InterNational Cyber Security Center of Excellence (INCS-CoE)

I'm involved in the activities of the InterNational Cyber Security Center of Excellence (INCS-CoE), in particular in WG1 and WG3.


FutureTPM (Future Proofing the Connected World: A Quantum-Resistant Trusted Platform Module). The goal of FutureTPM is to create a Quantum-Resistant (QR) Trusted Platform Module (TPM) by designing and developing QR algorithms suitable for inclusion in a TPM. The algorithm design will be accompanied by implementation and performance evaluation, as well as formal security analyses in the full range of TPM environments: i.e. hardware, software and virtualization environments. Use cases in online banking, activity tracking and device management will provide environments and applications to validate the FutureTPM framework. FutureTPM will provide robust and provably-secure QR algorithms for a new generation of TPMs. A key strategic objective of FutureTPM is to contribute to standardization efforts at EU level within TCG, ISO/IEC and ETSI. Because the TPM shares many functions in common with other widely-used devices, such as HSMs and TEEs, the FutureTPM solution is expected to benefit them as well.

The consortium consists of high-calibre industrial and academic partners from across Europe, combining QR crypto researchers with TPM developers. The FutureTPM project partners are:

  • TECHNIKON Forschungs- und Planungsgesellschaft mbH, Austria
  • University of Surrey, United Kingdom
  • UBITECH Limited, Cyprus
  • Royal Holloway and Bedford New College, United Kingdom
  • IBM Research GmbH, Switzerland
  • The University of Birmingham, United Kingdom
  • Infineon Technologies AG, Germany
  • Infineon Technologies Austria AG, Austria
  • Université du Luxembourg, Luxembourg
  • Suite5 Data Intelligence Solutions Limited, Ireland
  • INESC-ID – Instituto de Engenharia de Sistemas e Computadores, Investigacao e Desenvolvimento em Lisboa, Portugal
  • University of Piraeus Research Center, Greece
  • Huawei Technologies Düsseldorf GmbH, Germany
  • VIVA Payment Services SA, Greece


Coco Cloud

Coco Cloud (Confidential and Compliant Clouds) is an FP7 project that aims to facilitate data sharing in cloud environments by providing end-to-end data-centric security from the client to the cloud, based on the (semi-)automated enforcement of Data Sharing Agreements. These agreements may reflect legal, contractual or user-defined preferences, which may conflict, so an appropriate balance and model for their enforcement must be found.

FP7, Partners: Hewlett-Packard, The Italian National Research Council, Imperial College London, University of Oslo, SAP, Atos, AGID, Bird & Bird, and Grupo Hospitalario Quirón.


CIPART (Cloud Intelligent Protection at Run-Time) aims to develop novel techniques for intelligent cloud protection by advancing the state of the art in run-time system modelling, attack-scenario-based analysis, the selection of countermeasures and remedial actions, and the re-perimeterisation of the cloud environment. The methodology adopted combines fundamental research on knowledge representation, probabilistic analysis and machine learning with empirical and experimental studies in an industrial test-bed environment.

The project also aims to achieve a better understanding of the business models and incentives involved in the relationships between cloud tenants and hosting organisations in the provision of security services, based on measures of cost, risk and value. It further aims to propose new models that facilitate the sharing of risk and the exchange of security-relevant information, which would in turn simplify security management and provide better protection.


MSP (Mobile Security and Privacy) is an EIT ICT LAB project whose goal is to design and develop a set of mechanisms for protecting application execution on mobile devices. This entails run-time enforcement mechanisms for application-specific security policies.


Phook is a search engine for Facebook Photos. Joint work with Gianpiero Costantino. More info can be found here.


MADAM (Multi-level Anomaly Detector for Android Malware) is a novel host-based malware detection system for Android devices which simultaneously analyzes and correlates features at four levels (kernel, application, user and package) to detect and stop malicious behaviors. MADAM has been specifically designed to take into account those behaviors that are characteristic of almost every real malware sample found in the wild. MADAM detects and effectively blocks more than 96% of malicious apps, which come from three large datasets with more than 2,800 apps, by exploiting the cooperation of two parallel classifiers and a behavioral signature-based detector. Extensive experiments have been conducted to show the high usability of MADAM, the low false alarm rate, the negligible performance overhead and the limited battery consumption. More info can be found here.



MAETROID (Multi-criteria App Evaluator of TRust in AndrOID) is a framework to evaluate the trustworthiness of Android apps, i.e. the amount of risk they pose to users, e.g. in terms of confidentiality and integrity. The framework performs a multi-criteria analysis of an app at deploy-time and returns a single easy-to-understand evaluation of the app's risk level, aimed at guiding the user's decision on whether or not to install a new app. The criteria used include the set of requested permissions and a further set of metadata retrieved from the marketplace, which denote the app's quality and popularity. We have classified 11,000 Android apps coming from Google Play and from a database of known malware. In particular, MAETROID has recognized as dangerous all the apps belonging to the database of malicious apps, while about 20% of apps from Google Play have been classified as medium risk. More info can be found here.


CAMAS is a framework for Classification of Android MAlware through Subgraphs. CAMAS extracts execution traces from several malicious applications and then mines common subgraphs from these traces. Meaningful subgraphs are selected through a refinement process. Afterwards, these meaningful subgraphs are searched for in the execution traces of newly downloaded applications to discover misbehaviors. Finally, a classifier analyzes the subgraphs found in the downloaded application to assess whether it should be considered malicious.


PICARD (ProbabIlistic Contracts on AndRoiD) is a probabilistic contract-based intrusion detection system to recognize and block the misbehaviors performed by trojanized apps on Android devices. PICARD is a collaborative framework based on probabilistic contracts generated from the execution traces collected by a network of collaborative users.


AntiCheetah is an autonomic multi-round approach to perform the assignment of input elements to cloud nodes as an autonomic, self-configuring and self-optimizing cloud system. AntiCheetah is resilient to node cheating, even in scenarios where smart cheaters return the same fake values. To this end, cost-efficient redundancy is used to detect and correct anomalies.


iCareMobile is a framework to apply security policies for parental control on smartphones.

Introspection-based Context Agent Injection

Work developed during an internship at IBM Zurich Research Lab. More info can be found here.

Virtual machine Integrity Measurement System (VIMS)

VIMS is a framework based upon virtualization technology for the attestation of the integrity of a remote system that considers not only the configuration of the system to be attested but also its current behaviour. VIMS runs two virtual machines on a system to be attested, i.e. the Client VM and the Assurance VM. The Assurance VM is a shadow machine that exploits virtual machine introspection to apply a set of consistency checks on the configuration of the Client VM and on the software it currently runs to remotely attest its integrity. Joint work with Diego Cilea, Fabrizio Baiardi and Enel SpA.


PsycoTrace is a virtualization-based monitoring system that protects a process P from attacks that alter the process self as specified by the program source code. Joint work with Dario Maggiari, Francesco Tamberi and Fabrizio Baiardi. More info can be found here.


Virtual Interacting Network CommunIty (Vinci)

Vinci is a software architecture to securely share a private infrastructure. Joint work with Fabrizio Baiardi. More info can be found here.


Virtual environment Secure File System (VSFS)

Virtual environment Secure File System (VSFS) is a software architecture for secure file sharing among applications with different trust levels that consists of a set of interconnected virtual machines. Application VMs run the application processes that transparently access remote shared files hosted by File System VMs. Each File System VM implements a Mandatory Access Control security policy to control file sharing. To define and enforce this policy, VSFS uses SELinux.



Xen VMI is a host intrusion detection system that exploits virtual machine introspection to check the integrity of a kernel running inside a virtual machine. Joint work with Fabio Campisi and Fabrizio Baiardi. The source code for this project is available here. It contains a set of introspection functions for the Linux Kernel running on Xen, i.e. for checking the integrity of the Linux kernel running inside a domU. It works on Xen 3.0.2 and 3.1.0 and with Linux 2.6.16-xen and 2.6.18-xen. Thanks to Dario Maggiari for the memory introspection functions.
This is the full listing of the archive:


Privacy-Preserving Distributed Data Mining Library (PPDDM-Lib)

PPDDM-Lib is an open source ANSI C/C++ library of functions and protocols useful for exchanging sensitive information while computing Data Mining Models from several servers. The OpenSSL Toolkit is required. Joint work with Maurizio Atzori, developed at ISTI-CNR, Pisa. Here is the source code.

Dark Medieval Labyrinth

Dark Medieval Labyrinth is an OpenGL 3D game written in C++ that runs on both Windows and Linux. The game and its editor were developed by me and Francesco Tamberi as our final project for the Costruzione di Interfacce course (2003/2004).