Professor at the Department of Computer Science and Information Engineering (DISI), University of Trento, via Sommarive 14, I-38123 Povo (TN), Italy
News
- The NeCS PhD Winter School 2024 is coming! The seventh edition of this annual event will take place in Cortina from the 8th till the 12th of January and it will feature a prestigious list of speakers. For more info visit the website.
- Together with esteemed and well-known colleagues of mine, we are organizing an exciting and prestigious Dagstuhl Seminar on the Security and Privacy of Current and Emerging IoT Devices and Systems. More details can be found on the dedicated webpage.
- Security Embedded has been founded! Security Embedded is an innovative startup offering services and products in the domain of IIoT and OT security. We showcased our portfolio of solutions at the Prototype for Humanity in Dubai in November 2022. Visit the company website if you are interested in knowing more... and we are hiring too.
Some of my recent papers (check also the full list)
- We keep discovering security issues also in well-established security standards. Our most recent paper, OAuth 2.0 Redirect URI Validation Falls Short, Literally, just presented at ACSAC 2023, has drawn the attention of the group working on the standard.
- Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, William Robertson, Cached and Confused: Web Cache Deception in the Wild. Accepted at Usenix Security 2020. The paper was noted by many experts (e.g., James Kettle, Omer Gil) and was covered by specialized media (e.g., The Daily Swig, ZDNet).
- Mahmoud Ammar, Giovanni Russello, Bruno Crispo, Internet of Things: A survey on the security of IoT frameworks. Journal of Information Security and Applications 38: 8-27 (2018).
- Mahmoud Ammar and Bruno Crispo, "Verify&Revive: Secure Detection and Recovery of Compromised Low-end Embedded Devices", accepted and presented at the Annual Computer Security Applications Conference (ACSAC'20). The paper deals with the difficult problem of recovering from a compromised state in the context of embedded systems.
Research Interests
- Large-scale analysis of web-based attacks: Recently, I started working on large-scale analysis of new web-based attacks. The first target here is the discovery of new vulnerabilities and of attacks that exploit them. The second is the analysis of the potential impact of each of these vulnerabilities, by analyzing a large number of websites and measuring how many of them are subject to the discovered vulnerabilities. So far, one of the most important results of this research has been the discovery and exploitation of the Relative Path Overwrite (RPO) attack. The most important exploit we studied in this area was the Web Cache Deception work that will be presented at Usenix Security 2020.
- Security of Internet of Things: This research thread investigates the problem of protecting Internet of Things and cyber-physical systems. In particular, I study the emergence of new attack vectors caused by the interconnection of subsystems that have never been connected to the Internet before. I don't limit my research to attacks, but I also investigate defense mechanisms. My main interest is in the protection of the simplest classes of devices, which are also the most widely deployed, and which cannot be equipped with special hardware to protect cryptographic keys and in some cases not even with primary memory protection. In this domain, my interest is in software-based solutions.
- Behavioural Biometrics: Several field studies show that users are very reluctant to use traditional authentication methods like PIN and password to authenticate to the new generation of devices like smartphones, smart watches, fitness bands, etc. In this activity I am interested in designing and evaluating new user authentication methods for IoT. These methods are based on behavioral biometrics, that is, biometrics based on how users perform particular activities. MEMS technology embedded in almost all these new devices allows the implementation of new biometrics without the need for additional or specialized hardware. Here the challenge is to design methods that users accept and find easy to use and that achieve the necessary accuracy to provide the desired level of security. This topic of research is typically multidisciplinary, since it involves competences in the areas of security and privacy, machine learning and human-computer interaction.
- Adversarial Learning: How not to jump on the bandwagon of AI nowadays?! Recently, I started working on this topic too. However, just a small part of the activity is devoted to applications of adversarial learning, which account for 95% of the research you can find around, while most of the research I do here tries to be more fundamental and studies how to design learning algorithms that make adversarial attacks more difficult. This research thread is in collaboration with Prof. Bergadano from the University of Torino.
- Mobile Platforms Security and Privacy: Smartphones have become a pervasive computing and communication platform used by people to perform many activities besides placing and receiving phone calls. However, the protection and security models supported by such platforms have been shown not to adequately address the security and privacy concerns of their users. This research activity is structured in two different threads. The first aims at extending and strengthening the security models and mechanisms of existing smartphone platforms and OSes. Particularly challenging in this domain is to find solutions that can increase the security and privacy of users without affecting usability. The second thread acts directly on the mobile applications. Here the focus is the development of innovative techniques that combine static and dynamic approaches to analyse the security of applications. Particularly challenging is the analysis of code loaded only at runtime and the analysis of programming constructs that hide their semantics (i.e., reflection).
Research projects I am currently involved in
- CROSSCON (EU Research Innovative Action): I am the scientific coordinator of an interesting EU research project (>6M Euro) called CROSSCON. IoT developers face a very fragmented landscape made of very different devices, from bare-metal devices with a few KB of RAM and limited or no security protection to devices equipped with powerful support for AI and with built-in hardware (HW) to implement a Root of Trust (RoT) and Trusted Execution Environments (TEE). Such different devices coexist, and it is an open challenge to guarantee an acceptable level of security across the whole system to avoid "easy" entry points for attackers. CROSSCON aims at addressing all these issues by designing a new open, flexible, highly portable and vendor-independent IoT security stack that can run across a variety of different edge devices and multiple HW platforms to offer a consistent security baseline across an entire IoT system. High-level assurance is guaranteed by the formal verification of the stack specifications.
- Safe and Secure Industrial Internet of Things (MUR PRIN2022): Technological transformations and business opportunities are radically transforming traditional Physical Systems into more modern but also less secure Cyber-Physical Systems. These systems have recently and often been the target of highly sophisticated cyber attacks. When such systems are also safety-critical, the insecurity induced by the cyber part can also affect the physical components, thus undermining the safety of the entire system. Since IIoT systems are strategic economic assets and their protection is the precondition for keeping citizens safe, strengthening their security is of paramount importance. This entails preventing cyber attacks from happening, and – in case prevention fails – promptly detecting them, countering their effects, and mitigating their impacts and potential damages. The Safe and Secure Industrial Internet of Things (S2) project focuses on foundational concepts and principles that, combined with new tools and methods, allow the design and construction of safer and more secure safety-critical systems. The S2 consortium includes well-established and internationally renowned research groups that already have consolidated and proven know-how in the different and complementary areas required to address such a complex problem.
- SPECTRO: SPecialised Education programmes in CybersecuriTy and Robotics (EU Digital Europe SKILLS): SPECTRO focuses on the design and delivery of two double-degree master's programmes (ISCED Level 7, 120 ECTS) and self-standing learning modules in two key digital technology areas for the future of Europe: Cybersecurity and Robotics. The two specialised master's programmes, which will also include a minor in Innovation and Entrepreneurship, will be designed and delivered by a consortium consisting of 12 higher education institutions from 7 different countries, 2 innovative SMEs, 1 leading research centre in Information Systems and EIT Digital, a pan-European organisation with in-depth knowledge and experience in the digital skills domain.
- DUCA: Data Usage Control for empowering digital sovereignty for All citizens (EU MSCA Staff Exchange): The Internet of Everything has led to a surge in connected devices, resulting in the generation of a huge amount of data. With the support of the Marie Skłodowska Curie Actions programme, the DUCA project aims to provide a comprehensive framework to address the growing concerns around data privacy and protection. Its goal is to empower European users and organisations to take control of their data, ensuring confidentiality and personal data protection. DUCA's framework comprises a set of security and privacy-enhancing solutions, which will be platform-independent to enable compatibility with various architectures and deployment models. The project has identified three use cases: smart energy, usage control for Big Data and artificial intelligence, and collaborative mobility.
Scientific events I am currently involved in
- General Chair of the 7th International NeCS Winter PhD School 2024.
- Program Committee of The WEB Conference 2024.
- Program Committee of ESORICS 2024.
- Program Committee of CODASPY 2024.
- Program Committee of Usenix Security 2022.
- Program Committee of Usenix Security 2021.