BACHECA TESI
Edizione 2019
Daniele Angioni (Dipartimento di Ingegneria Elettrica ed Elettronica - Università degli studi di Cagliari)
"Riconoscimento di impronte falsificate da cellulare"
"Riconoscimento di impronte falsificate da cellulare"Daniele Angioni (Dipartimento di Ingegneria Elettrica ed Elettronica - Università degli studi di Cagliari)
"Riconoscimento di impronte falsificate da cellulare"
(Relatore: Gian Luca Marcialis).
Lo scopo di questa tesi è stata quella di valutare il livello di minaccia di una una tecnica di falsificazione delle impronte digitali contro dei sistemi di liveness detection allo stato dell\\\\\\\'arte. Questa tecnica utilizza delle fotografie allo schermo del cellulare dove giace l\\\\\\\'impronta latente. Da queste foto si possono ricavare delle repliche, tramite qualche processo di digital image processing, di alta qualità .\\\\r\\\\nFare una fotografia è molto più semplice e veloce dei classici metodi di acquisizione dell\\\\\\\'impronta latente, e può essere quindi utilizzata per ingannare la vittima.\\\\r\\\\nPer valutare fino a che punto questo metodo possa essere una minaccia è stato costruito un nuovo dataset di impronte vere e falsi realizzati con questo metodo, per fare dei test con i primi tre vincitori della competizione LivDet 2019.\\\\r\\\\nI risultati mettono in evidenza come il nuovo metodo presenti un livello di minaccia pari alle repliche realizzate con il completo consenso della vittima.
"Riconoscimento di impronte falsificate da cellulare"(Relatore: Gian Luca Marcialis).
Lo scopo di questa tesi è stata quella di valutare il livello di minaccia di una una tecnica di falsificazione delle impronte digitali contro dei sistemi di liveness detection allo stato dell\\\\\\\'arte. Questa tecnica utilizza delle fotografie allo schermo del cellulare dove giace l\\\\\\\'impronta latente. Da queste foto si possono ricavare delle repliche, tramite qualche processo di digital image processing, di alta qualità .\\\\r\\\\nFare una fotografia è molto più semplice e veloce dei classici metodi di acquisizione dell\\\\\\\'impronta latente, e può essere quindi utilizzata per ingannare la vittima.\\\\r\\\\nPer valutare fino a che punto questo metodo possa essere una minaccia è stato costruito un nuovo dataset di impronte vere e falsi realizzati con questo metodo, per fare dei test con i primi tre vincitori della competizione LivDet 2019.\\\\r\\\\nI risultati mettono in evidenza come il nuovo metodo presenti un livello di minaccia pari alle repliche realizzate con il completo consenso della vittima.
Cristian Assaiante (Sapienza, Università di Roma)
"A Micro-Architectural Red Pill"
Link esterno al gruppo di ricerca: https://season-lab.github.io/
"A Micro-Architectural Red Pill"Link esterno al gruppo di ricerca: https://season-lab.github.io/
Cristian Assaiante (Sapienza, Università di Roma)
"A Micro-Architectural Red Pill"
(Relatore: Daniele Cono D'Elia).
Malware analysis is one of the most important fields of the cyber security world. A malware analyst is constantly racing against malware writers in order to cut the spread of malicious software as soon as possible by understanding its behaviour, and then finding a way to detect it or make it harmless. The increasing diffusion of adversarial techniques however is making automatic dynamic analysis of malware in systems like sandboxes harder and slower. Malware that tries to withstand analysis systems by detecting their presence is called evasive. Samples of this kind are equipped with techniques to determine whether execution is taking place in a hostile analysis environment instead of a victim machine. There are an extremely large amount of so-called red pills to detect almost every execution technology and static or dynamic analysis tool an analyst could take advantage from. As introducing artifacts during dynamic analysis is inevitable, to reduce the time spent in the analysis process malware analysts and system architects ideally must know every technique a malware developer could possibly use, and how to neutralize their effects with proper countermeasures. In this thesis we propose an entirely new type of red pill designed to detect hypervisors using micro-architectural effects. Hypervisors are largely used in dynamic malware analysis to execute samples in a controlled, easy-to-restore environment without the risk of damaging the analyst machine irreparably. The idea behind our technique lies in artifacts of modern hypervisors that cause the eviction of some cache sets. In particular, transitions during the execution to the virtual machine monitor typically pollute the caches in a way that does not happen in bare-metal systems. In order to detect this phenomenon we use some of the most advanced techniques for cache side-channel attacks, which have been developed in recent years to exploit micro-architectural vulnerabilities such as Spectre. The tests we conducted on three of the most common hypervisors used in the malware analysis scene (VirtualBox, VMWare, Xen) show how our red pill is able to detect the presence of a virtualized environment with an extremely high success rate, by keeping track of how many cache sets get evicted during the normal operation of the virtual machine monitor. Due to the micro-architectural approach used and the simple nature of the computations that we perform, our attack is not only difficult to detect, but particularly hard, if not impossible, to mitigate or subvert for dynamic analysis systems.
Link esterno al gruppo di ricerca: https://season-lab.github.io/
"A Micro-Architectural Red Pill"(Relatore: Daniele Cono D'Elia).
Malware analysis is one of the most important fields of the cyber security world. A malware analyst is constantly racing against malware writers in order to cut the spread of malicious software as soon as possible by understanding its behaviour, and then finding a way to detect it or make it harmless. The increasing diffusion of adversarial techniques however is making automatic dynamic analysis of malware in systems like sandboxes harder and slower. Malware that tries to withstand analysis systems by detecting their presence is called evasive. Samples of this kind are equipped with techniques to determine whether execution is taking place in a hostile analysis environment instead of a victim machine. There are an extremely large amount of so-called red pills to detect almost every execution technology and static or dynamic analysis tool an analyst could take advantage from. As introducing artifacts during dynamic analysis is inevitable, to reduce the time spent in the analysis process malware analysts and system architects ideally must know every technique a malware developer could possibly use, and how to neutralize their effects with proper countermeasures. In this thesis we propose an entirely new type of red pill designed to detect hypervisors using micro-architectural effects. Hypervisors are largely used in dynamic malware analysis to execute samples in a controlled, easy-to-restore environment without the risk of damaging the analyst machine irreparably. The idea behind our technique lies in artifacts of modern hypervisors that cause the eviction of some cache sets. In particular, transitions during the execution to the virtual machine monitor typically pollute the caches in a way that does not happen in bare-metal systems. In order to detect this phenomenon we use some of the most advanced techniques for cache side-channel attacks, which have been developed in recent years to exploit micro-architectural vulnerabilities such as Spectre. The tests we conducted on three of the most common hypervisors used in the malware analysis scene (VirtualBox, VMWare, Xen) show how our red pill is able to detect the presence of a virtualized environment with an extremely high success rate, by keeping track of how many cache sets get evicted during the normal operation of the virtual machine monitor. Due to the micro-architectural approach used and the simple nature of the computations that we perform, our attack is not only difficult to detect, but particularly hard, if not impossible, to mitigate or subvert for dynamic analysis systems.
Link esterno al gruppo di ricerca: https://season-lab.github.io/
Stefano Berlato (Dipartimento di Ingegneria e Scienze dell'Informazione, Università di Trento)
"A Pragmatic Approach to Handle "Honest But Curious" Cloud Service Providers: Cryptographic Enforcement of Dynamic Access Control Policies"
Link esterno alla tesi: https://github.com/StefanoBerlato/Master-Thesis
Link esterno al gruppo di ricerca: https://ict.fbk.eu/cybersecurity-people/page/1/
"A Pragmatic Approach to Handle "Honest But Curious" Cloud Service Providers: Cryptographic Enforcement of Dynamic Access Control Policies"Link esterno alla tesi: https://github.com/StefanoBerlato/Master-Thesis
Link esterno al gruppo di ricerca: https://ict.fbk.eu/cybersecurity-people/page/1/
Stefano Berlato (Dipartimento di Ingegneria e Scienze dell'Informazione, Università di Trento)
"A Pragmatic Approach to Handle "Honest But Curious" Cloud Service Providers: Cryptographic Enforcement of Dynamic Access Control Policies"
(Relatore: Silvio Ranise, Roberto Carbone).
Cryptographic Access Control is the natural solution to allow companies to store sensitive data in the Cloud while preserving confidentiality and the possibility to let employees share resources. While many researches focused on this topic, the vast majority proposed only abstract schemes. Few studies developed even a working prototype and none deeply studied a deployment in a realistic use case by considering concrete issues like keys management, robustness or scalability. In this thesis, we filled the gap between these abstract schemes and an actual deployment. We addressed real-world issues like keys management, robustness and scalability rather than focusing high-level issues only. Con- cretely, we chose a state-of-the-art cryptographic access control scheme and extended it to deliver a fully-working implementation. We formulated four high-level properties to derive low-level assump- tions and requirements. Furthermore, we formalized two degrees of freedom and presented twelve different architectures, explaining in detail advantages and drawbacks. To finalize to our discussion, we implemented a cryptographic access control scheme running in a Docker container and interacting with Amazon Web Services. To cover as many use cases as possible, we designed it so to interface with multiple Cloud Service Providers and support multiple architectures with a simple, if not com- pletely null, configuration effort. Summarizing, our work provided a detailed view of the challenges and conditions that can serve as guidelines also for other future implementations of cryptographic access control schemes.
Link esterno alla tesi: https://github.com/StefanoBerlato/Master-Thesis
Link esterno al gruppo di ricerca: https://ict.fbk.eu/cybersecurity-people/page/1/
"A Pragmatic Approach to Handle "Honest But Curious" Cloud Service Providers: Cryptographic Enforcement of Dynamic Access Control Policies"(Relatore: Silvio Ranise, Roberto Carbone).
Cryptographic Access Control is the natural solution to allow companies to store sensitive data in the Cloud while preserving confidentiality and the possibility to let employees share resources. While many researches focused on this topic, the vast majority proposed only abstract schemes. Few studies developed even a working prototype and none deeply studied a deployment in a realistic use case by considering concrete issues like keys management, robustness or scalability. In this thesis, we filled the gap between these abstract schemes and an actual deployment. We addressed real-world issues like keys management, robustness and scalability rather than focusing high-level issues only. Con- cretely, we chose a state-of-the-art cryptographic access control scheme and extended it to deliver a fully-working implementation. We formulated four high-level properties to derive low-level assump- tions and requirements. Furthermore, we formalized two degrees of freedom and presented twelve different architectures, explaining in detail advantages and drawbacks. To finalize to our discussion, we implemented a cryptographic access control scheme running in a Docker container and interacting with Amazon Web Services. To cover as many use cases as possible, we designed it so to interface with multiple Cloud Service Providers and support multiple architectures with a simple, if not com- pletely null, configuration effort. Summarizing, our work provided a detailed view of the challenges and conditions that can serve as guidelines also for other future implementations of cryptographic access control schemes.
Link esterno alla tesi: https://github.com/StefanoBerlato/Master-Thesis
Link esterno al gruppo di ricerca: https://ict.fbk.eu/cybersecurity-people/page/1/
Pietro Borrello (Sapienza, Università di Roma)
"Hiding in the particles: dematerializing software through code reuse techniques"
Link esterno al gruppo di ricerca: https://season-lab.github.io/
"Hiding in the particles: dematerializing software through code reuse techniques"Link esterno al gruppo di ricerca: https://season-lab.github.io/
Pietro Borrello (Sapienza, Università di Roma)
"Hiding in the particles: dematerializing software through code reuse techniques"
(Relatore: Daniele Cono D'Elia).
Software can be one of the most worthy assets in a company. Proprietary software brings value to a company selling services or shipping unique features through its functionalities. As any valuable asset, software is subject to cyber attacks. While software running remotely may be the target of exploitation attempts, locally running software may be the target of reverse engineering attacks. Software obfuscation is a powerful tool to protect programs from reverse engineering attacks. By transforming applications into semantically equivalent, highly complicated counterparts, the time required for an attacker to understand the inner workings of a software will increase by orders of magnitude. Code Reuse techniques have historically been considered a powerful exploitation paradigm, allowing an attacker to carry out an attack without having to inject any code in a vulnerable application thanks to their Turing-complete expressive power. Return-Oriented Programming (ROP) is the most widely known embodiment of the Code Reuse paradigm, with attackers concatenating code fragments already present in the application by leveraging ret instructions. In this thesis we make a perspective shift on ROP using it as a defensive technique: by exploiting the destructured control flow resulting from ROP payloads, we design a strong and general code obfuscation technique against reverse engineering attacks. Expressing code fragments through ROP provides a difficult-to-understand code, while its semantics is preserved: this matches the definition of code obfuscation. We provide the first design and evaluation of a ROP Obfuscator able to deal with complex real-world code and resilient to state-of-the-art deobfuscation approaches, suggesting that Code Reuse is a direction worth embracing in the realm of strong obfuscation techniques. Our obfuscator maps a compiled code to an intermediate representation that we use to transform native instructions and control-flow constructs into short sequences of equivalent ROP gadgets. Its implementation ships as a compiler-like infrastructure in the form of a binary rewriter that targets functions selected by the user, turning them into ROP chains that can operate seamlessly with the parts left unobfuscated. The obfuscator introduces additional transformations designed to take advantage of the underpinnings of code reuse mechanisms, with the goal of effectively hiding the original control flow by hitting the weak points in the scalability of existing deobfuscation analyses. The thesis presents an extensive evaluation of the level of protection that our obfuscator can achieve with respect to state-of-the-art deobfuscation techniques. We show how our tool increases the time required for an attacker to deobfuscate its target and reverse the original program by order of magnitudes, without introducing costly execution time overheads during its normal use. We compare our proposal with virtualization obfuscation, nowadays perceived as the state-of-the-art obfuscation technique. We perform better than the Tigress Virtualization Obfuscator in all our experiments, where we consider deobfuscation time and run-time overhead from the obfuscation. In particular, in deobfuscation attempts our technique exhausted a larger resource budget (time and memory) than the one required to break virtualization obfuscation. To show the generality of the approach and also validate our implementation, we obfuscate the Linux Coreutils in their entirety and then run their extensive test suite. These programs are largely used in software testing research as they exercise heterogeneous programming behaviors, and the obfuscated version we produce obtains a 100% success rate for the tests. By providing the community with a complete design and implementation able to protect realistic programs against both manual and automatic attacks, we hope to make a strong contribution towards better software protection systems against reverse engineering attacks.
Link esterno al gruppo di ricerca: https://season-lab.github.io/
"Hiding in the particles: dematerializing software through code reuse techniques"(Relatore: Daniele Cono D'Elia).
Software can be one of the most worthy assets in a company. Proprietary software brings value to a company selling services or shipping unique features through its functionalities. As any valuable asset, software is subject to cyber attacks. While software running remotely may be the target of exploitation attempts, locally running software may be the target of reverse engineering attacks. Software obfuscation is a powerful tool to protect programs from reverse engineering attacks. By transforming applications into semantically equivalent, highly complicated counterparts, the time required for an attacker to understand the inner workings of a software will increase by orders of magnitude. Code Reuse techniques have historically been considered a powerful exploitation paradigm, allowing an attacker to carry out an attack without having to inject any code in a vulnerable application thanks to their Turing-complete expressive power. Return-Oriented Programming (ROP) is the most widely known embodiment of the Code Reuse paradigm, with attackers concatenating code fragments already present in the application by leveraging ret instructions. In this thesis we make a perspective shift on ROP using it as a defensive technique: by exploiting the destructured control flow resulting from ROP payloads, we design a strong and general code obfuscation technique against reverse engineering attacks. Expressing code fragments through ROP provides a difficult-to-understand code, while its semantics is preserved: this matches the definition of code obfuscation. We provide the first design and evaluation of a ROP Obfuscator able to deal with complex real-world code and resilient to state-of-the-art deobfuscation approaches, suggesting that Code Reuse is a direction worth embracing in the realm of strong obfuscation techniques. Our obfuscator maps a compiled code to an intermediate representation that we use to transform native instructions and control-flow constructs into short sequences of equivalent ROP gadgets. Its implementation ships as a compiler-like infrastructure in the form of a binary rewriter that targets functions selected by the user, turning them into ROP chains that can operate seamlessly with the parts left unobfuscated. The obfuscator introduces additional transformations designed to take advantage of the underpinnings of code reuse mechanisms, with the goal of effectively hiding the original control flow by hitting the weak points in the scalability of existing deobfuscation analyses. The thesis presents an extensive evaluation of the level of protection that our obfuscator can achieve with respect to state-of-the-art deobfuscation techniques. We show how our tool increases the time required for an attacker to deobfuscate its target and reverse the original program by order of magnitudes, without introducing costly execution time overheads during its normal use. We compare our proposal with virtualization obfuscation, nowadays perceived as the state-of-the-art obfuscation technique. We perform better than the Tigress Virtualization Obfuscator in all our experiments, where we consider deobfuscation time and run-time overhead from the obfuscation. In particular, in deobfuscation attempts our technique exhausted a larger resource budget (time and memory) than the one required to break virtualization obfuscation. To show the generality of the approach and also validate our implementation, we obfuscate the Linux Coreutils in their entirety and then run their extensive test suite. These programs are largely used in software testing research as they exercise heterogeneous programming behaviors, and the obfuscated version we produce obtains a 100% success rate for the tests. By providing the community with a complete design and implementation able to protect realistic programs against both manual and automatic attacks, we hope to make a strong contribution towards better software protection systems against reverse engineering attacks.
Link esterno al gruppo di ricerca: https://season-lab.github.io/
Daniele Ferla (Dipartimento di Informatica, Scienza e Ingegneria - Università di Bologna)
"ROPfuscator: machine code obfuscation through Return Oriented Programming"
"ROPfuscator: machine code obfuscation through Return Oriented Programming"Daniele Ferla (Dipartimento di Informatica, Scienza e Ingegneria - Università di Bologna)
"ROPfuscator: machine code obfuscation through Return Oriented Programming"
(Relatore: Rebecca Montanari).
With the advancement of reverse-engineering techniques, analysts are capable of reconstructing the behaviour of a program even without having access to its source code. Static analysis tools, such as IDA Pro or Ghidra, can be used to obtain a higher-level representation of the program code just from the executable binary, often achieving levels of expressiveness comparable to programming languages such as C and C++. By coupling those tools with symbolic execution engines, it is possible to optimise and simplify the overall reverse-engineering process, reducing the amount of time that is required to understand how a program internally works. Software obfuscation is a branch of computer security that aims to protect software from any attempt of analysing its inner workings, avoiding, or at least hindering, Intellectual Property (IP) theft from unauthorised adversaries. This kind of protection is used by software houses to avoid the proliferation of unlicensed copies of their software, thus protecting their business. In general, obfuscation provides a more accessible and cheaper technical means to protect software, in opposition to complex legal forms of protections, such as copyright, trademarks, and patents. In this thesis work, we present ROPfuscator, a software obfuscator that uses Return Oriented Programming (ROP) to perform obfuscating transformations on arbitrary programs. Differently from the techniques used on other software obfuscation solutions, ROP is a programming technique that, until now, has been solely employed in the field of exploit development. This work consisted in adapting such technique to the obfuscation use case, extending it with different new features that can increase its applicability and reliability even in systems in which protections such as ASLR and W^X are enabled. Furthermore, ROPfuscator leverages on opaque predicates to interfere with symbolic execution engines, so that they cannot be used as an aid during the reverse-engineering process.
"ROPfuscator: machine code obfuscation through Return Oriented Programming"(Relatore: Rebecca Montanari).
With the advancement of reverse-engineering techniques, analysts are capable of reconstructing the behaviour of a program even without having access to its source code. Static analysis tools, such as IDA Pro or Ghidra, can be used to obtain a higher-level representation of the program code just from the executable binary, often achieving levels of expressiveness comparable to programming languages such as C and C++. By coupling those tools with symbolic execution engines, it is possible to optimise and simplify the overall reverse-engineering process, reducing the amount of time that is required to understand how a program internally works. Software obfuscation is a branch of computer security that aims to protect software from any attempt of analysing its inner workings, avoiding, or at least hindering, Intellectual Property (IP) theft from unauthorised adversaries. This kind of protection is used by software houses to avoid the proliferation of unlicensed copies of their software, thus protecting their business. In general, obfuscation provides a more accessible and cheaper technical means to protect software, in opposition to complex legal forms of protections, such as copyright, trademarks, and patents. In this thesis work, we present ROPfuscator, a software obfuscator that uses Return Oriented Programming (ROP) to perform obfuscating transformations on arbitrary programs. Differently from the techniques used on other software obfuscation solutions, ROP is a programming technique that, until now, has been solely employed in the field of exploit development. This work consisted in adapting such technique to the obfuscation use case, extending it with different new features that can increase its applicability and reliability even in systems in which protections such as ASLR and W^X are enabled. Furthermore, ROPfuscator leverages on opaque predicates to interfere with symbolic execution engines, so that they cannot be used as an aid during the reverse-engineering process.
Serena Ferracci (Sapienza Università di Roma)
"Detecting Cache-based Side Channel Attacks using Hardware Performance Counters"
"Detecting Cache-based Side Channel Attacks using Hardware Performance Counters"Serena Ferracci (Sapienza Università di Roma)
"Detecting Cache-based Side Channel Attacks using Hardware Performance Counters"
(Relatore: Alessandro Pellegrini).
In this thesis we explore a different approach to the more standard prevention of attacks, namely that of detection. A system based on detection does not pay high costs related to patches which make it impossible to carry out some security breach, rather it is able to determine at runtime if some malicious application is trying to perform unauthorized tasks. If the detection is fast and accurate, the system can undertake corrective actions which prevent on demand the attacker to complete its breach. Technically, we have focused on cache-based side channel attacks. These attacks ground on optimizations introduced by hardware vendors over time to improve the performance of applications. Unexpectedly, some of these hardware optimizations have exposed systems to a new family of attacks, which are able to circumvent the sandboxes created by traditional operating systems to isolate processes from each other. In this family of attacks fall, e.g., Spectre, Meltdown and Foreshadow. These attacks break confidentiality by leaking secret information otherwise inaccessible, by forcing side effects in the cache subsystem and observing from a separate process these effects. These attacks have been devastating, as they have torn apart fundamental building blocks of most relevant computing systems and applications. As such, software patches have been promptly put in place to prevent or mitigate these types of attacks. Some attacks require to disable some hardware features of modern processors, thus significantly impairing the overall performance of modern applications. Moreover, these software patches are not completely suitable for the prevention/mitigation purpose: some are specific for a single type of attack, so once they are publicly known, more advanced attacks can be envisaged to bypass them. Our detection approach aims to define a low-overhead attack-agnostic methodology to perform system-wide detection of cache-based side channel attacks. To do this, we continuously monitor the entire system with non-intrusive (performance-wise) methodologies to detect behaviors that deviate from normal execution. Non-intrusiveness is based on the availability of specialized hardware on most off-the-shelf machines, namely Performance Monitoring Counters (PMCs). This support, originally designed to profile applications to collect performance/resource usage information, has been used in my thesis to observe the behavior of running processes, so as to identify possible malicious patterns. We use PMCs to perform a system-wide detection, yet at the grain of single processes. A noteworthy aspect is that with our approach we can detect an ongoing attack only looking at potential attacker, while all similar proposals in the literature required to also know who was the victim, to carry out a correct detection. Our proposal therefore drops this unrealistic assumption about detection system models. Information obtained from PMCs is, anyhow, related to performance metrics. We have therefore profiled a large number of malicious/non-malicious applications to combine these performance-oriented measures into higher-level metrics, which allow us to declare (with a certain degree of accuracy) if an attack is in progress or not. To stress-test the correctness of these metrics, we have observed their capability to detect an ongoing attack also when considering malicious applications not taken into account during their definition. We have shown the benefits of our detection approach by measuring the overhead added by our methodology, which has been shown to be reasonably lower than that added by software patches aiming at prevention of attacks. We have relied on a wide range of different application with different execution profiles (e.g., CPU-intensive, syscall-intensive), so as to simulate a realistic use of the system. We have also experimentally shown that, with our approach, we have a 100% success ratio in the detection of a large number of side-channel attack.
"Detecting Cache-based Side Channel Attacks using Hardware Performance Counters"(Relatore: Alessandro Pellegrini).
In this thesis we explore a different approach to the more standard prevention of attacks, namely that of detection. A system based on detection does not pay high costs related to patches which make it impossible to carry out some security breach, rather it is able to determine at runtime if some malicious application is trying to perform unauthorized tasks. If the detection is fast and accurate, the system can undertake corrective actions which prevent on demand the attacker to complete its breach. Technically, we have focused on cache-based side channel attacks. These attacks ground on optimizations introduced by hardware vendors over time to improve the performance of applications. Unexpectedly, some of these hardware optimizations have exposed systems to a new family of attacks, which are able to circumvent the sandboxes created by traditional operating systems to isolate processes from each other. In this family of attacks fall, e.g., Spectre, Meltdown and Foreshadow. These attacks break confidentiality by leaking secret information otherwise inaccessible, by forcing side effects in the cache subsystem and observing from a separate process these effects. These attacks have been devastating, as they have torn apart fundamental building blocks of most relevant computing systems and applications. As such, software patches have been promptly put in place to prevent or mitigate these types of attacks. Some attacks require to disable some hardware features of modern processors, thus significantly impairing the overall performance of modern applications. Moreover, these software patches are not completely suitable for the prevention/mitigation purpose: some are specific for a single type of attack, so once they are publicly known, more advanced attacks can be envisaged to bypass them. Our detection approach aims to define a low-overhead attack-agnostic methodology to perform system-wide detection of cache-based side channel attacks. To do this, we continuously monitor the entire system with non-intrusive (performance-wise) methodologies to detect behaviors that deviate from normal execution. Non-intrusiveness is based on the availability of specialized hardware on most off-the-shelf machines, namely Performance Monitoring Counters (PMCs). This support, originally designed to profile applications to collect performance/resource usage information, has been used in my thesis to observe the behavior of running processes, so as to identify possible malicious patterns. We use PMCs to perform a system-wide detection, yet at the grain of single processes. A noteworthy aspect is that with our approach we can detect an ongoing attack only looking at potential attacker, while all similar proposals in the literature required to also know who was the victim, to carry out a correct detection. Our proposal therefore drops this unrealistic assumption about detection system models. Information obtained from PMCs is, anyhow, related to performance metrics. We have therefore profiled a large number of malicious/non-malicious applications to combine these performance-oriented measures into higher-level metrics, which allow us to declare (with a certain degree of accuracy) if an attack is in progress or not. To stress-test the correctness of these metrics, we have observed their capability to detect an ongoing attack also when considering malicious applications not taken into account during their definition. We have shown the benefits of our detection approach by measuring the overhead added by our methodology, which has been shown to be reasonably lower than that added by software patches aiming at prevention of attacks. We have relied on a wide range of different application with different execution profiles (e.g., CPU-intensive, syscall-intensive), so as to simulate a realistic use of the system. We have also experimentally shown that, with our approach, we have a 100% success ratio in the detection of a large number of side-channel attack.
Federico Griscioli (Ingegneria Informatica e Automazione)
"Cybersecurity of Industrial Control Systems: Innovative solutions to enhance the security posture."
"Cybersecurity of Industrial Control Systems: Innovative solutions to enhance the security posture."Federico Griscioli (Ingegneria Informatica e Automazione)
"Cybersecurity of Industrial Control Systems: Innovative solutions to enhance the security posture."
(Relatore: Maurizio Pizzonia).
Industrial control systems (ICSs) are changing rapidly to satisfy requests of higher interconnectivity (e.g., connection between enterprise and process zone) and introduction of additional features that can boost up the governance (e.g., IT-typical components and data analytics process). This revolution exposes these systems to a new infection vectors from which is challenging to protect considering the complexity of deploying new components, especially in the process zone. Common protections adopted by ICSs seem not to be effective against innovative attacks (e.g., Advanced Persistent Threats) performed by high and motivated attacker who aim at penetrating into target-systems with a traffic that looks like legitimate. An analysis of techniques used by such innovative attacks targeting ICS suggested the USB thumb drives are effective infection vectors that can be used to bypass the perimeter of defence and jump directly into the critical part of the system (i.e., critical machines) that has to be carefully protected. Leveraging a USB thumb drive allows attackers to compromised also system that are strongly isolated by means of airgap. We propose techniques that, along with traditional defences, can enhance the improvement of the cyber security posture of ICS. Especially, we show methods and hardware-based solutions that are able to prevent malware infection, also due to zero-days, spread through USB thumb drives without changing the ability perceived by end users. We protect both against infection coming from software (e.g., script embedded in files) and against modified-firmware that aim at impersonating a different USB peripheral like, for instance, a mouse of a keyboard. We also introduce a methodology and a software architecture, based on Software Defined Networking paradigm, that allow an ICS operator to use the spare bandwidth that might be available in over-provisioned networks to forward replicas of traffic streams towards a single intrusion detection system placed at an arbitrary location. Furthermore, we present an overview of a solution developed within the context of an European project (Preemptive) devised to improve the cyber security of ICSs adopting an innovative approach. This solution encompasses several detection and prevention tools. Each of them aims at addressing a specified security aspect and use data collected in different part of the system. All data are integrated and correlate in order to decrease false positives and increase the chance to detect also APT-like attacks. Then, we show a protocol for a key-value storage service that provides ADS-enabled integrity-protected queries and updates without impairing scalability, even in the presence of large network latencies between trusted clients and an untrusted server. This solution could be valuable in industrial control systems context where many unintelligent devices (e.g., sensors) store data in a remote private cloud. In this case, the integrity of data store in the cloud is guaranteed while maintaining the possibility to achieve high throughput keeping limited latency.
"Cybersecurity of Industrial Control Systems: Innovative solutions to enhance the security posture."(Relatore: Maurizio Pizzonia).
Industrial control systems (ICSs) are changing rapidly to satisfy requests of higher interconnectivity (e.g., connection between enterprise and process zone) and introduction of additional features that can boost up the governance (e.g., IT-typical components and data analytics process). This revolution exposes these systems to a new infection vectors from which is challenging to protect considering the complexity of deploying new components, especially in the process zone. Common protections adopted by ICSs seem not to be effective against innovative attacks (e.g., Advanced Persistent Threats) performed by high and motivated attacker who aim at penetrating into target-systems with a traffic that looks like legitimate. An analysis of techniques used by such innovative attacks targeting ICS suggested the USB thumb drives are effective infection vectors that can be used to bypass the perimeter of defence and jump directly into the critical part of the system (i.e., critical machines) that has to be carefully protected. Leveraging a USB thumb drive allows attackers to compromised also system that are strongly isolated by means of airgap. We propose techniques that, along with traditional defences, can enhance the improvement of the cyber security posture of ICS. Especially, we show methods and hardware-based solutions that are able to prevent malware infection, also due to zero-days, spread through USB thumb drives without changing the ability perceived by end users. We protect both against infection coming from software (e.g., script embedded in files) and against modified-firmware that aim at impersonating a different USB peripheral like, for instance, a mouse of a keyboard. We also introduce a methodology and a software architecture, based on Software Defined Networking paradigm, that allow an ICS operator to use the spare bandwidth that might be available in over-provisioned networks to forward replicas of traffic streams towards a single intrusion detection system placed at an arbitrary location. Furthermore, we present an overview of a solution developed within the context of an European project (Preemptive) devised to improve the cyber security of ICSs adopting an innovative approach. This solution encompasses several detection and prevention tools. Each of them aims at addressing a specified security aspect and use data collected in different part of the system. All data are integrated and correlate in order to decrease false positives and increase the chance to detect also APT-like attacks. Then, we show a protocol for a key-value storage service that provides ADS-enabled integrity-protected queries and updates without impairing scalability, even in the presence of large network latencies between trusted clients and an untrusted server. This solution could be valuable in industrial control systems context where many unintelligent devices (e.g., sensors) store data in a remote private cloud. In this case, the integrity of data store in the cloud is guaranteed while maintaining the possibility to achieve high throughput keeping limited latency.
francesco lorenzi (Università degli studi di Roma Tor Vergata)
"Blockchain e Sanità : opportunità e prospettive per gli EHR"
"Blockchain e Sanità : opportunità e prospettive per gli EHR"francesco lorenzi (Università degli studi di Roma Tor Vergata)
"Blockchain e Sanità : opportunità e prospettive per gli EHR"
(Relatore: Agostino La Bella).
La lavoro presentato in questo elaborato ha studiato la fattibilità applicativa del binomio tra una tecnologia così all'avanguardia come Blockchain e il cosiddetto Elettronic Health Record del paziente. Si tratta di un primo modello applicato ad un piccolo numero di reparti ospedalieri, i quali potranno condividere, trasferire, immettere informazioni sulla piattaforma in totale sicurezza garantita dall'utilizzo di questa tecnologia. L'applicazione della tecnologia Blockchain in ambito sanitario rivoluzionerà il settore come mai prima, andando ad esemplificare la pratica medica, renderà più efficiente e snello l'intero iter pubblico sanitario del paziente, dal momento della registrazione fino al momento della dimissione. Inoltre il paziente potrà tenere tutti i suoi dati personali sanitari in modo sicuro , grazie alla decentralizzazione del database, e potrà decidere se condividerli o meno concedendo l'autorizzazione nel momento e alla persona desiderata.
"Blockchain e Sanità : opportunità e prospettive per gli EHR"(Relatore: Agostino La Bella).
La lavoro presentato in questo elaborato ha studiato la fattibilità applicativa del binomio tra una tecnologia così all'avanguardia come Blockchain e il cosiddetto Elettronic Health Record del paziente. Si tratta di un primo modello applicato ad un piccolo numero di reparti ospedalieri, i quali potranno condividere, trasferire, immettere informazioni sulla piattaforma in totale sicurezza garantita dall'utilizzo di questa tecnologia. L'applicazione della tecnologia Blockchain in ambito sanitario rivoluzionerà il settore come mai prima, andando ad esemplificare la pratica medica, renderà più efficiente e snello l'intero iter pubblico sanitario del paziente, dal momento della registrazione fino al momento della dimissione. Inoltre il paziente potrà tenere tutti i suoi dati personali sanitari in modo sicuro , grazie alla decentralizzazione del database, e potrà decidere se condividerli o meno concedendo l'autorizzazione nel momento e alla persona desiderata.
Marco Pernpruner (Dipartimento di Informatica - Università degli Studi di Verona)
"A passwordless out-of-band authentication protocol based on eID cards and push notifications: Design and formal security analysis"
Link esterno al gruppo di ricerca: https://ict.fbk.eu/units/st/
"A passwordless out-of-band authentication protocol based on eID cards and push notifications: Design and formal security analysis"Link esterno al gruppo di ricerca: https://ict.fbk.eu/units/st/
Marco Pernpruner (Dipartimento di Informatica - Università degli Studi di Verona)
"A passwordless out-of-band authentication protocol based on eID cards and push notifications: Design and formal security analysis"
(Relatore: Prof. Massimo Merro).
Everyday life is strongly marked by new technologies which – just a few years ago – were considered unbelievable. Smart devices, mobile applications for every purpose, automated houses which can be simply controlled through an app: this is now reality, so who knows what else the future has in store. Thanks to that, people can now carry out almost any kind of operations without even leaving their couch. Although this is amazing from a convenience perspective, it may result in several potential security issues, as many online operations require users to be properly identified in order to prevent other users from accessing those operations' restricted data. These requirements led to the establishment of authentication strategies, most of which rely on a set of credentials (username and password) to be inserted by the user. Actually, as can be imagined, passwords suffer from lots of vulnerabilities related to the need for remembering them throughout the different websites. As a result, chosen passwords are quite easy, thus making common attacks as password guessing extremely feasible for a malicious agent. Because of that, in order to strengthen authentication protocols, further layers of protection have to be established: thus, in addition to something they know, users will be also requested something they have and/or something they are; such protocols – based on different authentication factors – are thus called multi-factor authentication protocols. Moreover, to prevent password-related attacks, authentication strategies are moving towards a passwordless approach, relying on alternative means rather than passwords. When dealing with Public Administration's online services, identification is required as well as authentication, as online identities must be linked to real identities due to the sensitive context. In this regard, the DigiMat Lab between Poligrafico e Zecca dello Stato Italiano and Fondazione Bruno Kessler has been founded, aiming at developing and assessing secure authentication protocols leveraging the Italian eID card (CIE 3.0) for identification purpose. Currently, this technology can be used to authenticate users from the browser of their smartphone on a Service Provider; this protocol has been approved by the European Commission and will be used to authenticate Italian citizens to the digital services of the member states, in compliance with the eIDAS European regulation. Here is where this work takes place: we extended the current scenario by designing and implementing a protocol to authenticate users from their personal computers' browser relying on both their CIE (through NFC) and push notifications delivered to their mobile devices. Beyond that, we also analysed the security of the proposed solution through different techniques, and thus different levels of granularity. These analyses allowed us to gradually refine the protocol, reaching an acceptable level of security.
Link esterno al gruppo di ricerca: https://ict.fbk.eu/units/st/
"A passwordless out-of-band authentication protocol based on eID cards and push notifications: Design and formal security analysis"(Relatore: Prof. Massimo Merro).
Everyday life is strongly marked by new technologies which – just a few years ago – were considered unbelievable. Smart devices, mobile applications for every purpose, automated houses which can be simply controlled through an app: this is now reality, so who knows what else the future has in store. Thanks to that, people can now carry out almost any kind of operations without even leaving their couch. Although this is amazing from a convenience perspective, it may result in several potential security issues, as many online operations require users to be properly identified in order to prevent other users from accessing those operations' restricted data. These requirements led to the establishment of authentication strategies, most of which rely on a set of credentials (username and password) to be inserted by the user. Actually, as can be imagined, passwords suffer from lots of vulnerabilities related to the need for remembering them throughout the different websites. As a result, chosen passwords are quite easy, thus making common attacks as password guessing extremely feasible for a malicious agent. Because of that, in order to strengthen authentication protocols, further layers of protection have to be established: thus, in addition to something they know, users will be also requested something they have and/or something they are; such protocols – based on different authentication factors – are thus called multi-factor authentication protocols. Moreover, to prevent password-related attacks, authentication strategies are moving towards a passwordless approach, relying on alternative means rather than passwords. When dealing with Public Administration's online services, identification is required as well as authentication, as online identities must be linked to real identities due to the sensitive context. In this regard, the DigiMat Lab between Poligrafico e Zecca dello Stato Italiano and Fondazione Bruno Kessler has been founded, aiming at developing and assessing secure authentication protocols leveraging the Italian eID card (CIE 3.0) for identification purpose. Currently, this technology can be used to authenticate users from the browser of their smartphone on a Service Provider; this protocol has been approved by the European Commission and will be used to authenticate Italian citizens to the digital services of the member states, in compliance with the eIDAS European regulation. Here is where this work takes place: we extended the current scenario by designing and implementing a protocol to authenticate users from their personal computers' browser relying on both their CIE (through NFC) and push notifications delivered to their mobile devices. Beyond that, we also analysed the security of the proposed solution through different techniques, and thus different levels of granularity. These analyses allowed us to gradually refine the protocol, reaching an acceptable level of security.
Link esterno al gruppo di ricerca: https://ict.fbk.eu/units/st/
Luca Puggioninu (DIEE - Università degli Studi di Cagliari)
"Un approccio combinato alla rilevazione delle pagine di Phishing basato sull’utilizzo di motori di ricerca e meccanismi di black & white-listing"
"Un approccio combinato alla rilevazione delle pagine di Phishing basato sull’utilizzo di motori di ricerca e meccanismi di black & white-listing"Luca Puggioninu (DIEE - Università degli Studi di Cagliari)
"Un approccio combinato alla rilevazione delle pagine di Phishing basato sull’utilizzo di motori di ricerca e meccanismi di black & white-listing"
(Relatore: Giorgio Giacinto).
L’avanzamento della tecnologia cresce esponenzialmente giorno per giorno tanto che si è arrivati al punto di condurre la maggior parte delle attività sociali, lavorative, di svago tramite l’utilizzo di mezzi tecnologici e di Internet. Questo ha sicuramente comportato ampie possibilità di crescita per la società , in quanto l’e-commerce, l’e-government, l’home banking, il trading online rendono più efficienti e veloci gli scambi e le comunicazioni. Parallelamente, la pervasività e l’evoluzione della tecnologia hanno favorito il fatto che diventassero più sofisticati i metodi e le tecniche per effettuare frodi informatiche. Con il presente elaborato si intende trattare ed approfondire la tecnica di frode informatica conosciuta come Phishing, volta a carpire informazioni personali tramite svariate modalità fraudolente al fine di commettere illeciti attraverso la rete, investigando inoltre le tecniche di difesa e le contromisure utilizzate attualmente. L’elaborato propone inoltre un sistema di identificazione di pagine di phishing tramite l'utilizzo di un motore di ricerca e algoritmi di machine learning. Dalle sperimentazioni si è raggiunta un'accuratezza del 98,39% su un dataset di circa 20.000 campioni. I dataset per l'addestramento del classificatore basato sulla fusione di un albero decisionale e un motore di ricerca sono Majestic per quanto riguarda le pagine legittime e DeltaPhish per quelle di phishing.
"Un approccio combinato alla rilevazione delle pagine di Phishing basato sull’utilizzo di motori di ricerca e meccanismi di black & white-listing"(Relatore: Giorgio Giacinto).
L’avanzamento della tecnologia cresce esponenzialmente giorno per giorno tanto che si è arrivati al punto di condurre la maggior parte delle attività sociali, lavorative, di svago tramite l’utilizzo di mezzi tecnologici e di Internet. Questo ha sicuramente comportato ampie possibilità di crescita per la società , in quanto l’e-commerce, l’e-government, l’home banking, il trading online rendono più efficienti e veloci gli scambi e le comunicazioni. Parallelamente, la pervasività e l’evoluzione della tecnologia hanno favorito il fatto che diventassero più sofisticati i metodi e le tecniche per effettuare frodi informatiche. Con il presente elaborato si intende trattare ed approfondire la tecnica di frode informatica conosciuta come Phishing, volta a carpire informazioni personali tramite svariate modalità fraudolente al fine di commettere illeciti attraverso la rete, investigando inoltre le tecniche di difesa e le contromisure utilizzate attualmente. L’elaborato propone inoltre un sistema di identificazione di pagine di phishing tramite l'utilizzo di un motore di ricerca e algoritmi di machine learning. Dalle sperimentazioni si è raggiunta un'accuratezza del 98,39% su un dataset di circa 20.000 campioni. I dataset per l'addestramento del classificatore basato sulla fusione di un albero decisionale e un motore di ricerca sono Majestic per quanto riguarda le pagine legittime e DeltaPhish per quelle di phishing.
Andrea Salvati (DIAG - Sapienza Università di Roma)
"ROPDissector: An Analysis Framework for ROP Programs"
Link esterno al gruppo di ricerca: https://season-lab.github.io/
"ROPDissector: An Analysis Framework for ROP Programs"Link esterno al gruppo di ricerca: https://season-lab.github.io/
Andrea Salvati (DIAG - Sapienza Università di Roma)
"ROPDissector: An Analysis Framework for ROP Programs"
(Relatore: Camil Demetrescu).
In spite of mitigations that modern operating systems put in place to avoid remote code injection attacks, memory corruption vulnerabilities remain a major source of concern. In particular, code reuse techniques get regularly used today to get around mechanisms such as code signing and data execution prevention. Return Oriented Programming (or ROP for short) is currently the most popular embodiment of the code reuse principle. The complexity of ROP payloads is on the rise as a response to ever growing mitigation mechanisms for exploitation in mainstream systems. Furthermore, several research works have hinted at ROP as a possibly effective code obfuscation technique. For how ROP code is structured, understanding its semantics at first glance is very hard. To get such information, a thorough analysis process is required: this task can be very time consuming to be performed manually, and usually hinges on dynamic analysis to capture all relevant details. Control flow operations such as branches are hard to spot even during such an analysis, as they rely on odd mechanisms for conditional manipulation of the CPU flags and stack pointer register. This thesis presents ROPDissector, a static analysis framework for ROP programs that can ease the analysis of complex ROP code by providing control flow identification, memory access tracing, system and library call detection, multi-path exploration, and semantic annotation of code through emulation of the x86 ISA in the Unicorn engine. The focus of the analysis are 32-bit payloads for Windows, which represent the most common instance of ROP code, while future improvements might include support for Linux exploits and the x64 architecture. ROPDissector requires forensic analysts to provide the ROP payload and the application component from which ROP gadgets (the computational components of a ROP payload) are borrowed. The thesis also discusses automatic techniques to guess such components from a database of plausible candidates by leveraging implementation characteristics of Address Space Layout Randomization in Windows with respect to relative distances of valid image bases for DLL code modules. Such techniques can be useful to automate the analysis of payloads observed over the network and most importantly in malicious PDF files. In particular, the latter typically contain ROP chains targeting the code of specific versions of PDF viewers like Adobe Reader: without this information a dynamic analysis would likely yield misleading results, missing a behavior that can kick in only in the right execution environment and configuration. The framework provides a good deal of flexibility that allows for building follow-up research on top of it, for instance not only to analyze existing payloads, but also to validate the correctness of ROP code when writing it. Compared to the state of the art for ROP code analysis in the literature, the ideas presented in this thesis reduce the burden on forensic analysis and reverse engineering actors, as they are no longer required to reproduce the activation context of the ROP payload, a step that was necessary for taking a full memory dump for subsequent analysis. Parts of this thesis appeared in the “Static analysis of ROP code†paper published within the 12th European Workshop on Systems Security (EUROSEC 2019) earlier this year. The source code of ROPDissector and the datasets used for its evaluation are available to the community at the following address: https://github.com/season-lab/ropdissector
Link esterno al gruppo di ricerca: https://season-lab.github.io/
"ROPDissector: An Analysis Framework for ROP Programs"(Relatore: Camil Demetrescu).
In spite of mitigations that modern operating systems put in place to avoid remote code injection attacks, memory corruption vulnerabilities remain a major source of concern. In particular, code reuse techniques get regularly used today to get around mechanisms such as code signing and data execution prevention. Return Oriented Programming (or ROP for short) is currently the most popular embodiment of the code reuse principle. The complexity of ROP payloads is on the rise as a response to ever growing mitigation mechanisms for exploitation in mainstream systems. Furthermore, several research works have hinted at ROP as a possibly effective code obfuscation technique. For how ROP code is structured, understanding its semantics at first glance is very hard. To get such information, a thorough analysis process is required: this task can be very time consuming to be performed manually, and usually hinges on dynamic analysis to capture all relevant details. Control flow operations such as branches are hard to spot even during such an analysis, as they rely on odd mechanisms for conditional manipulation of the CPU flags and stack pointer register. This thesis presents ROPDissector, a static analysis framework for ROP programs that can ease the analysis of complex ROP code by providing control flow identification, memory access tracing, system and library call detection, multi-path exploration, and semantic annotation of code through emulation of the x86 ISA in the Unicorn engine. The focus of the analysis are 32-bit payloads for Windows, which represent the most common instance of ROP code, while future improvements might include support for Linux exploits and the x64 architecture. ROPDissector requires forensic analysts to provide the ROP payload and the application component from which ROP gadgets (the computational components of a ROP payload) are borrowed. The thesis also discusses automatic techniques to guess such components from a database of plausible candidates by leveraging implementation characteristics of Address Space Layout Randomization in Windows with respect to relative distances of valid image bases for DLL code modules. Such techniques can be useful to automate the analysis of payloads observed over the network and most importantly in malicious PDF files. In particular, the latter typically contain ROP chains targeting the code of specific versions of PDF viewers like Adobe Reader: without this information a dynamic analysis would likely yield misleading results, missing a behavior that can kick in only in the right execution environment and configuration. The framework provides a good deal of flexibility that allows for building follow-up research on top of it, for instance not only to analyze existing payloads, but also to validate the correctness of ROP code when writing it. Compared to the state of the art for ROP code analysis in the literature, the ideas presented in this thesis reduce the burden on forensic analysis and reverse engineering actors, as they are no longer required to reproduce the activation context of the ROP payload, a step that was necessary for taking a full memory dump for subsequent analysis. Parts of this thesis appeared in the “Static analysis of ROP code†paper published within the 12th European Workshop on Systems Security (EUROSEC 2019) earlier this year. The source code of ROPDissector and the datasets used for its evaluation are available to the community at the following address: https://github.com/season-lab/ropdissector
Link esterno al gruppo di ricerca: https://season-lab.github.io/
Valeria Suriano (Dipartimento di Informatica/Università degli studi di Bari Aldo Moro)
"Homomorphic encryption: biometric data protection in signature authentication system"
"Homomorphic encryption: biometric data protection in signature authentication system"Valeria Suriano (Dipartimento di Informatica/Università degli studi di Bari Aldo Moro)
"Homomorphic encryption: biometric data protection in signature authentication system"
(Relatore: Ing. Prof. Donato Impedovo).
In recent years the biometric systems used for authentication and identification of people are witnessing a growing popularity thanks to the unique and indissoluble link between any individual and his biometric features, representing a reliable tool. However, given the high sensitivity of the biometric data processed, any loss of the same would seriously compromise the privacy of the subjects involved. Biometric templates should thus be protected, storing irreversibly transformed or encrypted biometric signals, while preserving the unprotected system’s performance. The recent advances in the field of cryptography has allowed to produce a technology, the homomorphic cryptography, which can be used to encrypt the data so that the storage can be outsourced to an untrusted cloud and the computation can be performed on the data in a significant way in encrypted form, without access to the decryption keys. In this work is presented a biometric template protection scheme, in particular signature verification system, based on Full Homomorphic Encryption (FHE), where only encrypted data is stored or exchanged, in order to achieve more secure and privacy-preserving system.
"Homomorphic encryption: biometric data protection in signature authentication system"(Relatore: Ing. Prof. Donato Impedovo).
In recent years the biometric systems used for authentication and identification of people are witnessing a growing popularity thanks to the unique and indissoluble link between any individual and his biometric features, representing a reliable tool. However, given the high sensitivity of the biometric data processed, any loss of the same would seriously compromise the privacy of the subjects involved. Biometric templates should thus be protected, storing irreversibly transformed or encrypted biometric signals, while preserving the unprotected system’s performance. The recent advances in the field of cryptography has allowed to produce a technology, the homomorphic cryptography, which can be used to encrypt the data so that the storage can be outsourced to an untrusted cloud and the computation can be performed on the data in a significant way in encrypted form, without access to the decryption keys. In this work is presented a biometric template protection scheme, in particular signature verification system, based on Full Homomorphic Encryption (FHE), where only encrypted data is stored or exchanged, in order to achieve more secure and privacy-preserving system.
Carlotta Tagliaro (Department of Information Engineering and Computer Science - Università degli Studi di Trento)
"Security and Performance tradeoffs in the Internet of Things"
Link esterno al gruppo di ricerca: https://st.fbk.eu/
"Security and Performance tradeoffs in the Internet of Things"Link esterno al gruppo di ricerca: https://st.fbk.eu/
Carlotta Tagliaro (Department of Information Engineering and Computer Science - Università degli Studi di Trento)
"Security and Performance tradeoffs in the Internet of Things"
(Relatore: Prof. Silvio Ranise).
The use of Internet-connected devices is pervasive: according to Gartner, their number is estimated to reach 25 billion by 2021, from smart home assistants to industry- and military-oriented applications. Despite its widespread adoption, the well-known importance of securing the Internet of Things (IoT) devices and their machine-to-machine communication, and the many available guidelines and best practices, security is still not a primary concern in current IoT solutions. In my preliminary investigation over MQTT, one of the most widely used IoT messaging protocols, I was able to confirm the alarming trend highlighted by past and current literature: most of the deployments do not support the Transport Layer Security (TLS) protocol or implement inadequate security measures, typically due to strict delivery schedule or resource-constrained scenarios. A similar lack of awareness is present in CoAP, a UDP-based IoT messaging protocol developed for resource-constrained devices that supports the use of Datagram TLS (DTLS) to secure message exchanges. To address this problem I analyzed the main security threats to MQTT and CoAP, and the security properties of TLS and DTLS. Considering the widespread adoption of MQTT, I deployed and assessed an MQTT-based use case from the security and performance perspective: four different configurations with different levels of security (default configuration, password-based authentication, use of TLS with certificate-based authentication, and TLS-PSK) have been tested with two automated analysis tools: MQTT Security Assistant (MQTTSA) and TLS Assistant. The report of both tools have been used to investigate suggested vulnerabilities and advise adequate mitigations in the configuration of Mosquitto, the most widely adopted MQTT open-source broker. Since no support was found for TLS-PSK analysis, I created a Python script to perform brute-force attacks on PSK-based scenarios. A part of the thesis investigates the performance tradeoffs when supporting TLS in MQTT: this is fundamental to avoid data tampering and information disclosure even when adopting resource-constrained devices. The analysis focused on registering the overhead of different cipher-suites when devices connect and exchange messages. To foster the adoption of the most adequate security measures in Mosquitto, I developed web-based interface to assist developers in configuring the authentication and authorization mechanisms, together with the use of TLS and on-the-fly certificate generation based on Let’s Encrypt. Based on the configuration created by the user, the interface reports the overall level of security, security warnings and common vulnerabilities.
Link esterno al gruppo di ricerca: https://st.fbk.eu/
"Security and Performance tradeoffs in the Internet of Things"(Relatore: Prof. Silvio Ranise).
The use of Internet-connected devices is pervasive: according to Gartner, their number is estimated to reach 25 billion by 2021, from smart home assistants to industry- and military-oriented applications. Despite its widespread adoption, the well-known importance of securing the Internet of Things (IoT) devices and their machine-to-machine communication, and the many available guidelines and best practices, security is still not a primary concern in current IoT solutions. In my preliminary investigation over MQTT, one of the most widely used IoT messaging protocols, I was able to confirm the alarming trend highlighted by past and current literature: most of the deployments do not support the Transport Layer Security (TLS) protocol or implement inadequate security measures, typically due to strict delivery schedule or resource-constrained scenarios. A similar lack of awareness is present in CoAP, a UDP-based IoT messaging protocol developed for resource-constrained devices that supports the use of Datagram TLS (DTLS) to secure message exchanges. To address this problem I analyzed the main security threats to MQTT and CoAP, and the security properties of TLS and DTLS. Considering the widespread adoption of MQTT, I deployed and assessed an MQTT-based use case from the security and performance perspective: four different configurations with different levels of security (default configuration, password-based authentication, use of TLS with certificate-based authentication, and TLS-PSK) have been tested with two automated analysis tools: MQTT Security Assistant (MQTTSA) and TLS Assistant. The report of both tools have been used to investigate suggested vulnerabilities and advise adequate mitigations in the configuration of Mosquitto, the most widely adopted MQTT open-source broker. Since no support was found for TLS-PSK analysis, I created a Python script to perform brute-force attacks on PSK-based scenarios. A part of the thesis investigates the performance tradeoffs when supporting TLS in MQTT: this is fundamental to avoid data tampering and information disclosure even when adopting resource-constrained devices. The analysis focused on registering the overhead of different cipher-suites when devices connect and exchange messages. To foster the adoption of the most adequate security measures in Mosquitto, I developed web-based interface to assist developers in configuring the authentication and authorization mechanisms, together with the use of TLS and on-the-fly certificate generation based on Let’s Encrypt. Based on the configuration created by the user, the interface reports the overall level of security, security warnings and common vulnerabilities.
Link esterno al gruppo di ricerca: https://st.fbk.eu/
Federico Turrin (Dipartimento di Ingegneria dell'Informazione - Università degli Studi di Padova)
"Novel Methods for Cyber-Physical Security Analysis on Operational Technology Systems"
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
"Novel Methods for Cyber-Physical Security Analysis on Operational Technology Systems"Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
Federico Turrin (Dipartimento di Ingegneria dell'Informazione - Università degli Studi di Padova)
"Novel Methods for Cyber-Physical Security Analysis on Operational Technology Systems"
(Relatore: Prof. Mauro Conti).
The recent evolution of smart automation favored a wild interconnection of the industrial systems, opening dangerous surfaces of vulnerabilities. In this Industry 4.0 scenario, due to the insecure interactions between Information Technology (IT) and Operational Technology (OT) networks, cyber-physical threats could lead to destructive consequences for environments and population safety. To deal with industrial cyber-physical security, modern anomaly detection systems implement innovative Machine Learning techniques. Unfortunately, current solutions still fail to provide an effective prevention to complex industrial threats. In this work, we present an Intrusion Detection System framework based on Machine Learning. To the best of our knowledge, our work is the first solution that looks independently at IT and OT traffic, but also from sensors deployed to capture side-channel physical processes data (e.g., vibrations, background noise). Thanks to this feature, our system can detect attacks that other systems would ignore. We summarize our contributions as follows: * we perform an analysis of supervised and unsupervised Machine Learning based algorithms for anomaly detection and we discuss how Machine Learning based techniques can represent an added value for the detection of threats affecting Industrial Control Systems; * we present an Intrusion Detection architecture based on unsupervised Machine Learning techniques capable of analyzing simultaneously traffic from IT/OT networks and physical side-channel data coming from the plant devices; * we test and evaluate our framework under different attacks in a simulated scenario. The aim of our security framework is to analyze the system status in multiple points combining the information of the various modules to detect immediately potential anomalies. Our framework exploits Variational Autoencoders, an unsupervised neural network model, to monitor the status of both network traffic and physical devices in multiple network points. Relying on the analysis of the individual modules and from their joint information, our detection system is able to detect possible anomalies of the Industrial Control System. We evaluate the detection capabilities and performances of our detection methodology in a proof of concept simulated industrial scenario under cyber-physical attacks. Due to the lack of public testbed, we implemented a scaled-down Industrial Control System scenario with the help of Mininet, a network simulation tool. The tests show that our framework is able to correctly identify most of the attacks we implemented. Furthermore, the framework is able to exploit the correlation of the anomaly to discover complex attack. The main contribution of this work is to introduce a detection methodology that can be used by the community to improve the level of security of CPSs. Our framework can be used, for example, in combination with other detection tools, such as signature-based, in order to increase the detection capabilities spectrum and detect complex attacks. The development of an accurate detection system for Industrial Control Systems can prevent possible attacks or system malfunctions. Indeed, due to the critical nature of these infrastructures, early detection can prevent catastrophic consequences both on the country and the population. In general, ensuring the security of Cyber-Physical Systems is a priority both for the companies directly involved and for the intelligence agencies that monitor the security of a country. Furthermore, from the companies' point of view, anomaly detection is considered an economical alternative to replacing legacy devices. For this reason, I believe that my project could find wide commercially applications.
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
"Novel Methods for Cyber-Physical Security Analysis on Operational Technology Systems"(Relatore: Prof. Mauro Conti).
The recent evolution of smart automation favored a wild interconnection of the industrial systems, opening dangerous surfaces of vulnerabilities. In this Industry 4.0 scenario, due to the insecure interactions between Information Technology (IT) and Operational Technology (OT) networks, cyber-physical threats could lead to destructive consequences for environments and population safety. To deal with industrial cyber-physical security, modern anomaly detection systems implement innovative Machine Learning techniques. Unfortunately, current solutions still fail to provide an effective prevention to complex industrial threats. In this work, we present an Intrusion Detection System framework based on Machine Learning. To the best of our knowledge, our work is the first solution that looks independently at IT and OT traffic, but also from sensors deployed to capture side-channel physical processes data (e.g., vibrations, background noise). Thanks to this feature, our system can detect attacks that other systems would ignore. We summarize our contributions as follows: * we perform an analysis of supervised and unsupervised Machine Learning based algorithms for anomaly detection and we discuss how Machine Learning based techniques can represent an added value for the detection of threats affecting Industrial Control Systems; * we present an Intrusion Detection architecture based on unsupervised Machine Learning techniques capable of analyzing simultaneously traffic from IT/OT networks and physical side-channel data coming from the plant devices; * we test and evaluate our framework under different attacks in a simulated scenario. The aim of our security framework is to analyze the system status in multiple points combining the information of the various modules to detect immediately potential anomalies. Our framework exploits Variational Autoencoders, an unsupervised neural network model, to monitor the status of both network traffic and physical devices in multiple network points. Relying on the analysis of the individual modules and from their joint information, our detection system is able to detect possible anomalies of the Industrial Control System. We evaluate the detection capabilities and performances of our detection methodology in a proof of concept simulated industrial scenario under cyber-physical attacks. Due to the lack of public testbed, we implemented a scaled-down Industrial Control System scenario with the help of Mininet, a network simulation tool. The tests show that our framework is able to correctly identify most of the attacks we implemented. Furthermore, the framework is able to exploit the correlation of the anomaly to discover complex attack. The main contribution of this work is to introduce a detection methodology that can be used by the community to improve the level of security of CPSs. Our framework can be used, for example, in combination with other detection tools, such as signature-based, in order to increase the detection capabilities spectrum and detect complex attacks. The development of an accurate detection system for Industrial Control Systems can prevent possible attacks or system malfunctions. Indeed, due to the critical nature of these infrastructures, early detection can prevent catastrophic consequences both on the country and the population. In general, ensuring the security of Cyber-Physical Systems is a priority both for the companies directly involved and for the intelligence agencies that monitor the security of a country. Furthermore, from the companies' point of view, anomaly detection is considered an economical alternative to replacing legacy devices. For this reason, I believe that my project could find wide commercially applications.
Link esterno al gruppo di ricerca: https://spritz.math.unipd.it/
Alessandro Visintin (Dipartimento di Matematica - Università di Padova)
"SAFE^d: Self-Attestation For Networks of Heterogeneous Embedded Devices"
"SAFE^d: Self-Attestation For Networks of Heterogeneous Embedded Devices"Alessandro Visintin (Dipartimento di Matematica - Università di Padova)
"SAFE^d: Self-Attestation For Networks of Heterogeneous Embedded Devices"
(Relatore: Prof. Mauro Conti).
In the last decade, we have been witnessing the rise of a new way of computing and collecting data, defined as the Internet of Things (IoT).\r\nIoT refers to a set of new technologies that allow building sophisticated applications by using groups of small devices.\r\nThe strength of this approach resides in the adaptability of the network itself, whose applications can range from industrial control systems to small home-appliances.\r\nHowever, as usual, not all that glitters is gold: while IoT networks are opening the door to a variety of new applications, IoT devices are often constrained systems without a proper security design and are called to handle sensitive information and safety-critical tasks. \r\nThe lack of strong security defenses can lead to disastrous results, as witnessed with the Mirai botnet case.\r\nThis malware managed to infect a large number of embedded devices and took the Internet down in late 2016 by performing a huge distributed denial-of-service attack. \r\nClassic defense mechanisms cannot be easily applied to IoT devices due to the high architecture complexity required.\r\nTherefore, researchers and industries are investigating suitable solutions specifically designed for such constrained environment.\r\nTo enhance the security properties of IoT networks, Remote attestation (RA) techniques have been proposed.\r\nClassic RA approaches require a trusted entity (Verifier) that (verifies) a remote one (Prover). \r\nThe Verifier sends a challenge to the Prover and receives a measure of its status as a report. \r\nIt then compares the measurement with a database of proofs previously saved to check the correctness of the Prover\'s status. \r\nThis approach, often defined as single-verifier RA, is well-established but it needs to be extended and adapted to address the novel challenges proposed by IoT networks (heterogeneity, scalability, dynamicity).\r\nThis thesis presents SAFE^d: the first self-attestation for networks of heterogeneous embedded devices.\r\nSAFE^d introduces a completely new approach that enables a swarm of IoT devices to validate itself without the need for a central and powerful entity, usually called Verifier.\r\nThe solution extends the concept of Distributed Hash Tables (DHT). In particular, this proof-of-concept opted for Chord as groundwork.\r\nThe thesis revolves around the idea of a device randomly taking on both the roles of Verifier and Prover inside the network. \r\nWhen a Verifier challenges a Prover, the devices belonging to the DHT collaborate to retrieve the original proof and validate the attestation report.\r\nTo introduce resiliency, the same network maintains parallel DHTs (called overlays) through which the same proofs are replicated in different devices.\r\nSAFE^d introduces the possibility of handling networks of heterogeneous devices that mount different applications with different types of\r\nThe results show that SAFE^d can handle up to 50 devices with a logarithmic overhead for the network and the single device.\r\nThey also show the resilient ability of SAFE^d to recover up to 99.7% of lost proofs.\r\nSAFE^d proposes a new and fundamental perspective on the problem.\r\nThe hope is that this work will help developing stronger networks of IoT devices and secure DHTs, preparing the path for more autonomous systems.
"SAFE^d: Self-Attestation For Networks of Heterogeneous Embedded Devices"(Relatore: Prof. Mauro Conti).
In the last decade, we have been witnessing the rise of a new way of computing and collecting data, defined as the Internet of Things (IoT).\r\nIoT refers to a set of new technologies that allow building sophisticated applications by using groups of small devices.\r\nThe strength of this approach resides in the adaptability of the network itself, whose applications can range from industrial control systems to small home-appliances.\r\nHowever, as usual, not all that glitters is gold: while IoT networks are opening the door to a variety of new applications, IoT devices are often constrained systems without a proper security design and are called to handle sensitive information and safety-critical tasks. \r\nThe lack of strong security defenses can lead to disastrous results, as witnessed with the Mirai botnet case.\r\nThis malware managed to infect a large number of embedded devices and took the Internet down in late 2016 by performing a huge distributed denial-of-service attack. \r\nClassic defense mechanisms cannot be easily applied to IoT devices due to the high architecture complexity required.\r\nTherefore, researchers and industries are investigating suitable solutions specifically designed for such constrained environment.\r\nTo enhance the security properties of IoT networks, Remote attestation (RA) techniques have been proposed.\r\nClassic RA approaches require a trusted entity (Verifier) that (verifies) a remote one (Prover). \r\nThe Verifier sends a challenge to the Prover and receives a measure of its status as a report. \r\nIt then compares the measurement with a database of proofs previously saved to check the correctness of the Prover\'s status. \r\nThis approach, often defined as single-verifier RA, is well-established but it needs to be extended and adapted to address the novel challenges proposed by IoT networks (heterogeneity, scalability, dynamicity).\r\nThis thesis presents SAFE^d: the first self-attestation for networks of heterogeneous embedded devices.\r\nSAFE^d introduces a completely new approach that enables a swarm of IoT devices to validate itself without the need for a central and powerful entity, usually called Verifier.\r\nThe solution extends the concept of Distributed Hash Tables (DHT). In particular, this proof-of-concept opted for Chord as groundwork.\r\nThe thesis revolves around the idea of a device randomly taking on both the roles of Verifier and Prover inside the network. \r\nWhen a Verifier challenges a Prover, the devices belonging to the DHT collaborate to retrieve the original proof and validate the attestation report.\r\nTo introduce resiliency, the same network maintains parallel DHTs (called overlays) through which the same proofs are replicated in different devices.\r\nSAFE^d introduces the possibility of handling networks of heterogeneous devices that mount different applications with different types of\r\nThe results show that SAFE^d can handle up to 50 devices with a logarithmic overhead for the network and the single device.\r\nThey also show the resilient ability of SAFE^d to recover up to 99.7% of lost proofs.\r\nSAFE^d proposes a new and fundamental perspective on the problem.\r\nThe hope is that this work will help developing stronger networks of IoT devices and secure DHTs, preparing the path for more autonomous systems.
BACHECA TESI EDIZIONI PASSATE
Edizione 2022Edizione 2022
Edizione 2021
Edizione 2020
Edizione 2019
Edizione 2018
Edizione 2017
Edizione 2016
Edizione 2015
Edizione 2014
Edizione 2013
Edizione 2012
Edizione 2011
Edizione 2010
Edizione 2009
Edizione 2008
Edizione 2007
