Michele Bugliesi
  • PhD
  • Professor at Ca' Foscari University of Venice

About

146 Publications
22,083 Reads
2,060 Citations
Current institution: Ca' Foscari University of Venice
Current position: Professor

Publications (146)
Preprint
We present an empirical evaluation of Large Language Models in code understanding associated with non-trivial, semantic-preserving program transformations such as copy propagation or constant folding. Our findings show that LLMs fail to judge semantic equivalence in approximately 41% of cases when no context is provided and in 29% when given a si...
Preprint
Full-text available
Smart contracts are central to a myriad of critical blockchain applications, from financial transactions to supply chain management. However, their adoption is hindered by security vulnerabilities that can result in significant financial losses. Most vulnerability detection tools and methods available nowadays leverage either static analysis method...
Preprint
Full-text available
Decentralized blockchain platforms support the secure exchange of assets among users without relying on trusted third parties. These exchanges are programmed with smart contracts, computer programs directly executed by blockchain nodes. Multiple smart contract languages are available nowadays to developers, each with its own distinctive features, s...
Chapter
Full-text available
Web sessions are fragile and can be attacked at many different levels. Classic attacks like session hijacking, session fixation and cross-site request forgery are particularly dangerous for web session security, because they allow the attacker to breach the integrity of honest users’ sessions by forging requests which get authenticated on the victi...
Conference Paper
Full-text available
Web sessions are fragile and can be attacked at many different levels. Classic attacks like session hijacking, session fixation and cross-site request forgery are particularly dangerous for web session security, because they allow the attacker to breach the integrity of honest users' sessions by forging requests which get authenticated on the victi...
Chapter
Full-text available
Content Security Policy (CSP) is a W3C standard designed to prevent and mitigate the impact of content injection vulnerabilities on websites. CSP is supported by all major web browsers and routinely used by thousands of web developers in the world to improve the security of their web applications. In this paper we review our formalization of a core...
Conference Paper
Full-text available
Content Security Policy (CSP) is a W3C standard designed to prevent and mitigate the impact of content injection vulnerabilities on websites. CSP is supported by all major web browsers and routinely used by thousands of web developers in the world to improve the security of their web applications. In this paper we review our formalization of a core...
Article
Full-text available
Since cookies act as the only proof of a user identity, web sessions are particularly vulnerable to session hijacking attacks, where the browser run by a given user sends requests associated to the identity of another user. When n > 1 cookies are used to implement a session, there might actually be n sub-sessions running at the same website, where...
Conference Paper
Full-text available
The implementation of web sessions is a somewhat anarchic and largely unstructured process. Our goal with the present paper is to provide a disciplined perspective of which are the relative strengths and weaknesses of the most common techniques to implement web sessions, with a particular focus on their security. We clarify common misconceptions in...
Conference Paper
Full-text available
Content Security Policy (CSP) is a W3C standard designed to prevent and mitigate the impact of content injection vulnerabilities on websites by means of browser-enforced security policies. Though CSP is gaining a lot of popularity in the wild, previous research questioned one of its key design choices, namely the use of static white-lists to define...
Chapter
Full-text available
1868 is the founding year of both Università Ca' Foscari Venezia and Carpenè Malvolti. What were then the Scuola Superiore di Commercio di Venezia and the Società Enologica della Provincia di Treviso in Conegliano were founded by men of the Risorgimento, deeply convinced that science would change Italy and the Veneto. One hundred and fif...
Article
Full-text available
Content Security Policy (CSP) is a recent W3C standard introduced to prevent and mitigate the impact of content injection vulnerabilities on websites. In this article, we introduce a formal semantics for the latest stable version of the standard, CSP Level 2. We then perform a systematic, large-scale analysis of the effectiveness of the current CSP...
Conference Paper
Full-text available
Content Security Policy (CSP) is an emerging W3C standard introduced to mitigate the impact of content injection vulnerabilities on websites. We perform a systematic, large-scale analysis of four key aspects that impact on the effectiveness of CSP: browser support, website adoption, correct configuration and constant maintenance. While browser supp...
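The CSP abstracts above single out "correct configuration" as one of the factors that decide whether a deployed policy actually stops content injection. The following is an added example, not code from these papers and not a browser's CSP engine: a small auditor that parses a serialized CSP Level 2 header and reports the configuration mistakes that are known to nullify the script restriction. The sample policies, the finding codes and the fallback rules it models (script-src and object-src falling back to default-src, 'unsafe-inline' being ignored once a nonce or hash is present) are the assumptions it works under.

```python
"""Audit a serialized Content-Security-Policy (CSP Level 2) header for the
configuration mistakes that make it ineffective against content injection.

Added illustration; the papers' own analysis used a formal semantics and a
large-scale crawl, not this script.
"""
from __future__ import annotations

# Once a nonce or hash source is present in script-src, CSP2 browsers ignore
# 'unsafe-inline' in that directive, so it is only a finding without them.
SOURCE_PREFIXES_NONCE_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
# Wildcard or scheme-only sources whitelist essentially the whole web.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directives are ';'-separated; the first whitespace-separated token is the
    directive name (case-insensitive), the rest are its source expressions.
    A repeated directive is ignored after its first occurrence, as browsers do.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def governing_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Sources that apply to `directive`: its own list, else default-src, else None (unrestricted)."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def audit_csp(header: str) -> list[str]:
    """Return finding codes for the policy; an empty list means none of the checked mistakes."""
    policy = parse_csp(header)
    findings: list[str] = []

    scripts = governing_sources(policy, "script-src")
    if scripts is None:
        # Neither script-src nor default-src: the policy says nothing about scripts.
        return ["SCRIPTS_UNRESTRICTED"]

    has_nonce_or_hash = any(s.startswith(SOURCE_PREFIXES_NONCE_HASH) for s in scripts)
    if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
        findings.append("UNSAFE_INLINE")      # injected inline <script> blocks still run
    if "'unsafe-eval'" in scripts:
        findings.append("UNSAFE_EVAL")        # eval()/new Function() on attacker-controlled strings
    for src in scripts:
        if src in BROAD_SOURCES:
            findings.append(f"BROAD_SOURCE:{src}")   # the whitelist covers almost any origin

    # object-src also falls back to default-src; if neither exists, plugin
    # content can be injected and used to run script-equivalent code.
    if governing_sources(policy, "object-src") is None:
        findings.append("OBJECT_SRC_UNRESTRICTED")
    return findings


if __name__ == "__main__":
    # Constructed sample policies, not taken from any measured site.
    samples = {
        "weak":   "default-src 'self'; script-src 'self' 'unsafe-inline' https: cdn.example",
        "nonced": "script-src 'nonce-r4nd0m' 'unsafe-inline'; object-src 'none'",
        "empty":  "style-src 'self'",
    }
    for label, header in samples.items():
        print(f"{label:7s} -> {audit_csp(header)}")
```

The "nonced" sample shows the maintenance point the abstracts raise: the same 'unsafe-inline' token is harmless next to a nonce and fatal without one, so a policy that is safe today can become unsafe when someone later removes the nonce without touching the rest of the directive.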
Article
Full-text available
In the last few years, many security researchers proposed to endow the web platform with more rigorous foundations, thus allowing for a precise reasoning on web security issues. Given the complexity of the Web, however, research efforts in the area are scattered around many different topics and problems, and it is not easy to understand the import...
Article
Full-text available
Designing distributed protocols is complex and requires actions at very different levels: from the design of an interaction flow supporting the desired application-specific guarantees to the selection of the most appropriate network-level protection mechanisms. To tame this complexity, we propose AnBx, a formal protocol specification language based...
Article
Full-text available
Designing distributed protocols is complex and requires actions at very different levels: from the design of an interaction flow supporting the desired application-specific guarantees to the selection of the most appropriate network-level protection mechanisms. To tame this complexity, we propose AnBx, a formal protocol specification language based...
Article
Full-text available
Session cookies constitute one of the main attack targets against client authentication on the Web. To counter these attacks, modern web browsers implement native cookie protection mechanisms based on the HttpOnly and Secure flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been pro...
Article
Full-text available
Recent research has shown that it is possible to leverage general-purpose theorem-proving techniques to develop powerful type systems for the verification of a wide range of security properties on application code. Although successful in many respects, these type systems fall short of capturing resource-conscious properties that are crucial in larg...
Technical Report
Full-text available
Designing distributed protocols is complex and requires actions at very different levels: from the design of an interaction flow supporting the desired application-specific guarantees, to the selection of the most appropriate network-level protection mechanisms. To tame this complexity, we propose AnBx, a formal protocol specification language base...
Article
Full-text available
Browser-based defenses have recently been advocated as an effective mechanism to protect potentially insecure web applications against the threats of session hijacking, fixation, and related attacks. In existing approaches, all such defenses ultimately rely on client-side heuristics to automatically detect cookies containing session information, to...
Conference Paper
Full-text available
Even though their architecture relies on robust security principles, it is well-known that poor programming practices may expose browser extensions to serious security flaws, leading to privilege escalations by untrusted web pages or compromised extension components. We propose a formal security analysis of browser extensions in terms of a fine-gra...
Conference Paper
Full-text available
Liferay is the leading opensource portal for the enterprise, implementing a role-based access control (RBAC) mechanism for user and content management. Despite its critical importance, however, the access control system implemented in Liferay is poorly documented and lacks automated tools to assist portal administrators in configuring it correctly....
Conference Paper
Full-text available
Sessions on the web are fragile. They have been attacked successfully in many ways, by network-level attacks, by direct attacks on session cookies (the main mechanism for implementing the session concept) and by application-level attacks where the integrity of sessions is violated by means of cross-site request forgery or malicious script inclusion...
Article
Full-text available
We present a logic-based verification framework for multilevel security and transactional correctness of service oriented architectures. The framework is targeted at the analysis of data confidentiality, enforced by non-interference, and of service responsiveness, captured by a notion of compliance that implies deadlock and livelock freedom. We iso...
Conference Paper
Full-text available
Enforcing protection at the browser side has recently become a popular approach for securing web authentication. Though interesting, existing attempts in the literature only address specific classes of attacks, and thus fall short of providing robust foundations to reason on web authentication security. In this paper we provide such foundations, by...
Conference Paper
Full-text available
Browser-based defenses have recently been advocated as an effective mechanism to protect web applications against the threats of session hijacking, fixation, and related attacks. In existing approaches, all such defenses ultimately rely on client-side heuristics to automatically detect cookies containing session information, to then protect them ag...
Conference Paper
Full-text available
Session cookies constitute one of the main attack targets against client authentication on the Web. To counter that, modern web browsers implement native cookie protection mechanisms based on the Secure and HttpOnly flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been proved about...
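The session-cookie abstracts above describe the HttpOnly and Secure flags in terms of what can be formally proved about them, and the browser-side defenses above rely on heuristics to decide which cookies carry a session. The following is an added example, not code from these papers or from any browser: it models what each flag prevents against a script attacker (XSS reading document.cookie) and a network attacker (plaintext traffic, plus the ability to make the browser issue an http:// request to the site). The cookie names and values are constructed, and the session-detection heuristic is a simplified stand-in for the client-side heuristics the papers discuss.

```python
"""What the Secure and HttpOnly cookie flags do and do not protect.

Added illustration, not code from the papers above (their results are proved
in a formal browser model, not scripted). The session-cookie heuristic is a
simplified stand-in for the client-side heuristics those papers discuss.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Names web frameworks commonly use for the session identifier; one signal a
# client-side defence can use to guess which cookies carry a session.
KNOWN_SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid", "session"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value: `name=value` followed by ';'-separated attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def looks_like_session_cookie(cookie: Cookie) -> bool:
    """Heuristic: a well-known session name, or a long value drawn from a large alphabet."""
    if cookie.name.lower() in KNOWN_SESSION_NAMES:
        return True
    return len(cookie.value) >= 16 and len(set(cookie.value)) >= 10


def attached_to_request(cookie: Cookie, url: str) -> bool:
    """Browsers attach a Secure cookie only to https:// requests; other cookies go everywhere."""
    return not cookie.secure or urlsplit(url).scheme.lower() == "https"


def readable_by_script(cookie: Cookie) -> bool:
    """document.cookie never exposes HttpOnly cookies, so injected script cannot read them."""
    return not cookie.http_only


def session_exposure(headers: list[str], site_http_url: str) -> dict[str, list[str]]:
    """For each attacker class, list the session cookies it can steal.

    network_attacker: sees plaintext traffic and can make the browser fetch
    site_http_url (e.g. via an injected <img>), so it learns every non-Secure cookie.
    xss_attacker: runs script in the site's origin and reads document.cookie.
    """
    cookies = [parse_set_cookie(h) for h in headers]
    sessions = [c for c in cookies if looks_like_session_cookie(c)]
    return {
        "network_attacker": [c.name for c in sessions if attached_to_request(c, site_http_url)],
        "xss_attacker": [c.name for c in sessions if readable_by_script(c)],
    }


if __name__ == "__main__":
    # Constructed headers, as a server might send them; not captured from a real site.
    sample = [
        "PHPSESSID=k3j4h5g6f7d8s9a0; Path=/; HttpOnly",            # leaks to a network attacker
        "remember=q1w2e3r4t5y6u7i8o9p0; Secure",                   # leaks to an XSS attacker
        "sid=a1b2c3d4e5f6g7h8; Secure; HttpOnly; SameSite=Lax",    # leaks to neither
        "theme=dark",                                              # not a session cookie
    ]
    print(session_exposure(sample, "http://bank.example/"))
```

Both flags protect only the confidentiality of the cookie: neither stops a network attacker from making the browser accept a new cookie for the site over http://, which is why session fixation and cookie-overwriting attacks need the separate integrity argument the abstracts above refer to. Browsers that implement the "leave Secure cookies alone" rule from the RFC 6265 revision close the overwrite case for Secure cookies; older ones do not.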
Article
Full-text available
Finding typed encodings of object-oriented into procedural or functional programming sheds light on the theoretical foundations of object-oriented languages and their specific typing constructs and techniques. This paper describes a type preserving and computationally adequate interpretation of a full-fledged object calculus that supports message...
Conference Paper
Full-text available
The widespread adoption of Android devices has attracted the attention of a growing computer security audience. Fundamental weaknesses and subtle design flaws of the Android architecture have been identified, studied and fixed, mostly through techniques from data-flow analysis, runtime protection mechanisms, or changes to the operating system. This...
Conference Paper
Full-text available
Recent research has shown that it is possible to leverage general-purpose theorem proving techniques to develop powerful type systems for the verification of a wide range of security properties on application code. Although successful in many respects, these type systems fall short of capturing resource-conscious properties that are crucial in lar...
Article
Full-text available
Connectivity and communication interference are two key aspects in mobile ad-hoc networks (MANETs). This paper proposes a process algebraic model targeted at the analysis of both such aspects. The framework includes a probabilistic process calculus and a suite of analytical techniques based on a probabilistic observational congruence and an interfe...
Conference Paper
Maintenance of COBOL applications that still exist and work today is an open issue for many companies that have not yet undertaken the crucial decision of migrating to a modern development platform. And even those who did, most likely had to face a major challenge: understanding what those million lines of code do and what business processes they o...
Conference Paper
Full-text available
In this paper we show the Casanova language (and its accompanying design pattern, Rule-Script-Draw) in action by building a series of games with it. In particular we discuss how Casanova is suitable for making games regardless of their genre: the Game of Life, a shooter game, an adventure game and a strategy game. We also discuss the difference bet...
Conference Paper
Full-text available
Connectivity and communication interference are two key aspects in mobile ad-hoc networks (MANETs). We propose a process algebraic model targeted at the analysis of both such aspects of MANETs. The framework includes a probabilistic process calculus and a suite of analytical techniques based on a probabilistic observational congruence and an interf...
Conference Paper
Full-text available
Refinement type systems have proved very effective for security policy verification in distributed authorization systems. In earlier work [12], we have proposed an extension of existing refinement typing techniques to exploit sub-structural logics and affine typing in the analysis of resource aware authorization, with policies predicating over ac...
Article
In this paper we present the specification and preliminary assessment of Casanova, a newly designed computer language which integrates knowledge about many areas of game development with the aim of simplifying the process of engineering a game. Casanova is designed as a fully-fledged language, as an extension language to F#, but also as a pervasive...
Conference Paper
Full-text available
Role-based Access Control (RBAC) is one of the most widespread security mechanisms in use today. Given the growing complexity of policy languages and access control systems, verifying that such systems enforce the desired invariants is recognized as a security problem of crucial importance. In the present paper, we develop a framework for the form...
Article
Full-text available
As virtual worlds grow more and more complex, virtual reality browsers and engines face growing challenges. These challenges are centered on performance on one hand (an interactive framerate is always required) and complexity on the other hand (the larger and more articulated a virtual world, the more immersive the experience). The usual implementa...
Conference Paper
Games are complex pieces of software which give life to animated virtual worlds. Game developers carefully search the difficult balance between quality and efficiency in their games. In this paper we present the Casanova language. This language allows the building of games with three important advantages when compared to traditional approaches: sim...
Conference Paper
Full-text available
Type systems for authorization are a popular device for the specification and verification of security properties in cryptographic applications. Though promising, existing frameworks exhibit limited expressive power, as the underlying specification languages fail to account for powerful notions of authorization based on access counts, usage bound...
Conference Paper
Full-text available
Many business applications today still rely on COBOL programs written decades ago that are difficult to maintain and upgrade due to technological limitations and lack of experts in the language. Several companies have been trying to migrate their software base to modern platforms, but code translation is problematic because most business processes...
Article
Preface to the `Logical Methods in Computer Science', special issue dedicated to ICALP 2006, Track B: Logic, Semantics and Theory of Programming
Conference Paper
Full-text available
Designing distributed protocols is challenging, as it requires actions at very different levels: from the choice of network-level mechanisms to protect the exchange of sensitive data, to the definition of structured interaction patterns to convey application-specific guarantees. Current security infrastructures provide very limited support for the...
Conference Paper
Full-text available
We introduce a calculus with mobile names, distributed principals and primitives for secure remote communication, without any reference to explicit cryptography. The calculus is equipped with a system of types and effects providing static guarantees of secrecy and authenticity in the presence of a Dolev-Yao intruder. The novelty with respect to exi...
Article
Full-text available
Process algebraic techniques for distributed systems are increasingly being targeted at identifying abstractions that are adequate for both high-level programming and specification and security analysis and verification. Drawing on our earlier work in Bugliesi and Focardi, (2008), we investigate the expressive power of a core set of security and ne...
Conference Paper
Full-text available
Compliance is a basic property of web-service architectures that ensures the absence of deadlocks and livelocks during execution. Following recent attempts in the literature, we interpret compliance as an experiment, much like the experiments made by a test process in testing theories, and use it as the basis for a notion of compliance preserving s...
Article
Full-text available
Discretionary Access Control (DAC) systems provide powerful resource management mechanisms based on the selective distribution of capabilities to selected classes of principals. We study a type-based theory of DAC models for a process calculus that extends Cardelli, Ghelli and Gordon's pi-calculus with groups (Cardelli et al. 2005). In our theory,...
Article
Full-text available
Process algebraic specifications of distributed systems are increasingly being targeted at identifying security primitives well-suited as high-level programming abstractions, and at the same time adequate for security analysis and verification. Drawing on our earlier work along these lines [Bugliesi, M. and R. Focardi, Language based secure communi...
Conference Paper
Full-text available
Secure communication in distributed systems is notoriously hard to achieve due to the variety of attacks an adversary can mount, based on message interception, modification, redirection, eavesdropping or, even more subtly, on traffic analysis. In the literature on process calculi, traditional solutions to the problem either draw on low-level crypto...
Conference Paper
Full-text available
Service oriented architectures draw heavily on techniques for reusing and assembling off-the-shelf software components. While powerful, this programming practice is not without a cost: the software architect must ensure that the off-the-shelf components interact safely and in ways that conform with the specification. We develop a new theory for ada...
Conference Paper
Full-text available
Traditional static typing systems for the pi-calculus are built around capability types that control the read/write access rights on channels and describe the type of the channels’ payload. While static typing has proved adequate for reasoning on process behavior in typed contexts, dynamic techniques have often been advocated as more effective for...
Article
Full-text available
We propose a type and effect system for authentication protocols built upon a tagging scheme that formalizes the intended semantics of ciphertexts. The main result is that the validation of each component in isolation is provably sound and fully compositional: if all the protocol participants are independently validated, then the protocol as a whol...
Article
Resource control has attracted increasing interest in foundational research on distributed systems. This paper focuses on space control and develops an analysis of space usage in the context of an ambient calculus with bounded capacities and weighed processes, where migration and activation require space. A type system controls the dynamics of the...
Conference Paper
Full-text available
The challenges hidden in the implementation of high-level process calculi into low-level environments are well understood (1). This paper develops a secure implementation of a typed pi calculus, in which type capabilities are employed to realize the policies for the access to communication channels. Our implementation translates the typed capabilit...
Conference Paper
Full-text available
Most algorithms of computational geometry are designed for the Real-RAM and non-degenerate input. We call such algorithms idealistic. Executing an idealistic algorithm with floating point arithmetic may fail. Controlled perturbation replaces an input x by a random nearby point in the δ-neighborhood of x and then runs the floating point version of the ide...
Article
Boxed Ambients (BA) replace Mobile Ambients’ open capability with communication primitives acting across ambient boundaries. The expressiveness of the new communication model is achieved at the price of communication interferences whose resolution requires synchronisation of activities at multiple, distributed locations. We study a variant of BA ai...
Conference Paper
Full-text available
This paper contrasts two existing type-based techniques for the analysis of authentication protocols. The former, proposed by Gordon and Jeffrey, uses dependent types for nonces and cryptographic keys to statically regulate the way that nonces are created and checked in the authentication exchange. The latter, proposed by the authors, relies on a c...
Conference Paper
Full-text available
The use of types to control the behavior of processes in the pi-calculus is a long-known and well-established technique.
Article
Full-text available
We develop new proof techniques, based on Non-Interference, for the analysis of safety and liveness properties of cryptographic protocols expressed as terms of the process algebra CryptoSPA. Our approach draws on new notions of behavioral equivalence, built on top of a context-sensitive labeled transition system that allows us to characterize the b...
Conference Paper
Full-text available
We propose a type and effect system for authentication protocols built upon a tagging scheme that formalizes the intended semantics of ciphertexts. The main result is that the validation of each component in isolation is provably sound and fully compositional: if all the protocol participants are independently validated, then the protocol as a whol...
Conference Paper
Full-text available
Discretionary Access Control (DAC) systems provide powerful mechanisms for resource management based on the selective distribution of capabilities to selected classes of principals. We study a type-based theory of DAC models for concurrent and distributed systems represented as terms of Cardelli, Ghelli and Gordon's pi calculus with groups (3)...
Conference Paper
We propose a new method for the static analysis of entity authentication protocols. We develop our approach based on a dialect of the spi-calculus as the underlying formalism for expressing protocol narrations. Our analysis validates the honest protocol participants against static (hence decidable) conditions that provide formal guarantees of enti...
Conference Paper
Full-text available
The paper surveys the literature on high-level name-passing process calculi, and their extensions with cryptographic primitives. The survey is by no means exhaustive, for essentially two reasons. First, in trying to provide a coherent presentation of different ideas and techniques, one inevitably ends up leaving out the approaches that do not fit t...
Article
Full-text available
Boxed Ambients are a variant of Mobile Ambients that result from dropping the open capability and introducing new primitives for ambient communication. The new model of communication is faithful to the principles of distribution and location-awareness of Mobile Ambients, and complements the constructs in and out for mobility with finer-grained mech...
Conference Paper
The paper surveys the literature on high-level name-passing process calculi, and their extensions with cryptographic primitives. The survey is by no means exhaustive, for essentially two reasons. First, in trying to provide a coherent presentation of different ideas and techniques, one inevitably ends up leaving out the approaches that do not fit t...
Article
Full-text available
The paper surveys the literature on high-level name-passing process calculi, and their extensions with cryptographic primitives. The survey is by no means exhaustive, for essentially two reasons. First, in trying to provide a coherent presentation of different ideas and techniques, one inevitably ends up leaving out the approaches that do not f...
Conference Paper
Full-text available
Resource control has attracted increasing interest in foundational research on distributed systems. This paper focuses on space control and develops an analysis of space usage in the context of an ambient-like calculus with bounded capacities and weighed processes, where migration and activation require space. A type system complements the dyna...
Article
Full-text available
First Workshop on Object Oriented Developments. This volume contains the Proceedings of the First Workshop on Object Oriented Developments (WOOD'2003). The Workshop was held in Warsaw, Poland on April 13, 2003, as a satellite event to ETAPS'2003. Object-oriented programming languages have long been the subject of extensive foundational and applied res...
Article
We develop new proof techniques, based on non-interference, for the analysis of safety and liveness properties of cryptographic protocols expressed as terms of the process algebra CryptoSPA. Our approach draws on new notions of behavioral equivalence, built on top of a context-sensitive labelled transition system, that allow us to characterize the...
Conference Paper
Boxed Ambients (BA) replace Mobile Ambients’ open capability with communication primitives acting across ambient boundaries. Expressiveness is achieved at the price of communication interferences on message reception whose resolution requires synchronisation of activities at multiple, distributed locations. We study a variant of BA aimed at control...
Conference Paper
Full-text available
We investigate the protection of migrating agents against the untrusted sites they traverse. The resulting calculus provides a formal framework to reason about protection policies and security protocols over distributed, mobile infrastructures, and aims to stand to ambients as the spi calculus stands to π. We present a type system that separates tr...
Conference Paper
Full-text available
We develop new proof techniques, based on non-interference, for the analysis of safety and liveness properties of cryptographic protocols expressed as terms of the process algebra CryptoSPA. Our approach draws on new notions of behavioral equivalence, built on top of a context-sensitive labelled transition system, that allow us to characterize the...
Article
Full-text available
We study the roles of message components in authentication protocols. In particular, we investigate how a certain component contributes to the task of achieving entity authentication. To this aim, we isolate a core set of roles that enables us to extract general principles that should be followed to avoid attacks.
Conference Paper
Full-text available
We study the roles of message components in authentication protocols. In particular, we investigate how a certain component contributes to the task of achieving entity authentication. To this aim, we isolate a minimal set of roles that enables us to extract general principles that should be followed to avoid attacks. We then formalize these princ...
Article
Full-text available
We study the problem of secure information flow for Boxed Ambients in terms of non-interference. We develop a sound type system that provides static guarantees of absence of unwanted flow of information for well typed processes. Non-interference is stated, and proved, in terms of a typed notion of contextual equivalence for Boxed Ambients akin to t...
Conference Paper
We investigate the protection of migrating agents against the untrusted sites they traverse. The resulting calculus provides a formal framework to reason about protection policies and security protocols over distributed, mobile infrastructures, and aims to stand to ambients as the spi calculus stands to π. We present a type system that separates tr...
Conference Paper
Full-text available
Resource control has attracted increasing interest in foundational research on distributed systems. This paper focuses on space control and develops an analysis of space usage in the context of an ambient-like calculus with bounded capacities and weighed processes, where migration and activation require space. A type system complements the dynamics...
Article
Existing type systems for object calculi [1] are based on invariant subtyping. Subtyping invariance is required for soundness of static typing in the presence of method overrides, but it is often in the way of the expressive power of the type system. Flexibility of static typing can be recovered in different ways: in first-order systems, by the ado...
Article
We study the problem of secure information flow for Boxed Ambients in terms of noninterference. We develop a sound type system that provides static guarantees of absence of unwanted flow of information for well typed processes. Non-interference is stated, and proved, in terms of a typed notion of contextual equivalence for Boxed Ambients akin to th...
Article
In [BCC00], we presented a general framework for extending calculi of mobile agents with object-oriented features, and we studied a typed instance of that model based on Cardelli and Gordon's Mobile Ambients. Here, we refine our previous work and define a new calculus which is based on Remote Procedure Call as the underlying protocol for method inv...
Article
Full-text available
Boxed Ambients are a variant of Mobile Ambients, that result from (i) dropping the open capability and (ii) providing new primitives for ambient communication while retaining the constructs in and out for mobility. The new model of communication is faithful to the principles of distribution and location-awareness of Mobile Ambients, and complements...
Article
Full-text available
The paper gives an assessment of security for Mobile Ambients, with specific focus on mandatory access control (MAC) policies in multilevel security systems. The first part of the paper reports on different formalization attempts for MAC policies in the Ambient Calculus, and provides an in-depth analysis of the problems one encounters. As it turns...
Article
Existing type systems for object calculi are based on invariant subtyping. Subtyping invariance is required for soundness of static typing in the presence of method overrides, but it is often in the way of the expressive power of the type system. Flexibility of static typing can be recovered in different ways: in first-order systems by the adoption...
Conference Paper
We present a type-theoretic encoding of extensible objects and types. The ambient theory is a higher-order -calculus with polymorphic types, recursive types and operators, and subtyping. Using this theory, we give a type preserving and computationally adequate translation of a full-fledged object calculus that includes object extension and override...
Article
Full-text available
This paper extends the Lambda Calculus of Objects as proposed in [5] with a new support for incomplete objects. Incomplete objects behave operationally as "standard" objects; their typing, instead, is different, as they may be typed even though they contain references to methods that are yet to be added. As a byproduct, incomplete objects may be typed...
Article
Finding typed encodings of object-oriented into procedural or functional programming sheds light on the theoretical foundations of object-oriented languages and their specific typing constructs and techniques. This article describes a type preserving and computationally adequate interpretation of a full-fledged object calculus that supports message...
Article
We present a new type system for the Lambda Calculus of Objects [16], based on matching. The new system retains the property of type safety of the original system, while using implicit match-bounded quantification over type variables instead of implicit quantification over row schemes (as in [16]) to capture Mytype polymorphic types for methods.
Article
We introduce a typed variant of Safe Ambients, named Secure Safe Ambients (SSA), whose type system allows behavioral invariants of ambients to be expressed and verified. The most significant aspect of the type system is its ability to capture both explicit and implicit process and ambient behavior: process types account not only for immediate behavio...
Article
Full-text available
This paper presents a linear logic programming language, called O Gammaffi, that gives a complete account of an object-oriented calculus with inheritance and override. This language is best understood as a logical counterpart of the object and record extensions of functional programming that have recently been proposed in the literature. From these p...