Proposals

(Assigned) User-defined Privacy in Android

Advisor: Alessio Merlo

Co-Advisors: Davide Caputo, Francesco Pagano

Type: Research

Topic(s): Mobile Security, Mobile Privacy, App Virtualization

Validity: March 2022 - October 2022

General description:
User privacy on mobile is assuming an increasingly relevant role. In the current state of the art, few solutions try to anonymize the sensitive information of the user who uses the app. We developed the HideDroid methodology, which is the first solution that tries to deal with this problem. This thesis will focus on the usage of virtualization techniques to overcome the limitations of the current HideDroid implementation.

Objective(s): 

Activity Schedule:

Prerequisites:

Pre-thesis evaluation:

Links and Documents:

Security Analysis of the Fuchsia Ecosystem

Advisor: Alessio Merlo

Co-Advisors: Luca Verderame, Francesco Pagano

Type: Research

Topic(s): Mobile Security, OS Security, Software Testing

Validity: March 2022 - October 2022

General description:
Fuchsia OS is a new operating system developed by Google to support a wide range of devices, from IoT devices to fully-fledged PCs. In fact, the main purpose of Fuchsia OS is to simplify the development of apps on different kinds of devices by supporting multiple application environments. However, the use of heterogeneous technologies makes their security analysis more difficult than in other environments.

Objective(s): 

Activity Schedule:

Prerequisites:

Pre-thesis evaluation:

Links and Documents:

In collaboration with 

(Assigned) Automatic Dynamic Analysis of iOS Apps

Advisor: Alessio Merlo

Co-Advisors: Davide Caputo, Luca Verderame, Andrea Romdhana

Type: Standard

Topic(s): Mobile Security, Mobile Testing

Validity: March 2022 - October 2022

General description:
From the point of view of security, mobile apps can be analyzed statically and dynamically. In the second case, the apps are installed in a test environment, and their behavior is monitored at runtime. However, this procedure often requires the app to be stimulated manually. This thesis aims to develop an automated tool capable of interacting with and stimulating an iOS app in a completely automatic way.

Objective(s): 

Activity Schedule:

Prerequisites:

Pre-thesis evaluation:

Links and Documents:

(Assigned) Enhanced Automatic Dynamic Analysis of Android Apps

Advisor: Alessio Merlo

Co-Advisors: Davide Caputo, Luca Verderame, Andrea Romdhana

Type: Standard

Topic(s): Mobile Security, Mobile Testing

Validity: March 2022 - October 2022

General description:
From a security perspective, mobile apps can be analyzed statically and dynamically. In the second case, the apps are installed in a test environment, and their behavior is monitored at runtime. However, currently available tools are limited to testing only the public surface. The aim of this thesis is to develop a tool capable of recognizing the registration/login screens and overcoming them by performing the actions required by the app.

Objective(s): 

Activity Schedule:

Prerequisites:

Pre-thesis evaluation:

Links and Documents:

In collaboration with 

Toward the European Digital Identity Wallet

Advisors: Silvio Ranise <ranise@fbk.eu>, Giada Sciarretta <giada.sciarretta@fbk.eu>

Co-Advisors: Alessandro Tomasi <altomasi@fbk.eu>

Type: Research

Topic(s): Identity Management, Mobile Security

Validity: From November 2021

General description:
To ensure better privacy, interoperability, and data exchange, identity management solutions are moving from a centralized ecosystem (e.g. SAML 2.0 and OpenID Connect) to a decentralized one in which the user manages the exchange of their own data. In the context of a collaboration with Istituto Poligrafico Zecca dello Stato (IPZS), we are interested in exploring the feasibility of Self-Sovereign Identity (SSI) systems that let users generate, on demand, identities containing strictly necessary information, by aggregating validated identity attributes from different attribute authorities via the use of Verifiable Credentials stored in a mobile eWallet (as suggested by the revised eIDAS regulation).

Objective(s): 

Activity Schedule:

Prerequisites:

Pre-thesis evaluation:

Links and Documents:

Dematerialized Identity

Advisors: Silvio Ranise <ranise@fbk.eu>, Giada Sciarretta <giada.sciarretta@fbk.eu>

Co-Advisors: Tahir Ahmad <ahmad@fbk.eu>

Type: Research

Topic(s): Identity Management, Mobile Security

Validity: From November 2021

General description:
Technology has already transformed the world of border security and efficient processing of passengers, for example through electronic Machine Readable Travel Documents (eMRTD), automated eGates, and use of biometrics. However, a newer generation of secure and efficient solutions is just beginning with the development of the Digital Travel Credential (DTC). In the context of a collaboration with Istituto Poligrafico Zecca dello Stato (IPZS), we are interested in the design and implementation of an Android application to store and show DTCs. This topic can also involve two students: the final goal (develop a prototype mobile app for storing/showing dematerialized documents) will be in common, while the type of document will be different (e.g., DTC and mobile Driving Licence - mDL).

Objective(s): 

Activity Schedule:

Prerequisites:

Pre-thesis evaluation:

Links and Documents:

Trusted Execution Environments for Advanced Data Protection

Advisors: Silvio Ranise <ranise@fbk.eu>, Roberto Carbone <carbone@fbk.eu>

Co-Advisors: Stefano Berlato <sberlato@fbk.eu>

Type: Research

Topic(s): Access Control, Cryptography, Cloud

Validity: From October 2021

General description:
Cryptographic Access Control (CAC) is often employed to protect the confidentiality of Cloud-hosted sensitive data from curious Cloud providers while also enforcing access control policies. Unfortunately, CAC usually incurs significant computational overheads that limit its applicability in real-world scenarios [1]. The main goal of this thesis is to investigate how Trusted Execution Environments (TEEs) such as Intel SGX [2] can synergize with CAC to relieve these computational overheads and efficiently guarantee advanced data protection.

Objective(s): 

Activity Schedule:

Prerequisites:

Pre-thesis evaluation:

Links and Documents:

Attribute-based Encryption for Advanced Data Protection in IoT with MQTT

Advisors: Silvio Ranise <ranise@fbk.eu>, Roberto Carbone <carbone@fbk.eu>

Co-Advisors: Stefano Berlato <sberlato@fbk.eu>

Type: Research

Topic(s): Access Control, Cryptography, Cloud

Validity: From October 2021

General description:
While yielding many benefits, emerging paradigms such as the Edge and the Internet-of-Things (IoT) threaten the confidentiality of users' sensitive data. In such a complex and dynamic scenario, fine-grained Access Control (AC) policies are necessary to control data sharing. However, traditional approaches to AC leave data unencrypted and at the mercy of curious service providers. The main goal of this thesis is to investigate how Attribute-based Encryption (ABE) can guarantee advanced data protection from all unauthorized entities while enforcing fine-grained Attribute-based AC (ABAC) policies in IoT scenarios using the MQTT protocol.

Objective(s): 

Activity Schedule:

Prerequisites:

Pre-thesis evaluation:

Links and Documents:

Blockchain Meets Cryptographic Access Control for Advanced Data Protection

Advisors: Silvio Ranise <ranise@fbk.eu>, Roberto Carbone <carbone@fbk.eu>

Co-Advisors: Stefano Berlato <sberlato@fbk.eu>

Type: Research

Topic(s): Access Control, Cryptography, Blockchain

Validity: From October 2021

General description:
Given the limited trust and the distributed nature of IoT and Edge scenarios, the Blockchain may be the solution to guarantee integrity and confidentiality of sensitive data at the cost of addressing scalable performance and consensus protocols. The main goal of this thesis is to investigate how Blockchain technologies such as Hyperledger [1] can synergize with cryptographic access control to efficiently guarantee advanced data protection.

Objective(s): 

Activity Schedule:

Prerequisites:

Pre-thesis evaluation:

Links and Documents: