Security & Trust

Projects for Academic Year 2022-2023

Second Call (February 2023)

Procedure:

  1. Application: apply to the internship projects you are interested in (up to 3) through the online form, by providing the requested data. The application deadline is set for the 9th February 2023 at 13:00.
  2. Selection: a selection committee reviews the applications for every project and, if needed, asks for an interview.
  3. Results: After the selection process, each applicant is informed of the selection results.
Please contact supervisors via email only to request information: applications sent via email will not be taken into consideration.

Analysis of approaches to session management

Description:

A session is a continuous period of time during which a user accesses an online service relying on the authentication of the user performed by the identity provider. The internship aims to explore state of the art and compare existing approaches, and possibly propose a high-level design of the selected approach in the context of the Cie id ecosystem.

Level: BSc/MSc

Supervisor: Giada Sciarretta (g.sciarretta@fbk.eu)

Prerequisites: Preferably basic knowledge of OpenID Connect

Objectives:

  • State of the art of session management approaches
  • Compare existing solutions
  • Preliminary design

Topics: Identity management, Session management, OIDC

Countering rebroadcast attacks against remote identity proofing

Description:

Remote identity proofing procedures, increasingly employed for enabling online services, may involve the display and remote validation of physical identity documents through video cameras. This phase is exposed to so-called "recapturing" or "rebroadcast" attacks, where a digital image or video depicting the document is shown through a screen, acquired through the camera in place of the actual physical document, and potentially used as identity evidence [1]. The project focuses on the detection of such kind of cyberattacks by analyzing the video stream through deep learning architectures, and the empirical assessment of their performance in prescribed experimental scenarios.

Level: BSc/MSc

Supervisor: Cecilia Pasquini (c.pasquini@fbk.eu)

Prerequisites:

  • Experience with Python (basics of image/video processing is recommended)
  • Experience with deep learning frameworks (e.g., PyTorch, Tensorflow, Keras) is advantageous

Topics: Remote identity proofing, Identity management, Video-based analysis

References:

  1. https://www.mdpi.com/2313-433X/8/7/181

Cryptographic Revocation

Description:

There is a strong interest in privacy-enhancing technologies to satisfy the complex requirements of digital identity, in particular minimizing the personal data shared at each presentation, and preventing others from correlating the activity of digital identity credential holders between presentations. Important use cases are the Mobile Drivers' License (ISO 18013-5) and the European Digital Identity Wallet. Cryptographic accumulators, e.g., [1, 2, 3, 4, 5] are efficient protocols to prove set (non-)membership that have been proposed as privacy-enhancing credential revocation mechanisms for digital credentials, e.g., [6]. During the internship, you will have an opportunity to consider theoretical and practical aspects of these technologies, to be agreed based on your interest and prior knowledge. We are particularly interested in a performance comparison of algorithms of interest, possibly using existing libraries (e.g., https://github.com/mikelodder7/accumulator-rs).

Level: MSc

Supervisor: Alessandro Tomasi (altomasi@fbk.eu)

Prerequisites: An undergraduate course in cryptography is required for basic notions. Knowledge of the following would be highly advantageous:

  • RSA
  • elliptic curve cryptography
  • zero-knowledge proofs
  • programming in rust or python

Objectives:

  • Summary of chosen technologies
  • Comparison of technologies on metrics of interest for the chosen scenario, e.g., complexity (number of operations), proof size, offline functionality
  • Exploration of alternatives for cryptographic agility, e.g., other elliptic curves or hash functions

Topics: Digital identity, Cryptography, Privacy enhancing technologies

References:

  1. "Batching Techniques for Accumulators with Applications to IOPs and Stateless Blockchains". D Boneh, B Bünz, B Fisch. IACR 2018, CRYPTO 2019. ia.cr/2018/1188, doi: 10.1007/978-3-030-26948-7_20. Video
  2. "One-way accumulators: a decentralized alternative to digital signatures". J C Benaloh, M de Mare, Eurocrypt 93. doi: 10.1007/3-540-48285-7_24
  3. "Accumulators from Bilinear Pairings and Applications". L Nguyen, CT-RSA 2005 doi.org/10.1007/978-3-540-30574-3_19
  4. "Universal Accumulators with Efficient Nonmembership Proofs". Li, J., Li, N., Xue, R., 2007. doi: 10.1007/978-3-540-72738-5_17
  5. "Dynamic Universal Accumulator with Batch Update over Bilinear Groups". G. Vitto, A. Biryukov, IACR 2020, CT-RSA 2022. ia.cr/ 2020/777, doi 10.1007/978-3-030-95312-6_17. Video
  6. "Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials". J Camenisch, A Lysyanskaya, CRYPTO 2002. doi: 10.1007/3-540-45708-9_5

Empowering the Public to Protect Themselves: Developing a Web-based Assessment Tool for Promoting Awareness at Dissemination Events

Description:

One of the strategic objectives of the European Union Agency for Cybersecurity (ENISA) to address the shortage and gap in cybersecurity skills is to increase user awareness among the general public and in primary and secondary education, as well as to strengthen training and promote cybersecurity in higher education [1]. To contribute to this effort, the Center for Cybersecurity is developing CyberQ, a web-based application that aims to assess users' cybersecurity awareness during dissemination events such as Notte dei Ricercatori and educational workshops in high and middle schools. The goal of this internship is to expand the inner structure, features, and user interface/user experience of the CyberQ prototype, as well as the set of predefined questions. This internship will give the student hands-on experience developing a useful and practical tool, as well as an in-depth understanding of the complexities of cybersecurity awareness. Students who participate in this internship will be able to contribute to the ongoing effort to raise cybersecurity awareness among the general public as well as in primary and secondary education. They will also be able to apply their knowledge and skills to develop a tool to promote cybersecurity in higher education and beyond.

Level: BSc/MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Matteo Rizzi (mrizzi@fbk.eu)

Prerequisites:

  • Experience with Python 3 and Jinja2 development
  • Lateral thinking

Topics: Awareness evaluation, Dissemination tools, Gamification

References:

  1. https://www.enisa.europa.eu/publications/addressing-skills-shortage-and-gap-through-higher-education

Simulating Secure Communications: Developing a Customizable Library for Testing the Resilience of TLS Protocols

Description:

One area that continues to pose challenges for experts is the secure communication protocols used to protect sensitive information online. One such example is the Transport Layer Security (TLS) protocol, which, despite being designed and formally tested by experts, is still vulnerable to newly discovered flaws. The goal of this internship is to design and develop a highly customizable, user-friendly library that can simulate different protocol fragments or entire handshake sequences in order to test the resilience of TLS and its implementations. This library will enable the simulation of a variety of scenarios, such as changes in cipher availability, extensions, and even unexpected behaviors. Students will gain hands-on experience in developing a useful and practical tool as part of this internship, as well as an in-depth understanding of the complexities of secure communication protocols. They will also be able to contribute to the ongoing effort to improve internet security for all users.

Level: MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Matteo Rizzi (mrizzi@fbk.eu)

Prerequisites:

  • Proficiency with Python 3 development
  • Knowledge of the TLS protocol
  • Problem-solving

Topics: Research tool, Customizable library, Protocol flow manipulation

Video manipulation vs liveness detection

Description:

Liveness detection techniques are employed in fully or semi-automated video-based identification procedures in order to verify that the applicant is an actual human being. In this context, advanced impersonation attacks can be attempted by leveraging recent AI-based tools for fast manipulation and synthesis of videos depicting faces (so-called deepfakes), which represent a relevant threat for currently implemented liveness checks [1, 2]. The internship activity exploits existing video creation tools (such as dot and DeepFaceLab) and systematically tests their performance with respect to differently designed liveness checks [3].

Level: BSc/MSc

Supervisor: Cecilia Pasquini (c.pasquini@fbk.eu)

Prerequisites:

  • Experience with Python (basics of image/video processing is recommended)
  • Experience with deep learning frameworks (e.g., PyTorch, Tensorflow, Keras) is advantageous

Topics: Remote identity proofing, Identity management, Liveness detection

References:

  1. ​​https://www.usenix.org/system/files/sec22fall_li-changjiang.pdf
  2. https://sensity.ai/blog/deepfake-detection/deepfakes-vs-kyc-biometric-verification/
  3. https://arxiv.org/pdf/2210.06186.pdf

First Call (October-November 2022)

Attack patterns for Identity Management protocols

Description:

Identity Management (IdM) protocols are the protocols supporting Single-Sign On (SSO) which is an authentication schema allowing the user to access different services using the same set of credentials. Two of the most known IdM protocols are SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Several solutions for corporations like Google, Meta (Facebook) and for Public Administration like eIDAS and SPID are based on IdM protocols. We propose to define attack patterns for assessing the security of IdM implementations. This activity can include the implementation of a plugin.

Level: BSc/MSc

Supervisors: Andrea Bisegna (a.bisegna@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites: Preferably basic knowledge of Java.

Topics: Identity Management protocols, Attack patterns, Penetration testing

References:

  1. https://st.fbk.eu/tools/Micro-Id-Gym.html
  2. https://github.com/stfbk/micro-id-gym

Dematerialization of documents: A Digital Travel Credential Case Study

Description:

Over recent years, technology has radically evolved in fields such as identity, security, biometrics and mobile applications. Technology has already transformed the world of border security and efficient processing of passengers, for example, through secure ePassports (also known as electronic Machine Readable Travel Documents or eMRTD), automated eGates, biometrics used to assure visa regimes, and mobile boarding pass. However, the story is far from complete. A newer generation of secure and efficient solutions is just beginning with the development of Digital Travel Credentials (DTC). The project aims to explore state of the art and compare existing approaches toward DTC.

Level: BSc/MSc

Supervisors: Tahir Ahmad (ahmad@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu)

Prerequisites: Basic knowledge of cyber-security

Objectives:

  • State of the art
  • Compare existing solutions

Topics: Identity management, Mobile applications, Digital wallet

Design and develop a TLS flow library

Description:

While being designed by experts and formally checked with proper technologies, TLS (or its implementations) may still be prone to newly discovered vulnerabilities. The main goal of this internship is to design and build a flexible user-friendly library able to dynamically simulate protocol fragments (or entire handshake sequences) with a high level of customizability (e.g., simulating ciphers availability, extensions and programmable unexpected behaviors).

Level: MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Matteo Rizzi (mrizzi@fbk.eu)

Time frame: From January 2023

Prerequisites:

  • Proficient with Python 3 development
  • Knowledge of the TLS protocol
  • Problem-solving

Topics: Research tool, Customizable library, Protocol flow manipulation

Enhance CyberQ: a cybersecurity awareness training program

Description:

CyberQ is a webapp to assess the cybersecurity awareness of users during dissemination events (e.g., Notte dei Ricercatori and educational workshops in high and middle schools). Its prototype, internally available, has been designed to manage different sets of questions (divided by topic and complexity). The main goal of this internship is twofold, as the student will be required to expand both the internal functioning (both in terms of features and UI/UX) and set of predefined questions.

Level: BSc/MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Matteo Rizzi (mrizzi@fbk.eu)

Time frame: Spring 2023

Prerequisites:

  • Experience with Python 3 and Jinja2 development
  • Lateral thinking

Topics: Awareness evaluation, Dissemination tools

Enhancing TLSAssistant analysis capabilities

Description:

TLSAssistant v2 is the latest version of our state-of-the-art analysis tool [1], a modular framework able to perform a wide set of checks and easily extensible with new features. Its main focus is to streamline the mitigation process of known and newly discovered TLS attacks, even for non-expert users. The main goal of this internship is to extend its capabilities by implementing a new analysis module, able to increase the amount of available checks (e.g., certificate chain validation, compliance analysis, and many more). Due to the research-focused nature of the internship, it will require a large amount of determination and willingness to overcome various challenges.

Level: BSc/MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Matteo Rizzi (mrizzi@fbk.eu)

Time frame: From January 2023

Prerequisites:

  • Experience with Python 3 development
  • Basic knowledge of the TLS protocol
  • Problem-solving

Topics: Research tool, Vulnerability detection, Actionable mitigations, TLS misconfiguration

Notes: Multiple positions available

References:

  1. stfbk/tlsassistant: Fully-featured tool that combines state-of-the-art TLS analyzers with a report system that suggests appropriate mitigations and shows the full set of viable attacks

Key Recovery Protocols for Cryptographic Cloud-hosted Data Protection

Description:

Cryptographic Access Control (CAC) is often employed to protect the confidentiality of Cloud-hosted sensitive data from curious service providers while enforcing access control policies. In CAC, data are encrypted, and the secret decrypting keys embody the permission to access the encrypted data. Unfortunately, an eventual loss of these keys would result in the total loss of the encrypted data. The main goal of this project is to investigate the feasibility and use of key recovery mechanisms in CAC to mitigate eventual key losses [1]. Activities include literature research, high-level design and possibly implementation of the proposed approach in a tool [2] developed and actively maintained by the Security&Trust unit in FBK [3].

Level: BSc/MSc

Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites:

  • Basic knowledge of IT security
  • Knowledge of cryptography from cryptography-related courses
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin)

Objectives:

  • Familiarization and study of the state of the art in key recovery protocols.
  • Evaluation of available techniques and design of a solution for key recovery in cryptographic access control schemes.
  • Implementation of the proposed approach in a tool [2] developed and actively maintained by the Security&Trust unit in FBK [3].

Topics: Access Control, Cryptography

References:

  1. Hörandner, Felix & Nieddu, Franco. (2019); “Cloud Data Sharing and Device-Loss Recovery with Hardware-Bound Keys” in ICISS 2019: Information Systems Security pp 196-217, 10.1007/978-3-030- 36945-3_11
  2. stfbk/CryptoAC
  3. Stefano Berlato, Roberto Carbone, Silvio Ranise. Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment In 18th International Conference on Security and Cryptography (SECRYPT 2021)

Multi-Authority Attribute-based Encryption for Secure Access Control in Blockchain-based Applications

Description:

Given the limited trust and inherently centralized nature of Cloud-based applications, the Blockchain may be the solution to guarantee integrity and confidentiality of sensitive data in cross-organizational scenarios. However, the basic security properties offered by the Blockchain should be complemented with fine-grained access control (e.g., attribute-based access control - ABAC) enforced through cryptography (e.g., attribute-based encryption - ABE) for best security. The main goal of this project is to investigate how multi-authority ABE is and can be used in Blockchain-based applications to enforce cross-organizational ABAC policies.

Level: MSc

Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites:

  • Basic knowledge of IT security
  • Knowledge of cryptography

Objectives:

  • Familiarization and study of the state of the art in the use of MA-ABE in the Blockchain for enforcement of fine-grained ABAC policies.
  • Evaluation of available techniques and design of a solution joining MA-ABE with the Blockchain for high-assurance of data integrity and confidentiality.
  • Possibly, implementation of the proposed approach in a tool [1] developed and actively maintained by the Security&Trust unit in FBK.

Topics: Cryptography, Blockchain, Access Control

References:

  1. stfbk/CryptoAC

Privacy enhancing technologies for digital identity

Description:

There is a strong interest in privacy-enhancing technologies to satisfy the complex requirements of digital identity, in particular minimizing the personal data shared at each presentation, and preventing others from correlating the activity of digital identity holders between presentations. Important use cases are the Mobile Drivers’ License (ISO 18013-5) and the European Digital Identity Wallet, with a toolbox for the latter currently under development and expected to be first released in october 2022. Many technologies based on cryptography have been proposed to provide solutions for credential status requests, selective disclosure of attributes, and unlinkability of credential presentations, such as cryptographic accumulators, zero-knowledge proofs, commitments, and blind signatures. During the internship, you will have an opportunity to consider theoretical and practical aspects of these technologies, to be agreed based on your interest and prior knowledge. Examples include:

Level: MSc

Supervisor: Alessandro Tomasi (altomasi@fbk.eu)

Prerequisites:

  • An undergraduate course in cryptography is required for basic notions on hash functions and public key cryptography.
  • Knowledge of the following would be highly advantageous, depending on the details of the chosen topic:
    • Elliptic curve cryptography, esp. pairing-based
    • Zero-knowledge proofs
    • Programming in python, javascript, or rust

Objectives:
The following objectives may be weighted differently according to interest, availability, and the chosen topic:

  • Summary of chosen technologies
  • Comparison of technologies on metrics of interest for the chosen scenario, e.g., complexity (number of operations), proof size, offline functionality
  • Exploration of alternatives for cryptographic agility, e.g., other elliptic curves or hash functions
  • Proof-of-concept implementation for the scenario of interest

Topics: Digital identity, Cryptography, Privacy-enhancing technologies

Threat Modeling for Electronic Voting

Description:

There has been renewed interest in electronic and internet voting systems in recent years, due in part to the pandemic, and to logistic difficulties in collecting votes from abroad. Electoral systems have complex and unusual requirements, and electronic voting systems doubly so - see e.g. Council of Europe Recommendations and US voluntary voting systems guidelines. While end-to-end verifiable systems show promise of increased trustworthiness for the public, electronic and internet voting systems have come under scrutiny for significant vulnerabilities [1, 2].
Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value. In this internship, the candidate will apply threat modeling tools and processes to the example of electronic voting.

Level: BSc/MSc

Supervisor: Alessandro Tomasi (altomasi@fbk.eu)

Prerequisites: An undergraduate course in information security is required for notions of confidentiality, integrity, and availability. Knowledge of Python would be highly recommended.

Objectives: Produce a threat model for an electoral system following the OWASP process and using pytm.

Topics: Threat modeling, Electronic voting

References:

  1. Park, Specter, Narula, Rivest: "Going from bad to worse: from Internet voting to blockchain voting" https://doi.org/10.1093/cybsec/tyaa025
  2. "Security Analysis of the Estonian Internet Voting System". Springall, Finkenauer, Durumeric, Kitcat, Hursti, MacAlpine, Halderman. https://dl.acm.org/doi/10.1145/2660267.2660315, https://www.youtube.com/watch?v=PT0e9yTD2M8

Trusted Execution Environments for Advanced Data Protection

Description:

Cryptographic Access Control (CAC) is often employed to protect the confidentiality of Cloud-hosted sensitive data from curious service providers while enforcing access control policies. Unfortunately, CAC usually incurs significant computational overhead that limits its applicability in real-world scenarios [1]. The main goal of this project is to investigate how Trusted Execution Environments (TEEs) such as Intel SGX [2] can synergize with CAC to relieve these computational overheads and efficiently guarantee advanced data protection.

Level: BSc/MSc

Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Time frame: From February 2023

Prerequisites:

  • Basic knowledge of IT security
  • Basic knowledge of cryptography from cryptography-related courses
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin)

Objectives:

  • Familiarization and study of the state of the art in the use of TEEs for advanced data protection.
  • Evaluation of available techniques and design of a solution joining CAC with TEEs to reduce the cryptographic computational overhead.
  • Implementation of the proposed approach in a tool [3] developed and actively maintained by the Security&Trust unit in FBK [4].

Topics: Access Control, Cryptography, TEE

References:

  1. W. C. Garrison, A. Shull, S. Myers and A. J. Lee, "On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud," 2016 IEEE Symposium on Security and Privacy (SP), 2016, pp. 819-838, doi: 10.1109/SP.2016.54
  2. https://software.intel.com/content/www/us/en/develop/topics/software-guard-extensions.html
  3. stfbk/CryptoAC
  4. Stefano Berlato, Roberto Carbone, Silvio Ranise. Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment In 18th International Conference on Security and Cryptography (SECRYPT 2021)