Security & Trust

Projects for Academic Year 2021-2022

Application Procedure

Apply to the internship projects you are interested in (up to 3) through the online form, by providing the requested data.

Supervisors should be contacted via email only to request information: please note that applications sent via email will not be taken into consideration.

First Call (November 2021)

Attack patterns for Identity Management protocols Not available

Description:

Identity Management (IdM) protocols are the protocols supporting Single-Sign On (SSO) which is an authentication schema allowing the user to access different services using the same set of credentials. Two of the most known IdM protocols are SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Several solutions for corporations like Google, Meta (Facebook) and for Public Administration like eIDAS and SPID are based on IdM protocols. We propose to define attack patterns for assessing the security of IdM implementations. This activity can include the implementation of a plugin.

Supervisors: Andrea Bisegna (a.bisegna@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites: Preferably basic knowledge of Java.

Topics: Identity Management protocols, Attack patterns, Penetration testing

References:

  1. https://st.fbk.eu/tools/Micro-Id-Gym.html
  2. https://github.com/stfbk/micro-id-gym

Attribute-based Encryption for Advanced Data Protection in IoT with MQTT Not available

Description:

While yielding many benefits, emerging paradigms such as the Edge and the Internet-of-Things (IoT) threaten the confidentiality of users' sensitive data. In such a complex and dynamic scenario, fine-grained Access Control (AC) policies are necessary to control data sharing. However, traditional approaches to AC leave data unencrypted and at the mercy of curious service providers. The main goal of this project is to investigate how Attribute-based Encryption (ABE) can guarantee advanced data protection from all unauthorized entities while enforcing fine-grained Attribute-based AC (ABAC) policies in IoT scenarios using the MQTT protocol.

Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites:

  • Basic knowledge of IT security
  • Basic knowledge of cryptography from cryptography-related courses
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin)

Objectives:

  • Familiarization and study of the state of the art in the use of ABE for advanced data protection in IoT scenarios with MQTT.
  • Evaluation of available techniques and design of a solution for cryptographic enforcement of ABAC policies in IoT scenarios with MQTT.
  • Implementation of the proposed approach in a tool developed and actively maintained by the Security&Trust unit in FBK.

Topics: Access Control, Cryptography, IoT

References:

  1. Stefano Berlato, Roberto Carbone, Silvio Ranise. Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment In 18th International Conference on Security and Cryptography (SECRYPT 2021).

Blockchain Meets Cryptographic Access Control for Advanced Data Protection Not available

Description:

Given the limited trust and the distributed nature of IoT and Edge scenarios, the Blockchain may be the solution to guarantee integrity and confidentiality of sensitive data at the cost of addressing scalable performance and consensus protocols. The main goal of this project is to investigate how Blockchain technologies such as Hyperledger [1] can synergize with cryptographic access control to efficiently guarantee advanced data protection.

Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites:

  • Basic knowledge of IT security
  • Basic knowledge of cryptography from cryptography-related courses
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin)

Objectives:

  • Familiarization and study of the state of the art in the use of the Blockchain for advanced data protection.
  • Evaluation of available techniques and design of a solution joining CAC with the Blockchain for high-assurance of data integrity and confidentiality.
  • Implementation of the proposed approach in a tool developed and actively maintained by the Security&Trust unit in FBK.

Topics: Access Control, Cryptography, Blockchain

References:

  1. https://www.hyperledger.org/
  2. Stefano Berlato, Roberto Carbone, Silvio Ranise. Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment In 18th International Conference on Security and Cryptography (SECRYPT 2021).

Dematerialized Identity Not available

Description:

Technology has already transformed the world of border security and efficient processing of passengers, for example through electronic Machine Readable Travel Documents (eMRTD), automated eGates, and use of biometrics. However, a newer generation of secure and efficient solutions are just beginning with the development of the Digital Travel Credential (DTC). In the context of a collaboration with Istituto Poligrafico Zecca dello Stato (IPZS), we are interested in the design and implementation of an Android application to store and show DTCs.

This topic can also involve two students, the final goal (develop a prototype mobile app for storing/showing dematerialized documents) will be in common, while the type of document will be different (e.g., DTC and mobile Driving Licence - mDL).

Supervisors: Giada Sciarretta (g.sciarretta@fbk.eu), Tahir Ahmad (ahmad@fbk.eu)

Prerequisites:

  • Experience of Android development
  • Basic knowledge of cyber-security

Objectives:

  • Study and design solutions based on DTC/mDL
  • Develop a prototype mobile app for storing/showing the DTC/mDL

Topic: Identity Management

References:

  1. https://unitingaviation.com/news/security-facilitation/replacing-a-conventional-passport-with-digital-travel-credentials/
  2. https://www.icao.int/Meetings/TRIP-Symposium-2019/PublishingImages/Pages/Presentations/Digital%20Travel%20Credentials.pdf
  3. https://www.iso.org/obp/ui/#iso:std:iso-iec:18013:-5:dis:ed-1:v1:en

Denial of Service attacks in MQTT 5.0 features Not available

Description:

MQTT is a lightweight message protocol standardized by OASIS and considered the de-facto standard for the Internet of Things (IoT). It follows the publish-subscribe paradigm, where a central entity (the broker) forwards messages received by publishing clients to subscribed clients via topics (a sort of message queues). As clients typically have constrained resources, Denial of Service (DoS) attacks are among the main security issues in IoT.

The goal of this project is to review the features introduced by OASIS in the last version of the MQTT protocol in light of their misuse to provoke DoS attacks to the clients or the broker: identify the features from the protocol v.5.0 specification and verify their adoption among the most widely used MQTT clients and brokers; then, implement the identified attacks in MQTTSA: a command-line tool that automatically detects misconfigurations in MQTT brokers and provides a report of the potential vulnerabilities and a list of recommendations and code snippets.

Supervisor: Umberto Morelli (umorelli@fbk.eu)

Time frame: January/February 2022

Prerequisites:

  • Experience in Python programming.
  • English.

Objectives:

  • Investigate the OASIS MQTT v.5.0 specification [1] for features that would enable client- and broker-side DoS attacks.
  • Review available literature.
  • Verify the correct adoption of the identified MQTT v.5.0 features among its most common broker and client implementations (at least two brokers and two clients).
  • Integrate the proposed approach in the DoS plugin of MQTTSA [2].

Topics: MQTT, Denial of Service (DoS)

References:

  1. https://docs.oasis-open.org/mqtt/mqtt/v5.0/mqtt-v5.0.html
  2. https://github.com/stfbk/mqttsa

Enhancing TLSAssistant analysis capabilities Not available

Description:

TLSAssistant v2 is the (soon-to-be-released) latest version of our TLSAssistant tool [1], a complete Python redesign performed to convert the standalone analyzer in a modular framework, extensible with new features and thus capable of streamlining the mitigation process of known and newly discovered TLS attacks even for non-expert users.

The main goal of this internship is to extend its capabilities by implementing a new analysis module, able to increase the amount of available checks (e.g., certificate chain validation [2]) or to detect recently-discovered attacks (e.g., ALPACA [3], Raccoon [4], Zombie POODLE and GOLDENDOODLE [5]).

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu)

Prerequisites:

  • Experience of OS virtualization
  • Experience of Python development
  • Basic knowledge of the TLS protocol

Topics: Vulnerability detection, Actionable mitigations, TLS misconfiguration, Modular framework

References:

  1. stfbk/tlsassistant: Fully-featured tool that combines state-of-the-art TLS analyzers with a report system that suggests appropriate mitigations and shows the full set of viable attacks
  2. Path Building vs Path Verifying: The Chain of Pain
  3. ALPACA Attack
  4. Raccoon Attack
  5. Zombie POODLE and GOLDENDOODLE Vulnerabilities | Qualys Security Blog

Improving TLSAssistant webserver coverage Not available

Description:

TLSAssistant [1] is an open-source testing tool designed to help administrators in securing and verifying their TLS deployment. By combining state-of-the-art analysis tools with a report system able to provide actionable security hints (e.g., guiding the mitigation process), it can drastically decrease [2] the amount of time required to resolve a wide set of issues when using Apache or NGINX. The main goal of this internship is to increase the set of supported webservers by replicating the vulnerable systems and writing the set of actionable mitigations that will guide the users.

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu)

Prerequisites:

  • Experience of OS virtualization
  • Experience of Unix shell usage (Bash suggested)
  • Basic knowledge of the TLS protocol.

Topics: Actionable mitigations, TLS misconfiguration, Security reports

References:

  1. stfbk/tlsassistant: Fully-featured tool that combines state-of-the-art TLS analyzers with a report system that suggests appropriate mitigations and shows the full set of viable attacks
  2. Salvatore Manfredi, Mariano Ceccato, Giada Sciarretta, and Silvio Ranise. 2021. Do Security Reports Meet Usability? Lessons Learned from Using Actionable Mitigations for Patching TLS Misconfigurations. In The 16th International Conference on Availability, Reliability and Security (ARES 2021). DOI: https://doi.org/10.1145/3465481.3469187

Security and Risk Analysis of Enrollment Procedures Not available

Description:

Enrollment is a procedure to identify people remotely; this way, many companies allow customers to perform sensitive operations without leaving home. However, companies must sturdily design enrollment procedures and adopt suitable security mechanisms to prevent impersonation. Otherwise, consequences would be catastrophic: malicious agents could exploit bank accounts for money laundering or other unlawful aims, access other people’s sensitive data, and even sign contracts under another name.

The goal of this project is to analyse how the security and risk of enrollment procedures can be enhanced, also in light of a recent report on remote identity proofing issued by the European Union Agency for Cybersecurity (ENISA). Some cutting-edge technologies will be explored, such as electronic documents (i.e., eID cards and ePassports) that are considerably simplifying sensitive online operations thanks to their cryptographic features.

Supervisors: Marco Pernpruner (mpernpruner@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu)

Prerequisites:

  • Basic knowledge of cybersecurity.
  • Experience in Python programming is appreciated.

Objectives:

  • Familiarization with the report on remote identity proofing issued by ENISA.
  • Investigation into the security and risk of enrollment procedures based on different security means (such as eDocuments).
  • Extension of an existing tool for the analysis of enrollment procedures, developed within the Security & Trust unit.

Topics: Enrollment, Risk Analysis, Security Analysis

References:

  1. Marco Pernpruner, Giada Sciarretta, Silvio Ranise. "A Framework for Security and Risk Analysis of Enrollment Procedures: Application to Fully-remote Solutions based on eDocuments". In Proceedings of the 18th International Conference on Security and Cryptography (SECRYPT 2021). https://doi.org/10.5220/0010554502220233.
  2. European Union Agency for Cybersecurity (ENISA). "Remote ID Proofing". https://www.enisa.europa.eu/publications/enisa-report-remote-id-proofing

Smishing Not available

Description:

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.

Smishing is a phishing attack carried out over mobile text messaging, also known as SMS phishing.

As a variant of phishing, victims are deceived into giving sensitive information to a disguised attacker. SMS phishing can be assisted by malware or fraud websites. It occurs on many mobile text messaging platforms, including non-SMS channels like WhatsApp.

The student will develop a framework that continuously monitors websites that are used to report potential phishing messages and automatically identify trending phishing campaigns, involved entities (e.g., Poste Italiane), and indicators of compromises (IOCs).

Supervisor: Biniam Fisseha Demissie

Prerequisites:

  • Programming skills in Java or Python
  • English

Objectives:

  • Develop a framework that continuously monitors a set of websites
  • Extract potential phishing reports from these websites
  • Use NLP techniques to extract phishing campaigns, involved entities and IOCs

Topics: Phishing, Cyber threat intelligence, Indicator of compromise

References:

  1. https://encyclopedia.kaspersky.com/knowledge/what-is-phishing/
  2. https://usa.kaspersky.com/resource-center/threats/what-is-smishing-and-how-to-defend-against-it

Trusted Execution Environments for Advanced Data Protection Not available

Description:

Cryptographic Access Control (CAC) is often employed to protect the confidentiality of Cloud-hosted sensitive data from curious Cloud providers while also enforcing access control policies.

Unfortunately, CAC usually incurs significant computational overheads that limit its applicability in real-world scenarios [1]. The main goal of this project is to investigate how Trusted Execution Environments (TEEs) such as Intel SGX [2] can synergize with CAC to relieve these computational overheads and efficiently guarantee advanced data protection. Activities include literature research, high-level design and possibly implementation of the proposed approach in a tool developed and actively maintained by the Security&Trust unit in FBK [3].

Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites:

  • Basic knowledge of IT security
  • Basic knowledge of cryptography from cryptography-related courses
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin)

Topics: Access Control, Cryptography, Cloud

References:

  1. W. C. Garrison, A. Shull, S. Myers and A. J. Lee, "On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud," 2016 IEEE Symposium on Security and Privacy (SP), 2016, pp. 819-838, doi: 10.1109/SP.2016.54.
  2. https://software.intel.com/content/www/us/en/develop/topics/software-guard-extensions.html
  3. Stefano Berlato, Roberto Carbone, Silvio Ranise. Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment In 18th International Conference on Security and Cryptography (SECRYPT 2021).

Second Call (March 2022)

Privacy Issues in OIDC implementations in the Wild Available

Description:

OpenID Connect (OIDC) is a dominant Single Sign-On (SSO) solution used by varied websites and mobile applications. Major web players such as Google or Facebook play the role of Identity Providers (IdPs), offering so-called social login features to Relying Parties (RPs) previously registered with their services. However, the widespread use of OIDC raises questions about how users' privacy will be protected. We identified a set of privacy issues and the relevant OIDC parameters that can be supported by the IdPs and implemented by the RPs to avoid these kinds of privacy issues. The main goal of this project is to investigate the status of current popular IdPs and top-ranked Google applications regarding the identified privacy issues.

Supervisors: Amir Sharif (asharif@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites:

  • Basic knowledge of cyber security
  • Basic knowledge of OpenID Connect protocol is appreciated but not required

Objectives: Investigate the current status of popular IdPs and top-ranked google apps regarding privacy-preserving parameters and policies.

Topics: Identity Management, OpenID Connect, Privacy-preserving solutions

References:

  1. Sharif, A., Carbone, R., Sciarretta, G., & Ranise, S. (2022). "Best current practices for OAuth/OIDC Native Apps: A study of their adoption in popular providers and top-ranked Android clients". Journal of Information Security and Applications, 65, 103097.
  2. W. Li and C. J. Mitchell, "User Access Privacy in OAuth 2.0 and OpenID Connect," 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2020, pp. 664-6732, doi: 10.1109/EuroSPW51379.2020.00095.
  3. Villarán, C., & Beltrán, M. (2021). "Protecting End User's Privacy When using Social Login through GDPR Compliance".
  4. Morkonda, S. G., van Oorschot, P. C., & Chiasson, S. (2021). "Exploring Privacy Implications in OAuth Deployments". arXiv preprint arXiv:2103.02579.