The Global Systems for Mobile communications (GSM) is the most widespread mobile communication technology existing nowadays. Despite being a mature technology, its introduction dates back to the late eighties, it suffers from several... more
The Global Systems for Mobile communications (GSM) is
the most widespread mobile communication technology existing nowadays. Despite being a mature technology, its introduction dates back to the late eighties, it suffers from several security vulnerabilities, which have been targeted by many attacks aimed to break the underlying communication protocol. Most of these attacks focuses on the A5/1 algorithm used to protect over-the-air communication between the two parties of a phone call. This algorithm has been superseded by new and more secure algorithms. However, it is still in use in the GSM networks as a fallback option, thus still putting at risk the security of the GSM based conversations. The objective of this work is to review some of the most relevant results in this field and discuss their practical feasibility. To this end, we consider not only the contributions coming from the canonical scientific literature but also those that have been proposed in a more informal context, such as during hacker conferences
the most widespread mobile communication technology existing nowadays. Despite being a mature technology, its introduction dates back to the late eighties, it suffers from several security vulnerabilities, which have been targeted by many attacks aimed to break the underlying communication protocol. Most of these attacks focuses on the A5/1 algorithm used to protect over-the-air communication between the two parties of a phone call. This algorithm has been superseded by new and more secure algorithms. However, it is still in use in the GSM networks as a fallback option, thus still putting at risk the security of the GSM based conversations. The objective of this work is to review some of the most relevant results in this field and discuss their practical feasibility. To this end, we consider not only the contributions coming from the canonical scientific literature but also those that have been proposed in a more informal context, such as during hacker conferences
Research Interests:
The Global Systems for Mobile communications (GSM) is actually the most widespread mobile communication technology existing nowadays. Despite being a mature technology, its introduction dates back to the late eighties, it suffers from... more
The Global Systems for Mobile communications (GSM) is actually the
most widespread mobile communication technology existing nowadays. Despite being a mature technology, its introduction dates back to the late eighties, it suffers from several security vulnerabilities, which have been targeted by many attacks aimed to break the underlying communication protocol. Most of these attacks focuses on the A5/1 algorithm used to protect over-the-air communication between the two parties of a phone call. This algorithm has been superseded by new and more secure algorithms.
However, it is still in use in the GSM networks as a fallback option, thus still putting at risk the security of the GSM based conversations. The objective of this work is to review
some of the most relevant results in this field and discuss their practical feasibility. To this end, we consider not only the contributions coming from the canonical scientific literature but also those that have been proposed in a more informal context, such as during hacker conferences.
most widespread mobile communication technology existing nowadays. Despite being a mature technology, its introduction dates back to the late eighties, it suffers from several security vulnerabilities, which have been targeted by many attacks aimed to break the underlying communication protocol. Most of these attacks focuses on the A5/1 algorithm used to protect over-the-air communication between the two parties of a phone call. This algorithm has been superseded by new and more secure algorithms.
However, it is still in use in the GSM networks as a fallback option, thus still putting at risk the security of the GSM based conversations. The objective of this work is to review
some of the most relevant results in this field and discuss their practical feasibility. To this end, we consider not only the contributions coming from the canonical scientific literature but also those that have been proposed in a more informal context, such as during hacker conferences.
Research Interests:
In this paper, we propose a novel security protocol for the implementation of CAPTCHA tests that feature advance mechanisms against man-in-the-middle (MITM, for short) attacks. This type of attack is fulfilled by a malicious entity, the... more
In this paper, we propose a novel security protocol for the implementation of CAPTCHA tests that feature advance mechanisms against man-in-the-middle (MITM, for short) attacks. This type of attack is fulfilled by a malicious entity, the MITM, that leverages on unaware users to mass-solve CAPTCHA tests shielding the access to a service. The protocol that we propose uses collision-resistant hash functions modeled as random oracles to guarantee that the solution to a CAPTCHA test solved by an end user is valid only for the server to which the user is connected to. This will prevent MITM attacks because the user is not directly connected to the server. We developed a reference implementation for our protocol that has a low impact and is easy to use, featuring a software plug-in running in the Firefox web browser, on the client side, and a Java servlet-based application, on the server side.
Research Interests:
The Web is experiencing an explosive growth in the last years. New technologies are introduced at a very fast pace with the aim of narrowing the gap between web-based applications and traditional desktop applications. The results are web... more
The Web is experiencing an explosive growth in the last years. New technologies are introduced at a very fast pace with the aim of narrowing the gap between web-based applications and traditional desktop applications. The results are web applications that look and feel almost like desktop applications while retaining the advantages of being originated from the Web. However, these advancements come at a price. The same technologies used to build responsive, pleasant, and fully featured web applications can also be used to write web malware able to escape detection systems. In this article, we present new obfuscation techniques, on the basis of some of the features of the upcoming HTML5 standard, which can be used to deceive malware detection systems. The proposed techniques have been experimented on a reference set of obfuscated malware. Our results show that the malware rewritten using our obfuscation techniques goes undetected while being analyzed by a large number of detection systems. The same detection systems were able to correctly identify the same malware in its original unobfuscated form. We also provide some hints about how the existing malware detection systems can be modified in order to cope with these new techniques.
Research Interests:
It is quite usual in the world of scientific software development to use, as black boxes, algorithmic software libraries without any prior assessment of their efficiency. This approach relies on the assumption that the experimental... more
It is quite usual in the world of scientific software development to use, as black boxes, algorithmic software libraries without any prior assessment of their efficiency. This approach relies on the assumption that the experimental performance of these libraries, although correct, will match the theoretical expectation of their algorithmic counterparts.
In this paper we discuss the case of SEESMS (Secure Extensible and Efficient SMS). It is a software framework that allows two peers to exchange encrypted and digitally signed SMS messages. The cryptographic part of SEESMS is implemented on top of the Java BC library (The Legion of Bouncy Castle, 2010), a widely used open-source library. The preliminary experimentations conducted on SEESMS, discussed in Castiglione et al. (2010), revealed some unexpected phenomena like the ECDSA-based cryptosystem being generally and significantly slower than the RSA-based equivalent. In this paper, we analyze these phenomena by profiling the code of SEESMS and expose the issues causing its bad performance. Then, we apply some algorithmic and programming optimizations techniques. The resulting code exhibits a significant performance boost with respect to the original implementation, and requires less memory in order to be run.
In this paper we discuss the case of SEESMS (Secure Extensible and Efficient SMS). It is a software framework that allows two peers to exchange encrypted and digitally signed SMS messages. The cryptographic part of SEESMS is implemented on top of the Java BC library (The Legion of Bouncy Castle, 2010), a widely used open-source library. The preliminary experimentations conducted on SEESMS, discussed in Castiglione et al. (2010), revealed some unexpected phenomena like the ECDSA-based cryptosystem being generally and significantly slower than the RSA-based equivalent. In this paper, we analyze these phenomena by profiling the code of SEESMS and expose the issues causing its bad performance. Then, we apply some algorithmic and programming optimizations techniques. The resulting code exhibits a significant performance boost with respect to the original implementation, and requires less memory in order to be run.
Research Interests:
We report our findings on an extensive empirical study on several algorithms for maintaining minimum spanning trees in dynamic graphs. In particular, we have implemented and tested a variant of the polylogarithmic algorithm by Holm et... more
We report our findings on an extensive empirical study on several algorithms for maintaining minimum spanning trees in dynamic graphs. In particular, we have implemented and tested a variant of the polylogarithmic algorithm by Holm et al., sparsification on top of Frederickson’s algorithm, and compared them to other (less sophisticated) dynamic algorithms. In our experiments, we considered as test sets several random, semi-random and worst-case inputs previously considered in the literature.
Research Interests:
Research Interests:
Large and inexpensive memory devices may suffer from faults, where some bits may arbitrarily flip and corrupt the values of the affected memory cells. The appearance of such faults may seriously compromise the correctness and performance... more
Large and inexpensive memory devices may suffer from faults, where some bits may arbitrarily flip and corrupt the values of the affected memory cells. The appearance of such faults may seriously compromise the correctness and performance of computations. In recent years, several algorithms for computing in the presence of memory faults have been introduced in the literature: in particular, we say that an algorithm or a data structure is resilient if it is able to work correctly on the set of uncorrupted values. In this invited talk, we contribute carefully engineered implementations of recent resilient algorithms and data structures and report the main results of a preliminary experimental evaluation of our implementations.
Research Interests:
We address the problem of sorting in the presence of faults that may arbitrarily corrupt memory locations, and investigate the impact of memory faults both on the correctness and on the running times of mergesort-based algorithms. To... more
We address the problem of sorting in the presence of faults that may arbitrarily corrupt memory locations, and investigate the impact of memory faults both on the correctness and on the running times of mergesort-based algorithms. To achieve this goal, we develop a software testbed that simulates different fault injection strategies, and perform a thorough experimental study using a combination of several fault parameters. Our experiments give evidence that simple-minded approaches to this problem are largely impractical, while the design of more sophisticated resilient algorithms seems really worth the effort. Another contribution of our computational study is a carefully engineered implementation of a resilient sorting algorithm, which appears robust to different memory fault patterns.
Research Interests: Computational Geometry, Modeling, Approximation Algorithms, Localization, Computing, and 11 moreMultidisciplinary, Case Study, Algorithmics, APPROXIMATION ALGORITHM, Fault Injection, Incomplete Information, Experimental Study, Sorting, Cutting Stock Problem, Approximate Algorithm, and Sorting Algorithm
We address the problem of sorting in the presence of faults that may arbitrarily corrupt memory locations, and investigate the impact of memory faults both on the correctness and on the running times of mergesort-based algorithms. To... more
We address the problem of sorting in the presence of faults that may arbitrarily corrupt memory locations, and investigate the impact of memory faults both on the correctness and on the running times of mergesort-based algorithms. To achieve this goal, we develop a software testbed that simulates different fault injection strategies, and we perform a thorough experimental study using a combination of several fault parameters. Our experiments give evidence that simple-minded approaches to this problem are largely impractical, while the design of more sophisticated resilient algorithms seems really worth the effort. Another contribution of our computational study is a carefully engineered implementation of a resilient sorting algorithm, which appears robust to different memory fault patterns.
Research Interests: Computational Geometry, Modeling, Approximation Algorithms, Localization, Computing, and 11 moreMultidisciplinary, Case Study, Algorithmics, APPROXIMATION ALGORITHM, Fault Injection, Incomplete Information, Experimental Study, Sorting, Cutting Stock Problem, Approximate Algorithm, and Sorting Algorithm
We address the problem of implementing data structures resilient to memory faults which may arbitrarily corrupt memory locations. In this framework, we focus on the implementation of dictionaries, and perform a thorough experimental study... more
We address the problem of implementing data structures resilient to memory faults which may arbitrarily corrupt memory locations. In this framework, we focus on the implementation of dictionaries, and perform a thorough experimental study using a testbed that we designed for this purpose. Our main discovery is that the best-known (asymptotically optimal) resilient data structures have very large space overheads. More precisely, most of the space used by these data structures is not due to key storage. This might not be acceptable in practice since resilient data structures are meant for applications where a huge amount of data (often of the order of terabytes) has to be stored. Exploiting techniques developed in the context of resilient (static) sorting and searching, in combination with some new ideas, we designed and engineered an alternative implementation which, while still guaranteeing optimal asymptotic time and space bounds, performs much better in terms of memory without compromising the time efficiency.
Research Interests:
Research Interests:
Research Interests:
Research Interests:
In this paper we present an integrated framework for developing and running micropayment services. Our framework is multi-channel, as it allows a micropayment service to be used, at the same time, by clients using different types of... more
In this paper we present an integrated framework for developing and running micropayment services. Our framework is multi-channel, as it allows a micropayment service to be used, at the same time, by clients using different types of communication channels. It is also multi-scheme, because it allows to have on the same server different types of micropayment schemes. The framework has been designed in such a way to simplify the distribution and the replication of its server components across several machines, thus increasing the overall efficiency. On the client side, it includes two library of classes that can be used to run micropayment services on Java applications running on a desktop computer, in a Web browser or on a mobile phone. The framework also includes the implementation of two traditional micropayment schemes, as well as the communication modules needed to implement micropayment schemes over HTTP based and SMS based communication channels.
Research Interests:
... Alfredo De Santis Dipartimento di Informatica ed Applicazioni "RM Capocelli", Universita di Salerno, Via Ponte don Melillo, 1-84084 ... LEGAL PARTIES: Alice, Bob MALICIOUS PARTIES: Charlie INITIAL CONTEXT:... more
... Alfredo De Santis Dipartimento di Informatica ed Applicazioni "RM Capocelli", Universita di Salerno, Via Ponte don Melillo, 1-84084 ... LEGAL PARTIES: Alice, Bob MALICIOUS PARTIES: Charlie INITIAL CONTEXT: The teacher creates a document d in Alice's workspace (Le., the ...
Research Interests:
... by Maria Barra , Tania Cillo , Antonio De Santis , Umberto Ferraro Petrillo , Alberto Negro , Vittorio Scarano , Umberto Ferraro , Petrillo Alberto , Negro Vittorio Scarano. In Poster Proceedings of the Ninth Annual World ...
Research Interests:
Research Interests:
Nowadays, there is a strong trend toward the integration of public communication networks. This is especially the case of the mobile phone networks and the Internet, which are becoming increasingly interconnected as to create a single... more
Nowadays, there is a strong trend toward the integration of public communication networks. This is especially the case of the mobile phone networks and the Internet, which are becoming increasingly interconnected as to create a single unified network. One of the possible consequences of this integration is that the security issues, which already exist within each of these networks, become even more menacing in such an enlarged context. The possibility to operate voice calls is one of the most popular services that run on these networks. At the time of this writing, the user who calls another user by means of a mobile phone or a desktop computer equipped with Voice-over-IP software is subject to several threats. In this paper, we examine some of these threats and present SPEECH, a software system for making “secure” calls by using Windows Mobile 2003 powered handheld devices and a wireless data communication channel. The notion of Security implemented by SPEECH is stronger than the one available in other secure conversation software, because it includes the mutual authentication of the endpoints of the conversation, the end-to-end digital encryption of the content of a conversation and the possibility to digitally sign the conversation content for non-repudiation purpose. SPEECH is able to operate on different types of networks and adapt its behaviour to the bandwidth of the underlying network while guaranteeing a minimal-acceptable quality of service (currently GSM and TCPIIP networks are supported). This has been achieved by adopting a very light communication protocol and by using a software codec explicitly optimized for the compression of voice data streams while retaining a good sampling quality. As a result, SPEECH is able to work in full-duplex mode, with just a slight delay in the conversation, even when using a 9600 bps communication channel, such as the one provided by GSM networks. There are several application areas for SPEECH. For example, it can be used in an economic transaction conducted over a public phone line to verify the real identities of the parties who are participating to the transaction, to prevent the possibility for an eavesdropper to access the content of the conversation and to ensure that either party of the call could not deny the content of the conversation in a later moment.
Research Interests:
JIVE (Java interactive software visualization environment) is a system for the visualization of Java coded algorithms and data structures. It supports the rapid development of interactive animations through the adoption of an object... more
JIVE (Java interactive software visualization environment) is a system for the visualization of Java coded algorithms and data structures. It supports the rapid development of interactive animations through the adoption of an object oriented approach. JIVE introduces several significant innovations such as a distributed architecture able to separate transparently the visualization activity from the underlying communication needed to support it. Therefore, it becomes possible to use JIVE in a variety of scenarios ranging from debugging algorithms to software visualization in virtual classrooms environments. Moreover, JIVE uses a zoomable user interface for representing algorithms: seamless visualization of both small and large data sets is achieved by using semantic zooming. Finally, JIVE comes with a collection of already animated data types including data structures provided by the Java standard library
Research Interests:
In this paper, an experimental evaluation of one of the most effective source camera identification techniques proposed so far, by Lukáš et al., is presented. This method uses the characteristic noise left by the sensor on a digital... more
In this paper, an experimental evaluation of one of the most effective source camera identification techniques proposed so far, by Lukáš et al., is presented. This method uses the characteristic noise left by the sensor on a digital picture as a fingerprint in order to identify the source camera used to take the picture. The aim of the experiments is to assess the effectiveness of this technique when used with pictures that were previously modified using several common image-processing functions coming with photo-editing tools. The results seem to confirm that, in most cases, the method by Lukáš et al. is resilient to the modifications introduced by the considered image-processing functions. However, it was possible to identify several cases where the quality of the identification process deteriorated because of the noise introduced by the image-processing.
Research Interests:
Research Interests:
In the Grid computing model a remote service is provided by a resource owner to a client. The resource owner executes a client job and charges the client for a corresponding fee. In this paper we discuss the main weakness of many existing... more
In the Grid computing model a remote service is provided by a resource owner to a client. The resource owner executes a client job and charges the client for a corresponding fee. In this paper we discuss the main weakness of many existing models for performing such a kind of transaction, i.e., the strong assumption that both the resource owner and the clients are honest. Then, we propose a new security model in which either the resource owners or the clients (or both) may not be honest. Our model introduces a trusted third party, referred to as “Grid Manager”. We describe in details the role of the Grid Manager and argue the advantages of our proposal with respect to the current state-of-the art.
Research Interests:
Research Interests:
ABSTRACT In this paper we present the key principles of the architecture of Teach++, a cooperative environment specialized for distance learning, and its implementation as a didactic instrument for teaching programming languages. Our... more
ABSTRACT In this paper we present the key principles of the architecture of Teach++, a cooperative environment specialized for distance learning, and its implementation as a didactic instrument for teaching programming languages. Our system is designed to be multi-user, ...
Research Interests:
Research Interests:
Research Interests:
Web-Based Enterprise Management (WBEM) is an emerging standard solution for remote management of heterogeneous devices. It allows to remotely operate and administer a group of hardware and software devices while preserving some security... more
Web-Based Enterprise Management (WBEM) is an emerging standard solution for remote management of heterogeneous devices. It allows to remotely operate and administer a group of hardware and software devices while preserving some security features. The aim of this paper is two-fold: 1) We raise concerns regarding security weaknesses of the architecture of WBEM. 2) We propose a lightweight security model for WBEM based on the concept of Attribute Authority and show its effectiveness in preserving both the security and the performance of the system. Moreover, we address the concept of accountability and present guidelines for an implementation of our model.