Call November 2022

Trusted Execution Environments for Advanced Data Protection

This proposal resulted in the following thesis:

  • Ion Andy Ditu (Bachelor's Thesis, University of Trento, 2023)
    Leveraging Trusted Execution Environment for Efficient Revocation and Security in Cryptographic Access Control
    Supervisors: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato

Description:

Cryptographic Access Control (CAC) is often employed to protect the confidentiality of Cloud-hosted sensitive data from curious service providers while enforcing access control policies. Unfortunately, CAC usually incurs significant computational overhead that limits its applicability in real-world scenarios [1]. The main goal of this project is to investigate how Trusted Execution Environments (TEEs) such as Intel SGX [2] can synergize with CAC to relieve these computational overheads and efficiently guarantee advanced data protection.

Level: BSc/MSc

Supervisors: Silvio Ranise

Co-supervisors: Roberto Carbone, Stefano Berlato

Time frame: From February 2023

Prerequisites:

  • Basic knowledge of IT security
  • Basic knowledge of cryptography from cryptography-related courses
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin)

Objectives:

  • Familiarization and study of the state of the art in the use of TEEs for advanced data protection.
  • Evaluation of available techniques and design of a solution joining CAC with TEEs to reduce the cryptographic computational overhead.
  • Implementation of the proposed approach in a tool [3] developed and actively maintained by the Security&Trust unit in FBK [4].

Topics: Access Control, Cryptography, TEE

References:

  1. W. C. Garrison, A. Shull, S. Myers and A. J. Lee, "On the Practicality of Cryptographically Enforcing Dynamic Access Control Policies in the Cloud," 2016 IEEE Symposium on Security and Privacy (SP), 2016, pp. 819-838, doi: 10.1109/SP.2016.54
  2. https://software.intel.com/content/www/us/en/develop/topics/software-guard-extensions.html
  3. stfbk/CryptoAC
  4. Stefano Berlato, Roberto Carbone, Silvio Ranise. Cryptographic Enforcement of Access Control Policies in the Cloud: Implementation and Experimental Assessment. In 18th International Conference on Security and Cryptography (SECRYPT 2021).

Call November 2023

Enhancing Cryptographic Access Control with Predicates and Negative Permissions

This proposal resulted in the following thesis:

  • Simone Brunello (Bachelor's Thesis, University of Trento, 2024)
    Hybrid Enforcement for Role-based Cryptographic Access Control
    Supervisors: Silvio Ranise | Co-supervisors: Roberto Carbone, Stefano Berlato

Description:

Cryptographic Access Control (CAC) is often employed to protect the confidentiality of Cloud-hosted sensitive data from both external attackers and curious service providers while enforcing access control policies. In CAC, the sensitive data is encrypted, and the permission to access the encrypted data is embodied by the (secret) decryption key. Unfortunately, CAC usually incurs significant computational overhead, mainly due to cryptographic computations, that limits its applicability in real-world scenarios. Moreover, by itself, CAC does not provide suitable abstractions for specifying additional information and constraints (e.g., on how much a user is trusted) that may instead be useful to relieve this computational overhead. In the context of an ongoing collaboration with the University of Pittsburgh, the main goal of this project is to enhance CAC by investigating one or more of the following ideas:

  1. Logic Predicates: express assumptions and requirements about users and resources;
  2. Negative Permissions: deny accesses explicitly through a careful distribution of cryptographic keys;
  3. Improved Performance: investigate other means (e.g., use of symmetric vs. asymmetric cryptography) to directly relieve the computational overhead of CAC.

Level: BSc/MSc

Supervisors: Silvio Ranise

Co-supervisors: Roberto Carbone, Stefano Berlato

Time frame: From October 2023

Prerequisites:

  • Basic knowledge of IT security.
  • Basic knowledge of cryptography from cryptography-related courses.
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin).

Objectives:

  • Familiarization and study of the state of the art in the use of CAC techniques for advanced data protection.
  • Evaluation of the aforementioned ideas and design of solutions to enhance the capabilities of CAC.
  • Implementation of the proposed solutions in a tool developed and actively maintained by FBK's Center for Cybersecurity [1].

Topics: Access Control, Cryptography

Notes: The objectives may be weighted differently according to interest, availability, and the chosen topic.

References:

  1. stfbk/CryptoAC

Multi-Objective Microservice Orchestration

This proposal resulted in the following thesis:

  • Marco Soldera (Bachelor's Thesis, University of Trento, 2024)
    A Risk Assessment Methodology for VSNF Placement in Cloud Native Applications
    Supervisors: Domenico Siracusa | Co-supervisors: Stefano Berlato, Silvio Cretti

Description:

Microservices are the basic building blocks for modern Cloud-native applications. However, the orchestration — and especially the placement — of microservices should be aware of the functional and security requirements of the underlying applications. The main goal of this project revolves around the design of a methodology and a toolset for orchestrating (microservices in) Cloud-native applications to balance the minimization of risks due to the possible presence of security threats (e.g., malicious insider attackers, curious tenants) and the achievement of service performance requirements (e.g., expressed on computational resources, network throughput and latency).

Level: BSc/MSc

Supervisors: Domenico Siracusa

Co-supervisors: Stefano Berlato, Silvio Cretti

Prerequisites:

  • Basic knowledge of IT security.
  • Basic knowledge of object-oriented programming languages (i.e., Kotlin).
  • Knowledge of the microservice architectural paradigm and orchestrators (e.g., Kubernetes) would be highly advantageous.

Objectives:

  • Familiarization and study of the state of the art in the orchestration of microservices.
  • Study and elicitation of requirements for applications deployed in prominent use case scenarios.
  • Design and implementation of a methodology for the effective orchestration of microservices in a tool developed and actively maintained by FBK's Center for Cybersecurity [1].

Topics: Cloud-native Applications, Security, Multi-Objective Optimization

References:

  1. stfbk/FogAtlas