THESIS BULLETIN BOARD
2022 Edition
Marco Alecci (Università degli Studi di Padova)
"Assessment of the Blocking Cards Effectiveness in Protecting Mifare Classic Smart Card"
(Advisor: Prof. Mauro Conti).
Smart Cards are physical cards that can connect to a reader either by direct physical contact or through a short-range wireless connectivity standard such as Radio-Frequency IDentification (RFID) or Near Field Communication (NFC). In particular, due to their speed and convenience, contactless smart cards are rapidly becoming one of the most widely used technologies with major deployments worldwide in applications such as micropayment, physical and logical access control, corporate IDs, and automatic fare collection. The MIFARE Classic produced by NXP Semiconductors is currently one of the most used contactless smart cards, with more than 5 billion cards sold worldwide.
Due to their use cases, smart cards are increasingly being targeted by cyber criminals who want to retrieve users’ sensitive information or any profitable data. As a consequence, several countermeasures have been designed, such as blocking cards, which currently represent one of the most common and affordable defense mechanisms. They are usually kept in a pocket or wallet to block potential attacks by emitting a noisy jamming signal or physically shielding the smart card.
This work introduces an attack against the MIFARE Classic smart card that can be carried out even in the presence of a blocking card, employing a Software Defined Radio (SDR) to capture and analyze the raw signal of a communication between the card and the reader. We then analyze the effectiveness of five different blocking cards by comparing their performance in protecting a MIFARE Classic from the introduced attack. Finally, by analyzing them individually, we show that blocking cards that add noise signals at multiple fixed frequencies offer the highest level of protection.
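As a rough illustration of the measurement setup, the sketch below runs a simple envelope detection over a raw SDR capture; the file name, sample rate, and thresholds are illustrative assumptions, not the thesis' actual pipeline.

```python
# Minimal sketch (not the thesis tooling): envelope detection on an SDR capture
# of the 13.56 MHz reader-to-card channel.
import numpy as np

fs = 2_000_000                     # assumed SDR sample rate (2 MS/s)
iq = np.fromfile("capture.iq", dtype=np.complex64)  # hypothetical raw capture

envelope = np.abs(iq)              # ASK: reader commands show as amplitude dips
kernel = np.ones(64) / 64          # short moving average to suppress noise
smooth = np.convolve(envelope, kernel, mode="same")

# A blocking card raises the noise floor; compare it against modulation depth.
noise_floor = np.median(smooth)
dips = smooth < 0.5 * noise_floor  # candidate command pauses (illustrative threshold)
edges = np.flatnonzero(np.diff(dips.astype(int)) == 1)
print(f"noise floor: {noise_floor:.4f}, candidate command pauses: {len(edges)}")
```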
External link to the research group: https://spritz.math.unipd.it/
Sara Bardi (Università degli Studi di Padova)
"Social honeypots on Instagram: a study on technologies and methodologies to automate them"
(Advisor: Prof. Mauro Conti).
Online Social Networks (OSNs) have gained increasing popularity in recent years, leading to very fast growth in terms of registered users. While OSNs are widely used for legitimate content sharing, their rapid growth has also led to the emergence of illegal activities (e.g., spamming, profile cloning, profile hijacking) that take advantage of their popularity. One tool used to detect these malicious activities is the social honeypot. In principle, social honeypots consist of honeypot profiles, for instance Facebook pages or Twitter accounts, which are able to attract users for further analysis. However, we are convinced that social honeypots can be seen not only as a cybersecurity countermeasure, but also as a flexible system that can be adopted for many different purposes: for instance, customer profiling and product advertising, or understanding social trends among people.
This thesis makes a first attempt toward a better understanding of the methodologies and technologies needed to build automated social honeypots on Instagram. This approach has never been explored before: no previous work has proposed social honeypots on this social network and, furthermore, none of the social honeypots presented in the literature is automated. Hence, our experiment consists of 21 social honeypots, deployed on Instagram, whose management is completely automatic. To this end, we implemented two post generation strategies: one involves simpler methods, such as using stock images; the second relies on more complex processes using the latest Machine Learning technologies. Each honeypot is equipped with an engagement plan that defines how it generates engagement with other users; a minimal sketch of such a plan follows.
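The sketch below illustrates what an engagement plan could look like as a data structure; the field names and probabilities are invented for illustration and are not taken from the thesis.

```python
# Illustrative sketch of an "engagement plan": the honeypot's interaction policy.
import random

engagement_plan = {
    "posts_per_day": 1,
    "post_strategy": "stock_images",   # vs. "ml_generated"
    "like_probability": 0.8,           # simple interactions performed best
    "comment_probability": 0.3,
    "comment_templates": ["Great shot!", "Love this!"],
}

def plan_actions(candidate_posts, plan):
    """Decide, per candidate post, which interactions the honeypot performs."""
    actions = []
    for post in candidate_posts:
        if random.random() < plan["like_probability"]:
            actions.append(("like", post))
        if random.random() < plan["comment_probability"]:
            actions.append(("comment", post, random.choice(plan["comment_templates"])))
    return actions

print(plan_actions(["post_1", "post_2", "post_3"], engagement_plan))
```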
Our results show that automatic social honeypots on Instagram are possible and that they can be customized according to one's needs. We demonstrate that the post generation strategy based on Machine Learning is not the best choice yet, and that simple interaction with other users, by just liking or commenting on their posts, is the preferred option. Thanks to these results, we are convinced that the work presented in this thesis can pave the way for further research and solutions.
External link to the thesis: https://thesis.unipd.it/handle/20.500.12608/33777
External link to the research group: https://spritz.math.unipd.it/
Alex Baron (Università degli Studi di Padova)
"IMAT: A Lightweight IoT Network Intrusion Detection System based on Machine Learning techniques"
(Advisor: Mauro Conti).
Internet of Things (IoT) is one of the fastest-expanding technologies nowadays and promises to be revolutionary for the near future. IoT systems are in fact an incredible convenience, thanks to the centralized and computerized control of any electronic device. This technology allows various physical devices, home applications, vehicles, appliances, etc., to be interconnected and exposed to the Internet. On the other hand, it entails the fundamental need to protect the network from adversarial and unwanted alterations. To prevent such threats, it is necessary to turn to Intrusion Detection Systems (IDS), which can be used in information environments to monitor identified threats or anomalies. The most recent and efficient IDS applications involve the use of Machine Learning (ML) techniques, which can automatically detect and prevent malicious attacks such as distributed denial-of-service (DDoS), a recurring threat to IoT networks in recent years.
The work presented in this thesis has a double purpose: to build and test different lightweight Machine Learning models that achieve great performance while running on resource-constrained devices, and to present a novel network-based Intrusion Detection System built on such devices that can automatically detect IoT attack traffic. Our proposed system deploys small low-powered devices to each component of an IoT environment, where each device performs Machine-Learning-based intrusion detection at the network level. In this work we describe and train different lightweight ML models, which are tested on Raspberry Pi and FPGA boards. The performance of these classifiers in detecting benign and malicious traffic is presented and compared in terms of response time, accuracy, precision, recall, F1-score, and ROC-AUC.
The aim of this work is to test these machine learning models on recent datasets in order to find the best-performing ones for intrusion defense in IoT environments, with high flexibility, easy installation, and efficiency. The obtained results show accuracy above 0.99 for different models and indicate that the proposed system can add a remarkable layer of security. We show how Machine Learning applied to small low-cost devices is an efficient and versatile combination with a bright future ahead.
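As a minimal illustration of the evaluation loop, the sketch below trains a small classifier on synthetic flow features and reports the same metrics; the real work uses IoT traffic datasets and runs the models on Raspberry Pi and FPGA boards.

```python
# Sketch: lightweight classifier + the metrics named above, on synthetic data.
from sklearn.datasets import make_classification
from sklearn.model_selection import train_test_split
from sklearn.tree import DecisionTreeClassifier
from sklearn.metrics import (accuracy_score, precision_score, recall_score,
                             f1_score, roc_auc_score)
import time

X, y = make_classification(n_samples=5000, n_features=20, random_state=0)
X_tr, X_te, y_tr, y_te = train_test_split(X, y, test_size=0.3, random_state=0)

clf = DecisionTreeClassifier(max_depth=8)   # small model fits constrained devices
clf.fit(X_tr, y_tr)

start = time.perf_counter()
pred = clf.predict(X_te)
elapsed = time.perf_counter() - start       # response time on the test batch

print(f"response time: {elapsed*1000:.1f} ms for {len(X_te)} flows")
print("accuracy :", accuracy_score(y_te, pred))
print("precision:", precision_score(y_te, pred))
print("recall   :", recall_score(y_te, pred))
print("f1-score :", f1_score(y_te, pred))
print("roc-auc  :", roc_auc_score(y_te, clf.predict_proba(X_te)[:, 1]))
```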
External link to the research group: https://spritz.math.unipd.it/index.html
Massimiliano Belluomini (Università degli Studi di Padova, Dipartimento di Matematica)
"Backdoor Attacks and Defences on Neural Networks"
(Advisor: Mauro Conti).
In recent years, we have seen an explosion of activity in deep learning in both academia and industry. Deep Neural Networks (DNNs) significantly outperform previous machine learning techniques in various domains, e.g., image recognition, speech processing, and translation. However, the safety of DNNs has now been recognized as a realistic security concern.
The basic concept of a backdoor attack is to hide a secret functionality in a system, in our case, a DNN. The system behaves as expected for most inputs, but malicious inputs activate the backdoor.
Deep learning models can be trained and provided by third parties or outsourced to the cloud. The reason behind this practice is that the computational power required to train reliable models is not always available to engineers or small companies. Apart from outsourcing the training phase, another strategy used is transfer learning. In this case, an existing model is fine-tuned for a new task. These scenarios allow adversaries to manipulate model training to create backdoors.
The thesis investigates different aspects of the broad scenario of backdoor attacks on DNNs. We analyze the neuron activations in backdoored models and design a possible defence based on empirical observations: the neurons of the last layer of a DNN show high variance in their activations when the input samples contain the trigger.
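A minimal sketch of this observation, on synthetic stand-ins for last-layer activations, could look as follows; the variance-ratio test is illustrative, not the thesis' exact detector.

```python
# Sketch: per-neuron variance of last-layer activations over a batch of inputs.
import numpy as np

rng = np.random.default_rng(0)
clean_acts   = rng.normal(0.0, 1.0, size=(256, 10))    # (samples, last-layer neurons)
trigger_acts = rng.normal(0.0, 1.0, size=(256, 10))
trigger_acts[:, 3] += rng.normal(0.0, 5.0, size=256)   # backdoor neuron reacts to trigger

def suspicious_neurons(acts, ratio=3.0):
    """Flag neurons whose activation variance is far above the layer median."""
    var = acts.var(axis=0)
    return np.flatnonzero(var > ratio * np.median(var))

print("clean inputs   ->", suspicious_neurons(clean_acts))    # expected: none
print("trigger inputs ->", suspicious_neurons(trigger_acts))  # expected: neuron 3
```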
We also present a new type of trigger for audio signals, obtained using an echo. Short echoes (less than 1 ms) are not even audible to humans, but they can still be used as a trigger for command recognition systems. We show that with this trigger we can bypass STRIP-ViTA, a popular defence mechanism against backdoors.
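The echo trigger itself is easy to picture: at a 16 kHz sample rate, a 0.5 ms echo is a copy of the signal shifted by only 8 samples. A minimal sketch, with parameters chosen for illustration:

```python
# Sketch: add a sub-millisecond echo to an audio signal.
import numpy as np

def add_echo(signal, sample_rate=16000, delay_s=0.0005, decay=0.6):
    delay = int(delay_s * sample_rate)          # 8 samples at 16 kHz
    out = signal.copy()
    out[delay:] += decay * signal[:-delay]      # y[n] = x[n] + decay * x[n - delay]
    return out

rng = np.random.default_rng(0)
clean = rng.normal(0, 0.1, 16000)               # 1 s of placeholder audio
triggered = add_echo(clean)
print("max sample difference:", np.max(np.abs(triggered - clean)))
```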
Finally, we analyze and evaluate blind backdoor attacks, which are backdoor attacks based on both code and data poisoning, and test them against a defence they had not previously been evaluated with. We also propose a way to bypass this defence.
External link to the thesis: https://thesis.unipd.it/handle/20.500.12608/42054?mode=simple
External link to the research group: https://spritz.math.unipd.it/
Alessandro Colombo (Università di Trento - Dipartimento di Ingegneria e Scienze dell'Informazione)
"Attribute Based Encryption for Advanced Data Protection in IoT with MQTT"
(Advisor: Silvio Ranise).
The Internet of Things (IoT) industry is rapidly expanding in a progressively digitalized world. As the amount of valuable and sensitive information managed by IoT devices increases, the general security deficiency in IoT communications leaves this information at the mercy of external attackers, malicious insiders, and honest-but-curious Cloud providers. MQTT is the most widely adopted standard in IoT communications; it assumes a star network topology in which a central entity, called the broker, mediates the exchange of messages among connected clients. MQTT is designed to be extremely lightweight, and it can scale up to connect millions of devices. To maintain minimal overhead, however, the MQTT standard does not provide any security layer by default and suggests instead the use of Transport Layer Security (TLS) for securing communications. Yet, besides being poorly supported by (resource-constrained) IoT devices, TLS only provides hop-by-hop protection, meaning that all the intermediaries between sender and receiver (e.g., partially-trusted MQTT brokers) have access to the content of exchanged messages.
In this thesis, we propose a cryptographic enforcement mechanism for fine-grained Attribute-Based Access Control policies, protecting both the confidentiality and the integrity of sensitive information in transit, i.e., exchanged by IoT devices over MQTT. To this end, we base our scheme on Attribute-Based Encryption (ABE), a Public Key Encryption (PKE) scheme that naturally enforces expressive Access Control (AC) policies cryptographically. Indeed, by using ABE, we can automatically enforce whether a user is authorized to access a particular resource without asking, i.e., trusting, an intermediary to take AC decisions. Our scheme ensures end-to-end protection of exchanged messages, meaning that only the sender and the authorized receivers can access the content of a message. Furthermore, we equip our solution with an expressive revocation mechanism, able to perform dynamic changes on the enforced AC policies. In this manner, administrators can modify the privileges associated with each IoT device, or even exclude some devices from the system, ensuring high flexibility and adaptability to extremely dynamic IoT scenarios. Finally, we test the validity and applicability of our approach through a proof-of-concept implementation.
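Conceptually, the publisher encrypts under an attribute policy before handing the payload to the untrusted broker. The sketch below shows where ABE sits in the MQTT flow; abe_encrypt is a toy placeholder (not real cryptography) and the broker address is hypothetical, while the paho-mqtt calls are real.

```python
# Conceptual sketch: end-to-end protection over MQTT via policy-based encryption.
import json
import paho.mqtt.client as mqtt

def abe_encrypt(plaintext: bytes, policy: str) -> bytes:
    # Toy placeholder -- NOT real cryptography. A real deployment would call a
    # CP-ABE library here; this only shows where encryption sits in the flow.
    return json.dumps({"policy": policy, "ct": plaintext.hex()}).encode()

policy = "(role:doctor AND ward:cardiology) OR role:admin"
payload = abe_encrypt(b'{"heart_rate": 72}', policy)

client = mqtt.Client()                           # paho-mqtt 1.x constructor style
client.connect("broker.example.org", 1883)       # hypothetical broker address
# The broker forwards ciphertext it cannot read: no hop-by-hop trust required.
client.publish("hospital/ward1/telemetry", payload)
client.disconnect()
```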
Gianluca Conte (Università degli Studi di Milano)
"Cyber Risk Mitigation Through an Organizational and Management Perspective in a Multiple Legal and Quality Environment"
(Advisor: Prof. Sorrentino).
Cybersecurity is enormously important for all social actors (natural and legal persons, institutions, nations), as it has a significant impact on personal freedoms, on relationships between legal entities, and on the sovereignty of states, and produces important economic effects at both the micro and macro level.
IT security certainly originated as a technological topic, but the pervasiveness of information technology has made it clear that security is a multidisciplinary task, in which technology is central but is only one of the components.
The thesis conducts a non-systematic analysis of the scientific literature (around 500 sources analyzed, narrowed down to a corpus of 43 contributions) in order to answer four research questions: RQ.1 How does the "human factor" influence cybersecurity? RQ.2 What does cybersecurity mean from a management and organizational point of view? RQ.3 Which frameworks best reconcile the "human factor" with the management and organizational dimensions? RQ.4 Which principles can be generalized to define abstract management and organizational models?
The outcome of the analysis suggests that: 1) the scientific literature does not seem to address the topic holistically, and vertical approaches to specific aspects prevail; 2) the many heterogeneous regulations dealing with cybersecurity do not help in finding a synthesis and often, on the contrary, require similar issues to be addressed in different, non-integrated ways (e.g., different definitions of risk, understood as probability × impact, where the impact is evaluated differently by each regulation); 3) humans are the weakest link in the chain, not intrinsically, but because inadequate awareness makes them so.
Starting from ex-ante hypotheses and building on the scientific and professional literature, benchmarks, frameworks, and reference practices, the final objective of the work was to propose (also outlining the design approach and the costs): 1) an "information security management system" that meets the ISO 27001 requirements in synergy and integration with other regulatory domains, defining and describing a set of policies and procedures covering both the areas required by the standard and those "sensitive" in the assumed context; 2) an "organizational structure dedicated to information security management", equipped with suitable competences (hypothesized and described), mandate, and accountability to maintain and develop the proposed management system.
What can be concluded to date is that the scientific evidence is broad but not exhaustive, and that the regulatory landscape of cybersecurity is complex and non-integrated, requiring a multitude of "similar issues" to be addressed with different perspectives and definitions; this does not help to achieve adequate assurance, which instead requires an integrated, and potentially very costly, approach.
With respect to the analysis, the following points appear to remain open: 1) limited integration of management systems across an orthogonal plurality of regulatory and compliance domains; 2) absence of a dominant proposal concerning the organizational accountability for maintaining and developing the management system itself; 3) against which benchmark should the adequacy of "technical and organizational" measures (art. 32 GDPR) be assessed? 4) where an entity knowingly fails to adopt suitable measures, it obtains a non-negligible benefit (deriving from a cost saving: sent. cass. 22256/21); if a "computer crime" under D.lgs 231/01 is then committed, does this trigger the administrative liability of the entity under the same decree?
Federico Cucino (Dipartimento di Ingegneria e Scienze dell'Informazione - Università di Trento)
"Improving TLSAssistant's analysis capabilities: automating mitigations for Nginx"
(Advisor: Prof. Silvio Ranise).
Transport Layer Security (TLS) is a security protocol designed to provide privacy and data integrity in Internet communications. TLS is used to encrypt the data sent and received between client and server, such as web pages over the HTTP protocol, but also to encrypt email transmission, to transfer files securely, for online telephony, and much more.
Nowadays, although everything revolves around the TLS protocol to guarantee the privacy and integrity of communications on the web, the protocol is not always configured in a secure and optimal way. The task of applying the best configuration rests entirely with system administrators, who must first detect the vulnerabilities and then look for the appropriate mitigation to apply for each of them.
TLSAssistant, developed within the Security & Trust unit of Fondazione Bruno Kessler, simplifies the work of system administrators by providing in a single tool the analysis of known vulnerabilities and the suggestion of the appropriate mitigations, combined with a thorough final report. The suggested mitigations are customized for the type of web server in use, and the changes can be applied directly to one's configuration files.
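A minimal sketch of this analyze-then-mitigate idea for Nginx follows; the single rule and the suggested directive are illustrative, and TLSAssistant's real analysis is far richer.

```python
# Sketch: scan an Nginx config for weak ssl_protocols values, suggest a fix.
import re

WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
SUGGESTED = "ssl_protocols TLSv1.2 TLSv1.3;"

def check_ssl_protocols(conf_text: str):
    findings = []
    for m in re.finditer(r"ssl_protocols\s+([^;]+);", conf_text):
        enabled = set(m.group(1).split())
        weak = enabled & WEAK
        if weak:
            findings.append((m.group(0), sorted(weak), SUGGESTED))
    return findings

conf = "server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}"
for directive, weak, fix in check_ssl_protocols(conf):
    print(f"found: {directive}\n  weak protocols: {weak}\n  suggested fix: {fix}")
```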
The initial goal of the work was to increase the number of supported web servers, so as to give TLSAssistant broader coverage of the mitigations it outputs. A series of circumstances then shifted the focus of the project to extending the analysis capabilities for the Nginx web server, which was already partially supported but left enough room for extension to allow a detailed phase of evaluation, design, and implementation.
External link to the research group: https://st.fbk.eu/
Stefano Da Roit (Dipartimento di Ingegneria e Scienza dell'Informazione - Università di Trento)
"Automated Detection of DoS Attacks in MQTT 5.0 Brokers"
(Advisors: Silvio Ranise, Umberto Morelli).
MQTT is a lightweight messaging protocol standardized by OASIS and considered the de-facto standard for the Internet of Things (IoT). It follows the publish-subscribe paradigm, in which a central entity, the broker, forwards messages received from publishing clients to subscribed clients via topics, which can be described as message queues. As clients typically have constrained resources, Denial of Service (DoS) attacks are among the main security issues in IoT.
The main purpose of the project was to review the features introduced in the latest version of the MQTT protocol in light of their possible misuse to provoke DoS attacks against the clients or the broker. To this end, I identified the features reported in the latest official MQTT protocol specification and verified their adoption among the most widely used MQTT brokers; reviewed the available literature on MQTT DoS attacks to investigate known vulnerabilities (e.g., Common Vulnerabilities and Exposures - CVE); tested both the investigated and new vulnerabilities exploiting the identified MQTT features; and integrated the tests into MQTTSA, a security tool to investigate MQTT (mis-)configurations.
The test campaign revealed the improper validation of packets in almost all the brokers under test. This may damage both the brokers and their connected clients. We are in the process of reporting identified bugs and vulnerabilities to the broker providers. One of the reported issues has already been fixed (NanoMQ); another one is under evaluation (EMQX).
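As a flavor of this kind of misuse test, the sketch below floods a broker with large retained messages from an MQTT 5.0 client; host, port, and sizes are illustrative, and such tests should only be run against a broker you own.

```python
# Sketch: stress a broker with large retained messages over MQTT 5.0.
import paho.mqtt.client as mqtt

# paho-mqtt 1.x constructor style; paho 2.x also takes a CallbackAPIVersion.
client = mqtt.Client(protocol=mqtt.MQTTv5)
client.connect("localhost", 1883)
client.loop_start()

big_payload = b"A" * 262_144          # 256 KiB per message (illustrative size)
for i in range(1000):
    # Retained messages force the broker to keep every payload in memory/storage.
    client.publish(f"stress/topic/{i}", big_payload, qos=1, retain=True)

client.loop_stop()
client.disconnect()
```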
The project was carried out at the Security & Trust research unit of Fondazione Bruno Kessler (Trento, Italy).
External link to the research group: https://st.fbk.eu/
Raffaele Franco (Dipartimento di Ingegneria dell'Università del Sannio)
"Definition of Guidelines for the Execution of Automotive Penetration Testing on CAN Architectures"
(Advisor: Corrado Aaron Visaggio).
The automotive industry aims to integrate security into the vehicle development process: a vehicle is analyzed against every possible threat, so that adequate countermeasures can be developed.
The literature describes numerous attacks carried out against every type of vehicle, demonstrating that it is possible to manipulate both sensors and actuators, and therefore critical components that make up, for example, the braking, steering, and acceleration systems.
Modern vehicles include a large number of embedded systems, called Electronic Control Units (ECUs), which perform vehicle control tasks and are interconnected through a physical, in-vehicle network. Although countermeasures aimed at protecting vehicle resources, such as secure gateways and firewalls, have been adopted in recent years, it is clear that, due to limited computational resources, these countermeasures are not impenetrable.
Once an attacker has gained access to the in-vehicle network, they have numerous possibilities to maneuver the vehicle, exactly like the driver or an authorized workshop. In fact, vehicle networks are made up of electronic components that are often insufficiently segregated and that communicate over unreliable channels and insecure protocols.
The heterogeneity of automotive systems makes a security assessment extremely complex to carry out. To reduce the chances of compromising the safety of vehicle operation, which is essential to avoid disturbance or injury to the driver and passengers, security must be an integral part of the vehicle development lifecycle and applied from the earliest stages.
As the automotive industry moves toward electric mobility, more and more cars will be connected to back-end systems on the Internet; security therefore becomes a crucial factor in the vehicle development process, as well as a new element subject to vehicle type approval.
The additional, remotely accessible interfaces of the vehicle significantly increase the attack surface. The development of such interfaces can potentially expose protocols used in the internal vehicle network to remote access points.
The CAN (Controller Area Network) protocol is a standard proposed in 1993 that has become the de-facto standard for connecting ECUs inside vehicles over the last 20 years. However, the protocol suffers from vulnerabilities, such as the lack of authentication, encryption, and application-level integrity checking, which severely threaten the safety of the people on board.
The aim of the thesis is to analyze attack scenarios and identify how an adversary can attack a vehicle. The idea is to start from the knowledge that can be acquired from inside the vehicle through wired interfaces (e.g., the diagnostic port) and then attempt to extend the attacks starting from remote access points (e.g., Wi-Fi, Bluetooth, etc.).
Fuzz testing and penetration testing are the best strategies to counter attacks on current and future generations of vehicles. Fuzzing, by injecting invalid, unexpected, or random data, makes it possible to uncover numerous weaknesses and vulnerabilities inside the vehicle. In penetration testing, instead, a tester tries to violate the security properties of a vehicle through numerous attacks, taking on the role of an attacker. Since this task is usually performed following a black-box approach, with minimal knowledge gained from public sources or target-specific research, penetration testing activities require strong knowledge and experience. Precisely for this reason, automating this process is extremely difficult.
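As a minimal illustration of the fuzzing strategy, the sketch below injects random frames on a Linux virtual CAN interface using the python-can library; the interface name and frame count are illustrative.

```python
# Sketch: naive CAN fuzzing on a virtual bus ("vcan0"), safe for testing.
import os
import random
import can

bus = can.interface.Bus(channel="vcan0", bustype="socketcan")

for _ in range(100):
    frame = can.Message(
        arbitration_id=random.randrange(0x800),     # random 11-bit identifier
        data=os.urandom(random.randint(0, 8)),      # random payload, 0-8 bytes
        is_extended_id=False,
    )
    bus.send(frame)

bus.shutdown()
```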
Egon Galvani (Università degli Studi di Padova)
"FairDrop: a Confidential Fair Exchange Protocol for Media Workers"
(Advisor: Prof. Mauro Conti).
In recent years, the asymmetry between open societies and regimes that control their media has increased, and the number of journalists murdered worldwide has more than doubled. Even in countries where freedom of the press is publicly recognized, the number of journalists jailed, assaulted, or criminally charged is significant and growing. These attacks on media workers typically aim to limit or control information on critical topics. In this context, the need for a system that allows reporters to publish their work without risking their lives is evident. Some systems to share information with newspapers while keeping the source anonymous exist; an example is SecureDrop, developed and maintained by the Freedom of the Press Foundation and widely adopted by all major international newspapers. What prevents newspapers from using this type of system extensively is the lack of credibility of the information exchanged, which represents the main problem for the publisher's reputation. In this thesis, we present FairDrop, a system that allows the exchange of information between two untrusted parties and proposes a tradeoff between the anonymity of the source and the credibility of the information exchanged. We present a blockchain-based fair exchange protocol that allows a digital good to be shared fairly and confidentially. We also define the guidelines for a system based on ring signatures to measure the credibility of the exchanged information. All our design decisions take into account the requirements of journalist-newspaper communication and the guidelines for anonymous sources applied by major newspapers around the world. We test the system on a real-world blockchain testnet, considering multi-seller and multi-buyer situations and introducing economic incentives for sources to use the system.
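To give an intuition of the fair-exchange building block, the sketch below models the classic hash-lock pattern in plain Python; it illustrates the flow only (XOR stands in for a real cipher) and is not FairDrop's actual protocol or contracts.

```python
# Toy hash-lock sketch: revealing the key both claims the payment and lets the
# buyer decrypt the good, so neither party can cheat the other.
import hashlib
import secrets

def H(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()

# Seller side: encrypt the digital good under key k (XOR as a stand-in cipher).
k = secrets.token_bytes(32)
good = b"leaked-documents"
ciphertext = bytes(g ^ k[i % len(k)] for i, g in enumerate(good))
commitment = H(k)                       # published on-chain with the ciphertext

# Buyer side: lock funds claimable only with the preimage of the commitment.
def claim(preimage: bytes) -> bool:
    return H(preimage) == commitment    # what a smart contract would check

# Seller reveals k to claim payment; the buyer reuses it to decrypt.
assert claim(k)
recovered = bytes(c ^ k[i % len(k)] for i, c in enumerate(ciphertext))
print(recovered)                        # b'leaked-documents'
```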
External link to the thesis: https://thesis.unipd.it/handle/20.500.12608/42055
Manuel Ivagnes (Dipartimento di Ingegneria Informatica Automatica e Gestionale, Università degli Studi di Roma "La Sapienza")
"Lightweight Real-Time Ransomware Detection with Native OS Assistance via ETW"
(Advisor: Prof. Daniele Cono D’Elia).
Ransomware is a class of malware that makes the data of infected computers inaccessible, demanding payment of a ransom to restore it. When the victim is an organization, attackers often strike the entire infrastructure simultaneously to paralyze it. These threats have forced security vendors to change their approach to detection and reaction: recognizing and removing an infection is no longer enough, it must be stopped before it is too late, and this renders several current systems ineffective against ransomware.
This thesis proposes an alternative and original solution for ransomware detection on Windows environments. Developed during an internship at Leonardo S.p.A., it is designed to be deployed in real-world scenarios alongside existing real-time monitoring systems, such as EDRs, without altering the operation of the underlying infrastructure. The solution relies on Event Tracing for Windows (ETW): this native Windows kernel facility has a very low overhead and offers high compatibility with existing software. Moreover, it avoids the implementation limitations of userland API hooks (easily bypassed with known techniques) and of kernel drivers (often complex to develop and prone to generating a high CPU load).
The solution is based on detection heuristics derived from in-depth reverse engineering of the behavioral traits of multiple ransomware variants belonging to different families. The thesis presents some of these variants exhaustively and analyzes in detail the events assessed as attributable, with high probability, to ransomware attacks. The solution consists of four cooperating modules, each specialized in the characteristics of the events in question. Respectively, the modules: (i) intercept the illegitimate use of administration tools; (ii) identify file access and modification patterns attributable to ransomware; (iii) detect unusual correlations between specific events (e.g., create/delete); (iv) exploit the ransom-note creation pattern that is characteristic of some ransomware families (a minimal sketch of module (iii) follows). Monitoring behavioral characteristics that are common across ransomware enables precise and agnostic detection, without resorting to signatures obtained by analyzing already-known variants of the same threat.
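A minimal sketch of the idea behind module (iii), on hand-written event tuples standing in for parsed ETW records; the window and threshold are illustrative.

```python
# Sketch: correlate file create/delete events inside a short time window, a
# pattern typical of ransomware writing an encrypted copy and deleting the original.
WINDOW_S = 2.0
THRESHOLD = 3

def create_delete_pairs(events):
    """events: list of (timestamp, op, path), with op in {'create', 'delete'}."""
    create_times = [t for t, op, _ in events if op == "create"]
    return sum(
        1
        for t, op, _ in events
        if op == "delete" and any(abs(t - tc) <= WINDOW_S for tc in create_times)
    )

trace = [(0.1, "create", "a.docx.locked"), (0.2, "delete", "a.docx"),
         (0.4, "create", "b.xlsx.locked"), (0.5, "delete", "b.xlsx"),
         (0.7, "create", "c.pdf.locked"),  (0.8, "delete", "c.pdf")]

pairs = create_delete_pairs(trace)
print("ALERT: ransomware-like file churn" if pairs >= THRESHOLD else "ok", pairs)
```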
The implemented prototype is:
- Automated, lightweight, real-time: it requires moderate computational resources to analyze the huge ETW streams; it performs real-time dynamic analysis of all running processes; it autonomously terminates suspicious ones.
- Accurate, fast, robust: in the experiments, it quickly detects ransomware belonging to families and variants unknown at development time.
- Proactive: it can intercept at the outset (i.e., before any file is corrupted) some ransomware families that make use of specific administrator commands.
- Customizable: the perimeter security manager can tune modules and event filters according to internal security policies and cyber-risk strategies.
For the experimental evaluation, a test environment representative of a standard user's environment was built according to the best practices of the field, with automated tests to obtain scientifically reproducible results. To avoid overfitting the heuristics, the test dataset was diversified as much as possible, analyzing 111 samples from 25 different ransomware families, and then checking for possible false positives from legitimate programs (e.g., programs making frequent use of encryption and compression). The prototype shows a detection rate of 98.2% with no false positives, with the number of compromised files often between zero and a few dozen (before the sample is detected and terminated), CPU consumption below 1%, and RAM usage in the order of a few tens of MB.
Eleonora Marchesini (Università degli studi di Trento)
"Design and Implementation of a Cybersecurity Chatbot for Identity Management Protocols: the SAML and Slack Use Case"
(Advisors: Silvio Ranise, Roberto Carbone, Andrea Bisegna).
Thanks to the growth of web applications that simplify everyday life, people have started to use online services more frequently. Accessing these services usually requires creating an account with password-based authentication. Some of these services, together with authentication, can provide authorization for the requested resources even across different domains. As a consequence, perimeter-based architectures (where anyone inside a corporate network is trusted) are declining in favor of identity-based ones (where access is based on the user). Given the large number of different services and this change in architecture, users must remember many passwords and tend to reuse them, even though best practices discourage it. Identity Management (IdM) protocols have been introduced to address this problem. These protocols have many applications, as they allow identity and security processes to be managed from a central, single point of administration, and they can run across multiple machines with different access levels for users. However, these protocols must be maintained throughout their lifetime, which costs time and money: the information needed to manage them (e.g., a standard upgrade, or news of a weakness in a specific version) can be scattered across the network (e.g., on news sites or blogs) and may require specific knowledge to be applied correctly.
For this reason, we looked for a strategy to help users by answering their questions and providing the right information with a simple approach: a chatbot. We analyzed several chatbots to discover whether any of them facilitate the retrieval of data for users implementing IdM protocols. We could not find anything related, but using what we learned we designed and implemented a cybersecurity chatbot.
In this thesis, we focus on the study of chatbots and their application in the security field. The work starts with the design of a cybersecurity chatbot for IdM protocols, informed by an analysis of the literature. The proposed design follows general-purpose chatbots, augmented with security-related information. The first step is the Backend, with the construction of a database populated with security information, namely Cyber Threat Intelligence (CTI), which contains possible weaknesses and the related attacks and mitigations gathered from the net. This constitutes a repository of possible answers to users' sentences, whose correct understanding and evaluation is the responsibility of the brain of the chatbot, the Trainer. The Frontend comprises a Threat Visualizer, which provides a hands-on look at the result, and the UI Chatbot, where responses are given. This design has been implemented in Python using libraries such as TensorFlow for data processing and STIX2, a serialization standard for CTI information. Thanks to this serialization, which keeps data consistent across different machines, the STIX Visualizer can be integrated as the Threat Visualizer. Finally, we describe a use case for a possible application of the cybersecurity chatbot.
We consider as protocol the Security Assertion Markup Language (SAML), an XML standard for exchanging messages concerning a user's authentication and authorization across security domains, and Slack as the user interaction point: an online collaboration tool used by many corporations that allows the development and use of bots. We have therefore tuned the implementation with a database composed of SAML CTI information and Slack as the communication component. We then present an instance of interaction with the user, from the first approach to the result and its different representations (graphical or textual). Finally, we present some considerations about our choices, together with the capability of the script to be as modular as possible, so as to adapt to changes in one component without impacting the functionality provided by the others.
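As a toy illustration of the Trainer's core task, the sketch below matches a user sentence to the closest known question with TF-IDF similarity; the corpus is invented, and the real system relies on TensorFlow models and a STIX2-backed database.

```python
# Sketch: retrieve the closest stored CTI answer for a user sentence.
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.metrics.pairwise import cosine_similarity

corpus = [
    "how do I mitigate a signature wrapping attack on SAML",
    "which versions of the protocol are affected by this weakness",
    "how do I rotate the identity provider certificate",
]
answers = ["Apply response signing and strict XML validation ...",
           "See the affected-version list in the CTI entry ...",
           "Re-issue the IdP certificate and update metadata ..."]

vectorizer = TfidfVectorizer()
doc_matrix = vectorizer.fit_transform(corpus)

def reply(user_sentence: str) -> str:
    scores = cosine_similarity(vectorizer.transform([user_sentence]), doc_matrix)
    return answers[scores.argmax()]

print(reply("mitigation for SAML signature wrapping?"))
```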
Francesco Marchiori (Università degli Studi di Padova)
"STIXnet: Entity and Relation Extraction from Unstructured CTI Reports"
(Advisor: Prof. Mauro Conti).
The increased frequency of cyber attacks against organizations and their potentially devastating effects have raised awareness of the severity of these threats. In order to proactively harden their defences, organizations have started to invest in Cyber Threat Intelligence (CTI), the field of cybersecurity that deals with the collection, analysis, and organization of intelligence on attackers and their techniques. By profiling the activity of a particular threat actor, and thus knowing the types of organizations it targets and the kinds of vulnerabilities it exploits, it is possible not only to mitigate its attacks but also to prevent them.
Although the sharing of this type of intelligence is facilitated by several standards such as STIX (Structured Threat Information eXpression), most of the data still consists of reports written in natural language. This particular format can be highly time-consuming for Cyber Threat Intelligence analysts, who may need to read an entire report and label entities and relations in order to generate an interconnected graph from which the intel can be extracted.
In this thesis, done in collaboration with Leonardo S.p.A., we provide a modular and extensible system called STIXnet for the extraction of entities and relations from natural language CTI reports. The tool is embedded in a larger platform, developed by Leonardo, called Cyber Threat Intelligence System (CTIS) and therefore inherits some of its features, such as an extensible knowledge base which also acts as a database for the entities to extract.
STIXnet uses techniques from Natural Language Processing (NLP), the branch of computer science that studies the ability of a computer program to process and analyze natural language data. This field of study has recently been revolutionized by the increasing popularity of Machine Learning, which allows for more efficient algorithms and better results. After looking for known entities retrieved from the knowledge base, STIXnet analyzes the semantic structure of the sentences in order to extract new possible entities, and predicts the Tactics, Techniques, and Procedures (TTPs) used by the attacker. Finally, an NLP model extracts relations between these entities and converts them to be compliant with the STIX 2.1 standard, thus generating an interconnected graph that can be exported and shared. STIXnet can also be constantly and automatically improved with feedback from a human analyst, who, by highlighting false positives and false negatives in the processing of a report, can trigger a fine-tuning process that increases the tool's overall accuracy and precision.
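As an illustration of the output format, the sketch below emits a few example entities and relations as a STIX 2.1 bundle with the python-stix2 library; the entities are invented, not STIXnet output.

```python
# Sketch: serialize extracted entities and relations as a STIX 2.1 bundle.
import stix2

actor = stix2.ThreatActor(name="ExampleGroup")
malware = stix2.Malware(name="ExampleRAT", is_family=True)
target = stix2.Identity(name="Energy Sector Org", identity_class="organization")

relations = [
    stix2.Relationship(actor, "uses", malware),
    stix2.Relationship(actor, "targets", target),
]

bundle = stix2.Bundle(actor, malware, target, *relations)
print(bundle.serialize(pretty=True))   # shareable, graph-ready representation
```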
This framework helps defenders know at a glance all the gathered intelligence on a particular threat actor, and thus deploy effective threat detection, perform attack simulations, and strengthen their defenses; together with the Cyber Threat Intelligence System platform, organizations can always be one step ahead of the attacker and be secure against Advanced Persistent Threats (APTs).
External link to the thesis: http://hdl.handle.net/20.500.12608/33779
External link to the research group: https://spritz.math.unipd.it/
Matteo Midena (Dipartimento di Matematica - Università degli Studi di Padova)
"The digital identity revolution: using smart contracts in self-sovereign identity"
(Advisors: Silvia Crafa, Mattia Zago).
The problem of online identity has been widely discussed and addressed over the last 10 years. In particular, the evolution includes the transition from physical to digital credentials, which solved the main problems of a bureaucratic and costly issuance process, both for the issuing authority and for the user. The topic of privacy, however, remains highly debatable: our data is stored on the issuer's servers and, in order to use many services, it is disclosed to third-party services that very often have an economic incentive to collect and store it. The goal of this thesis is the realization of a decentralized digital identity system that allows the user to be independent of any central authority. The solution, based on Self-Sovereign Identity (SSI), is user-centered: the user has complete control over their own information and manages consent to its use. This approach involves three main components: verifiable credentials, decentralized identifiers, and distributed ledgers. Using blockchain technology as the verifiable data registry offers several advantages, such as a transparent, immutable, secure, and decentralized registry, which can replace the central authority of the classical model while offering the same guarantees. At the same time, it brings the disadvantage of having to face several issues related to privacy and trust management. Blockchain technology is based on a public ledger: anyone can access and modify it, identified by the pseudonym of their wallet address. For this reason, it is important to develop a solution that protects users' privacy and provides a solid trust mechanism to guarantee the identity of the entities involved. These are the two key problems to address, without which any solution of this kind would lose its effectiveness.
Specifically, a suite of smart contracts is developed to perform the issuance, verification, and revocation of verifiable credentials, with the goal of managing, in a web app, the integration between the user's Ethereum wallet and SSI wallet, so that the verifiable credentials they hold can be used in a decentralized context.
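A conceptual model of the three operations might look as follows; a Python dict stands in for on-chain storage, whereas the thesis implements them as Ethereum smart contracts integrated with the user's SSI wallet.

```python
# Toy model: issue / verify / revoke over a registry keyed by credential hash.
import hashlib

registry = {}   # credential_hash -> {"issuer": ..., "revoked": bool}

def cred_hash(credential: str) -> str:
    return hashlib.sha256(credential.encode()).hexdigest()

def issue(credential: str, issuer: str):
    registry[cred_hash(credential)] = {"issuer": issuer, "revoked": False}

def verify(credential: str, trusted_issuers: set) -> bool:
    entry = registry.get(cred_hash(credential))
    return (entry is not None and not entry["revoked"]
            and entry["issuer"] in trusted_issuers)

def revoke(credential: str):
    registry[cred_hash(credential)]["revoked"] = True

vc = '{"degree": "MSc", "holder": "did:example:123"}'
issue(vc, issuer="did:example:university")
print(verify(vc, {"did:example:university"}))   # True
revoke(vc)
print(verify(vc, {"did:example:university"}))   # False
```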
External link to the thesis: https://thesis.unipd.it/handle/20.500.12608/34934
Alberto Molon (Dipartimento di Ingegneria dell'Informazione, Università degli Studi di Padova)
"Automated Analysis and Exploitation of Vulnerable Android Applications"
(Advisor: Eleonora Losiouk).
Android security is a constantly growing field due to intensive system inspections and testing conducted by developers and researchers. This has led Google to constantly update its product with new functionalities, bug fixes, new security mechanisms, and extra prevention methods.
On the other hand, building secure mobile applications is challenging due to trade-offs between usability, efficiency, and security. Very often, this leads Android developers to leave bugs or vulnerabilities in their code. Google tackles this issue by providing security tips and best practices in its documentation. However, this is only a preventive measure, which developers and security researchers must fully read, understand, and apply to their code.
From these security guidelines, 32 rules were extracted and coded into SPECK: a rule-based static taint analysis system that automatically finds violations in a given Android app. Such "vuln-rules" describe several vulnerabilities, which SPECK reports and highlights during the static analysis of the Android app. To prove the danger of these issues, SPECK is extended to SPECK+, which is able to automatically generate attacks that exploit the vulnerabilities detected for a specific rule. Moreover, developers can both write their own rules to test their app against a particular issue and insert custom exploits, even from other existing tools. With this extension, vuln-rules are coded in a special formalism called SPECK-F.
A high-level overview of the SPECK+ workflow is the following: first, it checks whether a test app complies with the provided vuln-rule by performing a static analysis of the app's source code (if an APK is provided, it is first decompiled); then, if at least one vulnerability is found, an exploit is automatically generated to demonstrate the danger of the vulnerability.
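To give the flavor of a rule-based check, here is an illustrative sketch that flags a source snippet violating a real Android guideline (WebView with JavaScript and file access enabled); the rule encoding is invented, and SPECK-F's actual formalism differs.

```python
# Sketch: regex-based "vuln-rule" check over decompiled app source.
import re

RULE = {
    "id": "webview-js-file-access",
    "patterns": [r"setJavaScriptEnabled\(\s*true\s*\)",
                 r"setAllowFileAccess\(\s*true\s*\)"],
    "message": "WebView allows JavaScript and file access: risk of local file theft",
}

def check(source: str, rule) -> list:
    hits = [p for p in rule["patterns"] if re.search(p, source)]
    return [rule["message"]] if len(hits) == len(rule["patterns"]) else []

app_source = """
    WebView wv = findViewById(R.id.webview);
    wv.getSettings().setJavaScriptEnabled(true);
    wv.getSettings().setAllowFileAccess(true);
"""
print(check(app_source, RULE))
```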
In this thesis, I studied 11 rules, which I first formalised using SPECK-F and for which I then implemented the corresponding exploits. Finally, I evaluated these attacks against a list of 100 popular apps. Results show that rules regarding insecure communications are exploited with a success rate above 40% on rooted emulators, and 3 out of 5 rules regarding improper platform usage are exploited with a success rate above 88%.
External link to the research group: https://spritz.math.unipd.it/index.html
Andrea Piras (Università degli Studi di Cagliari)
"A PROPOSAL FOR A CYBERSECURITY PLAN FOR CRITICAL INFRASTRUCTURES AND PUBLIC ADMINISTRATION"
(Advisor: Giorgio Giacinto).
The purpose of this thesis is to propose a cybersecurity plan for critical infrastructures and the public administration. The proposal aims to guide the CISO (Chief Information Security Officer) who wants to address the challenges of a complex organization within the national security perimeter. The reader is given the conceptual tools for a holistic view of cybersecurity, considering different factors such as the protection of cloud services, supply chain control, incident response, risk management, business continuity, and much more.
The proposed plan is divided into three tiers: strategic, tactical, and operational. At the strategic level, addressed to top management, the main laws, directives, and regulations regarding critical infrastructures and public administration are analyzed: NIS/NIS2, the national security perimeter, the AGID minimum security measures, and the Cybersecurity Act. Then, a new approach to risk management is presented. Several assessments are performed to calculate the risk, including the analysis of the services delivered on-premises and in the cloud; the assessment of vulnerabilities and configurations; the evaluation of business processes using the national framework for data protection inspired by NIST; and the assessment of the type of data processed (public, corporate, or personal) and the type of exposure (internal or to the Internet). To calculate the risk, compared to the traditional impact × probability model, different parameters are used, such as the severity of vulnerabilities, misconfigurations, missing controls, type of data processed, data exposure, etc. In this way, risks can be prioritized more effectively.
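A toy version of such multi-parameter scoring might look as follows; the weights and scales are invented placeholders, not the thesis' calibration.

```python
# Sketch: risk scoring that combines several parameters beyond impact x probability.
def risk_score(vuln_severity, misconfigurations, missing_controls,
               data_type, exposure):
    data_weight = {"public": 0.2, "corporate": 0.6, "personal": 1.0}[data_type]
    exposure_weight = {"internal": 0.5, "internet": 1.0}[exposure]
    technical = (vuln_severity / 10) + 0.1 * misconfigurations + 0.2 * missing_controls
    return technical * data_weight * exposure_weight

services = {
    "public website": risk_score(7.5, 2, 1, "public",    "internet"),
    "HR database":    risk_score(5.0, 1, 3, "personal",  "internal"),
    "internal wiki":  risk_score(3.1, 0, 0, "corporate", "internal"),
}
for name, score in sorted(services.items(), key=lambda kv: -kv[1]):
    print(f"{name}: {score:.2f}")   # prioritized mitigation order
```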
At the strategic level, the thesis discusses how to bind business continuity management to risk management. Training and awareness should also be strategic goals.
At the tactical level, addressed to security architects, the thesis proposes risk mitigation measures with a defense-in-depth approach. A set of redundant controls is proposed, to be applied at different levels: the human level, the physical level, and technical levels such as perimeter and network, host, application, and data. The controls are divided according to the context: on-premises infrastructure, cloud, supply chain, and data.
At the operational level, addressed to analysts and engineers, the thesis proposes incident management according to NIST SP 800-61 and the creation of a SOC (Security Operations Center) to be both more reactive and more proactive. To be more reactive, the thesis considers the use of EDR/SOAR systems and automated playbooks written by a team of engineers supporting the incident response team. To be more proactive, the SOC must be supported by a team that performs vulnerability scanning and service assessment, but it must also be able to extract IoCs (indicators of compromise) using a threat intelligence platform to detect and block attackers' TTPs (tactics, techniques, and procedures).
Lorenzo Pisu (Dipartimento di Ingegneria Elettrica, Elettronica ed Informatica - Università Degli Studi Di Cagliari)
"A security assessment of the server-side template injection vulnerability"
(Advisor: Davide Maiorca).
A template engine is a technology that allows the creation of HTML pages with custom tags that are interpreted into data presented to the user. A basic example in which template engines are handy: when we want to show a list of text items on an HTML page, we do not want to write every single tag by hand if we can simply pass the list. Template engines allow writing directives that automatically unpack the list and prepare the HTML page for rendering. The problem is that such powerful tools can also have dangerous functionality: a template engine might allow a programmer to execute arbitrary code (for example, Python code), because both the template engine creators and the programmers thought such features would be helpful. A programmer who is not careful enough, or who does not know this feature exists, might allow users to inject template engine tags inside the page. When abused by malicious users, this small mistake can produce consequences that, in many cases, result in the feared remote code execution. The vulnerability that arises when a user can inject template engine directives inside a web application is called Server-Side Template Injection (SSTI).
Throughout this thesis, we analyze 34 template engines in 8 programming languages: Python, PHP, JavaScript, Java, Ruby, Go, Perl, and C#. Moreover, we show how dangerous they are when misused. No previous work in the literature has attempted to survey the vast landscape of existing template engines to check each of them and spot vulnerabilities.
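The classic SSTI pattern is easy to demonstrate with Jinja2, one of the Python engines such a survey covers: user input concatenated into the template source gets evaluated, while input passed as data does not.

```python
# Sketch: the SSTI root cause in two lines of Jinja2.
from jinja2 import Template

user_input = "{{ 7 * 7 }}"

# Vulnerable pattern: the user controls part of the template source.
print(Template("Hello " + user_input).render())              # -> Hello 49

# Safe pattern: the user input is rendered as plain data.
print(Template("Hello {{ name }}").render(name=user_input))  # -> Hello {{ 7 * 7 }}
```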
External link to the research group: https://pralab.diee.unica.it/
Simeone Pizzi (Università degli studi di Padova)
"VirtualPatch: Fixing Android security vulnerabilities with app-level virtualization"
(Advisor: Eleonora Losiouk).
Since its initial release, the Android operating system has been affected by the fragmentation problem, i.e., the presence of several customized versions of the operating system released by different device manufacturers. One of the main consequences of this problem concerns the distribution of security patches, which take a long time to reach users' devices.
I studied the Android Security Bulletins and analyzed how the largest Android device manufacturer (Samsung) handles security updates, finding that several weeks often pass between the moment a vulnerability is fixed in the source code and the moment the fix reaches users' devices.
In this thesis I propose VirtualPatch, a solution whose goal is to distribute security patches immediately after their development. VirtualPatch is based on app-level virtualization and can be used to protect against vulnerabilities affecting different layers of the Android architecture. Since VirtualPatch's virtualization operates at the application level, applying a patch does not require an update of the underlying operating system. To evaluate VirtualPatch, I developed security patches and exploits for 7 different CVEs located in different layers of the Android architecture, and verified that the patches are effective in defending against the exploits. Finally, I measured the time VirtualPatch takes to load the security patches, to show that they do not introduce significant delays in the execution of apps inside VirtualPatch.
External link to the research group: https://spritz.math.unipd.it/
Matteo Protopapa (DAUIN - Dipartimento di Automatica e Informatica - Politecnico di Torino)
"Automatic differential cryptanalysis of the SPECK block cipher with Monte Carlo Tree Search"
(Advisors: Cataldo Basile (DAUIN), Danilo Bazzanella (DISMA)).
Nowadays, cryptography is one of the main building blocks of computer science, as it contributes to digital data security in the broadest sense, both when data is stored and when it is exchanged. Block ciphers play an important role in this scenario, as they are among the functions used to achieve cryptographic security. Differential cryptanalysis is a powerful tool to assess the security and robustness of ciphers and hash functions. This technique, which usually takes the form of a chosen-plaintext attack, aims to analyse the multiple rounds of a block cipher. In practice, its purpose is to find sequences of perturbations, called differences, from the input of the cipher up to the largest possible number of rounds, so that the total propagation probability is as high as possible. When a good sequence (also called a differential characteristic) is found, the attack is considered successful, and in some cases it can enable a key recovery attack, in which the secret key used with the cipher is discovered.
The work described in this thesis regards the automation of the search for differential characteristics in block ciphers; the case study focuses on the SPECK family of ciphers. The objective is to ease the security assessment of block ciphers by developing a tool capable of finding good sequences of differences in an automated way, with very little knowledge of the target cipher and with no human interaction. The tool is based on a variant of Monte-Carlo Tree Search (MCTS) called Single-Player MCTS. Monte-Carlo Tree Search is a well-known algorithm in the context of board games such as Chess or Go because of its strength when the number of solutions is so high that a complete search is unfeasible, as is the case in cryptanalysis, but it is almost unexplored in this field.
The research started from a survey of the works present in the literature, which led to the discovery of precious heuristics that improve the performance of the MCTS algorithm. Then the implementation phase took place, from the code for the precomputation of the data needed by the algorithm, to the algorithm itself, the collection of statistics, and the validation of the outcome. During this phase, several heuristics collected from previous works were gradually added to face the limitations that arose, and each addition contributed positively to the global performance of the algorithm. At last, a comparison between the new tool and the existing ones is performed: although graph-based searches are the natural competitor of Monte-Carlo Tree Search due to their internal behaviour, solver-based ones are also taken into account. The results are promising, as the search is significantly faster than state-of-the-art works for the smallest versions of SPECK, while non-optimal but still good results are obtained for the bigger version. Moreover, additional optimizations can be introduced, leaving room for further improvements of the already good results.
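To make the objects of the search concrete, the sketch below implements the SPECK32/64 round function and a Monte Carlo estimate of a one-round differential probability; the example difference is the well-known probability-one transition (0x0040, 0x0000) → (0x8000, 0x8000).

```python
# Sketch: SPECK32/64 round + Monte Carlo estimate of a differential probability.
import random

MASK = 0xFFFF  # 16-bit words for SPECK32/64

def ror(x, r): return ((x >> r) | (x << (16 - r))) & MASK
def rol(x, r): return ((x << r) | (x >> (16 - r))) & MASK

def speck_round(x, y, k):
    x = ((ror(x, 7) + y) & MASK) ^ k
    y = rol(y, 2) ^ x
    return x, y

def diff_probability(din, dout, trials=20_000):
    """Fraction of random pairs with input XOR difference din mapping to dout."""
    hits = 0
    for _ in range(trials):
        x, y = random.randrange(1 << 16), random.randrange(1 << 16)
        k = random.randrange(1 << 16)                 # random round key
        x1, y1 = speck_round(x, y, k)
        x2, y2 = speck_round(x ^ din[0], y ^ din[1], k)
        hits += (x1 ^ x2, y1 ^ y2) == dout
    return hits / trials

print(diff_probability((0x0040, 0x0000), (0x8000, 0x8000)))  # expected: 1.0
```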
External link to the thesis: https://webthesis.biblio.polito.it/24602/
Silvia Lucia Sanna (Università degli studi di Cagliari)
"A risk estimation study of native code vulnerabilities in Android applications"
(Advisor: Davide Maiorca).
La mia tesi di Laurea Magistrale affronta il tema delle vulnerabilità nel codice nativo delle app Android, in particolare stimandone un valore di rischio. Android è il sistema operativo mobile più usato (settembre 2020), perciò le app Android sono le più diffuse: una vulnerabilità in queste app può arrecare un danno a moltissimi utenti anche relativi a PA o infrastrutture critiche. Con codice nativo si intendono librerie in C/C++ che consentono l’interazione con attività o componenti nativi, tra cui hardware come la fotocamera. Solitamente gli sviluppatori le importano da terze parti. Se in queste librerie è presente una vulnerabilità in una funzione implementata erroneamente, un attaccante potrebbe sfruttare questa vulnerabilità per danneggiare l’utente. Ad esempio, se una di queste funzioni interpreta male l’input, un attaccante può avere accesso alla memoria RAM e leggere i dati, modificarli o eseguire del codice per altri scopi. Quando una vulnerabilità viene scoperta, viene divulgata seguendo uno standard specifico, denominata come CVE e rilasciata poi in database pubblici come NVD.
Given the scarcity of publications on this topic, the goal of the thesis was to identify known vulnerabilities (CVEs) in 100,000 apps downloaded from Androzoo (containing more than 200,000 library files belonging to 20,000 products) and to assign each app a risk score based on the CVEs identified. The library compiled into the app is an ELF file in which the library name and the functions used are not always evident, but they can be identified by analyzing the strings and functions in the binary, whose syntax is unique and constant. The study focused on the 15 most widespread and most vulnerable libraries.
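To give an idea of the string-based identification (a sketch with illustrative patterns, not the thesis tooling), one can scan a binary for printable strings and match known library version banners:

```python
# Minimal sketch of the string-based identification idea: extract printable
# strings from an ELF binary and match version banners of known libraries.
# The banner patterns below are illustrative, not the thesis' actual rules.
import re

BANNERS = {
    "libpng": re.compile(rb"libpng version (\d+\.\d+\.\d+)"),
    "OpenSSL": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
}

def printable_strings(data, min_len=6):
    # Runs of printable ASCII, like the classic `strings` utility.
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def identify(path):
    with open(path, "rb") as f:
        data = f.read()
    hits = {}
    for s in printable_strings(data):
        for lib, pat in BANNERS.items():
            m = pat.search(s)
            if m:
                hits[lib] = m.group(1).decode()
    return hits  # e.g. {"libpng": "1.6.37"}
```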
Next, a database was created containing all the CVE data for each library needed in the study. The name of the vulnerable function and the affected library version appear only in the "description" field of the CVE, which is written in natural English. Since the description is human-readable and does not follow a standard syntax, we used NLP algorithms and produced a rule to identify the name of the vulnerable function based on programming naming conventions. The CVE was matched to the library with a whitelist approach: for each function extracted from the app's binary, if the function was present in the vulnerability database and the library version was among the vulnerable ones, the app was marked as affected by that CVE.
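As a simplified stand-in for the extraction rule (the regex below is illustrative, not the thesis' actual NLP pipeline), function names can be picked out of a CVE description by relying on code naming conventions:

```python
# Simplified stand-in: CVE descriptions are free-form English, but function
# identifiers tend to follow code naming conventions (snake_case names, or
# names immediately followed by "()"), which a regex can pick up.
import re

FUNC = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*(?:_[A-Za-z0-9_]+|\(\)))")

def vulnerable_functions(description: str):
    return sorted(set(m.rstrip("()") for m in FUNC.findall(description)))

desc = ("Heap-based buffer overflow in the png_set_PLTE function in "
        "libpng before 1.6.32 allows remote attackers to cause a DoS.")
print(vulnerable_functions(desc))  # ['png_set_PLTE']
```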
The core of the study is the assignment of a risk score to each app, which is necessary especially because of binary and app obfuscation. Based on the ISO 27005:2008 standard, risk was defined as the product of exploitability (how easily the vulnerability can be exploited), impact (a quantification of the damage the vulnerability can cause), and vulnerability (the probabilistic presence of the CVE, with a maximum value of 1 when both the version and the function are vulnerable, 0 when absent, and intermediate values in cases of obfuscation, estimated from the release dates of the app and the CVE: if the CVE is published after the app, the app is likely vulnerable). Moreover, according to a previously published study, in 60% of apps the CVE is fixed within 2 years of release, while in 40% it is never fixed.
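A hedged sketch of the resulting score follows; the presence-decay heuristic below is an illustrative placeholder, not the thesis' exact model.

```python
# Sketch of the ISO 27005-inspired formula described above:
# risk = exploitability * impact * P(vulnerability present), all in [0, 1].
# Presence is 1 for a confirmed vulnerable version/function, 0 when absent,
# and an intermediate estimate when obfuscation hides the evidence.
def presence(confirmed: bool, absent: bool, years_since_cve: float) -> float:
    if confirmed:
        return 1.0
    if absent:
        return 0.0
    # Obfuscated case (illustrative decay): prior work cited in the thesis
    # suggests ~60% of apps patch within 2 years, ~40% never do.
    return 0.4 if years_since_cve >= 2 else 1.0 - 0.3 * years_since_cve

def risk(exploitability: float, impact: float, p_vuln: float) -> float:
    return exploitability * impact * p_vuln

print(risk(0.6, 0.8, presence(False, False, 1.0)))  # 0.336
```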
In the risk phase we analyzed about 2,000 apps: 65% obtained a risk score of up to 5%, while only 1% of the apps received the highest score, which is still classifiable as low since it is below 30%. On a large scale, apps are on average safe.
Finally, the study was applied to a dataset of banking apps (critical infrastructure): 12 apps were analyzed and only 7 contained native code; of these, only 3 had a score greater than 0 but below 5%. A vulnerable function was found in just one app, and in the absence of protections an attacker could obtain important financial information.
Diego Soi (Università degli Studi di Cagliari - Dipartimento di Ingegneria Elettrica ed Elettronica)
"An explainable Deep Learning approach for the detection of Android Malware"
(Relatore: Prof. Davide Maiorca).
Nowadays, smartphones are not only used as telephones to make phone calls or send SMS like in the early days of mobile telephony. They are massively used in everyday activities, both critical and less critical. Examples range from watching a video on YouTube or playing a video game to sending emails, sharing resources on the internet that may expose sensitive information (e.g., the geolocation of a photo), or accessing internet banking applications to transfer money. In addition, companies are increasingly adopting BYOD (Bring Your Own Device) policies that allow employees to access company networks and data through their own devices.
One can clearly understand how mobile device vulnerabilities may pose a great risk to the security and privacy of end users and companies’ critical assets.
In this thesis, we consider Android smartphones and their applications (or APKs). That matters because the Android operating system holds a huge share of the worldwide mobile operating system market: about 70% in 2022 alone. In addition, Android malware keeps increasing in number every year because of the platform's massive adoption by end users: malware writers are drawn to it, since the reach of an attack can be wider than, for example, attacks targeting iOS.
The main objective of the thesis, as suggested by the title, is to develop a deep learning approach to detect Android malware, complemented by an explainability model, so that the analyst can understand which basic operations the application performs.
We started by analyzing current research on Android malware classification and explainability. We then propose a novel approach based on static analysis that includes an explainability stage. In particular, a convolutional neural network is applied to the extracted features (i.e., the API calls of the APK) to classify the app, and SHAP values are then used to compute a relevance score for each API.
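As a rough sketch of such a pipeline (not the thesis code; the vocabulary size, network shape, and training data below are placeholders), one can train a small 1-D CNN on binary API-call vectors and use model-agnostic SHAP values to score each API's contribution:

```python
# Hedged sketch: a 1-D CNN over binary API-call feature vectors, followed by
# model-agnostic SHAP scores for each API. Feature extraction from the APK
# is assumed to happen elsewhere; data here is synthetic.
import numpy as np
import shap
import tensorflow as tf

N_APIS = 256  # illustrative API vocabulary size
X = np.random.randint(0, 2, size=(500, N_APIS)).astype("float32")
y = np.random.randint(0, 2, size=(500,))  # placeholder malware labels

model = tf.keras.Sequential([
    tf.keras.layers.Reshape((N_APIS, 1), input_shape=(N_APIS,)),
    tf.keras.layers.Conv1D(16, 5, activation="relu"),
    tf.keras.layers.GlobalMaxPooling1D(),
    tf.keras.layers.Dense(1, activation="sigmoid"),
])
model.compile(optimizer="adam", loss="binary_crossentropy")
model.fit(X, y, epochs=2, verbose=0)

# KernelExplainer is model-agnostic: it only needs a prediction function
# and a background sample to estimate per-feature SHAP values.
f = lambda v: model.predict(v, verbose=0).ravel()
explainer = shap.KernelExplainer(f, X[:50])
scores = explainer.shap_values(X[:1], nsamples=200)
top = np.argsort(-np.abs(np.ravel(scores)))[:5]
print("most influential API indices:", top)
```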
Tests are proposed to evaluate the performance of the classification model and the quality of the generated explanations. In particular, both local and global explainability are tested: the former concerns the analysis of a single application, to rate the kind of knowledge that can be extracted; the latter concerns the analysis of multiple samples, to understand whether a correlation can be found across malicious APKs.
Eventually, we were able to reach promising results, not only for classification but also for global explanations.
Francesco Varotto (Dipartimento di Matematica - Università di Padova)
"Divergent: nothing as it seems. A novel defence against Website Fingerprinting attacks"
(Relatore: Mauro Conti).
Website Fingerprinting (WF) attacks exploit Network Side Channels (NSCs) to obtain a user's web activity, leak secrets, or identify the requested web page. The signals a malicious user can exploit include packet timing, packet sizes, and traffic shape, even when the communication channel is encrypted or anonymized. Specifically, the attacker gathers the network traffic generated while a user accesses a website, and then applies a series of techniques to discover patterns in the network flow and infer which website the victim requested. State-of-the-art WF attacks have been shown to be effective even against privacy technologies whose main goal is to protect and hide the identity of users during their network activities (such as Tor and VPNs). These threats are of particular concern because they break the privacy, and the anonymity, expected by users who employ such frameworks. With our proposal, we explore a new method that addresses the flaws of the main defences presented so far, while still maintaining good performance against WF attacks: the existing defences assume modifications to the network protocol, pair each web page with a decoy one, or demand too much bandwidth. In this thesis we present a traffic analysis attack for WF that leverages a deep learning model, a Convolutional Neural Network (CNN), in both traditional and anonymity networks (especially against Tor). With the CNN, the attacker is able to identify individual pages within the same website with more than 92% and 95% accuracy for traditional and Tor networks, respectively. We then propose a novel defence, named Divergent, which is capable of reducing the impact of the attack. Our countermeasure lowers the confidence of the adversarial model's output while introducing only 23% bandwidth overhead and almost 0% time overhead on average. Divergent is based on the idea of changing the traffic fingerprint tied to a resource upon each client request, leveraging randomness and dummy packets.
Link esterno alla tesi: https://thesis.unipd.it/handle/20.500.12608/33780
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
Marco Xausa (Dipartimento di Ingegneria e Scienza dell'Informazione, Università di Trento)
"Self-Sovereign Identity - Custom DID Method"
(Relatore: Fabrizio Granelli, Mattia Zago).
Nowadays, the internet allows its users to perform an enormous number of operations. These can be very different, ranging from reading books to bank transfers, and can involve data belonging to different people. For this reason, access to some information and the ability to perform certain operations have to be restricted with some form of authentication and authorization. The different web eras relied on different Identity and Access Management (IAM) standards. Web1.0 was based on the simple login and password paradigm, which still represents a basis for today's standards. The next version, Web2.0, introduced a new pattern, Single Sign On (SSO), together with the Identity Provider (IDP) and Service Provider (SP), enabling the outsourcing of both authentication and authorization procedures. Recently, with the diffusion of the Web3.0 model, a new standard has become necessary. Hence, a new identification system has been created, Self-Sovereign Identity (SSI), which aims to bring decentralization to identity management.
SSO was the first disruptive change to IAM and is considered the state of the art in terms of security and usability. It simplified internet surfing, since authentication has to be performed only once for several different services. New entities were added to the authentication flow: for example, an SP exposes services that require authentication. If a user tries to access a service, they are redirected to the login page of the IDP, where they provide a username and password and are eventually authenticated. The IDP then informs the SP that the user has been recognized, and the SP provides the user with a token that proves the successful authentication.
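To make the token step concrete, here is a deliberately simplified sketch (an assumption of this summary, not a production protocol): the IDP signs an assertion for the authenticated user with a key shared with the SP, and the SP verifies it. Real deployments use SAML assertions or OpenID Connect tokens instead.

```python
# Simplified IDP/SP token exchange: the IDP issues an HMAC-signed assertion,
# and the SP verifies the signature before trusting the user's identity.
import hashlib, hmac, json, time

SHARED_KEY = b"idp-sp-shared-secret"  # illustrative; real setups use PKI

def idp_issue(username: str) -> str:
    payload = json.dumps({"sub": username, "iat": int(time.time())})
    sig = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig

def sp_verify(token: str) -> dict:
    payload, sig = token.rsplit(".", 1)
    expect = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expect):
        raise ValueError("invalid assertion")
    return json.loads(payload)

print(sp_verify(idp_issue("alice")))  # {'sub': 'alice', 'iat': ...}
```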
A variety of identification types are available, based on:
• possession, something that the user owns. It can be lost and duplicated. Valid objects could be:
– tokens (e.g., RSA token, Yubikey, RFID, and acoustic/magnetic token)
– device/location (e.g., a known device)
– document/smartcard (e.g., ID card, x509 certificate)
• inherence, something that only the user is. In this case, it cannot be changed, shared, or repudiated. Some examples are:
– biometrical data (e.g., facial recognition, iris/retina recognition, fingerprint)
– behavioral data (e.g., app usage)
• knowledge, something that the user knows. It can be shared, forgotten, and changed. Types of secrets are:
– private secret (e.g., password, pin or graphical password)
– public secret (e.g., access code)
These methods can be combined to create Multi Factor Authentication (MFA) systems, which normally leverage two or more proofs from the above categories to provide a greater level of security and reliability in the authentication process.
In addition, authentication can be further subdivided into:
• legacy authentication i.e., authentication protocols where the user sends credentials directly to the resource (e.g., IMAP, SMTP, etc.)
• modern authentication i.e., methods based on the SSO workflow, where the IDP and SP are separate entities, providing a better and safer experience (e.g., Security Assertion Markup Language (SAML)).
During the last decade, these protocols have been leveraged by governments to create multiple identity standards such as Sistema Pubblico di Identità Digitale (SPID) and Carta di Identità Elettronica (CIE). Both provide SSO experiences, but the first uses SAML, whereas the second exploits X.509 certificates. However, these systems need to identify the user through a delicate enrollment process, which might be compromised or otherwise disabled. In addition, users' data has to be stored in a centralized infrastructure, which suffers from the single-point-of-failure weakness. Besides that, the collected user information and metadata can be used by the IDP for profit purposes.
For these reasons, along with Web3.0, a new digital identity, Self-Sovereign Identity (SSI), is being developed. The focus is on decentralization and on leaving users more control over their information.
Decentralized Identity (DI), which is a form of SSI, represents a new paradigm leveraging distributed ledger technology. Data is no longer stored in centralized storage, but rather by the user. To ensure a chain of trustworthiness, public ledgers are exploited (e.g., blockchains). This permits users to own their information and provide it themselves, without any request to a centralized entity, making decentralization the main strength of this system. Since DI represents an innovation to IAM, it is still being defined, and a lot of work is being done by different associations, international organizations, and government bodies - such as the World Wide Web Consortium (W3C), the Decentralized Identity Foundation (DIF), and Trust over IP (ToIP) - to define the standards for this technology and to ensure interoperability among the different platforms that will implement this methodology. DI is structured as a layered system, where lower layers provide services to higher layers. The objective of this structure is to create a trust framework encompassing the layers and conforming to privacy laws.
At the top of this stack, there are applications and wallets. Any kind of application can be built on top of this pile; the most common are wallets. Wallets store private keys and seed phrases to help the user manage their identity information, blockchain addresses, or multi-factor logins. Some of them, identity wallets, can store digital claims; they are slightly different from crypto wallets, which are meant to store only blockchain addresses. Moreover, another distinction is made between custodial and non-custodial wallets: custodial wallets are third-party applications that store the private keys on the tenant's behalf, while non-custodial wallets store the private keys locally.
Below the application and wallet layer, there is the agent layer. At this stage, agent frameworks allow lightweight apps (single-page apps or decentralized apps) to interact directly and discreetly with each other or with a Verifiable Data Registry (VDR), with a lower level of risk than traditional cloud and server infrastructure. Essentially, agents work as a bridge between applications and VDRs and between applications themselves. Agent frameworks rely on Verifiable Credentials (VCs), which are the core component of this system. They are a set of claims that can be stored by the user in a digital wallet and disclosed when needed. They are issued by a trusted authority to the subject they refer to, and can be presented to a verifier who can check their validity using cryptographic primitives. A VC refers to a Subject by means of a Decentralized Identifier (DID).
The document’s focus is to describe these identifiers.
DIDs are globally unique identifiers that can be used to retrieve information about a subject (a person, a company, or an object). Universally unique identifiers are used in a variety of circumstances: as ID numbers, product identifiers, and URIs. Typically, they are not under the user's control, and they are released by external authorities who decide who or what they refer to and whether they can be revoked. DIDs, instead, can be resolved to obtain a DID Document that reports a set of cryptographic keys and methods to communicate with the subject and to verify any information contained in a Verifiable Credential.
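For illustration, a resolved DID Document has roughly the following shape (simplified from the W3C DID Core data model; all values below are placeholders):

```python
# Illustrative shape of a resolved DID Document: cryptographic keys for
# authentication plus service endpoints for contacting the subject.
did_document = {
    "@context": "https://www.w3.org/ns/did/v1",
    "id": "did:example:123456789abcdefghi",
    "verificationMethod": [{
        "id": "did:example:123456789abcdefghi#key-1",
        "type": "Ed25519VerificationKey2020",
        "controller": "did:example:123456789abcdefghi",
        "publicKeyMultibase": "z6Mk...",  # truncated placeholder key
    }],
    "authentication": ["did:example:123456789abcdefghi#key-1"],
    "service": [{
        "id": "did:example:123456789abcdefghi#agent",
        "type": "DIDCommMessaging",
        "serviceEndpoint": "https://agent.example.com/endpoint",
    }],
}
```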
Each DID is bound to a DID Method, which describes what actions are allowed on a DID and how they are performed. Normally, each method describes the interactions with a public ledger, which is used to store the data and to ensure the chain of trustworthiness of the information. However, this is not mandatory; indeed, many methods rely on other technologies.
The documentation and the requirements needed to define a DID Method are managed by the World Wide Web Consortium (W3C). The consortium does not impose constraints on the definition of a DID Method, but rather provides a series of guidelines that should be followed. Therefore, many different DID Methods exist, and they can differ widely, ensuring various levels of decentralization.
The document describes the current state of the art for managing DIDs and explores two DID Methods in depth:
• did:sov
• did:key
These two methods come with clear documentation describing how they work, and they represent two different environments for DID usage. The first is a typical DID Method that exploits a distributed ledger to ensure the decentralization of the data (also referred to as a public DID), while the second is a "self-contained" DID that does not require a distributed ledger but relies only on cryptographic primitives (also referred to as a private DID), as the sketch below illustrates.
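As an illustration of the self-contained approach, the following is a minimal sketch of how a did:key identifier can be built from an Ed25519 public key per the did:key draft specification: the key is tagged with the Ed25519 multicodec prefix (0xed 0x01) and base58btc-encoded with a leading "z". The base58 package and the random placeholder key are assumptions of this sketch.

```python
# Sketch of the "self-contained" idea behind did:key: the identifier encodes
# the public key itself, so no ledger lookup is required to resolve it.
import os
import base58  # pip install base58

def did_key_from_ed25519(pubkey: bytes) -> str:
    assert len(pubkey) == 32
    multicodec = bytes([0xED, 0x01]) + pubkey  # Ed25519 multicodec prefix
    return "did:key:z" + base58.b58encode(multicodec).decode()

# Random bytes stand in for a real Ed25519 public key here.
print(did_key_from_ed25519(os.urandom(32)))  # e.g. did:key:z6Mk...
```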
Afterward, the document moves on to the definition of the new custom DID Method for Monokee. Monokee Srl is a company offering IAM services that decided to integrate an SSI product for its customers, helping enterprises in the transition to a decentralized pattern. The project required the definition of a DID Method that could encompass DIDs from different contexts, to support interoperability between different SSI infrastructures.
The method’s characteristics are described starting from its syntax (how to create the unique string) and moving to all the functionalities it can offer.
The did:monokee operations defined are:
• Create – creation of the unique DID and its DID Document;
• Read – retrieving the DID Document of a given DID;
• Update – update information stored on the DID document;
• Delete – revoke the DID to make it invalid.
The documentation created is reflected in the reference implementation, which was realized in the TypeScript programming language and made available in a public repository under the MIT License.
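As a complement to the list of operations above, here is a hypothetical Python rendering of a did:monokee-style registry (the actual reference implementation is in TypeScript; the method names, in-memory storage, and identifier syntax below are illustrative only):

```python
# Hypothetical sketch of the four operations over an in-memory registry.
import uuid

class MonokeeStyleRegistry:
    def __init__(self):
        self._docs = {}

    def create(self, controller: str) -> str:
        did = f"did:monokee:{uuid.uuid4().hex}"  # illustrative syntax
        self._docs[did] = {"id": did, "controller": controller}
        return did

    def read(self, did: str) -> dict:
        return self._docs[did]  # the DID Document for a given DID

    def update(self, did: str, **fields) -> None:
        self._docs[did].update(fields)

    def delete(self, did: str) -> None:
        del self._docs[did]  # revocation: the DID no longer resolves

registry = MonokeeStyleRegistry()
did = registry.create("did:example:controller")
print(registry.read(did))
```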
Jiancheng Ye (Dipartimento di Matematica, Università Degli Studi Di Padova)
"User Privacy on Spotify: Predicting Personal Data from Music Preferences"
(Relatore: Prof. Mauro Conti).
The way we listen to music has changed drastically in the past decade. Now we can play any kind of music from artists around the world through our smart devices. Many music streaming providers, if not most, are built with systems that track users' music preferences and suggest new content. The music we listen to reveals a great deal about who we are. People commonly share playlists and songs by their favorite artists on the platform, find people with similar music tastes, and connect with them. It is not always easy to make friends with strangers, but music is a good way to accomplish that. In spite of that, we must also look at the other side of the coin from a security perspective. Is it a good idea to share music interests with others, or will it compromise our privacy? According to privacy experts and developers, there is no purposeless data. Everything can be used to infer private information, even a single like on social media, which may seem meaningless at first sight but can reveal more than it promises. If our musical tastes reveal our information, we may be profiled for targeted advertisement or by surveillance agencies, or, in general, become potential victims of malicious activities. Since music is part of our daily lives, and there are many providers that let us listen to music, we are even more at risk of being profiled and having our data sold. In this research, we demonstrate the feasibility of inferring personal data from the playlists and songs people publicly share on Spotify. Through an online survey, we collected a new dataset containing the private information of 750 Spotify users, and we downloaded around 402,999 songs extracted from a total of 8,777 playlists. Our statistical analysis shows significant correlations between users' music preferences (e.g., music genre) and private information (e.g., age, gender, economic status). Given these significant correlations, we built several machine-learning models to infer private information, and our results demonstrate that such inference is possible, posing a real privacy threat to all music listeners. In particular, we accurately predicted gender (71.7% f1-score) and several other private attributes, such as whether a person drinks (62.8% f1-score) or smokes (60.2% f1-score) regularly. The purpose of this project is to raise awareness about how seemingly purposeless data can reveal personal information and to educate users about how to better protect their privacy.
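As a rough illustration of the inference step (not the thesis' actual models or data; all names and shapes below are assumptions), one can train a classifier on per-user genre-preference vectors and report the f1-score, the metric quoted above:

```python
# Hedged sketch: predict a binary private attribute from music-preference
# features and evaluate with f1-score. Data here is synthetic.
import numpy as np
from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import f1_score
from sklearn.model_selection import train_test_split

rng = np.random.default_rng(0)
X = rng.random((750, 20))    # per-user genre preference shares (placeholder)
y = rng.integers(0, 2, 750)  # e.g. gender / smoker / drinker label

X_tr, X_te, y_tr, y_te = train_test_split(X, y, test_size=0.3, random_state=0)
clf = RandomForestClassifier(n_estimators=200, random_state=0).fit(X_tr, y_tr)
print("f1-score:", f1_score(y_te, clf.predict(X_te)))
```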
Link esterno alla tesi: http://hdl.handle.net/20.500.12608/42058
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
BACHECA TESI EDIZIONI PASSATE
Edizione 2022
Edizione 2021
Edizione 2020
Edizione 2019
Edizione 2018
Edizione 2017
Edizione 2016
Edizione 2015
Edizione 2014
Edizione 2013
Edizione 2012
Edizione 2011
Edizione 2010
Edizione 2009
Edizione 2008
Edizione 2007
Il Premio Tesi è realizzato in collaborazione e con il sostegno di: