This list is not exhaustive, we are open to other proposals.
- Machine Learning
Automatic software vulnerability detection
Formal modeling and verification techniques have the potential to provide the strongest security guarantee and to support full automation. However, implementing effective vulnerability detection tools based on these techniques is still an open issue. The main reasons are the poor scalability and the lack of formal semantics of real programming languages. The goal of this project is to investigate novel methodologies that (i) provide formal security guarantees and (ii) can be applied to real world software. Many types of analysis may be considered, including, for instance, symbolic exploration, model checking and security testing.
Formal methods; vulnerability analysis; security testing; evolutionary testing; white-box testing; code analysis.
G. Costa, A. Valenza: “Why Charles Can Pen-test: an Evolutionary Approach to Vulnerability Testing”,
A. Valenza, G. Costa, A. Armando: “Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners”, 23rd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2020),
The continuous evolution of threats as well as the growing complexity of modern infrastructures makes the security assessment of critical systems harder. Cyber ranges are virtual infrastructures that mimic real ones to support security-related activities such as testing, training and incident simulation. The development of a cyber range poses several theoretical and technical issues. The goal of this project is to study new approaches to improve the simulation quality and the training experience of cyber ranges. The activity also includes practical testing and integration with the already existing cyber range infrastructure owned by IMT Lucca.
Cyber range; security assessment; Cybersecurity training; simulation.
E. Russo, G. Costa, A. Armando: “Building next generation Cyber Ranges with CRACK”. Computers and Security, 2020
Translation validation for security
High-level languages provide a variety of abstractions and mechanisms (e.g. types, modules, automatic memory management) that enforce good programming practices and ease programmers in writing correct and secure code. However, those high-level abstractions do not always have counterparts when a program is compiled into a low-level language. This discrepancy can be dangerous when the source level abstractions are used to enforce security: if the target language provides no mechanism to preserve such properties, the resulting code is vulnerable to attacks.
The emerging field of formally secure compilation aims at granting that the security properties at the source level are preserved as they are at the object level. Currently, many papers propose to manually prove (with the help of a proof-assistant) once and for all that the compiler is security preserving. Although these manual proofs are very effective, they require huge efforts in terms of time and resources, even when one considers simple languages.
Instead of proving that a compiler is security preserving once and for all, a possible alternative is to use translation validation to prove that the compilation of a specific program preserves all security properties of interest.
The goal of this project is to design and implement a translation validation technique to automatically check that a given compilation run does not break security.
Secure compilation; translation validation; static analysis
M. Busi, and L. Galletta, “A Brief Tour of Formally Secure Compilation” in 3th Italian Conference on Cyber Security (ITASEC), 2019
M. Busi, P. Degano, L. Galletta, “Translation Validation for Security Properties”, PriSC 2019
Provably secure hardware-based countermeasures against software-exploitable side channels
Computer systems often provide hardware support for isolation mechanisms that are intended to confine the interactions between two isolated programs to a well-defined communication interface. A well known example of these isolation mechanisms is enclaved execution, which supports the software modules that runs isolated from all other software on the same platform, including system software such as the operating system. The isolation guarantees offered by enclaved execution are simple: data of a module can only be manipulated by code of the same module, external (untrusted) code cannot access the internal state of a module. Untrusted code can only interact with the enclave by calling a function in its public interface. Recently, security researchers have shown that enclaved execution can be attacked by means of software-exploitable side channels. Such side channels have been shown to violate integrity of victim programs, as well as their confidentiality. These attacks often exploit, or at least rely on, specific hardware features that were designed without security in mind. Thus, any architectural or micro-architectural feature of a processor brings a risk of introducing new software-based side-channel attacks. A recent class of attacks exploited the ability of an attacker to control the power supply of a computer system, or the API provided by modern microprocessors to control and schedule frequency and voltage. The goal of this project is to use programming language techniques developed in the field of secure compilation to design and prove secure countermeasures against this kind of attacks.
Secure compilation; enclaved execution; formal methods; formal verification
M. Busi, J. Noorman, J. Van Bulck, L. Galletta, P. Degano, J. T. Mühlberg, F. Piessens, “Provably secure isolation for interruptible enclaved execution on small microprocessors”, 33rd IEEE Computer Security Foundations Symposium, CSF 2020
Security in Critical Information Infrastructure
Information and communications technologies (ICTs) are increasingly common in our daily activities. Some of the ICT systems, services, networks, and infrastructures form a vital part of our society, providing essential goods and services or constituting the underpinning platform of other critical infrastructures. They are typically regarded as critical information infrastructures (CIIs) as their disruption would seriously impact vital societal functions. Since cyber threats to CIIs could potentially affect the safety of citizens, many of these systems require a high level of security.
Security engineering for CIIs is a multidisciplinary field involving various topics ranging from secure software development and cryptography to embedded systems design and network security. Cyber-ranges represent an invaluable tool for testing the capabilities and effectiveness of the proposed solutions in a multipurpose virtual environment, which is also suitable as a platform for security training.
This project aims to study new methodologies for the security assessment of CIIs with the support of cyber-ranges. The research topics include multilevel security investigations involving, for instance, network security, protocol security, and application security.
Network security; protocol security; vulnerability analysis; cyber-range; security assessment.
S. Soderi. “Evaluation of industrial wireless communications systems’ security”. Ph.D. Thesis, University of Oulu, Faculty of Information Technology and Electrical Engineering; Centre for Wireless Communications, June 2016.
Physical-layer Security in 6G networks
The sixth-generation (6G) mobile communication technology is one of the most prominent emerging research areas which will change our society and business. Its launch is expected to occur around 2030 when our society becomes data-driven and unlimited wireless connectivity.
We live in a hyper-connected society where sensors can exchange data even without any need for human interactions. Internet of Things (IoT) systems generate a massive amount of data transmitted via a networking infrastructure in which plenty of computing devices communicate among them. The physical-layer security techniques could represent an efficient solution to secure IoT. Indeed, physical-layer security aims at securing communications exploiting the physical properties of the communication channel. The next generation of low-power sensor networks is an area where physical-layer security can provide better computations than cryptography and low energy consumption, extending the battery life.
This project aims to develop and prove new physical-layer algorithms that enhance IoT security by exploiting signal processing techniques (e.g., watermarking) or even through an alternative medium (e.g., visible light communications, acoustic communications).
Physical-layer security; 6G; IoT; visible light communications.
S. Soderi. “Enhancing Security in 6G Visible Light Communications”. 2nd 6G Wireless Summit (6G SUMMIT). 2020.
Machine learning for Cultural Heritage
The application of Machine Learning (ML) to Cultural Heritage (CH) has evolved since basic statistical approaches such as Linear Regression to complex Deep Learning (DL) models. Typically, in this context the data are coming from different sources such as text, scanned images, photos, 3D models, and so on. The main task required to Machine Learning researchers is to make available to CL experts the possibility to access, query, and explore all these sources of information together. However, despite the evolution of ML/DL image and text processing systems, multimodal matching remains a challenging problem. This requires the development of new methods that are able to combine the information gathered from several sources in order to retrieve them in an efficient way. Thus, the goal of this process is to explore and implement new multimodal machine learning approaches and applications on top of them.
Deep learning, Machine learning, cultural heritage, pattern recognition, Natural language processing
M. Fiorucci, M. Khoroshiltseva, M. Pontil, A. Traviglia, A. Del Bue, S. James Machine Learning for Cultural Heritage: A Survey Pattern Recognition Letter, 2020
Deep learning for trajectory data
The study of human mobility, and mobility in general, is crucial due to its impact on several aspects of our society, such as disease spreading, urban planning, well-being, pollution, immigrations and so on. The proliferation of digital mobility data, such as phone records, GPS traces, and social media posts, combined with the outstanding predictive power of artificial intelligence, triggered the application of deep learning to human mobility. In particular, the literature is focusing on several tasks, just to name fews: next-location prediction, crowd trajectory prediction, trajectory reconstruction, mobility pattern detection, and so on. The goal of this project is to develop new and advanced deep learning methods applied to trajectory data in order to solve one of the above mentioned problems to be applied in different contexts from urban mobility to vessel mobility.
Machine learning, Urban mobility, deep learning
M. Luca, G. Barlacchi, B. Lepri, L. Pappalardo. “Deep Learning for Human Mobility: a Survey on Data and Models”
Understanding business firms performance through the lens of Machine Learning
Thanks to the increasing availability of granular, yet high-dimensional, firm level data, machine learning (ML) algorithms have been successfully applied to address multiple research questions related to firm dynamics. Especially supervised learning (SL), the branch of ML dealing with the prediction of labelled outcomes, has been used to better predict firms’ performance. In this contribution, we will illustrate a series of SL approaches to be used for prediction tasks, relevant at different stages of the company life cycle. The goal of this project is the application and development of new ML methods to firm level data in order to investigate firm performance over the years.
Machine learning, Econometrics, Business performance, Statistics
F. J. Bargagli-Stoffi, J. Niederreiter, M. Riccaboni. “Supervised learning for the prediction of firm dynamics”