Security & Trust

Roberto Carbone

Head of Unit

Roberto Carbone has been the head of the Security and Trust Research Unit of the Center for Cybersecurity at Fondazione Bruno Kessler since January 2021. He has been a researcher in the Security & Trust unit since 2010.

He received his Ph.D. in Electronic and Computer Engineering and Telecommunications from the University of Genova (Italy) in 2009. His previous appointments include a period as a visiting scholar in the Department of Computer Science at the University of Pittsburgh (Pennsylvania, US). He has been involved in several international and national research projects and industrial collaborations.

His research focuses on digital identity management and the (formal) analysis of security protocols and services.

Publications

2024

  • Majid Mollaeefar, Eleonora Marchesini, Roberto Carbone, Silvio Ranise
    A Risk-based Approach to Trustworthy AI Systems for Judicial Procedures
    In: 4th CINI National Conference on Artificial Intelligence (Ital-IA 2024) (URL, news)
  • Marco Pernpruner, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    An Automated Multi-Layered Methodology to Assist the Secure and Risk-Aware Design of Multi-Factor Authentication Protocols
    In: IEEE Transactions on Dependable and Secure Computing (TDSC), Volume 21, Issue 4, July/August 2024, Pages 1935-1950 (DOI, complementary material, news)
  • Andrea Bisegna, Matteo Bitussi, Roberto Carbone, Luca Compagna, Silvio Ranise, Avinash Sudhodanan
    CSRFing the SSO Waves: Security Testing of SSO-Based Account Linking Process
    In: 9th IEEE European Symposium on Security and Privacy (EUROS&P 2024) (DOI, complementary material)
  • Andrea Bisegna, Matteo Bitussi, Roberto Carbone, Silvio Ranise
    Enhancing Security Testing for Identity Management Implementations: Introducing Micro-Id-Gym Language and Micro-Id-Gym Testing Tool
    In: IEEE Security & Privacy (DOI, news)

2023

  • Gianluca Sassetti, Amir Sharif, Giada Sciarretta, Roberto Carbone, Silvio Ranise
    Assurance, Consent and Access Control for Privacy-Aware OIDC Deployments
    In: Proceedings of the 37th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2023) (DOI, news)
  • Zahra Ebadi Ansaroudi, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    Control is Nothing Without Trust: A First Look into Digital Identity Wallet Trends
    In: Proceedings of the 37th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2023) (DOI)
  • Amir Sharif, Francesco Antonio Marino, Giada Sciarretta, Giuseppe De Marco, Roberto Carbone, Silvio Ranise
    Cross-Domain Sharing of User Claims: A Design Proposal for OpenID Connect Attribute Authorities
    In: 18th International Conference on Availability, Reliability and Security (ARES 2023) (DOI, news)
  • Luca Verderame, Luca Caviglione, Roberto Carbone, Alessio Merlo
    SecCo: Automated Services to Secure Containers in the DevOps Paradigm
    In: 2023 International Conference on Research in Adaptive and Convergent Systems (RACS 2023) (DOI)

2022

  • Stefano Berlato, Roberto Carbone, Umberto Morelli, Silvio Ranise
    End-to-End Protection of IoT Communications Through Cryptographic Enforcement of Access Control Policies
    In: Proceedings of the 36th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2022) (DOI, complementary material)
  • Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    SoK: A Survey on Technological Trends for (pre)Notified eIDAS Electronic Identity Schemes
    In: 17th International Workshop on Frontiers in Availability, Reliability and Security (FARES2022) (DOI, complementary material, news)
    Awards: Best paper award
  • Amir Sharif, Matteo Ranzi, Roberto Carbone, Giada Sciarretta, Francesco Antonio Marino, Silvio Ranise
    The eIDAS Regulation: A Survey of Technological Trends for European Electronic Identity Schemes
    In: MDPI Journal of Applied Science (APPLSCI) (DOI, complementary material, news)

2021

  • Salimeh Dashti, Amir Sharif, Roberto Carbone, Silvio Ranise
    Automated Risk Assessment and What-if Analysis of OpenID Connect and OAuth 2.0 Deployments
    In: Proceedings of the 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2021) (news)
  • Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    Best Current Practices for OAuth/OIDC Native Apps: A Study of their Adoption in Popular Providers and Top-Ranked Android Clients
    In: Journal of Information Security and Applications (JISA) (DOI, news)
  • Andreas Heider-Aviet, Danny Roswin Ollik, Stefano Berlato, Silvio Ranise, Roberto Carbone, Van Thanh Le, Nabil El Ioini, Claus Pahl, Hamid R. Berzegar
    Blockchain Based RAN Data Sharing
    In: IEEE International Conference on Smart Data Services (SMDS 2021) (DOI)
  • Stefano Berlato, Roberto Carbone, Silvio Ranise
    Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment
    In: 18th International Conference on Security and Cryptography (SECRYPT 2021) (complementary material, news)
  • Andrea Bisegna, Roberto Carbone, Silvio Ranise
    Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
    In: 4th International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2021) (DOI)
  • Marco Centenaro, Stefano Berlato, Roberto Carbone, Gianfranco Burzio, Giuseppe Faranda Cordella, Roberto Riggio, Silvio Ranise
    Safety-Related Cooperative, Connected, and Automated Mobility Services: Interplay Between Functional and Security Requirements
    In: IEEE Vehicular Technology Magazine, Volume 16, Issue 4, December 2021, Pages 78-88 (DOI)

2020

  • Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    Automated and Secure Integration of the OpenID Connect iGov Profile in Mobile Native Applications
    In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2020) (DOI, complementary material)
  • Andrea Bisegna, Roberto Carbone, Mariano Ceccato, Salvatore Manfredi, Silvio Ranise, Giada Sciarretta, Alessandro Tomasi, Emanuele Viglianisi
    Automated Assistance to the Security Assessment of API for Financial Services
    In: Cyber-Physical Threat Intelligence for Critical Infrastructures Security: A Guide to Integrated Cyber-Physical Protection of Modern Critical Infrastructures (DOI)
  • Stefano Berlato, Roberto Carbone, Adam J. Lee, Silvio Ranise
    Exploring Architectures for Cryptographic Access Control Enforcement in the Cloud for Fun and Optimization
    In: 15th ACM ASIA Conference on Computer and Communications Security (ASIACCS 2020) (DOI, complementary material, news)
  • Roberto Carbone, Silvio Ranise, Giada Sciarretta, Luca Viganò
    Formal Analysis of Mobile Multi-Factor Authentication with Single Sign-On Login
    In: ACM Transactions on Privacy and Security (TOPS) (DOI, complementary material, news)
  • Stefano Berlato, Roberto Carbone, Adam J. Lee, Silvio Ranise
    Formal Modelling and Automated Trade-Off Analysis of Enforcement Architectures for Cryptographic Access Control in the Cloud
    In: ACM Transactions on Privacy and Security (TOPS) (complementary material)
  • Andrea Bisegna, Roberto Carbone, Giulio Pellizzari, Silvio Ranise
    Micro-Id-Gym: a Flexible Tool for Pentesting Identity Management Protocols in the Wild and in the Laboratory
    In: 3rd International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2020) (DOI)
  • Marco Centenaro, Stefano Berlato, Roberto Carbone, Gianfranco Burzio, Giuseppe Faranda Cordella, Silvio Ranise, Roberto Riggio
    Security Considerations on 5G-Enabled Back-Situation Awareness for CCAM
    In: 3rd IEEE 5G World Forum (5GWF20) (news)
  • Marco Pernpruner, Roberto Carbone, Silvio Ranise, Giada Sciarretta
    The Good, the Bad and the (Not So) Ugly of Out-Of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis
    In: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy (CODASPY 2020) (DOI, complementary material, news)

2019

  • Amir Sharif, Roberto Carbone, Silvio Ranise, Giada Sciarretta
    A Wizard-Based Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps
    In: 16th International Conference on Security and Cryptography (SECRYPT 2019) (DOI, complementary material, news)
  • Andrea Bisegna, Roberto Carbone, Ivan Martini, Valentina Odorizzi, Giulio Pellizzari, Silvio Ranise
    Micro-Id-Gym: Identity Management Workouts with Container-Based Microservices
    In: International Journal of Information Security and Cybercrime (IJISP), Volume 8, Issue 1 (DOI)
  • Federico Sinigaglia, Roberto Carbone, Gabriele Costa, Silvio Ranise
    MuFASA: A Tool for High-level Specification and Analysis of Multi-factor Authentication Protocols
    In: Emerging Technologies for Authorization and Authentication (ETAA 2019) (DOI, complementary material, news)

2018

  • Roberto Carbone, Silvio Ranise, Giada Sciarretta
    Design and Security Assessment of Usable Multi-factor Authentication and Single Sign-On Solutions for Mobile Applications
    In: Privacy and Identity Management. Fairness, Accountability, and Transparency in the Age of Big Data (DOI)
  • Giada Sciarretta, Roberto Carbone, Silvio Ranise, Luca Viganò
    Design, Formal Specification and Analysis of Multi-Factor Authentication Solutions with a Single Sign-On Experience
    In: Principles of Security and Trust (POST 2018) (DOI, news)

2017

  • Giada Sciarretta, Roberto Carbone, Silvio Ranise, Alessandro Armando
    Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements
    In: Computers & Security Journal (COSE), Volume 71, November 2017, Pages 71-86 (DOI)
  • Avinash Sudhodanan, Roberto Carbone, Luca Compagna, Nicolas Dolgin, Alessandro Armando, Umberto Morelli
    Large-scale Analysis & Detection of Authentication Cross-Site Request Forgeries
    In: 2nd IEEE European Symposium on Security and Privacy (EUROS&P 2017) (DOI, news)
  • Federico Sinigaglia, Gabriele Costa, Roberto Carbone
    Strong Authentication for e-Banking: a Survey on European Regulations and Implementations
    In: 14th International Conference on Security and Cryptography (SECRYPT 2017) (DOI, news)

2016

  • Giada Sciarretta, Roberto Carbone, Silvio Ranise
    A delegated authorization solution for smart-city mobile applications
    In: 2nd International Forum on Research and Technologies for Society and Industry (RTSI 2016) (DOI)
  • Avinash Sudhodanan, Alessandro Armando, Luca Compagna, Roberto Carbone
    Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications
    In: Network and Distributed System Security Symposium (NDSS 2016) (news)
  • Giada Sciarretta, Alessandro Armando, Roberto Carbone, Silvio Ranise
    Security of Mobile Single Sign-On: a Rational Reconstruction of Facebook Login Solution
    In: 13th International Conference on Security and Cryptography (SECRYPT 2016) (DOI, news)

2014

  • Alessandro Armando, Roberto Carbone, Eyasu Getahun Chekole, Silvio Ranise
    Attribute Based Access Control for APIs in Spring Security
    In: 18th ACM Symposium on Access Control Models and Technologies (SACMAT 2014) (DOI, news)
  • Alessandro Armando, Roberto Carbone, Luca Compagna
    SATMC: A SAT-Based Model Checker for Security-Critical Systems
    In: 20th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2014) (DOI)
  • Alessandro Armando, Roberto Carbone, Eyasu Getahun Chekole, Claudio Petrazzuolo, Andrea Ranalli, Silvio Ranise
    Selective Release of Smart Metering Data in Multi-domain Smart Grids
    In: Second Open EIT ICT Labs Workshop on Smart Grid Security (SmartGridSec14) (DOI, news)

2011

  • Alessandro Armando, Roberto Carbone, Silvio Ranise
    Automated analysis of semantic-aware access control policies: a logic-based approach
    In: 2011 IEEE Fifth International Conference on Semantic Computing (ICSC 2011) (DOI)

Dissemination

2024

  • January 19, 2024 • Specialized
    Amir Sharif, Giada Sciarretta, Roberto Carbone, Silvio Ranise, Francesco Antonio Marino, Giuseppe De Marco
    Waiting for the EUDI Wallet: Securing the transition from SAML 2.0 to OpenID Connect
    OpenID Summit Tokyo 2024 (Event)

2022

  • May 5, 2022 • Specialized
    Roberto Carbone, Giuseppe De Marco, Francesco Antonio Marino, Silvio Ranise, Giada Sciarretta, Amir Sharif
    Cross-Domain Sharing of User Claims: A Proposal for OIDC
    OAuth Security Workshop (OSW) 2022 (Event)

2021

  • March 11, 2021 • Specialized
    Andrea Bisegna, Roberto Carbone, Marco Pernpruner, Silvio Ranise
    Scenarios, approaches and experiences of strong authentication before and after the PSD2 directive
    Tech Talk (DedaGroup)

2019

  • March 22, 2019 • Specialized
    Roberto Carbone, Silvio Ranise, Giada Sciarretta, Amir Sharif
    An Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps
    OAuth Security Workshop (OSW) 2019 (Event, Program)

Supervised Theses

2024

  • Stefano Berlato (PhD Thesis, University of Genoa, 2024)
    A Security Service for Performance-Aware End-to-End Protection of Sensitive Data in Cloud Native Applications (link)
    Supervisor: Silvio Ranise | Co-supervisor: Roberto Carbone
  • Roberto Savi (Bachelor's Thesis, University of Trento, 2024)
    Integrating Pentesting Tools for Identity Management Protocols into DevSecOps: The MIG-T Use Case
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone, Laura Cristiano, Pietro De Matteis
  • Pier Guido Seno (Bachelor's Thesis, University of Trento, 2024)
    From Local to Remote: Enhancing MIG-T Pentesting Tool with SaaS for Securing Digital Identity
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone, Laura Cristiano

2023

  • Luigi Dell'Eva (Bachelor's Thesis, University of Trento, 2023)
    Chatting is Healthy: How Better Cybersecurity Hygiene can be Obtained by Integrating Chatbots with Pentesting Tools
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone, Eleonora Marchesini
  • Ion Andy Ditu (Bachelor's Thesis, University of Trento, 2023)
    Leveraging Trusted Execution Environment for Efficient Revocation and Security in Cryptographic Access Control
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato
  • Gianluca Sassetti (Master's Thesis, University of Trento, 2023)
    Privacy Guidelines and Compliance Analysis for OpenID Connect Deployments
    Supervisor: Silvio Ranise | Co-supervisors: Amir Sharif, Giada Sciarretta, Roberto Carbone
  • Erica Elia (Master's Thesis, University of Trento, 2023)
    A Key Recovery Protocol based on Threshold Secret Sharing for Cryptographic Access Control in the Cloud: The CryptoAC use case
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato
  • Andrea Bisegna (PhD Thesis, University of Genoa, 2023)
    Automated Security Testing for Identity Management of Large-scale Digital Infrastructures (link)
    Supervisor: Silvio Ranise | Co-supervisor: Roberto Carbone
  • Alessandro Biasi (Bachelor's Thesis, University of Trento, 2023)
    Syntax and Semantics of a Declarative Language for Security Testing of Browser-based Security Protocols
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone

2022

  • Matteo Bitussi (Bachelor's Thesis, University of Trento, 2022)
    Declarative Specification of Pentesting Strategies for Browser-based Security Protocols: the Case Studies of SAML and OAuth/OIDC
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Eleonora Marchesini (Master's Thesis, University of Trento, 2022)
    Design and Implementation of a Cybersecurity Chatbot for Identity Management Protocols: the SAML and Slack Use Case
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Sofia Zanrosso (Bachelor's Thesis, University of Trento, 2022)
    Enlarging the Pen-Test Coverage of SAML Single Sign-On Solutions with Cyber Threat Intelligence
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Michele Zucchelli (Bachelor's Thesis, University of Trento, 2022)
    Pimp My Micro-Id-Gym: Enhancing the Automation and Usability of a Security Testing Tool for Digital Identity Protocol
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Giuseppe Alessio Sciumè (Bachelor's Thesis, University of Trento, 2022)
    A Comprehensive Analysis of the OAuth 2.0 Threat Model to Develop a Chatbot Providing Actionable Security Suggestions
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Andrea Bisegna
  • Enrico Marconi (Bachelor's Thesis, University of Trento, 2022)
    Combining Blockchain-as-a-Service and Cryptographic Access Control for Secure Data Sharing Across Multiple Organizations
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato
  • Alessandro Colombo (Bachelor's Thesis, University of Trento, 2022)
    Attribute Based Encryption for Advanced Data Protection in IoT with MQTT
    Supervisor: Silvio Ranise | Co-supervisors: Stefano Berlato, Roberto Carbone

2021

  • Wendy Barreto (Bachelor's Thesis, University of Trento, 2021)
    Design and implementation of an attack pattern language for the automated pentesting of OAuth/OIDC deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Veronica Cristiano (Master's Thesis, University of Trento, 2021)
    Key Management for Cryptographic Enforcement of Access Control Policies in the Cloud: The CryptoAC use case
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato
  • Luca Bazzanella (Bachelor's Thesis, University of Trento, 2021)
    Analysis of the State of the Art of DevSecOps: The Gitlab case study
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Francesco Defilippo (Bachelor's Thesis, University of Trento, 2021)
    Attack Patterns for Pentesting SAML 2.0 Web Browser Single Sign-On deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Chaudhry Muhammad Suleman (Master's Thesis, University of Trento, 2021)
    Cyber-security Risk Assessment for Cooperative, Connected and Automated Mobility Application to Cooperative Lane Merging
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato
  • Amir Sharif (PhD Thesis, University of Genoa, 2021)
    Analysis of Best Current Practices to Assist Native App Developers with Secure OAuth/OIDC Implementations (link)
    Supervisor: Roberto Carbone | Co-supervisors: Silvio Ranise, Giada Sciarretta

2020

  • Stefano Facchini (Bachelor's Thesis, University of Trento, 2020)
    Design and implementation of an automated tool for checking SAML SSO vulnerabilities and SPID compliance
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Giulio Pellizzari (Master's Thesis, University of Trento, 2020)
    Micro-Id-Gym: A Tool to Support Sandboxing and Automated Pentesting of Identity Management Protocols
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Federico Sinigaglia (PhD Thesis, University of Genoa, 2020)
    Security Analysis of Multi-Factor Authentication Security Protocols (link)
    Supervisors: Roberto Carbone, Gabriele Costa
  • Claudio Grisenti (Bachelor's Thesis, University of Trento, 2020)
    A pentesting tool for OAuth and OIDC deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone

2019

  • Stefano Berlato (Master's Thesis, University of Trento, 2019)
    A Pragmatic Approach to Handle "Honest But Curious" Cloud Service Providers: Cryptographic Enforcement of Dynamic Access Control Policies
    Supervisor: Silvio Ranise | Co-supervisor: Roberto Carbone
    Awards: 3rd place at thesis award "Innovare la sicurezza delle informazioni 2020", sponsored by CLUSIT
  • Marco Pernpruner (Master's Thesis, University of Verona, 2019)
    A passwordless out-of-band authentication protocol based on eID cards and push notifications: Design and formal security analysis
    Supervisor: Massimo Merro | Co-supervisors: Giada Sciarretta, Roberto Carbone
  • Lorenzo Tait (Bachelor's Thesis, University of Trento, 2019)
    A Customized Threat Modeling for Secure Deployment And Pentesting of SAML SSO Solutions
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone

2018

  • Valentina Odorizzi (Bachelor's Thesis, University of Trento, 2018)
    Design and development of a tool for the automated analysis of "Missing XML Validation" vulnerabilities in SAML SSO
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Saverio Turetta (Bachelor's Thesis, University of Trento, 2018)
    Analysis of the State of the Art in Android Dynamic Analysis Tools
    Supervisor: Silvio Ranise | Co-supervisors: Roberto Carbone, Amir Sharif
  • Ivan Martini (Bachelor's Thesis, University of Trento, 2018)
    An automated security testing framework for SAML SSO deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Giulio Pellizzari (Bachelor's Thesis, University of Trento, 2018)
    Design and implementation of a tool to detect Login Cross-Site Request Forgery in SAML SSO: G Suite case study
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Giada Sciarretta (PhD Thesis, University of Trento, 2018)
    A Methodology for the Design and Security Assessment of Mobile Identity Management: Applications to real-world scenarios (link)
    Supervisor: Silvio Ranise | Co-supervisors: Alessandro Armando, Roberto Carbone

2017

  • Avinash Sudhodanan (PhD Thesis, University of Trento, 2017)
    Black-Box Security Testing of Browser-Based Security Protocols (link)
    Supervisor: Alessandro Armando | Co-supervisors: Roberto Carbone, Luca Compagna