Proceedings of the Fourth Italian Conference on Cybersecurity
— Scientific and Technical Track —
ITASEC20
Ancona, 4–7 February, 2020

Edited by Michele Loreti¹ and Luca Spalazzi²
¹ Università di Camerino, Camerino, Italy
² Università Politecnica delle Marche, Ancona, Italy

Preface

ITASEC20 is the fourth edition of the Italian Conference on Cybersecurity, an annual event started in 2017 under the support of the CINI Cybersecurity National Laboratory with the aim of fostering networking of cybersecurity researchers and professionals coming from universities, companies, and government institutions.

ITASEC20 was held on February 4-7, 2020 in Ancona and was structured into a main cybersecurity science and technology track devoted to contributed talks; a demo track devoted to prototypes developed by companies, research centers and universities; tutorials of interest for the cybersecurity community at large; workshops providing a forum for interactively exchanging opinions, presenting ideas, and discussing preliminary results; and special sessions where domestic cybersecurity startups presented their ongoing activities.

The conference solicited two types of submissions: unpublished contributions to be included in the conference proceedings and presentation-only contributions of already published work, preliminary work and position papers. There were 82 submissions from 14 countries around the world. Among these there were 54 in the unpublished category and 28 in the presentation-only one. Each submission was reviewed by at least 3 programme committee members, with the exception of eight with two reviews, only. The committee decided to accept 22 papers out of the 54 submitted in the unpublished category, which are included in this proceedings volume. The peer reviewing process has been dealt with through EasyChair. We would like to thank the programme committee members and all the external reviewers, as well as the authors of all submitted papers.

The programme of the technical science and technology track included this year three invited talks by Prof. Martin Abadi, Google Research, Luca Viganò, King’s College London, and Prof. Michele Mosca, Università di Waterloo, three leading scientists in the wide area of software security, whom we warmly thank.

We would like to thank all the people involved in the organization of ITASEC20 and its tracks, in particular Paolo Prinetto, Executive Director of the CINI Cybersecurity National Laboratory, the General Chairs of the entire conference, Marco Baldi and Francesco Tiezzi.

April 22, 2020
Michele Loreti
Luca Spalazzi

Table of Contents

Secure e-Voting in Smart Communities
    Vincenzo Agate, Marco Curaba, Pierluca Ferraro, Giuseppe Lo Re and Marco Morana

EVA: A Hybrid Cyber Range
    Shabeer Ahmad, Nicolò Maunero and Paolo Prinetto

Modeling and Verification of the Worth-One-Minute Security Protocols
    Alessandro Aldini, Alessandro Bogliolo, Saverio Delpriori, Lorenz Cuno Klopfenstein and Giorgia Remedi

An Unsupervised Behavioral Analysis of Highway Traffic Flow for Security Applications
    Fabrizio Balducci, Gabriella Calvano, Donato Impedovo and Giuseppe Pirlo

How many bots are you following?
    Alessandro Balestrucci

A Report on the Security of Home Connections with IoT and Docker Honeypots
    Stefano Bistarelli, Emanuele Bosimini and Francesco Santini

Enhancing user awareness during internet browsing
    Bernardo Breve, Loredana Caruccio, Stefano Cirillo, Domenico Desiato, Vincenzo Deufemia and Giuseppe Polese

Control-flow Flattening Preserves the Constant-Time Policy
    Matteo Busi, Pierpaolo Degano and Letterio Galletta

A Hard Lesson: Assessing the HTTPS Deployment of Italian University Websites
    Stefano Calzavara, Riccardo Focardi, Alvise Rabitti and Lorenzo Soligo

Are you (Google) Home? Detecting Users’ Presence through Traffic Analysis of Smart Speakers
    Davide Caputo, Luca Verderame, Alessio Merlo, Andrea Ranieri and Luca Caviglione

MuAC: Access Control Language for Mutual Benefits
    Lorenzo Ceragioli, Pierpaolo Degano and Letterio Galletta

A Life Cycle for Authorization Systems Development in the GDPR Perspective
    Said Daoudagh and Eda Marchetti

A Hardware Implementation for Code-based Post-quantum Asymmetric Cryptography
    Kristjane Koleci, Marco Baldi, Maurizio Martina and Guido Masera

MTA-KDD’19: A Dataset for Malware Traffic Detection
    Ivan Letteri, Giuseppe Della Penna, Luca Di Vita and Maria Teresa Grifa

The mind is like a parachute, it only functions when open. National Security: the importance of the human being that works behind the machine
    Sabrina Magris, Claudio Masci and Luciano Piacentini

Hardware Security, Vulnerabilities, and Attacks: A Comprehensive Taxonomy
    Paolo Prinetto and Gianluca Roascio

Systematic IoT Penetration Testing: Alexa Case Study
    Massimiliano Rak, Giovanni Salzillo and Claudia Romeo

A novel cyber-security framework leveraging programmable capabilities in digital services
    Matteo Repetto, Alessandro Carrega and Armend Duzha

A Deep Learning Approach for Detecting Security Attacks on Blockchain
    Francesco Scicchitano, Angelica Liguori, Massimo Guarascio, Ettore Ritacco and Giuseppe Manco

Evaluating ambiguity of privacy indicators in a secure email app
    Borce Stojkovski and Gabriele Lenzini

A game-based learning experience for improving cybersecurity awareness
    Silvestro Veneruso, Lauren S. Ferro, Andrea Marrella, Massimo Mecella and Tiziana Catarci

Repadiography: towards a visual support for triaging repackaged apps
    Corrado Aaron Visaggio, Sonia Laudanna, Andrea Di Sorbo, Gerardo Canfora, Sara Caruso and Marianna Fucci

Program Committee

Giovanni Agosta, Politecnico di Milano
Maurizio Aiello, CNR IEIIT
Alessandro Aldini, University of Urbino "Carlo Bo"
Marco Angelini, Sapienza University of Rome
Alessandro Armando, University of Genova & Fondazione Bruno Kessler
Marco Baldi, Università Politecnica delle Marche
Massimo Bartoletti, Dipartimento di Matematica e Informatica, Università degli Studi di Cagliari
Giampaolo Bella, Università di Catania
Davide Berardi, University of Bologna
Francesco Bergadano, Università degli studi di Torino
Stefano Bistarelli, Università di Perugia
Nicola Blefari Melazzi, University of Rome, Tor Vergata
Andrea Bondavalli, University of Florence
Daniele Bringhenti, Politecnico di Torino
Francesco Buccafurri, Università Mediterranea di Reggio Calabria
Matteo Busi, Dipartimento di Informatica - Università di Pisa
Giulio Busulini, Independent Senior Advisor
Michele Carminati, Politecnico di Milano
Dajana Cassioli, University of L’Aquila - DISIM
Luca Caviglione, National Research Council of Italy (CNR)
Mariano Ceccato, University of Verona
Michele Colajanni, University of Modena
Riccardo Colelli, Università Roma Tre
Maria Francesca Costabile, Dipartimento di Informatica - University of Bari
Domenico Cotroneo, University of Naples Federico II
Mila Dalla Preda, University of Verona
Said Daoudagh, University of Pisa and ISTI-CNR
Franco Davoli, DIST-University of Genoa
Rocco De Nicola, IMT - School for Advanced Studies Lucca
Pierpaolo Degano, Dipartimento di Informatica - Università di Pisa
Felicita Di Giandomenico, ISTI-CNR
Gianluca Dini, University of Pisa
Luca Durante, CNR-IEIIT
Elena Ferrari, University of Insubria
Riccardo Focardi, Università Ca’ Foscari, Venezia
Emanuele Frontoni, Università Politecnica delle Marche
Giorgio Giacinto, University of Cagliari
Franco Guida, Fondazione Ugo Bordoni (FUB)
Andrea Gussoni, Politecnico di Milano
Donato Iacobucci, Università Politecnica delle Marche
Antonio Lioy, Politecnico di Torino
Giuseppe Lo Re, University of Palermo
Michele Loreti, University of Camerino
Giuseppe Manco, ICAR-CNR
Niccolò Marastoni, University of Verona
Fabio Martinelli, IIT-CNR
Luigi Martino, Scuola Superiore Sant’Anna
Fabio Massacci, University of Trento
Isabella Mastroeni, Università di Verona - Dipartimento di Informatica
Marino Miculan, DMIF, University of Udine
Paolo Mori, IIT-CNR
Antonino Nocera, University of Pavia
Francesco Palmieri, University of Salerno, Italy
Stefano Panzieri, Engineering Department - Roma TRE University
Francesco Parisi-Presicce, Sapienza University of Rome
Andrea Polini, University of Camerino
Paolo Prinetto, Politecnico di Torino
Rosario Pugliese, Dipartimento di Statistica, Informatica, Applicazioni - Università degli Studi di Firenze
Silvio Ranise, FBK-Irst
Luigi Romano, University of Naples "Parthenope"
Domenico Saccà, University of Calabria
Martina Saletta, Dipartimento di Informatica, Sistemistica e Comunicazione (DISCo) - Università degli Studi di Milano - Bicocca
Roberto Setola, Università Campus Biomedico
Chinmay Siwach, IMT School for Advanced Studies Lucca
Luca Spalazzi, Università Politecnica delle Marche
Francesco Spegni, Università Politecnica delle Marche
Maurizio Talamo, Fondazione Inuit, University of Rome Tor Vergata
Francesco Tiezzi, University of Camerino
Ivan Vaccari, CNR
Corrado Aaron Visaggio, University of Sannio
Roberto Zunino, University of Trento

Additional Reviewers

A
Agate, Vincenzo; Ardito, Carmelo; Arena, Antonio

B
Bagini, Vittorio; Basile, Davide; Bella, Giampaolo; Bernardinetti, Giorgio; Bianchi, Giuseppe; Biondi, Pietro; Bisegna, Andrea; Bodei, Chiara; Bracciale, Lorenzo; Busi, Matteo

C
Cambiaso, Enrico; Ceragioli, Lorenzo; Cheminod, Manuel; Concone, Federico; Coppolino, Luigi; Costa, Gabriele

D
D’Antonio, Salvatore; Dashti, Salimeh; De Benedictis, Alessandra; De Paola, Alessandra; Desolda, Giuseppe

E
Esposito, Sergio

F
Faloci, Francesco; Ferraro, Pierluca; Formicola, Valerio; Furfaro, Angelo

G
Galletta, Letterio; Gigante, Nicola; Giorgi, Giacomo; Guarascio, Massimo; Gunetti, Daniele

I
Iadarola, Giacomo; Ianni, Michele

L
Lax, Gianluca; Lupia, Francesco

M
Majorani, Carlo; Manfredi, Salvatore; Martinel, Niki; Mazzeo, Giovanni; Menicocci, Renato; Mercaldo, Francesco; Mercanti, Ivan; Merlo, Alessio; Micale, Davide; Morana, Marco; Morelli, Umberto; Murgia, Maurizio; Musarella, Lorenzo

N
Nardone, Roberto; Nicolazzo, Serena

O
Orazi, Massimiliano

P
Palmieri, Maurizio; Petrocchi, Marinella; Piciarelli, Claudio; Pisani, Francesco S.

R
Repetto, Matteo; Rinaldo, Giancarlo; Ritacco, Ettore; Rullo, Antonino; Russo, Enrico

S
Sanchez, Odnan Ref; Santini, Francesco; Saracco, Fabio; Scagnetto, Ivan; Scicchitano, Francesco; Seno, Lucia; Sereno, Matteo

V
Vaccari, Ivan; Valenza, Fulvio; Varano, Dario