Luca Viganò · King's College London | KCL · Department of Informatics
Professor
165 Publications · 19,068 Reads
4,092 Citations
Publications (165)
People increasingly use digital platforms to exchange resources in accordance with some policies stating what resources users offer and what they require in return. In this paper, we propose a formal model of these environments, focussing on how users' policies are defined and enforced, so ensuring that malicious users cannot take advantage of honest...
In multiagent systems autonomous agents interact with each other to achieve individual and collective goals. Typical interactions concern negotiation and agreement on resource exchanges. Modeling and formalizing these agreements pose significant challenges, particularly in capturing the dynamic behaviour of agents, while ensuring that resources are...
There is an increasing number of cyber-systems (e.g., systems for payment, transportation, voting, critical infrastructures) whose security depends intrinsically on human users. In this paper, we introduce a novel approach for the formal and automated analysis of security ceremonies. A security ceremony expands a security protocol to include human...
When we use secure computer systems, we engage with carefully orchestrated and ordered interactions called “security ceremonies”, all of which exist to assure security. A great deal of attention has been paid to improving the usability of these ceremonies over the last two decades, to make them easier for end-users to engage with. Yet, usability im...
In a decentralized environment, exchanging resources requires users to bargain until an agreement is found. Moreover, human agreements involve a combination of collaborative and selfish behavior and often induce circularity, complicating the evaluation of exchange requests. We introduce MuAC, a policy language that allows users to state in isolatio...
Software engineers and analysts traditionally focus on cyber systems as technical systems, which are built only from software processes, communication protocols, crypto algorithms, etc. They often neglect, or choose not, to consider the human user as a component of the system’s security as they lack the expertise to fully understand human factors a...
Arpanet, Internet, Internet of Services, Internet of Things, Internet of Skills. What next? We conjecture that in a few years from now, we will have the Internet of Neurons, in which humans will be able to connect bi-directionally to the net using only their brain. The Internet of Neurons will provide new, tremendous opportunities thanks to constan...
A current research problem in the area of business process management deals with the specification and checking of constraints on resources (e.g., users, agents, autonomous systems, etc.) allowed to be committed for the execution of specific tasks. Indeed, in many real-world situations, role assignments are not enough to assign tasks to the suitabl...
The Event-Based Time-Stamped Claim Logic that we define in this paper allows one to reason about distributed time-stamped claims that can change through time by the occurrence of events. Such a logic is interesting for theoretical reasons, i.e., as a logic per se, but also because it can be applied in a number of different disciplines and applicati...
A Simple Temporal Network (STN) consists of time points modeling temporal events and constraints modeling the minimal and maximal temporal distance between them. A Simple Temporal Network with Decisions (STND) extends an STN to model temporal plans with decisions. STNDs label time points and constraints by conjunctions of literals saying for which...
There is an increasing number of cyber-systems (e.g., payment, transportation, voting, critical-infrastructure systems) whose security depends intrinsically on human users. A security ceremony expands a security protocol with everything that is considered out-of-band to it, including, in particular, the mistakes that human users might make when par...
We propose a formal and automated approach that allows one to (i) reason about vulnerabilities of web applications and (ii) combine multiple vulnerabilities for the identification of complex, multi-stage attacks. We have developed WAFEx, an automatic tool that implements our approach and we show its efficiency by applying it to real-world case stud...
Over the last few years, there has been an almost exponential increase in the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that...
The main objective of this paper is to define a logic for reasoning about distributed time-stamped claims. Such a logic is interesting for theoretical reasons, i.e. as a logic per se, but also because it has a number of practical applications, in particular when one needs to reason about a huge amount of pieces of evidence collected from different...
We apply formal methods to lay and streamline theoretical foundations to reason about Cyber-Physical Systems (CPSs) and physics-based attacks, i.e., attacks targeting physical devices. We focus on a formal treatment of both integrity and denial of service attacks to sensors and actuators of CPSs, and on the timing aspects of these attacks. Our cont...
A Conditional Simple Temporal Network with Uncertainty (CSTNU) is a formalism able to model temporal plans subject to both conditional constraints and uncertain durations. The combination of these two characteristics represents the uncontrollable part of the network. That is, before the network starts executing, we do not know completely which time...
The main objective of this paper is to define a logic for reasoning about distributed time-stamped claims. Such a logic is interesting for theoretical reasons, i.e., as a logic per se, but also because it has a number of practical applications, in particular when one needs to reason about a huge amount of pieces of evidence collected from different...
Conditional simple temporal networks with uncertainty (CSTNUs) allow for the representation of temporal plans subject to both conditional constraints and uncertain durations. Dynamic controllability (DC) of CSTNUs ensures the existence of an execution strategy able to execute the network in real time (i.e., scheduling the time points under control)...
We apply formal methods to lay and streamline theoretical foundations to reason about Cyber-Physical Systems (CPSs) and physics-based attacks, i.e., attacks targeting physical devices. We focus on a formal
treatment of both integrity and denial of service attacks to sensors and actuators of CPSs, and on the timing aspects of these attacks. Our cont...
Constraint Networks (CNs) are a framework to model the Constraint Satisfaction Problem (CSP), which is the problem of finding an assignment of values to a set of variables satisfying a set of given constraints. Therefore, CSP is a satisfiability problem. When the CSP turns conditional, consistency analysis extends to finding also an assignment to t...
We address the fundamental question of what are, and how to define, the threat models for a security protocol and its expected human users, the latter pair forming a heterogeneous system that is typically called a security ceremony. Our contribution is the systematic definition of an encompassing method to build the full threat model chart for secu...
“Beautiful Security” is a paradigm that requires security ceremonies to contribute to the ‘beauty’ of a user experience. The underlying assumption is that people are likely to be willing to engage with more beautiful security ceremonies. It is hoped that such ceremonies will minimise human deviations from the prescribed interaction, and that securi...
An access controlled workflow (ACWF) specifies a set of tasks that have to be executed by authorized users with respect to some partial order in a way that all authorization constraints are satisfied. Recent research focused on weak, strong and dynamic controllability of ACWFs under conditional uncertainty showing that directional consistency is a...
It won't be long until our prostheses, ECG personal monitors, subcutaneous insulin infusors, glasses, etc. become devices of the Internet of Things (IoT), always connected for monitoring, maintenance, charging and tracking. This will be the dawn of the Smart Human, not just a user of the IoT but a Thing in the Internet. How long would it then take...
What if someone built a "box" that applies quantum superposition not just to quantum bits in the microscopic but also to macroscopic everyday "objects", such as Schrödinger's cat or a human being? If that were possible, and if the different "copies" of a man could exploit quantum interference to synchronize and collapse into their preferred state...
Consider the following set-up for the plot of a possible future episode of the TV series Black Mirror: human brains can be connected directly to the net and MiningMind Inc. has developed a technology that merges a reward system with a cryptojacking engine that uses the human brain to mine cryptocurrency (or to carry out some other mining activity)....
Web applications have become one of the preferred means for users to perform a number of crucial and security‐sensitive operations such as selling and buying goods or managing bank accounts, official documents, personal health records, and smart houses. The pervasive adoption of such web applications calls for an extensive security analysis in orde...
Diagnostic tests are used to determine anomalies in complex systems such as organisms or built structures. Once a set of tests is performed, the experts interpret their results and make decisions based on them. This process is named diagnostic reasoning. In diagnostic reasoning a decision is established by using both rules and general knowledge on...
The frequency and harmfulness of cyber-attacks are increasing every day, and with them also the amount of data that the cyber-forensics analysts need to collect and analyze. In this paper, we propose a formal analysis process that allows an analyst to filter the enormous amount of evidence collected and either identify crucial information about the...
The Defense Advanced Research Projects Agency (DARPA) recently launched the Explainable Artificial Intelligence (XAI) program that aims to create a suite of new AI techniques that enable end users to understand, appropriately trust, and effectively manage the emerging generation of AI systems. In this paper, inspired by DARPA's XAI program, we prop...
Arpanet, Internet, Internet of Services, Internet of Things, Internet of Skills. What next? We conjecture that in 15-20 years from now we will have the Internet of Neurons, a new Internet paradigm in which humans will be able to connect bi-directionally to the net using only their brain. The Internet of Neurons will provide new, tremendous opportun...
What if we delegated so much to autonomous AI and intelligent machines that They passed a law that forbids humans to carry out a number of professions? We conceive the plot of a new episode of Black Mirror to reflect on what might await us and how we can deal with such a future.
Temporal role-based access control models support the specification and enforcement of several temporal constraints on role enabling, role activation, and temporal role hierarchies among others. In this paper, we define three mappings that preserve the solutions to a class of policy problems: they map security analysis problems in presence of stati...
The frequency and harmfulness of cyber-attacks are increasing every day, and with them also the amount of data that the cyber-forensics analysts need to collect and analyze. In this paper, we propose a formal analysis process that allows an analyst to filter the enormous amount of evidence collected and either identify crucial information about the...
Consider the following set-up for the plot of a possible future episode of the TV series Black Mirror: human brains can be connected directly to the net and MiningMind Inc. has developed a technology that merges a reward system with a cryptojacking engine that uses the human brain to mine cryptocurrency (or to carry out some other mining activity)....
What if we delegated so much to autonomous AI and intelligent machines that They passed a law that forbids humans to carry out a number of professions? We conceive the plot of a new episode of Black Mirror to reflect on what might await us and how we can deal with such a future.
Over the last few years, there has been an almost exponential increase of the number of mobile applications that deal with sensitive data, such as applications for e-commerce or health. When dealing with sensitive data, classical authentication solutions based on username-password pairs are not enough, and multi-factor authentication solutions that...
The Fregean-inspired Principle of Compositionality of Meaning (PoC) for formal languages asserts that the meaning of a compound expression is analysable in terms of the meaning of its constituents, taking into account the mode in which these constituents are combined so as to form the compound expression. From a logical point of view, this amounts...
Interpolation has been successfully applied in formal methods for model checking and test-case generation for sequential programs. Security protocols, however, exhibit idiosyncrasies that make them unsuitable for the direct application of interpolation. We address this problem and present an interpolation-based method for security protocol verificat...
A workflow (WF) is a formal description of a business process in which single atomic work units (tasks), organized in a partial order, are assigned to processing entities (agents) in order to achieve some business goal(s). A workflow management system must coordinate the execution of tasks and WF instances. Usually, the assignment of tasks to agent...
Cyber-Physical Systems (CPSs) are integrations of networking and distributed computing systems with physical processes that monitor and control entities in a physical environment, with feedback loops where physical processes affect computations and vice versa. In this paper, we apply formal methods to lay and streamline theoretical foundations to r...
In the last decades, digital security has gone through many theoretical breakthroughs, practical developments, worldwide deployments and subtle flaws in a continuous loop. It is mainly understood as a property of a technical system, which is eventually built as a tangible piece of technology for common people to use. It has therefore been assessed...
We propose a formal approach that allows one to (i) reason about file-system vulnerabilities of web applications and (ii) combine file-system vulnerabilities and SQL-Injection vulnerabilities for complex, multi-stage attacks. We have developed an automatic tool that implements our approach and we show its efficiency by discussing four real-world ca...
We propose a topological categorization of agents that makes use of the multiple-channel logic (MCL) framework, a recently developed model of reasoning about agents. We firstly introduce a complete formalization of prejudices on agents’ attitudes and propose an extension of the rules of the MCL framework. We then use RCC5 (the Region Connection Cal...
Web applications require access to the file-system for many different tasks. When analyzing the security of a web application, security analysts should thus consider the impact that file-system operations have on the security of the whole application. Moreover, the analysis should take into consideration how file-system vulnerabilities might in-...
Cyber-Physical Systems (CPSs) are integrations of networking and distributed computing systems with physical processes that monitor and control entities in a physical environment, with feedback loops where physical processes affect computations and vice versa. In this paper, we apply formal methods to lay and streamline theoretical foundations to r...
We present a formal approach for the analysis of attacks that exploit SQLi to violate security properties of web applications. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its efficiency...
We present a formal approach that exploits attacks related to SQL Injection (SQLi) searching for security flaws in a web application. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its eff...
We present the Chained Attacks approach, an automated model-based approach to test the security of web applications that does not require a background in formal methods. Starting from a set of HTTP conversations and a configuration file providing the testing surface and purpose, a model of the System Under Test (SUT) is generated and given in input...
Workflows and role-based access control models need to be suitably merged, in order to allow users to perform processes in a correct way, according to the given data access policies and the temporal constraints. Given a mapping between workflow models and simple temporal networks with uncertainty, we discuss a mapping between role temporalities and...
This paper defines the “ultimate” formal semantics for Alice and Bob notation, i.e., what actions the honest agents have to perform, in the presence of an arbitrary set of cryptographic operators and their algebraic theory. Despite its generality, this semantics is mathematically simpler than any previous attempt. For practical applicability, we in...
We integrate, and improve upon, prior relative soundness results of two kinds. The first kind are typing results showing that any security protocol that fulfils a number of sufficient conditions has an attack if it has a well-typed attack. The second kind considers the parallel composition of protocols, showing that when running two protocols in pa...
In security protocol analysis, the traditional choice to consider a single Dolev-Yao attacker is supported by the fact that models with multiple collaborating Dolev-Yao attackers are reducible to models with one Dolev-Yao attacker. In this paper, we take a fundamentally different approach and investigate the case of multiple non-collaborating attac...
Temporal role based access control models support the specification and enforcement of several temporal constraints on role enabling, role activation, and temporal role hierarchies among others. In this paper, we define three mappings that preserve the solutions to a class of policy problems (they map security analysis problems in presence of stati...
In the movie “Life is Beautiful”, Guido Orefice, the character interpreted by Roberto Benigni, convinces his son Giosuè that they have been interned in a nazi concentration camp not because they are Jews but because they are actually taking part in a long and complex game in which they, and in particular Giosuè, must perform the tasks that the guar...
Let me start by saying this is joint work with Giampaolo Bella, and that what we have actually written, and that you can find in the proceedings, is not just a position paper, but actually a pro-position paper, where we are using the word pro-position not with the meaning of a true statement or false statement, but rather as something that we state...
The Distributed Temporal Logic DTL allows one to reason about temporal properties of a distributed system from the local point of view of the system's agents, which are assumed to execute independently and to interact by means of event sharing. In this paper, we introduce the Quantum Branching Distributed Temporal Logic QBDTL, a variant of DTL able to...
The Distributed Temporal Logic DTL allows one to reason about temporal properties of a distributed system from the local point of view of the system's agents, which are assumed to execute independently and to interact by means of event sharing. In this paper, we introduce the Quantum Branching Distributed Temporal Logic QBDTL, a varian...
Vertical composition of security protocols means that an application protocol (e.g., a banking service) runs over a channel established by another protocol (e.g., a secure channel provided by TLS). This naturally gives rise to a compositionality question: given a secure protocol P1 that provides a certain kind of channel as a goal and another secur...
Guessing attacks in security protocols arise when honest agents make use of data easily guessable by an intruder, such as passwords generated from a small dictionary. A way to model such attacks is to formalize a Dolev–Yao style model with inference rules that capture the additional capabilities of the intruder concerning guessable data. In this pa...
Security protocols are often found to be flawed after their deployment. We present an approach that aims at the neutralization or mitigation of the attacks to flawed protocols: it avoids the complete dismissal of the interested protocol and allows honest agents to continue to use it until a corrected version is released. Our approach is based on th...
Welcome back from the coffee break. Let me start by saying that this is joint work with two PhD students of mine at the University of Verona: Michele Peroli, who is in the audience, and Matteo Zavatteri. In the meantime, I have left Verona and am now at King’s College London, but we are still working together of course. I will also mention some of...
Formally specifying privacy goals is not trivial. The most widely used approach in formal methods is based on the static equivalence of frames in the applied π-calculus, basically asking whether or not the intruder is able to distinguish two given worlds. A subtle question is how we can be sure that we have specified all pairs of worlds to properly...
In many real-life situations making a decision entails evaluating the risks associated with the decision, which in turn requires reasoning about events and their relations. In addition to the simpler and better-understood notions of causation and precondition, in this paper we focus on block (or prevention), which is the relation established betwee...
Interpolation has been successfully applied in formal methods for model checking and test-case generation for sequential programs. Security protocols, however, exhibit such idiosyncrasies that make them unsuitable to the direct application of such methods. In this paper, we address this problem and present an interpolation-based method for security...
We propose an approach for defining labeled natural deduction systems for the class of Peircean branching temporal logics, seen as logics in their own right rather than as sublogics of Ockhamist systems. In particular, we give a system for the logic UB, i.e., the until-free fragment of CTL, and show that it is sound and complete. We also study nor...
In order to evaluate the effectiveness of the security measures undertaken to protect a distributed system (e.g., protecting privacy of data in a network or in an information system) one should, among other things, perform a risk assessment. In this paper, we introduce a logical framework that allows one to reason about risk by means of operators t...
We present an extension of the mosaic method aimed at capturing many-dimensional modal logics. As a proof-of-concept, we define the method for logics arising from the combination of linear tense operators with an “orthogonal” S5-like modality. We show that the existence of a model for a given set of formulas is equivalent to the existence of a suit...
We describe the SPaCIoS project, illustrating its main objectives, the results obtained so far and those that we expect to achieve, in particular, the development of the SPaCIoS Tool, an integrated platform that takes as input a formal description of the system under validation, the expected security goals, and a description of the capabilities of...
In this short paper, we describe the SPaCIoS (“Secure Provision and Consumption in the Internet of Services”) project, illustrating its main objectives, the results obtained so far and those that we expect to achieve, in particular the development of the SPaCIoS Tool, an integrated platform that takes as input a formal description of the system und...
Evaluating the effectiveness of the security measures undertaken to protect a distributed system (e.g., protecting privacy of data in a network or in an information system) is a difficult task that, among other things, requires a risk assessment. We introduce a logical framework that allows one to reason about risk by means of operators that formal...
Cutting-edge network infrastructures such as Service-Oriented Architectures (SOAs) or, more generally, the Internet of Services (IoS) entail a major paradigm shift in the way ICT systems and applications are designed, implemented, deployed and consumed: they are no longer the result of programming components in the traditional meaning but are built...
The advance of web services technologies promises to have far-reaching effects on the Internet and enterprise networks allowing for greater accessibility of data. The security challenges presented by the web services approach are formidable. In particular, access control solutions should be revised to address new challenges, such as the need of usi...
In scenarios with multiple non-collaborating attackers, interference between simultaneous attack procedures can emerge. Interference has a wide range of consequences: it demands network models capable of supporting concurrence, it marks an unexpected complexity of the network environment, it can be exploited to construct partial defenses for vulner...
The AVANTSSAR Platform is an integrated toolset for the formal specification and automated validation of trust and security of service-oriented architectures and other applications in the Internet of Services. The platform supports application-level specification languages (such as BPMN and our custom languages) and features three validation backen...
Traditionally security protocol analysis relies on a single Dolev-Yao attacker. This type of attacker is so powerful that overall attack power does not change if additional attackers cooperate. In this paper, we take a fundamentally different approach and investigate the case of multiple non-collaborating attackers. We show how non-collaboration be...
We give a sound and complete labelled natural deduction system for a bundled branching temporal logic, namely the until-free version of BCTL*. The logic BCTL* is obtained by referring to a more general semantics than that of CTL*, where we only require that the set of paths in a model is closed under taking suffixes (i.e. is suffix-closed) and is c...
Security-sensitive business processes are business processes that must comply with security requirements such as authorization constraints or separation or binding of duty. As such, they are difficult to design and notoriously prone to error, and a number of approaches have been proposed to formalize and reason about models of such processes t...
The distributed temporal logic DTL is an expressive logic, well suited for formalizing properties of concurrent, communicating agents. We show how DTL can be used as a metalogic to reason about and relate different security protocol models. This includes reasoning about model simplifications, where models are transformed to have fewer agents or beh...
In security protocol analysis, the traditional choice to consider a single Dolev-Yao attacker is supported by the fact that models with multiple collaborating Dolev-Yao attackers have been shown to be reducible to models with one Dolev-Yao attacker. In this paper, we take a fundamentally different approach and investigate the case of multiple non-c...
The specification of distributed service-oriented applications spans several levels of abstraction, e.g., the protocol for exchanging messages, the set of interface functionalities, the types of the manipulated data, the workflow, the access policy, etc. Many (even executable) specification languages are available to describe each level in separati...
Service designers and developers, while striving to meet the requirements posed by application scenarios, have a hard time to assess the trust and security impact of an option, a minor change, a combination of functionalities, etc., due to the subtle and unforeseeable situations and behaviors that can arise from this panoply of choices. This often...
Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed ...
Web services supporting business and administrative transactions between several parties over the Internet are more and more widespread. Their development involves several security issues ranging from authentication to the management of the access to shared resources according to given business and legal models. The capability of validating designs...
Meaning negotiation (MN) is the general process with which agents reach an agreement about the meaning of a set of terms. Artificial Intelligence scholars have dealt with the problem of MN by means of argumentations schemes, beliefs merging and information fusion operators, and ontology alignment but the proposed approaches depend upon the number o...
We introduce two modal natural deduction systems, MSQS and MSpQS, which are suitable to represent and reason about transformations of quantum states in an abstract, qualitative, way. Our systems provide a modal framework for reasoning about operations on quantum states (unitary transformations and measurements) in terms of possible worlds (as abstr...
Although computer security typically revolves around threats, attacks and defenses, the sub-field of security protocol analysis (SPA) has so far focused almost exclusively on attacks. In this paper, we show that such focus on attacks depends on few critical assumptions that have been characteristic of the field and have governed its mindset, approa...
In security protocol analysis, the traditional choice to consider a single Dolev-Yao attacker is supported by the fact that models with multiple collaborating Dolev-Yao attackers have been shown to be reducible to models with one Dolev-Yao attacker. In this paper, we take a fundamentally different approach and investigate the case of multiple non-c...
Similar to what happens between humans in the real world, in open multi-agent systems distributed over the Internet, such as online social networks or wiki technologies, agents often form coalitions by agreeing to act as a whole in order to achieve certain common goals. However, agent coalitions are not always a desirable feature of a system, as ma...
We formalize automated analysis techniques for the validation of web services specified in BPEL and a RBAC variant tailored to BPEL. The idea is to use decidable fragments of first-order logic to describe the state space of a certain class of web services and then use state-of-the-art SMT solvers to handle their reachability problems. To assess th...
Similar to what happens between humans in the real world, in open multi-agent systems distributed over the Internet, such as online social networks or wiki technologies, agents often form coalitions by agreeing to act as a whole in order to achieve certain common goals. However, agent coalitions are not always a desirable feature of a system, as ma...
Several different secure routing protocols have been proposed for determining the appropriate paths on which data should be transmitted in ad hoc networks. In this paper, we focus on two of the most relevant such protocols, ARAN and endairA, and present the results of a formal analysis that we have carried out using the AVISPA Tool, an automated...
Until is a notoriously difficult temporal operator as it is both existential and universal at the same time: A Until B holds at the current time instant w iff either B holds at w or there exists a time instant w' in the future at which B holds and such that A holds in all the time instants between the current one and w'. This "ambivalent" nature pos...
We formalize automated analysis techniques for the validation of web services specified in BPEL and a RBAC variant tailored to BPEL. The idea is to use decidable fragments of first-order logic to describe the state space of a certain class of web services and then use state-of-the-art SMT solvers to handle their reachability problems. To assess the...