh, Marco Squarcina

The program of the day will be:

11.00 Mauro Tempesta
11.20 Francesco Palmarini
11.40 Heider Wahsheh
14.00 Marco Squarcina

Titles and abstracts follow:

Title: Run-time Attack Detection in Cryptographic APIs
Speaker: Marco Squarcina
Abstract:
Cryptographic APIs are often vulnerable to attacks that compromise
sensitive cryptographic keys. In the literature we find many proposals
for preventing or mitigating such attacks but they typically require to
modify the API or to configure it in a way that might break existing
applications. This makes it hard to adopt such proposals, especially
because security APIs are often used in highly sensitive settings, such
as financial and critical infrastructures, where systems are rarely
modified and legacy applications are very common. In this talk we
propose a different approach. We introduce an effective method to
monitor existing cryptographic systems in order to detect, and possibly
prevent, the leakage of sensitive cryptographic keys. The method
collects logs for various devices and cryptographic services and is able
to detect, offline, any leakage of sensitive keys, under the assumption
that a key fingerprint is provided for each sensitive key. We define key
security formally and we prove that the method is sound, complete and
efficient. We also show that without key fingerprinting completeness is
lost, i.e., some attacks cannot be detected. We discuss possible
practical implementations and we develop a proof-of-concept log analysis
tool for PKCS#11 that is able to detect, on a significant fragment of
the API, all key-management attacks from the literature.

14/07/2017 – Talk by Matus Nemec

Title: Measuring Popularity of Cryptographic Libraries in Internet-Wide Scans Fingerprinting
Time: 11:00
Location: Skype call
Type: Research Result
Speaker: Matus Nemec
Abstract:
We measure the popularity of cryptographic libraries in large datasets of RSA public keys. We do so by improving a recently proposed method based on biases introduced by alternative implementations of prime selection in different cryptographic libraries. We extend the previous work by applying statistical inference to approximate a share of libraries matching an observed distribution of RSA keys in an inspected dataset (e.g., Internet-wide scan of TLS handshakes). The sensitivity of our method is sufficient to detect transient events such as a periodic insertion of keys from a specific library into Certificate Transparency logs and inconsistencies in archived datasets.

We apply the method on keys from multiple Internet-wide scans collected in years 2010 through 2017, on Certificate Transparency logs and on separate datasets for PGP keys and SSH keys. The results quantify a strong dominance of OpenSSL with more than 84% TLS keys for Alexa 1M domains, steadily increasing since the first measurement. OpenSSL is even more popular for GitHub client-side SSH keys, with a share larger than 96%. Surprisingly, new certificates inserted in Certificate Transparency logs on certain days contain more than 20% keys most likely originating from Java libraries, while TLS scans contain less than 5% of such keys.

Since the ground truth is not known, we compared our measurements with other estimates and simulated different scenarios to evaluate the accuracy of our method. To the best of our knowledge, this is the first accurate measurement of the popularity of cryptographic libraries not based on proxy information like web server fingerprinting, but directly on the number of observed unique keys.

Project “Formal Specification for Secured Software System” has been approved!

The project entitled “Formal Specification for Secured Software System” has been approved for funding. We would like to congratulate Prof. Agostino Cortesi, who is the Italian principal investigator, and Prof. Nabendu Chaki, who is the Indian principal investigator. The objective of the project is to investigate whether security policies of a (possibly safety-critical) system could be integrated into the formal requirement specification using formal methods, in order to detect ambiguities and inconsistencies within the specification phase of the software development life-cycle. The funding will cover the costs of researchers’ mobility between India and Italy.