Giampaolo Bella

University of Catania | UNICT · Department of Mathematics and Computer Science (DMI)

Doctor of Philosophy

About

217
Publications
17,606
Reads
1,548
Citations
Introduction
My main research interests lie in the area of formal specification and verification of critical real-world systems such as security protocols and policies. I'm particularly thrilled by the human aspects of digital security and by how technology shapes people's attitudes towards their online privacy. I founded and lead nas.inf, the research group in networks and security at my Department. I currently teach two courses in Computer Security, one at undergraduate and one at postgraduate level.

Publications

Publications (217)
Preprint
Full-text available
This article investigates the extent to which modern car drivers understand the implications that cars may have on their privacy. Such implications stem from the variety of services that modern cars offer upon the basis of the personal data that they collect about their drivers. The core of the research lies in a questionnaire aimed to distil out d...
Preprint
Full-text available
Physical persons playing the role of car drivers consume data that is sourced from the Internet and, at the same time, themselves act as sources of relevant data. It follows that citizens' privacy is potentially at risk while they drive, hence the need to model privacy threats in this application domain. This paper addresses the privacy threats by...
Preprint
The IoT is getting more and more pervasive. Even the simplest devices, such as a light bulb or an electrical plug, are made "smart" and controllable by our smartphone. This paper describes the findings obtained by applying the PETIoT kill chain to conduct a Vulnerability Assessment and Penetration Testing session on a smart bulb, the Tapo L530E by...
Preprint
Full-text available
Cybersecurity, which notoriously concerns both human and technological aspects, is becoming more and more regulated by a number of textual documents spanning several pages, such as the European GDPR Regulation and the NIS Directive. This paper introduces an approach that leverages techniques of semantic representation and reasoning, hence an ontolo...
Preprint
Full-text available
Foundational ontologies devoted to the effective representation of processes and procedures are not widely investigated at present, thereby limiting the practical adoption of semantic approaches in real scenarios where the precise instructions to follow must be considered. Also, the representation ought to include how agents should carry out the ac...
Preprint
Full-text available
Large documents written in juridical language are difficult to interpret, with long sentences leading to intricate and intertwined relations between the nouns. The present paper frames this problem in the context of recent European security directives. The complexity of their language is here thwarted by automating the extraction of the relevant in...
Preprint
Full-text available
Legal language can be understood as the language typically used by those engaged in the legal profession and, as such, it may come both in spoken or written form. Recent legislation on cybersecurity obviously uses legal language in writing, thus inheriting all its interpretative complications due to the typical abundance of cases and sub-cases as w...
Article
Full-text available
Semantic representation is a key enabler for several application domains, and the multi-agent systems realm makes no exception. Among the methods for semantically representing agents, one has been essentially achieved by taking a behaviouristic vision, through which one can describe how they operate and engage with their peers. The approach essenti...
Preprint
Full-text available
Modern cars are getting so computerised that ENISA's phrase "smart cars" is a perfect fit. The amount of personal data that they process is very large and, yet, increasing. Hence, the need to address citizens' privacy while they drive and, correspondingly, the importance of privacy threat modelling (in support of a respective risk assessment, such...
Preprint
Full-text available
This paper questions how to approach threat modelling in the automotive domain at both an abstract level that features no domain-specific entities such as the CAN bus and, separately, at a detailed level. It addresses such questions by contributing a systematic method that is currently affected by the analyst's subjectivity because most of its inne...
Preprint
Attackers may attempt exploiting Internet of Things (IoT) devices to operate them unduly as well as to gather the legitimate device owners' personal data. Vulnerability Assessment and Penetration Testing (VAPT) sessions help to verify the effectiveness of the adopted security measures. However, VAPT over IoT devices, namely VAPT targeted at IoT...
Preprint
Full-text available
Fuzz testing (or fuzzing) is an effective technique used to find security vulnerabilities. It consists of feeding a software under test with malformed inputs, waiting for a weird system behaviour (often a crash of the system). Over the years, different approaches have been developed, and among the most popular lies the coverage-based one. It relies...
Article
Full-text available
The advanced and personalised experience that modern cars offer makes them more and more data-hungry. For example, the cabin preferences of the possible drivers must be recorded and associated to some identity, while such data could be exploited to deduce sensitive information about the driver’s health. Therefore, drivers’ privacy must be taken ser...
Article
Full-text available
This article recognises the widespread application of risk assessment in ICT and aims at reducing the influence of human subjectivity and distraction by means of a methodology for the Automated and Intelligent Likelihood Assignment (AILA). The AILA Methodology, with its various components, applies when risk assessment proceeds exclusively upon info...
Conference Paper
Fuzz testing (or fuzzing) is an effective technique used to find security vulnerabilities. It consists of feeding a software under test with malformed inputs, waiting for a weird system behaviour (often a crash of the system). Over the years, different approaches have been developed, and among the most popular lies the coverage-based one. It relies...
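The two fuzzing abstracts above describe coverage-based fuzzing only in outline. The following is an added example, written for this page and not taken from the papers or their tools, of what "coverage-based" means in practice: a target parser is instrumented so that every branch taken is recorded, and a mutated input is kept in the queue only when it reaches a branch no earlier input reached. The parser, its frame format ('F' 'Z', a length byte, the payload and a checksum byte), its planted out-of-bounds read, and the AFL-like deterministic mutation schedule are all constructed here for illustration; nothing about them comes from the papers.

```python
"""Coverage-guided fuzzing of an instrumented toy frame parser (constructed example)."""
from typing import FrozenSet, Iterator, List, Optional, Set, Tuple

# --- instrumentation: the equivalent of compile-time edge counters ---------------
COVERAGE: Set[str] = set()

def hit(edge: str) -> None:
    """Record that the branch labelled `edge` was executed."""
    COVERAGE.add(edge)

# --- target under test (hypothetical format; the bug is planted on purpose) ------
def parse_frame(data: bytes) -> int:
    """Parse 'F' 'Z' <len> <payload...> <checksum>. Returns the payload length or
    a negative error code. Planted bug: the checksum byte is read without checking
    that it exists, so a frame that ends right after the payload raises IndexError."""
    hit("entry")
    if len(data) < 3:
        hit("too_short"); return -1
    if data[0] != 0x46:                      # 'F'
        hit("bad_magic0"); return -2
    hit("magic0_ok")
    if data[1] != 0x5A:                      # 'Z'
        hit("bad_magic1"); return -3
    hit("magic1_ok")
    n = data[2]
    if n == 0:
        hit("empty"); return 0
    hit("has_payload")
    payload = data[3:3 + n]
    if len(payload) != n:
        hit("truncated"); return -4
    hit("payload_ok")
    expected = sum(payload) & 0xFF
    if data[3 + n] != expected:              # IndexError when len(data) == 3 + n
        hit("bad_checksum"); return -5
    hit("checksum_ok")
    return n

# --- fuzzer ------------------------------------------------------------------------
def run_once(data: bytes) -> Tuple[FrozenSet[str], Optional[BaseException]]:
    """Execute the target once, returning the edges it hit and any crash."""
    COVERAGE.clear()
    try:
        parse_frame(data)
    except Exception as exc:                 # a crash is any uncaught exception
        return frozenset(COVERAGE), exc
    return frozenset(COVERAGE), None

def mutations(parent: bytes) -> Iterator[bytes]:
    """Deterministic stage: every other byte value at every position, then a
    one-byte extension and a one-byte trim (no randomness, so runs are repeatable)."""
    for pos in range(len(parent)):
        for v in range(256):
            if v != parent[pos]:
                yield parent[:pos] + bytes([v]) + parent[pos + 1:]
    yield parent + b"\x00"
    if len(parent) > 1:
        yield parent[:-1]

def fuzz(seed: bytes, max_execs: int):
    """Coverage-guided loop: an input joins the queue only if it hits a new edge.
    Returns (queue, crashes, executions, covered_edges)."""
    queue: List[bytes] = [seed]
    crashes: List[Tuple[bytes, BaseException]] = []
    covered, _ = run_once(seed)
    seen: Set[str] = set(covered)
    execs, i = 1, 0
    while i < len(queue) and execs < max_execs:
        parent = queue[i]; i += 1
        for cand in mutations(parent):
            cov, exc = run_once(cand); execs += 1
            if exc is not None:
                crashes.append((cand, exc))
            if cov - seen:                   # new coverage: keep as a new parent
                seen |= cov
                queue.append(cand)
            if execs >= max_execs:
                break
    return queue, crashes, execs, seen

if __name__ == "__main__":
    q, c, n, cov = fuzz(b"\x00\x00\x00", 20_000)
    print(f"{n} executions, {len(q)} queue entries, {len(c)} crashes, {len(cov)} edges")
    if c:
        print("first crashing input:", c[0][0], type(c[0][1]).__name__)
```

Starting from an all-zero seed, the loop discovers the magic bytes one at a time because each correct byte opens a new edge, then a non-zero length, and finally the extension that makes the frame end exactly after its payload, which triggers the planted read. A purely random mutator with no feedback would have to guess all of that at once.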
Conference Paper
This paper questions how to approach threat modelling in the automotive domain at both an abstract level that features no domain-specific entities such as the CAN bus and, separately, at a detailed level. It addresses such questions by contributing a systematic method that is currently affected by the analyst's subjectivity because most of its inne...
Article
Full-text available
Fuzzing has become one of the best-established methods to uncover software bugs. Meanwhile, the market of embedded systems, which binds the software execution tightly to the very hardware architecture, has grown at a steady pace, and that pace is anticipated to become yet more sustained in the near future. Embedded systems also benefit from fuzzing...
Article
An increasing number of Electronic Control Units (ECUs) communicate with each other to accomplish the functionalities of modern vehicles. ECUs form an in-vehicle network that is precisely regulated and must be adequately protected from malicious activity, which has had several outbreaks in recent years. Therefore, we present CINNAMON, an AUTOSAR-ba...
Article
Full-text available
When we use secure computer systems, we engage with carefully orchestrated and ordered interactions called “security ceremonies”, all of which exist to assure security. A great deal of attention has been paid to improving the usability of these ceremonies over the last two decades, to make them easier for end-users to engage with. Yet, usability im...
Article
Socio-Technical Systems (STSs) combine the operations of technical systems with the choices and intervention of humans, namely the users of the technical systems. Designing such systems is far from trivial due to the interaction of heterogeneous components, including hardware components and software applications, physical elements such as tickets,...
Preprint
Printing over a network and calling over VoIP technology are routine at present. This article investigates to what extent these services can be attacked using freeware in the real world if they are not configured securely. In finding out that attacks of high impact, termed the Printjack and Phonejack families, could be mounted at least from insider...
Preprint
Full-text available
We present Alexa versus Alexa (AvA), a novel attack that leverages audio files containing voice commands and audio reproduction methods in an offensive fashion, to gain control of Amazon Echo devices for a prolonged amount of time. AvA leverages the fact that Alexa running on an Echo device correctly interprets voice commands originated from audio...
Preprint
IP cameras have always been part of the Internet of Things (IoT) and are among the most widely used devices in both home and professional environments. Unfortunately, the vulnerabilities of IP cameras have attracted malicious activities. For example, in 2016, a massive attack resulted in thousands of cameras and IoT devices being breached and used...
Article
Printing over a network and calling over VoIP technology are routine at present. This article investigates to what extent these services can be attacked using freeware in the real world if they are not configured securely. In finding out that attacks of high impact, termed the Printjack and Phonejack families, could be mounted at least from insider...
Conference Paper
Risk assessment is core to any institution's evaluation of risk, notably for what concerns people's privacy. The assessment often relies on information stated in a policy shaped as a text document. The risk assessor, or analyst in brief, is called to understand documentation that can be long, unclear or incomplete, hence subjectivity or distr...
Preprint
Full-text available
Security ceremonies still fail despite decades of efforts by researchers and practitioners. Attacks are often a cunning amalgam of exploits for technical systems and of forms of human behaviour. For example, this is the case with the recent news headline of a large-scale attack against Electrum Bitcoin wallets, which manages to spread a malicious u...
Chapter
Full-text available
Blockchains are gaining momentum due to the interest of industries and people in decentralized applications (Dapps), particularly in those for trading assets through digital certificates secured on blockchain, called tokens. As a consequence, providing a clear unambiguous description of any activities carried out on blockchains has become crucial,...
Preprint
Full-text available
The introduction of Information and Communication Technology (ICT) in transportation systems leads to several advantages (efficiency of transport, mobility, traffic management). However, it may bring some drawbacks in terms of increasing security challenges, also related to human behaviour. As an example, in the last decades attempts to characteri...
Chapter
Full-text available
Decentralized applications (in short, DApps) built on blockchains are disrupting the digital commerce foundations by pursuing new business models based on trustless, decentralized transactions, where intermediaries and central authorities are discarded. One of those emerging means are the digital tokens, certificates emitted and exchanged on the bl...
Preprint
The Controller Area Network (CAN) is the most common protocol interconnecting the various control units of modern cars. Its vulnerabilities are somewhat known but we argue they are not yet fully explored -- although the protocol is obviously not secure by design, it remains to be thoroughly assessed how and to what extent it can be maliciously expl...
Preprint
Printers are common devices whose networked use is vastly unsecured, perhaps due to an enrooted assumption that their services are somewhat negligible and, as such, unworthy of protection. This article develops structured arguments and conducts technical experiments in support of a qualitative risk assessment exercise that ultimately undermines tha...
Preprint
Modern cars are no longer purely mechanical devices but shelter so much digital technology that they resemble a network of computers. Electronic Control Units (ECUs) need to exchange a large amount of data for the various functions of the car to work, and such data must be made secure if we want those functions to work as intended despite malicious...
Preprint
This paper introduces CINNAMON, a software module that extends and seamlessly integrates with the AUTOSAR "Secure Onboard Communication" (SecOC) module to also account for confidentiality of data in transit. It stands for Confidential, INtegral aNd Authentic on board coMunicatiON (CINNAMON). It takes a resource-efficient and practical approach to e...
Preprint
Modern cars technologies are evolving quickly. They collect a variety of personal data and treat it on behalf of the car manufacturer to improve the drivers' experience. The precise terms of such a treatment are stated within the privacy policies accepted by the user when buying a car or through the infotainment system when it is first started. Thi...
Preprint
VoIP phones are early representatives as well as present enhancers of the IoT. This paper observes that they are still widely used in a traditional, unsecured configuration and demonstrates the Phonejack family of attacks: Phonejack 1 conjectures the exploitation of phone vulnerabilities; Phonejack 2 demonstrates how to mount a denial-of-service at...
Preprint
Modern cars are evolving in many ways. Technologies such as infotainment systems and companion mobile applications collect a variety of personal data from drivers to enhance the user experience. This paper investigates the extent to which car drivers understand the implications for their privacy, including that car manufacturers must treat that dat...
Preprint
Full-text available
Blockchains are gaining momentum due to the interest of industries and people in decentralized applications (Dapps), particularly in those for trading assets through digital certificates secured on blockchain, called tokens. As a consequence, providing a clear unambiguous description of any activities carried out on blockchains has become cr...
Chapter
Modern cars are evolving in many ways. Technologies such as infotainment systems and companion mobile applications collect a variety of personal data from drivers to enhance the user experience. This paper investigates the extent to which car drivers understand the implications for their privacy, including that car manufacturers must treat that dat...
Conference Paper
Modern cars technologies are evolving quickly. They collect a variety of personal data and treat it on behalf of the car manufacturer to improve the drivers’ experience. The precise terms of such a treatment are stated within the privacy policies accepted by the user when buying a car or through the infotainment system when it is first started. Thi...
Conference Paper
Full-text available
Cyber risks associated with modern cars are often referred to safety. However, modern cars expose a variety of digital services and process a variety of personal data, at least of the driver’s. This paper unfolds the argument that car (cyber-)security and drivers’ privacy are worthy of additional consideration, and does so by advancing “COSCA”, a f...
Conference Paper
Full-text available
The introduction of Information and Communication Technology (ICT) in transportation systems leads to several advantages (efficiency of transport, mobility, traffic management). However, it may bring some drawbacks in terms of increasing security challenges, also related to human behaviour. As an example, in the last decades attempts to characteri...
Conference Paper
Full-text available
This paper introduces CINNAMON, a software module that extends and seamlessly integrates with the AUTOSAR "Secure Onboard Communication" (SecOC) module [3], [5] to also account for confidentiality of data in transit. It stands for Confidential, INtegral aNd Authentic on board coMunicatiON (CINNAMON). It takes a resource-efficient and practical ap...
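The CINNAMON abstracts (the preprint above and this conference version) say only that the module adds confidentiality on top of AUTOSAR SecOC. As an added example, not code from the paper or from AUTOSAR, the block below shows the two layers the abstracts refer to: a SecOC-style PDU that carries the payload, a truncated freshness value and a truncated MAC so that the receiver can reject replays, and an encrypt-then-MAC variant on top of it that also hides the payload. Everything concrete here is an assumption made for illustration: the data identifier, the 32-bit freshness counter with 8 transmitted bits, the 24-bit MAC, HMAC-SHA256 standing in for AES-CMAC, and an HMAC-based keystream standing in for a block cipher (chosen only so the example runs on the standard library). How CINNAMON itself encrypts is not stated on this page.

```python
"""SecOC-style authenticated CAN PDU plus an encrypt-then-MAC confidentiality layer.
Constructed example; all parameters and primitives are assumptions, see lead-in."""
import hashlib
import hmac
import struct
from typing import Callable, Tuple

DATA_ID = 0x0123          # hypothetical 16-bit data identifier of this PDU
FV_TRUNC_BITS = 8         # freshness bits actually sent on the bus (assumption)
MAC_TRUNC_BYTES = 3       # 24-bit truncated MAC (assumption)
TRAILER = 1 + MAC_TRUNC_BYTES

def _mac(key: bytes, payload: bytes, fv: int) -> bytes:
    """Truncated MAC over data id || full freshness || payload (HMAC stands in for CMAC)."""
    msg = struct.pack(">HI", DATA_ID, fv) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_TRUNC_BYTES]

def protect(key_mac: bytes, payload: bytes, fv: int) -> bytes:
    """Sender: payload || truncated freshness || truncated MAC."""
    fv_trunc = fv & ((1 << FV_TRUNC_BITS) - 1)
    return payload + bytes([fv_trunc]) + _mac(key_mac, payload, fv)

def verify(key_mac: bytes, pdu: bytes, last_fv: int) -> Tuple[bytes, int]:
    """Receiver: rebuild the full freshness value from its own counter plus the
    transmitted low bits, require it to be strictly newer, then check the MAC.
    A replayed PDU fails the MAC because it was computed over an older freshness."""
    if len(pdu) <= TRAILER:
        raise ValueError("PDU too short")
    payload, fv_trunc, mac = pdu[:-TRAILER], pdu[-TRAILER], pdu[-MAC_TRUNC_BYTES:]
    high = last_fv >> FV_TRUNC_BITS
    fv = (high << FV_TRUNC_BITS) | fv_trunc
    if fv <= last_fv:                 # low bits wrapped: assume the next window
        fv += 1 << FV_TRUNC_BITS
    if not hmac.compare_digest(mac, _mac(key_mac, payload, fv)):
        raise ValueError("MAC mismatch (tampered, or stale freshness / replay)")
    return payload, fv

# --- confidentiality layer (encrypt-then-MAC; freshness doubles as the nonce) -----
def _keystream(key_enc: bytes, fv: int, n: int) -> bytes:
    """PRF-based keystream; a stand-in for AES-CTR so the example runs offline.
    It never repeats under one key as long as the freshness value never repeats."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key_enc, struct.pack(">HII", DATA_ID, fv, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def protect_confidential(key_mac: bytes, key_enc: bytes, payload: bytes, fv: int) -> bytes:
    """Encrypt the payload under the freshness value, then authenticate the ciphertext."""
    ct = _xor(payload, _keystream(key_enc, fv, len(payload)))
    return protect(key_mac, ct, fv)

def verify_confidential(key_mac: bytes, key_enc: bytes, pdu: bytes, last_fv: int) -> Tuple[bytes, int]:
    """Check the MAC first; only then decrypt (never decrypt unauthenticated data)."""
    ct, fv = verify(key_mac, pdu, last_fv)
    return _xor(ct, _keystream(key_enc, fv, len(ct))), fv

def rejects(fn: Callable, *args) -> bool:
    """True if the receiver-side check raises ValueError (used for the negative cases)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    km, ke = b"m" * 16, b"e" * 16
    pdu = protect(km, b"\x10\x20\x30\x40", 3)
    print("accepted:", verify(km, pdu, 2))
    print("replay rejected:", rejects(verify, km, pdu, 3))
    cpdu = protect_confidential(km, ke, b"\xAA\xBB", 7)
    print("on the wire:", cpdu.hex(), "decrypted:", verify_confidential(km, ke, cpdu, 6))
```

Two caveats a practitioner would want. First, with 8 transmitted freshness bits the receiver can tolerate a sender that is at most 255 steps ahead of it; a larger gap desynchronises the counter and every PDU fails the MAC, which is why real deployments also need a resynchronisation mechanism. Second, on classic CAN the 8-byte frame has to hold payload, freshness and MAC together, so the truncation widths are a genuine trade-off between bus load and brute-force resistance.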
Article
Purpose Security ceremonies still fail despite decades of efforts by researchers and practitioners. Attacks are often a cunning amalgam of exploits for technical systems and of forms of human behaviour. For example, this is the case with the recent news headline of a large-scale attack against Electrum Bitcoin wallets, which manages to spread a mal...
Conference Paper
VoIP phones are early representatives as well as present enhancers of the IoT. This paper observes that they are still widely used in a traditional, unsecured configuration and demonstrates the Phonejack family of attacks: Phonejack 1 conjectures the exploitation of phone vulnerabilities; Phonejack 2 demonstrates how to mount a denial-of-service at...
Chapter
Formal methods are vast and varied. This paper reports the essentials of what I have observed and learned by teaching the Inductive Method for security protocol analysis for nearly twenty years. My general finding is something I realised after just a couple of years, that my target audience of post-graduate students with generally little appreciati...
Chapter
Printers are common devices whose networked use is vastly unsecured, perhaps due to an enrooted assumption that their services are somewhat negligible and, as such, unworthy of protection. This article develops structured arguments and conducts technical experiments in support of a qualitative risk assessment exercise that ultimately undermines tha...
Conference Paper
Modern vehicles embed a lot of software that turns them into Cyber-Physical Systems (CPS). Electronic Control Units (ECUs) communicate through the CAN bus protocol, which was not designed to be secure. This paper presents a proof-of-concept of TOUCAN, a new security protocol designed to secure CAN bus communications following the AUTOSAR standard....
Conference Paper
Modern vehicles abound with Electronic Control Units (ECUs) that need to speak with each other. They adopt a binary language and form an in-vehicle network that must be precisely regulated. This was the aim for the inception of the "Controller Area Network" protocol, also known as CAN bus [1], which is widespread today. It is standardised in ISO 11898-1:2...
Conference Paper
Modern cars are no longer purely mechanical devices but shelter so much digital technology that they resemble a network of computers. Electronic Control Units (ECUs) need to exchange a large amount of data for the various functions of the car to work, and such data must be made secure if we want those functions to work as intended despite malicious...
Conference Paper
Full-text available
We address the fundamental question of what are, and how to define, the threat models for a security protocol and its expected human users, the latter pair forming a heterogeneous system that is typically called a security ceremony. Our contribution is the systematic definition of an encompassing method to build the full threat model chart for secu...
Conference Paper
Full-text available
“Beautiful Security” is a paradigm that requires security ceremonies to contribute to the ‘beauty’ of a user experience. The underlying assumption is that people are likely to be willing to engage with more beautiful security ceremonies. It is hoped that such ceremonies will minimise human deviations from the prescribed interaction, and that securi...
Conference Paper
Full-text available
The debate on people's right to privacy and on its meaning is ongoing worldwide, for example in Europe with the newly adopted General Data Protection Regulation. By contrast, works in the area of formal e-voting privacy analysis, which aim at assessing the privacy preservation of a target e-voting system by means of mathematical rigour, appear to h...
Chapter
The Controller Area Network (CAN) is the most common protocol interconnecting the various control units of modern cars. Its vulnerabilities are somewhat known but we argue they are not yet fully explored—although the protocol is obviously not secure by design, it remains to be thoroughly assessed how and to what extent it can be maliciously exploit...
Article
The authentication of a web server is a crucial procedure in the security of web browsing. It relies on certificate validation, a process that may require the participation of the user. Thus, the security of certificate validation is socio-technical as it depends on traditional security technology as well as on social elements such as cultural valu...
Conference Paper
In the last decades, digital security has gone through many theoretical breakthroughs, practical developments, worldwide deployments and subtle flaws in a continuous loop. It is mainly understood as a property of a technical system, which is eventually built as a tangible piece of technology for common people to use. It has therefore been assessed...
Conference Paper
I’m presenting joint work with Luca Viganò and Bruce, and it’s all going to be about what I like to call invisible security.
Conference Paper
Secure systems for voting, exams, auctions and conference paper management are theorised to address the same problem, that of secure evaluations. In support of such a unifying theory comes a model for Secure Evaluation Systems (SES), which offers innovative common grounds to understand all four groups. For example, all rest on submissions, respecti...
Article
Historically, exam security has mainly focused on threats ascribed to candidate cheating. Such threats have been normally mitigated by invigilation and anti-plagiarism methods. However, as recent exam scandals confirm, also invigilators and authorities may pose security threats. The introduction of computers into the different phases of an exam, su...
Conference Paper
Full-text available
Relying on a trusted third party (TTP) in the design of a security protocol introduces obvious risks. Although the risks can be mitigated by distributing the trust across several parties, it still requires at least one party to be trustworthy. In the domain of exams this is critical because parties typically have conflicting interests, and it may b...
Article
Full-text available
Mobile systems are becoming more and more ubiquitous. With the number of people using mobile devices that are continuously connected to the Internet or exchange information via peering and other near-field transmission technologies, these devices are now an essential part of our social interactions in a globalised world. The use of mobile devices h...
Conference Paper
In the movie “Life is Beautiful”, Guido Orefice, the character interpreted by Roberto Benigni, convinces his son Giosuè that they have been interned in a Nazi concentration camp not because they are Jews but because they are actually taking part in a long and complex game in which they, and in particular Giosuè, must perform the tasks that the guar...
Conference Paper
This paper introduces an empirical study to investigate and compare learning vocabulary using different interaction systems (static, adaptable and adaptive) on learning websites. The purpose of this study is to measure learning vocabulary achievements of non-English language speakers. The participants were Arabic speakers. The aim of the study is t...
Conference Paper
Despite their crucial goal of assisting the elderly through their daily routine, Independent Living Support systems still are at their inception. This paper postulates that such systems be designed with a number of requirements in mind, and in particular with safety, security and privacy as fundamental ones. It then correspondingly articulates the...
Conference Paper
Full-text available
An exam is a practise for assessing the knowledge of a candidate from an examination she takes. Exams are used in various contexts, such as in university tests and public competitions. We begin by identifying various security and privacy requirements that modern exams should meet, especially in the prospect of them being supported by information an...
Conference Paper
There is a widely accepted need for methodologies to verify the security of services. A typical service requires user data and then makes them available through the Internet independently from access platforms or user locations, but the layman is rarely aware of the entailed risks and seldom acts cautiously. The combined human-and-technology system...
Article
The Inductive Method is among the most established tools to analyse security protocols formally. It has successfully coped with large, deployed protocols, and its findings are widely published. However, perhaps due to its embedding in a theorem prover or to the lack of tutorial publications, it is at times criticised to require super-specialised sk...
Conference Paper
In the 2009 Security Protocols Workshop, the Pretty Good Democracy scheme was presented. This scheme has the appeal of allowing voters to cast votes remotely, e.g. via the Internet, and confirm correct receipt in a single session. The scheme provides a degree of end-to-end verifiability: receipt of the correct acknowledgement code provides assuranc...
Conference Paper
Electronic exam systems are pieces of software employed in online education to assess the performance of students. However, both the security of the protocols they rely upon and a general understanding of the possible threats are still to be met. This manuscript outlines a Ph.D. research work wherein we attempt to shed some light in the area. We iden...
Conference Paper
Full-text available
Authenticating a web server is crucial to the security of web browsing. It relies on TLS certificate validation, a property whose enforcement may require getting the user involved. Thus, certificate validation is a socio-technical property - it relies on traditional security technology as well as on social elements such as cultural values, trust an...
Conference Paper
Full-text available
To authenticate a web server, modern browsers check whether a TLS certificate is valid. This check is socio-technical because, when the technical validation fails, it may request the user to decide, intertwining the usual technical issues with social elements, such as trust and cultural values. Hence the need for a methodology aimed at a socio-tech...
Conference Paper
Full-text available
The increasing official use of security protocols for electronic voting deepens the need for their trustworthiness, hence for their formal verification. The impossibility of linking a voter to her vote, often called voter privacy or ballot secrecy, is the core property of many such protocols. Most existing work relies on equivalence statements in c...
Article
A power-aware route maintenance protocol for Mobile Ad Hoc Networks (MANETs) is introduced. Termed Dynamic Path Switching (DPS), the new protocol puts an overloaded node to sleep before a route link breaks because that node runs out of energy, and brings other suitable nodes into play instead. When the battery charge of a node reaches a stated leve...
Conference Paper
Full-text available
Unified Modeling Language (UML) is an effective tool to model information systems and to develop effective system specifications. Context Aware systems possess a dynamic behaviour based on parameters such as time and location, which makes the task of modelling a context aware system quite complex, namely the security requirements of the system. Since...
Conference Paper
Full-text available
A security ceremony expands a security protocol with everything that is considered out of band for it. Notably, it incorporates the user, who, according to their belief systems and cultural values, may be variously targeted by social engineering attacks. This makes ceremonies complex and varied, hence the need for their formal analysis aimed at the...
Conference Paper
STAST, the workshop on Socio-Technical Aspects in Security and Trust, is an international event to support such interdisciplinary research. It reaches its second edition in 2012. The workshop's topics of interest define a number of challenges for socio-technical research in security.