Run-Time Attack Detection in Cryptographic APIs

Cryptographic APIs are often vulnerable to attacks that compromise sensitive cryptographic keys. In the literature we find many proposals for preventing or mitigating such attacks but they typically require to modify the API or to configure it in a way that might break existing applications. This makes it hard to adopt such proposals, especially because security APIs are often used in highly sensitive settings, such as financial and critical infrastructures, where systems are rarely modified and legacy applications are very common. In this paper we take a different approach. We propose an effective method to monitor existing cryptographic systems in order to detect, and possibly prevent, the leakage of sensitive cryptographic keys. The method collects logs for various devices and cryptographic services and is able to detect, offline, any leakage of sensitive keys, under the assumption that a key fingerprint is provided for each sensitive key. We define key security formally and we prove that the method is sound, complete and efficient. We also show that without key fingerprinting completeness is lost, i.e., some attacks cannot be detected. We discuss possible practical implementations and we develop a proof-of-concept log analysis tool for PKCS#11 that is able to detect, on a significant fragment of the API, all key-management attacks from the literature

Postcards from the post-HTTP world: Amplification of HTTPS vulnerabilities in the web ecosystem

HTTPS aims at securing communication over the Web by providing a cryptographic protection layer that ensures the confidentiality and integrity of communication and enables client/server authentication. However, HTTPS is based on the SSL/TLS protocol suites that have been shown to be vulnerable to various attacks in the years. This has required fixes and mitigations both in the servers and in the browsers, producing a complicated mixture of protocol versions and implementations in the wild, which makes it unclear which attacks are still effective on the modern Web and what is their import on web application security. In this paper, we present the first systematic quantitative evaluation of web application insecurity due to cryptographic vulnerabilities. We specify attack conditions against TLS using attack trees and we crawl the Alexa Top 10k to assess the import of these issues on page integrity, authentication credentials and web tracking. Our results show that the security of a consistent number of websites is severely harmed by cryptographic weaknesses that, in many cases, are due to external or related-domain hosts. This empirically, yet systematically demonstrates how a relatively limited number of exploitable HTTPS vulnerabilities are amplified by the complexity of the web ecosystem

Run-time analysis of PKCS#11 attacks

The goal of this paper is to report on the development of a tool aimed at the automatic detection of attacks against PKCS#11 devices. Instead of modifying or configuring the API, we propose a stateful run-time monitor which is able to track key usage over time, for the identification of operations that might result in the leakage of sensitive keys. We briefly report on the components developed for implementing the monitor and discuss new challenges and open issues

WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring

We present WPSE, a browser-side security monitor for web protocols designed to ensure compliance with the intended protocol flow, as well as confidentiality and integrity properties of messages. We formally prove that WPSE is expressive enough to protect web applications from a wide range of protocol implementation bugs and web attacks. We discuss concrete examples of attacks which can be prevented by WPSE on OAuth 2.0 and SAML 2.0, including a novel attack on the Google implementation of SAML 2.0 which we discovered by formalizing the protocol specification in WPSE. Moreover, we use WPSE to carry out an extensive experimental evaluation of OAuth 2.0 in the wild. Out of 90 tested websites, we identify security flaws in 55 websites (61.1%), including new critical vulnerabilities introduced by tracking libraries such as Facebook Pixel, all of which fixable by WPSE. Finally, we show that WPSE works flawlessly on 83 websites (92.2%), with the 7 compatibility issues being caused by custom implementations deviating from the OAuth 2.0 specification, one of which introducing a critical vulnerability

The future of Cybersecurity in Italy: Strategic focus area

This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian Nation research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management

Il Futuro della Cybersecurity in Italia: Ambiti Progettuali Strategici

Il presente volume nasce come continuazione del precedente, con l’obiettivo di delineare un insieme di ambiti progettuali e di azioni che la comunità nazionale della ricerca ritiene essenziali a complemento e a supporto di quelli previsti nel DPCM Gentiloni in materia di sicurezza cibernetica, pubblicato nel febbraio del 2017. La lettura non richiede particolari conoscenze tecniche; il testo è fruibile da chiunque utilizzi strumenti informatici o navighi in rete. Nel volume vengono considerati molteplici aspetti della cybersecurity, che vanno dalla definizione di infrastrutture e centri necessari a organizzare la difesa alle azioni e alle tecnologie da sviluppare per essere protetti al meglio, dall’individuazione delle principali tecnologie da difendere alla proposta di un insieme di azioni orizzontali per la formazione, la sensibilizzazione e la gestione dei rischi. Gli ambiti progettuali e le azioni, che noi speriamo possano svilupparsi nei prossimi anni in Italia, sono poi accompagnate da una serie di raccomandazioni agli organi preposti per affrontare al meglio, e da Paese consapevole, la sfida della trasformazione digitale. Le raccomandazioni non intendono essere esaustive, ma vanno a toccare dei punti che riteniamo essenziali per una corretta implementazione di una politica di sicurezza cibernetica a livello nazionale. Politica che, per sua natura, dovrà necessariamente essere dinamica e in continua evoluzione in base ai cambiamenti tecnologici, normativi, sociali e geopolitici. All’interno del volume, sono riportati dei riquadri con sfondo violetto o grigio; i primi sono usati nel capitolo introduttivo e nelle conclusioni per mettere in evidenza alcuni concetti ritenuti importanti, i secondi sono usati negli altri capitoli per spiegare il significato di alcuni termini tecnici comunemente utilizzati dagli addetti ai lavori. In conclusione, ringraziamo tutti i colleghi che hanno contribuito a questo volume: un gruppo di oltre 120 ricercatori, provenienti da circa 40 tra Enti di Ricerca e Università, unico per numerosità ed eccellenza, che rappresenta il meglio della ricerca in Italia nel settore della cybersecurity. Un grazie speciale va a Gabriella Caramagno e ad Angela Miola che hanno contribuito a tutte le fasi di produzione del libro. Tra i ringraziamenti ci fa piacere aggiungere il supporto ottenuto dai partecipanti al progetto FILIERASICURA

On the feasability of latency control via extrapolation in video streaming

openSi studia l’effetto dell’ estrapolazione nello streaming video, confrontando tempi di elaborazione e qualità del risultato.The effect of extrapolation in video streaming is being studied by comparing processing times and result quality