Security & Trust

Roberto Carbone

Roberto Carbone, Head of Unit

Publications

2023

  • Gianluca Sassetti, Amir Sharif, Giada Sciarretta, Roberto Carbone, Silvio Ranise
    Assurance, Consent and Access Control for Privacy-Aware OIDC Deployments
    In: Proceedings of the 37th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2023)
  • Amir Sharif, Francesco Antonio Marino, Giada Sciarretta, Giuseppe De Marco, Roberto Carbone, Silvio Ranise
    Cross-Domain Sharing of User Claims: A Design Proposal for OpenID Connect Attribute Authorities
    In: 18th International Conference on Availability, Reliability and Security (ARES 2023)

2022

  • Stefano Berlato, Roberto Carbone, Umberto Morelli, Silvio Ranise
    End-to-End Protection of IoT Communications Through Cryptographic Enforcement of Access Control Policies
    In: Proceedings of the 36th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2022)
  • Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    SoK: A Survey on Technological Trends for (pre)Notified eIDAS Electronic Identity Schemes
    In: 17th International Workshop on Frontiers in Availability, Reliability and Security (FARES 2022)
  • Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Francesco Antonio Marino, Silvio Ranise
    The eIDAS Regulation: A Survey of Technological Trends for European Electronic Identity Schemes
    In: MDPI Journal of Applied Science (APPLSCI)

2021

  • Salimeh Dashti, Amir Sharif, Roberto Carbone, Silvio Ranise
    Automated Risk Assessment and What-if Analysis of OpenID Connect and OAuth 2.0 Deployments
    In: Proceedings of the 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2021)
  • Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    Best Current Practices for OAuth/OIDC Native Apps: A Study of their Adoption in Popular Providers and Top-Ranked Android Clients
    In: Journal of Information Security and Applications (JISA)
  • Andreas Heider-Aviet, Danny Roswin Ollik, Stefano Berlato, Silvio Ranise, Roberto Carbone, Van Thanh Le, Nabil El Ioini, Claus Pahl, Hamid R. Berzegar
    Blockchain Based RAN Data Sharing
    In: IEEE International Conference on Smart Data Services (SMDS 2021)
  • Stefano Berlato, Roberto Carbone, Silvio Ranise
    Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment
    In: 18th International Conference on Security and Cryptography (SECRYPT 2021)
  • Andrea Bisegna, Roberto Carbone, Silvio Ranise
    Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
    In: 4th International Workshop on Emerging Technologies for Authorization and Authentication (ETAA 2021)
  • Marco Centenaro, Stefano Berlato, Roberto Carbone, Gianfranco Burzio, Giuseppe Faranda Cordella, Roberto Riggio, Silvio Ranise
    Safety-Related Cooperative, Connected, and Automated Mobility Services: Interplay Between Functional and Security Requirements
    In: IEEE Vehicular Technology Magazine, Volume 16, Issue 4, December 2021, Pages 78-88

2020

  • Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    Automated and Secure Integration of the OpenID Connect iGov Profile in Mobile Native Applications
    In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA 2020)
  • Andrea Bisegna, Roberto Carbone, Mariano Ceccato, Salvatore Manfredi, Silvio Ranise, Giada Sciarretta, Alessandro Tomasi, Emanuele Viglianisi
    Automated Assistance to the Security Assessment of API for Financial Services
    In: Cyber-Physical Threat Intelligence for Critical Infrastructures Security: A Guide to Integrated Cyber-Physical Protection of Modern Critical Infrastructures (book chapter)
  • Stefano Berlato, Roberto Carbone, Adam J. Lee, Silvio Ranise
    Exploring Architectures for Cryptographic Access Control Enforcement in the Cloud for Fun and Optimization
    In: 15th ACM ASIA Conference on Computer and Communications Security (ASIACCS 2020)
  • Roberto Carbone, Silvio Ranise, Giada Sciarretta, Luca Viganò
    Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login
    In: ACM Transactions on Privacy and Security (TOPS)
  • Stefano Berlato, Roberto Carbone, Adam J. Lee, Silvio Ranise
    Formal Modelling and Automated Trade-Off Analysis of Enforcement Architectures for Cryptographic Access Control in the Cloud
    In: ACM Transactions on Privacy and Security (TOPS)
  • Andrea Bisegna, Roberto Carbone, Giulio Pellizzari, Silvio Ranise
    Micro-Id-Gym: a Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory
    In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA 2020)
  • Marco Centenaro, Stefano Berlato, Roberto Carbone, Gianfranco Burzio, Giuseppe Faranda Cordella, Silvio Ranise, Roberto Riggio
    Security Considerations on 5G-Enabled Back-Situation Awareness for CCAM
    In: 3rd IEEE 5G World Forum (5GWF 2020)
  • Marco Pernpruner, Roberto Carbone, Silvio Ranise, Giada Sciarretta
    The Good, the Bad and the (Not So) Ugly of Out-Of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis
    In: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy (CODASPY 2020)

2019

  • Amir Sharif, Roberto Carbone, Silvio Ranise, Giada Sciarretta
    A Wizard-Based Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps
    In: 16th International Conference on Security and Cryptography (SECRYPT 2019)
  • Andrea Bisegna, Roberto Carbone, Ivan Martini, Valentina Odorizzi, Giulio Pellizzari, Silvio Ranise
    Micro-Id-Gym: Identity Management Workouts with Container-Based Microservices
    In: International Journal of Information Security and Cybercrime (IJISC), Volume 8, Issue 1
  • Federico Sinigaglia, Roberto Carbone, Gabriele Costa, Silvio Ranise
    MuFASA: A Tool for High-level Specification and Analysis of Multi-factor Authentication Protocols
    In: 2nd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA 2019)

2018

  • Roberto Carbone, Silvio Ranise, Giada Sciarretta
    Design and Security Assessment of Usable Multi-factor Authentication and Single Sign-On Solutions for Mobile Applications
    In: Privacy and Identity Management. Fairness, Accountability, and Transparency in the Age of Big Data
  • Giada Sciarretta, Roberto Carbone, Silvio Ranise, Luca Viganò
    Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
    In: Principles of Security and Trust (POST 2018)

2017

  • Giada Sciarretta, Roberto Carbone, Silvio Ranise, Alessandro Armando
    Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements
    In: Computers & Security Journal (COSE), Volume 71, November 2017, Pages 71-86
  • Avinash Sudhodanan, Roberto Carbone, Luca Compagna, Nicolas Dolgin, Alessandro Armando, Umberto Morelli
    Large-scale Analysis & Detection of Authentication Cross-Site Request Forgeries
    In: 2nd IEEE European Symposium on Security and Privacy (EuroS&P 2017)
  • Federico Sinigaglia, Gabriele Costa, Roberto Carbone
    Strong Authentication for e-Banking: a Survey on European Regulations and Implementations
    In: 14th International Conference on Security and Cryptography (SECRYPT 2017)

2016

  • Giada Sciarretta, Roberto Carbone, Silvio Ranise
    A delegated authorization solution for smart-city mobile applications
    In: 2nd International Forum on Research and Technologies for Society and Industry (RTSI 2016)
  • Avinash Sudhodanan, Alessandro Armando, Luca Compagna, Roberto Carbone
    Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications
    In: Network and Distributed System Security Symposium (NDSS 2016)
  • Giada Sciarretta, Alessandro Armando, Roberto Carbone, Silvio Ranise
    Security of Mobile Single Sign-On: a Rational Reconstruction of Facebook Login Solution
    In: 13th International Conference on Security and Cryptography (SECRYPT 2016)

2014

  • Alessandro Armando, Roberto Carbone, Eyasu Getahun Chekole, Silvio Ranise
    Attribute Based Access Control for APIs in Spring Security
    In: 19th ACM Symposium on Access Control Models and Technologies (SACMAT 2014)
  • Alessandro Armando, Roberto Carbone, Luca Compagna
    SATMC: A SAT-Based Model Checker for Security-Critical Systems
    In: 20th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2014)
  • Alessandro Armando, Roberto Carbone, Eyasu Getahun Chekole, Claudio Petrazzuolo, Andrea Ranalli, Silvio Ranise
    Selective Release of Smart Metering Data in Multi-domain Smart Grids
    In: Second Open EIT ICT Labs Workshop on Smart Grid Security (SmartGridSec 2014)

2011

  • Alessandro Armando, Roberto Carbone, Silvio Ranise
    Automated analysis of semantic-aware access control policies: a logic-based approach
    In: 2011 IEEE Fifth International Conference on Semantic Computing (ICSC 2011)

Dissemination

2022

  • May 5, 2022 • Specialized
    Roberto Carbone, Giuseppe De Marco, Francesco Antonio Marino, Silvio Ranise, Giada Sciarretta, Amir Sharif
    Cross-Domain Sharing of User Claims: A Proposal for OIDC
    OAuth Security Workshop (OSW) 2022

2021

  • March 11, 2021 • Specialized
    Andrea Bisegna, Roberto Carbone, Marco Pernpruner, Silvio Ranise
    Scenarios, Approaches and Experiences of Strong Authentication Before and After the PSD2 Directive (original title in Italian: Scenari, approcci, esperienze di strong authentication pre e post direttiva PSD2)
    Tech Talk (DedaGroup)

2019

  • March 22, 2019 • Specialized
    Roberto Carbone, Silvio Ranise, Giada Sciarretta, Amir Sharif
    An Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps
    OAuth Security Workshop (OSW) 2019

Supervised Theses

2023

  • Luigi Dell'Eva (Bachelor's Thesis, University of Trento, 2023)
    Chatting is Healthy: How Better Cybersecurity Hygiene can be Obtained by Integrating Chatbots with Pentesting Tools
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Ion Andy Ditu (Bachelor's Thesis, University of Trento, 2023)
    Leveraging Trusted Execution Environment for Efficient Revocation and Security in Cryptographic Access Control
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato
  • Erica Elia (Master's Thesis, University of Trento, 2023)
    A Key Recovery Protocol based on Threshold Secret Sharing for Cryptographic Access Control in the Cloud: The CryptoAC use case
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato
  • Alessandro Biasi (Bachelor's Thesis, University of Trento, 2023)
    Syntax and Semantics of a Declarative Language for Security Testing of Browser-based Security Protocols
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone

2022

  • Matteo Bitussi (Bachelor's Thesis, University of Trento, 2022)
    Declarative Specification of Pentesting Strategies for Browser-based Security Protocols: the Case Studies of SAML and OAuth/OIDC
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Eleonora Marchesini (Master's Thesis, University of Trento, 2022)
    Design and Implementation of a Cybersecurity Chatbot for Identity Management Protocols: the SAML and Slack Use Case
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Sofia Zanrosso (Bachelor's Thesis, University of Trento, 2022)
    Enlarging the Pen-Test Coverage of SAML Single Sign-On Solutions with Cyber Threat Intelligence
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Michele Zucchelli (Bachelor's Thesis, University of Trento, 2022)
    Pimp My Micro-Id-Gym: Enhancing the Automation and Usability of a Security Testing Tool for Digital Identity Protocols
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Giuseppe Alessio Sciumè (Bachelor's Thesis, University of Trento, 2022)
    A Comprehensive Analysis of the OAuth 2.0 Threat Model to Develop a Chatbot Providing Actionable Security Suggestions
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Andrea Bisegna
  • Enrico Marconi (Bachelor's Thesis, University of Trento, 2022)
    Combining Blockchain-as-a-Service and Cryptographic Access Control for Secure Data Sharing Across Multiple Organizations
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato
  • Alessandro Colombo (Bachelor's Thesis, University of Trento, 2022)
    Attribute Based Encryption for Advanced Data Protection in IoT with MQTT
    Supervisor: Silvio Ranise | Co-supervisors: Stefano Berlato, Roberto Carbone

2021

  • Wendy Barreto (Bachelor's Thesis, University of Trento, 2021)
    Design and implementation of an attack pattern language for the automated pentesting of OAuth/OIDC deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Veronica Cristiano (Master's Thesis, University of Trento, 2021)
    Key Management for Cryptographic Enforcement of Access Control Policies in the Cloud: The CryptoAC use case
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato
  • Luca Bazzanella (Bachelor's Thesis, University of Trento, 2021)
    Analysis of the State of the Art of DevSecOps: The GitLab case study
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Francesco Defilippo (Bachelor's Thesis, University of Trento, 2021)
    Attack Patterns for Pentesting SAML 2.0 Web Browser Single Sign-On deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Chaudhry Muhammad Suleman (Master's Thesis, University of Trento, 2021)
    Cyber-security Risk Assessment for Cooperative, Connected and Automated Mobility Application to Cooperative Lane Merging
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato
  • Amir Sharif (PhD Thesis, University of Genoa, 2021)
    Analysis of Best Current Practices to Assist Native App Developers with Secure OAuth/OIDC Implementations
    Supervisor: Roberto Carbone | Co-supervisors: Silvio Ranise, Giada Sciarretta

2020

  • Stefano Facchini (Bachelor's Thesis, University of Trento, 2020)
    Design and implementation of an automated tool for checking SAML SSO vulnerabilities and SPID compliance
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Giulio Pellizzari (Master's Thesis, University of Trento, 2020)
    Micro-Id-Gym: A Tool to Support Sandboxing and Automated Pentesting of Identity Management Protocols
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Federico Sinigaglia (PhD Thesis, University of Genoa, 2020)
    Security Analysis of Multi-Factor Authentication Security Protocols
    Supervisors: Roberto Carbone, Gabriele Costa
  • Claudio Grisenti (Bachelor's Thesis, University of Trento, 2020)
    A pentesting tool for OAuth and OIDC deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone

2019

  • Stefano Berlato (Master's Thesis, University of Trento, 2019)
    A Pragmatic Approach to Handle "Honest But Curious" Cloud Service Providers: Cryptographic Enforcement of Dynamic Access Control Policies
    Supervisor: Silvio Ranise | Co-supervisor: Roberto Carbone
    Award: 3rd place in the thesis award "Innovare la sicurezza delle informazioni 2020" (Innovating Information Security 2020), sponsored by CLUSIT
  • Marco Pernpruner (Master's Thesis, University of Verona, 2019)
    A passwordless out-of-band authentication protocol based on eID cards and push notifications: Design and formal security analysis
    Supervisor: Massimo Merro | Co-supervisors: Giada Sciarretta, Roberto Carbone
  • Lorenzo Tait (Bachelor's Thesis, University of Trento, 2019)
    A Customized Threat Modeling for Secure Deployment and Pentesting of SAML SSO Solutions
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone

2018

  • Valentina Odorizzi (Bachelor's Thesis, University of Trento, 2018)
    Design and Development of a Tool for the Automated Analysis of "Missing XML Validation" Vulnerabilities in SAML SSO (original title in Italian: Progettazione e sviluppo di uno strumento per l'analisi automatica di vulnerabilità "Missing XML Validation" in SAML SSO)
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Saverio Turetta (Bachelor's Thesis, University of Trento, 2018)
    Analysis of the State of the Art in Android Dynamic Analysis Tools
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Amir Sharif
  • Ivan Martini (Bachelor's Thesis, University of Trento, 2018)
    An automated security testing framework for SAML SSO deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Giulio Pellizzari (Bachelor's Thesis, University of Trento, 2018)
    Design and implementation of a tool to detect Login Cross-Site Request Forgery in SAML SSO: G Suite case study
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Giada Sciarretta (PhD Thesis, University of Trento, 2018)
    A Methodology for the Design and Security Assessment of Mobile Identity Management: Applications to real-world scenarios
    Supervisor: Silvio Ranise | Co-supervisors: Alessandro Armando, Roberto Carbone

2017

  • Avinash Sudhodanan (PhD Thesis, University of Trento, 2017)
    Black-Box Security Testing of Browser-Based Security Protocols
    Supervisor: Alessandro Armando | Co-supervisors: Roberto Carbone, Luca Compagna