Security and trust

A) Trusted endpoints
One key aspect of mobile and distributed computing is the possibility of protecting ‘endpoints’. This is typically done using special cryptographic devices that users trust and that are, in principle, impossible to tamper with. Smartcards, USB cryptographic tokens, RFID devices and the Hardware Security Modules used by banks are all examples of tamper-resistant hardware that allows security-critical operations to be performed in an untrusted distributed setting. This technology is becoming more and more pervasive, and users are already asking to perform any task using just one device, such as their smartphone. This research area is very challenging, as confirmed by the many attacks found on these kinds of devices in recent years. NFC, the technology that allows one to use smartphones as contactless devices in place of smartcards, is not yet mature, as confirmed by the recent flaws in the famous Google Wallet. The security research group has been active in this area in recent years. The main result is a tool that reverse-engineers real devices, builds a model and tries to validate it, possibly finding attacks that are then tested on the devices. The results are alarming, since many commercial devices are completely flawed. We intend to go on with this research and to additionally investigate advanced techniques, such as ‘mandatory access control’, that allow the security of centralized servers and clouds to be strengthened.

 

Selected bibliography

  • R. Halder, A. Cortesi: Abstract Interpretation of Database Query Languages, in Computer Languages, Systems & Structures, vol. 38(2), 2012, pp. 123-157
  • A. Cortesi, F. Logozzo: Verification of Non-functional Requirements by Abstract Interpretation, in Stephan Reiff-Marganiec, Marcel Tilly, Handbook of Research on Service-Oriented Systems and Non-Functional Properties: Future Directions, Hershey, PA, IGI Global, 2012, pp. 22-35
  • M. Centenaro, R. Focardi, F.L. Luccio, Type-Based Analysis of PKCS#11 Key Management. In the proceedings of the 1st Conference on Principles of Security and Trust (POST2012), 26-27 March 2012, Tallinn, Estonia, LNCS 7215, pp. 349–368, Springer 2012
  • M. Zanioli, P. Ferrara, A. Cortesi: SAILS: Static Analysis of Information Leakage with Sample, Proceedings of the 27th ACM Symposium on Applied Computing, ACM Press, pp. 1308-1313
  • M. Bugliesi, S. Calzavara, R. Focardi, M. Squarcina: Gran: Model Checking Grsecurity RBAC Policies. 25th IEEE Computer Security Foundations Symposium, June 25–27, 2012, Harvard University, Cambridge MA, USA, pp. 126-138
  • R. Focardi, F.L. Luccio: Guessing Bank PINs by Winning a Mastermind Game. Theory of Computing Systems (TOCS), 50(1), 52-71, 2012
  • G. Costantini, P. Ferrara, A. Cortesi: Static Analysis of String Values, in Shengchao Qin and Zongyan Qiu, Formal Methods and Software Engineering, in Lecture Notes in Computer Science, Heidelberg, Springer Verlag, vol. 6991, 2011, pp. 505-521
  • M. Bugliesi and R. Focardi: Channel abstractions for network security. Mathematical Structures in Computer Science, vol. 20, pp. 3-44. 2010
  • R. Halder, A. Cortesi: Obfuscation-based analysis of SQL injection attacks, Proceedings – IEEE Symposium on Computers and Communications, Los Alamos, IEEE Computer Society, 2010, pp. 931-938
  • C. Braghin, A. Cortesi, R. Focardi: Information flow security in Boundary Ambients, in INFORMATION AND COMPUTATION, vol. 206, 2008, pp. 460-489
  • M. Bugliesi, R. Focardi, and M. Maffei. Dynamic Types for Authentication: Journal of Computer Security, 15(6):563-617, 2007
  • R. Focardi and S. Rossi: Information flow security in dynamic contexts. Journal of Computer Security, 14(1):65-110, 2006
  • S. Bhattacharya, A. Cortesi: Distortion-Free Authentication Watermarking, in Cordeiro J., Virvou M., Shishkov B., Software and Data Technologies, in Communications in Computer and Information Science, Berlin, Springer Verlag, vol. 170