Proposals

User-defined Privacy in Android

Advisor: Alessio Merlo

Co-Advisors: Davide Caputo, Francesco Pagano

Type: Research

Topic(s): Mobile Security, Mobile Privacy, App Virtualization

Validity: March 2022 - October 2022

General description:
User privacy on mobile is assuming an increasingly relevant role. At the state of the art, few solutions try to anonymize the user's sensitive information that uses the app. We developed the HideDroid methodology, which is the first solution that tries to deal with this problem. This thesis will focus on the usage of virtualization techniques to overcome the limitations of the current HideDroid implementation.

Objective(s):

  • Developing an app that uses virtualization techniques to improve HideDroid performances

  • Implementation of more anonymization algorithms (e.g., CAHD) to extend the compatibility with more data structure

Activity Schedule:

  • M1: Context investigation & Requirements definition

  • M2 - M3: Design and development of the solution

  • M4 - M5: Testing setup and empirical evaluation (M5)

  • M5 - M6: Thesis Writing

Prerequisites:

  • Basic knowledge of mobile security

  • Medium knowledge of Android applications structure

  • Basic knowledge of Data privacy

Pre-thesis evaluation:

  • Informal interview at DIBRIS

  • Verification of prerequisites

Links and Documents:

Anti-repackaging for IoT firmware

Advisor: Alessio Merlo

Co-Advisors: Luca Verderame, Antonio Ruggia

Type: Research

Topic(s): IoT Security, Anti-tampering

Validity: March 2022 - October 2022

General description:
The firmware delivery and update processes play a central role in ensuring firmware integrity. Unfortunately, most of the existing solutions lack proper integrity verification, leaving firmware exposed to repackaging attacks. This thesis will focus on the design self-protecting scheme for IoT that allows the injection of integrity checks, called anti-tampering (AT) controls, directly into the firmware.

Objective(s):

  • Definition of an enhanced self-protection scheme for IoT firmware

  • Development of a new prototype for applying the scheme to multiple IoT distribution processes and environments

  • Extensive test (functional, security, and performance) in a real environment

Activity Schedule:

  • M1: Context investigation & Requirements definition

  • M2 - M3: Design and development of the solution

  • M4 - M5: Testing setup and empirical evaluation

  • M5 - M6: Thesis Writing

Prerequisites:

  • Basic knowledge of cyber-security

  • Knowledge of C/C++ programming language

  • Knowledge of scripting languages (e.g., python)

  • Familiarity with reverse engineering and IoT technologies will be considered an advantage

Pre-thesis evaluation:

  • Informal interview at DIBRIS

  • Verification of prerequisites

Links and Documents:

Security Analysis of the Fuchsia Ecosystem

Advisor: Alessio Merlo

Co-Advisors: Luca Verderame, Francesco Pagano

Type: Research

Topic(s): Mobile Security, OS Security, Software Testing

Validity: March 2022 - October 2022

General description:
Fuchsia OS is a new operating system developed by Google to support a wide range of devices, from IoT devices to fully-fledged PC. In fact, the main purpose of the Fuchsia OS is to simplify the development of apps on different kinds of devices by supporting multiple application environments. However, the use of heterogeneous technologies makes their security analysis more difficult than in other environments.

Objective(s):

  • Design of a methodology to automate the security analysis of Fuchsia apps

  • Development of a PoC of the methodology

  • Testing in a real Fuchsia ecosystem

  • Analysis of the results

Activity Schedule:

  • M1: Context investigation & Requirements definition

  • M2 - M3: Design and development of the solution

  • M4 - M5: Testing setup and empirical evaluation (M5)

  • M5 - M6: Thesis Writing

Prerequisites:

  • Basic knowledge of cyber-security

  • Familiarity with security analysis of mobile apps (static and dynamic analysis), like Android apps, will be considered an advantage

  • Medium knowledge of C/C++, Rust, Python programming languages

  • Basic Knowledge of Android app development would help

Pre-thesis evaluation:

  • Informal interview at DIBRIS

  • Verification of prerequisites

Links and Documents:

In collaboration with

Automatic Dynamic Analysis of iOS Apps

Advisor: Alessio Merlo

Co-Advisors: Davide Caputo, Luca Verderame, Andrea Romdhana

Type: Standard

Topic(s): Mobile Security, Mobile Testing

Validity: March 2022 - October 2022

General description:
From the point of view of security, mobile apps can be analyzed statically and dynamically. In the second case, the apps are installed in a test environment, and their behavior is monitored at runtime. However, this procedure often requires the app to be stimulated manually. This thesis aims to develop an automated tool capable of interacting and stimulating an iOS app in a completely automatic way.

Objective(s):

  • Design of a methodology to automate the interaction with the iOS apps and the iOS simulator

  • Development of a PoC of the methodology

  • Testing on several iOS apps

  • Analysis of the results

Activity Schedule:

  • M1: Context investigation & Requirements definition

  • M2 - M3: Design and development of the solution

  • M4 - M5: Testing setup and empirical evaluation (M5)

  • M5 - M6: Thesis Writing

Prerequisites:

  • Basic knowledge of cyber-security

  • Medium knowledge of Python programming languages

  • Basic Knowledge of Android app or iOS app development would help

Pre-thesis evaluation:

  • Informal interview at DIBRIS

  • Verification of prerequisites

Links and Documents:

Enhanced Automatic Dynamic Analysis of Android Apps

Advisor: Alessio Merlo

Co-Advisors: Davide Caputo, Luca Verderame, Andrea Romdhana

Type: Standard

Topic(s): Mobile Security, Mobile Testing

Validity: March 2022 - October 2022

General description:
From a security perspective, mobile apps can be analyzed statically and dynamically. In the second case, the apps are installed in a test environment, and their behavior is monitored at runtime. However, currently available tools are limited to testing only the public surface. The thesis aim is to develop a tool capable of recognizing the registration/login screens and overcoming them by performing the actions required by the app.

Objective(s):

  • Design of a methodology able to recognize the login or registration screen, and that it is able to perform the action required

  • Development of a PoC of the methodology

  • Testing on several Android apps

  • Analysis of the results

Activity Schedule:

  • M1: Context investigation & Requirements definition

  • M2 - M3: Design and development of the solution

  • M4 - M5: Testing setup and empirical evaluation (M5)

  • M5 - M6: Thesis Writing

Prerequisites:

  • Basic knowledge of cyber-security

  • Medium knowledge of Python programming languages

  • Basic Knowledge of Android app development would help

Pre-thesis evaluation:

  • Informal interview at DIBRIS

  • Verification of prerequisites

Links and Documents:

Enhanced Automatic Dynamic Analysis of Android Apps

Advisor: Alessio Merlo

Co-Advisors: Davide Caputo, Luca Verderame, Andrea Romdhana

Type: Standard

Topic(s): Mobile Security, Mobile Testing

Validity: March 2022 - October 2022

General description:
From a security perspective, mobile apps can be analyzed statically and dynamically. In the second case, the apps are installed in a test environment, and their behavior is monitored at runtime. However, currently available tools are limited to testing only the public surface. The thesis aim is to develop a tool capable of recognizing the registration/login screens and overcoming them by performing the actions required by the app.

Objective(s):

  • Design of a methodology able to recognize the login or registration screen, and that it is able to perform the action required

  • Development of a PoC of the methodology

  • Testing on several Android apps

  • Analysis of the results

Activity Schedule:

  • M1: Context investigation & Requirements definition

  • M2 - M3: Design and development of the solution

  • M4 - M5: Testing setup and empirical evaluation (M5)

  • M5 - M6: Thesis Writing

Prerequisites:

  • Basic knowledge of cyber-security

  • Medium knowledge of Python programming languages

  • Basic Knowledge of Android app development would help

Pre-thesis evaluation:

  • Informal interview at DIBRIS

  • Verification of prerequisites

Links and Documents:

In collaboration with

Toward the European Digital Identity Wallet

Advisors: Silvio Ranise <ranise@fbk.eu>, Giada Sciarretta <giada.sciarretta@fbk.eu>

Co-Advisors: Alessandro Tomasi <altomasi@fbk.eu>

Type: Research

Topic(s): Identity Management, Mobile Security

Validity: From November 2021

General description:
To ensure better privacy, interoperability, and data exchange, identity management solutions are moving from a centralized ecosystem (e.g. SAML 2.0 and OpenID Connect) to a decentralized one in which the user manages the exchange of their own data. In the context of a collaboration with Istituto Poligrafico Zecca dello Stato (IPZS), we are interested in exploring the feasibility of Self Sovereign Identity (SSI) systems that let users generate on demand identities containing strictly necessary information, by aggregating validated identity attributes from different attribute authorities via the use of Verifiable Credentials stored in a mobile eWallet (as suggested by the revised eIDAS regulation).

Objective(s):

  • Design and implementation of an e-Wallet solution in Android to store and exchange Verifiable Credentials.

  • Study on the link between a personal DID with a national electronic id (e.g., CIE or SPID).

Activity Schedule:

  • M1: Context investigation & Requirements definition

  • M2 - M3: Design and development of the solution

  • M4 - M5: Testing setup and evaluation

  • M5 - M6: Thesis Writing

Prerequisites:

  • Experience of Android development

  • Basic knowledge of cyber-security

Pre-thesis evaluation:

  • Informal interview (DIBRIS-FBK)

  • Verification of prerequisites

Links and Documents:

Dematerialized Identity

Advisors: Silvio Ranise <ranise@fbk.eu>, Giada Sciarretta <giada.sciarretta@fbk.eu>

Co-Advisors: Tahir Ahmad <ahmad@fbk.eu>

Type: Research

Topic(s): Identity Management, Mobile Security

Validity: From November 2021

General description:
Technology has already transformed the world of border security and efficient processing of passengers, for example through electronic Machine Readable Travel Documents (eMRTD), automated eGates, and use of biometrics. However, a newer generation of secure and efficient solutions are just beginning with the development of the Digital Travel Credential (DTC). In the context of a collaboration with Istituto Poligrafico Zecca dello Stato (IPZS), we are interested in the design and implementation of an Android application to store and show DTCs. This topic can also involve two students, the final goal (develop a prototype mobile app for storing/showing dematerialized documents) will be in common, while the type of document will be different (e.g., DTC and mobile Driving Licence - mDL).

Objective(s):

  • Study and design solutions based on DTC/mDL

  • Develop a prototype mobile app for storing/showing the DTC/mDL

Activity Schedule:

  • M1: Context investigation & Requirements definition

  • M2 - M3: Design and development of the solution

  • M4 - M5: Testing setup and evaluation

  • M5 - M6: Thesis Writing

Prerequisites:

  • Experience of Android development

  • Basic knowledge of cyber-security

Pre-thesis evaluation:

  • Informal interview (DIBRIS-FBK)

  • Verification of prerequisites

Links and Documents:

Trusted Execution Environments for Advanced Data Protection

Advisors: Silvio Ranise <ranise@fbk.eu>, Roberto Carbone <carbone@fbk.eu>

Co-Advisors: Stefano Berlato <sberlato@fbk.eu>

Type: Research

Topic(s): Access Control, Cryptography, Cloud

Validity: From October 2021

General description:
Cryptographic Access Control (CAC) is often employed to protect the confidentiality of Cloud-hosted sensitive data from curious Cloud providers while also enforcing access control policies. Unfortunately, CAC usually incurs significant computational overheads that limit its applicability in real-world scenarios [1]. The main goal of this thesis is to investigate how Trusted Execution Environments (TEEs) such as Intel SGX [2] can synergize with CAC to relieve these computational overheads and efficiently guarantee advanced data protection.

Objective(s):

  • Familiarization and study of the state of the art in the use of TEEs for advanced data protection.

  • Evaluation of available techniques and design of a solution joining CAC with TEEs to reduce the cryptographic computational overhead.

  • Implementation of the proposed approach in a tool (https://github.com/stfbk/CryptoAC) developed and actively maintained by the Security&Trust unit in FBK [3].

Activity Schedule:

  • M1: Context investigation & Requirements definition

  • M2 - M3: Design and development of the solution

  • M4 - M5: Testing setup and evaluation

  • M5 - M6: Thesis Writing

Prerequisites:

  • Basic knowledge of IT security

  • Basic knowledge of cryptography from cryptography-related courses

  • Basic knowledge of object-oriented programming languages (i.e., Kotlin)

Pre-thesis evaluation:

  • Informal interview (DIBRIS-FBK)

  • Verification of prerequisites

Links and Documents:

    • [1] W. C. Garrison, A. Shull, S. Myers and A. J. Lee, "On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud," 2016 IEEE Symposium on Security and Privacy (SP), 2016, pp. 819-838, doi: 10.1109/SP.2016.54.

    • [2] https://software.intel.com/content/www/us/en/develop/topics/software-guard-extensions.html

    • [3] Stefano Berlato, Roberto Carbone, Silvio Ranise. Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment In 18th International Conference on Security and Cryptography (SECRYPT 2021).

Attribute-based Encryption for

Advanced Data Protection in IoT with MQTT

Advisors: Silvio Ranise <ranise@fbk.eu>, Roberto Carbone <carbone@fbk.eu>

Co-Advisors: Stefano Berlato <sberlato@fbk.eu>

Type: Research

Topic(s): Access Control, Cryptography, Cloud

Validity: From October 2021

General description:
While yielding many benefits, emerging paradigms such as the Edge and the Internet-of-Things (IoT) threaten the confidentiality of users' sensitive data. In such a complex and dynamic scenario, fine-grained Access Control (AC) policies are necessary to control data sharing. However, traditional approaches to AC leave data unencrypted and at the mercy of curious service providers. The main goal of this thesis is to investigate how Attribute-based Encryption (ABE) can guarantee advanced data protection from all unauthorized entities while enforcing fine-grained Attribute-based AC (ABAC) policies in IoT scenarios using the MQTT protocol.

Objective(s):

  • Familiarization and study of the state of the art in the use of ABE for advanced data protection in IoT scenarios with MQTT.

  • Evaluation of available techniques and design of a solution for cryptographic enforcement of ABAC policies in IoT scenarios with MQTT.

  • Implementation of the proposed approach in a tool (https://github.com/stfbk/CryptoAC) developed and actively maintained by the Security&Trust unit in FBK [1].

Activity Schedule:

  • M1: Context investigation & Requirements definition

  • M2 - M3: Design and development of the solution

  • M4 - M5: Testing setup and evaluation

  • M5 - M6: Thesis Writing

Prerequisites:

  • Basic knowledge of IT security

  • Basic knowledge of cryptography from cryptography-related courses

  • Basic knowledge of object-oriented programming languages (i.e., Kotlin)

Pre-thesis evaluation:

  • Informal interview (DIBRIS-FBK)

  • Verification of prerequisites

Links and Documents:

    • [1] Stefano Berlato, Roberto Carbone, Silvio Ranise. Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment In 18th International Conference on Security and Cryptography (SECRYPT 2021).

Blockchain Meets Cryptographic Access Control for Advanced Data Protection

Advisors: Silvio Ranise <ranise@fbk.eu>, Roberto Carbone <carbone@fbk.eu>

Co-Advisors: Stefano Berlato <sberlato@fbk.eu>

Type: Research

Topic(s): Access Control, Cryptography, Blockchain

Validity: From October 2021

General description:
Given the limited trust and the distributed nature of IoT and Edge scenarios, the Blockchain may be the solution to guarantee integrity and confidentiality of sensitive data at the cost of addressing scalable performance and consensus protocols. The main goal of this thesis is to investigate how Blockchain technologies such as Hyperledger [1] can synergize with cryptographic access control to efficiently guarantee advanced data protection.

Objective(s):

  • Familiarization and study of the state of the art in the use of the Blockchain for advanced data protection.

  • Evaluation of available techniques and design of a solution joining CAC with the Blockchain for high-assurance of data integrity and confidentiality.

  • Implementation of the proposed approach in a tool (https://github.com/stfbk/CryptoAC) developed and actively maintained by the Security&Trust unit in FBK [2].

Activity Schedule:

  • M1: Context investigation & Requirements definition

  • M2 - M3: Design and development of the solution

  • M4 - M5: Testing setup and evaluation

  • M5 - M6: Thesis Writing

Prerequisites:

  • Basic knowledge of IT security

  • Basic knowledge of cryptography from cryptography-related courses

  • Basic knowledge of object-oriented programming languages (i.e., Kotlin)

Pre-thesis evaluation:

  • Informal interview (DIBRIS-FBK)

  • Verification of prerequisites

Links and Documents:

    • [1] https://www.hyperledger.org/

    • [2] Stefano Berlato, Roberto Carbone, Silvio Ranise. Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment In 18th International Conference on Security and Cryptography (SECRYPT 2021).