I illustrate below some of the major milestones in my research with some sample papers. They are not necessarily the most cited; they are the ones that one could actually read to have a comprehensive idea of my research.
More details are available in the Research and Teaching Statement.
Empirical Security Economics: My current research effort is to empirically validate practical and affordable security solution, albeit they might not be perfect. Often security solutions stop at a mathematical model, we go the last mile (more precisely the last light year) and empirically validate them by running experiments or by performing qualitative studies. Such works often go against the “ethos” of academic security research working to protect us against an all powerful adversary, yet it has an unfettered potential of industry impact (you can better prioritize your finite resources instead fighting an all powerful adversary that doesn’t exist). Three papers illustrate this research, two in flagship computer security venue and one in a top business journal.
- Allodi, L, Massacci, F. Comparing vulnerability severity and exploits using case-control studies. ACM Trans. on Information and System Security, 17(1):1 (2014). The conference version was rejected several times (ICSE, CCS, ESORICS, etc.) because “It is just bad scholarship to suggest that one should not worry about all vulnerabilities”. People in industry knew better (they invited us at BlackHat USA 2013), as they know too well that their budget is fixed and therefore the academic advice of worrying about all vulnerabilities is useless. We looked at data from Symantec and black markets, combined it with solid mathematical research on statistics and risk reduction and we identified the vulnerabilites one should worry about. The outcome made up to the CVSS world standard. Out of this research we also made available to the community several databases licensed to Fraunhofer, MITRE, NCSU, MIT Sloan, MIT Lincoln Lab among others.
- De Gramatica, M., Massacci, F., Shim, W., Turhan, U. & Williams, J. (2016). Agency Problems and Airport Security: Quantitative and Qualitative Evidence on the Impact of Security Training. Risk Analysis 2017. This paper evaluates which type of security training is most effective for airport security officers (training costs >900€/person). We have a solid model based on principal-agent theory and validated it with interviews with high profile stakeholders. We transformed a “gut feeling” into an actionable model. The results were presented to ACI Europe, the federation of European Airport Directors.
- Massacci, F., Ngo, C. N., Nie, J., Venturi, D., & Williams, J. FuturesMEX: secure distributed futures market exchange. Proceedings of IEEE Symposium on Security and Privacy. 2018. This is a joint paper with economists and cryptographers: how to run a exchange like the Chicago Mercantile Exchange in a distributed fashion. We solved an already solved problem (an exchange is just an example of multi party computation -MPC), except that we did in a way that it was solvable with real empirical data. By using MPC even from top theory papers not only running a small market like Lean Hog trades would have required an year to just run a day of trading, but, to add insult to injury, retail and institutional investors (who only do 20% of the trades) would have had to spend 80% of the overall computational resources to allow high-frequency traders to place speculative orders that would have then been almost immediately canceled. When my business colleague J. Williams presented the paper and our patents in China to hedge funds he expected 20 people. He had 200.
Security Requirements Engineering: I started this work in 2003 with N. Zannone and J. Mylopoulos. The key idea is to develop a robut methodology to capture security requirements as first class citizens. Two, very different, ten-years apart, papers illustrate this research: initially I worked on design and formal reasoning capabilities, now understanding what really works in security risk analysis is the other focus in my research that complements it.
- Giorgini P., Massacci F., Mylopoulos J., Zannone N., "Requirements Engineering for Trust Management: Model, Methodology, and Reasoning". Int. J. of Information Security, 5(4):257-274, 2006. The short version of this paper appeared in IEEE RE’2005 and received in 2015 the Ten Years Most Influential Paper Award by the IEEE Requirements Engineering Conference. In this paper we designed a security methodology to capture security requirements, an underlying formalization in terms of logic programs and a verification methodology that would check whether desirable security properties would be satified.
- De Gramatica M, Labunets K, Massacci F, Paci F, Tedeschi A. The Role of Catalogues of Threats and Security Controls in Security Risk Assessment: An Empirical Study with ATM Professionals. In Proc. of the Int. Conf. on Req. Engineering: Foundation for Software Quality (REFSQ). 2015. So, we invented a “super-duper” security requirements method, why did industry not flock to adopt it? Since 2010, I have been experimenting to understand what works in practice. For example, in this paper with an industry co-author, we focus on catalogues: academic methods never have them, industry works with catalogues of several hundred pages (eg the NIST-800-x and ISO-2700x). They do make the difference between novices and experts. Understanding what makes a research method empirically usable by somebody else than its inventor is the pre-requisite for successful innovation.
Run-time and load-time security enforcement. This research is a mixture of theoretical research on the limit of what can be actually enforced and what can be practically achieved. Out of this research stream started my long standing collaboration with KU Leuven (F. Piessens and Wouter Josen).
- Ngo M., Massacci F., Milushev D., Piessens F.. “Runtime Enforcement of Security Policies on Black Box Reactive Programs”. In Proc. of the 42nd ACM Symp. on Principles of Progr. Lang.. POPL’2015. This paper summarizes the theoretical investigation on the limit and power of run-time enforcement mechanisms. With another students, N. Bielova we investigated the limits of edit automata (IJIS, JCS and POLICY’11) showing that practical enforcement cannot be simply caputred by the two basic concept of transparency and soundness.
- Desmet L, Joosen W., Massacci F., Philippaerts P., Piessens F., Siahaan I., Vanoverberghe D. Security-by-contract on the .NET platform. Inform. Security Technical Rep.13 (1):25-32, Jan 2008. This is one of the first papers describing the formal security checking of apps on a mobile phones. It is a comprehensive paper spannign from theory to implementation. We could run a checker testing whether an app respected some security policies. On the same year US researchers proposed at CCS to use very simple checks on android apps and could onlyuse the manifest of the app, we used real code. Our industry partner of the S3MS project, DoCoMo, licensed the industrial application in Japan and I tried to negotiate with Vodafone Itay its commercialization. Alas, .NET and Microsoft lost to Android…
- Koshutanski H., Massacci F.: Interactive access control for autonomic systems: From theory to implementation. ACM Trans. on Autonomous and Autonomic Systems 3(3): 2008. H. Koshutanski was my first “own” phd student in 2002 and started his research with a workshop paper that got significantly more citations than this final “round-up” journal. This paper summarizes our work on trust negotiation in which we combined a solid theory (abduction) with a running implementation (an opens source is available at http://www.interactiveaccess.org). This research is basically the only academic background of Microsoft’s patent US8060920 and Apple’s patent US8813185B2 on the dynamic management of users’ credentials.
Formal Methods for Security: In 1996, half-way through my Phd, I went to Cambridge to work with Robin Milner (one of the inventor of the Hennessy-Milner logic). Alas, Milner had just been elected head of department and suggested I could work with Roger Needham and Larry Paulson who had a joint project on modal logic for security. This “one year long mishap” gave a whole new turn to my research career.
- Bella G., Massacci F., Paulson L.C,: Verifying the SET Purchase Protocols. J. of Automated Reasoning 36(1-2):5-37, 2006. This paper describes the first work ever of verification of a major industrial protocol. Up to that point most of the formal security verification papers where about breaking and fixing academic protocols whose description could fit in a single page. Security researchers woud claim that formal methods could not scale. SET (Secure Electronic Transactions) was VISA’s and Mastercard’s protocol for the web. Its specification was thicker than a dictionary. We proved it correct and put to rest any claim that formal methods could not scale, but the effort in terms of time and person months was far from push-button technologies...
- Massacci F., Marraro L., "Logical Cryptanalysis as a SAT-Problem: Encoding and Analysis of the U.S. Data Encryption Standard". Journal of Automated Reasoning, 24(1-2):165-203, 2000. This research stemmed from a crazy idea I had when I returned from Cambridge. In the AI and formal method community SAT solvers were the new research fad that seemed to crack previously unsolvable problems. At the end of the day what is a cryptoraphic circuit? Just a big boolean formula. What is a cryptanalysis problem? Just a bit SAT problem. The devil is of course in the detail and managing to encode symmetric and public key crypto was far easy (for the latter it appeared in Discrete Applied Mathematics). We failed to crack real crypto and that time but SAT competitions still use crypto benchmarks today but Marc Stevens SHA-1 cracking in 2017 used a SAT solver of a MSc Student of mine (V. Nossum) as a major component..
Automated Resoning for Modal Logic: When I started my Phd, reasoning in modal logic was divided in two fields: those that purely manipulate formulas and those that manipulated the corresponding models. I tried to combine both ideas to get something better than both. The tableaux for modal and description logics that I did as single author or with a couple of colleagues revamped the area.
Massacci F., "Single Step Tableaux for Modal Logics". Journal of Automated Reasoning, 24(3): 319-364, 2000. In the Handbook of Tableaux Methods (1999) the chapter on modal tableaux by Gorè devotes 30 pages to my CADE paper of the mid 90s (the journal version is the one reported here). In 2014 our works in the area are still cited. My greatest satisfaction is a paper in the volume in memoriam of H. Ganzinger by R. Schmidt and U. Hustadt, the recognized advocates of the scientific competitor of tableaux (translation+resolution). Their paper “First-Order Resolution Methods for Modal Logics” is a survey with 90+ citations. There are only 2 citations for tableaux: the handbook above and one of my papers. I left the field 15 years ago and a citation by a scientific “enemy” to a paper 10 years old is truly “l’honneur des armes”.