Department of
Environmental Sciences, Informatics and Statistics

Cybersecurity

The laboratory carries out research and technology transfer activities in various areas of IT security:

Applied Cryptography;
Network and Web Security;
Software Security;
Embedded System Security;
Usable Security.

The research activity is carried out rigorously, with the aid of formal verification techniques, and is aimed at improving the state of the art of security of real systems. The laboratory, through some of its participants, has founded two spin-offs, Cryptosense and 10Sec, which transfer research results to industry through the development of highly innovative products in the field of cryptography and IoT.

Research group

Collaborators

Matteo Busi (Postdoc)
Francesco Palmarini (Postdoc)
Leonardo Veronese (Postdoc)
Alessia Michela Di Campi (PhD Student)
Lorenzo Cazzaro (PhD Student)

Collaborations

Vienna University of Technology
Masaryk University (with a dual PhD program in Cybsersecurity)
CISPA Helmholtz Center for Information Security

Publications

Riccardo Focardi and Flaminia Luccio. A formally verified configuration for Hardware Security Modules in the cloud. In Giovanni Vigna, Elaine Shi, Proceedings of the ACM Conference on Computer and Communications Security (ACM CCS), pp. 412-428
https://dl.acm.org/doi/10.1145/3460120.3484785 - 2021
Stefano Calzavara, Riccardo Focardi, Matús Nemec, Alvise Rabitti, Marco Squarcina: Postcards from the Post- HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem. IEEE Symposium on Security and Privacy (IEEE S&P 2019), pp. 281-298
https://ieeexplore.ieee.org/document/8835223 - 2019
Claudio Bozzato, Riccardo Focardi, Francesco Palmarini. Shaping the Glitch: Optimizing Voltage Fault Injection Attacks. In Transactions on Cryptographic Hardware and Embedded Systems (TCHES), vol. 2019, pp. 199-224 (ISSN 2569-2925)
https://tches.iacr.org/index.php/TCHES/article/view/7390 - 2019
Riccardo Focardi, Francesco Palmarini, Marco Squarcina, Graham Steel, Mauro Tempesta: Mind Your Keys? A Security Evaluation of Java Keystores. Proceedings of the Network and Distributed System Security Symposium (NDSS 2018).
http://dx.medra.org/10.14722/ndss.2018.23083 - 2018
Stefano Calzavara, Riccardo Focardi, Matteo Maffei, Clara Schneidewind, Marco Squarcina, Mauro Tempesta WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring , Proceedings of the 27th USENIX Security Symposium, pp. 1493-1510
https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-calzavara.pdf - 2018

Case studies

The paper "Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem" on the security analysis of the Web in the wild has been presented at IEEE S&P 2019 and covered on Wired:

Lily Hay Newman, HTTPS Isn’t Always as Secure as it Seems, 28 March 2019, Wired
Catherine Chapman , False sense of security? HTTPS is no panacea, researchers warn, 16 May 2019, The Daily Swig (https://portswigger.net/daily-swig/false-sense-of-security-https-is-no-panacea-researchers-warn)
Preview video: https://www.youtube.com/watch?v=MVqR9qMwWRE

The paper "Mind Your Keys? A Security Evaluation of Java Keystores" has drastically improved the security of Java keystores after our findings. See the related vulnerability reports from Oracle:

CVE-2018-2794, Oracle Java, CVSS 3.0 Base Score 7.7 (HIGH)
CVE-2017-10356, Oracle Java, CVSS 3.0 Base Score 6.2 (MEDIUM)
CVE-2017-10345, Oracle Java, CVSS 3.0 Base Score 3.1 (LOW)

Research projects

SOFT: Security Oriented Formal Techniques (Principal Investigator: Riccardo Focardi)
PRIN - Research Projects of National Relevance, funded by the Italian Ministry of University and Research, Length: 09/2008 - 09/2010
DOMHO: Secure IoT home automation system for smart buildings (Local PI: Riccardo Focardi)
ROP ERDF: Regional Operational Programme, European Regional Development Fund, Length: 11/2017 - 10/2020
SAFE PLACE: IoT systems for healthy and safe living environments (Local PI: Riccardo Focardi)
ROP ERDF: Regional Operational Programme, European Regional Development Fund, Length: 01/2021 - 12/2022
Cybersecurity in IOT Devices for smart building (Local PI: Flaminia Luccio)
Funded by Confindustria Vento SIAV Spa, AVI/077A/19, Length: 06/2020 - 12/2021
Securing Smartibuilding Devices (Local PI: Flaminia Luccio)
Funded by BFT SpA, Length: 07/2020 - 12/2020
UniKey (Local PI: Flaminia Luccio)
Project co-funded by the SMACT competence center in collaboration with Keyline SpA, Length: 07/2020 - 12/2020
FilieraSicura: Security of national infrastructures (Local PI: Riccardo Focardi)
Research project funded by CISCO and Leonardo, Length: 01/2017 - 12/2019
Security Horizons (Local PI: Riccardo Focardi)
PRIN - Research Projects of National Relevance, funded by the Italian Ministry of University and Research, Length: 02/2013 - 02/2016
Formal methods for security (Local PI: Riccardo Focardi)
PRIN - Research Projects of National Relevance, funded by the Italian Ministry of University and Research, Length: 12/2001 - 12/2003
MyThS: Models and Types for Security in Mobile Distributed Systems (Local PI: Michele Bugliesi, Key personnel: Riccardo Focardi)
FET-Global Computing, IST-2001-32617, Length: 2002 - 2004

Last update: 17/04/2024

Type	Name	Sender (Domain)	Description	Duration	Policy
Essential	_shibsession[], _shibsstate[]	Unive.it (www.unive.it)	They maintain the session data of the SingleSignOn.	session	Information
Essential	PHPSESSID	Unive.it (www.unive.it)	Unique user identifier for the website applications.	session	Information
Essential	cookie[*]	Unive.it (www.unive.it)	It stores the user's preferences on cookies. user preferences on cookies.	1 month	Information
Essential	cookie	idp.unive.it	It stores the user's preferences on cookies.	1 month	Information
Essential	fe_typo_user	Unive.it (www.unive.it)	Unique user identifier for the reserved area of the website	session	Information
Essential	JSESSIONID	Unive.it (www.unive.it)	Used to create web sessions into the Personal Area.	session	Information
Essential	ADMCMD_prev	Unive.it (www.unive.it)	Used to create web sessions into the Personal Area.	session	Information
Essential	unive.it	Unive.it (www.unive.it)	It stores the user's preferences on cookies.	6 months	Information
Essential	noiframe	Unive.it (www.unive.it)	It stores the user's preferences on cookies.	6 months	Information
Essential	_pk_id[*]	unive/WAI	*	30 days	Information
Essential	_pk_ses[*]	unive/WAI	*	1 day	Information
Essential	_pk_ref[*]	unive/WAI	*	6 months	Information
Essential	_gsas[*]	unive/google	It stores the user's preferences on cookies.	3 months	Information
Essential	_opensaml_req_cookie%[*]	unive	Authentication and SingleSignOn (shibboleth)	session	Information
Google - Youtube	__Secure-1PAPISID	Google (google.com)	Used for targeting purposes in order to acquire web visitors' interests and show them pertinent and customised Google advertising.	2 years	Information
Google - Youtube	CONSENT	Google (google.com)	Used by Google to store the user's preferences.	17 years	Information
Google - Youtube	__Secure-1PSID	Google (google.com)	Used for targeting purposes in order to acquire web visitors' interests and show them pertinent and customised Google advertising.	2 years	Information