Projects for Academic Year 2022-2023

Application Procedure

Calls are currently closed. More information will be published with the second call.

Second Call (January-February 2023)

Keep visiting our website to be updated about the second call!

First Call (October-November 2022)

Attack patterns for Identity Management protocols

Description:

Identity Management (IdM) protocols are the protocols supporting Single-Sign On (SSO) which is an authentication schema allowing the user to access different services using the same set of credentials. Two of the most known IdM protocols are SAML 2.0 SSO and OAuth 2.0/OpenID Connect. Several solutions for corporations like Google, Meta (Facebook) and for Public Administration like eIDAS and SPID are based on IdM protocols. We propose to define attack patterns for assessing the security of IdM implementations. This activity can include the implementation of a plugin.

Level: BSc/MSc

Supervisors: Andrea Bisegna, Roberto Carbone (carbone@fbk.eu)

Prerequisites: Preferably basic knowledge of Java.

Topics: Identity Management protocols, Attack patterns, Penetration testing

References:

  1. https://st.fbk.eu/tools/Micro-Id-Gym.html
  2. https://github.com/stfbk/micro-id-gym

Dematerialization of documents: A Digital Travel Credential Case Study

Description:

Over recent years, technology has radically evolved in fields such as identity, security, biometrics and mobile applications. Technology has already transformed the world of border security and efficient processing of passengers, for example, through secure ePassports (also known as electronic Machine Readable Travel Documents or eMRTD), automated eGates, biometrics used to assure visa regimes, and mobile boarding pass. However, the story is far from complete. A newer generation of secure and efficient solutions is just beginning with the development of Digital Travel Credentials (DTC). The project aims to explore state of the art and compare existing approaches toward DTC.

Level: BSc/MSc

Supervisors: Tahir Ahmad (ahmad@fbk.eu), Giada Sciarretta (g.sciarretta@fbk.eu)

Prerequisites: Basic knowledge of cyber-security

Objectives:

  • State of the art
  • Compare existing solutions

Topics: Identity management, Mobile applications, Digital wallet

Design and develop a TLS flow library

Description:

While being designed by experts and formally checked with proper technologies, TLS (or its implementations) may still be prone to newly discovered vulnerabilities. The main goal of this internship is to design and build a flexible user-friendly library able to dynamically simulate protocol fragments (or entire handshake sequences) with a high level of customizability (e.g., simulating ciphers availability, extensions and programmable unexpected behaviors).

Level: MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Matteo Rizzi (mrizzi@fbk.eu)

Time frame: From January 2023

Prerequisites:

  • Proficient with Python 3 development
  • Knowledge of the TLS protocol
  • Problem-solving

Topics: Research tool, Customizable library, Protocol flow manipulation

Enhance CyberQ: a cybersecurity awareness training program

Description:

CyberQ is a webapp to assess the cybersecurity awareness of users during dissemination events (e.g., Notte dei Ricercatori and educational workshops in high and middle schools). Its prototype, internally available, has been designed to manage different sets of questions (divided by topic and complexity). The main goal of this internship is twofold, as the student will be required to expand both the internal functioning (both in terms of features and UI/UX) and set of predefined questions.

Level: BSc/MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Matteo Rizzi (mrizzi@fbk.eu)

Time frame: Spring 2023

Prerequisites:

  • Experience with Python 3 and Jinja2 development
  • Lateral thinking

Topics: Awareness evaluation, Dissemination tools

Enhancing TLSAssistant analysis capabilities

Description:

TLSAssistant v2 is the latest version of our state-of-the-art analysis tool [1], a modular framework able to perform a wide set of checks and easily extensible with new features. Its main focus is to streamline the mitigation process of known and newly discovered TLS attacks, even for non-expert users. The main goal of this internship is to extend its capabilities by implementing a new analysis module, able to increase the amount of available checks (e.g., certificate chain validation, compliance analysis, and many more). Due to the research-focused nature of the internship, it will require a large amount of determination and willingness to overcome various challenges.

Level: BSc/MSc

Supervisors: Salvatore Manfredi (smanfredi@fbk.eu), Matteo Rizzi (mrizzi@fbk.eu)

Time frame: From January 2023

Prerequisites:

  • Experience with Python 3 development
  • Basic knowledge of the TLS protocol
  • Problem-solving

Topics: Research tool, Vulnerability detection, Actionable mitigations, TLS misconfiguration

Notes: Multiple positions available

References:

  1. stfbk/tlsassistant: Fully-featured tool that combines state-of-the-art TLS analyzers with a report system that suggests appropriate mitigations and shows the full set of viable attacks

Key Recovery Protocols for Cryptographic Cloud-hosted Data Protection

Description:

Cryptographic Access Control (CAC) is often employed to protect the confidentiality of Cloud-hosted sensitive data from curious service providers while enforcing access control policies. In CAC, data are encrypted, and the secret decrypting keys embody the permission to access the encrypted data. Unfortunately, an eventual loss of these keys would result in the total loss of the encrypted data. The main goal of this project is to investigate the feasibility and use of key recovery mechanisms in CAC to mitigate eventual key losses [1]. Activities include literature research, high-level design and possibly implementation of the proposed approach in a tool [2] developed and actively maintained by the Security&Trust unit in FBK [3].

Level: BSc/MSc

Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites:

  • Basic knowledge of IT security
  • Knowledge of cryptography from cryptography-related courses
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin)

Objectives:

  • Familiarization and study of the state of the art in key recovery protocols.
  • Evaluation of available techniques and design of a solution for key recovery in cryptographic access control schemes.
  • Implementation of the proposed approach in a tool [2] developed and actively maintained by the Security&Trust unit in FBK [3].

Topics: Access Control, Cryptography

References:

  1. Hörandner, Felix & Nieddu, Franco. (2019); “Cloud Data Sharing and Device-Loss Recovery with Hardware-Bound Keys” in ICISS 2019: Information Systems Security pp 196-217, 10.1007/978-3-030- 36945-3_11
  2. stfbk/CryptoAC
  3. Stefano Berlato, Roberto Carbone, Silvio Ranise. Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment In 18th International Conference on Security and Cryptography (SECRYPT 2021)

Multi-Authority Attribute-based Encryption for Secure Access Control in Blockchain-based Applications

Description:

Given the limited trust and inherently centralized nature of Cloud-based applications, the Blockchain may be the solution to guarantee integrity and confidentiality of sensitive data in cross-organizational scenarios. However, the basic security properties offered by the Blockchain should be complemented with fine-grained access control (e.g., attribute-based access control - ABAC) enforced through cryptography (e.g., attribute-based encryption - ABE) for best security. The main goal of this project is to investigate how multi-authority ABE is and can be used in Blockchain-based applications to enforce cross-organizational ABAC policies.

Level: MSc

Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Prerequisites:

  • Basic knowledge of IT security
  • Knowledge of cryptography

Objectives:

  • Familiarization and study of the state of the art in the use of MA-ABE in the Blockchain for enforcement of fine-grained ABAC policies.
  • Evaluation of available techniques and design of a solution joining MA-ABE with the Blockchain for high-assurance of data integrity and confidentiality.
  • Possibly, implementation of the proposed approach in a tool [1] developed and actively maintained by the Security&Trust unit in FBK.

Topics: Cryptography, Blockchain, Access Control

References:

  1. stfbk/CryptoAC

Privacy enhancing technologies for digital identity

Description:

There is a strong interest in privacy-enhancing technologies to satisfy the complex requirements of digital identity, in particular minimizing the personal data shared at each presentation, and preventing others from correlating the activity of digital identity holders between presentations. Important use cases are the Mobile Drivers’ License (ISO 18013-5) and the European Digital Identity Wallet, with a toolbox for the latter currently under development and expected to be first released in october 2022. Many technologies based on cryptography have been proposed to provide solutions for credential status requests, selective disclosure of attributes, and unlinkability of credential presentations, such as cryptographic accumulators, zero-knowledge proofs, commitments, and blind signatures. During the internship, you will have an opportunity to consider theoretical and practical aspects of these technologies, to be agreed based on your interest and prior knowledge. Examples include:

Level: MSc

Supervisor: Alessandro Tomasi (altomasi@fbk.eu)

Prerequisites:

  • An undergraduate course in cryptography is required for basic notions on hash functions and public key cryptography.
  • Knowledge of the following would be highly advantageous, depending on the details of the chosen topic:
    • Elliptic curve cryptography, esp. pairing-based
    • Zero-knowledge proofs
    • Programming in python, javascript, or rust

Objectives:
The following objectives may be weighted differently according to interest, availability, and the chosen topic:

  • Summary of chosen technologies
  • Comparison of technologies on metrics of interest for the chosen scenario, e.g., complexity (number of operations), proof size, offline functionality
  • Exploration of alternatives for cryptographic agility, e.g., other elliptic curves or hash functions
  • Proof-of-concept implementation for the scenario of interest

Topics: Digital identity, Cryptography, Privacy-enhancing technologies

Threat Modeling for Electronic Voting

Description:

There has been renewed interest in electronic and internet voting systems in recent years, due in part to the pandemic, and to logistic difficulties in collecting votes from abroad. Electoral systems have complex and unusual requirements, and electronic voting systems doubly so - see e.g. Council of Europe Recommendations and US voluntary voting systems guidelines. While end-to-end verifiable systems show promise of increased trustworthiness for the public, electronic and internet voting systems have come under scrutiny for significant vulnerabilities [1, 2].
Threat modeling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value. In this internship, the candidate will apply threat modeling tools and processes to the example of electronic voting.

Level: BSc/MSc

Supervisor: Alessandro Tomasi (altomasi@fbk.eu)

Prerequisites: An undergraduate course in information security is required for notions of confidentiality, integrity, and availability. Knowledge of Python would be highly recommended.

Objectives: Produce a threat model for an electoral system following the OWASP process and using pytm.

Topics: Threat modeling, Electronic voting

References:

  1. Park, Specter, Narula, Rivest: "Going from bad to worse: from Internet voting to blockchain voting" https://doi.org/10.1093/cybsec/tyaa025
  2. "Security Analysis of the Estonian Internet Voting System". Springall, Finkenauer, Durumeric, Kitcat, Hursti, MacAlpine, Halderman. https://dl.acm.org/doi/10.1145/2660267.2660315, https://www.youtube.com/watch?v=PT0e9yTD2M8

Trusted Execution Environments for Advanced Data Protection

Description:

Cryptographic Access Control (CAC) is often employed to protect the confidentiality of Cloud-hosted sensitive data from curious service providers while enforcing access control policies. Unfortunately, CAC usually incurs significant computational overhead that limits its applicability in real-world scenarios [1]. The main goal of this project is to investigate how Trusted Execution Environments (TEEs) such as Intel SGX [2] can synergize with CAC to relieve these computational overheads and efficiently guarantee advanced data protection.

Level: BSc/MSc

Supervisors: Stefano Berlato (sberlato@fbk.eu), Roberto Carbone (carbone@fbk.eu)

Time frame: From February 2023

Prerequisites:

  • Basic knowledge of IT security
  • Basic knowledge of cryptography from cryptography-related courses
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin)

Objectives:

  • Familiarization and study of the state of the art in the use of TEEs for advanced data protection.
  • Evaluation of available techniques and design of a solution joining CAC with TEEs to reduce the cryptographic computational overhead.
  • Implementation of the proposed approach in a tool [3] developed and actively maintained by the Security&Trust unit in FBK [4].

Topics: Access Control, Cryptography, TEE

References:

  1. W. C. Garrison, A. Shull, S. Myers and A. J. Lee, "On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud," 2016 IEEE Symposium on Security and Privacy (SP), 2016, pp. 819-838, doi: 10.1109/SP.2016.54
  2. https://software.intel.com/content/www/us/en/develop/topics/software-guard-extensions.html
  3. stfbk/CryptoAC
  4. Stefano Berlato, Roberto Carbone, Silvio Ranise. Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment In 18th International Conference on Security and Cryptography (SECRYPT 2021)