54 research outputs found

    Development of security extensions based on Chrome APIs

    Client-side attacks against web sessions are a real concern for many applications. Realizing protection mechanisms on the client side, e.g. as browser extensions, has become a popular approach for securing the Web. In this paper we report on our experience in the implementation of SessInt, an extension for Google Chrome that protects users against a variety of client-side attacks, and we discuss some limitations of the browser APIs that negatively impacted the design process.

    WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring

    We present WPSE, a browser-side security monitor for web protocols designed to ensure compliance with the intended protocol flow, as well as confidentiality and integrity properties of messages. We formally prove that WPSE is expressive enough to protect web applications from a wide range of protocol implementation bugs and web attacks. We discuss concrete examples of attacks which can be prevented by WPSE on OAuth 2.0 and SAML 2.0, including a novel attack on the Google implementation of SAML 2.0 which we discovered by formalizing the protocol specification in WPSE. Moreover, we use WPSE to carry out an extensive experimental evaluation of OAuth 2.0 in the wild. Out of 90 tested websites, we identify security flaws in 55 websites (61.1%), including new critical vulnerabilities introduced by tracking libraries such as Facebook Pixel, all of which are fixable by WPSE. Finally, we show that WPSE works flawlessly on 83 websites (92.2%), with the 7 compatibility issues being caused by custom implementations deviating from the OAuth 2.0 specification, one of which introduces a critical vulnerability.

    Firewall management with FireWall synthesizer

    Firewalls are notoriously hard to configure and maintain. Policies are written in low-level, system-specific languages where rules are inspected and enforced along non-trivial control flow paths. Moreover, firewalls are tightly related to Network Address Translation (NAT) since filters need to be specified taking into account the possible translations of packet addresses, further complicating the task of network administrators. To simplify this job, we propose FIREWALL SYNTHESIZER (FWS), a tool that decompiles real firewall configurations from different systems into an abstract specification. This representation highlights the meaning of a configuration, i.e., the allowed connections with possible address translations. We show the usage of FWS in analyzing and maintaining a configuration on a simple (yet realistic) scenario and we discuss how the tool scales on real-world policies.

    The First AGILE Solar Flare Catalog

    We report the Astrorivelatore Gamma ad Immagini LEggero (AGILE) observations of solar flares, detected by the on-board anticoincidence system in the 80-200 keV energy range, from 2007 May 1st to 2022 August 31st. In more than 15 yr, AGILE detected 5003 X-ray, minute-lasting transients, compatible with a solar origin. A cross-correlation of these transients with the Geostationary Operational Environmental Satellites (GOES) official solar flare database allowed us to associate an intensity class (i.e., B, C, M, or X) to 3572 of them, for which we investigated the main temporal and intensity parameters. The AGILE data clearly revealed the solar activity covering the last stages of the 23rd cycle, the whole 24th cycle, and the beginning of the current 25th cycle. In order to compare our results with other space missions operating in the high-energy range, we also analyzed the public lists of solar flares reported by RHESSI and the Fermi Gamma-ray Burst Monitor. This catalog reports 1424 events not contained in the GOES official dataset, which, after statistical comparisons, are compatible with low-intensity, short-duration solar flares. Besides providing a further dataset of solar flares detected in the hard X-ray range, this study allowed us to point out two main features: a longer persistence of the decay phase in the high-energy regime, with respect to the soft X-rays, and a tendency of the flare maximum to be reached earlier in the soft X-rays with respect to the hard X-rays. Both these aspects support a two-phase acceleration mechanism of electrons in the solar atmosphere.
    Comment: 22 pages, 10 figures

    Study of radiation damage and substrate resistivity effects from beam test of silicon microstrip detectors using LHC readout electronics

    We present the beam test results of single-sided silicon microstrip detectors with different substrate resistivities. The effects of radiation damage are studied for a detector irradiated to a fluence of 2.4 × 10^14 n/cm^2. The detectors are read out with the APV6 chip, which is compatible with the 40 MHz LHC clock. The performance of different detectors and readout modes is studied in terms of signal-to-noise ratio and efficiency.

    Assembly of the Inner Tracker Silicon Microstrip Modules

    This note describes the organization of the mechanical assembly of the nearly 4000 silicon microstrip modules that were constructed in Italy for the Inner Tracker of the CMS experiment. The customization and the calibration of the robotic system adopted by the CMS Tracker community, starting from a general pilot project realized at CERN, are described. The step-by-step assembly procedure is illustrated in detail. Finally, the results for the mechanical precision of all assembled modules are reported.

    Surviving the Web: A Journey into Web Session Security

    In this article, we survey the most common attacks against web sessions, that is, attacks that target honest web browser users establishing an authenticated session with a trusted web application. We then review existing security solutions that prevent or mitigate the different attacks by evaluating them along four different axes: protection, usability, compatibility, and ease of deployment. We also assess several defensive solutions that aim at providing robust safeguards against multiple attacks. Based on this survey, we identify five guidelines that, to different extents, have been taken into account by the designers of the different proposals we reviewed. We believe that these guidelines can be helpful for the development of innovative solutions approaching web security in a more systematic and comprehensive way.