
Publication


Featured research published by Roberto Di Pietro.


Journal of Network and Computer Applications | 2011

Secure virtualization for cloud computing

Flavio Lombardi; Roberto Di Pietro

Cloud computing adoption and diffusion are threatened by unresolved security issues that affect both the cloud provider and the cloud user. In this paper, we show how virtualization can increase the security of cloud computing, by protecting both the integrity of guest virtual machines and the cloud infrastructure components. In particular, we propose a novel architecture, Advanced Cloud Protection System (ACPS), aimed at guaranteeing increased security to cloud resources. ACPS can be deployed on several cloud solutions and can effectively monitor the integrity of guest and infrastructure components while remaining fully transparent to virtual machines and to cloud users. ACPS can locally react to security breaches as well as notify a further security management layer of such events. A prototype of our ACPS proposal is fully implemented on two current open source solutions: Eucalyptus and OpenECP. The prototype is tested against effectiveness and performance. In particular: (a) effectiveness is shown testing our prototype against attacks known in the literature; (b) performance evaluation of the ACPS prototype is carried out under different types of workload. Results show that our proposal is resilient against attacks and that the introduced overhead is small when compared to the provided features.


ACM Symposium on Applied Computing | 2010

Transparent security for cloud

Flavio Lombardi; Roberto Di Pietro

Large distributed systems such as clouds are increasingly becoming targets of attacks. Virtualization can be leveraged to increase the security of such systems by protecting the integrity of guest components. This paper discusses the integrity protection problem in the clouds and sketches a novel architecture, Transparent Cloud Protection System (TCPS) for increased security of cloud resources. TCPS can be tailored to different cloud flavors to monitor the integrity of guests and infrastructure components while remaining transparent to virtual machines.


ACM Symposium on Applied Computing | 2009

KvmSec: a security extension for Linux kernel virtual machines

Flavio Lombardi; Roberto Di Pietro

Virtualization is increasingly being used in regular desktop PCs, data centers and server farms. One of the advantages of introducing this additional architectural layer is to increase overall system security. In this paper we propose an architecture (KvmSec) that is an extension to the Linux Kernel Virtual Machine aimed at increasing the security of guest virtual machines. KvmSec can protect guest virtual machines against attacks such as viruses and kernel rootkits. KvmSec enjoys the following features: it is transparent to guest machines; it is hard to access even from a compromised virtual machine; it can collect data, analyze them, and act consequently on guest machines; it can provide secure communication between each of the guests and the host; and, it can be deployed on Linux hosts and at present supports Linux guest machines. These features are leveraged to implement a real-time monitoring and security management system. Further, differences and advantages over previous solutions are highlighted, as well as a concrete roadmap for further development.


ACM Transactions in Embedded Computing Systems | 2016

CUDA Leaks: A Detailed Hack for CUDA and a (Partial) Fix

Roberto Di Pietro; Flavio Lombardi; Antonio Villani

Graphics processing units (GPUs) are increasingly common on desktops, servers, and embedded platforms. In this article, we report on new security issues related to CUDA, which is the most widespread platform for GPU computing. In particular, details and proofs-of-concept are provided about novel vulnerabilities to which CUDA architectures are subject. We show how such vulnerabilities can be exploited to cause severe information leakage. As a case study, we experimentally show how to exploit one of these vulnerabilities on a GPU implementation of the AES encryption algorithm. Finally, we also suggest software patches and alternative approaches to tackle the presented vulnerabilities.


Computer Communications | 2011

Location privacy and resilience in wireless sensor networks querying

Roberto Di Pietro; Alexandre Viejo

Due to the wireless nature of communication in sensor networks, the communication patterns between sensors could be leaked regardless of the adoption of encryption mechanisms - those would just protect the message content. However, communication patterns could provide valuable information to an adversary. For instance, this is the case when sensors reply to a query broadcast by a Base Station (BS); an adversary eavesdropping on the communication traffic could realize which sensors are the ones that possibly match the query (that is, the ones that replied). This issue is complicated by the severely resource-constrained environment WSNs are subject to, which calls for efficient and scalable solutions. In this paper, we have addressed the problem of preserving the location privacy of the sensors of a wireless sensor network when they send a reply to a query broadcast by the BS. In particular, we deal with one of the worst scenarios for privacy: when sensors are queried by a BS to provide the MAX of their stored readings. We provide a probabilistic and scalable protocol to compute the MAX that enjoys the following features: (i) it guarantees the location privacy of the sensors replying to the query; (ii) it is resilient to an active adversary willing to alter the readings sent by the sensors; and, (iii) it allows trading off the accuracy of the result with (a small) overhead increase. Finally, extensive simulations support our analysis, showing the quality of our proposal.


Decision Support Systems | 2015

Fame for sale

Stefano Cresci; Roberto Di Pietro; Marinella Petrocchi; Angelo Spognardi; Maurizio Tesconi

Fake followers are those Twitter accounts specifically created to inflate the number of followers of a target account. Fake followers are dangerous for the social platform and beyond, since they may alter concepts like popularity and influence in the Twittersphere - hence impacting on economy, politics, and society. In this paper, we contribute along different dimensions. First, we review some of the most relevant existing features and rules (proposed by Academia and Media) for anomalous Twitter accounts detection. Second, we create a baseline dataset of verified human and fake follower accounts. Such baseline dataset is publicly available to the scientific community. Then, we exploit the baseline dataset to train a set of machine-learning classifiers built over the reviewed rules and features. Our results show that most of the rules proposed by Media provide unsatisfactory performance in revealing fake followers, while features proposed in the past by Academia for spam detection provide good results. Building on the most promising features, we revise the classifiers both in terms of reduction of overfitting and cost for gathering the data needed to compute the features. The final result is a novel Class A classifier, general enough to thwart overfitting, lightweight thanks to the usage of the less costly features, and still able to correctly classify more than 95% of the accounts of the original training set. We ultimately perform an information fusion-based sensitivity analysis, to assess the global sensitivity of each of the features employed by the classifier. The findings reported in this paper, other than being supported by a thorough experimental methodology and interesting on their own, also pave the way for further investigation on the novel issue of fake Twitter followers.


Computer Communications | 2008

A mechanism to enforce privacy in vehicle-to-infrastructure communication

Paolo Cencioni; Roberto Di Pietro

Privacy-related issues are crucial for the wide diffusion of Vehicular Communications (VC). In particular, traffic analysis is one of the subtler threats to privacy in VC. In this paper we first briefly review current work in literature addressing privacy issues and survey vehicular mobility models. Then we present VIPER: a Vehicle-to-Infrastructure communication Privacy Enforcement pRotocol. VIPER is inspired by solutions provided for the Internet (mix) and cryptography (universal re-encryption). The protocol is shown to be resilient to traffic analysis attacks and analytical results suggest that it also performs well with respect to key performance indicators: queue occupancy, message path length and message delivery time; simulation results support our analytical findings. Finally, a comprehensive analysis has been performed to assess the overhead introduced by our mechanism. Simulation results show that the overhead introduced by VIPER in terms of extra bits required, computations, time delay, and message overhead is feasible even for increasing requirements on the security of the underlying cryptographic mechanisms.


Computer Networks | 2013

Titans' revenge: Detecting Zeus via its own flaws

Marco Riccardi; Roberto Di Pietro; Marta Palanques; Jorge Aguilí Vila

Malware is one of the main threats to Internet security in general, and to commercial transactions in particular. However, given the high level of sophistication reached by malware (e.g. usage of encrypted payload and obfuscation techniques), malware detection tools and techniques still call for effective and efficient solutions. In this paper, we address a specific, dreadful, and widely diffused financial malware: Zeus. The contributions of this paper are manifold: first, we propose a technique to break the encrypted malware communications, extracting the keystream used to encrypt such communications; second, we provide a generalization of the proposed keystream extraction technique. Further, we propose Cronus, an IDS that specifically targets Zeus malware. The implementation of Cronus has been experimentally tested on a production network, and its high quality performance and effectiveness are discussed. Finally, we highlight some principles underlying malware - and Zeus in particular - that could pave the way for further investigation in this field.


Communications and Networking Symposium | 2014

A tunable proof of ownership scheme for deduplication using Bloom filters

Jorge Blasco; Roberto Di Pietro; Agustín Orfila; Alessandro Sorniotti

Deduplication is a widely used technique in storage services, since it affords a very efficient usage of resources - being especially effective for consumer-grade storage services (e.g. Dropbox). Deduplication has been shown to suffer from several security weaknesses, the most severe ones enabling a malicious user to obtain possession of a file it is not entitled to. Standard solutions to this problem require users to prove possession of data prior to its upload. Unfortunately, the schemes proposed in the literature are very taxing on either the server or the client side. In this paper, we introduce a novel solution based on Bloom filters that provides a flexible, scalable, and provably secure solution to the weaknesses of deduplication, and that overcomes the deficiencies of existing approaches. We provide a formal description of the scheme, a thorough security analysis, and compare our solution against multiple existing ones, both analytically and by means of extensive benchmarking. Our results confirm the quality and viability of our approach.


Computers & Security | 2012

A business-driven decomposition methodology for role mining

Alessandro Colantonio; Roberto Di Pietro; Nino Vincenzo Verde

It is generally accepted that role mining - that is, the discovery of roles through the automatic analysis of data from existing access control systems - must count on business requirements to increase its effectiveness. Indeed, roles elicited without leveraging on business information are unlikely to be intelligible by system administrators. A business-oriented categorization of users and permissions (e.g., organizational units, job titles, cost centers, business processes, etc.) could help administrators identify the job profiles of users and, as a consequence, which roles should be assigned to them. Nonetheless, most of the existing role mining techniques yield roles that have no clear relationship with the business structure of the organization where the role mining is being applied. To face this problem, we propose a methodology that allows role engineers to leverage business information during the role finding process. The key idea is decomposing the dataset to analyze into several partitions, in a way that each partition is homogeneous from a business perspective. Each partition groups users or permissions with the same business categorization (e.g., all the users belonging to the same department, or all the permissions that support the execution of the same business process). Such partitions are then role-mined independently, hence achieving three main results: (1) elicited roles have a clearer relationship with business information; (2) mining algorithms do not seek to find commonalities among users with fundamentally different job profiles or among uncorrelated permissions; and, (3) any role mining algorithm can be used in conjunction with our approach. When several business attributes are available, analysts need to figure out which one produces the decomposition that leads to the most intelligible roles. 
In this paper, we describe three indexes that drive the decomposition process by measuring the quality of a given decomposition: entrustability, minability gain, and similarity gain. We compare these indexes, pointing out pros and cons. Finally, we apply our methodology on real enterprise data, showing its effectiveness and efficiency in supporting role engineering.

Collaboration

Top co-authors of Roberto Di Pietro:

Flavio Lombardi, National Research Council
Angelo Spognardi, Technical University of Denmark
Vanesa Daza, Pompeu Fabra University
Eyüp S. Canlar, Sapienza University of Rome