Mariano Ceccato is a tenure-track associate professor in the Computer Science department of the University of Verona, Italy. Until 2019, he was a tenured researcher in the Software Engineering research unit and later in the Security & Trust research unit at Fondazione Bruno Kessler, Trento, where he was principal investigator of several competitive publicly funded research projects. He was recently a visiting research scientist in the Software Verification and Validation Laboratory led by Lionel Briand at the University of Luxembourg.
Mariano received Best Paper Awards at ICPC-2017 (for a study involving professional hackers), ICST-2020 and ICST-2022, and Distinguished Paper Awards at ICPC-2017 and ASE-2016. He is author or co-author of more than 90 research papers published in international journals, conferences and workshops, including top venues (e.g., IEEE TSE, ACM TOSEM, EMSE, ICSE, ASE). His research interests include software testing, security testing, penetration testing, code hardening and empirical studies.
Session Title: Security Testing of Android Apps
Abstract: Android facilitates app interoperation and integration through an inter-process communication mechanism that allows an app to request a task from another app installed on the same device. However, this interoperation mechanism poses security risks if an app does not implement it properly. One example is the permission re-delegation vulnerability, a form of privilege escalation in which an unprivileged malicious app exploits a vulnerable privileged app to take privileged actions on the attacker's behalf.
Static analysis techniques as well as run-time protections have been proposed to detect permission re-delegation vulnerabilities. However, as acknowledged by their authors, most of these approaches suffer from many false positives because they do not discriminate between benign task requests and actual permission re-delegation vulnerabilities.
In this talk, I will present a recent approach that aims to fill this gap by bridging static and dynamic analysis with security testing for precise detection of permission re-delegation vulnerabilities. The approach first groups a large set of benign, non-vulnerable apps into clusters based on the similarity of their functional descriptions. It then generates a permission re-delegation model for each cluster, which characterizes the permission re-delegation behaviors common to the apps in that cluster. Given an app under test, the approach checks whether it exhibits permission re-delegation behaviors that deviate from the model of the cluster it belongs to. If so, it generates test cases that detect the vulnerabilities and show how they can be exploited.
Empirical validation suggests that this security testing approach outperforms the state of the art in vulnerability detection precision.
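To make the vulnerability class concrete, the following Java example (added here; it is not code from the talk or from the research it describes) shows a privileged app that exposes a bound service for sending SMS messages, first in a form that re-delegates its SEND_SMS permission to any caller, then in a hardened form that only acts for callers that hold the permission themselves. The package name, class names, transaction code and the manifest assumptions in the comments are hypothetical.

```java
package com.example.relay;

import android.Manifest;
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.telephony.SmsManager;

/*
 * Constructed example: a "privileged" app that holds SEND_SMS exposes a bound
 * service so other apps can ask it to send a text message. Both services below
 * are assumed to be declared in the manifest with android:exported="true".
 * Package, class names and the transaction code are hypothetical.
 */
final class RelayProtocol {
    static final int TRANSACTION_SEND_SMS = IBinder.FIRST_CALL_TRANSACTION;

    private RelayProtocol() {}

    // Request parcel layout: destination number, then message body.
    static String[] readRequest(Parcel data) {
        String destination = data.readString();
        String body = data.readString();
        return new String[] { destination, body };
    }
}

/*
 * VULNERABLE: permission re-delegation. Any app on the device, including one
 * that was never granted SEND_SMS, can bind to this exported service and have
 * an SMS sent with this app's permission, on the caller's behalf.
 */
class VulnerableSmsRelayService extends Service {
    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code == RelayProtocol.TRANSACTION_SEND_SMS) {
                String[] req = RelayProtocol.readRequest(data);
                // Privileged action performed with no check on who asked for it.
                SmsManager.getDefault().sendTextMessage(req[0], null, req[1], null, null);
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}

/*
 * HARDENED: the service exercises SEND_SMS only for callers that hold it
 * themselves, so no privilege is re-delegated. checkCallingPermission() reads
 * the Binder calling identity, so it is meaningful only inside an IPC (here,
 * onTransact); outside an IPC it always returns PERMISSION_DENIED, which is
 * the safe default.
 */
class HardenedSmsRelayService extends Service {
    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code == RelayProtocol.TRANSACTION_SEND_SMS) {
                if (HardenedSmsRelayService.this.checkCallingPermission(Manifest.permission.SEND_SMS)
                        != PackageManager.PERMISSION_GRANTED) {
                    // Refuse rather than act: otherwise the caller would gain a
                    // permission it was never granted. The SecurityException is
                    // propagated back to the calling process by Binder.
                    throw new SecurityException("uid " + Binder.getCallingUid()
                            + " lacks SEND_SMS; refusing to relay");
                }
                String[] req = RelayProtocol.readRequest(data);
                SmsManager.getDefault().sendTextMessage(req[0], null, req[1], null, null);
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```

The same guard can be declared instead of coded: setting android:permission="android.permission.SEND_SMS" on the service element in the manifest makes the system reject binds from callers without that permission. Note that the vulnerable form is not always a bug, which is the point of the cluster-based model described above: an app whose functional description is "send SMS on behalf of other apps" re-delegates by design, while the same behavior in, say, a flashlight app is a deviation worth a test case.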
Attaullah Buriro is currently an Assistant Professor at the Faculty of Computer Science of the Free University of Bolzano-Bozen (UNIBZ), Italy. Prior to that he held postdoctoral researcher positions at UNIBZ (1 Sep. 2019 to 30 Aug. 2020) and at the DISI Security Lab, University of Trento (1 Mar. 2017 to 30 Aug. 2019). He earned his PhD in Information and Communication Technology (security and privacy) from the University of Trento, Italy, in February 2017. His research interests include biometrics, access control, the Internet of Things (IoT), computer vision, machine learning, artificial intelligence, and data mining. He has developed several secure, user-friendly, implicit behavioral biometric-based authentication solutions for smartwatches, smartphones, and critical infrastructures.
Session Title: Behavioral Biometrics
Abstract: Behavioral biometrics, the process of verifying the identity of an individual based on their behavioral characteristics (keystroke dynamics, mouse movements, internet usage, etc.), has been widely used to secure access to critical infrastructure and to new-generation devices such as smartphones and smartwatches. Behavioral biometrics leverages machine learning to extract users' digital behavioral signatures, profile them, and use the profiles for identity verification. Behavioral biometrics has proved advantageous in recent years because (i) it works passively in the background, (ii) it needs no additional hardware, and (iii) it offers enhanced usability. Thus, behavioral biometric-based authentication solutions have been well accepted both in academia and in industry in recent years. The tutorial aims at covering the following topics in detail:
- Why behavioral biometrics? Basics, challenges, and trends.
- Behavioral biometrics systems for new generation devices.
- Potential attacks on behavioral biometric-based systems.
- Future Trends and some innovative applications.
Igor Falcomatà works as a security consultant and ethical hacker, conducting penetration tests and risk analyses for public and private companies. He is founder and CEO of Enforcer, an "offensive security" consulting company. He is also founder of Sikurezza.org, one of the first Italian infosecurity communities, an independent and hacker-centric place for information exchange and interaction between the underground, the academic world, researchers and users.
Session Title: Cybersecurity in production reality
Abstract: An introduction to the cybersecurity issues and challenges of industrial and production environments: what are the risks, what are the consequences, and how can we avoid them?
- History, background and context
- Cybersecurity Trends in ICT & OT
- Cybersecurity for OT (Operational Technology)
- Cybersecurity for (I)IoT (Industrial Internet of Things)
Domenico Cotroneo is currently full Professor at DIETI, the Department of Electrical Engineering and Information Technology of the University of Naples Federico II. He is also an IEEE Senior Member. Domenico has supervised 7 PhD students, each of whom has spent at least six months visiting a prestigious university or institution abroad; he is proud that his former PhD students are having bright careers in companies or in academic research. He has served on the Technical Program Committees of important conferences on dependability and software reliability, e.g., IEEE/IFIP DSN, IEEE SRDS, SAFECOMP, IEEE ISSRE, IEEE ICDS. He is a member of the IFIP Working Group 10.4 on Dependable Computing and Fault Tolerance and of the steering committee of the International Symposium on Software Reliability Engineering (ISSRE). Domenico's research activities over 20 years cover the following areas: dependability and security assessment of complex software systems; software fault injection; software performance degradation analysis; automatic software exploit generation and threat emulation. Domenico Cotroneo has (co-)authored more than 170 publications in peer-refereed international journals and conferences.
Session Title: What is the Software Security Development Lifecycle and why it is so important
Abstract: A brief introduction to software security will be provided, highlighting fundamental concepts: from memory management vulnerabilities to static and dynamic analysis. The talk will then present the Secure Development Lifecycle (SDL), i.e., the process of including security artifacts in the Software Development Lifecycle (SDLC). The SDLC consists of a detailed plan that defines the process organizations use to build an application from inception until decommissioning. The SDL can coexist with different development models, such as Waterfall, Iterative or Agile.
Session Title: Improving Software Security via Automatic Exploit Generation
Abstract: This talk describes the research activities carried out at the DESSERT lab of the University of Naples Federico II. The security of software platforms and applications depends upon effective techniques to detect vulnerabilities commonly exploited by malicious attacks. Due to poor coding practices or human error, a known vulnerability discovered and patched in one code location may often exist in many other unpatched code locations. Furthermore, patches are often error-prone, resulting in new vulnerabilities.
The focus of this talk is on software offensive security, i.e., testing software security from an adversary's perspective. In this light, the generation of effective software exploits is a fundamental step in validating security controls by discovering as many vulnerabilities as possible. A software exploit is a piece of software that allows an attacker to take control of a system by exploiting its vulnerabilities. The more effective the generated exploits, the more vulnerabilities are discovered.
Unfortunately, this is hard to achieve because of limitations in scope, in the penetration testers' access to the testing environment, in the tools available to the tester, and in the available budget. To overcome these limitations, we envision an approach in which the tester writes the exploit in natural language and an "intelligent" engine translates that description into a real and effective software exploit.
The second part of the talk will present a project that aims to automatically generate attack scenarios in the form of emulation plans suitable for any open-source adversary emulation tool, with the purpose of performing red team exercises without the need for highly specialized personnel. The main idea is to take advantage of threat and incident reports, along with open Cyber Threat Intelligence (CTI) data, as sources from which to extract the tactics, techniques, and procedures (TTPs) [NIST SP 800-150] used by known APTs, together with other observable data and the operational flow underlying the adversary's strategy. The information gathered from these sources is then converted into a structured format. The approach aims to ease the design of an emulation plan, allowing operators to invest time in testing activities rather than planning. Introducing an easy way to test a system against several attack scenarios improves the system's resilience and defense mechanisms, the ability to spot atypical activity, and the awareness of risks and security controls, fully embracing an intelligence-driven defense approach.
Svetlana Abramova is a Senior Researcher at the Department of Computer Science, University of Innsbruck, Austria. She received her Ph.D. degree in Computer Science from the University of Innsbruck, Austria (2019) and her Master's degree in Information Systems from the University of Münster, Germany (2012). Her research interests span empirical and theoretical perspectives on security, privacy, digital currencies, and payment systems, with a strong focus on economic, human, behavioural, and social aspects. She is particularly interested in interdisciplinary and multi-method research at the frontier between computer science, information systems, economics, and the social sciences. Svetlana regularly serves as an Associate Editor and PC member at the renowned International and European Conferences on Information Systems (ICIS, ECIS) and the Workshop on the Economics of Information Security (WEIS). Prior to her Ph.D. studies, she worked as a senior IT consultant in a management consultancy in Germany.
Session Title: Game theory for cyber security and privacy
Abstract: Game theory, the study of conflict situations and strategic decision making, has proved to be a valuable tool in economics, the social and political sciences, evolutionary biology, psychology, and computer science. Its fundamental concepts, supported by proven mathematics, make game-theoretical approaches of interest in many cyber security and privacy research problems, too. Besides the most obvious attacker-defender scenario, game theory can be applied to study economic incentives in such real-world examples as interdependent security or privacy, collaborative anonymity, or mandatory breach reporting. This session will introduce the basic notions, elements, and solution concepts of game theory, supported by selected canonical games and examples from information security and privacy. In the second part, students will apply the game-theoretical apparatus they have learned, model a given security problem as a game in group work, and discuss the strengths as well as the limitations of game theory.