246 research outputs found
The “fair trial” principle: a comparative analysis starting from the Knox Case
The thesis will examine the "delitto di Perugia" (the Perugia murder case) from both a national and an international perspective
Velieri di Camogli: immagini del mare a confronto
This study compares the image of the sea represented in a number of paintings depicting sailing ships of Camogli shipowners in the 19th century. These works of art have been collected in the local Museo Marinaro Gio Bono Ferrari and in the sanctuary of Nostra Signora del Boschetto. The paintings in the museum are intended to celebrate the qualities of the ships and to show the social role played by their owners, while the paintings collected in the Sanctuary are ex-votos, offered to the Marian temple in memory of episodes that had put the sailors' safety at risk. These are opposing visions of the sea: on the one hand it is represented as a source of wealth and social pride, and on the other as a cause of danger. The analysis brings out how "the idea of landscape represents [...] a way in which some Europeans have represented to themselves and to others the world around them and their relations with it, and through which they have commented on social relations" (Cosgrove 1990, 23)
Can I take your subdomain? Exploring same-site attacks in the modern web
Related-domain attackers control a sibling domain of their target web application, e.g., as the result of a subdomain takeover. Despite their additional power over traditional web attackers, related-domain attackers received only limited attention from the research community. In this paper we define and quantify for the first time the threats that related-domain attackers pose to web application security. In particular, we first clarify the capabilities that related-domain attackers can acquire through different attack vectors, showing that different instances of the related-domain attacker concept are worth attention. We then study how these capabilities can be abused to compromise web application security by focusing on different angles, including cookies, CSP, CORS, postMessage, and domain relaxation. By building on this framework, we report on a large-scale security measurement on the top 50k domains from the Tranco list that led to the discovery of vulnerabilities in 887 sites, where we quantified the threats posed by related-domain attackers to popular web applications
Run-Time Attack Detection in Cryptographic APIs
Cryptographic APIs are often vulnerable to attacks that compromise sensitive cryptographic keys. In the literature we find many proposals for preventing or mitigating such attacks, but they typically require modifying the API or configuring it in a way that might break existing applications. This makes it hard to adopt such proposals, especially because security APIs are often used in highly sensitive settings, such as financial and critical infrastructures, where systems are rarely modified and legacy applications are very common. In this paper we take a different approach. We propose an effective method to monitor existing cryptographic systems in order to detect, and possibly prevent, the leakage of sensitive cryptographic keys. The method collects logs from various devices and cryptographic services and is able to detect, offline, any leakage of sensitive keys, under the assumption that a key fingerprint is provided for each sensitive key. We define key security formally and we prove that the method is sound, complete and efficient. We also show that without key fingerprinting completeness is lost, i.e., some attacks cannot be detected. We discuss possible practical implementations and we develop a proof-of-concept log analysis tool for PKCS#11 that is able to detect, on a significant fragment of the API, all key-management attacks from the literature
Postcards from the post-HTTP world: Amplification of HTTPS vulnerabilities in the web ecosystem
HTTPS aims at securing communication over the Web by providing a cryptographic protection layer that ensures the confidentiality and integrity of communication and enables client/server authentication. However, HTTPS is based on the SSL/TLS protocol suites, which have been shown to be vulnerable to various attacks over the years. This has required fixes and mitigations both in servers and in browsers, producing a complicated mixture of protocol versions and implementations in the wild, which makes it unclear which attacks are still effective on the modern Web and what their impact on web application security is. In this paper, we present the first systematic quantitative evaluation of web application insecurity due to cryptographic vulnerabilities. We specify attack conditions against TLS using attack trees and we crawl the Alexa Top 10k to assess the impact of these issues on page integrity, authentication credentials and web tracking. Our results show that the security of a considerable number of websites is severely harmed by cryptographic weaknesses that, in many cases, are due to external or related-domain hosts. This empirically yet systematically demonstrates how a relatively limited number of exploitable HTTPS vulnerabilities are amplified by the complexity of the web ecosystem
WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring
We present WPSE, a browser-side security monitor for web protocols designed to ensure compliance with the intended protocol flow, as well as confidentiality and integrity properties of messages. We formally prove that WPSE is expressive enough to protect web applications from a wide range of protocol implementation bugs and web attacks. We discuss concrete examples of attacks which can be prevented by WPSE on OAuth 2.0 and SAML 2.0, including a novel attack on the Google implementation of SAML 2.0 which we discovered by formalizing the protocol specification in WPSE. Moreover, we use WPSE to carry out an extensive experimental evaluation of OAuth 2.0 in the wild. Out of 90 tested websites, we identify security flaws in 55 websites (61.1%), including new critical vulnerabilities introduced by tracking libraries such as Facebook Pixel, all of which are fixable by WPSE. Finally, we show that WPSE works flawlessly on 83 websites (92.2%), with the 7 compatibility issues being caused by custom implementations deviating from the OAuth 2.0 specification, one of which introduces a critical vulnerability
From early stress to 12-month development in very preterm infants: Preliminary findings on epigenetic mechanisms and brain growth
Very preterm (VPT) infants admitted to a Neonatal Intensive Care Unit (NICU) are at risk for altered brain growth and less-than-optimal socio-emotional development. Recent research suggests that early NICU-related stress contributes to socio-emotional impairments in VPT infants at 3 months through epigenetic regulation (i.e., DNA methylation) of the serotonin transporter gene (SLC6A4). In the present longitudinal study we assessed: (a) the effects of NICU-related stress and SLC6A4 methylation variations from birth to discharge on brain development at term equivalent age (TEA); (b) the association between brain volume at TEA and socio-emotional development (i.e., the Personal-Social scale of the Griffiths Mental Development Scales, GMDS) at 12 months corrected age (CA). Twenty-four infants had complete data at 12 months of age. SLC6A4 methylation was measured at a specific CpG previously associated with NICU-related stress and socio-emotional stress. Findings confirmed that higher NICU-related stress was associated with a greater increase of SLC6A4 methylation at NICU discharge. Moreover, higher SLC6A4 discharge methylation was associated with reduced anterior temporal lobe (ATL) volume at TEA, which in turn was significantly associated with a less-than-optimal GMDS Personal-Social scale score at 12 months CA. The reduced ATL volume at TEA mediated the pathway linking the stress-related increase in SLC6A4 methylation at NICU discharge and socio-emotional development at 12 months CA. These findings suggest that early adversity-related epigenetic changes might contribute to the long-lasting programming of socio-emotional development in VPT infants through epigenetic regulation and structural modifications of the developing brain
Run-time analysis of PKCS#11 attacks
The goal of this paper is to report on the development of a tool aimed at the automatic detection of attacks against PKCS#11 devices. Instead of modifying or configuring the API, we propose a stateful run-time monitor which is able to track key usage over time in order to identify operations that might result in the leakage of sensitive keys. We briefly report on the components developed for implementing the monitor and discuss new challenges and open issues