Alessandro Armando

Università degli Studi di Genova | UNIGE · Dipartimento di Informatica, Bioingegneria, Robotica e Ingegneria dei Sistemi (DIBRIS)

Ph.D.

About

186 publications · 31,241 reads
3,972 citations
Additional affiliations
  • Università degli Studi di Genova, Professor (Full), May 2016 - June 2017
  • Fondazione Bruno Kessler, Head of Research Unit, April 2010 - present

Publications (186)
Preprint
Radar equipment is one of the key facilities navigators use to gather situational awareness about their surroundings. With an ever increasing need for always-running logistics and tighter shipping schedules, operators rely more and more on computerized instruments and their indications. As a result, modern ships have become...
Conference Paper
A Security Operation Centre (SOC) is a powerful and versatile infrastructure for cybersecurity, thanks to its capabilities for monitoring and improving the security posture of an organization. While SOCs have found wide adoption in companies for defending IT/OT infrastructures, their use in the maritime domain is still limited, although needed. Nevertheless,...
Preprint
The rising of the Cyber-Physical System (CPS) and the Industry 4.0 paradigms demands the design and the implementation of Digital Twin Frameworks (DTFs) that may support the quick build of reliable Digital Twins (DTs) for experimental and testing purposes. Most of the current DTF proposals allow generating DTs at a good pace but affect generality,...
Conference Paper
The first step of every attack is reconnaissance, i.e., to acquire information about the target. A common belief is that there is almost no risk in scanning a target from a remote location. In this paper we falsify this belief by showing that scanners are exposed to the same risks as their targets. Our methodology is based on a novel attacker model...
Preprint
The first step of every attack is reconnaissance, i.e., to acquire information about the target. A common belief is that there is almost no risk in scanning a target from a remote location. In this paper we falsify this belief by showing that scanners are exposed to the same risks as their targets. Our methodology is based on a novel attacker model...
Article
Fog Computing is an emerging distributed computational paradigm that moves the computation towards the edge (i.e., where data are produced). Although Fog operating systems provide basic security mechanisms, security controls over the behavior of applications running on Fog nodes are limited. For this reason, applications are prone to a variety of at...
Article
Cyber Ranges are complex infrastructures hosting high quality exercises that simulate cybersecurity scenarios of real-world complexity. Building the computing infrastructure is only the first step towards the successful execution of the cyber exercises. The design, verification and deployment of scenarios are costly and error-prone activities. As a...
Chapter
IoT devices often operate unsupervised in ever-changing environments for several years. Therefore, they need to be updated on a regular basis. Current approaches for software updates on IoT, like the recent SUIT proposal, focus on ensuring integrity and confidentiality but do not analyze the content of the software update, especially the IoT applic...
Preprint
A cyber range is an environment used for training security experts and testing attack and defence tools and procedures. Usually, a cyber range simulates one or more critical infrastructures that attacking (red) and defending (blue) teams must compromise and protect, respectively. The infrastructure can be physically assembled, but much more conveni...
Conference Paper
IoT devices often operate unsupervised in ever-changing environments for several years. Therefore, they need to be updated on a regular basis. Current approaches for software updates on IoT, like the recent SUIT proposal, focus on ensuring integrity and confidentiality but do not analyze the content of the software update, especially the IoT applic...
Conference Paper
Cyber Ranges are (virtual) infrastructures for the execution of cyber exercises of the highest quality that simulate cyber scenarios of real-world complexity. Building the computing infrastructure is only the first step towards the successful execution of the cyber exercises. The design, validation and deployment of scenarios are costly and error-p...
Conference Paper
A cyber range is an environment used for training security experts and testing attack and defence tools and procedures. Usually, a cyber range simulates one or more critical infrastructures that attacking (red) and defending (blue) teams must compromise and protect, respectively. The infrastructure can be physically assembled, but much more conveni...
Chapter
Threat detection systems collect and analyze a large amount of security data logs for detecting potential attacks. Since log data from enterprise systems may contain sensitive and personal information, access should be limited to the data relevant to the task at hand, as mandated by data protection regulations. To this end, data need to be pre-proces...
Chapter
Mobile applications, aka apps, mark the perimeter of the ecosystems of many service providers. Thus, their security assessment is crucial for any company aiming at protecting both customer data and other strategic assets. In fact, software analysts face an extremely hard problem due to, for example, continuous and fast development of new apps and t...
Article
While there exist many secure authentication and authorization solutions for web applications, their adaptation in the mobile context is a new and open challenge. In this paper, we argue that the lack of a proper reference model for Single Sign-On (SSO) for mobile native applications drives many social network vendors (acting as Identity Providers)...
Conference Paper
Intrusion and threat detection systems analyze large amounts of security-related data logs for detecting potentially harmful patterns. However, log data often contain sensitive and personal information, and their access and processing should be minimized. Anonymization can provide the technical means to reduce the privacy risk, but it should carefull...
Article
The swift and continuous evolution of mobile devices is encouraging both private and public organizations to adopt the Bring Your Own Device (BYOD) paradigm. As a matter of fact, the BYOD paradigm drastically reduces costs and increases productivity by allowing employees to carry out business tasks on their personal devices. However, it also incr...
Conference Paper
An Industrial Control System (ICS) is a system of physical entities whose functioning heavily relies on information and communication technology components and infrastructures. ICS are ubiquitous and can be found in a number of safety-critical areas including energy, chemical processes, health-care, aerospace, manufacturing, and transportation. Whi...
Conference Paper
The correct labelling of all information at its point of origin is a critical enabler for effective information access control in modern military systems. If information is not properly labeled it cannot be shared between different communities of interest and coalition partners, which affects the responsibility to share and potentially impedes ongo...
Conference Paper
NATO is developing a new IT infrastructure that will enable automated information sharing between different information security domains and provide strong separation between different communities of interest while supporting dynamic and flexible enforcement of the need-to-know principle. In this context, the Content-based Protection and Release (C...
Article
Android has a layered architecture that allows applications to leverage services provided by the underlying Linux kernel. However, Android does not prevent applications from directly triggering the kernel functionalities through system call invocations. As recently shown in the literature, this feature can be abused by malicious applications and th...
Conference Paper
The increasing availability of large and diverse datasets (big data) calls for increased flexibility in access control so to improve the exploitation of the data. Risk-aware access control systems offer a natural approach to the problem. We propose a novel access control framework that combines trust with risk and supports access control in dynamic...
Conference Paper
The security assessment of mobile applications is of paramount importance for both the service providers and their customers. As a matter of fact, nowadays smartphones are the primary means of access to the internet of services. Needless to say, malicious or flawed applications can disruptively compromise the sensitive data they handle. As a major sta...
Conference Paper
Near Field Communication (NFC) promises to boost mobile transactions and payments. Indeed, NFC-enabled devices can emulate smartcards, so allowing payments, loyalty programs, card access, transit passes and other custom services, through a mobile phone. Although many modern mobile devices mount an NFC transceiver, card emulation is still a rare feat...
Conference Paper
The Android Security Framework controls the execution of applications through permissions which are statically granted by the user during installation. However, the definition of security policies over permissions is not supported. Security policies must therefore be manually encoded into the application by the developer, which is a dangerous prac...
Article
We present SATMC 3.0, a SAT-based bounded model checker for security-critical systems that stems from a successful combination of encoding techniques originally developed for planning with techniques developed for the analysis of reactive systems. SATMC has been successfully applied in a variety of application domains (security protocols, security-...
Conference Paper
NATO is developing a new IT infrastructure for automated information sharing between different information security domains and supporting dynamic and flexible enforcement of the need-to-know principle. In this context, the Content-based Protection and Release (CPR) model has been introduced to support the specification and enforcement of NATO acce...
Conference Paper
The tremendous success of the mobile application paradigm is due to the ease with which new applications are uploaded by developers, distributed through the application markets (e.g. Google Play), and finally installed by the users. Yet, the very same model is causing serious security concerns, since users have no or little means to ascertain the t...
Article
Risk-aware access control systems grant or deny access to resources based on the notion of risk. This has many advantages compared to classical approaches, allowing for more flexibility and ultimately supporting a better exploitation of data. The authors propose and demonstrate a risk-aware access control framework for information disclosure, wh...
Chapter
Risk-aware access control systems grant or deny access to resources based on some notion of risk. In this paper we propose a model that considers the risk of leaking privacy-critical information when querying, e.g., datasets containing personal information. While querying databases containing personal information it is current practice to assign al...
Article
The success of the mobile application model is mostly due to the ease with which new applications are uploaded by developers, distributed through the application markets (e.g. Google Play), and installed by users. Yet, the very same model is the cause of serious security concerns, since users have no or little means to ascertain the trustworthiness of...
Article
An increasing number of attacks by mobile malware have begun to target critical infrastructure assets. Since malware attempts to defeat the security mechanisms provided by an operating system, it is of paramount importance to understand the strengths and weaknesses of the security frameworks of mobile device operating systems such as Android. Many...
Conference Paper
Mobile security is a hot research topic. Yet most of available techniques focus on securing individual applications and therefore cannot possibly tackle security weaknesses stemming from the combined use of one or more applications (e.g. confused deputy attacks). Preventing these types of attacks is crucial in many important application scenarios....
Article
The emerging Bring Your Own Device (BYOD) paradigm is pushing the adoption of employees' personal mobile devices (e.g., smartphones and tablets) inside organizations for professional usage. However, allowing private, general purpose devices to interact with proprietary, possibly critical infrastructures enables obvious threats. Unfortunately, curre...
Article
The widespread adoption of Application Programming Interfaces (APIs) by enterprises is changing the way business is done by permitting the implementation of a multitude of apps, customized to user needs. While supporting a more flexible exploitation of available data, services and applications developed on top of APIs are vulnerable to a variety of...
Article
Extensions of Role-Based Access Control (RBAC) policies taking into account contextual information (such as time and space) are increasingly being adopted in real-world applications. Their administration is complex since they must satisfy rapidly evolving needs. For this reason, automated techniques to identify unsafe sequences of administrative ac...
Article
The current mobile application distribution model cannot cope with the complex security requirements of the emerging "bring your own device" (BYOD) paradigm. A secure metamarket architecture supports the definition and enforcement of BYOD policies and offers a promising prototype implementation tested under realistic conditions. The Web extra at ht...
Conference Paper
We present SATMC 3.0, a SAT-based bounded model checker for security-critical systems that stems from a successful combination of encoding techniques originally developed for planning with techniques developed for the analysis of reactive systems. SATMC has been successfully applied in a variety of application domains (security protocols, security-...
Article
In the context of energy efficiency, smart metering solutions are receiving growing attention as they support the automatic collection of (fine-grained) consumption data of appliances. While the capability of a stakeholder (such as a consumer, a utility, or a third-party service) to access smart metering data can give rise to innovative services f...
Article
Business processes are usually expected to meet high level authorization requirements (e.g., Separation of Duty). Since violation of authorization requirements may lead to economic losses and/or legal implications, ensuring that a business process meets them is of paramount importance. Previous work showed that model checking can be profitably used...
Conference Paper
In the context of energy efficiency, smart metering solutions are receiving growing attention as they support the automatic collection of (fine-grained) consumption data of appliances. While the capability of a stakeholder (such as a consumer, a utility, or a third-party service) to access smart metering data can give rise to innovative services f...
Chapter
The successful operation of NATO missions requires the effective and secure sharing of information among coalition partners and external organizations, while avoiding the disclosure of sensitive information to unauthorized users. To resolve the conflict between confidentiality and availability in a dynamic coalition and network environment while be...
Article
Predicate abstraction refinement is one of the leading approaches to software verification. The key idea is to abstract the input program into a Boolean Program (i.e. a program whose variables range over the Boolean values only and model the truth values of predicates corresponding to properties of the program state), and refinement searches for ne...
Conference Paper
The Android OS consists of a Java stack built on top of a native Linux kernel. A number of recently discovered vulnerabilities suggest that some security issues may be hidden in the interplay between the Java stack and the Linux kernel. We have conducted an empirical security evaluation of the interaction between layers. Our experiments indicate th...
Conference Paper
The successful operation of NATO missions requires effective and secure sharing of information among coalition partners and external organizations, while avoiding the disclosure of sensitive information to untrusted users. To resolve the conflict between confidentiality and availability, NATO is developing a new information sharing infrastructure,...
Conference Paper
As the number of security-critical, online applications grows, the protection of the digital identities of the users is becoming a growing concern. Strong authentication protocols provide additional security by requiring the user to provide at least two independent proofs of identity for the authentication to succeed. In this paper we provide a for...
Article
The security model of the Android OS is based on the effective combination of a number of well-known security mechanisms (e.g. statically defined permissions for applications, the isolation offered by the Dalvik Virtual Machine, and the well-known Linux discretionary access control model). Although each security mechanism has been extensively teste...
Conference Paper
Modern mobile devices offer users powerful computational capabilities and complete customization. As a matter of fact, today smartphones and tablets have remarkable hardware profiles and a cornucopia of applications. Yet, the security mechanisms offered by most popular mobile operating systems offer only limited protection to the threats posed by m...
Conference Paper
Nowadays web services pervade the network experience of the users. Indeed, most of our activities over the internet consist in accessing remote services and interacting with them. Clearly, this can happen only when two elements are available: (i) a compatible device and (ii) a suitable network connection. The recent improvement of the computational ca...
Article
Browser-based Single Sign-On (SSO) protocols relieve the user from the burden of dealing with multiple credentials thereby improving the user experience and the security. In this paper we show that extreme care is required for specifying and implementing the prototypical browser-based SSO use case. We show that the main emerging SSO protocols, name...
Article
Business processes under authorization control are sets of coordinated activities subject to a security policy stating which agent can access which resource. Their behavior is difficult to predict due to the complex and unexpected interleaving of different execution flows within the process. Therefore, serious flaws may go undetected and manifest t...
Conference Paper
The administration of access control policies is a task of paramount importance for distributed systems. A crucial analysis problem is to foresee if a set of administrators can give a user an access permission. We consider this analysis problem in the context of the Administrative Role-Based Access Control (ARBAC), one of the most widespread admini...
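The analysis problem stated in the abstract above ("can a set of administrators ever give a user a given permission/role?") is a reachability question over the administrative rules. The block below is an added example, not code from the paper or from the authors: it runs a breadth-first search over a constructed toy ARBAC policy under assumptions that are ours, not the paper's (separate administration, i.e. the analysed user holds no administrative role; administrators permanently hold their admin roles; only one regular user is tracked, so the state is that user's role set). Role names and rules are hypothetical.

```python
"""Added example (not from the paper): bounded reachability for a toy ARBAC
policy, i.e. "can these administrators ever give this user role GOAL?".
Assumptions (ours, not the paper's): separate administration (the analysed
user holds no administrative role), administrators always hold their admin
roles, and only one regular user is tracked, so the state is that user's
role set and a breadth-first search over it terminates."""
from collections import deque
from typing import FrozenSet, Iterable, List, NamedTuple, Optional, Tuple


class CanAssign(NamedTuple):
    admin: str                # administrative role needed to fire the rule
    positive: FrozenSet[str]  # roles the user must already hold
    negative: FrozenSet[str]  # roles the user must NOT hold
    target: str               # role being granted


class CanRevoke(NamedTuple):
    admin: str
    target: str


Action = Tuple[str, str]  # ("assign" | "revoke", role)


def reachable(initial: Iterable[str], goal: str,
              can_assign: Iterable[CanAssign], can_revoke: Iterable[CanRevoke],
              admin_roles: Iterable[str]) -> Optional[List[Action]]:
    """Return a shortest sequence of administrative actions that puts `goal`
    into the user's role set, or None if no such sequence exists."""
    admins = frozenset(admin_roles)
    start = frozenset(initial)
    parent = {start: None}          # state -> (previous state, action)
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if goal in state:
            path: List[Action] = []
            while parent[state] is not None:
                state, action = parent[state]
                path.append(action)
            return path[::-1]
        successors = []
        for rule in can_assign:
            if (rule.admin in admins and rule.positive <= state
                    and not (rule.negative & state) and rule.target not in state):
                successors.append((state | {rule.target}, ("assign", rule.target)))
        for rule in can_revoke:
            if rule.admin in admins and rule.target in state:
                successors.append((state - {rule.target}, ("revoke", rule.target)))
        for nxt, action in successors:
            if nxt not in parent:          # first visit = shortest path (BFS)
                parent[nxt] = (state, action)
                queue.append(nxt)
    return None


# Constructed toy policy (hypothetical roles, not from the paper).
POLICY_ASSIGN = [
    CanAssign("HR", frozenset(), frozenset({"Contractor"}), "Employee"),
    CanAssign("HR", frozenset({"Employee"}), frozenset(), "Manager"),
    CanAssign("Finance", frozenset({"Manager"}), frozenset({"Contractor"}), "Payroll"),
]
POLICY_REVOKE = [CanRevoke("HR", "Contractor")]


def demo() -> Optional[List[Action]]:
    # A contractor should never get Payroll, yet HR can revoke Contractor first,
    # after which the negative precondition no longer blocks the chain.
    return reachable({"Contractor"}, "Payroll", POLICY_ASSIGN, POLICY_REVOKE,
                     admin_roles={"HR", "Finance"})


if __name__ == "__main__":
    print(demo())
```

The returned action list is the counterexample an administrator wants to see: the negative precondition on `Payroll` looks like a safeguard, but a revoke rule held by a different administrator lets the two administrators jointly reach the role. Restricting the admin set (e.g. only `HR`) makes the goal unreachable, which is the other answer the analysis can give.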
Conference Paper
We provide a formal model and a security analysis of the Private Billing Protocol. This formal analysis allowed us to spell out precisely the details of the protocol, the security assumptions as well as the expected security goals. For the formal analysis we used SATMC, a model checker for security protocol analysis that supports the specification o...
Article
The number of devices (phones, tablets, smart TVs, ...) using Android OS is continuously and rapidly growing. Together with the devices, also the amount of applications and on-line application marketplaces is increasing. Unfortunately, security guarantees are not evolving concurrently and security flaws have been reported. Far from discouraging the...
Conference Paper
We study the decidability of the safety problem in the usage control (UCON) model. After defining a formal model, we identify sufficient conditions for the decidability of the safety problem for UCON systems whose attributes are allowed to range over infinite domains and updates in one process may affect the state of another. Our result is a signif...
Conference Paper
Android OS is currently the most widespread mobile operating system and is very likely to remain so in the near future. The number of available Android applications will soon reach the staggering figure of 500,000, with an average of 20,000 applications being introduced in the Android Market over the last 6 months. Since many applications (e.g., ho...
Article
The security of Android has been recently challenged by the discovery of a number of vulnerabilities involving different layers of the Android stack. We argue that such vulnerabilities are largely related to the interplay among layers composing the Android stack. Thus, we also argue that such interplay has been underestimated from a security point-...
Conference Paper
We consider an extension of the Role-Based Access Control model in which rules assign users to roles based on attributes. We consider an open (allow-by-default) policy approach in which rules can assign users negated roles thus preventing access to the permissions associated to the role. The problems of detecting redundancies and inconsistencies ar...
Article
Administrative Role Based Access Control (ARBAC) is one of the most widespread frameworks for the management of access-control policies. Several automated analysis techniques have been proposed to help maintain desirable security properties of ARBAC policies. One of the main limitations of available analysis techniques is that the set of users is bo...
Conference Paper
We present a previously undisclosed vulnerability of Android OS which can be exploited by mounting a Denial-of-Service attack that makes devices become totally unresponsive. We discuss the characteristics of the vulnerability - which affects all versions of Android - and propose two different fixes, each involving little patching implementing a few...
Article
The Program Chairs are pleased to welcome attendees to the second workshop on Semantic Computing and Security. This is a new area of research focus, and the papers accepted by the reviewers represent some of the several dimensions that exist in the intersection of the two areas. The program committee and all reviewers worked hard to complete the re...
Conference Paper
The AVANTSSAR Platform is an integrated toolset for the formal specification and automated validation of trust and security of service-oriented architectures and other applications in the Internet of Services. The platform supports application-level specification languages (such as BPMN and our custom languages) and features three validation backen...
Conference Paper
The User Authorization Query (UAQ) Problem for Role-Based Access Control (RBAC) amounts to determining a set of roles to be activated in a given session in order to achieve some permissions while satisfying a collection of authorization constraints governing the activation of roles. Techniques ranging from greedy algorithms to reduction to (varian...
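To make the UAQ problem of the abstract above concrete, here is an added example (not code from the paper or its authors) that solves a small instance by exhaustive enumeration: given the roles a user is authorised for, the permissions each role carries, a lower bound (permissions the session must obtain), an upper bound (permissions it must not exceed, the least-privilege side of the query) and a set of dynamically mutually exclusive role pairs, it returns the smallest activatable role set. The role/permission table and constraints are constructed for illustration; the encodings the paper studies are not reproduced here.

```python
"""Added example (not from the paper): a brute-force solver for the User
Authorization Query (UAQ) problem. Exhaustive enumeration over subsets of
the user's roles, fine for a handful of roles; the paper's smarter
encodings (greedy / SAT-based) are not what this code implements."""
from itertools import combinations
from typing import Dict, Iterable, Optional, Set, Tuple


def solve_uaq(user_roles: Iterable[str], role_perms: Dict[str, Set[str]],
              lower: Set[str], upper: Set[str],
              dmer: Iterable[Tuple[str, str]],
              max_active: Optional[int] = None) -> Optional[Set[str]]:
    """Smallest activatable role set R with lower <= perms(R) <= upper and
    no dynamically mutually exclusive (DMER) pair inside R; among sets of the
    same size the one granting the fewest permissions wins (least privilege).
    Returns None when the query is unsatisfiable."""
    roles = sorted(user_roles)
    pairs = [frozenset(p) for p in dmer]
    limit = len(roles) if max_active is None else min(max_active, len(roles))
    for k in range(1, limit + 1):
        best: Optional[Set[str]] = None
        best_size = None
        for combo in combinations(roles, k):
            chosen = set(combo)
            if any(pair <= chosen for pair in pairs):
                continue                      # separation-of-duty violation
            perms = set().union(*(role_perms[r] for r in chosen))
            if not (lower <= perms <= upper):
                continue                      # under- or over-privileged
            if best_size is None or len(perms) < best_size:
                best, best_size = chosen, len(perms)
        if best is not None:
            return best                       # smallest k wins
    return None


# Constructed role/permission table (hypothetical, not from the paper).
ROLE_PERMS = {
    "Clerk": {"read_ledger"},
    "Auditor": {"read_ledger", "read_audit"},
    "Approver": {"approve_payment"},
    "Treasurer": {"approve_payment", "transfer_funds", "read_ledger"},
}
DMER = [("Approver", "Auditor")]   # nobody approves and audits in one session
ALL_PERMS = set().union(*ROLE_PERMS.values())


def demo() -> Optional[Set[str]]:
    # The session must read the ledger and approve a payment, but must not be
    # able to move money: Treasurer alone covers the request yet is rejected
    # by the upper bound, so the solver falls back to Clerk + Approver.
    return solve_uaq(ROLE_PERMS.keys(), ROLE_PERMS,
                     lower={"read_ledger", "approve_payment"},
                     upper=ALL_PERMS - {"transfer_funds"}, dmer=DMER)


if __name__ == "__main__":
    print(demo())
```

The upper bound is what separates a least-privilege UAQ from plain "give me something that works": drop it (pass `ALL_PERMS`) and the single over-privileged `Treasurer` role becomes the answer. The enumeration is exponential in the number of roles, which is why the abstract mentions greedy and SAT-based approaches for realistic policies.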
Article
Business processes under authorization control are sets of coordinated activities subject to a security policy stating which agent can access which resource. Their behavior is difficult to predict due to the complex and unexpected interleaving of different execution flows within the process. Serious flaws may thus go undetected and manifest themsel...
Conference Paper
Model checkers have been remarkably successful in finding flaws in security protocols. In this paper we present an approach to binding specifications of security protocols to actual implementations and show how it can be effectively used to automatically test implementations against putative attack traces found by the model checker. By using our ap...