Lower Bounds for Complementation of omega-Automata Via the Full Automata Technique

In this paper, we first introduce a lower bound technique for the state complexity of transformations of automata. Namely we suggest first considering the class of full automata in lower bound analysis, and later reducing the size of the large alphabet via alphabet substitutions. Then we apply such technique to the complementation of nondeterministic \omega-automata, and obtain several lower bound results. Particularly, we prove an \omega((0.76n)^n) lower bound for B\"uchi complementation, which also holds for almost every complementation or determinization transformation of nondeterministic omega-automata, and prove an optimal (\omega(nk))^n lower bound for the complementation of generalized B\"uchi automata, which holds for Streett automata as well

The Wadge Hierarchy of Deterministic Tree Languages

We provide a complete description of the Wadge hierarchy for deterministically recognisable sets of infinite trees. In particular we give an elementary procedure to decide if one deterministic tree language is continuously reducible to another. This extends Wagner's results on the hierarchy of omega-regular languages of words to the case of trees.Comment: 44 pages, 8 figures; extended abstract presented at ICALP 2006, Venice, Italy; full version appears in LMCS special issu

The Complexity of Enriched Mu-Calculi

The fully enriched μ-calculus is the extension of the propositional μ-calculus with inverse programs, graded modalities, and nominals. While satisfiability in several expressive fragments of the fully enriched μ-calculus is known to be decidable and ExpTime-complete, it has recently been proved that the full calculus is undecidable. In this paper, we study the fragments of the fully enriched μ-calculus that are obtained by dropping at least one of the additional constructs. We show that, in all fragments obtained in this way, satisfiability is decidable and ExpTime-complete. Thus, we identify a family of decidable logics that are maximal (and incomparable) in expressive power. Our results are obtained by introducing two new automata models, showing that their emptiness problems are ExpTime-complete, and then reducing satisfiability in the relevant logics to these problems. The automata models we introduce are two-way graded alternating parity automata over infinite trees (2GAPTs) and fully enriched automata (FEAs) over infinite forests. The former are a common generalization of two incomparable automata models from the literature. The latter extend alternating automata in a similar way as the fully enriched μ-calculus extends the standard μ-calculus.Comment: A preliminary version of this paper appears in the Proceedings of the 33rd International Colloquium on Automata, Languages and Programming (ICALP), 2006. This paper has been selected for a special issue in LMC

Sub-session hijacking on the web: Root causes and prevention

Since cookies act as the only proof of a user identity, web sessions are particularly vulnerable to session hijacking attacks, where the browser run by a given user sends requests associated to the identity of another user. When n > 1 cookies are used to implement a session, there might actually be n sub-sessions running at the same website, where each cookie is used to retrieve part of the state information related to the session. Sub-session hijacking breaks the ideal view of the existence of a unique user session by selectively hijacking m sub-sessions, with m < n. This may reduce the security of the session to the security of its weakest sub-session. In this paper, we take a systematic look at the root causes of sub-session hijacking attacks and we introduce sub-session linking as a possible defense mechanism. Out of two flavors of sub-session linking desirable for security, which we call intra-scope and inter-scope sub-session linking respectively, only the former is relatively smooth to implement. Luckily, we also identify programming practices to void the need for inter-scope sub-session linking. We finally present Warden, a server-side proxy which automatically enforces intra-scope sub-session linking on incoming HTTP(S) requests, and we evaluate it in terms of protection, performances, backward compatibility and ease of deployment

An overview of Boxed Ambients (Abstract)

AbstractIn this lecture we present some work we published in [2,3] and hint at some new current lines of research on information flow and security.More precisely, we describe the calculus of Boxed Ambients a variant of Cardelli and Gordon's Mobile Ambients [4] a calculus of mobile and dynamically reconfigurable agents. Boxed Ambients inherit from Mobile Ambients (part of) the mobility primitives but rely on a completely different model of communication. The new communication primitives fit nicely the design principles of Mobile Ambients, and complement the existing constructs for ambient mobility with finer-grained, and more effective, mechanisms for ambient interaction. As a result Boxed Ambients retain the expressive power and the computational flavor of Ambient Calculus, as well as the elegance of its formal presentation. In addition, they enhance the flexibility of typed communications over Mobile Ambients, and provide new insight into the relationship between synchronous and asynchronous input-output

Channel Abstractions for Network Security

Process algebraic techniques for distributed systems are increasingly being targeted at identifying abstractions adequate both for high-level programming and specification, and for security analysis and verification. Drawing on our earlier work in [Bugliesi & Focardi 2008] F08}, we investigate the expressive power of a core set of security and network abstractions that provide high-level primitives for the specifications of the honest principals in a network, while at the same time enabling an analysis of the network-level adversarial attacks that may be mounted by an intruder. We analyze various bisimulation equivalences for security, arising from endowing the intruder with (i) different adversarial capabilities and (ii) increasingly powerful control on the interaction among the distributed principals of a network. By comparing the relative strength of the bisimulation equivalences, we obtain a direct measure of the discriminating power of the intruder, hence of the expressiveness of the corresponding intruder model

Security Protocol Specification and Verification with AnBx

Designing distributed protocols is complex and requires actions at very different levels: from the design of an interaction flow supporting the desired application-specific guarantees, to the selection of the most appropriate network-level protection mechanisms. To tame this complexity, we propose AnBx, a formal protocol specification language based on the popular Alice & Bob notation. AnBx offers channels as the main abstraction for communication, providing different authenticity and/or confidentiality guarantees for message transmission. AnBx extends existing proposals in the literature with a novel notion of forwarding channels, enforcing specific security guarantees from the message originator to the final recipient along a number of intermediate forwarding agents. We give a formal semantics of AnBx in terms of a state transition system expressed in the AVISPA Intermediate Format. We devise an ideal channel model and a possible cryptographic implementation, and we show that, under mild restrictions, the two representations coincide, thus making AnBx amenable to automated verification with different tools. We demonstrate the benefits of the declarative specification style distinctive of AnBx by revisiting the design of two existing e-payment protocols, iKP and SET

UNA REPUBBLICA DA DIGITALIZZARE

Il lavoro analizza lo stato dell’arte della digitalizzazione in Italia, a partire dai dati che emergono dall'Indice DESI, per poi soffermarsi su una valutazione della strategia nazionale alla luce delle sfide della formazione digitale, nei diversi livelli del nostro sistema educativo (dalle scuole all'università ai programmi di formazione continua). Lo studio si conclude con una breve illustrazione del programma associato al Fondo per la Repubblica Digitale, recentemente istituito dai Ministeri delle Finanze e della Transizione Digitale in cooperazione con ACRI, l'Associazione delle Fondazioni di Risparmio e delle Casse di Risparmio

Semantics-based analysis of content security policy deployment

Content Security Policy (CSP) is a recentW3C standard introduced to prevent and mitigate the impact of content injection vulnerabilities on websites. In this article, we introduce a formal semantics for the latest stable version of the standard, CSP Level 2. We then perform a systematic, large-scale analysis of the effectiveness of the current CSP deployment, using the formal semantics to substantiate our methodology and to assess the impact of the detected issues. We focus on four key aspects that affect the effectiveness of CSP: browser support,website adoption, correct configuration, and constant maintenance. Our analysis shows that browser support for CSP is largely satisfactory, with the exception of a few notable issues. However, there are several shortcomings relative to the other three aspects. CSP appears to have a rather limited deployment as yet and, more crucially, existing policies exhibit a number of weaknesses and misconfiguration errors. Moreover, content security policies are not regularly updated to ban insecure practices and remove unintended security violations. We argue that many of these problems can be fixed by better exploiting the monitoring facilities of CSP, while other issues deserve additional research, being more rooted into the CSP design

Dr Cookie and Mr Token - Web session implementations and how to live with them

The implementation of web sessions is a somewhat anarchic and largely unstructured process. Our goal with the present paper is to provide a disciplined perspective of which are the relative strengths and weaknesses of the most common techniques to implement web sessions, with a particular focus on their security. We clarify common misconceptions in the recent "cookies vs tokens" debate and we propose a more useful classification of web session implementations, based on where session information and session credentials are stored. We then propose a new implementation technique for web sessions which combines the strengths of existing web technologies to overcome their weaknesses and we successfully deploy our solution on top of WordPress and the Auth0 library for web authentication to demonstrate its feasibility