-
Notifications
You must be signed in to change notification settings - Fork 18
/
publications.yml
2255 lines (2097 loc) · 193 KB
/
publications.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
# PLEASE KEEP ALPHABETICAL ORDER BY ID WITHIN YEARS
## 2010
- id: DISC2010
id_iris: 21329
title: "Brief Announcement: Automated Support for the Design and Validation of Fault Tolerant Parameterized Systems - A Case Study"
authors:
- FrancescoAlberti
- SilvioGhilardi
- ElenaPagani
- SilvioRanise
- GianPaoloRossi
abstract: >
Background and motivations. Algorithms for ensuring fault tolerance are key ingredients in many applications such as avionics and networking. There is an increasing demand to integrate (formal) validation in the design process of these algorithms as they are often part of safety critical systems.When validation fails, the designer would benefit from tracking the sequence of events that led to an incorrect state to recover the error. To productively integrate formal verification in the design phase, tools should be able to return such error traces. Fault tolerant algorithms are often parametric, which makes their automated verification a daunting task. Indeed, checking that an algorithm satisfies a certain property requires to prove it for any number of processes.
destination: DISC2010
year: 2010
doi: 10.1007/978-3-642-15763-9_36
- id: HVC2010
id_iris: 270624
title: The SMT-LIB Initiative and the Rise of SMT
authors:
- ClarkBarrett
- LeonardoDeMoura
- SilvioRanise
- AaronStump
- CesareTinelli
abstract: >
Satisfiability modulo theories (SMT) is a branch of automated reasoning that builds on advances in propositional satisfiability and on decision procedures for first-order reasoning. Its defining feature is the use of reasoning methods specific to logical theories of interest in target applications. Advances in SMT research and technology have led in the last few years to the development of very powerful satisfiability solvers and to an explosion of applications. SMT solvers are now used for processor verification, equivalence checking, bounded and unbounded model checking, predicate abstraction, static analysis, automated test case generation, extended static checking, scheduling and optimization. While the roots of SMT go back to work in the late 1970s and early 1980s on using decision procedures in formal methods, the field was born in the late 1990s with various independent attempts to harness the power of modern SAT solvers, reaching the current level of sophistication with the research and development advances of the last decade. Major enablers for these advances were SMT-LIB, a standardization and benchmark collection initiative supported by a large number of SMT researchers and users world-wide, and its offsprings: the SMT workshop, an international workshop bringing together SMT researchers and users of SMT applications or techniques; SMT-COMP, an international competition for SMT solvers supporting the SMT-LIB input format; and SMT-EXEC, a public execution service allowing researchers to configure and execute benchmarking experiments on SMT solvers.
This talk provides historical perspectives on the development of the field and on the SMT-LIB initiative and its offsprings. It highlights the initiative’s milestones and main achievements, and the role of the authors and other major contributors in it. It then concludes with a brief discussion of a few promising directions for future research in SMT.
destination: HVC2010
year: 2010
doi: 10.1007/978-3-642-19583-9_2
- id: IJCAR2010
id_iris: 21309
title: "MCMT: A Model Checker Modulo Theories"
authors:
- SilvioGhilardi
- SilvioRanise
abstract: >
We describe mcmt, a fully declarative and deductive symbolic model checker for safety properties of infinite state systems whose state variables are arrays. Theories specify the properties of the indexes and the elements of the arrays. Sets of states and transitions of a system are described by quantified first-order formulae. The core of the system is a backward reachability procedure which symbolically computes pre-images of the set of unsafe states and checks for safety and fix-points by solving Satisfiability Modulo Theories (SMT) problems. Besides standard SMT techniques, efficient heuristics for quantifier instantiation, specifically tailored to model checking, are at the very heart of the system. mcmt has been successfully applied to the verification of imperative programs, parametrised, timed, and distributed systems.
destination: IJCAR2010
year: 2010
doi: 10.1007/978-3-642-14203-1_3
- id: LMCS2010
id_iris: 50380
title: "Backward Reachability of Array-based Systems by SMT solving: Termination and Invariant Synthesis"
authors:
- SilvioGhilardi
- SilvioRanise
abstract: >
The safety of infinite state systems can be checked by a backward reachability procedure. For certain classes of systems, it is possible to prove the termination of the procedure and hence conclude the decidability of the safety problem. Although backward reachability is property-directed, it can unnecessarily explore (large) portions of the state space of a system which are not required to verify the safety property under consideration. To avoid this, invariants can be used to dramatically prune the search space. Indeed, the problem is to guess such appropriate invariants. In this paper, we present a fully declarative and symbolic approach to the mechanization of backward reachability of infinite state systems manipulating arrays by Satisfiability Modulo Theories solving. Theories are used to specify the topology and the data manipulated by the system. We identify sufficient conditions on the theories to ensure the termination of backward reachability and we show the completeness of a method for invariant synthesis (obtained as the dual of backward reachability), again, under suitable hypotheses on the theories. We also present a pragmatic approach to interleave invariant synthesis and backward reachability so that a fix-point for the set of backward reachable states is more easily obtained. Finally, we discuss heuristics that allow us to derive an implementation of the techniques in the model checker MCMT, showing remarkable speed-ups on a significant set of safety problems extracted from a variety of sources.
destination: LMCS
year: 2010
doi: 10.2168/LMCS-6(4:10)2010
- id: STM2010
id_iris: 21635
title: Automated Symbolic Analysis of ARBAC Policies
authors:
- AlessandroArmando
- SilvioRanise
abstract: >
One of the most widespread framework for the management of access-control policies is Administrative Role Based Access Control (ARBAC). Several automated analysis techniques have been proposed to help maintaining desirable security properties of ARBAC policies. One limitation of many available techniques is that the sets of users and roles are bounded. In this paper, we propose a symbolic framework to overcome this difficulty. We design an automated security analysis technique, parametric in the number of users and roles, by adapting recent methods for model checking infinite state systems that use first-order logic and state-of-the-art theorem proving techniques. Preliminary experiments with a prototype implementations seem to confirm the scalability of our technique.
destination: STM2010
year: 2010
doi: 10.1007/978-3-642-22444-7_2
- id: SYNASC2010
id_iris: 50391
title: "WSSMT: Towards the Automated Analysis of Security-Sensitive Services and Applications"
authors:
- MicheleBarletta
- AlbertoCalvi
- SilvioRanise
- LucaViganò
- LucaZanetti
abstract: >
The security of service-oriented applications is crucial in several contexts such as e-commerce or e-governance. The design, implementation, and deployment of this kind of services are often so complex that serious vulnerabilities remain even after extensive application of traditional validation techniques, such as testing. Given the importance of security-sensitive service applications, the development of techniques for their automated validation is growing. In this paper, we illustrate our formal framework to the specification and validation of security-sensitive applications structured in two levels: the workflow level (dealing with the control of flow and the manipulation of data) and the policy level (describing trust relationships and access control). In our framework, verification problems are reduced to logical problems whose decidability can be shown under suitable assumptions, which permit the validation of practically relevant classes of services. As a by-product, it is possible to re-use state-of-the-art theorem-proving technology to mechanize the verification process. This is the idea underlying our prototype validation tool WSSMT, "Web-Service (validation by) Satisfiability Modulo Theories'', which has been successfully used on two industrial case studies taken from the FP7 European project AVANTSSAR.
destination: SYNASC2010
year: 2010
doi: 10.1109/SYNASC.2010.74
- id: SYNASC2010_Validation
id_iris: 50392
title: Automated Validation of Security-sensitive Web Services specified in BPEL and RBAC
authors:
- AlbertoCalvi
- SilvioRanise
- LucaViganò
abstract: >
We formalize automated analysis techniques for the validation of web services specified in BPEL and a RBAC variant tailored to BPEL. The idea is to use decidable fragments of first-order logic to describe the state space of a certain class of web services and then use state-of-the-art SMT solvers to handle their reach ability problems. To assess the practical viability of our approach, we have developed a prototype tool implementing our techniques and applied it to a digital contract signing service inspired by an industrial case study.
destination: SYNASC2010
year: 2010
doi: 10.1109/SYNASC.2010.75
## 2011
- id: ASIACCS2011
id_iris: 21617
title: Efficient Symbolic Automated Analysis of Administrative Attribute-based RBAC-Policies
authors:
- FrancescoAlberti
- AlessandroArmando
- SilvioRanise
abstract: >
Automated techniques for the security analysis of Role-Based Access Control (RBAC) access control policies are crucial for their design and maintenance. The definition of administrative domains by means of attributes attached to users makes the RBAC model easier to use in real scenarios but complicates the development of security analysis techniques, that should be able to modularly reason about a wide range of attribute domains. In this paper, we describe an automated symbolic security analysis technique for administrative attribute-based RBAC policies. A class of formulae of first-order logic is used as an adequate symbolic representation for the policies and their administrative actions. State-of-the-art automated theorem proving techniques are used (off-the-shelf) to mechanize the security analysis procedure. Besides discussing the assumptions for the effectiveness and termination of the procedure, we demonstrate its efficiency through an extensive empirical evaluation.
destination: ASIACCS2011
year: 2011
doi: 10.1145/1966913.1966935
- id: CADE2011
id_iris: 50384
title: "ASASP: Automated Symbolic Analysis of Security Policies"
authors:
- FrancescoAlberti
- AlessandroArmando
- SilvioRanise
abstract: >
We describe asasp, a symbolic reachability procedure for the analysis of administrative access control policies. The tool represents access policies and their administrative actions as formulae of the Bernays-Shönfinkel-Ramsey class and then uses a symbolic reachability procedure to solve security analysis problems. Checks for fix-point—reduced to satisfiability problems—are mechanized by Satisfiability Modulo Theories solving and Automated Theorem Proving. asasp has been successfully applied to the analysis of benchmark problems arising in (extensions of) the Role-Based Access Control model. Our tool shows better scalability than a state-of-the-art tool on a significant set of instances of these problems.
destination: CADE2011
year: 2011
doi: 10.1007/978-3-642-22438-6_4
- id: FroCoS2011
id_iris: 50387
title: A Combination of Rewriting and Constraint Solving for the Quantifier-Free Interpolation of Arrays with Integer Difference Constraints
authors:
- RobertoBruttomesso
- SilvioGhilardi
- SilvioRanise
abstract: >
The use of interpolants in model checking is progressively gaining importance. The application of encodings based on the theory of arrays, however, is limited by the impossibility of deriving quantifier-free interpolants in general. To overcome this problem, we have recently proposed a quantifier-free interpolation solver for a natural variant of the theory of arrays. However, arrays are usually combined with fragments of arithmetic over indexes in applications, especially those related to software verification. In this paper, we propose a quantifier-free interpolation solver for the variant of arrays considered in previous work when combined with integer difference logic over indexes.
destination: FroCoS2011
year: 2011
doi: 10.1007/978-3-642-24364-6_8
- id: IC2011
id_iris: 50382
title: Automatic Decidability and Combinability
authors:
- ChristopherLynch
- SilvioRanise
- ChristopheRingeissen
- DucKhahnTran
abstract: >
Verification problems can often be encoded as first-order validity or satisfiability problems. The availability of efficient automated theorem provers is a crucial pre-requisite for automating various verification tasks as well as their cooperation with specialized decision procedures for selected theories, such as Presburger Arithmetic. In this paper, we investigate how automated provers based on a form of equational reasoning, called paramodulation, can be used in verification tools. More precisely, given a theory T axiomatizing some data structure, we devise a procedure to answer the following questions. Is the satisfiability problem of T decidable by paramodulation? Can a procedure based on paramodulation for T be efficiently combined with other specialized procedures by using the Nelson–Oppen schema? Finally, if paramodulation decides the satisfiability problem of two theories, does it decide satisfiability in their union?
The procedure capable of answering all questions above is based on Schematic Saturation; an inference system capable of over-approximating the inferences of paramodulation when solving satisfiability problems in a given theory T. Clause schemas derived by Schematic Saturation describe all clauses derived by paramodulation so that the answers to the questions above are obtained by checking that only finitely many different clause schemas are derived or that certain clause schemas are not derived.
destination: IC
destinationAddon: Volume 209, Issue 7, July 2011, Pages 1026-1047
year: 2011
doi: 10.1016/j.ic.2011.03.005
- id: ICSC2011
id_iris: 50388
title: "Automated analysis of semantic-aware access control policies: a logic-based approach"
authors:
- AlessandroArmando
- RobertoCarbone
- SilvioRanise
abstract: >
As the number and sophistication of on-line applications increase, there is a growing concern on how access to sensitive resources (e.g., personal health records) is regulated. Since ontologies can support the definition of fine-grained policies as well as the combination of heterogeneous policies, semantic technologies are expected to play an important role in this context. But understanding the implications of the access control policies of the needed complexity goes beyond the ability of a security administrator. Automatic support to the analysis of access control policies is therefore needed. In this paper we present an automatic analysis technique for access control policies that reduces the reach ability problem for access control policies to satisfiability problems in a decidable fragment of first-order logic for which efficient solvers exist. We illustrate the application of our technique on an access control model inspired by a Personal Health Application of real-world complexity.
destination: ICSC2011
year: 2011
doi: 10.1109/ICSC.2011.74
- id: RP2011
id_iris: 50386
title: Automated Termination in Model Checking Modulo Theories
authors:
- AlessandroCarioni
- SilvioGhilardi
- SilvioRanise
abstract: >
We use a declarative SMT-based approach to model-checking of infinite state systems to design a procedure for automatically establishing the termination of backward reachability by using well-quasi-orderings. Besides showing that our procedure succeeds in many instances of problems covered by general termination results, we argue that it could predict termination also on single problems outside the scope of applicability of such general results.
destination: RP2011
year: 2011
doi: 10.1007/978-3-642-24288-5_11
- id: RTA2011
id_iris: 50383
title: Rewriting-based Quantifier-free Interpolation for a Theory of Arrays
authors:
- RobertoBruttomesso
- SilvioGhilardi
- SilvioRanise
abstract: >
The use of interpolants in model checking is becoming an enabling technology to allow fast and robust verification of hardware and software. The application of encodings based on the theory of arrays, however, is limited by the impossibility of deriving quantifier-free interpolants in general. In this paper, we show that, with a minor extension to the theory of arrays, it is possible to obtain quantifier-free interpolants. We prove this by designing an interpolating procedure, based on solving equations between array updates. Rewriting techniques are used in the key steps of the solver and its proof of correctness. To the best of our knowledge, this is the first successful attempt of computing quantifier-free interpolants for a theory of arrays.
destination: RTA2011
year: 2011
doi: 10.4230/LIPIcs.RTA.2011.171
- id: SCPE2011
id_iris: 50390
title: "Workflow and Access Control Reloaded: a Declarative Specification Framework for the Automated Analysis of Web Services"
authors:
- MicheleBarletta
- AlbertoCalvi
- SilvioRanise
- LucaViganò
- LucaZanetti
abstract: >
Web services supporting business and administrative transactions between several parties over the Internet are more and more widespread. Their development involves several security issues ranging from authentication to the management of the access to shared resources according to given business and legal models. The capability of validating designs against fast evolving requirements is of paramount importance for the adaptation of business and administrative models to changing regulations and rapidly evolving market needs. We present formal specification and analysis techniques that allow us to validate the designs of security-sensitive web services specified in the Business Process Execution Language and extensions of the Role-Based Access Control model. We also present a prototype tool, called \WSSMT{}, mechanizing our approach and describe our experience in using it on two industrial case studies, on in the e-business and one in the e-government area.
destination: SCPE
year: 2011
doi: 10.1007/s11761-010-0073-4
- id: SOCA2011
id_iris: 50381
title: A declarative two-level framework to specify and verify workflow and authorization policies in service-oriented architectures
authors:
- MicheleBarletta
- SilvioRanise
- LucaViganò
abstract: >
The specification of distributed service-oriented applications spans several levels of abstraction, e.g., the protocol for exchanging messages, the set of interface functionalities, the types of the manipulated data, the workflow, the access policy, etc. Many (even executable) specification languages are available to describe each level in separation. However, these levels may interact in subtle ways (for example, the control flow may depend on the values of some data variables) so that a precise abstraction of the application amounts to more than the sum of its per level components. This problem is even more acute in the design phase when automated analysis techniques may greatly help the difficult task of building “correct” applications faced by designers. To alleviate this kind of problems, this paper introduces a framework for the formal specification and automated analysis of distributed service-oriented applications in two levels: one for the workflow and one for the authorization policies. The former allows one to precisely describe the control and data parts of an application with their mutual dependencies. The latter focuses on the specification of the criteria for granting or denying third-party applications the possibility to access shared resources or to execute certain interface functionalities. These levels can be seen as abstractions of one or of several levels of specification mentioned above. The novelty of our proposal is the possibility to unambiguously specify the—often subtle—interplay between the workflow and policy levels uniformly in the same framework. Additionally, our framework allows us to define and investigate verification problems for service-oriented applications (such as executability and invariant checking) and give sufficient conditions for their decidability. These results are non-trivial because their scope of applicability goes well beyond the case of finite state spaces allowing for applications manipulating variables ranging over infinite domains. As proof of concept, we show the suitability and flexibility of our approach on two quite different examples inspired by industrial case studies.
destination: SOCA
year: 2011
doi: 10.1007/s11761-010-0073-4
- id: STM2011
id_iris: 50385
title: Automated Analysis of Infinite State Workflows with Access Control Policies
authors:
- AlessandroArmando
- SilvioRanise
abstract: >
Business processes are usually specified by workflows extended with access control policies. In previous works, automated techniques have been developed for the analysis of authorization constraints of workflows. One of main drawback of available approaches is that only a bounded number of workflow instances is considered and analyses are limited to consider intra-instance authorization constraints. Instead, in applications, several workflow instances execute concurrently, may synchronize, and be required to ensure inter-instance constraints. Performing an analysis by considering a finite but arbitrary number of workflow instances can give designers a higher confidence about the quality of their business process. In this paper, we propose an automated technique for the analysis of both intra- and inter-instance authorization constraints in workflow systems. We reduce the analysis problem to a model checking problem, parametric in the number of workflow instances, and identify a sub-class of workflow systems with a decidable analysis problem.
destination: STM2011
year: 2011
doi: 10.1007/978-3-642-29963-6_12
## 2012
- id: CAV2012
id_iris: 101402
title: "SAFARI: SMT-Based Abstraction for Arrays with Interpolants"
authors:
- FrancescoAlberti
- RobertoBruttomesso
- SilvioGhilardi
- SilvioRanise
- NatashaSharygina
abstract: >
We present SAFARI, a model checker designed to prove (possibly universally quantified) safety properties of imperative programs with arrays of unknown length. SAFARI is based on an extension of lazy abstraction capable of handling existentially quantified formulæ for symbolically representing states. A heuristics, called term abstraction, favors the convergence of the tool by “tuning” interpolants and guessing additional quantified variables of invariants to prune the search space efficiently.
destination: CAV2012
year: 2012
doi: 10.1007/978-3-642-31424-7_49
- id: CODASPY2012
id_iris: 101401
title: "Efficient run-time solving of RBAC user authorization queries: pushing the envelope"
authors:
- AlessandroArmando
- SilvioRanise
- FatihTurkmen
- BrunoCrispo
abstract: >
The User Authorization Query (UAQ) Problem for Role- Based Access Control (RBAC) amounts to determining a set of roles to be activated in a given session in order to achieve some permissions while satisfying a collection of authorization constraints governing the activation of roles. Techniques ranging from greedy algorithms to reduction to (variants of) the propositional satisfiability (SAT) problem have been used to tackle the UAQ problem. Unfortunately, available techniques su er two major limitations that seem to question their practical usability. On the one hand, authorization constraints over multiple sessions or histories are not considered. On the other hand, the experimental evaluations of the various techniques are not satisfactory since they do not seem to scale to larger RBAC policies.
In this paper, we describe a SAT-based technique to solve the UAQ problem which overcomes these limitations. First, we show how authorization constraints over multiple sessions and histories can be supported. Second, we carefully tune the reduction to the SAT problem so that most of the clauses need not to be generated at run-time but only in a pre-processing step. Finally, we present an extensive experimental evaluation of an implementation of our techniques on a significant set of UAQ problem instances that show the practical viability of our approach; e.g., problems with 300 roles are solved in less than a second.
destination: CODASPY2012
year: 2012
doi: 10.1145/2133601.2133631
- id: DBSec2012
id_iris: 101206
title: Automated and Efficient Analysis of Role-Based Access Control with Attributes
authors:
- AlessandroArmando
- SilvioRanise
abstract: >
We consider an extension of the Role-Based Access Control model in which rules assign users to roles based on attributes. We consider an open (allow-by-default) policy approach in which rules can assign users negated roles thus preventing access to the permissions associated to the role. The problems of detecting redundancies and inconsistencies are formally stated. By expressing the conditions on the attributes in the rules with formulae of theories that can be efficiently decided by Satisfiability Modulo Theories (SMT) solvers, we characterize the decidability and complexity of the problems of detecting redundancies and inconsistencies. The proof of the result is constructive and based on an algorithm that repeatedly solves SMT problems. An experimental evaluation with synthetic benchmark problems shows the practical viability of our technique.
destination: DBSec2012
year: 2012
doi: 10.1007/978-3-642-31540-4_3
- id: IJCAR2012
id_iris: 101205
title: From Strong Amalgamability to Modularity of Quantifier-Free Interpolation
authors:
- RobertoBruttomesso
- SilvioGhilardi
- SilvioRanise
abstract: >
The use of interpolants in verification is gaining more and more importance. Since theories used in applications are usually obtained as (disjoint) combinations of simpler theories, it is important to modularly re-use interpolation algorithms for the component theories. We show that a sufficient and necessary condition to do this for quantifier-free interpolation is that the component theories have the ‘strong (sub-)amalgamation’ property. Then, we provide an equivalent syntactic characterization, identify a sufficient condition, and design a combined quantifier-free interpolation algorithm handling both convex and non-convex theories, that subsumes and extends most existing work on combined interpolation.
destination: IJCAR2012
year: 2012
doi: 10.1007/978-3-642-31365-3_12
- id: JCS2012
id_iris: 121401
title: Scalable automated symbolic analysis of administrative role-based access control policies by SMT solving
authors:
- AlessandroArmando
- SilvioRanise
abstract: >
Administrative Role Based Access Control (ARBAC) is one of the most widespread framework for the management of access-control policies. Several automated analysis techniques have been proposed to help maintaining desirable security properties of ARBAC policies. One of the main limitation of available analysis techniques is that the set of users is bounded. In this paper, we propose a symbolic framework to overcome this limitation. We design an automated analysis technique that can handle both a bounded and an unbounded number of users by adapting recent methods for the symbolic model checking of infinite state systems that use first-order logic and SMT solving techniques. An extensive experimental evaluation confirms the scalability of the proposed technique.
destination: JCS
destinationAddon: vol. 20, no. 4, pp. 309-352
year: 2012
doi: 10.3233/JCS-2012-0461
- id: JSAT2012
id_iris: 101202
title: Universal Guards, Relativization of Quantifiers, and Failure Models in Model Checking Modulo Theories
authors:
- FrancescoAlberti
- SilvioGhilardi
- ElenaPagani
- SilvioRanise
- GianPaoloRossi
abstract: >
Model Checking Modulo Theories is a recent approach for the automated verification of safety properties of a class of infinite state systems manipulating arrays, called array-based systems. The idea is to repeatedly compute pre-images of a set of (unsafe) states by using certain classes of first-order formulae representing sets of states and transitions, and then reduce fix-point checks to Satisfiability Modulo Theories problems. Unfortunately, if the guards contain universally quantified index variables, the backward procedure cannot be fully automated. In this paper, we overcome the problem by describing a syntactic transformation on array-based systems, which can be seen as an instance of the well-known operation of relativization of quantifiers in first-order logic. Interestingly, when specifying and verifying distributed systems, the proposed syntactic transformation can be interpreted as the adoption of the crash-failure model, which is well-known in the literature of fault-tolerant systems. By eliminating universal quantifiers from guards, the transformation significantly extends the scope of applicability of the symbolic backward reachability procedure. To provide empirical evidence of this claim, we discuss our findings in applying the proposed technique to a significant case-study in the verification of some classical algorithms for reliable broadcast.
destination: JSAT
year: 2012
doi: 10.3233/SAT190087
- id: JSC2012
id_iris: 50389
title: On the Verification of Security-Aware E-services
authors:
- SilvioRanise
abstract: >
Web services providing E-commerce capabilities to support business transactions over the Internet are more and more widespread. The development of such services involves several security issues ranging from authentication to the management of the access to shared resources according to a given business model. The capability of validating designs against fast evolving requirements is of paramount importance for the adaptation of business models to changing regulations and rapidly evolving market needs. So, techniques for the specification and automated analysis of web services to be used in security-sensitive applications are crucial in the development of these systems.
In this paper, we propose an extension of the relational transducers introduced by Abiteboul, Vianu, Fordham, and Yesha for the specification of the transaction protocols of web services and their security properties. We investigate the decidability of relevant verification problems such as goal reachability (for the validation of use-case scenarios) and log validation (for detecting frauds) and provide sufficient conditions for their decidability. The extension we propose is two-fold. First, we add constraints to specify the algebraic structure of the resources manipulated by the transducers. Second, recursion is allowed (only) in policy rules to express important policy idioms such as delegation. Technically, decidability is obtained by a reduction to a decidable class of first-order formulae and fix-point computation to handle recursion.
destination: JSC
destinationAddon: Volume 47, Issue 9
year: 2012
doi: 10.1016/j.jsc.2011.12.033
- id: LMCS2012
id_iris: 101201
title: Quantifier-Free Interpolation of a Theory of Arrays
authors:
- RobertoBruttomesso
- SilvioGhilardi
- SilvioRanise
abstract: >
The use of interpolants in model checking is becoming an enabling technology to allow fast and robust verification of hardware and software. The application of encodings based on the theory of arrays, however, is limited by the impossibility of deriving quantifier- free interpolants in general. In this paper, we show that it is possible to obtain quantifier-free interpolants for a Skolemized version of the extensional theory of arrays. We prove this in two ways: (1) non-constructively, by using the model theoretic notion of amalgamation, which is known to be equivalent to admit quantifier-free interpolation for universal theories; and (2) constructively, by designing an interpolating procedure, based on solving equations between array updates. (Interestingly, rewriting techniques are used in the key steps of the solver and its proof of correctness.) To the best of our knowledge, this is the first successful attempt of computing quantifier- free interpolants for a variant of the theory of arrays with extensionality.
destination: LMCS
destinationAddon: Volume 8, Issue 2
year: 2012
doi: 10.2168/LMCS-8(2:4)2012
- id: LPAR2012
id_iris: 101204
title: Lazy Abstraction with Interpolants for Arrays
authors:
- FrancescoAlberti
- RobertoBruttomesso
- SilvioGhilardi
- SilvioRanise
- NatashaSharygina
abstract: >
Lazy abstraction with interpolants has been shown to be a powerful technique for verifying imperative programs. In presence of arrays, however, the method shows an intrinsic limitation, due to the fact that successful invariants usually contain universally quantified variables, which are not present in the program specification. In this work we present an extension of the interpolation-based lazy abstraction in which arrays of unknown length can be handled in a natural manner. In particular, we exploit the Model Checking Modulo Theories framework, to derive a backward reachability version of lazy abstraction that embeds array reasoning. The approach is generic, in that it is valid for both parameterized systems and imperative programs. We show by means of experiments that our approach can synthesize and prove universally quantified properties over arrays in a completely automatic fashion.
destination: LPAR
year: 2012
doi: 10.1007/978-3-642-28717-6_7
- id: NFM2012
id_iris: 101203
title: Automated Analysis of Parametric Timing-Based Mutual Exclusion Algorithms
authors:
- RobertoBruttomesso
- AlessandroCarioni
- SilvioGhilardi
- SilvioRanise
abstract: >
Deadlock-free algorithms that ensure mutual exclusion crucially depend on timing assumptions. In this paper, we describe our experience in automatically verifying mutual-exclusion and deadlock-freedom of the Fischer and Lynch-Shavit algorithms, using the model checker modulo theories mcmt. First, we explain how to specify timing-based algorithms in the mcmt input language as symbolic transition systems. Then, we show how the tool can verify all the safety properties used by Lynch and Shavit to establish mutual-exclusion, regardless of the number of processes in the system. Finally, we verify deadlock-freedom by following a reduction to “safety problems with lemmata synthesis” and using acceleration to avoid divergence. We also show how to automatically synthesize the bounds on the waiting time of a process to enter the critical section.
destination: NFM2012
year: 2012
doi: 10.1007/978-3-642-28891-3_28
- id: NSS2012
id_iris: 101403
title: "On the Automated Analysis of Safety in Usage Control: A New Decidability Result"
authors:
- SilvioRanise
- AlessandroArmando
abstract: >
We study the decidability of the safety problem in the usage control (UCON) model. After defining a formal model, we identify sufficient conditions for the decidability of the safety problem for UCON systems whose attributes are allowed to range over infinite domains and updates in one process may affect the state of another. Our result is a significant generalization of those available in the literature.
destination: NSS2012
year: 2012
doi: 10.1007/978-3-642-34601-9_2
- id: STM2012
id_iris: 101602
title: Boosting Model Checking to Analyse Large ARBAC Policies
authors:
- SilvioRanise
- TuanAnhTruong
- AlessandroArmando
abstract: >
The administration of access control policies is a task of paramount importance for distributed systems. A crucial analysis problem is to foresee if a set of administrators can give a user an access permission. We consider this analysis problem in the context of the Administrative Role-Based Access Control (ARBAC), one of the most widespread administrative models. Given the difficulty of taking into account the effect of all possible administrative actions, automated analysis techniques are needed. In this paper, we describe how a model checker can scale up to handle very large ARBAC policies while ensuring completeness. An extensive experimentation shows that an implementation of our techniques performs significantly better than Mohawk, a recently proposed tool that has become the reference for finding errors in ARBAC policies.
destination: STM2012
year: 2012
doi: 10.1007/978-3-642-38004-4_18
- id: STM2012_DAC
id_iris: 101601
title: Automated Analysis of Scenario-based Specifications of Distributed Access Control Policies with Non-Mechanizable Activities
authors:
- MicheleBarletta
- SilvioRanise
- LucaViganò
abstract: >
The advance of web services technologies promises to have far-reaching effects on the Internet and enterprise networks allowing for greater accessibility of data. The security challenges presented by the web services approach are formidable. In particular, access control solutions should be revised to address new challenges, such as the need of using certificates for the identification of users and their attributes, human intervention in the creation or selection of the certificates, and (chains of) certificates for trust management. With all these features, it is not surprising that analyzing policies to guarantee that a sensitive resource can be accessed only by authorized users becomes very difficult. In this paper, we present an automated technique to analyze scenario-based specifications of access control policies in open and distributed systems. We illustrate our ideas on a case study arising in the e-government area.
destination: STM2012
year: 2012
doi: 10.1007/978-3-642-38004-4_4
## 2013
- id: FMSD2013
id_iris: 180610
title: Symbolic backward reachability with effectively propositional logic
authors:
- SilvioRanise
abstract: >
We describe a symbolic procedure for solving the reachability problem of transition systems that use formulae of Effectively Propositional Logic to represent sets of backward reachable states. We discuss the key ideas for the mechanization of the procedure where fix-point checks are reduced to SMT problems. We also show the termination of the procedure on a sub-class of transition systems. Then, we discuss how reachability problems for this sub-class can be used to encode analysis problems of administrative policies in the Role-Based Access Control (RBAC) model that is one of the most widely adopted access control paradigms. An implementation of a refinement of the backward reachability procedure, called asasp, shows better flexibility and scalability than a state-of-the-art tool on a significant set of security problems.
destination: FMSD
year: 2013
doi: 10.1007/s10703-012-0157-1
- id: FroCoS2013
id_iris: 180614
title: Verification of Composed Array-based Systems with Applications to Security-Aware Workflows
authors:
- ClaraBertolissi
- SilvioRanise
abstract: >
We introduce a class of symbolic transition systems capable of representing collections of security-aware workflows and we study the verification of reachability properties of such systems. More precisely, we define composed array-based systems as an extension of array-based systems in which array variables are indexed over more than one type. For an application relevant sub-class of these systems we show how to mechanize a symbolic backward reachability procedure by modularly re-using the techniques developed for array-based systems. Finally, and most importantly, we find sufficient conditions for the termination of the procedure and we apply this result to derive the decidability of the reachability problems of two important classes of security-aware workflow systems.
destination: FroCoS2013
year: 2013
doi: 10.1007/978-3-642-40885-4_4
urlNews: /news/2013/06/06/paper-accepted-at-frocos-2013/
- id: FPS2013
id_iris: 226615
title: Formal Modelling of Content-Based Protection and Release for Access Control in NATO Operations
authors:
- AlessandroArmando
- SanderOudkerk
- SilvioRanise
- KonradWrona
abstract: >
The successful operation of NATO missions requires effective and secure sharing of information among coalition partners and external organizations, while avoiding the disclosure of sensitive information to untrusted users. To resolve the conflict between confidentiality and availability, NATO is developing a new information sharing infrastructure, called Content-based Protection and Release. We describe the architecture of access control in NATO operations, which is designed to be easily built on top of available (service-oriented) infrastructures for identity and access control management. We then present a use case scenario drawn from the NATO Passive Missile Defence system for simulating the consequences of intercepting missile attacks. In the system demonstration, we show how maps annotated with the findings of the system are filtered by the access control module to produce appropriate views for users with different clearances and terminals under given release and protection policies.
destination: FPS2013
year: 2013
doi: 10.1007/978-3-319-05302-8_14
urlNews: /news/2013/08/27/paper-accepted-at-fps2013/
- id: ICITST2013
id_iris: 222616
title: A methodology to build run-time monitors for security-aware workflows
authors:
- ClaraBertolissi
- SilvioRanise
abstract: >
Run-time monitors are crucial to the development of workflow management systems, which are at the heart of several modern E-services. In this paper, we propose a new methodology to build run-time monitors capable of ensuring the successful termination of workflows subject to authorization constraints. The methodology is based on state-of-the-art Satisfiability Modulo Theories techniques.
destination: ICITST2013
year: 2013
doi: 10.1109/ICITST.2013.6750251
- id: IJFCS2013
id_iris: 180611
title: Automated Termination in Model-Checking Modulo Theories
authors:
- AlessandroCarioni
- SilvioGhilardi
- SilvioRanise
abstract: >
We identify sufficient conditions to automatically establish the termination of a backward reachability procedure for infinite state systems by using well-quasi-orderings. Besides showing that backward reachability succeeds on many instances of problems covered by general termination results, we argue that it could predict termination also on interesting instances of the reachability problem that are outside the scope of applicability of such general results. We work in the declarative framework of Model Checking Modulo Theories that permits us to exploit recent advances in Satisfiability Modulo Theories solving and model-theoretic notions of first-order logic.
destination: IJFCS
year: 2013
doi: 10.1142/S012905411340008X
- id: SACMAT2013
id_iris: 180613
title: Content-based information protection and release in NATO operations
authors:
- AlessandroArmando
- MatteoGrasso
- SanderOudkerk
- SilvioRanise
- KonradWrona
abstract: >
The successful operation of NATO missions requires effective and secure sharing of information among coalition partners and external organizations, while avoiding the disclosure of sensitive information to untrusted users. To resolve the conflict between confidentiality and availability, NATO is developing a new information sharing infrastructure, called Content-based Protection and Release. We describe the architecture of access control in NATO operations, which is designed to be easily built on top of available (service-oriented) infrastructures for identity and access control management. We then present a use case scenario drawn from the NATO Passive Missile Defence system for simulating the consequences of intercepting missile attacks. In the system demonstration, we show how maps annotated with the findings of the system are filtered by the access control module to produce appropriate views for users with different clearances and terminals under given release and protection policies.
destination: SACMAT2013
year: 2013
doi: 10.1145/2462410.2462427
## 2014
- id: CSET2014
id_iris: 250446
title: "TESTREX: a Testbed for Repeatable Exploits"
authors:
- StanislavDashevskyi
- DanielDosSantos
- FabioMassacci
- AntoninoSabetta
destination: CSET2014
year: 2014
urlNews: /news/2014/06/09/paper-accepted-at-cset14/
- id: DBSec2014
id_iris: 226015
title: "Incremental Analysis of Evolving Administrative Role Based Access Control Policies"
authors:
- SilvioRanise
- TuanAnhTruong
abstract: >
We consider the safety problem for Administrative Role-Based Access Control (ARBAC) policies, i.e. detecting whether sequences of administrative actions can result in policies by which a user can acquire permissions that may compromise some security goals. In particular, we are interested in sequences of safety problems generated by modifications (namely, adding/deleting an element to/from the set of possible actions) to an ARBAC policy accommodating the evolving needs of an organization. or resulting from fixing some safety issues. Since problems in such sequences share almost all administrative actions, we propose an incremental technique that avoids the re-computation of the solution to the current problem by re-using much of the work done on the previous problem in a sequence. An experimental evaluation shows the better performances of an implementation of our technique with respect to the only available approach to solve safety problems for evolving ARBAC policies proposed by Gofman, Luo, and Yang.
destination: DBSec2014
year: 2014
doi: 10.1007/978-3-662-43936-4_17
- id: FMSD2014
id_iris: 269019
title: An extension of lazy abstraction with interpolation for programs with arrays
authors:
- FrancescoAlberti
- RobertoBruttomesso
- SilvioGhilardi
- SilvioRanise
- NatashaSharygina
abstract: >
Lazy abstraction with interpolation-based refinement has been shown to be a powerful technique for verifying imperative programs. In presence of arrays, however, the method suffers from an intrinsic limitation, due to the fact that invariants needed for verification usually contain universally quantified variables, which are not present in program specifications. In this work we present an extension of the interpolation-based lazy abstraction framework in which arrays of unknown length can be handled in a natural manner. In particular, we exploit the Model Checking Modulo Theories framework to derive a backward reachability version of lazy abstraction that supports reasoning about arrays. The new approach has been implemented in a tool, called safari, which has been validated on a wide range of benchmarks. We show by means of experiments that our approach can synthesize and prove universally quantified properties over arrays in a completely automatic fashion.
destination: FMSD
year: 2014
doi: 10.1007/s10703-014-0209-9
- id: NOMS2014
id_iris: 250444
title: A Dynamic Risk-based Access Control Architecture for Cloud Computing
authors:
- DanielDosSantos
- CarlaMerkleWestphall
- CarlosBeckerWestphall
abstract: >
Cloud computing is a distributed computing model that still faces problems. New ideas emerge to take advantage of its features and among the research challenges found in the cloud, we can highlight Identity and Access Management. The main problems of the application of access control in the cloud are the necessary flexibility and scalability to support a large number of users and resources in a dynamic and heterogeneous environment, with collaboration and information sharing needs. This paper proposes the use of risk-based dynamic access control for cloud computing. The proposal is presented as an access control model based on an extension of the XACML standard with three new components: the Risk Engine, the Risk Quantification Web Services and the Risk Policies. The risk policies present a method to describe risk metrics and their quantification, using local or remote functions. The risk policies allow users and cloud service providers to define how to handle risk-based access control for their resources, using different quantification and aggregation methods. The model reaches the access decision based on a combination of XACML decisions and risk analysis. A prototype of the model is implemented, showing it has enough expressivity to describe the models of related work. In the experimental results, the prototype takes between 2 and 6 milliseconds to reach access decisions using a risk policy. A discussion on the security aspects of the model is also presented.
destination: NOMS2014
year: 2014
doi: 10.1109/NOMS.2014.6838319
urlNews: /news/2013/11/05/paper-accepted-at-noms-2014/
- id: SACMAT2014_ABAC
id_iris: 226218
title: Attribute Based Access Control for APIs in Spring Security
authors:
- AlessandroArmando
- RobertoCarbone
- EyasuGetahunChekole
- SilvioRanise
abstract: >
The widespread adoption of Application Programming Interfaces (APIs) by enterprises is changing the way business is done by permitting the implementation of a multitude of apps, customized to user needs. While supporting a more flexible exploitation of available data, services and applications developed on top of APIs are vulnerable to a variety of attacks, ranging from SQL injection to unauthorized access of sensitive data. Available security solutions must be re-used and/or adapted to work with APIs. In this paper, we focus on the development of a flexible access control mechanism for APIs. This is an important security mechanism to guarantee the enforcement of authorization constraints on resources while invoking their API functions. We have developed an extension of the Spring Security framework, the standard for securing services and apps built in the popular (open source) Spring framework, for the specification and enforcement of Attribute-Based Access Control (ABAC) policies. We demonstrate our work with scenarios arising in a smart energy eco-system.
destination: SACMAT2014
year: 2014
doi: 10.1145/2613087.2613109
urlNews: /news/2014/05/20/papers-accepted-at-sacmat-2014/
- id: SACMAT2014_RBAC
id_iris: 226016
title: Scalable and Precise Automated Analysis of Administrative Temporal Role-Based Access Control
authors:
- SilvioRanise
- TuanAnhTruong
- AlessandroArmando
abstract: >
Extensions of Role-Based Access Control (RBAC) policies taking into account contextual information (such as time and space) are increasingly being adopted in real-world applications. Their administration is complex since they must satisfy rapidly evolving needs. For this reason, automated techniques to identify unsafe sequences of administrative actions (i.e. actions generating policies by which a user can acquire permissions that may compromise some security goals) are fundamental tools in the administrator's tool-kit. In this paper, we propose a precise and scalable automated analysis technique for the safety of administrative temporal RBAC policies. Our approach is to translate safety problems for this kind of policy to (decidable) reachability problems of a certain class of symbolic transition systems. The correctness of the translation allows us to design a precise analysis technique for the safety of administrative RBAC policies with a finite but unknown number of users. For scalability, we present a heuristics that allows us to reduce the set of administrative actions without losing the precision of the analysis. An extensive experimental analysis confirms the scalability and precision of the approach also in comparison with a recent analysis technique developed for the same class of temporal RBAC policies.
destination: SACMAT2014
year: 2014
doi: 10.1145/2613087.2613102
urlNews: /news/2014/05/20/papers-accepted-at-sacmat-2014/
- id: SmartGridSec14
id_iris: 251631
title: Selective Release of Smart Metering Data in Multi-domain Smart Grids
authors:
- AlessandroArmando
- RobertoCarbone
- EyasuGetahunChekole
- ClaudioPetrazzuolo
- AndreaRanalli
- SilvioRanise
abstract: >
In the context of energy efficiency, smart metering solutions are receiving growing attention as they support the automatic collection of (fine-grained) consumption data of appliances. While the capability of a stakeholder (such as a consumer, an utility, or a third-party service) to access smart metering data can give rise to innovative services for users, it makes the control of data release and usage significantly more complex. It is thus extremely important to put in place an adequate access control mechanism that takes into account the authorization requirements of the various stakeholders. To address this issue, we propose a framework based on the Attribute Based Access Control model for the selective release of smart metering data in cloud-based solutions for smart grids.
We applied our framework to a scenario proposed by Energy@Home, a non-profit association of companies with the mission of developing and promoting techniques for energy efficiency in smart homes. As a proof of concept, we implemented our approach on top of the open-source Spring Security framework.
destination: SmartGridSec14
year: 2014
doi: 10.1007/978-3-319-10329-7_4
urlNews: /news/2014/02/19/paper-accepted-at-workshop-on-smart-grid-security/
- id: STM2014
id_iris: 251431
title: "ALPS: An Action Language for Policy Specification and Automated Safety Analysis"
authors:
- SilvioRanise
- RiccardoTraverso
abstract: >
Authorization conditions of access control policies are complex and varied as they might depend, e.g., on the current time, the position of the users, selected parts of the system state, and even on the history of the computations. Several models, languages, and enforcement mechanisms have been proposed for different scenarios. Unfortunately, this complicates the verification of safety, i.e. no permission is leaked to unauthorized users. To avoid these problems, we present an intermediate language called Action Language for Policy Specification. Two desiderata drive its definition: (i) it should support as many models and policies as possible and (ii) it should be easily integrated in existing verification systems so that robust techniques (e.g., model checking or satisfiability solving) can be exploited to safety. We argue (i) by using selected examples of access control models and policies taken from the literature. For (ii), we prove some theoretical properties of the language that pave the way to the definition of automatic translations to available verification techniques.
destination: STM2014
year: 2014
doi: 10.1007/978-3-319-11851-2_10
- id: TACAS2014
id_iris: 211216
title: "SATMC: A SAT-Based Model Checker for Security-Critical Systems"
authors:
- AlessandroArmando
- RobertoCarbone
- LucaCompagna
abstract: >
We present SATMC 3.0, a SAT-based bounded model checker for security-critical systems that stems from a successful combination of encoding techniques originally developed for planning with techniques developed for the analysis of reactive systems. SATMC has been successfully applied in a variety of application domains (security protocols, security-sensitive business processes, and cryptographic APIs) and for different purposes (design-time security analysis and security testing). SATMC strikes a balance between general purpose model checkers and security protocol analyzers as witnessed by a number of important success stories including the discovery of a serious man-in-the-middle attack on the SAML-based Single Sign-On (SSO) for Google Apps, an authentication flaw in the SAML 2.0 Web Browser SSO Profile, and a number of attacks on PKCS#11 Security Tokens. SATMC is integrated and used as back-end in a number of research prototypes (e.g., the AVISPA Tool, Tookan, the SPaCIoS Tool) and industrial-strength tools (e.g., the Security Validator plugin for SAP NetWeaver BPM).
destination: TACAS2014
year: 2014
doi: 10.1007/978-3-642-54862-8_3
- id: TOCL2014
id_iris: 264419
title: Quantifier-free interpolation in combinations of equality interpolating theories
authors:
- RobertaBruttomesso
- SilvioGhilardi
- SilvioRanise
abstract: >
The use of interpolants in verification is gaining more and more importance. Since theories used in applications are usually obtained as (disjoint) combinations of simpler theories, it is important to modularly reuse interpolation algorithms for the component theories. We show that a sufficient and necessary condition to do this for quantifier-free interpolation is that the component theories have the strong (sub-)amalgamation property. Then, we provide an equivalent syntactic characterization and show that such characterization covers most theories commonly employed in verification. Finally, we design a combined quantifier-free interpolation algorithm capable of handling both convex and nonconvex theories; this algorithm subsumes and extends most existing work on combined interpolation.
destination: TOCL
destinationAddon: Volume 15, Issue 1, No. 5
year: 2014
doi: 10.1145/2490253
## 2015
- id: ASIACCS2015
id_iris: 303737
title: Automated Synthesis of Run-time Monitors to Enforce Authorization Policies in Business Processes
authors:
- ClaraBertolissi
- DanielDosSantos
- SilvioRanise
destination: ASIACCS2015
year: 2015
doi: 10.1145/2714576.2714633
urlNews: /news/2015/04/01/paper-accepted-at-asiaccs-2015/
- id: CNS2015
id_iris: 303740
title: Compiling NATO authorization policies for enforcement in the cloud and SDNs
authors:
- AlessandroArmando
- SilvioRanise
- RiccardoTraverso
- KonradWrona
destination: CNS2015
year: 2015
doi: 10.1109/CNS.2015.7346913
- id: DBSec2015
id_iris: 303743
title: Assisting the Deployment of Security-Sensitive Workflows by Finding Execution Scenarios
authors:
- DanielDosSantos
- SilvioRanise
- LucaCompagna
- SerenaPonta
destination: DBSec2015
year: 2015
doi: 10.1007/978-3-319-20810-7_6
urlNews: /news/2015/04/21/paper-accepted-at-dbsec-2015/
- id: MIST2015
id_iris: 303716
title: Mobile App Security Assessment with the MAVeriC Dynamic Analysis Module
authors:
- AlessandroArmando
- GianlucaBocci
- GabrieleCosta
- RoccoMammoliti
- AlessioMerlo
- SilvioRanise
- RiccardoTraverso
- AndreaValenza
destination: DBSec2015
year: 2015
doi: 10.1007/978-3-319-20810-7_6
urlNews: /news/2015/04/21/paper-accepted-at-dbsec-2015/
- id: POST2015
id_iris: 303746
title: Analysis of XACML Policies with SMT
authors:
- FatihTurkmen
- JerryDenHartog
- SilvioRanise
- NicolaZannone
destination: POST2015
abstract: >
The eXtensible Access Control Markup Language (XACML) is an extensible and flexible XML language for the specification of access control policies. However, the richness and flexibility of the language (along with the verbose syntax of XML) come with a price: errors are easy to make and difficult to detect when policies grow in size. If these errors are not detected and rectified, they can result in serious data leakage and/or privacy violations leading to significant legal and financial consequences. To assist policy authors in the analysis of their policies, several policy analysis tools have been proposed based on different underlying formalisms. However, most of these tools either abstract away functions over non-Boolean domains (hence they cannot provide information about them) or produce very large encodings which hinder the performance. In this paper, we present a generic policy analysis framework that employs SMT as the underlying reasoning mechanism. The use of SMT does not only allow more fine-grained analysis of policies but also improves the performance. We demonstrate that a wide range of security properties proposed in the literature can be easily modeled within the framework. A prototype implementation and its evaluation are also provided.
year: 2015
doi: 10.1007/978-3-662-46666-7_7
- id: SAC2015
id_iris: 303755
title: Automated analysis of RBAC policies with temporal constraints and static role hierarchies
authors:
- SilvioRanise
- TuanAnhTruong
- LucaViganò
destination: SAC2015
abstract: >
Temporal role based access control models support the specification and enforcement of several temporal constraints on role enabling, role activation, and temporal role hierarchies among others. In this paper, we define three mappings that preserve the solutions to a class of policy problems (they map security analysis problems in presence of static temporal role hierarchies to problems without them) and we show how they can be used to extend the capabilities of a tool for the analysis of administrative temporal role-based access control policies to reason in presence of temporal role hierarchies. An experimental evaluation with a prototype implementation shows the better behavior of one of the proposed mappings over the other two. To the best of our knowledge, ours is the first tool capable of reasoning with (static) temporal role hierarchies.
year: 2015
doi: 10.1145/2695664.2695787
- id: SACMAT2015
id_iris: 303728
title: A SMT-based Tool for the Analysis and Enforcement of NATO Content-based Protection and Release Policies
authors:
- AlessandroArmando
- SilvioRanise
- RiccardoTraverso
- KonradWrona
destination: SACMAT2015
year: 2015
doi: 10.1145/2752952.2752954
- id: SECRYPT2015
id_iris: 303758
title: Modeling Authorization Policies for Web Services in Presence of Transitive Dependencies
authors:
- WorachetUttha
- ClaraBertolissi
- SilvioRanise
destination: SECRYPT2015
year: 2015
doi: 10.5220/0005548502930300
- id: STM2015
id_iris: 303761
title: A Declarative Framework for Specifying and Enforcing Purpose-Aware Policies
authors:
- RiccardoDeMasellis
- ChiaraGhidini
- SilvioRanise
destination: STM2015
abstract: >
Purpose is crucial for privacy protection as it makes users confident that their personal data are processed as intended. Available proposals for the specification and enforcement of purpose-aware policies are unsatisfactory for their ambiguous semantics of purposes and/or lack of support to the run-time enforcement of policies.
In this paper, we propose a declarative framework based on a first-order temporal logic that allows us to give a precise semantics to purpose-aware policies and to reuse algorithms for the design of a run-time monitor enforcing purpose-aware policies. We also show the complexity of the generation and use of the monitor which, to the best of our knowledge, is the first such a result in literature on purpose-aware policies.
year: 2015
doi: 10.1007/978-3-319-24858-5_4
- id: TaPP2015
title: A Proposal Architecture for Logical Data Tracking in Cloud
authors:
- MojtabaEskandari
- BrunoCrispo
- AndersonSantanaDeOliveira
destination: TaPP2015
year: 2015
urlNews: /news/2015/06/05/paper-accepted-at-tapp-2015/
## 2016
- id: ABAC2016
id_iris: 307012
title: SMT-based Enforcement and Analysis of NATO Content-based Protection and Release Policies
authors:
- AlessandroArmando
- SilvioRanise
- RiccardoTraverso
- KonradWrona
destination: ABAC2016
year: 2016
doi: 10.1145/2875491.2875493
urlNews: /news/2016/01/11/paper-accepted-at-abac-2016/
- id: ESSoS2016
id_iris: 307090
title: On the Security Cost of Using a Free and Open Source Component in a Proprietary Product
authors:
- StanislavDashevskyi
- AchimBrucker
- FabioMassacci
abstract: >
The work presented in this paper is motivated by the need to estimate the security effort of consuming Free and Open Source Software (FOSS) components within a proprietary software supply chain of a large European software vendor. To this extent we have identified three different cost models: centralized (the company checks each component and propagates changes to the different product groups), distributed (each product group is in charge of evaluating and fixing its consumed FOSS components), and hybrid (only the least used components are checked individually by each development team). We investigated publicly available factors (e. g., development activity such as commits, code size, or fraction of code size in different programming languages) to identify which one has the major impact on the security effort of using a FOSS component in a larger software product.
destination: ESSoS2016
year: 2016
doi: 10.1007/978-3-319-30806-7_12
urlNews: /news/2016/02/16/paper-accepted-at-essos-2016/
- id: FDSE2016
id_iris: 307039
title: "ASASPXL: New Clother for Analysing ARBAC Policies"
authors:
- TuanAnhTruong
- SilvioRanise
abstract: >
Access Control is becoming increasingly important for today’s ubiquitous systems. In access control models, the administration of access control policies is an important task that raises a crucial analysis problem: if a set of administrators can give a user an unauthorized access permission. In this paper, we consider the analysis problem in the context of the Administrative Role-Based Access Control (ARBAC), one of the most widespread administrative models. We describe how we design heuristics to enable an analysis tool, called asaspXL, to scale up to handle large and complex ARBAC policies. An extensive experimentation shows that the proposed heuristics play a key role in the success of the analysis tool over the state-of-the-art analysis tools.
destination: FDSE2016
year: 2016
doi: 10.1007/978-3-319-48057-2_19
- id: NDSS2016
id_iris: 307029
title: Attack Patterns for Black-Box Security Testing of Multi-Party Web Applications
authors:
- AvinashSudhodanan
- AlessandroArmando
- LucaCompagna
- RobertoCarbone
abstract: >
The advent of Software-as-a-Service (SaaS) has led to the development of multi-party web applications (MPWAs). MPWAs rely on core trusted third-party systems (e.g., payment servers, identity providers) and protocols such as Cashier-as-aService (CaaS), Single Sign-On (SSO) to deliver business services to users. Motivated by the large number of attacks discovered against MPWAs and by the lack of a single general-purpose application-agnostic technique to support their discovery, we propose an automatic technique based on attack patterns for black-box, security testing of MPWAs. Our approach stems from the observation that attacks against popular MPWAs share a number of similarities, even if the underlying protocols and services are different. In this paper, we target six different replay attacks, a login CSRF attack and a persistent XSS attack. Firstly, we propose a methodology in which security experts can create attack patterns from known attacks. Secondly, we present a security testing framework that leverages attack patterns to automatically generate test cases for testing the security of MPWAs. We implemented our ideas on top of OWASP ZAP (a popular, open-source penetration testing tool), created seven attack patterns that correspond to thirteen prominent attacks from the literature and discovered twenty one previously unknown vulnerabilities in prominent MPWAs (e.g., twitter.com, developer.linkedin.com, pinterest.com), including MPWAs that do not belong to SSO and CaaS families.
destination: NDSS2016
year: 2016
urlNews: /news/2015/10/23/paper-accepted-at-ndss-2016/
- id: RTSI2016
id_iris: 313241
title: "A delegated authorization solution for smart-city mobile applications"
authors:
- GiadaSciarretta
- RobertoCarbone
- SilvioRanise
abstract: >
An increasingly popular scenario for Smart Cities is the one in which mobile apps attempt to access resources (e.g., open data about public transportation or e-government services) made available by city authorities through the use of Application Programming Interfaces (APIs). There is a growing awareness of the benefits of using APIs to foster civic engagement through a more efficient and personalized delivery of government services, and as an enabler of a new wave of innovation contributing to a more automated and sustainable city functioning. Despite these advantages, there are several factors hindering the exploitation of APIs. One of the most important technical barriers to the creation of mobile apps following the recurrent pattern of consuming data (e.g., selected parts of open data or user profiles) stored by other applications or services is the lack of a secure delegation mechanism. In this paper, we discuss the main security issues underlying the design of such a delegation mechanism for Smart City mobile apps and present a solution-based on OAuth 2.0-overcoming the security problems. An implementation of the solution has been integrated in the Smart Community Platform for developing open services in the Trentino region and is being used daily by up to 13,000 users. To date, no security issue has been reported.
destination: RTSI2016
year: 2016
doi: 10.1109/RTSI.2016.7740623
- id: SACMAT2016
id_iris: 307044
title: Modular Synthesis of Enforcement Mechanisms for the Workflow Satisfiability Problem
authors:
- DanielDosSantos
- SerenaPonta
- SilvioRanise
abstract: >
Modularity is an important concept in the design and enactment of workflows. However, supporting the specification and enforcement of authorization in this setting is not straightforward. In this paper, we introduce a notion of component and a combination mechanism for security-sensitive workflows. These are business processes in which execution constraints on the tasks are complemented with authorization constraints (e.g., Separation of Duty) and authorization policies (specifying which users can execute which tasks). We show how authorization constraints can also be imposed across components and demonstrate the usefulness of our notion of component by showing (i) the scalability of a technique for the synthesis of run-time monitors for security-sensitive workflows; and (ii) the design of a plug-in for the reuse of workflows and related run-time monitors inside an editor for security-sensitive workflows.
destination: SACMAT2016
year: 2016
doi: 10.1145/2914642.2914649
- id: SECRYPT2016
id_iris: 307033
title: "Security of Mobile Single Sign-On: a Rational Reconstruction of Facebook Login Solution"
authors:
- GiadaSciarretta
- AlessandroArmando
- RobertoCarbone
- SilvioRanise
abstract: >
While there exist many secure authentication and authorization solutions for web applications, their adaptation in the mobile context is a new and open challenge. In this paper, we argue that the lack of a proper reference model for Single Sign-On (SSO) for mobile native applications drives many social network vendors (acting as Identity Providers) to develop their own mobile solution. However, as the implementation details are not well documented, it is difficult to establish the proper security level of these solutions. We thus provide a rational reconstruction of the Facebook SSO flow, including a comparison with the OAuth 2.0 standard and a security analysis obtained testing the Facebook SSO reconstruction against a set of identified SSO attacks. Based on this analysis, we have modified and generalized the Facebook solution proposing a native SSO solution capable of solving the identified vulnerabilities and accommodating any Identity Provider.
destination: SECRYPT2016
year: 2016
doi: 10.5220/0005969001470158
urlNews: /news/2016/06/16/paper-accepted-at-secrypt-2016/
- id: STTT2016
id_iris: 307037
title: Parameterized model checking for security policy analysis
authors:
- SilvioRanise
- RiccardoTraverso
- TuanAnhTruong
abstract: >
We explain how a parameterized model checking technique can be exploited to mechanize the analysis of access control policies. The main advantage of the approach is to reason regardless of the number of users of the system in which the policy is enforced. This permits to obtain more useful results from the analysis; for instance, ensuring that sensitive permissions cannot be leaked regardless of the number of users in the system. We also briefly discuss how some heuristics make the technique scalable to handle (very) large policies. This is demonstrated by a comparative experimental evaluation with state-of-the-art tools for the analysis of access control policies.
destination: STTT
year: 2016
doi: 10.1007/s10009-015-0410-1
- id: TACAS2016
id_iris: 307053
title: "Cerberus: Automated Synthesis of Enforcement Mechanisms for Security-Sensitive Business Processes"
authors:
- LucaCompagna
- DanielDosSantos
- SerenaPonta
- SilvioRanise
abstract: >
Cerberus is a tool to automatically synthesize run-time enforcement mechanisms for security-sensitive Business Processes (BPs). The tool is capable of guaranteeing that the execution constraints ECEC on the tasks together with the authorization policy APAP and the authorization constraints ACAC are satisfied while ensuring that the process can successfully terminate. Cerberus can be easily integrated in many workflow management systems, it is transparent to process designers, and does not require any knowledge beyond usual BP modeling. The tool works in two phases. At design-time, the enforcement mechanism M, parametric in the authorization policy APAP, is generated from ECEC and ACAC; M can thus be used with any instance of the same BP provided that ECEC and ACAC are left unchanged. At run-time, a specific authorization policy is added to M, thereby obtaining an enforcement mechanism M∗M∗ dedicated to a particular instance of the security-sensitive business process. To validate our approach, we discuss the implementation and usage of Cerberus in the SAP HANA Operational Intelligence platform.
destination: TACAS2016
year: 2016
doi: 10.1007/978-3-662-49674-9_36
## 2017
- id: CODASPY2017
id_iris: 313213
title: "Aegis: Automatic Enforcement of Security Policies in Workflow-driven Web Applications"
authors:
- LucaCompagna
- DanielDosSantos
- SerenaPonta
- SilvioRanise
abstract: >
Organizations often expose business processes and services as web applications. Improper enforcement of security policies in these applications leads to business logic vulnerabilities that are hard to find and may have dramatic security implications. Aegis is a tool to automatically synthesize run-time monitors to enforce control-flow and data-flow integrity, as well as authorization policies and constraints in web applications. The enforcement of these properties can mitigate attacks, e.g., authorization bypass and workflow violations, while allowing regulatory compliance in the form of, e.g., Separation of Duty. Aegis is capable of guaranteeing business continuity while enforcing the security policies. We evaluate Aegis on a set of real-world applications, assessing the enforcement of policies, mitigation of vulnerabilities, and performance overhead.
destination: CODASPY2017
year: 2017
doi: 10.1145/3029806.3029813
- id: COSE2017
id_iris: 313200
title: "Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements"
authors:
- GiadaSciarretta
- RobertoCarbone
- SilvioRanise
- AlessandroArmando
abstract: >
While there exist many secure authentication and authorization solutions for web applications, their adaptation in the mobile context is a new and open challenge. In this paper, we argue that the lack of a proper reference model for Single Sign-On (SSO) for mobile native applications drives many social network vendors (acting as Identity Providers) to develop their own mobile solution. However, as the implementation details are not well documented, it is difficult to establish the proper security level of these solutions. We thus provide a rational reconstruction of the Facebook SSO flow, including a comparison with the OAuth 2.0 standard and a security analysis obtained testing the Facebook SSO reconstruction against a set of identified SSO attacks. Based on this analysis, we have modified and generalized the Facebook solution proposing a native SSO abstract model and a related implementation capable of solving the identified vulnerabilities and accommodating any Identity Provider. Finally, we have analyzed the new native SSO solution proposed by the OAuth Working Group, extracted the related abstract model and made a comparison with our proposal.
destination: COSE
destinationAddon: Volume 71, November 2017, Pages 71-86
year: 2017
doi: 10.1016/j.cose.2017.04.011
- id: COSE2017_XACML
id_iris: 313198
title: Formal analysis of XACML policies using SMT
authors:
- FatihTurkmen
- JerryDenHartog
- SilvioRanise
- NicolaZannone
abstract: >
The eXtensible Access Control Markup Language (XACML) has attracted significant attention from both industry and academia, and has become the de facto standard for the specification of access control policies. However, its XML-based verbose syntax and rich set of constructs make the authoring of XACML policies difficult and error-prone. Several automated tools have been proposed to analyze XACML policies before their actual deployment. However, most of the existing tools either cannot efficiently reason about non-Boolean attributes, which often appear in XACML policies, or restrict the analysis to a small set of properties. This work presents a policy analysis framework for the verification of XACML policies based on SAT modulo theories (SMT). We show how XACML policies can be encoded into SMT formulas, along with a query language able to express a variety of well-known security properties, for policy analysis. By being able to reason over non-Boolean attributes, our SMT-based policy analysis framework allows a fine-grained policy analysis while relieving policy authors of the burden of defining an appropriate level of granularity of the analysis. An evaluation of the framework shows that it is computationally efficient and requires less memory compared to existing approaches.
destination: COSE
destinationAddon: Volume 66, May 2017, Pages 185-203
year: 2017
doi: 10.1016/j.cose.2017.01.009
- id: EUROSP2017
id_iris: 313216
title: "Large-scale Analysis & Detection of Authentication Cross-Site Request Forgeries"
authors:
- AvinashSudhodanan
- RobertoCarbone
- LucaCompagna
- NicolasDolgin
- AlessandroArmando
- UmbertoMorelli
abstract: >
Cross-Site Request Forgery (CSRF) attacks are one of the critical threats to web applications. In this paper, we focus on CSRF attacks targeting web sites' authentication and identity management functionalities. We will refer to them collectively as Authentication CSRF (Auth-CSRF in short). We started by collecting several Auth-CSRF attacks reported in the literature, then analyzed their underlying strategies and identified 7 security testing strategies that can help a manual tester uncover vulnerabilities enabling Auth-CSRF. In order to check the effectiveness of our testing strategies and to estimate the incidence of Auth-CSRF, we conducted an experimental analysis considering 300 web sites belonging to 3 different rank ranges of the Alexa global top 1500. The results of our experiments are alarming: out of the 300 web sites we considered, 133 qualified for conducting our experiments and 90 of these suffered from at least one vulnerability enabling Auth-CSRF (i.e. 68%). We further generalized our testing strategies, enhanced them with the knowledge we acquired during our experiments and implemented them as an extension (namely CSRF-checker) to the open-source penetration testing tool OWASP ZAP. With the help of CSRFchecker, we tested 132 additional web sites (again from the Alexa global top 1500) and identified 95 vulnerable ones (i.e. 72%). Our findings include serious vulnerabilities among the web sites of Microsoft, Google, eBay etc. Finally, we responsibly disclosed our findings to the affected vendors.
destination: EUROSP2017
year: 2017
doi: 10.1109/EuroSP.2017.45
urlNews: /news/2017/10/17/paper-accepted-at-eurosp-2017/
- id: IFIPSEC2017
id_iris: 313224
title: "Assisted Authoring, Analysis and Enforcement of Access Control Policies in the Cloud"
authors:
- UmbertoMorelli
- SilvioRanise
abstract: >
The heterogeneity of cloud computing platforms hinders the proper exploitation of cloud technologies since it prevents interoperability, promotes vendor lock-in and makes it very difficult to exploit the well-engineered security mechanisms made available by cloud providers. In this paper, we introduce a technique to help developers to specify and enforce access control policies in cloud applications. The main idea is twofold. First, use a high-level specification language with a formal semantics that allows to answer access requests abstracting from an access control mechanism available in a particular cloud platform. Second, exploit an automated translation mechanism to compute (equivalent) policies that can be enforced in two of the most widely used cloud platforms: AWS and Openstack. We illustrate the technique on a running example and report our experience with a prototype implementation.
destination: IFIPSEC2017
year: 2017
doi: 10.1007/978-3-319-58469-0_20
urlNews: /news/2017/06/15/paper-accepted-at-ifipsec-2017/
- id: JCS2017
id_iris: 313204
title: Automatically finding execution scenarios to deploy security-sensitive workflows
authors:
- DanielDosSantos
- SilvioRanise
- LucaCompagna
- SerenaPonta
abstract: >
We introduce a new class of analysis problems, called Scenario Finding Problems (SFPs), for security-sensitive business processes that – besides execution constraints on tasks – define access control policies (constraining which users can execute which tasks) and authorization constraints (such as Separation of Duty). The solutions to SFPs are concrete execution scenarios that assist customers in the reuse and deployment of security-sensitive workflows. We study the relationship of SFPs to well-known properties of security-sensitive processes such as Workflow Satisfiability and Resiliency together with their complexity. Finally, we present a symbolic approach to solving SFPs and describe our experience with a prototype implementation on real-world business process models taken from an on-line library.
destination: JCS
destinationAddon: Volume 25, no. 3, Pages 255-282
year: 2017
doi: 10.3233/JCS-16894
- id: SACMAT2017
id_iris: 313220
title: "Security Analysis and Legal Compliance Checking for the Design of Privacy-friendly Information Systems"
authors:
- PaoloGuarda
- SilvioRanise
- HariSiswantoro
abstract: >
Nowadays, most of business practices involve personal data-processing of customers and employees. This is strictly regulated by legislation to protect the rights of the data subject. Enforcing regulation into enterprise information system is a non-trivial task that requires an interdisciplinary approach. This paper presents a declarative framework to support the specification of information system designs, purpose-aware access control policies, and the legal requirements derived from the European Data Protection Directive. This allows for compliance checking via a reduction to policy refinement that is supported by available automated tools. We briefly discuss the results of the compliance analysis with a prototype tool on a simple but realistic scenario about the processing of personal data to produce salary slips of employees in an Italian organization.
destination: SACMAT2017
year: 2017
doi: 10.1145/3078861.3078879
- id: SAFECOMP2017
id_iris: 313237
title: "Automated Legal Compliance Checking by Security Policy Analysis"
authors:
- SilvioRanise
- HariSiswantoro
abstract: >
Legal compliance-by-design is the process of developing a software system that processes personal data in such a way that its ability to meet specific legal provisions is ascertained. In this paper, we describe techniques to automatically check the compliance of the security policies of a system against formal rules derived from legal provisions by re-using available tools for security policy verification. We also show the practical viability of our approach by reporting the experimental results of a prototype for checking compliance of realistic and synthetic policies against the European Data Protection Directive (EU DPD).
destination: SAFECOMP2017
year: 2017
doi: 10.1007/978-3-319-66284-8_30
- id: SECRYPT2017
id_iris: 313202
title: "Strong Authentication for e-Banking: a Survey on European Regulations and Implementations"