I am hiring!

Interested in doing research on System security, Internet of Things, trust technology or web security? Then please send me an e-mail. I am always looking for good candidates for PhD, junior or senior researcher and also as a professor.

Find more info about our new results on behavioural biometrics here.

Find more info about the CINI Cyber Security National Lab I am involved with by clicking on its logo.

Applications to the CyberChallenge CTF 2024 are open.

News

  • Dec 2023
    Our paper "OAuth 2.0 Redirect URI Validation Falls Short, Literally" has been presented at ACSAC 2023 by Elsevier.
  • July 2023
    Our paper "AppBox: A Black-Box Application Sandboxing Technique for Mobile App Management Solutions" has been presented at IEEE ISCC 2023.
  • Feb. 2023
    Our paper "A Survey of Human-Computer Interaction (HCI) & Natural Habits-based Behavioural Biometric Modalities for User Recognition Schemes" has been accepted at Pattern Recognition Journal published by Elsevier.
  • Dec. 2022
    Our paper "AI-enabled IoT Penetration Testing: State-of-the-art and Research Challenges" has been accepted at Enterprise Information Systems Journal published by Taylor & Francis.

xESB: Security Enhanced Enterprise Service Bus

    Project description
    An Enterprise Service Bus is a state-of-the-art piece of technology that mediates communication throughout the enterprise. Enforcement of a policy comprises all the actions that need to be performed to make sure that a policy or set of constraints is satisfied. xESB is an enhanced version of an ESB that monitors and enforces security policies both inside one business domain and between business domains. xESB is based on the Java Business Integration (JBI) standard, which specifies a number of requirements for the SOA applications that are to be put together (or integrated). Because Java Business Integration is a standard, xESB is generic and applies to any JBI-based infrastructure.

    xESB follows the three steps of a runtime enforcement process. Once a message is intercepted, it is evaluated against the deployed security policies; the result is a decision that xESB translates into a series of actions; the enforcement process is in charge of performing those actions (either directly or by delegating them to a trusted third party). In our case xESB understands and directly performs the actions specified by the policy:
    • deletion or blocking of a message
    • delaying of a message
    • modifying of a message in terms of its metadata
    The policy language that xESB understands dictates how strong its enforcement is. We have used an internal xESB language that supports UCON-like obligations and is adapted to this message level, as well as two other languages: POLPA (Policy Language based on Process Algebra) and OSL (Obligation Specification Language). The aim is to make xESB able to use any kind of policy language as long as the constraints have to do more with event logic than with application logic. In our latest work, we have explored the possibility of having xESB enforcement performed in tandem with enforcement at the business process level. In this way, we suggest a common controller that can delegate enforcement actions to both the xESB layer and the BPEL layer. This approach makes enacting realistic SOA policies more flexible and more reliable.
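    As an added illustration (example code written for this page, not xESB's own implementation), the three enforcement steps and the three message-level actions described above modelled as a small Python policy engine: the caller intercepts a message, `enforce` evaluates it against deployed event-level policies and performs the resulting block, delay or metadata-modification actions. The policies, the "service@domain" addressing and the header names are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Action(Enum):
    BLOCK = "block"    # delete/block the message
    DELAY = "delay"    # hold it for a number of seconds
    MODIFY = "modify"  # rewrite metadata only; the body is never touched

@dataclass
class Message:
    src: str       # "service@domain", a constructed addressing format
    dst: str
    metadata: dict

@dataclass
class Decision:
    action: Action
    delay_s: float = 0.0
    patch: dict = field(default_factory=dict)

# Deployed policies as (name, predicate, decision). Predicates only inspect
# event-level facts (who, where, which headers), not application payload.
POLICIES = [
    ("cross-domain traffic must carry an auth token",
     lambda m: m.src.split("@")[1] != m.dst.split("@")[1] and "auth" not in m.metadata,
     Decision(Action.BLOCK)),
    ("messages from the partner domain are held for 2 seconds",
     lambda m: m.src.split("@")[1] == "partner",
     Decision(Action.DELAY, delay_s=2.0)),
    ("tag every message that crosses a domain boundary",
     lambda m: m.src.split("@")[1] != m.dst.split("@")[1],
     Decision(Action.MODIFY, patch={"x-crossed-domain": "true"})),
]

def enforce(msg: Message):
    """Evaluate an intercepted message (step 2) and perform the resulting actions
    (step 3). Returns (actions performed, message or None if blocked)."""
    hits = [d for _, pred, d in POLICIES if pred(msg)]
    if any(d.action is Action.BLOCK for d in hits):  # block dominates
        return ["block"], None
    performed = []
    delay = max((d.delay_s for d in hits if d.action is Action.DELAY), default=0.0)
    if delay:  # a real bus would schedule redelivery instead of sleeping
        msg.metadata["x-held-seconds"] = delay
        performed.append(f"delay:{delay}")
    for d in hits:
        if d.action is Action.MODIFY:
            msg.metadata.update(d.patch)
            performed.append("modify:" + ",".join(sorted(d.patch)))
    return performed or ["allow"], msg
```

    A message inside one domain passes untouched, an unauthenticated cross-domain message is blocked, and an authenticated one from the partner domain is both held and tagged.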


    People: Gabriela Gheorghe, Bruno Crispo

    Publications:
    • Gabriela Gheorghe, Daniel Schleicher, Ralph Mietzner, Ganna Monakova, Tobias Anstett, Bruno Crispo, Frank Leymann, "Combining Enforcement Strategies in Service Oriented Architectures". In the proceedings of the 8th International Conference on Service Oriented Computing (ICSOC 2010), December 2010.
    • Gabriela Gheorghe, Paolo Mori, Bruno Crispo and Fabio Martinelli, "Enforcing UCON Policies on the Enterprise Service Bus". In the proceedings of the 12th International Symposium on Distributed Objects, Middleware and Applications (DOA 2010), OnTheMove Federated Conferences, October 2010.
    • Gabriela Gheorghe, Stephan Neuhaus, Bruno Crispo, "xESB: an Enterprise Service Bus for Access and Usage Control Policy Enforcement". In the proceedings of the Fourth International Conference on Trust Management (IFIPTM 2010), June 1, 2010.
    • Gabriela Gheorghe, Fabio Massacci, Stephan Neuhaus and Alexander Pretschner, "GoCoMM: A Governance and Compliance Maturity Model". In the proceedings of the 1st ACM Workshop on Information Security Governance, November 2009.