Publication


Featured research published by Clemente Galdi.


Symposium on Access Control Models and Technologies | 2013

ERBAC: event-driven RBAC

Piero A. Bonatti; Clemente Galdi; Davide Torres

Context-aware access control systems should reactively adapt access control decisions to dynamic environmental conditions. In this paper we present an extension of the TRBAC model that allows the specification and enforcement of general reactive policies. Then we extend XACML to support the new model, and illustrate a prototype implementation of the PDP.


Workshop in Information Security Theory and Practice | 2010

On the security of a two-factor authentication scheme

Luigi Catuogno; Clemente Galdi

In this paper we evaluate the security of a two-factor Graphical Password scheme proposed in [1]. As in the original paper, we model the attack of a passive adversary as a boolean formula whose truth assignment corresponds to the user secret. We show that there exists a small number of secrets that a passive adversary cannot extract, independently of the amount of information she manages to eavesdrop. We then experimentally evaluate the security of the scheme. Our tests show that the number of sessions the adversary needs to gather in order to be able to extract the user's secret is relatively small. However, the amount of time needed to actually extract the user secret from the collected information grows exponentially in the system parameters, making the secret extraction unfeasible. Finally, we observe that the graphical password scheme can be easily restated as a device-device authentication mechanism.


International Journal of Information Security | 2014

Analysis of a two-factor graphical password scheme

Luigi Catuogno; Clemente Galdi

Graphical passwords are a promising research branch, but implementation of many proposed schemes often requires considerable resources (e.g., data storage, high quality displays), making their usage difficult on small devices, such as old-fashioned ATM terminals. Furthermore, most of the time, such schemes lack a careful security analysis. In this paper, we analyze the security and usability of an authentication mechanism that can be instantiated as a graphical password scheme. We model the information an adversary might extract by analyzing the transcripts of authentication sessions as a boolean formula. Our experiments show that the time needed by a passive adversary to extract the user secret in the last presented protocol grows exponentially in the system parameter, giving evidence of the security of the proposed scheme.


IEEE International Conference on Services Computing | 2014

E-Auctions for Multi-Cloud Service Provisioning

Marco Anisetti; Claudio Agostino Ardagna; Piero A. Bonatti; Ernesto Damiani; Marco Faella; Clemente Galdi; Luigi Sauro

The cloud computing paradigm requires solutions supporting customers in the selection of services that satisfy their functional and non-functional requirements. These solutions must i) support the dynamic, multi-cloud nature of service provisioning, ii) manage scenarios where no total preference relation over service properties is available, and iii) prevent providers from misrepresenting or overstating their properties. In this paper we put forward the idea of modeling multi-cloud provisioning scenarios as procurement e-auctions (where the auctioneer is the customer and the bidders are service providers). We introduce a service selection process based on matching and ranking algorithms, and an e-auction mechanism that addresses the above requirements, encouraging trustworthy bids and therefore improving the truthfulness of the e-auction outcome. Finally, we describe the implementation of a prototype used to evaluate the performance of our approach with respect to traditional query-based engines.


European Symposium on Research in Computer Security | 2011

Towards a mechanism for incentivating privacy

Piero A. Bonatti; Marco Faella; Clemente Galdi; Luigi Sauro

The economic value of rich user profiles is an incentive for providers to collect more personal (and sensitive) information than the minimum amount needed for deploying services effectively and securely. With a game-theoretic approach, we show that provider competition can reduce such information requests. The key is a suitable mechanism, roughly reminiscent of a Vickrey auction subject to integrity constraints. We show that our mechanism induces rational providers to ask exactly for the user information strictly necessary to deliver their service effectively and securely. In this framework, maximal attribute disclosures become more difficult to achieve.


The Computer Journal | 2003

Hiding Information in Image Mosaics

Carlo Blundo; Clemente Galdi

Information hiding techniques allow a player to hide secret information in some innocent-looking document. In this paper we present a novel approach to information hiding. We investigate the possibility of embedding information using the intrinsic entropy of some classes of cover-documents. In particular we provide algorithms for embedding any binary string in an image mosaic (i.e. an image consisting of a mosaic of smaller images). The algorithms presented allow different levels of security for the information hidden in the cover-document. We also show some techniques to reduce the amount of information the users have to secretly store.


Ambient Intelligence | 2014

On user authentication by means of video events recognition

Luigi Catuogno; Clemente Galdi

Graphical password schemes have been widely analyzed in the last couple of decades. Typically such schemes are not resilient to adversaries who are able to collect a considerable amount of session transcripts, and can process them automatically in order to extract the secret. In this paper we discuss a possible enhancement to graphical passwords aiming at making it infeasible for the attacker to automatically process the collected transcripts. In particular, we investigate the possibility of replacing static graphical challenges with on-the-fly edited videos. In our approach, the system challenges the user by showing her a short film containing a number of pre-defined pass-events and the user replies with the proof that she recognized such events. We present a proof-of-concept prototype, FilmPW, and discuss some issues related to event life-cycle management. Our preliminary experiments show that such an authentication mechanism is well accepted by users and achieves low error rates.


European Symposium on Research in Computer Security | 2014

Optimality and Complexity of Inference-Proof Data Filtering and CQE

Joachim Biskup; Piero A. Bonatti; Clemente Galdi; Luigi Sauro

The ample literature on confidentiality-preserving data publishing, and controlled query evaluation (CQE) in particular, leaves several questions open. Are the greedy data-filtering algorithms adopted in the literature maximally cooperative? Can novel secure view formats or answer distortion methods improve security or cooperativeness? What is the inherent complexity of confidentiality-preserving data publishing under different constraints, such as cooperativeness and availability? Can the theoretical results on CQE be systematically extended to more general settings? In this paper we answer the above questions using a completely generic, abstract data filtering framework, independent from any syntactic details and data source encodings, and compatible with all possible distortion methods. Some of the main results are: refusal-based filterings can be adopted as a normal form for all kinds of filterings; greedy refusal-based filterings are optimal; cooperativeness checks and some availability checks are coNP-hard in the simplest case.


Journal of Computer Security | 2015

Event-driven RBAC

Piero A. Bonatti; Clemente Galdi; Davide Torres

Context-aware access control systems should reactively adapt access control decisions to dynamic environmental conditions. In this paper we present ERBAC - an event-driven extension of the TRBAC model that allows the specification and enforcement of general reactive policies - and its implementation. While almost all the individual features of ERBAC occur separately in some previous model, the detailed design of the policy language, its implementation in XACML, and its testing contribute to the development of expressive, event-driven policy frameworks by demonstrating that this rich model can be satisfactorily implemented, and that its expressivity and performance are compatible with a variety of realistic application scenarios. In particular, a number of examples illustrate ERBAC's expressive power, and its ability to handle exceptional situations in a flexible way, while keeping policies compact and manageable. The prototype extends XACML's language and the implementation of the PDP to support the new model. Systematic scalability experiments show that the computational cost of policy rule evaluation in ERBAC is compatible with real-world applications.


Mathematical Foundations of Computer Science | 2013

Auctions for Partial Heterogeneous Preferences

Piero A. Bonatti; Marco Faella; Clemente Galdi; Luigi Sauro

Online privacy provides fresh motivations to generalized auctions where: (i) preferences over bids may be partial, because of lack of knowledge and formalization difficulties; (ii) the preferences of auctioneers and bidders may be heterogeneous and unrelated. We tackle these generalized scenarios by introducing a few natural generalizations of second-price auctions, and by investigating which of their classical properties are preserved under which conditions.

Collaboration


Dive into Clemente Galdi's collaboration.

Top Co-Authors

Piero A. Bonatti

University of Naples Federico II

Marco Faella

University of Naples Federico II
