Luigi Romano

Elliptic Curve Cryptography Engineering

In recent years, elliptic curve cryptography (ECC) has gained widespread exposure and acceptance, and has already been included in many security standards. Engineering of ECC is a complex, interdisciplinary research field encompassing such fields as mathematics, computer science, and electrical engineering. In this paper, we survey ECC implementation issues as a prominent case study for the relatively new discipline of cryptographic engineering. In particular,we show that the requirements of efficiency and security considered at the implementation stage affect not only mere low-level, technological aspects but also, significantly, higher level choices, ranging from finite field arithmetic up to curve mathematics and protocols.

Effective fault treatment for improving the dependability of COTS and legacy-based applications

This paper proposes a novel methodology and an architectural framework for handling multiple classes of faults (namely, hardware-induced software errors in the application, process and/or host crashes or hangs, and errors in the persistent system stable storage) in a COTS and legacy-based application. The basic idea is to use an evidence-accruing fault tolerance manager to choose and carry out one of multiple fault recovery strategies, depending upon the perceived severity of the fault. The methodology and the framework have been applied to a case study system consisting of a legacy system, which makes use of a COTS DBMS for persistent storage facilities. A thorough performability analysis has also been conducted via combined use of direct measurements and analytical modeling. Experimental results demonstrate that effective fault treatment, consisting of careful diagnosis and damage assessment, plays a key role in leveraging the dependability of COTS and legacy-based applications

Carry-save Montgomery modular exponentiation on reconfigurable hardware

In this paper we present a hardware implementation of the RSA algorithm for public-key cryptography. Basically, the RSA algorithm entails a modular exponentiation operation on large integers, which is considerably time-consuming to implement. To this end, we adopted a novel algorithm combining the Montgomerys technique and the carry-save representation of numbers. A highly modular, bit-slice based architecture has been designed for executing the algorithm in hardware. We also propose an FPGA-based implementation of the architecture developed. The characteristics of the algorithm, the regularity of the architecture, and the data-flow aware placement of the FPGA resources resulted in a considerable performance improvement, as compared to other implementations presented in the literature.

An Intrusion Detection System for Critical Information Infrastructures using Wireless Sensor Network technologies

Wireless Sensor Network (WSN) technology is being increasingly used for data collection in Critical Infrastructures (CIs). The paper presents an Intrusion Detection System (IDS), which is able to protect a CI from attacks directed to its WSN-based parts. By providing accurate and timely detection of malicious activities, the proposed IDS solution ultimately results in a dramatic improvement in terms of protection, since opportunities are given for performing proper remediation/reconfiguration actions, which counter the attack and/or allow the system to tolerate it. We present the basic ideas, discuss the main implementation issues, and perform a preliminary experimental campaign. Not only have experiments demonstrated the effectiveness of the proposed approach in protecting the system against two very serious attacks to WSNs (namely: sinkhole, and bogus packet), but they have also proved that the stringent requirements (in terms of limited availability of resources) which are typical of current state-of-the-art WSN technologies, are met.

FPGA-Based Implementation of a Serial RSA Processor

In this paper we present an hardware implementation of the RSA algorithm for public-key cryptography. The RSA algorithm consists in the computation of modular exponentials on large integers, that can be reduced to repeated modular multiplications. We present a serial implementation of RSA, which is based upon an optimized version of the RSA algorithm originally proposed by P.L. Montgomery (1985). The proposed architecture is innovative, and it widely exploits specific capabilities of Xilinx programmable devices. As compared to other solutions in the literature, the proposed implementation of the RSA processor has smaller area occupation and comparable performance. The final performance level is a function of the serialization factor We provide a thorough discussion of design tradeoffs, in terms of area requirements vs performance, for different values of the key length and of the serialization factor.

Adaptable Parsing of Real-Time Data Streams

Todays business processes are rarely accomplished inside the companies domains. More often they involve entities geographically distributed which interact in a loosely coupled cooperation. While cooperating, these entities generate transactional data streams, such as sequences of stock-market buy/sell orders, credit-card purchase records, Web server entries, and electronic fund transfer orders. Such streams are often collections of events stored and processed locally, and they thus have typically ad-hoc, heterogeneous formats. On the other hand, elements in such data streams usually share a common semantics and indeed they can be profitably mined in order to obtain combined global events. In this paper, we present an approach to the parsing of heterogeneous data streams based on the definition of format-dependent grammars and automatic production of ad-hoc parsers. The stream-dependent parsers can be obtained dynamically in a totally automatic way, provided that the appropriate grammar, written in a common format, is fed into the system. We also present a fully working implementation, that has been successfully integrated into a telecommunication environment for real-time processing of billing information flows

A Generic Intrusion Detection and Diagnoser System Based on Complex Event Processing

This work presents a generic Intrusion Detection and Diagnosis System, which implements a comprehensive alert correlation workflow for detection and diagnosis of complex intrusion scenarios in Large scale Complex Critical Infrastructures. The on-line detection and diagnosis process is based on an hybrid and hierarchical approach, which allows to detect intrusion scenarios by collecting diverse information at several architectural levels, using distributed security probes, as well as perform complex event correlation based on a Complex Event Processing Engine. The escalation process from intrusion symptoms to the identified target and cause of the intrusion is driven by a knowledge-base represented by an ontology. A prototype implementation of the proposed Intrusion Detection and Diagnosis framework is also presented.

A hierarchical approach for dependability analysis of a commercial cache-based RAID storage architecture

We present a hierarchical simulation approach for the dependability analysis and evaluation of a highly available commercial cache-based RAID storage system. The architecture is complex and includes several layers of overlapping error detection and recovery mechanisms. Three abstraction levels have been developed to model the cache architecture, cache operations, and error detection and recovery mechanism. The impact of faults and errors occurring in the cache and in the disks is analyzed at each level of the hierarchy. A simulation submodel is associated with each abstraction level. The models have been developed using DEPEND, a simulation-based environment for system-level dependability analysis, which provides facilities to inject faults into a functional behavior model, to simulate error detection and recovery mechanisms, and to evaluate quantitative measures. Several fault models are defined for each submodel to simulate cache component failures, disk failures, transmission errors, and data errors in the cache memory and in the disks. Some of the parameters characterizing fault injection in a given submodel correspond to probabilities evaluated from the simulation of the lower-level submodel. Based on the proposed methodology, we evaluate and analyze: the system behavior under a real workload and high error rate (focusing on error bursts); the coverage of the error detection mechanisms implemented in the system and the error latency distributions; and the accumulation of errors in the cache and in the disks.

A Weight-Based Symptom Correlation Approach to SQL Injection Attacks

Web applications are vulnerable to a variety of new security threats. SQL Injection Attacks (SQLIAs) are one of the most significant of such threats. Researchers have proposed a wide variety of anomaly detection techniques to address SQLIAs, but all existing solutions have limitations in terms of effectiveness and practicality. %In particular, We claim that the main cause of such limitations is reliance on a single detection model and/or on information generated by a single source. Correlation of information from diverse sources has been proven to be an effective approach for improving detection performance, i.e. reducing both the rate of false positives and the percentage of undetected intrusions. In order to do so, we collect symptoms of attacks against web-based applications at different architectural layers, and correlate them via a systematic approach that applies a number of different anomaly detection models to combine data from multiple feeds, which are located in different locations within the system, and convey information which is diverse in nature. Preliminary experimental results show that, by rearranging alerts based on knowledge about the ability of individual security probes of spotting a specific malicious action, the proposed approach does indeed reduce false positives rates and increase the detection coverage.

Exploring the design-space for FPGA-based implementation of RSA

Abstract In this paper, we present two alternative architectures for implementing the Rivest–Shamir–Adleman (RSA) algorithm on reconfigurable hardware. Both architectures are innovative, especially with respect to the implementation of modular multiplication. As to the area vs time trade-off, the two solutions are at the extremes of the design-space, since one adopts a word serial approach, while the other has a fully parallel organization. Based on the analysis of these architectures for different values of the serialization factor, we explore the design-space for the field-programmable gate array (FPGA)-based implementation of the RSA algorithm. We systematically analyze and compare the results of the two design processes with respect to two fundamental metrics, namely execution time and FPGA resource usage. We emphasize pros and cons and comment trade-offs of the two design alternatives.