Differences

This shows you the differences between two versions of the page.

research [2013/01/04 13:20]
pelosi
research [2013/01/04 13:22] (current)
pelosi
Line 1: Line 1:
==== Research Interests ==== ==== Research Interests ====
My main research interests are in the area of applied cryptography and computer security [JR.1--3, JR.5--6, IB.4--5, IC.1--3, IC.5--6, IC.8--9, IC.11--13, IC.15, IC.17--22, IC.25--32, PT.1--12, IPT.1, TR.6, TR.8, TR.3--4, TR.1]. I also work in the area of data security \& privacy [IB.1--3, JR.7, IC.10, IC.14, IC.16, IC.23--24, TR.5], specifically: developing privacy-preserving mechanisms that allow users to access databases without revealing which data they're accessing. Other research topics I am interested in, are logic synthesis of combinatorial circuits and computer architecture security [JR.4, IC.6--7]. My main research interests are in the area of applied cryptography and computer security [JR.1--3, JR.5--6, IB.4--5, IC.1--3, IC.5--6, IC.8--9, IC.11--13, IC.15, IC.17--22, IC.25--32, PT.1--12, IPT.1, TR.6, TR.8, TR.3--4, TR.1]. I also work in the area of data security \& privacy [IB.1--3, JR.7, IC.10, IC.14, IC.16, IC.23--24, TR.5], specifically: developing privacy-preserving mechanisms that allow users to access databases without revealing which data they're accessing. Other research topics I am interested in, are logic synthesis of combinatorial circuits and computer architecture security [JR.4, IC.6--7].
 +
 +
 +----
 +
In particular, the activity carried out in the last years spans over the following research lines: In particular, the activity carried out in the last years spans over the following research lines:
 +
== Access Control and Cryptographic Databases == == Access Control and Cryptographic Databases ==
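Review bot: the escape in "data security \& privacy" is LaTeX syntax, not wiki markup (the page uses a backslash only in `\\` line breaks, as in the Applied Cryptography section), so it renders as a literal backslash; the same text later writes "smart grid security & privacy" with a plain ampersand and the first occurrence should match it. Two smaller style points on the same line: the comma in "Other research topics I am interested in, are logic synthesis" separates subject from verb and should go, and the technical-report citations "TR.6, TR.8, TR.3--4, TR.1" are the only group not listed in ascending order. The added `----` rule and blank lines before "In particular" are consistent with the separators used ahead of the later section headings.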
Line 11: Line 16:
  * (b)  A major obstacle toward the large adoption of outsourcing, otherwise particularly attractive to individuals and to small/medium organizations, is the perception of insecurity and potential loss of control on sensitive data. Guaranteeing privacy in a context where data are externally outsourced entails protecting confidentiality of the data as well as of the accesses to them. In particular, we recognized three different type of confidentiality requirements: (1) content confidentiality (to maintain confidentiality on the data being outsourced), (2) access confidentiality (to conceal the fact that an access aims at a specific data), (3) pattern confidentiality (referring to more accesses aiming at the same data). Several solutions have been proposed in the past few years, both in the theoretical and in the system communities: such solutions consider a honest-but-curious server and resort to encryption to protect the outsourced data, guaranteeing only the data-confidentiality feature. I worked on the definition and development of an indexing model for a relational database that supports not only data confidentiality, but also confidentiality of the accesses that users make on such data (with respect to third parties and mainly to the service provider). Indeed, the developed solution allows to effectively address the access confidentiality problem also in concurrent scenarios [JR.7, IC.23-24].   * (b)  A major obstacle toward the large adoption of outsourcing, otherwise particularly attractive to individuals and to small/medium organizations, is the perception of insecurity and potential loss of control on sensitive data. Guaranteeing privacy in a context where data are externally outsourced entails protecting confidentiality of the data as well as of the accesses to them. 
In particular, we recognized three different type of confidentiality requirements: (1) content confidentiality (to maintain confidentiality on the data being outsourced), (2) access confidentiality (to conceal the fact that an access aims at a specific data), (3) pattern confidentiality (referring to more accesses aiming at the same data). Several solutions have been proposed in the past few years, both in the theoretical and in the system communities: such solutions consider a honest-but-curious server and resort to encryption to protect the outsourced data, guaranteeing only the data-confidentiality feature. I worked on the definition and development of an indexing model for a relational database that supports not only data confidentiality, but also confidentiality of the accesses that users make on such data (with respect to third parties and mainly to the service provider). Indeed, the developed solution allows to effectively address the access confidentiality problem also in concurrent scenarios [JR.7, IC.23-24].
 +
 +
 +----
 +
== Applied Cryptography == == Applied Cryptography ==
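Review bot: splitting item (b) after "accesses to them." drops the bullet, because the continuation line starting "In particular, we recognized" is no longer indented under `  * (b)`; the wiki closes the list at that newline and renders the second half as a plain paragraph outside the item. Either keep (b) on one line or indent the continuation so it stays inside the bullet. While touching the line, fix "three different type of confidentiality requirements" to "types", "a honest-but-curious server" to "an honest-but-curious server", and "the developed solution allows to effectively address the access confidentiality problem also in concurrent scenarios" to "the solution also addresses the access confidentiality problem effectively in concurrent scenarios".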
Line 20: Line 29:
* (b)  Although the current standard cryptographic algorithms proved to withstand exhaustive and mathematical attacks, their hardware and software implementations have exhibited side-channel vulnerabilities due to the information leakage through power consumption, electro-magnetic emissions, or device weaknesses against fault-injection techniques. As long as the power and EM analyses in the side-channel area go, I have studied how information leaks when a physical device performs cryptographic operations. Advancements has been obtained in the effectiveness of the power-based attacks through employing digital filtering techniques [IC.18, IC.21].\\ Moreover, a sound design-time evaluation of the security of a digital device has been proposed [JR.5, IB.5, IC.30].\\ Finally, I introduced a general framework [IC.31, IPT.1, TR.8] to automate the application of countermeasures against Differential Power Attacks aimed at software implementations of cryptographic primitives.The approach makes use of compiler-based techniques to analyze the vulnerabilities of algorithms in their intermediate code representation and apply provable-secure static-time countermeasures. The proposed framework allows to trade-off the performance and the security margins provided by a combined approach in applying the countermeasures at both static-time and run-time. At run-time, the core idea lies in the generation of multiple versions of the code, to prevent an attacker from recognizing the exact point in time where the observed operation is executed and how such operation is performed. This strategy increases the effort needed to retrieve the secret key through hindering the formulation of a correct hypothetical consumption to be correlated with the power measurements. 
At the current state-of-the-art this is the first comprehensive and general solution to counteract power-based side-channel attacks aimed at SW implementations of embedded devices, with limited impact on both costs and performances.\\ In an “active attack” scenario (a.k.a., fault-attack scenario), the adversary perturbs the regular behavior of the encrypting device in order to obtain a small amount of information correlated with the error. As a contribution in this area, we proposed a new attack against the widely adopted implementation of the Elliptic Curve Digital Signature Standard [IC.26] and a low-cost, non-invasive and effective technique to inject faults in an ARM9 general purpose CPU through lowering its feeding voltage. This is the first result available in fault attacks literature dealing with a software implementation of a cryptosystem, running on a full fledged CPU with a complete operating system. The works published in [JR.6, IB.4-5, IC.12, IC.17, IC.19] fully characterize the fault model and practically validate the technique considering the AES and RSA ciphers. In addition, in [IC.20] a new software-based countermeasures is proposed, with the aim of minimizing the overheads introduced through the instruction duplication and triplication in the error-detecting or error-correcting cryptosystem implementations.\\ Finally, the research investigations in the context of the EU project TOISE about smart grid security & privacy led to classify the threats to these systems into three broad groups: (i) System level threats that attempt to take down the grid; (ii) attempts to steal electrical service; and (iii) attempts to compromise the confidentiality of data on the system. Analyses and considerations we made about vulnerabilities and opportunities of the smart grid technology has been published in [IC.22, IC.25, IC.29]. 
* (b)  Although the current standard cryptographic algorithms proved to withstand exhaustive and mathematical attacks, their hardware and software implementations have exhibited side-channel vulnerabilities due to the information leakage through power consumption, electro-magnetic emissions, or device weaknesses against fault-injection techniques. As long as the power and EM analyses in the side-channel area go, I have studied how information leaks when a physical device performs cryptographic operations. Advancements has been obtained in the effectiveness of the power-based attacks through employing digital filtering techniques [IC.18, IC.21].\\ Moreover, a sound design-time evaluation of the security of a digital device has been proposed [JR.5, IB.5, IC.30].\\ Finally, I introduced a general framework [IC.31, IPT.1, TR.8] to automate the application of countermeasures against Differential Power Attacks aimed at software implementations of cryptographic primitives.The approach makes use of compiler-based techniques to analyze the vulnerabilities of algorithms in their intermediate code representation and apply provable-secure static-time countermeasures. The proposed framework allows to trade-off the performance and the security margins provided by a combined approach in applying the countermeasures at both static-time and run-time. At run-time, the core idea lies in the generation of multiple versions of the code, to prevent an attacker from recognizing the exact point in time where the observed operation is executed and how such operation is performed. This strategy increases the effort needed to retrieve the secret key through hindering the formulation of a correct hypothetical consumption to be correlated with the power measurements. 
At the current state-of-the-art this is the first comprehensive and general solution to counteract power-based side-channel attacks aimed at SW implementations of embedded devices, with limited impact on both costs and performances.\\ In an “active attack” scenario (a.k.a., fault-attack scenario), the adversary perturbs the regular behavior of the encrypting device in order to obtain a small amount of information correlated with the error. As a contribution in this area, we proposed a new attack against the widely adopted implementation of the Elliptic Curve Digital Signature Standard [IC.26] and a low-cost, non-invasive and effective technique to inject faults in an ARM9 general purpose CPU through lowering its feeding voltage. This is the first result available in fault attacks literature dealing with a software implementation of a cryptosystem, running on a full fledged CPU with a complete operating system. The works published in [JR.6, IB.4-5, IC.12, IC.17, IC.19] fully characterize the fault model and practically validate the technique considering the AES and RSA ciphers. In addition, in [IC.20] a new software-based countermeasures is proposed, with the aim of minimizing the overheads introduced through the instruction duplication and triplication in the error-detecting or error-correcting cryptosystem implementations.\\ Finally, the research investigations in the context of the EU project TOISE about smart grid security & privacy led to classify the threats to these systems into three broad groups: (i) System level threats that attempt to take down the grid; (ii) attempts to steal electrical service; and (iii) attempts to compromise the confidentiality of data on the system. Analyses and considerations we made about vulnerabilities and opportunities of the smart grid technology has been published in [IC.22, IC.25, IC.29].
-== Other Research Interests: Logic Synthesis and Computer Architecture Security == 
-Boolean matching is the problem of determining whether two Boolean functions are functionally equivalent under the permutation and negation of inputs and outputs. The topic finds numerous applications in verification and logic synthesis. The research contribution [JR.4, IC.7], addresses the P-equivalence Boolean matching, outlining  a formal framework that unifies some of the spectral and canonical form-based approaches to the problem. As a first major contribution, we show how these approaches are particular cases of a single generic algorithm, parametric with respect to a given linear transformation of the input function. As a second major contribution, we identify a linear transformation that can be used to significantly speed up Boolean matching with respect to the state-of-the-art.+----
----+== Other Research Interests: Logic Synthesis and Computer Architecture Security ==
 +Boolean matching is the problem of determining whether two Boolean functions are functionally equivalent under the permutation and negation of inputs and outputs. The topic finds numerous applications in verification and logic synthesis. The research contribution [JR.4, IC.7], addresses the P-equivalence Boolean matching, outlining  a formal framework that unifies some of the spectral and canonical form-based approaches to the problem. As a first major contribution, we show how these approaches are particular cases of a single generic algorithm, parametric with respect to a given linear transformation of the input function. As a second major contribution, we identify a linear transformation that can be used to significantly speed up Boolean matching with respect to the state-of-the-art.
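Review bot: the unchanged item (b) text in this hunk carries several defects that should be fixed in the same edit: the missing space in "cryptographic primitives.The approach", "Advancements has been obtained" should read "Advancements have been obtained", "a new software-based countermeasures is proposed" should be singular "countermeasure", and "Analyses and considerations ... has been published" should be "have been published". The physical line break before "At the current state-of-the-art" has the same list-breaking effect noted for the previous hunk unless the item stays on one line; the `\\` markers inside the item are fine, since those are wiki line breaks. Moving the `----` rule above the "Other Research Interests" heading is correct: the old placement left the rule under the section while every other section puts it before the heading.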