Proposals for homeworks – and degree theses
Proposals for homeworks – and degree theses – for the Computer Security course (03GSD) of the Politecnico di Torino, academic year 2016-2017
Prof. Antonio Lioy < lioy @ polito.it >
version 3.2 of 8/2/2017

Homeworks
maximum mark: max 27 for the written report; max 3 for the oral presentation (optional)
report: in LaTeX (see the example on the website); about 20-30 pages
(optional) PPT slides for a short presentation on the topic (15-20')
homeworks can be handed in at any time, but to register the mark in a given session the following deadlines MUST STRICTLY be respected:
15/2/16 to register the mark in February 2016
27/6/16 to register the mark in July 2016
19/9/16 to register the mark in September 2016

Homework outline
meet the tutor to define the work plan
write down the work plan and send it to the tutor and the teacher for approval / information
send periodic updates to tutor and teacher: very concise; with reference to the work plan (already done / to be done); at least every 15 days
it is possible – and advisable – to hand in ONE (or max TWO) draft versions to receive comments from tutor and teacher, provided that the draft is handed in well ahead of the submission deadline
once the homework has been handed in it will no longer be possible to correct any shortcomings
teacher / tutors NOT available in the month of August

Report
introduction and state of the art
description of the new technique / solution analysed
advantages and disadvantages
residual risks
(if applicable) experimental analysis of performance
if the homework involved developing or using code: user manual (how to install and use it); programmer's manual (program logic, data and functions, how to build the executable)
bibliography / list of web sources
IT MUST DEMONSTRATE KNOWLEDGE OF THE COURSE TOPICS … but without useless repetitions

Assignment procedure
contact the tutor of the homework beforehand to evaluate: interest in the topic; pre-requisites
homeworks already assigned are marked with one or more X in the title (one X for each person to whom it has been assigned, up to the maximum number of students indicated for the homework; when the maximum number of students is not indicated it is assumed to be one)

Notes on homeworks carried out by more than one person
the role of each person must be clearly highlighted and individually assessable
at the same time the added value of having carried out the homework in collaboration must also be clear, with some part in common (e.g. an introductory study or the experimental part)

Homework and degree thesis
the homework can be the first chapter of a degree thesis
say so before starting the homework, so that it is set up in the right way from the beginning
in this case do not choose a homework but choose a thesis project and contact the teacher for a specific topic within the project
all the theses associated with European research projects may lead (after graduation) to: an internship/job at one of the industrial partners; a PhD

Final notes
pay attention to the updates of this document (theses/homeworks already assigned, addition of new topics)
each version is identified as X.Y (major.minor)
the major number changes when new topics are added
the minor number changes when a topic is assigned to a student
anyone interested in security who does not find a suitable topic in this list (really?) may try to propose a new topic

Possible research projects for thesis

Research projects (I)
SHIELD project (www.shield-h2020.eu)
EU project for using SDN, NFV, and TC to create a virtualized secure and trusted network infrastructure for various use cases such as: protection of an Intranet; outsourced network management
partners: POLITO, Telefonica, HP, …
possible subjects: security policies (specification, management and translation); automatic network and system configuration of security parameters; security optimization; trusted network connections; trusted execution environment (based on virtual machines); remote attestation
requirements: C or Java programming
environment: Linux (preferred) or Windows
contact: LIOY / [email protected] / 011 0907021

Trusted Computing, i.e. what is my trust foundation?
in my network are there only my computers?
my computers are running only the sw selected by me?
is the sw configured in the proper way?
when I use a public network (e.g. Internet) rather than a private network, am I really connected to the expected node?
when I am connected to a server, how can I verify its application sw is the “good” one or it has been altered?
TRUST & INTEGRITY
answers: Trusted Computing (and Trusted Network Connection); TPM for desktop, MTM for mobile (or equivalent solutions); TC-enhanced Linux + trusted virtualization; remote attestation & TLS

Components of a TC system
local / remote attestation: proof of configuration (whole sw stack)
secure I/O: towards the user; among various components
isolation: execution in separate domains / compartments / environments
protected memory: hw key container; data encryption; data sealing

Research projects (II)
ASPIRE project (www.aspire-fp7.eu)
research objectives: remote software attestation; software optimization; empirical analysis of software protection
remote attestation: develop a framework to add remote attestation functionality to an existing program; investigate new criteria for attesting software
formal model of software attacks and protection: models to understand how to protect a software (given the assets; given attacks and software protection dependencies)
optimization of software protection: given the formal model, define optimization programs to select which is the best way to protect a software

ASPIRE Consortium

Research projects (III)
FICEP project for connecting the Italian e-ID system to the EU e-ID interoperability architecture (eIDAS)
possible subjects: digital identity (SAML, XACML, id federation); public-key certificates, digital signatures, PKI; e-ID implementation (smart-card, smartphones, NFC, …); e-government applications
requirements: Java programming; web programming
environment: Linux (preferred) or Windows
contact: LIOY / [email protected] / 011 0907021

Possible homeworks and thesis (in addition to the thesis subjects associated to the research projects)

Hacking tools (homework or thesis) [ X – ]
tutor: LIOY / [email protected] / 011 0907021
topic: evaluate open-source testing and hacking tools; create guidelines for security testing with open-source tools
people: up to 4 (homework) = Dario Platania, Carmelo Riolo; up to 2 (thesis)
sample references:
https://www.concise-courses.com/hacking-tools/top-ten/
https://www.hackread.com/top-14-best-hacking-tools/
http://sectools.org/
other tools that you will find (e.g. those that are part of Kali Linux)
outline: read documentation, experiment with the tools, and write the report
required skills: Linux user; for some tools specific scripting languages (e.g. python, Lua)

Security best practices (homework or thesis) [ X ]
tutor: LIOY / [email protected] / 011 0907021
topic: analyze best practices suggested by various bodies; suggest and experiment with open-source tools to implement best practices
people: up to 2 (homework) or 1 (thesis); Cassese (thesis)
sample references:
http://www.agid.gov.it/sites/default/files/documentazione/misure_minime_di_sicurezza_v.1.0.pdf
http://www.mass.gov/anf/research-and-tech/cyber-security/security-for-stateemployees/risk-assessment/risk-assessment-guideline.html
http://www.cybersecurityframework.it/
https://www.nist.gov/cyberframework
other guidelines from various bodies
outline: read documentation, find appropriate support tools, experiment, and write report
required skills: various

Security automation (homework or thesis)
tutor: LIOY / [email protected] / 011 0907021
topic: analyze various standards in the SCAP framework (e.g.
CVE, CVSS, OVAL) to evaluate operational risks; experimental evaluation of open-source tools (or development for thesis) to implement various SCAP components
people: up to 2 (homework) or 1 (thesis)
sample references:
http://csrc.nist.gov/publications/drafts/800-126-rev3/sp800_126_r3_draft.pdf
https://www.open-scap.org/
outline: read documentation, experiment with the tools, and write the report
required skills: various

Advances in TLS / HTTP security (homework) [ X – ]
tutor: LIOY / [email protected] / 011 0907021
topic: HTTP Strict Transport Security (STS); Extended Validation (EV) certificates; HTTP Public Key Pinning; other advances …
people: 1-2 = BONINA Biagio + ?
sample references:
IETF TLS WG = https://datatracker.ietf.org/wg/tls/charter/
https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
https://blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09Marlinspike-Defeating-SSL.pdf
https://en.wikipedia.org/wiki/Extended_Validation_Certificate
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
outline: read documentation, experiment (if supported by browsers) and write the report
required skills: HTTP, TLS

Evolution of X.509 / PKIX (homework) [ X ]
tutor: LIOY / [email protected] / 011 0907021
topic: IETF evolution of the X.509 certificates
people: 1 = CUCCI Luca
outline: analyze most important documents by the PKIX WG; describe features of certificates and related management protocols; perform experiments, whenever possible
required skills: TCP/IP, X.509, asymmetric cryptography
references: https://datatracker.ietf.org/wg/pkix/documents/

eIDAS signatures, seals, … (homework)
tutor: LIOY / [email protected] / 011 0907021; BERBECARU / [email protected] / 011 0907081
topic: technical aspects of the eIDAS EU regulation (e-signature part): advanced e-sig, qualified e-sig, qualified cert, time-stamps, seals, trust services
people: up to 2
outline: describe the technical solutions adopted by eIDAS and related technical standards by ETSI; evaluate
pros and cons; compare to state-of-the-art
required skills: asymmetric cryptography, X.509 certificates, TLS
references: https://en.wikipedia.org/wiki/EIDAS + …

IETF security (homework)
tutor: LIOY / [email protected] / 011 0907021
topic: trends on security aspects of Internet; look at the current active security WGs at IETF and find an interesting one (https://datatracker.ietf.org/wg/#sec)
people: up to 4
outline: describe the problem addressed by the WG; describe the approach, solutions, activities; compare to state-of-the-art
required skills: depend upon the selected WG
references: https://datatracker.ietf.org/wg/#sec

Electronic identity (homework or thesis)
tutor: LIOY / [email protected] / 011 0907021; BERBECARU / [email protected] / 011 0907081; SMIRAGLIA / [email protected] / 011 0907192
topic: OpenID Connect = http://openid.net/connect/; WebID = https://www.w3.org/wiki/WebID; SCIM = http://www.simplecloud.info/; other necessary components (e.g. WebFinger)
people: up to 4 (if homework) or 2 (if thesis)
outline: analyze the technical aspects of the selected e-ID system; compare to state-of-the-art; implement a testbed with available open-source components
required skills: cryptography, X.509 certificates, TLS
references: see above

Modern secure and trusted networks (thesis)
tutor: LIOY / [email protected] / 011 0907021
topic: creation of a trusted and secure L2 / L3 network overlay … using trusted computing and the new MACsec standard (IEEE 802.1AE) … for application with traditional router/switches as well as SDN ones; cooperation with HP Labs (Bristol, UK) and Telefonica (ES), as part of SHIELD
people: up to 2
outline: study IEEE 802.1AE, IPsec, and remote attestation; design an architecture for a secure and trusted overlay; implement the architecture
required skills: TCP/IP, packet capture, C programming, system programming

Security of IoT (homework) [ X X ]
tutor: LIOY / [email protected] / 011 0907021
collaboration with Prof.
CORNO
topic: analysis of security issues in IoT networks (Zigbee, Z-Wave, BT-LE, …); analysis of security issues in IoT communication towards the cloud/app; analysis of security proposals for IoT; experimental evaluation of IoT security on some available devices
people: 1-2 = GIOBERGIA Flavio (ZigBee) + AMATO Mario (BT)
required skills: attendance of Prof. Corno's course

Security of IoT (thesis)
tutor: LIOY / [email protected] / 011 0907021
collaboration with Prof. CORNO
topic: analysis of security problems in IoT; analysis of security proposals for IoT; design and implementation of security solution for IoT
people: 1-2
required skills: attendance of Prof. Corno's course

SAML 2.0 Holder of Key profile in eIDAS (homework)
tutor: BERBECARU / [email protected] / 011 0907081
topic: support for a strong security profile (SAML 2.0 HoK) in a pan-European eID infrastructure to protect against MiTM and MiTB attacks
people: 1
example references: eIDAS technical specification; eIDAS reference implementation
outline: description of SAML 2.0 HoK profile; implementation of SAML 2.0 HoK profile in an eIDAS node; analysis and discussion of pros and cons in adopting HoK profile (e.g.
with respect to other security solutions)
required skills: Java

SAML 2.0 Holder of Key profile in Shibboleth and SimpleSAMLphp (homework)
tutor: BERBECARU / [email protected] / 011 0907081
topic: support for a strong security profile (SAML 2.0 HoK) in Shibboleth
people: 1
example references: Shibboleth = https://shibboleth.net/; SimpleSAMLphp = https://simplesamlphp.org/
outline: description of SAML 2.0 HoK profile; installation of Shibboleth and SimpleSAMLphp (latest versions); document the implementation of SAML 2.0 HoK profile in Shibboleth and SimpleSAMLphp; perform interoperability tests Shibboleth/SimpleSAMLphp (if applicable)
required skills: Java

European Trusted Lists (homework)
tutor: BERBECARU / [email protected] / 011 0907081
topic: document the format of European (EU) Trusted Lists, the services supported and the tools that may be employed to generate/manipulate such lists automatically
people: 1
example references: EU TL manager = https://joinup.ec.europa.eu/software/tlmanager/home; ETSI TS 102 231 (V.3.1.2)
outline: description of the EU Trusted Lists; analysis of the EU Trusted Lists published by the EU countries; document the services supported; tools for EU Trusted List creation and manipulation: state-of-the-art, installation and testing
required skills: Java

Certificate validation (homework) [ X ]
tutor: BERBECARU / [email protected] / 011 0907081
topic: analysis of the current state in website certificate validation
people: 1 = VISENTIN Davide
example references: RFC-5280; papers on certificate validation (provided)
outline: description of the (complete) certificate validation process: steps, parties involved; attacks and incidents affecting certificate validation: issuing rogue certificates (e.g. as done by Verisign, Comodo, DigiNotar), revocation checking (OCSP/CRL and support for them in browsers), and so on; investigate, document and test countermeasures: e.g.
in some browsers (like Firefox) some tools/add-ons can be used to support certificate validation, e.g. Certificate Patrol, CertLock, Conspiracy, Doublecheck, while in others it is possible to adopt stricter validation policies like certificate and CA pinning in Chrome

Data models for NSF description
tutor: BASILE / [email protected] / 011 0907173; VALENZA / [email protected] / 011 0907192
topic: NSF, network security policies, modelling, NFV
people: 1
example references: Netconf/Yang, Tosca, SID, OVF; https://datatracker.ietf.org/doc/draft-baspez-i2nsf-capabilities/
project (details to be agreed with the tutor): analysis of the NFV description languages; selection of the best language to model the NSFs; extensions to support the advanced policy management services (SECURED)
required skills: XML/XSD, JSON, UML

Policy driven NSFs provisioning
tutor: BASILE / [email protected] / 011 0907173; VALENZA / [email protected] / 011 0907192
topic: NSF, security policies, optimization, NFV
people: 1
example references:
http://link.springer.com/chapter/10.1007/978-3-319-25360-2_6#page-1
http://link.springer.com/article/10.1007/s10922-014-9307-7
project (details to be agreed with the tutor): definition of innovative optimization models for NSF allocations that also consider security policy information; integration in a real NFV Management and Orchestrator (MANO)
required skills: attitude to mathematical modelling, optimization models; Java, Linux (advanced sysadmin knowledge), XML/XSD, JSON, UML

Conflict analysis for SDN/NFV languages
tutor: BASILE / [email protected] / 011 0907173; VALENZA / [email protected] / 011 0907192
topic: NSF, security policies, conflict analysis, NFV/SDN
people: 1
example references:
http://onlinelibrary.wiley.com/doi/10.1002/nem.1917/full
http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6912577
project (details to be agreed with the tutor): analysis of the SDN/NFV specification languages; definition of conflict classification models; integration in a real NFV
architecture
required skills: Java, Linux (advanced sysadmin knowledge), XML/XSD, JSON, UML; attitude to mathematical modelling

SECURED services from OpenMano to OpenSourceMano
tutor: BASILE / [email protected] / 011 0907173; VALENZA / [email protected] / 011 0907192
topic: NSF, NFV, SDN, MANO
people: 1
example references:
https://github.com/nfvlabs/openmano
https://osm.etsi.org/
project (details to be agreed with the tutor): analysis of the OpenSourceMano initiative; analysis of SECURED services currently deployed in OpenMANO; porting of services from OpenMANO to OpenSourceMANO
required skills: Java, Linux (basic sysadmin knowledge)

VANET tools (thesis) [ X – ]
tutor: BASILE / [email protected] / 011 0907173, with Panos Papadimitratos from KTH Stockholm
topic: VANET (Vehicular Ad hoc NETwork) is an emerging standard. It may offer new services to drivers; on the other hand it may create privacy issues; a privacy solution has been proposed using pseudonyms; location information can be used to exploit new services
people: 1-2 = Bruccolieri + …
references: selected documents (papers + project internal documents)
project (details to be agreed with the tutor): defining the threat model for VANET applications using location info; provide new Apps (services) based on location (accident reconstruction, road policy violations)

Automatic analysis of Software Attacks [ X ]
tutor: BASILE / [email protected] / 011 0907173; CANAVESE / [email protected] / 011 0907192
topic: software risk analysis, software attacks
people: 1 = Maietta
example references:
https://www.researchgate.net/publication/308277481_Towards_Automatic_Risk_Analysis_and_Mitigation_of_Software_Applications?ev=prf_pub
https://www.researchgate.net/publication/308837378_Automatic_Discovery_of_Software_Attacks_via_Backward_Reasoning
project (details to be agreed with the tutor): definition of automatic methods to discover software attacks against application assets; extension of the previous models
required skills: Java
attitude to mathematical modelling

Automatic software analysis for software protection
tutor: BASILE / [email protected] / 011 0907173; CANAVESE / [email protected] / 011 0907192
topic: software risk analysis, SW protection, decision support
people: 1
example references: confidential material that will be shared with the selected candidate
project (details to be agreed with the tutor): analysis of software applications with static and analysis tools; classification of and reasoning about extracted information; use of the extracted information for software protection purposes (e.g., to propose better protections or for a more effective enforcement of a protection)
required skills: Java, C, Linux (basic sysadmin knowledge)

VM monitoring by using network IDS (thesis)
tutor: VALLINI/SMIRAGLIA/DE BENEDICTIS ([email protected] /7192)
topic: problem: monitoring the network behavior of a virtual machine to dynamically detect misconfigurations and unwanted communications; trace and classify network traffic of a virtual machine by defining high-level policies; forensics activities (configurable network tracing)
people: 1-2
references: selected documents (papers + howtos)
project (details to be agreed with the tutor):
(1) analysis of available open source network IDS (Snort, Suricata, BRO) and rule-based configuration (to trace network traffic)
(2) define a set of high-level policies useful to trace network behavior
(3) develop a methodology and a prototype to generate IDS configuration starting from high-level policies
requirements: high-level skills on managing GNU/Linux OS and network configuration

VM monitoring by using host IDS (thesis)
tutor: VALLINI/SMIRAGLIA/DE BENEDICTIS ([email protected] /7192)
topic: problem: monitoring the host behavior of a virtual machine to dynamically detect misconfigurations and attacks; trace and identify file changes (integrity), running processes, etc.
of a virtual machine by defining high-level policies; forensics activities (configurable network tracing)
people: 1
references: selected documents (papers + howtos)
project (details to be agreed with the tutor):
(1) analysis of available open source host IDS (OSSEC, Aide, md5deep) and rule-based configuration
(2) define a set of high-level policies useful to trace behavior
(3) develop a methodology and a prototype to generate host IDS configuration starting from high-level policies
requirements: high-level skills on managing GNU/Linux OS

Monitoring and profiling with logs (thesis)
tutor: VALLINI/SMIRAGLIA/DE BENEDICTIS ([email protected] /7192)
topic: collection of logs from cloud-like infrastructures; integration of logging management framework with IDS and IPS; (real time) analysis of logs in order to monitor and profile computing and network units (e.g. virtual machines, router, firewall)
people: 1-2
references: selected documents (papers + howtos)
project (details to be agreed with the tutor):
(1) analysis of available open source logging frameworks (e.g. ELK, Graylog)
(2) definition of high-level policies to manage and deploy the configuration of the logging in the whole environment
(3) definition of high-level policies to monitor and profile the environment units
(4) implementation of the adaptation layers (if needed)
requirements: expert on managing GNU/Linux OS; programming and scripting languages (e.g. Python, Ruby, Bash, Java)

Adaptive mobile malware identification
tutor: ATZENI / [email protected] / 011 0907173
topic: mobile malicious developers often combine portions of code from available samples to create new malware variants and exploit available knowledge from open repository and online antivirus to make the identification harder. The goal of the thesis is to develop an identification methodology to counteract these mobile malware anti-identification techniques.
people: 1-2; possible co-work with Telecom
references:
[1] Graziano et al., "Needles in a haystack: mining information from public dynamic analysis sandboxes for malware intelligence." In 24th USENIX Security Symposium (USENIX Security 15), pp. 1057-1072. 2015
[2] https://koodous.com
outline: 1) analysis and test of state-of-the-art identification methodologies, 2) design, implementation and testing of a methodology to adapt to malware evolution.
required skills: Android (app and system level)

Usable security (thesis)
tutor: ATZENI / [email protected] / 011 0907173
topic: Since end users are largely unaware of security principles, many security issues are caused by usability problems. The purpose of this thesis is to identify usability issues in widespread security procedures and tools, define a benchmarking methodology to assess usability in security, and propose policies to develop secure and usable products
people: 1-2; possible co-work with Bournemouth University
example reference: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.89.6079&rep=rep1&type=pdf (+ selected documents to be discussed with the tutor)
outline: analysis of state-of-the-art in usability evaluation of security, selection of target security tools and procedures, analysis of selected items, synthesis and refinement of available evaluation methodology, definition of policy and rules to avoid usable security pitfalls.
preferred skills: usability, human-computer interaction, interest in cognitive science

SSG – Security Serious Games (thesis)
tutor: ATZENI / [email protected] / 011 0907173
topic: serious games are a recent tendency to exploit games for specific training. Even though some serious games have been developed in the field of security (e.g. Computer Forensics), the security field has still not been addressed.
The purpose of the thesis is to apply serious game methodology to develop a proof-of-concept security serious game
people: 1-2; possible co-work with Bournemouth University
references: selected documents to be discussed with the tutor (past theses and homeworks on the matter)
outline: design of the game requirements (goals, user models); development of the proof of concept; experimental evaluation
required skills: programming
preferred skills: browser-based development, knowledge of the Unity framework

Scenario-based authorisation framework (thesis)
tutor: ATZENI / [email protected] / 011 0907173
topic: this thesis aims to develop a flexible and context-aware authorization system, exploiting a model of the scenario in which the authorization must be granted (developed in CAIRIS) and an extensible on-line authorization framework (SAFAX)
people: 1-2; possible co-work with Bournemouth University and Eindhoven University of Technology (TU/e)
references: CAIRIS: http://cairis.org/; SAFAX: http://security1.win.tue.nl/safax/ (+ selected documents to be discussed with the tutor)
outline: definition of scenarios of usage, development and implementation (using CAIRIS and SAFAX compatible workflow), comparison with other authorization framework solutions.
required skills: programming
preferred skills: modelling, authZ framework

eIDAS Shibboleth (thesis) [ X ]
tutor: ATZENI / [email protected] / 011 0907173; SMIRAGLIA / [email protected] / 011 0907192
topic: Shibboleth is a world-wide federated identity solution, flexible and open source. eIDAS is a European regulation for electronic identification and signature, allowing different EU countries to federate their authentication systems. The aim of this thesis is the enrichment of the eIDAS infrastructure (e.g. adding an attribute provider) adopting Shibboleth components.
people: 1 = Pellone
references:
https://joinup.ec.europa.eu/software/cefeid/document/eidas-technicalspecifications-v10
https://shibboleth.net/
outline: analysis of the latest Shibboleth version; understanding of the eIDAS technical specification; development of Shibboleth modules
required skills: SAML, Java

Testing of authentication mechanisms (homework)
tutor: ATZENI / [email protected] / 011 0907173; SMIRAGLIA / [email protected] / 011 0907192
topic: This homework aims to install and test modern authentication procedures and tools (based, for example, on Google Authenticator, OATH, FIDO, …)
people: 1-2
example references: open authentication initiative (https://openauthentication.org/); YubiKey (https://www.yubico.com/products/yubikey-hardware/)
outline: selection of relevant authentication mechanisms; set-up of authentication mechanisms; usability and performance test of authentication mechanisms

Android’s apps obfuscation (thesis)
tutor: ATZENI / [email protected] / 011 0907173
topic: many obfuscation techniques exist in various OS (widely used, for example, in malware applications). This work aims to compare Android current situation versus desktop OS and evolve mobile current techniques, challenging present mobile detection tools.
people: 1; possible co-work with Telecom
references: selected documents (malware obfuscation techniques and malware analysis tools review)
outline: state of the art (about Android obfuscation techniques, e.g.
in malware apps); practical test of existing obfuscation techniques versus detection tools; development and test of novel Android obfuscation techniques
required skills: Android (app and system level), programming

Android’s mobile application danger level evaluator (thesis)
tutor: ATZENI / [email protected] / 011 0907173
topic: This thesis aims to enrich a framework for analysis and evaluation of Android applications dangerousness, integrating and evolving Android apps evaluation techniques, both on-line and off-line, in a practical apps analysis toolkit.
people: 1; possible co-work with Telecom
references: selected documents (previous thesis done on this aspect)
outline: analysis of the state-of-the-art for application security evaluation; development, implementation, testing and integration of different modules to analyse apps
required skills: Android (app and system level), programming

Security analysis of NFC tickets [X]
tutor: LIOY / [email protected] / 011 0907021
topic: are NFC tickets really secure?
people: 1 = SANFILIPPO FRITTOLA Marco
references: NFC datasheets
outline: analysis of NFC tickets security issues and possible solutions
required skills: Android (app and system level), Java programming, NFC

Remote attestation of Docker containers [X]
tutor: LIOY / [email protected] / 011 0907021
topic: extend remote attestation to support Docker containers
people: 1 = VALLONE Fabio
references: documentation about RA, Docker, and EBPF
outline: adapt RA to work with the latest version of Docker; evaluate EBPF to perform attestation and (possibly) policy enforcement; evaluate techniques to perform run-time attestation
required skills: Linux and Docker internals