155 result(s)
Page Size: 10, 20, 50
Export: bibtex, xml, json, csv
Order by:

CNR Author operator: and / or
more
Typology operator: and / or
Language operator: and / or
Date operator: and / or
more
Rights operator: and / or
2021 Journal article Open Access OPEN

COVID-19 & privacy: Enhancing of indoor localization architectures towards effective social distancing
Barsocchi P., Calabrò A., Crivello A., Daoudagh S., Furfari F., Girolami M., Marchetti E.
The way people access services in indoor environments has dramatically changed in the last year. The countermeasures to the COVID-19 pandemic imposed a disruptive requirement, namely preserving social distance among people in indoor environments. We explore in this work the possibility of adopting the indoor localization technologies to measure the distance among users in indoor environments. We discuss how information about people's contacts collected can be exploited during three stages: before, during, and after people access a service. We present a reference architecture for an Indoor Localization System (ILS), and we illustrate three representative use-cases. We derive some architectural requirements, and we discuss some issues that concretely cope with the real installation of an ILS in real-world settings. In particular, we explore the privacy and trust reputation of an ILS, the discovery phase, and the deployment of the ILS in real-world settings. We finally present an evaluation framework for assessing the performance of the architecture proposed.Source: Array 9 (2021). doi:10.1016/j.array.2020.100051
DOI: 10.1016/j.array.2020.100051
Project(s): CyberSec4Europe via OpenAIRE

See at: Array Open Access | Array Open Access | Array Open Access | Array Open Access | ISTI Repository Open Access | Array Open Access | CNR ExploRA Restricted | www.sciencedirect.com Restricted


2020 Conference article Restricted

A Framework for the Validation of Access Control Systems
Daoudagh S., Lonetti F., Marchetti E.
In modern pervasive applications, it is important to validate Access Control (AC) mechanisms that are usually defined by means of the XACML standard. Mutation analysis has been applied on Access Control Policies (ACPs) for measuring the adequacy of a test suite. This paper provides an automatic framework for realizing mutations of the code of the Policy Decision Point (PDP) that is a critical component in AC systems. The proposed framework allows the test strategies assessment and the analysis of test data by leveraging mutation-based approaches. We show how to instantiate the proposed framework and provide also some examples of its application.Source: Emerging Technologies for Authorization and Authentication. ETAA 2019, pp. 35–51, Luxembourg City, Luxembourg, 27/09/2019
DOI: 10.1007/978-3-030-39749-4_3
Project(s): CyberSec4Europe via OpenAIRE

See at: academic.microsoft.com Restricted | dblp.uni-trier.de Restricted | link.springer.com Restricted | link.springer.com Restricted | link.springer.com Restricted | CNR ExploRA Restricted


2020 Conference article Open Access OPEN

A life cycle for authorization systems development in the GDPR perspective
Said D., Marchetti E.
The General Data Protection Regulation (GDPR) defines the principle of Integrity and Confidentiality, and implicitly calls for the adoption of authorization systems for regulating the access to personal data. We present here a process development life cycle for the specification, deployment and testing of authorization systems. The life cycle targets legal aspects, such as the data usage purpose, the user consent and the data retention period. We also present its preliminary architecture where available solutions for extracting, implementing and testing the data protection regulation are integrated. The objective is to propose for the first time a unique improved solution for addressing different aspects of the GDPR development and enforcement along all the life cycle phases.Source: 4th Italian Conference on Cyber Security, ITASEC 2020, Ancona, Italy, 05-07/02/2020
Project(s): CyberSec4Europe via OpenAIRE

See at: ceur-ws.org Open Access | ISTI Repository Open Access | CNR ExploRA Open Access


2020 Conference article Open Access OPEN

Assessing testing strategies for access control systems: a controlled experiment
Daoudagh S., Lonetti F., Marchetti E.
This paper presents a Controlled Experiment (CE) for assessing testing strategies in the context of Access Control (AC); more precisely, the CE is performed by considering the AC Systems (ACSs) based on the XACML Standard. We formalized the goal of the CE, and we assessed two available test cases generation strategies in terms of three metrics: Effectiveness, Size and Average Percentage Faults Detected (APFD). The experiment operation is described and the main results are analyzed.Source: 6th International Conference on Information Systems Security and Privacy, pp. 107–118, Valletta, Malta, 25-27/02/2020
DOI: 10.5220/0008974201070118
Project(s): CyberSec4Europe via OpenAIRE

See at: doi.org Open Access | ISTI Repository Open Access | CNR ExploRA Open Access | www.scitepress.org Open Access | academic.microsoft.com Restricted | dblp.uni-trier.de Restricted


2020 Conference article Open Access OPEN

Defining controlled experiments inside the access control environment
Daoudagh S., Marchetti E.
In ICT systems and modern applications access control systems are important mechanisms for managing resources and data access. Their criticality requires high security levels and consequently, the application of effective and efficient testing approaches. In this paper we propose standardized guidelines for correctly and systematically performing the testing process in order to avoid errors and improve the effectiveness of the validation. We focus in particular on Controlled Experiments, and we provide here a characterization of the first three steps of the experiment process (i.e., Scoping, Planning and Operation) by the adoption of the Goal- Question-Metric template. The specialization of the three phases is provided through a concrete example.Source: 8th International Conference on Model-Driven Engineering and Software Development, MODELSWARD 2020; Valletta, pp. 167–176, Valletta, Malta, 25-27 February, 2020
DOI: 10.5220/0009358201670176
Project(s): CyberSec4Europe via OpenAIRE

See at: ISTI Repository Open Access | CNR ExploRA Open Access | www.scitepress.org Open Access | academic.microsoft.com Restricted | dblp.uni-trier.de Restricted


2020 Journal article Open Access OPEN

XACMET: XACML Testing & Modeling: An automated model-based testing solution for access control systems
Daoudagh S., Lonetti F., Marchetti E.
In the context of access control systems, testing activity is among the most adopted means to assure that sensible information or resources are correctly accessed. In XACML-based access control systems, incoming access requests are transmitted to the policy decision point (PDP) that grants or denies the access based on the defined XACML policies. The criticality of a PDP component requires an intensive testing activity consisting in probing such a component with a set of requests and checking whether its responses grant or deny the requested access as specified in the policy. Existing approaches for improving manual derivation of test requests such as combinatorial ones do not consider policy function semantics and do not provide a verdict oracle. In this paper, we introduce XACMET, a novel approach for systematic generation of XACML requests as well as automated model-based oracle derivation. The main features of XACMET are as follows: (i) it defines a typed graph, called the XAC-Graph, that models the XACML policy evaluation; (ii) it derives a set of test requests via full-path coverage of this graph; (iii) it derives automatically the expected verdict of a specific request execution by executing the corresponding path in such graph; (iv) it allows us to measure coverage assessment of a given test suite. Our validation of the XACMET prototype implementation confirms the effectiveness of the proposed approach.Source: Software quality journal 28 (2020): 249–282. doi:10.1007/s11219-019-09470-5
DOI: 10.1007/s11219-019-09470-5

See at: ISTI Repository Open Access | Software Quality Journal Restricted | Software Quality Journal Restricted | link.springer.com Restricted | Software Quality Journal Restricted | Software Quality Journal Restricted | CNR ExploRA Restricted | Software Quality Journal Restricted


2020 Conference article Open Access OPEN

A privacy-by-design architecture for indoor localization systems
Barsocchi P., Calabro A., Crivello A., Daoudagh S., Furfari F., Girolami M., Marchetti E.
The availability of mobile devices has led to an arising development of indoor location services collecting a large amount of sensitive information. However, without accurate and verified management, such information could become severe back-doors for security and privacy issues. We propose in this paper a novel Location-Based Service (LBS) architecture in line with the GDPR's provisions. For feasibility purposes and considering a representative use-case, a reference implementation, based on the popular Telegram app, is also presented.Source: 13th International Conference on the Quality of Information and Communications Technology (QUATIC 2020), pp. 358–366, Faro, Portugal, September 9-11, 2020
DOI: 10.1007/978-3-030-58793-2_29
Project(s): CyberSec4Europe via OpenAIRE

See at: link-springer-com-443.webvpn.fjmu.edu.cn Open Access | CNR ExploRA Open Access | academic.microsoft.com Restricted | link.springer.com Restricted | link.springer.com Restricted


2020 Journal article Embargo

Cloud testing automation: industrial needs and ElasTest response
Bertolino A., Calabrò A., Marchetti E., Cervantes Sala A., Tunon De Hita G., Gheorghe Pop I. D., Gowtham V.
While great emphasis is given in the current literature about the potential of leveraging the cloud for testing purposes, the authors have scarce factual evidence from real-world industrial contexts about the motivations, drawbacks and benefits related to the adoption of automated cloud testing technology. In this study, the authors present an empirical study undertaken within the ongoing European Project ElasTest, which has developed an open source platform for end-to-end testing of large distributed systems. This study aims at validating the ElasTest solution, and consists of the assessment of four demonstrators belonging to different application domains, namely e-commerce, 5G networking, WebRTC and Internet of Things. For each demonstrator, they collected differing requirements, and achieved varying results, both positive and negative, showing that cloud testing needs careful assessment before adoption.Source: IET software (Print) 14 (2020): 553–562. doi:10.1049/iet-sen.2019.0140
DOI: 10.1049/iet-sen.2019.0140
Project(s): ELASTEST via OpenAIRE

See at: IET Software Restricted | IET Software Restricted | IET Software Restricted | IET Software Restricted | IET Software Restricted | IET Software Restricted | IET Software Restricted | IET Software Restricted | Fraunhofer-ePrints Restricted | CNR ExploRA Restricted


2020 Conference article Restricted

Continuous Development and Testing of Access and Usage Control: A Systematic Literature Review
Daoudagh S., Lonetti F., Marchetti E.
Context: Development and testing of access/usage control systems is a growing research area. With new trends in software development such as DevOps, the development of access/usage control also has to evolve. Objective: The main aim of this paper is to provide an overview of research proposals in the area of continuous development and testing of access and usage control systems. Method: The paper uses a Systematic Literature Review as a research method to define the research questions and answer them following a systematic approach. With the specified search string, 210 studies were retrieved. After applying the inclusion and exclusion criteria in two phases, a final set of 20 primary studies was selected for this review. Results: Results show that primary studies are mostly published in security venues followed by software engineering venues. Furthermore, most of the studies are based on the standard XACML access control language. In addition, a significant portion of the proposals for development and testing is automated with test assessment and generation the most targeted areas. Some general guidelines for leveraging continuous developing and testing of the usage and access control systems inside the DevOps process are also provided.Source: 2020 European Symposium on Software Engineering, pp. 51–59, Rome, Italy, 06-08/11/2020
DOI: 10.1145/3393822.3432330
Project(s): CyberSec4Europe via OpenAIRE

See at: academic.microsoft.com Restricted | dl.acm.org Restricted | dl.acm.org Restricted | CNR ExploRA Restricted


2019 Conference article Open Access OPEN

A dynamic and scalable solution for improving daily life safety
Calabrò A., Marchetti E., Moroni D., Pieri G.
The integration of computation, networking, and physical processes requires regular exchange of critical information in timely and reliable fashion and a secure modeling and control engine able to rule and to coordinate all different sources of information. In this paper we provide the description of a dynamic and flexible infrastructure to be installed and applied into daily realities, able to maximize safety and security with an extremely low impact on the maintenance and the updating effort. The proposal has been conceived in collaboration with an Italian kindergarten. Preliminary results collected during simulation and testing activity are encouraging.Source: 2nd International Conference on Applications of Intelligent Systems, Las Palmas de Gran Canaria, Spain, 07-09 January 2019
DOI: 10.1145/3309772.3309796

See at: ISTI Repository Open Access | academic.microsoft.com Restricted | dblp.uni-trier.de Restricted | dl.acm.org Restricted | dl.acm.org Restricted | CNR ExploRA Restricted


2019 Journal article Open Access OPEN

A systematic review on cloud testing
Bertolino A., De Angelis G., Gallego M., García B., Gortázar F., Lonetti F., Marchetti E.
A systematic literature review is presented that surveyed the topic of cloud testing over the period 2012-2017. Cloud testing can refer either to testing cloud-based systems (testing of the cloud) or to leveraging the cloud for testing purposes (testing in the cloud): both approaches (and their combination into testing of the cloud in the cloud) have drawn research interest. An extensive paper search was conducted by both automated query of popular digital libraries and snowballing, which resulted in the final selection of 147 primary studies. Along the survey, a framework has been incrementally derived that classifies cloud testing research among six main areas and their topics. The article includes a detailed analysis of the selected primary studies to identify trends and gaps, as well as an extensive report of the state-of-the-art as it emerges by answering the identified Research Questions. We find that cloud testing is an active research field, although not all topics have received enough attention and conclude by presenting the most relevant open research challenges for each area of the classification framework.Source: ACM computing surveys 52 (2019). doi:10.1145/3331447
DOI: 10.1145/3331447
Project(s): ELASTEST via OpenAIRE

See at: ISTI Repository Open Access | ZENODO Open Access | ACM Computing Surveys Open Access | ACM Computing Surveys Restricted | ACM Computing Surveys Restricted | ACM Computing Surveys Restricted | ACM Computing Surveys Restricted | dl.acm.org Restricted | ACM Computing Surveys Restricted | ACM Computing Surveys Restricted | ACM Computing Surveys Restricted | CNR ExploRA Restricted


2019 Conference article Restricted

GDPR and business processes: an effective solution
Bartolini C., Calabró A., Marchetti E.
In the European Union, the recent update to data protection laws by virtue of the General Data Protection Regulation (GDPR) significantly changed the landscape of the processing of personal data. Consequently, adequate solutions to ensure that the controller and processor properly understand and meet the data protection requirements are needed. In enterprise reality it is quite common to use Business Process (BP) models to manage the different business activities. Hence the idea of integrating privacy concepts into BP models so as to leverage them to the role of GDPR recommenders. To this end, suggestions and recommendations about data management pursuant to GDPR provisions have been added to specific tasks of the BP, to improve both the process management and personnel learning and training. Feasibility of the proposed idea, implemented into an Eclipse plugin, has been provided through a realistic example.Source: APPIS 2019 - 2nd International Conference on Applications of Intelligent Systems, Las Palmas de Gran Canaria, Spain, 7-12 January 2019
DOI: 10.1145/3309772.3309779

See at: academic.microsoft.com Restricted | dblp.uni-trier.de Restricted | dl.acm.org Restricted | dl.acm.org Restricted | CNR ExploRA Restricted


2019 Conference article Open Access OPEN

A decentralized solution for combinatorial testing of access control engine
Daoudagh S., Lonetti F., Marchetti E.
In distributed environments, information security is a key factor and access control is an important means to guarantee confidentiality of sensitive and valuable data. In this paper, we introduce a new decentralized framework for testing of XACML-based access control engines. The proposed framework is composed of different web services and provides the following functionalities: I) generation of test cases based on combinatorial testing strategies; ii) decentralized oracle that associates the expected result to a given test case, i.e. an XACML request; and finally, iii) a GUI for interacting with the framework and providing some analysis about the expected results. A first validation confirms the efficiency of the proposed approach.Source: ICISSP 2019 - 5th International Conference on Information Systems Security and Privacy, pp. 126–135, Prague, Czech Republic, 23-25 February 2019
DOI: 10.5220/0007379401260135
Project(s): CyberSec4Europe via OpenAIRE

See at: doi.org Open Access | ISTI Repository Open Access | CNR ExploRA Open Access | www.scitepress.org Open Access | academic.microsoft.com Restricted | dblp.uni-trier.de Restricted | www.scopus.com Restricted


2019 Conference article Open Access OPEN

Enhancing business process modelling with data protection compliance: an ontology-based proposal
Bartolin C., Calabró A., Marchetti E.
The research and industrial environments are struggling to identify practical approaches to highlight the (new) duties of controllers of personal data and foster the transition of IT-based systems, services, and tools to comply with the GDPR. In this paper, we present a solution for enhancing the modelling of business processes with facilities to help evaluate the compliance with the GDPR. The proposal is based on a model describing the constituents of the data protection domain: A structured form of the legal text, an ontology of data protection concepts, and a machine-readable translation of the GDPR provisions. An example of application is also provided.Source: ICISSP 2019 - 5th International Conference on Information Systems Security and Privacy, pp. 421–428, Prague, Czech Republic, 23-25 February 2019
DOI: 10.5220/0007392304210428

See at: doi.org Open Access | ISTI Repository Open Access | CNR ExploRA Open Access | www.scitepress.org Open Access | academic.microsoft.com Restricted | dblp.uni-trier.de Restricted | www.scopus.com Restricted


2019 Conference article Open Access OPEN

Integrating access control and business process for GDPR compliance: A preliminary study
Calabrò A., Daoudagh S., Marchetti E.
Currently, the scientific communities and private companies are actively working to provide theoretical and practical solutions for enforcing the adoption of the General Data Protection Regulation (GDPR) and its compliance problem. In line with the principle of data protection by design, the paper proposes an approach for the automation and enforcement of GDPR requirements. The idea is to extend the currently adopted access control mechanisms so to leverage them to the enforcement of GDPR compliance during business activities of data management and analysis. From a practical point of view, this means to integrate into the existing business processes specific facilities for assisting in the design, development, maintenance, and verification of the GDPR requirements as well as to modify the language and architecture of the access control systems so as to let the management of GDPR principles and obligations. For this, the basic steps of the proposed approach are provided as well as an example used to clarify the integrated use of access control systems and business process models.Source: ITASEC19 - Italian Conference on Cybersecurity, pisa, 12-15/02/2019

See at: dblp.org Open Access | ISTI Repository Open Access | CNR ExploRA Open Access


2019 Conference article Open Access OPEN

Towards a lawful authorized access: A preliminary GDPR-based authorized access
Bartolini C., Daoudagh S., Lenzini G., Marchetti E.
The General Data Protection Regulation (GDPR)'s sixth principle, Integrity and Confidentiality, dictates that personal data must be protected from unauthorised or unlawful processing. To this aim, we propose a systematic approach for authoring access control policies that are by-design aligned with the provisions of the GDPR. We exemplify it by considering realistic use cases.Source: ICSOFT 2019 - 14th International Conference on Software Technologies, pp. 331–338, Praga, 26-28/07/2019
DOI: 10.5220/0007978703310338
Project(s): CyberSec4Europe via OpenAIRE

See at: ISTI Repository Open Access | CNR ExploRA Open Access | www.scitepress.org Open Access | academic.microsoft.com Restricted | dblp.uni-trier.de Restricted | www.scitepress.org Restricted | www.scopus.com Restricted


2019 Conference article Restricted

GDPR-Based User Stories in the Access Control Perspective
Bartolini C., Daoudagh S., Lenzini G., Marchetti E.
Because of GDPR's principle of "data protection by design and by default", organizations who wish to stay lawful have to re-think their data practices. Access Control (AC) can be a technical solution for them to protect access to "personal data by design", and thus to gain legal compliance, but this requires to have Access Control Policies (ACPs) expressing requirements aligned with GDPR's provisions. Provisions are however pieces of law and are not written to be immediately interpreted as technical requirements; the task is thus not straightforward. The Agile software development methodology can help untangle the problem. It has dedicated tools to describe requirements and one of such them, User Stories, seems up to task. Stories are concise yet informal descriptions telling who, what and why something is required by users; they are prioritized in lists, called backlogs. Inspired by these Agile tools this paper advances the notion of Data Protection backlogs, which are lists of User Stories about GDPR provisions told as technical requirements. For each User Story we build a corresponding ACP, so enabling the implementation of GDPR compliant AC systems.Source: International Conference on the Quality of Information and Communications Technology QUATIC 2019, pp. 3–17, Ciudad Real, Spain, 11-13/09/2019
DOI: 10.1007/978-3-030-29238-6_1
Project(s): CyberSec4Europe via OpenAIRE

See at: academic.microsoft.com Restricted | dblp.uni-trier.de Restricted | link.springer.com Restricted | link.springer.com Restricted | link.springer.com Restricted | CNR ExploRA Restricted


2019 Conference article Open Access OPEN

Towards Runtime Monitoring for malicious behaviors detection in Smart Ecosystems
Cioroaica E., Di Giandomenico F., Kuhn T., Lonetti F., Marchetti E., Jahic J., Schnicke F.
A Smart Ecosystem reflects in the control decisions of entities of different nature, especially of its software components. Particularly, the malicious behavior requires a more accurate attention. This paper discusses the challenges related to the evaluation of software smart agents and proposes a first solution leveraging the monitoring facilities for a) assuring conformity between the software agent and its digital twin in a real-time evaluation and b) validating decisions of the digital twins during runtime in a predictive simulation.Source: ISSREW 2019 - IEEE International Symposium on Software Reliability Engineering Workshops, pp. 200–203, Berlin, Germany, 27-30 October, 2019
DOI: 10.1109/issrew.2019.00072
Project(s): SECREDAS via OpenAIRE

See at: ISTI Repository Open Access | Fraunhofer-ePrints Open Access | academic.microsoft.com Restricted | dblp.uni-trier.de Restricted | ieeexplore.ieee.org Restricted | CNR ExploRA Restricted | xplorestaging.ieee.org Restricted


2019 Contribution to book Restricted

A General Framework for Decentralized Combinatorial Testing of Access Control Engine: Examples of Application
Daoudagh S., Lonetti F., Marchetti E.
Access control mechanisms aim to assure data protection in modern software systems. Testing of such mechanisms is a key activity to avoid security flaws and violations inside the systems or applications. In this paper, we introduce the general architecture of a new decentralized framework for testing of XACML-based access control engines. The proposed framework is composed of different web services and can be instantiated for different testing purposes: i) generation of test cases based on combinatorial testing strategies; ii) distributed test cases execution; iii) decentralized oracle derivation able to associate the expected authorization decision to a given XACML request. The effectiveness of the framework has been proven into two different experiments. The former addressed the evaluation of the distributed vs non distributed testing solution. The latter focused on the performance comparison of two distributed oracle approaches.Source: Information Systems Security and Privacy, edited by Paolo Mori, Steven Furnell, Olivier Camp, pp. 207–229, 2019
DOI: 10.1007/978-3-030-49443-8_10
Project(s): CyberSec4Europe via OpenAIRE

See at: academic.microsoft.com Restricted | dblp.uni-trier.de Restricted | link.springer.com Restricted | link.springer.com Restricted | CNR ExploRA Restricted | www.scilit.net Restricted


2018 Conference article Open Access OPEN

Leveraging Smart Environments for Runtime Resources Management
Barsocchi P., Calabrò A., Lonetti F., Marchetti E., Palumbo F.
Smart environments (SE) have gained widespread attention due to their flexible integration into everyday life. Applications leveraging the smart environments rely on regular exchange of critical information and need accurate models for monitoring and controlling the SE behavior. Different rules are usually specified and centralized for correlating sensor data, as well as managing the resources and regulating the access to them, thus avoiding security flaws. In this paper, we propose a dynamic and flexible infrastructure able to perform runtime resources' management by decoupling the different levels of SE control rules. This allows to simplify their continuous updating and improvement, thus reducing the maintenance effort. The proposed solution integrates low cost wireless technologies and can be easily extended to include other possible existing equipments. A first validation of the proposed infrastructure on a case study is also presented.Source: 10th International Conference on Software Quality: Methods and Tools for Better Software and Systems (SWQD 2018), pp. 171–190, Vienna, Austria, 16-19/01/2018
DOI: 10.1007/978-3-319-71440-0_10

See at: ISTI Repository Open Access | academic.microsoft.com Restricted | dblp.uni-trier.de Restricted | link.springer.com Restricted | link.springer.com Restricted | CNR ExploRA Restricted