
    Riccardo Focardi. MUDE 2016

    No full text
    Riccardo Focardi, professor of Computer Science at Università Ca' Foscari, during his talk

    Network security. Talk by Riccardo Focardi

    No full text
    First talk of the conference "Un mercato unico digitale per l’Europa", given by Riccardo Focardi, on the protection of systems and networks, with references to the security of cryptographic devices and hardware, aimed in particular at banking transactions and businesses

    Video of the talk "Network security" by Riccardo Focardi

    No full text
    Video of the first talk at the conference "Un mercato unico digitale per l’Europa", given by Riccardo Focardi, on the protection of systems and networks, with references to the security of cryptographic devices and hardware, aimed in particular at banking transactions and businesses

    Classification of Security Properties (Part II: Network Security)

    No full text
    Many security properties of cryptographic protocols can all be formalized as specific instances of a general scheme, called Generalized Non Deducibility on Composition (GNDC). This scheme derives from the NDC property we proposed a few years ago for studying information flow in computer systems. The theory is formulated for CryptoSPA, a process algebra we introduced for the specification of cryptographic protocols. One of the advantages of our unifying GNDC-based theory is that formal comparison among security properties becomes easier, as they are all instances of a unique general property. Moreover, the full generality of the approach has helped us in finding a few undocumented attacks on cryptographic protocols. This paper is based on the results of [20,22–25] and covers the second part of the course “Classification of Security Properties” given by Roberto Gorrieri and Riccardo Focardi at the FOSAD’00 and FOSAD’01 schools

    Security Analysis of the OWASP Benchmark with Julia

    Full text link
    Among the various facets of cybersecurity, software security plays a crucial role. This requires the assessment of the security of programs and web applications exposed to the external world and consequently potential targets of attacks like SQL-injections, cross-site scripting, boundary violations, and command injections. The OWASP Benchmark Project developed a Java benchmark that contains thousands of test programs, featuring such security breaches. Its goal is to measure the ability of an analysis tool to identify vulnerabilities and its precision. We present how the Julia static analyzer, a sound tool based on abstract interpretation, performs on this benchmark in terms of soundness and precision. We discuss the details of its security analysis over a taint analysis of data, implemented through binary decision diagrams

    A Classification of Security Properties (Extended Abstract)

    No full text
    Riccardo Focardi, Roberto Gorrieri. Technical Report UBLCS-93-21, October 1993. Laboratory for Computer Science, University of Bologna, Piazza di Porta S. Donato, 5, 40127 Bologna (Italy). The University of Bologna Laboratory for Computer Science Research Technical Reports are available via anonymous FTP from the area ftp.cs.unibo.it:/pub/TR/UBLCS in compressed PostScript format. Abstracts are available from the same host in the directory /pub/TR/UBLCS/ABSTRACTS in plain text format. All local authors can be reached via e-mail at the address [email protected]. UBLCS Technical Report Series: 93-1 Consistent Global States of Distributed Systems: Fundamental Concepts and Mechanism, by O. Babaoğlu and K. Marzullo, January 1993. 93-2 Understanding Non-Blocking Atomic Commitment, by O. Babaoğlu and S. Toueg, January 1993. 93-3 Anchors and Paths in a Hypertext Publishing System, by C. Maioli and F. Vitali, February 1993. 93-4 A Formalization of Priority Inversion, by O. Babaoğlu, K. Marz..

    Principles of Security and Trust - 4th International Conference, POST 2015

    No full text
    This book constitutes the refereed proceedings of the 4th International Conference on Principles of Security and Trust, POST 2015, held as part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2015, in London, UK, in April 2015. The 17 regular papers presented in this volume were carefully reviewed and selected from 57 submissions. In addition, one invited talk is included. The papers have been organized in topical sections on information flow and security types, risk assessment and security policies, protocols, hardware and physical security and privacy and voting

    An Enhanced Dataflow Analysis to Automatically Tailor Side Channel Attack Countermeasures to Software Block Ciphers

    Full text link
    Protecting software implementations of block ciphers from side channel attacks is a significant concern to realize secure embedded computation platforms. The relevance of the issue calls for the automation of the side channel vulnerability assessment of a block cipher implementation, and the automated application of provably secure defenses. The most recent methodology in the field is an application of a specialized data-flow analysis, performed by means of the LLVM compiler framework, detecting in the AES cipher the portions of the code amenable to key extraction via side channel analysis. The contribution of this work is an enhancement to the existing data-flow analysis which extends it to tackle any block cipher implemented in software. In particular, the extended strategy takes fully into account the data dependencies present in the key schedule of a block cipher, regardless of its complexity, to obtain consistently sound results. This paper details the analysis strategy and presents new results on the tailored application of power and electro-magnetic emission analysis countermeasures, evaluating the performances on both the ARM Cortex-M and the MIPS ISA. The experimental evaluation reports a case study on two block ciphers: the first designed to achieve a high security margin at a non-negligible computational cost, and a lightweight one. The results show that, when side-channel-protected implementations are considered, the high-security block cipher is indeed more efficient than the lightweight one

    Tracking sensitive and untrustworthy data in IoT

    Full text link
    The Internet of Things (IoT) produces and processes large amounts of data. Among these data, some must be protected and others must be carefully handled because they come from untrusted sources. Taint analysis techniques can be used for marking data and for monitoring their propagation at run time, so as to determine how they influence the rest of the computation. Starting from the specification language IoT-LySa, we propose a Control Flow Analysis for statically predicting how tainted data spread across an IoT system and for checking whether those computations considered security critical are not affected by tainted data

    Detection of malicious scripting code through discriminant and adversary-aware API analysis

    Full text link
    JavaScript and ActionScript are powerful scripting languages that do not only allow the delivery of advanced multimedia contents, but that can be also used to exploit critical vulnerabilities of third-party applications. To detect both ActionScript- and JavaScript-based malware, we propose in this paper a machine-learning methodology that is based on extracting discriminant information from system API methods, attributes and classes. Our strategy exploits the similarities between the two scripting languages, and has been devised by also considering the possibility of targeted attacks that aim to deceive the employed classification algorithms. We tested our method on PDF and SWF data, respectively embedding JavaScript and ActionScript codes. Results show that the proposed strategy allows us to detect most of the tested malicious files, with low false positive rates. Finally, we show that the proposed methodology is also reasonably robust against evasive and targeted attacks