
LUCA FERRETTI

Fixed-term researcher (art. 24 c. 3 lett. B) at: Dipartimento di Scienze Fisiche, Informatiche e Matematiche, former Mathematics site




Publications

2021 - Verifiable and auditable authorizations for smart industries and industrial Internet-of-Things [Journal article]
Ferretti, L.; Longo, F.; Merlino, G.; Colajanni, M.; Puliafito, A.; Tapas, N.
abstract

Modern industrial systems are enriched by cyber–physical devices and interconnections with business processes that enable flexible production, remote monitoring, control and maintenance. These systems are typically subject to multiple authorities which must cooperate with each other, as in the case of segmented industrial environments and supply chains. In similar contexts, voluntary or unintentional damages may be caused by cyber attacks or by misbehaving authorized parties. We propose an original architecture that regulates accesses to industrial systems’ resources through authorization delegation procedures. It guarantees several benefits that include the possibility of auditing authorizations released by delegated third parties, of detecting misconducts and possible attacks, and of assuring attribution of misconducts. The proposed solution is compatible with constraints characterizing industrial environments and with security and performance requirements of industrial architectures. The performance and latencies of the auditing mechanisms are evaluated through a prototype.


2020 - An experimental analysis of ECQV implicit certificates performance in VANETs [Conference proceedings paper]
Pollicino, F.; Stabili, D.; Ferretti, L.; Marchetti, M.
abstract

Emerging Cooperative Intelligent Transportation Systems (C-ITS) enable improved driving experience and safety guarantees, but require secure Vehicular Ad-hoc NETworks (VANETs) that must comply with strict performance constraints. Specialized standards have been defined to these aims, such as the IEEE 1609.2 that uses network-efficient cryptographic protocols to reduce communication latencies. The reduced latencies are achieved through a combination of the Elliptic Curve Qu-Vanstone (ECQV) implicit certificate scheme and the Elliptic Curve Digital Signature Algorithm (ECDSA), to guarantee data integrity and authenticity. However, literature lacks implementations and evaluations for vehicular systems. In this paper, we consider the IEEE 1609.2 standard for secure VANETs and investigate the feasibility of ECQV and ECDSA schemes when deployed in C-ITSs. We propose a prototype implementation of the standard ECQV scheme to evaluate its performance on automotive-grade hardware. To the best of our knowledge, this is the first open implementation of the scheme for constrained devices that are characterized by low computational power and low memory. We evaluate its performance against C-ITS communication latency constraints and show that, although even highly constrained devices can support the standard, complying with stricter requirements demands higher computational resources.


2019 - Addressing Adversarial Attacks Against Security Systems Based on Machine Learning [Conference proceedings paper]
Apruzzese, Giovanni; Colajanni, M.; Ferretti, Luca; Marchetti, M.


2019 - Efficient License Management Based on Smart Contracts Between Software Vendors and Service Providers [Conference proceedings paper]
Magnanini, Federico; Ferretti, Luca; Colajanni, Michele


2019 - Fog-based secure communications for low-power IoT devices [Journal article]
Ferretti, L.; Marchetti, M.; Colajanni, M.
abstract

Designing secure, scalable, and resilient IoT networks is a challenging task because of resource-constrained devices and no guarantees of reliable network connectivity. Fog computing improves the resiliency of IoT, but its security model assumes that fog nodes are fully trusted. We relax this latter constraint by proposing a solution that guarantees confidentiality of messages exchanged through semi-honest fog nodes thanks to a lightweight proxy re-encryption scheme. We demonstrate the feasibility of the solution by applying it to IoT networks of low-power devices through experiments on microcontrollers and ARM-based architectures.


2018 - A symmetric cryptographic scheme for data integrity verification in cloud databases [Journal article]
Ferretti, Luca; Marchetti, Mirco; Andreolini, Mauro; Colajanni, Michele
abstract

Cloud database services represent a great opportunity for companies and organizations in terms of management and cost savings. However, outsourcing private data to external providers leads to risks of confidentiality and integrity violations. We propose an original solution based on encrypted Bloom filters that addresses the latter problem by allowing a cloud service user to detect unauthorized modifications to his outsourced data. Moreover, we propose an original analytical model that can be used to minimize storage and network overhead depending on the database structure and workload. We assess the effectiveness of the proposal as well as its performance improvements with respect to existing solutions by evaluating storage and network costs through micro-benchmarks and the TPC-C workload standard.


2018 - Analyses of secure automotive communication protocols and their impact on vehicles life-cycle [Conference proceedings paper]
Stabili, D.; Ferretti, L.; Marchetti, M.
abstract

Modern vehicles are complex cyber physical systems where communication protocols designed for physically isolated networks are now employed to connect Internet-enabled devices. This unforeseen increase in connectivity creates novel attack surfaces, and exposes safety-critical functions of the vehicle to cyber attacks. As standard security solutions are not applicable to vehicles due to resource constraints and compatibility issues, research is proposing tailored approaches to cope with existing systems and to design next generations vehicles. In this paper we focus on solutions based on cryptographic protocols to protect in-vehicle communications and prevent unauthorized manipulation of the vehicle behaviors. Existing proposals consider vehicles as monolithic systems and evaluate performance and costs of the proposed solutions without considering the complex life-cycle of automotive components and the multifaceted automotive ecosystem that includes a large number of actors. The main contribution of this paper is a study of the impact of security solutions by considering vehicles life-cycle. We model existing proposals and highlight their impacts on vehicles production and maintenance operations by taking into consideration interactions among multiple players. Finally, we give insights on the requirements of architectures for secure intra-vehicular protocols.


2018 - Message from the siw 2018 workshop chairs [Conference proceedings paper]
Bringer, J.; Ferretti, L.; Marchetti, M.


2018 - On the effectiveness of machine and deep learning for cyber security [Conference proceedings paper]
Apruzzese, G.; Colajanni, M.; Ferretti, L.; Guido, A.; Marchetti, M.


2017 - Verifiable Delegated Authorization for User-Centric Architectures and an OAuth2 Implementation [Conference proceedings paper]
Ferretti, Luca; Marchetti, Mirco; Colajanni, Michele
abstract

Delegated authorization protocols have become wide-spread to implement Web applications and services, where some popular providers managing people identity information and personal data allow their users to delegate third party Web services to access their data. In this paper, we analyze the risks related to untrusted providers not behaving correctly, and we solve this problem by proposing the first verifiable delegated authorization protocol that allows third party services to verify the correctness of users data returned by the provider. The contribution of the paper is twofold: we show how delegated authorization can be cryptographically enforced through authenticated data structures protocols, we extend the standard OAuth2 protocol by supporting efficient and verifiable delegated authorization including database updates and privileges revocation.


2016 - Guaranteeing correctness of bulk operations in outsourced databases [Conference proceedings paper]
Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco
abstract

The adoption of public cloud services, as well as other data outsourcing solutions, raises concerns about confidentiality and integrity of information managed by a third party. By focusing on data integrity, we propose a novel protocol that allows cloud customers to verify the correctness of results produced by key-value databases. The protocol is designed for supporting efficient insertion and retrieval of large sets of data through bulk operations in read and append-only workloads. In these contexts, the proposed protocol improves state-of-the-art by reducing network overheads thanks to an original combination of aggregate bilinear map signatures and extractable collision resistant hash functions.


2016 - Implementation of Verified Set Operation Protocols Based on Bilinear Accumulators [Conference proceedings paper]
Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco
abstract

This paper proposes an efficient protocol for verifiable delegation of computation over outsourced set collections. It improves state of the art protocols by using asymmetric bilinear pairing settings for improved performance with respect to previous proposals based on symmetric settings. Moreover, it extends update operations by supporting efficient modifications over multiple sets. With respect to previous work the proposed protocol has a modular design, that clearly identifies its main building blocks and well-defined interfaces among them. This novel conceptualization allows easier auditing of the protocol security properties and serves as the blueprint of a novel implementation that is released publicly (https://weblab.ing.unimore.it/people/ferretti/versop/). To the best of our knowledge, this is the first public implementation of a protocol for verifiable sets operations.


2015 - Enforcing Correct Behavior without Trust in Cloud Key-Value Databases [Conference proceedings paper]
Andreoli, Andrea; Ferretti, Luca; Marchetti, Mirco; Colajanni, Michele
abstract

Traditional computation outsourcing and modern cloud computing are affected by a common risk of distrust between service requestor and service provider. We propose a novel protocol, named Probus, that offers guarantees of correct behavior to both parts without assuming any trust relationship between them in the context of cloud-based key-value databases. Probus allows a service requestor to have evidence of cloud provider misbehavior on its data, and a cloud provider to defend itself from false accusations by demonstrating the correctness of its operations. Accusation and defense proofs are based on cryptographic mechanisms that can be verified by a third party. Probus improves the state-of-the-art by introducing novel solutions that allow for efficient verification of data security properties and by limiting the overhead required to provide its security guarantees. Thanks to Probus it is possible to check the correctness of all the results generated by a cloud service, thus improving weaker integrity assurance based on probabilistic verifications that are adopted by related work.


2014 - Distributed, concurrent and independent access to encrypted cloud databases [Journal article]
Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco
abstract

Placing critical data in the hands of a cloud provider should come with the guarantee of security and availability for data at rest, in motion, and in use. Several alternatives exist for storage services, while data confidentiality solutions for the database as a service paradigm are still immature. We propose a novel architecture that integrates cloud database services with data confidentiality and the possibility of executing concurrent operations on encrypted data. This is the first solution supporting geographically distributed clients to connect directly to an encrypted cloud database, and to execute concurrent and independent operations including those modifying the database structure. The proposed architecture has the further advantage of eliminating intermediate proxies that limit the elasticity, availability, and scalability properties that are intrinsic in cloud-based solutions. The efficacy of the proposed architecture is evaluated through theoretical analyses and extensive experimental results based on a prototype implementation subject to the TPC-C standard benchmark for different numbers of clients and network latencies.


2014 - Efficient detection of unauthorized data modification in cloud databases [Conference proceedings paper]
Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco; Missiroli, Marcello
abstract

Cloud services represent an unprecedented opportunity, but their adoption is hindered by confidentiality and integrity issues related to the risks of outsourcing private data to cloud providers. This paper focuses on integrity and proposes an innovative solution that allows cloud tenants to detect unauthorized modifications to outsourced data while minimizing storage and network overheads. Our approach is based on encrypted Bloom filters, and is designed to allow efficient integrity verification for databases stored in the cloud. We assess the effectiveness of the proposal as well as its performance improvements with respect to existing solutions by evaluating storage and network costs.


2014 - Performance and cost evaluation of an adaptive encryption architecture for cloud databases [Journal article]
Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco
abstract

The cloud database as a service is a novel paradigm that can support several Internet-based applications, but its adoption requires the solution of information confidentiality problems. We propose a novel architecture for adaptive encryption of public cloud databases that offers an interesting alternative to the trade-off between the required data confidentiality level and the flexibility of the cloud database structures at design time. We demonstrate the feasibility and performance of the proposed solution through a software prototype. Moreover, we propose an original cost model that is oriented to the evaluation of cloud database services in plain and encrypted instances and that takes into account the variability of cloud prices and tenant workload during a medium-term period.


2014 - Scalable architecture for multi-user encrypted SQL operations on cloud database services [Journal article]
Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco
abstract

The success of the cloud database paradigm is strictly related to strong guarantees in terms of service availability, scalability and security, but also of data confidentiality. Any cloud provider assures the security and availability of its platform, while the implementation of scalable solutions to guarantee confidentiality of the information stored in cloud databases is an open problem left to the tenant. Existing solutions address some preliminary issues through SQL operations on encrypted data. We propose the first complete architecture that combines data encryption, key management, authentication and authorization solutions, and that addresses the issues related to typical threat scenarios for cloud database services. Formal models describe the proposed solutions for enforcing access control and for guaranteeing confidentiality of data and metadata. Experimental evaluations based on standard benchmarks and real Internet scenarios show that the proposed architecture satisfies also scalability and performance requirements.


2013 - Access control enforcement on query-aware encrypted cloud databases [Conference proceedings paper]
Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco
abstract

The diffusion of cloud database services requires a lot of efforts to improve confidentiality of data stored in external infrastructures. We propose a novel scheme that integrates data encryption with users access control mechanisms. It can be used to guarantee confidentiality of data with respect to a public cloud infrastructure, and to minimize the risks of internal data leakage even in the worst case of a legitimate user colluding with some cloud provider personnel. The correctness and feasibility of the proposal is demonstrated through formal models, while the integration in a cloud-based architecture is left to future work.


2013 - Security and Confidentiality Solutions for Public Cloud Database Services [Conference proceedings paper]
Ferretti, Luca; Pierazzi, Fabio; Colajanni, Michele; Marchetti, Mirco
abstract

The users' perception that the confidentiality of their data is endangered by internal and external attacks is limiting the diffusion of public cloud database services. In this context, the use of cryptography is complicated by high computational costs and restrictions on supported SQL operations over encrypted data. In this paper, we propose an architecture that takes advantage of adaptive encryption mechanisms to guarantee at runtime the best level of data confidentiality for any type of SQL operation. We demonstrate through a large set of experiments that these encryption schemes represent a feasible solution for achieving data confidentiality in public cloud databases, even from a performance point of view.


2013 - Transparent access on encrypted data distributed over multiple cloud infrastructures [Conference proceedings paper]
Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco; Adriano Enrico, Scaruffi
abstract

Using cloud infrastructures to store and backup data is becoming a popular alternative that guarantees performance and scalability at reasonable prices. However, standard cloud solutions could raise some concerns about data confidentiality and dependency on a single provider. We aim to address these issues by using cloud storage of multiple cloud providers. Our solution ciphers, partitions and replicates data among multiple cloud architectures, thus augmenting availability and confidentiality, and avoiding lock-in of one cloud provider. The proposed model is implemented through open source software that leverages data storage offered by multiple providers. This prototype demonstrates the effectiveness of the geographically distributed architecture in several real case scenarios.


2012 - Supporting security and consistency for cloud database [Conference proceedings paper]
Ferretti, Luca; Colajanni, Michele; Marchetti, Mirco
abstract

Typical Cloud database services guarantee high availability and scalability, but they raise many concerns about data confidentiality. Combining encryption with SQL operations is a promising approach although it is characterized by many open issues. Existing proposals, which are based on some trusted intermediate server, limit availability and scalability of original cloud database services. We propose an alternative architecture that avoids any intermediary component, thus achieving availability and scalability comparable to that of unencrypted cloud database services. Moreover, our proposal guarantees data consistency in scenarios in which independent clients concurrently execute SQL queries, and the structure of the database can be modified.