25/01/2016 – Talk by Pierpaolo Degano

Title:  Context-aware Security: Linguistic Mechanisms and Static Analysis
Time: 14:00
Location: Meeting room, building Zeta
Type: Research Result
Speaker: Pierpaolo Degano
Abstract:
Adaptive systems improve their efficiency by modifying their behaviour to respond to changes in their operational environment. Also, security must adapt to these changes and policy enforcement becomes dependent on the dynamic contexts. We study these issues within (the core of) an adaptive declarative language proposed recently. A main characteristic of this language is to have two components: a logical one for handling the context and a functional one for computing. We extend it with security policies that are expressed in logical terms. They are of two different kinds: context and application policies. The first, unknown a priori to an application, protect the context from unwanted changes. The others protect the applications from malicious actions of the context, can be nested and can be activated and deactivated according to their scope. An execution step can occur only if all the policies in force hold, under the control of an execution monitor. Beneficial to this is a type and effect system, which safely approximates the behaviour of an application, and a further static analysis, based on the computed effect. The last analysis can only be carried on at load time, when the execution context is known, and it enables us to efficiently enforce the security policies on the code execution, by instrumenting applications. The monitor is thus implemented within the language itself, and it is only activated on those policies that may be infringed and switched off otherwise.

Short bio
Pierpaolo Degano has been

  • since 1/11/1990 full Professor of Computer Science, since 1993 at Dipartimento di Informatica, Università di Pisa
  • 1993-96 head of the Dipartimento di Informatica, Università di Pisa
  • 2000-2003 Chairman of GRIN, the Italian Association of the Professors of Computer Science
  • since 2001 member of the scientific committee of the Scuola di Dottorato di Eccellenza “Galileo Galilei”, since 2009 vice-chairman
  • since 2006 head of the PhD programme in Computer Science
  • since 2007 chairman of the Italian Committee of PhD programmes in Computer Science
  • since 2005 member of the scientific committee of CoSBi, the Microsoft Research – University of Trento Centre for Computational and Systems Biology

22/01/2016 – Talk by Stefano Zanero

Title:  Making sense of a million samples per day: Behavior-based Methods for Automated, Scalable Malware Analysis
Time: 12:00
Location: Meeting room, building Zeta
Type: Research Result
Speaker: Stefano Zanero
Abstract:
With the astonishing rate of new and modified malware samples being released daily, automation of analysis is needed to classify and cluster together similar samples, exclude basic and uninteresting variations, and focus costly manual analysis work on novel and interesting features (e.g., added or removed pieces of code with a given semantics). We will discuss the challenges in analyzing large malware datasets in a (semi)automatic fashion, and some recent research results that may help with the task, by leveraging the concept of “behavior” applied to malicious code.
Short bio: Stefano Zanero is an associate professor at DEIB, the computer engineering department of the Politecnico di Milano University. His research interests focus on systems security, in particular automated malware analysis, cyber-physical systems security, critical infrastructure security, as well as computer forensics.
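One concrete form of the “behavior” idea in the abstract, as an added example that is not the speaker's method: each sample is reduced to the set of sandbox events it produced, samples are grouped by Jaccard similarity of those sets, and for every sample the events that set it apart from the rest of its group are listed, which is what decides whether it deserves manual analysis. The five behaviour profiles are constructed, and the similarity threshold and single-linkage grouping are this example's own choices.

```python
"""Behaviour-based clustering of malware samples, with per-sample novelty.

Added example, not the method from the talk. The behaviour profiles are
constructed sandbox-style event sets; Jaccard similarity with a fixed
threshold and single-linkage grouping are one simple choice, and a real
pipeline would normalise event arguments and use an approximate index
(e.g. minhash/LSH) before comparing pairs.
"""
from itertools import combinations

# Constructed profiles: sample id -> set of observed "event:argument" strings.
SAMPLES = {
    "s1": {"file.write:appdata/svc.exe", "reg.set:hkcu/run", "net.connect:tcp/443",
           "proc.create:cmd.exe"},
    "s2": {"file.write:appdata/svc.exe", "reg.set:hkcu/run", "net.connect:tcp/443"},   # s1 minus one event
    "s3": {"file.write:appdata/svc.exe", "reg.set:hkcu/run", "net.connect:tcp/443",
           "proc.create:cmd.exe", "file.encrypt:*.docx"},                               # s1 plus new behaviour
    "s4": {"net.connect:udp/53", "dns.query:random-label", "proc.inject:explorer.exe"},
    "s5": {"net.connect:udp/53", "dns.query:random-label", "proc.inject:explorer.exe",
           "file.read:wallet.dat"},
}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if a | b else 1.0


def cluster(samples: dict, threshold: float = 0.6) -> list:
    """Single-linkage grouping: two samples share a cluster when connected by a
    chain of pairs with similarity >= threshold (union-find over all pairs)."""
    parent = {s: s for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if jaccard(samples[a], samples[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for s in samples:
        groups.setdefault(find(s), []).append(s)
    return sorted(sorted(g) for g in groups.values())


def novelty(sample: str, members: list, samples: dict):
    """(events only this sample shows within its cluster, events every other
    member shares but this sample lacks): the added/removed pieces worth a look."""
    others = [samples[m] for m in members if m != sample]
    if not others:
        return set(samples[sample]), set()
    return (samples[sample] - set.union(*others),
            set.intersection(*others) - samples[sample])


def triage(samples: dict, threshold: float = 0.6) -> list:
    """Rank samples by how much new behaviour they add to their cluster."""
    rows = []
    for members in cluster(samples, threshold):
        for s in members:
            added, removed = novelty(s, members, samples)
            rows.append((s, sorted(added), sorted(removed)))
    return sorted(rows, key=lambda r: -len(r[1]))


if __name__ == "__main__":
    for s, added, removed in triage(SAMPLES):
        print(f"{s}: +{added} -{removed}")
```

With these profiles the pipeline yields two clusters; s3 (a known family plus a file-encryption routine) and s5 (plus wallet access) rise to the top of the triage list, while s2, which only drops one event of s1, is the kind of uninteresting variation the abstract wants excluded from manual work.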

16/12/2015 – Talk by Heider Wahsheh

Title:  Security Issues in Two Dimensional Barcodes
Time: 12:30
Location: Meeting room, building Zeta
Type: Survey
Speaker: Heider Wahsheh
Abstract:
A barcode is a graphical image that stores data in special patterns of black and white modules. The encoded data can be retrieved using imaging devices such as barcode scanners and smartphones with dedicated reader applications. In general, data can be stored in one dimension (horizontally) or in two dimensions (both horizontally and vertically), with a larger data capacity. Barcodes are easy to use, free and very popular. They have various applications, such as product tracking, advertising and item identification. However, attackers may use barcodes in a malicious way to launch attacks aimed at violating security and users’ privacy. This seminar presents various malicious scenarios with 2-D barcodes and possible protection mechanisms.
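One of the protection mechanisms the seminar refers to, reader-side inspection of the decoded payload before acting on it, as an added example that is not from the talk. The function below recognises the common QR payload conventions (URL, tel:, sms:/SMSTO:, mailto:, WIFI:) and returns the reasons a reader application should ask for confirmation instead of acting silently: non-http(s) schemes such as javascript:, decoy text before “@” in a URL, IP-literal hosts, punycode labels, plain http, open Wi-Fi networks, and actions such as calls or messages that may cost money. The warning rules and the sample payloads are this example's own.

```python
"""Inspect a decoded 2-D barcode payload before the reader acts on it.

Added example, not from the talk: the payload conventions are the usual QR
ones, the warning rules are this example's own choices and the sample
payloads in SAMPLES are constructed.
"""
import re
from urllib.parse import urlsplit

ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto"}   # side effects outside the browser
URL_LIKE = re.compile(r"[a-z][a-z0-9+.-]*:\S*")       # scheme:rest with no whitespace
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def assess(payload: str) -> dict:
    """Classify the payload and collect reasons to ask the user before acting.
    Only an http(s) URL with no warning is marked safe to open automatically."""
    p = payload.strip()
    lower = p.lower()
    warnings = []
    if lower.startswith("wifi:"):
        kind = "wifi"
        fields = dict(f.split(":", 1) for f in p[5:].split(";") if ":" in f)
        if fields.get("T", "").lower() in ("", "nopass"):
            warnings.append("joins an open network; traffic can be observed")
        warnings.append(f"would join network {fields.get('S', '?')!r}")
    elif ":" in p and lower.split(":", 1)[0] in ACTION_SCHEMES:
        kind = lower.split(":", 1)[0]
        target = p.split(":", 1)[1].split("?")[0]
        warnings.append(f"{kind} action towards {target!r}; premium numbers cost money")
    elif URL_LIKE.fullmatch(lower):
        kind = "url"
        u = urlsplit(p)
        host = u.hostname or ""
        if u.scheme not in ("http", "https"):
            warnings.append(f"scheme {u.scheme!r} is not http/https; do not hand it to a browser")
        if u.scheme == "http":
            warnings.append("plain http: the page can be altered in transit")
        if u.username is not None:
            warnings.append(f"decoy text before '@': real host is {host!r}")
        if IPV4.fullmatch(host):
            warnings.append("IP-literal host instead of a domain name")
        if any(label.startswith("xn--") for label in host.split(".")):
            warnings.append("punycode label: possible look-alike of a familiar domain")
        try:
            if u.port not in (None, 80, 443):
                warnings.append(f"non-standard port {u.port}")
        except ValueError:
            warnings.append("malformed port")
    else:
        kind = "text"
    return {"kind": kind, "warnings": warnings,
            "safe_to_auto_open": kind == "url" and not warnings}


# Constructed payloads covering each branch.
SAMPLES = [
    "https://example.com/menu",
    "https://paypal.com@evil.example/login",
    "http://xn--pple-43d.com/",
    "https://192.168.0.1:8443/admin",
    "javascript:alert(document.cookie)",
    "SMSTO:+1234567:hello",
    "WIFI:T:nopass;S:Free;;",
    "Order: 0042",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = assess(s)
        print(f"{r['kind']:<6} {'open' if r['safe_to_auto_open'] else 'ask '} {s}")
        for w in r["warnings"]:
            print("       -", w)
```

The design choice is that the reader never dispatches a payload to the operating system on the strength of its scheme alone: the decoded string is shown to the user together with the warnings, and only a warning-free http(s) link is opened without a prompt.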

09/12/2015 – Talk by Mohamed Abbadi

Title:  Introducing Casanova 2, a pragmatic domain specific language for game development
Time: 13:00
Location: Meeting room, building Zeta
Type: Research Results
Speaker: Mohamed Abbadi
Abstract:
The impact of video games, and games in general, on our society is getting bigger and bigger, to the point that game sales have passed those of music and movies (combined). Nowadays, video games are used not only for entertainment purposes, but also for serious applications such as research, education, training, etc.

Unfortunately, serious game development with traditional general-purpose programming languages is a costly endeavor. The inherent complexity of the domain of video games (physics simulation, AI, rendering, time management, etc.) is not tamed at all by typical programming languages. In these languages we find no first-class support for the flow of time, no intelligent optimization mechanisms, and no understanding of the game loop. Since serious game developers do not enjoy the same resources as the industry, taming the cost of developing games is a necessity. Brilliant ideas might not see the light of day if there are not enough resources to support the development process.

This is where our work comes into play: in the past years a tool designed around the domain of games, called Casanova, has been designed and developed in order to: (i) allow innovative projects to reach the end of their development process, (ii) provide developers with the right tool to tackle features that might not be built with limited resources, and (iii) keep costs in check.
The Casanova programming language has the goal of offering a simple-to-use, high-performance, effective programming language that is capable of tackling the domain of videogame programming, from basic game logic programming up to strategies for AI.

In the presentation I will discuss my past Ph.D. experience and show the latest results of my research: different games for different genres, web-games, virtual-reality lab game, automatic optimizations, LegoV3/Casanova, and some students projects.

03/12/2015 – Talk by Marco Squarcina

Title:  Run-time analysis of PKCS#11 attacks
Time: 13:30
Location: Acadia Lab, building Zeta
Type: Research Results
Speaker: Marco Squarcina
Abstract:
The goal of this talk is to report on the development of a tool aimed at the automatic detection of attacks against PKCS#11 devices. Instead of modifying or configuring the API, we propose a stateful run-time monitor which is able to track key usage over time, for the identification of operations that might result in the leakage of sensitive keys. We briefly report on the components developed for implementing the monitor and discuss new challenges and open issues.
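The monitor idea in the abstract, as an added example that is not the tool described in the talk: a toy in-memory token exposing wrap, unwrap, encrypt and decrypt over key handles, plus a monitor that records how each handle has been used and refuses the step that would complete a known leakage pattern, without modifying the API or its attributes. The two traces it catches are the classic key-separation attacks on PKCS#11 (Clulow, 2003): wrapping a sensitive key under k2 and then decrypting the blob with k2, and importing a key of chosen value by encrypting it under k2 and unwrapping the result, then wrapping the sensitive key under the imported key. The token, the XOR stand-in for the cipher, the attribute names and the monitor's rules are assumptions of this example.

```python
"""Toy PKCS#11 token plus a stateful run-time monitor.

Added example, not the tool from the talk: the in-memory token, its XOR 'cipher'
(standing in for AES so key bytes stay visible), the attribute names and the
monitor's rules are assumptions of this example."""
from dataclasses import dataclass, field

class LeakRisk(Exception):
    """Raised when an operation could reveal a CKA_SENSITIVE key in clear."""

def xor(key: bytes, data: bytes) -> bytes:
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))

@dataclass
class Key:
    handle: int
    value: bytes
    sensitive: bool = False          # CKA_SENSITIVE: must never leave the token in clear
    roles: frozenset = frozenset()   # subset of {"wrap", "unwrap", "encrypt", "decrypt"}

@dataclass
class Monitor:
    """Records how each handle has been used and vetoes the step completing a leak."""
    used_as: dict = field(default_factory=dict)        # handle -> roles exercised so far
    wrapped_under: dict = field(default_factory=dict)  # wrap key -> sensitive handles it wrapped
    known: set = field(default_factory=set)            # handles whose value the caller may know
    def mark(self, k, role):
        self.used_as.setdefault(k.handle, set()).add(role)
    def before_wrap(self, w, target):
        if target.sensitive:
            if w.handle in self.known:
                raise LeakRisk(f"wrapping key {target.handle} under caller-known key {w.handle}")
            if "decrypt" in self.used_as.get(w.handle, ()):
                raise LeakRisk(f"key {w.handle} has decrypted; wrapping key {target.handle} under it")
            self.wrapped_under.setdefault(w.handle, set()).add(target.handle)
        self.mark(w, "wrap")
    def before_decrypt(self, k):
        if self.wrapped_under.get(k.handle):
            raise LeakRisk(f"decrypting with key {k.handle}, which wrapped {sorted(self.wrapped_under[k.handle])}")
        self.mark(k, "decrypt")
    def after_unwrap(self, u, new):
        # A key imported under a key the caller encrypted with (or knows) may have a chosen value.
        if u.handle in self.known or "encrypt" in self.used_as.get(u.handle, ()):
            self.known.add(new.handle)
        self.mark(u, "unwrap")

class Token:
    def __init__(self, monitor=None):
        self.keys, self.next_handle, self.mon = {}, 1, monitor
    def create(self, value, sensitive=False, roles=()):
        k = Key(self.next_handle, value, sensitive, frozenset(roles))
        self.keys[k.handle] = k
        self.next_handle += 1
        return k.handle
    def _need(self, h, role):                # attribute check the real API performs
        k = self.keys[h]
        if role not in k.roles:
            raise PermissionError(f"key {h} lacks CKA_{role.upper()}")
        return k
    def wrap(self, wh, th):                  # C_WrapKey
        w, t = self._need(wh, "wrap"), self.keys[th]
        if self.mon: self.mon.before_wrap(w, t)
        return xor(w.value, t.value)
    def unwrap(self, uh, blob, roles=()):    # C_UnwrapKey: imports a new sensitive key
        u = self._need(uh, "unwrap")
        h = self.create(xor(u.value, blob), sensitive=True, roles=roles)
        if self.mon: self.mon.after_unwrap(u, self.keys[h])
        return h
    def encrypt(self, h, data):              # C_Encrypt
        k = self._need(h, "encrypt")
        if self.mon: self.mon.mark(k, "encrypt")
        return xor(k.value, data)
    def decrypt(self, h, data):              # C_Decrypt
        k = self._need(h, "decrypt")
        if self.mon: self.mon.before_decrypt(k)
        return xor(k.value, data)

SECRET = bytes(range(1, 9))   # constructed value of the sensitive key k1

def wrap_decrypt_attack(monitor=None):
    """k2 holds CKA_WRAP and CKA_DECRYPT: wrap k1 under k2, then decrypt the blob."""
    t = Token(monitor)
    k1 = t.create(SECRET, sensitive=True, roles={"encrypt"})
    k2 = t.create(b"\xaa" * 8, roles={"wrap", "decrypt"})
    try:
        return t.decrypt(k2, t.wrap(k2, k1))
    except LeakRisk as e:
        return f"blocked: {e}"

def encrypt_unwrap_attack(monitor=None):
    """Import k3 with a chosen value via encrypt/unwrap under k2, then wrap k1 under k3."""
    t = Token(monitor)
    k1 = t.create(SECRET, sensitive=True, roles={"encrypt"})
    k2 = t.create(b"\xbb" * 8, roles={"encrypt", "unwrap"})
    chosen = b"\xcc" * 8
    k3 = t.unwrap(k2, t.encrypt(k2, chosen), roles={"wrap"})
    try:
        return xor(chosen, t.wrap(k3, k1))
    except LeakRisk as e:
        return f"blocked: {e}"
```

Without a monitor both attack functions return the clear value of k1, because the attribute checks alone (k2 legitimately holds both roles) do not stop them. With a Monitor() passed in, each is stopped at the call that would complete the pattern, while calls on handles with no such history pass through unchanged; this is the sense in which tracking usage over time, rather than restricting the API, is what identifies the dangerous operation.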

RuCTFE 2015 report

Yesterday the security gang of the University of Venice challenged the best hackers in the world in RuCTFE 2015, one of the most important information security competitions. Despite some connectivity problems, at the end of a fierce battle we placed 12th out of 300, once again finishing as the 1st Italian team.

Congratulations to our students and professors!


18/11/2015 – Talk by Gian-Luca dei Rossi

Title:  Evaluating the impact of eDoS attacks to cloud facilities
Time: 12:00
Location: Meeting Room, building Zeta
Type: Research Results
Speaker: Gian-Luca Dei Rossi
Abstract:
The complexity of modern cloud facilities requires attentive management policies that should encompass all aspects of the system. Security is a critical issue, as intrusions, misuse or denial of service attacks may damage both the users and the cloud provider including its reputation on the market.
Disruptive attacks happen fast, cause evident and short-term damage and are usually the result of operations that are hard to disguise. On the other hand, Energy-oriented Denial of Service (eDoS) attacks aim at producing continuous minor damage, possibly with long-term consequences. These long-lasting attacks are difficult to detect. In this talk we present a model of the behavior of a system under eDoS attack.
We study the impact in terms of cloud energy consumption of an attack strategy previously proposed in the literature and compare it with other strategies that we propose. Our findings show that the strategy previously proposed in the literature, based on keeping the cloud close to saturation, is not optimal (from the point of view of the attacker) in presence of non-constant workload and that there is a trade-off between the aggressiveness of the attacker and the duration of the attack in order to maximize the damage.

11/11/2015 – Talk by Moshin Jafri

Title:  Underwater Wireless Sensor Networks: Applications, Advances and Research challenges
Time: 13:00
Location: Meeting Room, building Zeta
Type: Survey
Speaker: Moshin Jafri
Abstract: Underwater Wireless Sensor Networks (UWSNs) have several applications such as sea mine detection and seismic monitoring. UWSNs consist of a large number of sensors and vehicles, deployed to transmit sensed data to the base station. They monitor swarms of underwater vehicles in environmental and military applications by exploiting their reconfigurability. In this talk, we discuss the organizational architecture of UWSNs and the state of the art of various networking facets related to UWSNs. This talk serves as a summary of existing protocols, providing inspiration for the growth of underwater networks. We also outline the recent advancements in this area by focusing on the lower strata of the communication stack, and envision future trends. Current research ranges from low-power algorithms and modulations to energy-aware routing and MAC protocols. We highlight the key challenges such as high error rate, low network throughput and high energy consumption for data transmission. Furthermore, high propagation delay, Doppler shifts and time-varying multi-path effects constitute major research subjects, which require reliable communication systems in order to coordinate multiple devices, either mobile or stable.

04/11/2015 – Talk by Enrico Steffinlongo

Title:  Static Detection of Collusion Attacks in ARBAC-based Workflow Systems
Time: 13:00
Location: Meeting Room, building Zeta
Type: Research result
Speaker: Enrico Steffinlongo
Abstract: Authorization in workflow systems is usually built on top of role-based access control (RBAC); security policies on workflows are then expressed as constraints on the users performing a set of tasks and the roles assigned to them. When the user-to-role assignment can be changed by potentially untrusted users, like in the case of Administrative RBAC (ARBAC), collusions may take place to circumvent the intended security policies. In this paper, we study this problem in a formal model of workflows based on event structures and we define a precise notion of security against collusion. We then propose a static analysis technique based on a reduction to a role reachability problem for ARBAC, which can be used to prove or disprove security for restricted – yet useful – classes of workflow systems. Finally, we implement our analysis in a tool, WARBAC, and we experimentally show its effectiveness on a set of publicly available examples.
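The role-reachability question the abstract reduces to, as an added example rather than the WARBAC tool itself: a tiny ARBAC policy explored state by state. The users (alice, bob), roles (Employee, Submitter, Approver, Manager) and rules are constructed; the separation-of-duty constraint “whoever submits a request must not approve it” becomes the goal “some user holds Submitter and Approver at once”, and because every user may fire any administrative rule they qualify for, a reachable goal is exactly a collusion. Rules follow the ARBAC97 shape: can_assign(admin role, positive preconditions, negative preconditions, target role) and can_revoke(admin role, target role).

```python
"""Role reachability for a small ARBAC policy by explicit state exploration.

Added example, not the WARBAC tool from the talk. Users, roles and rules are
constructed to show how a workflow separation-of-duty constraint is checked
as a role-reachability question over ARBAC97-style rules.
"""
from collections import deque
from typing import FrozenSet, List, NamedTuple, Optional


class CanAssign(NamedTuple):
    admin: str               # role an administrator must hold to apply the rule
    pos: FrozenSet[str]      # roles the target user must already hold
    neg: FrozenSet[str]      # roles the target user must not hold
    target: str


class CanRevoke(NamedTuple):
    admin: str
    target: str


def push(seen, queue, prev, new, action):
    if new not in seen:
        seen[new] = (prev, action)
        queue.append(new)


def reachable(users, init, assigns, revokes, goal) -> Optional[List[str]]:
    """Shortest sequence of administrative actions after which some user holds
    every role in `goal`, or None if no reachable state does. Every user may
    administer every rule they qualify for: all parties cooperate (collusion)."""
    start = frozenset((u, r) for u, rs in init.items() for r in rs)

    def roles_of(state, u):
        return {r for x, r in state if x == u}

    seen = {start: None}           # state -> (predecessor state, action)
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if any(goal <= roles_of(s, u) for u in users):
            trace = []
            while seen[s] is not None:
                s, action = seen[s]
                trace.append(action)
            return trace[::-1]
        for admin in users:
            admin_roles = roles_of(s, admin)
            for u in users:
                have = roles_of(s, u)
                for a in assigns:
                    if (a.admin in admin_roles and a.pos <= have
                            and not (a.neg & have) and a.target not in have):
                        push(seen, queue, s, s | {(u, a.target)},
                             f"{admin} assigns {a.target} to {u}")
                for r in revokes:
                    if r.admin in admin_roles and r.target in have:
                        push(seen, queue, s, s - {(u, r.target)},
                             f"{admin} revokes {r.target} from {u}")
    return None


# Constructed workflow: alice submits expense requests, bob manages approvals.
USERS = ["alice", "bob"]
INIT = {"alice": {"Employee", "Submitter"}, "bob": {"Manager"}}
SOD_VIOLATION = frozenset({"Submitter", "Approver"})   # one user holding both
fs = frozenset


def naive_policy():
    """Managers may grant Approver or Submitter to any Employee."""
    return ([CanAssign("Manager", fs({"Employee"}), fs(), "Approver"),
             CanAssign("Manager", fs({"Employee"}), fs(), "Submitter")],
            [CanRevoke("Manager", "Submitter"), CanRevoke("Manager", "Approver")])


def one_sided_policy():
    """Approver now excludes Submitter, but the converse rule is unchanged."""
    assigns, revokes = naive_policy()
    assigns[0] = assigns[0]._replace(neg=fs({"Submitter"}))
    return assigns, revokes


def mutual_exclusion_policy():
    """Both grants exclude the other role."""
    assigns, revokes = one_sided_policy()
    assigns[1] = assigns[1]._replace(neg=fs({"Approver"}))
    return assigns, revokes


def check(policy):
    assigns, revokes = policy
    return reachable(USERS, INIT, assigns, revokes, SOD_VIOLATION)


if __name__ == "__main__":
    for name, pol in [("naive", naive_policy()), ("one-sided", one_sided_policy()),
                      ("mutual", mutual_exclusion_policy())]:
        print(name, "->", check(pol) or "secure")
```

The naive policy is broken in one step. Adding a negative precondition on Approver alone does not help: the manager can revoke Submitter, grant Approver and grant Submitter again, so the exclusion has to be stated on both rules (or Submitter must not be re-grantable). This revoke-then-reassign path is the kind of collusion a hand audit of the rules easily misses and an exhaustive reachability search finds at once; real policies need symbolic or abstraction-based techniques because the state space grows exponentially with users and roles.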

27/10/2015 – Talk by Jean-Michel Fourneau (Université de Versailles Saint Quentin)

Title: Discrete Time Stochastic Automata Network with Steady-State Product Form distribution
Time: 13:00
Location: Meeting Room, building Zeta
Type: Research result
Speaker: Jean-Michel Fourneau
Abstract: We present some sufficient conditions for a discrete time Stochastic Automata Networks (SAN) to have a steady-state distribution which has a multiplicative form. The proofs are based on algebraic properties of the tensor operations associated with SAN. Some examples are given.
Bio sketch: J.M. Fourneau is Professor of Computer Science at the University of Versailles St. Quentin, France. He was formerly with Ecole Nationale des Telecommunications, Paris, and University of Paris XI Orsay as an Assistant Professor. He graduated in Statistics and Economics from Ecole Nationale de la Statistique et de l’Administration Economique, Paris, and he obtained his Ph.D. and his habilitation in Computer Science at the University of Paris XI Orsay in 1987 and 1991 respectively. He is the Head of the Performance Evaluation team within the PRiSM laboratory at Versailles University, and his recent research interests are algorithmic performance evaluation, Stochastic Automata Networks, G-networks, stochastic bounds, and applications to high-speed networks and all-optical networks.