Umberto Morelli Technologist

Technologist at the Security & Trust Research Unit of the FBK Cybersecurity Center

Representative for the ISO 9001:2015 and ISO 27001:2022 certification for the Cybersecurity Center.

Eight years experience in line with three objectives:

Support the security-by-design and security-by-default paradigms in established technologies by developing tools to aid cybersecurity architects and developers. Notable examples:
- Development and extension of SecurePG, a Java tool for the local generation and evaluation of access control policies in cloud environments (Amazon AWS and OpenStack platforms); and for migrating identities and permissions (expressed in natural language) to/from the cloud.
- Collaborative development MQTTSA, a Python tool to automatically detect security misconfigurations in MQTT environments and provide a pdf report of the security best practices, the potential vulnerabilities, and a list of actionable mitigations.
- Contribute to developing an interface to automatically host a secure MQTT service (and evaluate its performance according to different scenarios).
Develop prototypes with emerging technologies to support their secure adoption, or leverage their potential to enhance the protection of users and their data. Significant cases:
- Collaboratively design, develop and test a Kotlin Android mobile application and a set of Python backend microservices to host a secure remote voting election (created in a multidisciplinary working group).
- Use Hyperledger Fabric, a private distributed ledger, to access health data securely.
- Experiment with using the Italian identity card (CIE 3.0) in the following use cases: Home Automation, Automotive and enterprise services (such as Pull Printing).
Raise awareness on cybersecurity issues and best practices, mainly in Cloud and IoT environments. Among the activities:
- Participation at local events, such as ISACA, ProM, and Webvalley, and provision of University seminars, workshops, and lessons for specialised institutes (e.g., the ITT Buonarroti in Trento).
- Tutor for Security&Trust internship students and coach for young researchers.
- Contribute to developing a laboratory to experiment with students on IT/OT infrastructures and related cybersecurity issues.

I’m passionate about state-of-the-art approaches (e.g., for identity management and cloud/edge access control), cutting-edge security solutions (e.g., following the zero-trust approach and leveraging the cyber-threat intelligence), and technologies that impact society: e-voting, digital wallets and the secure offering of public services (such as TreC - the healthcare platform for the citizens of Trento).

I’m currently contributing to MERIT, a 4-year EU project launched in Oct. 2022, which includes Universities, SMEs, DIH, and FBK as an Excellence Center, with the primary goal of creating a University master programme on the most relevant AI, CS and IoT topics; to upskill MERIT members with targeted initiatives, as well as support the dissemination activities of the identified target groups.

Publications

2024

Riccardo Longo, Majid Mollaeefar, Umberto Morelli, Chiara Spadafora, Alessandro Tomasi, Silvio Ranise
Modeling and Assessing Coercion Threats in Electronic Voting
In: 19th International Conference on Risks and Security of Internet and Systems (CRiSIS 2024) (DOI, news)
Awards: Best Paper Award at CRiSIS 2024

2023

Matteo Bitussi, Riccardo Longo, Francesco Antonio Marino, Umberto Morelli, Amir Sharif, Chiara Spadafora, Alessandro Tomasi
Coercion-resistant i-voting with short PIN and OAuth 2.0
In: International Joint Conference on Electronic Voting (E-Vote-ID 2023) (DOI)

2022

Tahir Ahmad, Umberto Morelli, Silvio Ranise
Distributed Enforcement of Access Control policies in Intelligent Transportation System (ITS) for Situation Awareness
In: 17th International Workshop on Frontiers in Availability, Reliability and Security (FARES2022) (DOI, news)
Stefano Berlato, Roberto Carbone, Umberto Morelli, Silvio Ranise
End-to-End Protection of IoT Communications Through Cryptographic Enforcement of Access Control Policies
In: Proceedings of the 36th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2022) (DOI, complementary material)

2021

Umberto Morelli, Ivan Vaccari, Silvio Ranise, Enrico Cambiaso
DoS Attacks in Available MQTT Implementations: Investigating the Impact on Brokers and Devices, and supported Anti-DoS Protections.
In: The 5th International Workshop on Security and Forensics of IoT (IoT-SECFOR 2021) (complementary material, news)
Tahir Ahmad, Umberto Morelli, Silvio Ranise, Nicola Zannone
Extending access control in AWS IoT through event-driven functions: an experimental evaluation using a smart lock system
In: International Journal of Information Security (DOI)
Matteo Leonelli, Umberto Morelli, Silvio Ranise, Giada Sciarretta
Secure Pull Printing with QR Codes and National eID Cards: A Software-oriented Design and an Open-source Implementation
In: Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy (CODASPY 2021) (DOI, complementary material, news)

2020

Tahir Ahmad, Umberto Morelli, Silvio Ranise
Deploying Access Control Enforcement for IoT in the Cloud-Edge Continuum with the help of the CAP Theorem
In: 25th ACM Symposium on Access Control Models And Technologies (SACMAT 2020) (news)

2019

Umberto Morelli, Silvio Ranise, Lorenzo Nicolodi
An Open and Flexible CyberSecurity Training Laboratory in IT/OT Infrastructures
In: 1st Model-driven Simulation and Training Environments for Cybersecurity Workshop (MSTEC 2019) (DOI, news)
Umberto Morelli, Silvio Ranise, Damiano Sartori, Giada Sciarretta, Alessandro Tomasi
Audit-Based Access Control with a Distributed Ledger: Applications to Healthcare Organizations
In: 15th International Workshop on Security and Trust Management (STM 2019) (DOI, news)
Andrea Palmieri, Paolo Prem, Silvio Ranise, Umberto Morelli, Tahir Ahmad
MQTTSA: A Tool for Automatically Assisting the Secure Deployments of MQTT brokers
In: IEEE SERVICES Workshop on Cyber Security & Resilience in the Internet of Things (IEEE SERVICES CSRIoT 2019) (DOI, news)

2018

Tahir Ahmad, Umberto Morelli, Silvio Ranise, Nicola Zannone
A Lazy Approach to Access Control as a Service (ACaaS) for IoT: An AWS Case Study
In: 23rd ACM Symposium on Access Control Models And Technologies (SACMAT 2018) (DOI, news)

2017

Umberto Morelli, Silvio Ranise
Assisted Authoring, Analysis and Enforcement of Access Control Policies in the Cloud
In: 32nd International Conference on ICT Systems Security and Privacy Protection (IFIPSEC 2017) (DOI, news)
Avinash Sudhodanan, Roberto Carbone, Luca Compagna, Nicolas Dolgin, Alessandro Armando, Umberto Morelli
Large-scale Analysis & Detection of Authentication Cross-Site Request Forgeries
In: 2nd IEEE European Symposium on Security and Privacy (EUROS&P 2017) (DOI, news)

Projects

Former

F&C eVoting

Dissemination

2023

March 26, 2023 • Specialized
Umberto Morelli
Identity and ABAC in AWS and Azure
Workshop for the "Fog and Cloud Computing" Master Course at UniTN

2021

September 24, 2021 • General
Salvatore Manfredi, Umberto Morelli, Giada Sciarretta, Alessandro Tomasi
Siamo al sicuro? Mettiamoci alla prova! Avvicinamento alla sicurezza informatica
Notte dei Ricercatori 2021 (Event)

2019

October 5, 2019 • General
Umberto Morelli
Come comunicano gli oggetti smart? Lo fanno in maniera sicura?
ISACA 2019

September 27, 2019 • General
Salvatore Manfredi, Umberto Morelli, Alessandro Tomasi
Ti senti al sicuro? Sicurezza online, identità digitale e uso della carta d'identità elettronica
Notte dei Ricercatori 2019 (Event, Program)

March 21, 2019 • Specialized
Umberto Morelli
Blockchain and distributed ledger technologies: Risks and opportunities for healthcare
LawTech IT seminars

February 18-22, 2019 • School
Matteo Leonelli, Salvatore Manfredi, Umberto Morelli, Giada Sciarretta, Silvio Ranise
Pro[M] Camp 2019
Pro[M] Camp 2019 (Event)

2018

June 27, 2018 • School
Umberto Morelli
Blockchain and distributed ledger technologies: Risks and opportunities for healthcare
Webvalley

Supervised Theses

2022

Stefano Da Roit (Bachelor's Thesis, University of Trento, 2022)
Automated Detection of DoS Attacks in MQTT 5.0 Brokers
Supervisor: Silvio Ranise | Co-supervisor: Umberto Morelli

2021

Matteo Leonelli (Bachelor's Thesis, University of Trento, 2021)
Open and Cross-platform Ecosystem for Enterprise Services: Secure and Authenticated Access with the use of Italian Identity Cards and FIDO
Supervisor: Silvio Ranise | Co-supervisor: Umberto Morelli
Lorenzo Bellesso (Postgraduate Thesis, University of Genoa, 2021)
Implementazione di una soluzione di generazione e rilascio credenziali in ambito IoT fondata sull'uso della Carta d'Identità Elettronica (CIE)
Supervisor: Silvio Ranise | Co-supervisor: Umberto Morelli

2019

Carlotta Tagliaro (Bachelor's Thesis, University of Trento, 2019)
Security and Performance tradeoffs in the Internet of Things
Supervisor: Silvio Ranise | Co-supervisor: Umberto Morelli
Awards: 4th place at thesis award "Innovare la sicurezza delle informazioni 2020", sponsored by CLUSIT

2018

Mirko Schicchi (Bachelor's Thesis, 2018)
IOTA and the Internet of Things: A possible solution for autonomous driving vehicles
Supervisor: Silvio Ranise | Co-supervisors: Umberto Morelli, Alessandro Tomasi
Enrico Donatoni (Bachelor's Thesis, University of Trento, 2018)
Blockchain in Finance: a comparison of Ripple, Quorum and Corda
Supervisor: Silvio Ranise | Co-supervisors: Umberto Morelli, Alessandro Tomasi
Damiano Sartori (Bachelor's Thesis, University of Trento, 2018)
Attribute Based Access Control over a Hyperledger Fabric Network: An application for Electronic Health Records
Supervisor: Silvio Ranise | Co-supervisors: Umberto Morelli, Alessandro Tomasi

Contacts

Links