Security & Trust

Giada Sciarretta, Researcher

Giada Sciarretta is a researcher in the Security & Trust research unit of Fondazione Bruno Kessler. She obtained her MSc in mathematics at the University of Trento in 2012 and received her Ph.D. in computer science at the same university in 2018 while working with the Security & Trust unit. Her research activities involve the design, security analysis (with informal and formal specifications), and risk assessment of access delegation and single sign-on protocols (e.g., OAuth 2.0 and OpenID Connect), multi-factor authentication (e.g., based on biometrics or eID cards), and fully-remote enrollment procedures. She is currently working on several projects related to identity and access management, focusing on various aspects of the European Digital Identity Wallet (e.g., PID issuing, mDL presentation, selective disclosure).

Publications

2023

  • Andrea Flamini, Silvio Ranise, Giada Sciarretta, Mario Scuro, Amir Sharif, Alessandro Tomasi
    A First Appraisal of Cryptographic Mechanisms for the Selective Disclosure of Verifiable Credentials
    In: 20th International Conference on Security and Cryptography (SECRYPT 2023) (DOI, news)
  • Marco Pernpruner, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    An Automated Multi-Layered Methodology to Assist the Secure and Risk-Aware Design of Multi-Factor Authentication Protocols
    In: IEEE Transactions on Dependable and Secure Computing (TDSC) (DOI, complementary material, news)
  • Gianluca Sassetti, Amir Sharif, Giada Sciarretta, Roberto Carbone, Silvio Ranise
    Assurance, Consent and Access Control for Privacy-Aware OIDC Deployments
    In: Proceedings of the 37th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2023) (DOI, news)
  • Zahra Ebadi Ansaroudi, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    Control is Nothing Without Trust: A First Look into Digital Identity Wallet Trends
    In: Proceedings of the 37th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2023) (DOI)
  • Amir Sharif, Francesco Antonio Marino, Giada Sciarretta, Giuseppe De Marco, Roberto Carbone, Silvio Ranise
    Cross-Domain Sharing of User Claims: A Design Proposal for OpenID Connect Attribute Authorities
    In: 18th International Conference on Availability, Reliability and Security (ARES 2023) (DOI, news)
  • Cecilia Pasquini, Marco Pernpruner, Giada Sciarretta, Silvio Ranise
    Towards a Fine-Grained Threat Model for Video-Based Remote Identity Proofing
    In: ECML/PKDD 2023 Post-Workshops and Tutorials Proceedings (news)

2022

  • Matteo Rizzi, Salvatore Manfredi, Giada Sciarretta, Silvio Ranise
    A Modular and Extensible Framework for Securing TLS
    In: Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy (CODASPY 2022) (DOI, news)
  • Matteo Rizzi, Salvatore Manfredi, Giada Sciarretta, Silvio Ranise
    Demo: TLSAssistant v2 - A Modular and Extensible Framework for Securing TLS
    In: Proceedings of the 27th ACM Symposium on Access Control Models and Technologies (SACMAT 2022) (DOI, news)
  • Salvatore Manfredi, Mariano Ceccato, Giada Sciarretta, Silvio Ranise
    Empirical Validation on the Usability of Security Reports for Patching TLS Misconfigurations: User- and Case-Studies on Actionable Mitigations
    In: Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA) (DOI)
  • Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    SoK: A Survey on Technological Trends for (pre)Notified eIDAS Electronic Identity Schemes
    In: 17th International Workshop on Frontiers in Availability, Reliability and Security (FARES2022) (DOI, complementary material, news)
  • Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Francesco Antonio Marino, Silvio Ranise
    The eIDAS Regulation: A Survey of Technological Trends for European Electronic Identity Schemes
    In: MDPI Journal of Applied Science (APPLSCI) (DOI, complementary material, news)

2021

  • Marco Pernpruner, Giada Sciarretta, Silvio Ranise
    A Framework for Security and Risk Analysis of Enrollment Procedures: Application to Fully-Remote Solutions Based on eDocuments
    In: 18th International Conference on Security and Cryptography (SECRYPT 2021) (DOI, complementary material)
  • Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    Best Current Practices for OAuth/OIDC Native Apps: A Study of their Adoption in Popular Providers and Top-Ranked Android Clients
    In: Journal of Information Security and Applications (JISA) (DOI, news)
  • Salvatore Manfredi, Mariano Ceccato, Giada Sciarretta, Silvio Ranise
    Do Security Reports Meet Usability? - Lessons Learned from Using Actionable Mitigations for Patching TLS Misconfigurations
    In: The 16th International Conference on Availability, Reliability and Security (ARES 2021) (ETACS 2021) (DOI, complementary material, news)
  • Matteo Leonelli, Umberto Morelli, Silvio Ranise, Giada Sciarretta
    Secure Pull Printing with QR Codes and National eID Cards: A Software-oriented Design and an Open-source Implementation
    In: Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy (CODASPY 2021) (DOI, complementary material, news)

2020

  • Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    Automated and Secure Integration of the OpenID Connect iGov Profile in Mobile Native Applications
    In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2020) (DOI, complementary material)
  • Andrea Bisegna, Roberto Carbone, Mariano Ceccato, Salvatore Manfredi, Silvio Ranise, Giada Sciarretta, Alessandro Tomasi, Emanuele Viglianisi
    Automated Assistance to the Security Assessment of API for Financial Services
    In: Cyber-Physical Threat Intelligence for Critical Infrastructures Security: A Guide to Integrated Cyber-Physical Protection of Modern Critical Infrastructures (book chapter) (DOI)
  • Roberto Carbone, Silvio Ranise, Giada Sciarretta, Luca Viganò
    Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login
    In: ACM Transactions on Privacy and Security (TOPS) (DOI, complementary material, news)
  • Marco Pernpruner, Roberto Carbone, Silvio Ranise, Giada Sciarretta
    The Good, the Bad and the (Not So) Ugly of Out-Of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis
    In: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy (CODASPY 2020) (DOI, complementary material, news)
  • Salvatore Manfredi, Silvio Ranise, Giada Sciarretta, Alessandro Tomasi
    TLSAssistant goes FINSEC: A Security Platform Integration Extending Threat Intelligence Language
    In: 1st International Workshop on Cyber-Physical Security for Critical Infrastructures Protection (CPS4CIP 2020)

2019

  • Amir Sharif, Roberto Carbone, Silvio Ranise, Giada Sciarretta
    A Wizard-Based Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps
    In: 16th International Conference on Security and Cryptography (SECRYPT 2019) (DOI, complementary material, news)
  • Umberto Morelli, Silvio Ranise, Damiano Sartori, Giada Sciarretta, Alessandro Tomasi
    Audit-Based Access Control with a Distributed Ledger: Applications to Healthcare Organizations
    In: 15th International Workshop on Security and Trust Management (STM 2019) (DOI, news)
  • Sergii Kushch, Silvio Ranise, Giada Sciarretta
    Blockchain Tree for eHealth
    In: 2019 IEEE Global Conference on Internet of Things (GCIoT 2019) (DOI)
  • Silvio Ranise, Giada Sciarretta, Alessandro Tomasi
    Enroll, and authentication will follow: eID-based enrollment for a customized, secure, and frictionless authentication experience
    In: 12th International Symposium on Foundations & Practice of Security (FPS 2019) (DOI, news)
  • Salvatore Manfredi, Silvio Ranise, Giada Sciarretta
    Lost in TLS? No More! Assisted Deployment of Secure TLS Configurations
    In: Proceedings of the 33rd Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2019), vol. 11559, pp. 201-220 (DOI, news)

2018

  • Roberto Carbone, Silvio Ranise, Giada Sciarretta
    Design and Security Assessment of Usable Multi-factor Authentication and Single Sign-On Solutions for Mobile Applications
    In: Privacy and Identity Management. Fairness, Accountability, and Transparency in the Age of Big Data (DOI)
  • Giada Sciarretta, Roberto Carbone, Silvio Ranise, Luca Viganò
    Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
    In: Principles of Security and Trust (POST 2018) (DOI, news)

2017

  • Giada Sciarretta, Roberto Carbone, Silvio Ranise, Alessandro Armando
    Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements
    In: Computers & Security Journal (COSE), Volume 71, November 2017, Pages 71-86 (DOI)

2016

  • Giada Sciarretta, Roberto Carbone, Silvio Ranise
    A delegated authorization solution for smart-city mobile applications
    In: 2nd International Forum on Research and Technologies for Society and Industry (RTSI 2016) (DOI)
  • Giada Sciarretta, Alessandro Armando, Roberto Carbone, Silvio Ranise
    Security of Mobile Single Sign-On: a Rational Reconstruction of Facebook Login Solution
    In: 13th International Conference on Security and Cryptography (SECRYPT 2016) (DOI, news)

Theses

  • Giada Sciarretta (PhD Thesis, University of Trento, 2018)
    A Methodology for the Design and Security Assessment of Mobile Identity Management: Applications to real-world scenarios (link)
    Supervisor: Silvio Ranise | Co-supervisors: Alessandro Armando, Roberto Carbone

Dissemination

2024

  • March 21, 2024 • School
    Salvatore Manfredi, Giada Sciarretta
    Identità digitale [Digital identity]
    Liceo Scientifico "Galileo Galilei", Trento
  • March 15, 2024 • School
    Salvatore Manfredi, Giada Sciarretta
    Consapevolezza e Sicurezza Informatica [Cybersecurity awareness and security]
    ENAIP Trentino, Trento
  • January 19, 2024 • Specialized
    Amir Sharif, Giada Sciarretta, Roberto Carbone, Silvio Ranise, Francesco Antonio Marino, Giuseppe De Marco
    Waiting for the EUDI Wallet: Securing the transition from SAML 2.0 to OpenID Connect
    OpenID Summit Tokyo 2024 (Event)

2023

  • September 29, 2023 • General
    Salvatore Manfredi, Matteo Rizzi, Giada Sciarretta
    Siamo al sicuro? Mettiamoci alla prova! Un viaggio nel mondo della sicurezza informatica [Are we safe? Let's put ourselves to the test! A journey into the world of cybersecurity]
    Notte della Ricerca 2023 (Event)
  • May 11, 2023 • Specialized
    Francesco Antonio Marino, Giada Sciarretta, Amir Sharif
    Past, Present, and Future of the Italian Digital Identity Ecosystem
    European Identity and Cloud (EIC) Conference 2023 (Event, Session)
  • April 14, 2023 • School
    Matteo Rizzi, Giada Sciarretta
    Cybersecurity: l'esperienza di due giovani professionisti [Cybersecurity: the experience of two young professionals]
    Liceo Steam International, Rovereto
  • February 16-17, 2023 • School
    Salvatore Manfredi, Giada Sciarretta
    Avvicinamento alla sicurezza informatica [An introduction to cybersecurity]
    Istituto Comprensivo Civezzano, Trento

2022

  • May 5, 2022 • Specialized
    Roberto Carbone, Giuseppe De Marco, Francesco Antonio Marino, Silvio Ranise, Giada Sciarretta, Amir Sharif
    Cross-Domain Sharing of User Claims: A Proposal for OIDC
    OAuth Security Workshop (OSW) 2022 (Event)
  • February 21-25, 2022 • School
    Salvatore Manfredi, Giada Sciarretta
    Giornata mondiale per la Sicurezza in Rete [Safer Internet Day]
    Istituto Comprensivo Civezzano, Trento

2021

  • September 24, 2021 • General
    Salvatore Manfredi, Umberto Morelli, Giada Sciarretta, Alessandro Tomasi
    Siamo al sicuro? Mettiamoci alla prova! Avvicinamento alla sicurezza informatica [Are we safe? Let's put ourselves to the test! An introduction to cybersecurity]
    Notte dei Ricercatori 2021 (Event)
  • May 5, 2021 • General
    Marco Pernpruner, Giada Sciarretta, Alessandro Tomasi
    Identità digitale: identificazione e autenticazione [Digital identity: identification and authentication]
    PMI Academy, Accademia d'Impresa (Event, Video)

2020

  • May 5, 2020 • General
    Marco Pernpruner, Giada Sciarretta, Silvio Ranise
    Cyber Security & Servizi Finanziari [Cyber Security & Financial Services]
    FBK Academy (News and video)

2019

  • March 22, 2019 • Specialized
    Roberto Carbone, Silvio Ranise, Giada Sciarretta, Amir Sharif
    An Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps
    OAuth Security Workshop (OSW) 2019 (Event, Program)
  • February 18-22, 2019 • School
    Matteo Leonelli, Salvatore Manfredi, Umberto Morelli, Giada Sciarretta, Silvio Ranise
    Pro[M] Camp 2019
    Pro[M] Camp 2019 (Event)

Supervised Theses

2024

  • Marco Pernpruner (PhD Thesis, University of Genoa, 2024)
    Integrating Security by Design and Automated Security Analysis for Digital Identity Management
    Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta

2023

  • Salvatore Manfredi (PhD Thesis, University of Genoa, 2023)
    Automated Assistance for Actionable Security: Security and Compliance of TLS Configurations (link)
    Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta
  • Gianluca Sassetti (Master's Thesis, University of Trento, 2023)
    Privacy Guidelines and Compliance Analysis for OpenID Connect Deployments
    Supervisor: Silvio Ranise | Co-supervisors: Amir Sharif, Giada Sciarretta, Roberto Carbone

2022

  • Nicola Casagrande (Bachelor's Thesis, University of Trento, 2022)
    Dematerialized Documents: The Italian Driving License Use Case
    Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Tahir Ahmad
  • Federico Cucino (Bachelor's Thesis, University of Trento, 2022)
    Miglioramento delle capacità di analisi di TLSAssistant - Automatizzazione delle mitigazioni per NGINX [Improving the analysis capabilities of TLSAssistant: automating mitigations for NGINX]
    Supervisor: Silvio Ranise | Co-supervisors: Salvatore Manfredi, Giada Sciarretta
  • Ivan Valentini (Bachelor's Thesis, University of Trento, 2022)
    Estensione delle capacità di analisi di TLSAssistant - Rilevazione e mitigazione di ALPACA, POODLE e Raccoon [Extending the analysis capabilities of TLSAssistant: detection and mitigation of ALPACA, POODLE and Raccoon]
    Supervisor: Silvio Ranise | Co-supervisors: Salvatore Manfredi, Giada Sciarretta
  • Rupert Gobber (Master's Thesis, University of Trento, 2022)
    Design and implementation of a verifiable credentials service for a data marketplace
    Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Alessandro Tomasi
  • Martina Vecellio Reane (Bachelor's Thesis, University of Trento, 2022)
    Automated Security and Risk Analysis of Remote Identity Proofing Procedures
    Supervisor: Silvio Ranise | Co-supervisors: Marco Pernpruner, Giada Sciarretta

2021

  • Matteo Rizzi (Bachelor's Thesis, University of Trento, 2021)
    TLS Analyzers for Android Apps: State-of-the-art Analysis and Integration in TLSAssistant
    Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Salvatore Manfredi
    Awards: 3rd place at thesis award "Innovare la sicurezza delle informazioni 2021", sponsored by CLUSIT
  • Matteo Longato (Bachelor's Thesis, University of Trento, 2021)
    Verifiable credentials applied to self reporting applications
    Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Alessandro Tomasi
  • Leonardo Xompero (Bachelor's Thesis, University of Trento, 2021)
    A Survey of Risk-Based Authentication: How features and security actions can be used to mitigate attackers
    Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner
  • Giuseppe Lamorgese (Bachelor's Thesis, University of Trento, 2021)
    Autenticazione password-less con FIDO2: Descrizione del flusso e considerazioni sulla sicurezza [Password-less authentication with FIDO2: flow description and security considerations]
    Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta
  • Giacomo Zanolli (Bachelor's Thesis, University of Trento, 2021)
    FIDO2 Passwordless Authentication: From the basics to an implementation in the context of an authorization system
    Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner
  • Amir Sharif (PhD Thesis, University of Genoa, 2021)
    Analysis of Best Current Practices to Assist Native App Developers with Secure OAuth/OIDC Implementations (link)
    Supervisor: Roberto Carbone | Co-supervisors: Silvio Ranise, Giada Sciarretta
  • Alessandro Pegoraro (Bachelor's Thesis, University of Trento, 2021)
    Payment Services Directive 2 in the Wild - A comparison between Open Banking UK and NextGenPSD2
    Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Salvatore Manfredi
  • Adrien Beaugendre (Master's Thesis, University of Rennes 1 and University of Trento, 2021)
    A Flexible Risk Analysis on MuFASA Tool
    Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner

2020

  • Alessio Valenza (Bachelor's Thesis, University of Trento, 2020)
    Autenticazione bancaria post-PSD2: siamo al sicuro? Analisi automatica del rischio di protocolli di autenticazione [Post-PSD2 banking authentication: are we safe? Automated risk analysis of authentication protocols]
    Supervisor: Silvio Ranise | Co-supervisors: Giada Sciarretta, Marco Pernpruner

2019

  • Salvatore Manfredi (Master's Thesis, University of Trento, 2019)
    Assisting users in securing TLS configurations
    Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta
  • Marco Pernpruner (Master's Thesis, University of Verona, 2019)
    A passwordless out-of-band authentication protocol based on eID cards and push notifications: Design and formal security analysis
    Supervisor: Massimo Merro | Co-supervisors: Giada Sciarretta, Roberto Carbone
  • Davide Piva (Bachelor's Thesis, University of Trento, 2019)
    Assisting Developers in Securing OAuth 2.0 Deployment: Demystifying Threats and Protection Techniques for Bearer Credentials
    Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta

2018

  • Giovanni Ferronato (Bachelor's Thesis, University of Trento, 2018)
    Multi-factor Authentication Through Push Notification and NFC-enabled Identity Card: A solution for secure authentication in insecure contexts
    Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta
    Awards: 3rd place at thesis award "Innovare la sicurezza delle informazioni 2019", sponsored by CLUSIT
  • Daniele Del Sale (Bachelor's Thesis, University of Trento, 2018)
    Procedure di autenticazione multi-fattore basate su push notification: Analisi dello stato dell'arte e specifica delle best-practice per un'implementazione sicura [Multi-factor authentication procedures based on push notifications: state-of-the-art analysis and best-practice specification for a secure implementation]
    Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta