Tag Archives: Security

16/12/2015 – Talk by Heider Wahsheh

Title: Security Issues in Two Dimensional Barcodes
Time: 12:30
Location: Meeting room, building Zeta
Type: Survey
Speaker: Heider Wahsheh
Abstract:
A barcode is a graphical image that stores data in special patterns of black and white modules. The encoded data can be retrieved with imaging devices such as barcode scanners and smartphones running a reader application. Data can be stored in one dimension (horizontally) or in two dimensions (both horizontally and vertically), the latter with a much larger capacity. Barcodes are easy to use, free and very popular, with applications such as product tracking, advertising and item identification. However, attackers can also use barcodes maliciously to launch attacks that violate security and users' privacy. This seminar presents various malicious scenarios involving 2-D barcodes and possible protection mechanisms.
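The protection mechanism a reader application needs most is to decide what to do with decoded content before acting on it, because the scanner cannot tell a product code from a phishing URL or an injection payload. The classifier below is an added example, not material from the seminar; the scheme lists, the injection pattern and the sample payloads are assumptions chosen to illustrate the usual attack vectors (malicious or homograph URLs, script and file schemes, Wi-Fi auto-join payloads, and metacharacters aimed at the backend that looks the code up).

```python
import re
from urllib.parse import urlsplit

# Assumed scanner-app policy (added example, not from the seminar):
# schemes a reader may open after showing the host, schemes that need explicit
# user confirmation, and schemes that must never be dispatched from a barcode.
OPEN_SCHEMES = {"http", "https"}
CONFIRM_SCHEMES = {"tel", "sms", "smsto", "mailto", "geo", "market"}
BLOCK_SCHEMES = {"javascript", "vbscript", "data", "file", "intent"}
# Metacharacters typical of SQL/command injection when decoded content is
# passed unescaped to a backend (e.g. a warehouse database queried by barcode).
INJECTION_RE = re.compile(r"['\";`|&$<>]|--|/\*|\bOR\b\s+\d+\s*=\s*\d+", re.IGNORECASE)


def classify(payload: str) -> dict:
    """Classify decoded 2-D barcode content and decide how an app may act on it.

    Verdicts: "open" (URL may be opened after showing the host), "confirm"
    (ask the user first), "block" (never dispatch), "sanitize" (plain text that
    must be escaped/parameterised before reaching a query), "ok" (plain text).
    """
    text = payload.strip()
    reasons = []
    if any(ord(c) < 32 for c in text):
        reasons.append("control characters in payload")

    # Wi-Fi configuration payloads (WIFI:S:<ssid>;T:<auth>;P:<password>;;)
    # silently join a network: treat that as a privileged action.
    if text.upper().startswith("WIFI:"):
        reasons.append("payload joins a Wi-Fi network")
        return {"kind": "wifi-config", "verdict": "confirm", "reasons": reasons}

    parts = urlsplit(text)
    if parts.scheme:
        scheme = parts.scheme.lower()
        if scheme in BLOCK_SCHEMES:
            reasons.append(f"scheme {scheme}: executes code or reads local data")
            return {"kind": "uri", "verdict": "block", "reasons": reasons}
        if scheme in CONFIRM_SCHEMES or scheme not in OPEN_SCHEMES:
            reasons.append(f"scheme {scheme}: not dispatched without confirmation")
            return {"kind": "uri", "verdict": "confirm", "reasons": reasons}
        host = parts.hostname or ""
        if host.startswith("xn--") or ".xn--" in host:
            reasons.append("punycode host: possible homograph of a known brand")
        if "@" in parts.netloc:
            reasons.append("userinfo in URL: real host easy to misread")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address host")
        verdict = "confirm" if reasons else "open"
        return {"kind": "uri", "verdict": verdict, "reasons": reasons}

    if INJECTION_RE.search(text):
        reasons.append("injection metacharacters: escape or parameterise before use")
        return {"kind": "text", "verdict": "sanitize", "reasons": reasons}
    return {"kind": "text", "verdict": "ok", "reasons": reasons}


# Constructed sample payloads (hypothetical hosts and codes).
SAMPLES = [
    "https://shop.example/item/42",
    "javascript:alert(document.cookie)",
    "http://xn--80ak6aa92e.com/login",
    "WIFI:S:FreeWifi;T:WPA;P:hunter2;;",
    "4006381333931' OR 1=1 --",
    "4006381333931",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = classify(s)
        print(f"{r['verdict']:8} {r['kind']:11} {s!r} {r['reasons']}")
```

The point of the "open" verdict is that even a benign-looking https URL should be shown to the user with its host before navigation; the classifier only decides what may not happen automatically.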

03/12/2015 – Talk by Marco Squarcina

Title: Run-time analysis of PKCS#11 attacks
Time: 13:30
Location: Acadia Lab, building Zeta
Type: Research Results
Speaker: Marco Squarcina
Abstract:
The goal of this talk is to report on the development of a tool aimed at the automatic detection of attacks against PKCS#11 devices. Instead of modifying or configuring the API, we propose a stateful run-time monitor which is able to track key usage over time, for the identification of operations that might result in the leakage of sensitive keys. We briefly report on the components developed for implementing the monitor and discuss new challenges and open issues.
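The reason the monitor has to be stateful is that the classic PKCS#11 key-leak attacks are only visible across several calls: a key is wrapped with one key and the resulting ciphertext is later decrypted with, or unwrapped under a weaker template by, the same key, possibly after its attributes have been changed with C_SetAttributeValue. The sketch below is an added example of such a monitor, not the tool presented in the talk; the class, method names and traces are assumptions, and the wrap output is a deterministic stand-in for the token's real ciphertext.

```python
import hashlib


class Pkcs11Monitor:
    """Stateful run-time monitor over a trace of PKCS#11 calls (added example).

    It tracks key attributes (which C_SetAttributeValue can change over time)
    and remembers every ciphertext produced by C_WrapKey, so that it can
    recognise when that ciphertext is later fed to C_Decrypt, or re-imported
    with C_UnwrapKey under a template that drops CKA_SENSITIVE.
    """

    DEFAULTS = {"CKA_SENSITIVE": False, "CKA_EXTRACTABLE": True, "CKA_WRAP": False,
                "CKA_UNWRAP": False, "CKA_ENCRYPT": False, "CKA_DECRYPT": False}

    def __init__(self):
        self.keys = {}      # handle -> attribute dict
        self.wrapped = {}   # sha256(ciphertext) -> (wrapping handle, wrapped handle)
        self.alerts = []

    def c_create_object(self, handle, **attrs):
        self.keys[handle] = {**self.DEFAULTS, **attrs}
        self._check_roles(handle)

    def c_set_attribute_value(self, handle, **attrs):
        self.keys[handle].update(attrs)
        self._check_roles(handle)

    def _check_roles(self, handle):
        # A key that can both wrap and decrypt is the enabler of the wrap/decrypt attack.
        a = self.keys[handle]
        if a["CKA_WRAP"] and a["CKA_DECRYPT"]:
            self.alerts.append(f"{handle}: CKA_WRAP and CKA_DECRYPT both set")

    def c_wrap_key(self, wrapping, target):
        # The token's real output is opaque; a deterministic stand-in is enough
        # because the monitor only matches bytes it has already seen.
        ciphertext = hashlib.sha256(f"wrap:{wrapping}:{target}".encode()).digest()
        if self.keys[wrapping]["CKA_WRAP"] and self.keys[target]["CKA_EXTRACTABLE"]:
            self.wrapped[hashlib.sha256(ciphertext).hexdigest()] = (wrapping, target)
            return ciphertext
        raise PermissionError("C_WrapKey refused by the token")

    def c_decrypt(self, handle, ciphertext):
        rec = self.wrapped.get(hashlib.sha256(ciphertext).hexdigest())
        if rec and rec[0] == handle and self.keys[rec[1]]["CKA_SENSITIVE"]:
            self.alerts.append(f"{handle}: decrypting wrap of sensitive key {rec[1]} leaks it in clear")

    def c_unwrap_key(self, unwrapping, ciphertext, new_handle, **template):
        self.c_create_object(new_handle, **template)
        rec = self.wrapped.get(hashlib.sha256(ciphertext).hexdigest())
        if rec and self.keys[rec[1]]["CKA_SENSITIVE"] and not self.keys[new_handle]["CKA_SENSITIVE"]:
            self.alerts.append(f"{new_handle}: sensitive key {rec[1]} re-imported as non-sensitive")


def wrap_decrypt_trace():
    """Clulow's wrap/decrypt attack, with CKA_DECRYPT set only after the wrap,
    so that a check of the attributes at wrap time alone would miss it."""
    m = Pkcs11Monitor()
    m.c_create_object("k1", CKA_WRAP=True)                              # attacker-usable key
    m.c_create_object("k2", CKA_SENSITIVE=True, CKA_EXTRACTABLE=True)   # victim key
    blob = m.c_wrap_key("k1", "k2")
    m.c_set_attribute_value("k1", CKA_DECRYPT=True)
    m.c_decrypt("k1", blob)
    return m.alerts


def reimport_trace():
    """Wrap a sensitive key and unwrap it under a template with CKA_SENSITIVE=False;
    C_GetAttributeValue on the new handle would then reveal the key value."""
    m = Pkcs11Monitor()
    m.c_create_object("k1", CKA_WRAP=True, CKA_UNWRAP=True)
    m.c_create_object("k2", CKA_SENSITIVE=True, CKA_EXTRACTABLE=True)
    blob = m.c_wrap_key("k1", "k2")
    m.c_unwrap_key("k1", blob, "k3", CKA_SENSITIVE=False)
    return m.alerts


def benign_trace():
    """The same calls on unrelated keys: nothing is reported."""
    m = Pkcs11Monitor()
    m.c_create_object("k1", CKA_WRAP=True)
    m.c_create_object("k2", CKA_SENSITIVE=True, CKA_EXTRACTABLE=True)
    m.c_create_object("k3", CKA_DECRYPT=True)
    blob = m.c_wrap_key("k1", "k2")
    m.c_decrypt("k3", blob)   # a different key: the token returns garbage, not k2
    return m.alerts
```

Matching on a hash of the ciphertext keeps the monitor independent of the mechanism used, but it also shows one of the open issues: an attacker who can re-encode the blob (for instance by re-wrapping it through another key) defeats exact matching, so a real monitor has to track derived blobs as well.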

RuCTFE 2015 report

Yesterday the security gang of the University of Venice challenged the best hackers in the world in RuCTFE 2015, one of the most important information security competitions. Despite some connectivity problems, at the end of a fierce battle we placed 12th out of 300, once again finishing as the 1st Italian team.

Congratulations to our students and professors!


18/11/2015 – Talk by Gian-Luca dei Rossi

Title: Evaluating the impact of eDoS attacks to cloud facilities
Time: 12:00
Location: Meeting Room, building Zeta
Type: Research Results
Speaker: Gian-Luca Dei Rossi
Abstract:
The complexity of modern cloud facilities requires attentive management policies that encompass all aspects of the system. Security is a critical issue, as intrusions, misuse or denial of service attacks may damage both the users and the cloud provider, including its reputation on the market.
Disruptive attacks happen fast, cause evident short-term damage and are usually the result of operations that are hard to disguise. Energy-oriented Denial of Service (eDoS) attacks, on the other hand, aim at producing continuous minor damage, possibly with long-term consequences. These long-lasting attacks are difficult to detect. In this talk we present a model of the behavior of a system under eDoS attack.
We study the impact, in terms of cloud energy consumption, of an attack strategy previously proposed in the literature and compare it with other strategies that we propose. Our findings show that the strategy from the literature, based on keeping the cloud close to saturation, is not optimal (from the attacker's point of view) in the presence of a non-constant workload, and that there is a trade-off between the aggressiveness of the attacker and the duration of the attack when maximizing the damage.

04/11/2015 – Talk by Enrico Steffinlongo

Title: Static Detection of Collusion Attacks in ARBAC-based Workflow Systems
Time: 13:00
Location: Meeting Room, building Zeta
Type: Research Results
Speaker: Enrico Steffinlongo
Abstract: Authorization in workflow systems is usually built on top of role-based access control (RBAC); security policies on workflows are then expressed as constraints on the users performing a set of tasks and on the roles assigned to them. When the user-to-role assignment can be changed by potentially untrusted users, as in Administrative RBAC (ARBAC), collusions may take place to circumvent the intended security policies. In this work, we study this problem in a formal model of workflows based on event structures and we define a precise notion of security against collusion. We then propose a static analysis technique based on a reduction to a role reachability problem for ARBAC, which can be used to prove or disprove security for restricted – yet useful – classes of workflow systems. Finally, we implement our analysis in a tool, WARBAC, and we experimentally show its effectiveness on a set of publicly available examples.
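The core of the reduction is role reachability: the question "can these colluding users, using only the administrative rules they are entitled to, bring the user-role assignment into a state that defeats the workflow constraint?" The following added example (not WARBAC and not the paper's formalization, which is over event structures) makes the idea concrete with a small constructed ARBAC policy: two roles exclude each other at any instant through negative preconditions, yet a revocation rule lets a colluding Manager move a user from one role to the other between two tasks. Policy, users, workflow and the simplified check are all assumptions.

```python
from collections import deque

# Constructed ARBAC policy (added example, not the paper's case study).
# can_assign rule: (administrative role, positive preconditions, negative preconditions, target role)
CAN_ASSIGN = [
    ("Manager", {"Employee"}, {"Accountant"}, "Clerk"),
    ("Manager", {"Employee"}, {"Clerk"}, "Accountant"),
]
# can_revoke rule: (administrative role, target role)
CAN_REVOKE = [("Manager", "Clerk")]
INITIAL_UA = {"alice": {"Manager", "Employee"}, "bob": {"Employee"}}

# Workflow: task -> role required to run it. The intended policy is that the
# Clerk who prepares a payment is never the Accountant who approves it, which
# the mutual negative preconditions above enforce at any single instant.
WORKFLOW = {"prepare": "Clerk", "approve": "Accountant"}


def successors(state, colluders, can_assign, can_revoke):
    """Administrative actions the colluders can perform on each other from `state`,
    a frozenset of (user, role) pairs. An action needs a colluder holding the admin role."""
    def holds(user, role):
        return (user, role) in state
    for admin_role, positive, negative, target in can_assign:
        if not any(holds(a, admin_role) for a in colluders):
            continue
        for u in colluders:
            roles = {r for (v, r) in state if v == u}
            if positive <= roles and not (negative & roles) and target not in roles:
                yield state | {(u, target)}
    for admin_role, target in can_revoke:
        if not any(holds(a, admin_role) for a in colluders):
            continue
        for u in colluders:
            if holds(u, target):
                yield state - {(u, target)}


def reachable(start, colluders, can_assign, can_revoke):
    """Breadth-first exploration of the user-role states reachable from `start`."""
    seen, queue = {start}, deque([start])
    while queue:
        s = queue.popleft()
        for n in successors(s, colluders, can_assign, can_revoke):
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return seen


def collusion_witnesses(ua, colluders, first, second,
                        can_assign=CAN_ASSIGN, can_revoke=CAN_REVOKE):
    """Users who can hold the role of task `first` and, after further administrative
    actions by the colluders, the role of task `second`: one person can then perform
    both tasks although no reachable state lets them hold both roles at once."""
    start = frozenset((u, r) for u, roles in ua.items() for r in roles)
    r1, r2 = WORKFLOW[first], WORKFLOW[second]
    witnesses = set()
    for s1 in reachable(start, colluders, can_assign, can_revoke):
        for u in colluders:
            if u in witnesses or (u, r1) not in s1:
                continue
            if any((u, r2) in s2 for s2 in reachable(s1, colluders, can_assign, can_revoke)):
                witnesses.add(u)
    return witnesses


if __name__ == "__main__":
    both = {"alice", "bob"}
    print("with revocation:", collusion_witnesses(INITIAL_UA, both, "prepare", "approve"))
    print("without revocation:", collusion_witnesses(INITIAL_UA, both, "prepare", "approve", can_revoke=[]))
```

Dropping the revocation rule makes the policy safe, because neither role can ever be left once entered, and the same search proves it by exhausting the state space; the real analysis has to bound that space for unboundedly many users, which is where the restriction to particular classes of workflows comes from.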

01/04/2014 – Talk by M. Squarcina and M. Tempesta

Title: Surviving the Web: A Journey into Web Session Security
Time: 14:00
Location: Meeting Room, building Zeta
Type: Survey of literature
Speaker: Marco Squarcina and Mauro Tempesta
Abstract: In this talk we describe and classify web security properties, attacks and security solutions. We focus on client-side attacks against web sessions, i.e., attacks that target honest user clients establishing a session with a remote web server. We identify general security properties representative of web session security and we highlight the properties violated by the different attacks. We then survey existing security solutions and mechanisms that prevent or mitigate the attacks; for each security solution, we also evaluate the impact on usability, the compatibility with existing web sites and the ease of deployment. Finally, we identify a list of sound principles that, to some extent, have been taken into account by the designers of the surveyed solutions. We believe that these principles could be helpful for the development of innovative solutions approaching web security in a more systematic and comprehensive way.

04/02/2015 – Talk by Wilayat Khan

Title: Web Session Security: Formal Verification, Client-Side Enforcement and Experimental Analysis
Time: 13:00
Location: Meeting room
Type: Research Result
Speaker: Wilayat Khan
Abstract:

Web applications are the dominant means of providing access to millions of on-line services and applications such as banking and e-commerce. To personalize users' web experience, servers need to authenticate users and then maintain their authentication state throughout a set of related HTTP requests and responses called a web session. As HTTP is a stateless protocol, the common approach used by most web applications to maintain a web session is HTTP cookies: each request belonging to a session is authenticated by having the browser send the server a unique, long random string, the session identifier, stored in a cookie called the session cookie. Taking over the session identifier gives the attacker full control of the session, which makes it an attractive target for attacks on the confidentiality and integrity of web sessions. The browser should take care of web session security: a session cookie belonging to one source should not be corrupted, stolen, or forced to be sent with requests by any other source.

This research demonstrates that security policies can in fact be written down for both the confidentiality and the integrity of web sessions, and enforced on the client side without any support from the servers and without breaking too many web applications. Moreover, the enforcement mechanisms designed can be proved correct within mathematical models of the web browser. These claims are supported by

1) defining both end-to-end and access control security policies to protect web sessions;

2) introducing a new mathematical model of the web browser, and extending existing ones, with confidentiality and integrity security policies for web sessions;

3) offering mathematical proofs that the security mechanisms do enforce the security policies; and

4) designing and developing prototype browser extensions to test that real-life web applications are supported.

23/07/2014 – Talk by Wilayat Khan

Title: Client Side Web Session Integrity as a Non-Interference Property
Time: 11:00
Location: Meeting room
Type: Research Result
Speaker: Wilayat Khan
Abstract:

Because of the stateless nature of the HTTP protocol, web applications that need to maintain state over multiple interactions with a client have to implement some form of session management: the server needs to know to which ongoing session (if any) an incoming HTTP request belongs. Sessions are usually implemented by means of session cookies, which are unpredictable random identifiers generated by the server at the start of a session.

Sessions can be attacked at the network (e.g. sniffing), implementation (e.g. script injection) and application layers. The attacks at the first two layers are well-understood problems with well-understood solutions; the problem of application-level session integrity, however, is not yet well understood. An attack at the application layer happens when a page in the browser sends malicious requests to any of the servers the browser currently has a session with: the request automatically gets the session cookie attached and is therefore treated by the server as part of a (possibly authenticated) session, leading to CSRF attacks. Moreover, malicious requests can also be sent by scripts included in, or injected by an attacker into, a page from the same origin.

In this work, we refine our previous ideas into the classical noninterference property known from information flow security and design an information flow control technique that can enforce session integrity in a more permissive and fine-grained way than access control mechanisms.
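Both of Wilayat Khan's talks above, and the earlier survey, turn on one decision the browser makes on every outgoing request: does the session cookie go along or not? The model below is an added example, not the extensions or the formal models from the talks, and its cookie jar, session-cookie heuristic, trust configuration and sample requests are constructed. It contrasts the access-control answer (attach session cookies only to same-origin requests) with an information-flow answer in which each request carries the set of origins that influenced it and session cookies are withheld whenever an untrusted origin is in that set. The third case shows why the flow-based check is finer grained (same-origin page, parameter tainted by an injected script) and the fourth why it can be more permissive (cross-origin request from an explicitly trusted partner).

```python
import re
from urllib.parse import urlsplit

# Constructed cookie jar: origin -> cookies stored for it (hypothetical site).
JAR = {
    "https://bank.example": [
        {"name": "sessionid", "value": "9f2c0a..."},
        {"name": "lang", "value": "en"},
    ],
}
# Heuristic for "this cookie carries the session": common session cookie names.
SESSION_NAME_RE = re.compile(r"^(PHPSESSID|JSESSIONID|ASP\.NET_SessionId|sessionid|sid|session)$", re.I)


def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def is_session_cookie(cookie):
    return SESSION_NAME_RE.match(cookie["name"]) is not None


class Request:
    """An outgoing request as the browser sees it: its target URL, the origin of
    the page that initiated it, and the set of origins whose code or data
    influenced its content (a taint label in the information-flow sense)."""
    def __init__(self, target, initiator, labels):
        self.target, self.initiator, self.labels = target, initiator, frozenset(labels)


def _cookies_for(req, allow):
    return [c["name"] for c in JAR.get(origin_of(req.target), []) if allow(c)]


def origin_policy(req):
    """Access control: session cookies only on requests initiated by the target's
    own origin (the effect of a SameSite=Strict-like rule)."""
    same = req.initiator == origin_of(req.target)
    return _cookies_for(req, lambda c: same or not is_session_cookie(c))


def ifc_policy(req, trusted):
    """Information flow control: session cookies only if every origin that
    influenced the request is trusted by the target, i.e. untrusted origins
    cannot affect any authenticated request (noninterference)."""
    target = origin_of(req.target)
    trust = {target} | set(trusted.get(target, ()))
    clean = req.labels <= trust
    return _cookies_for(req, lambda c: clean or not is_session_cookie(c))


def compare(trusted):
    """Run both policies on four constructed requests; returns name -> (origin, ifc)."""
    bank, evil, partner = "https://bank.example", "https://evil.example", "https://pay.example"
    cases = {
        "same_origin": Request(f"{bank}/transfer", bank, {bank}),
        "cross_origin_csrf": Request(f"{bank}/transfer", evil, {evil}),
        # Same-origin page, but the amount parameter came from a script injected by evil:
        "injected_script": Request(f"{bank}/transfer", bank, {bank, evil}),
        # Cross-origin return from a partner the bank explicitly trusts:
        "trusted_partner": Request(f"{bank}/confirm", partner, {partner}),
    }
    return {name: (origin_policy(r), ifc_policy(r, trusted)) for name, r in cases.items()}


if __name__ == "__main__":
    for name, (by_origin, by_flow) in compare({"https://bank.example": ["https://pay.example"]}).items():
        print(f"{name:18} origin policy: {by_origin}  ifc policy: {by_flow}")
```

Where the labels come from is the hard part that the model hides: a browser extension can approximate them from the initiator and the script that issued the request, while the formal model tracks them through every DOM and JavaScript operation, which is what the noninterference proof is about.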

16/04/2014 – Talk by Silvia Signorato

Title: Computer investigations in criminal proceedings: analysis, assessments, perspectives (original title: Le indagini informatiche nel procedimento penale: analisi, valutazioni, prospettive)
Time: 13:00
Location: Meeting room
Type: Research Result
Speaker: Silvia Signorato
Abstract:

In today's globalized society, information technology permeates almost every area of life. It is therefore almost inevitable that crime too makes use of information technology to commit offences. Consider only phishing, online child pornography, defamation on social networks, cyberstalking, online grooming of minors, copyright infringement and online incitement to suicide, in a crescendo of offences that cannot fail to raise social alarm.

Faced with such offences, criminal investigations also become computer-based, and increasingly the elements of proof consist of digital evidence.
The seminar aims to offer an introductory overview of computer investigations in criminal proceedings.
To this end, it first traces the coordinates of the legislation currently in force; secondly, it examines the most relevant legal issues arising from the use of information technology in criminal investigations; finally, it highlights the novel perspectives of computer forensic investigations.

19/03/2014 – Talk by Andriana E. Gkaniatsou

Title: Towards the automated analysis of low-level cryptographic protocols
Time: 13:00
Location: Meeting room
Type: Research Result
Speaker: Andriana E. Gkaniatsou (U. of Edinburgh)
Abstract:
In this talk we discuss the problem of the automated analysis of reverse-engineered low-level cryptographic protocols. Such analysis is difficult, as most such protocol implementations are proprietary and confidential.
Our proposal is to treat the analysis as an inference problem and to use knowledge repair techniques to fix possible mismatches. We present our thoughts on this problem and some working examples based on real card implementations.