Prof. Riccardo Sisto

Thesis Proposals

The proposed theses are all related to research activities of the NetGroup. Most of them are about distributed software development and formal approaches for guaranteeing dependability (mainly safety and security) of distributed systems.
The number of distributed systems that can be considered critical (in terms of safety and security) is constantly increasing due to the growing pervasiveness of computer-based systems (e.g. in the fields of avionics, automotive, industry, health care, e-commerce, e-banking, etc.), hence the growing importance of techniques for increasing their dependability.
The theses that are currently available are listed here:
  1. A framework for automatic Network Security Functions configuration in NFV/Cloud context
  2. A framework for Virtual Network Functions (VNF) modeling and Service Graph verification in SDN/Cloud context
  3. Specification and Anomaly analysis of forwarding policies
  4. A framework for system requirements verification in Industrial Network Systems
  5. Analysis, Verification and Refinement of access control policy in Industrial Networked Systems
  6. Automatic configuration of network and security functions in an NFV MANO
  7. Connect, secure, manage, and monitor microservices using ISTIO
  8. Cloud service programming and modeling
This page will be updated with new proposals as they become available.
For further information contact Prof. Riccardo Sisto.


  A framework for automatic Network Security Functions configuration in NFV/Cloud context

Network function virtualization (NFV) is a new networking paradigm that can be used to virtualize single network functions. NFV introduces several advantages compared to classical approaches, such as the dynamic provisioning of functionality or the implementation of scalable and reliable services (e.g., adding a new instance to support demands). NFV also allows the deployment of security controls, like firewalls or VPN gateways, as virtualized network functions. However, there is currently no automatic way to select the security functions to enable and to configure the selected ones according to a set of user security requirements.
The objective of the thesis is to define a framework that addresses the following challenges: (1) automatically identify the security functions necessary to enforce a given set of security policies, (2) automatically decide where the selected security functions will be deployed, and (3) automatically generate the necessary configurations of the selected security functions. The set of developed tools and libraries will be integrated into an existing software tool, which is already able to perform a basic refinement process.


  A framework for Virtual Network Functions (VNF) modeling and Service Graph verification in SDN/Cloud context

The networking panorama has dramatically evolved towards flexible and dynamic virtualization technologies, which allow the deployment of complex network services and functionalities. According to this trend, some functions (firewalls, caches, NAT, etc.) that were traditionally deployed by means of static appliances are now becoming light software packages that can be managed very easily, thus allowing frequent reconfigurations of network service graphs in a cloud-like environment. In this context, a key challenge is the need to continuously ensure (before deploying) that some desired network properties or invariants are always guaranteed, especially in networks where an automatic reconfiguration is expected to be triggered very frequently in response to higher-level events (customer requests, administrator actions, etc.). As an example of such properties, a network operator may require that a given network configuration is always loop-free, or a customer may want to be sure that all the traffic traverses a firewall for security reasons.
The objective of the thesis is to define and implement a framework that allows the interested actors to define the behavior of any VNF in a Java-like fashion and allows the extraction of an abstract model from the Java code in order to verify the above-mentioned network properties. Lastly, the set of developed tools and libraries will be integrated into an existing software tool, which is already able to verify some basic networks.


  Specification and Anomaly analysis of forwarding policies

Filtering and forwarding elements are fundamental in a network. However, managing their rules, particularly in multi-firewall enterprise networks, is a complex and error-prone task. Forwarding rules have to be written, ordered and distributed carefully in order to avoid anomalies that might cause network vulnerabilities. Therefore, inserting or modifying such rules in any forwarding element requires thorough intra-policy and inter-policy analysis to determine the proper rule placement and order.
The objective of the thesis is to define and implement a set of techniques and algorithms to automatically discover policy anomalies in an NFV/SDN network, based on the existing literature in this field.


  A framework for system requirements verification in Industrial Network Systems

Within the Industrie 4.0 and Factory of the Future (FoF) frameworks, Industrial Control Systems (ICS) are undergoing a deep transformation of their communication infrastructures towards increased connectivity of devices and extreme flexibility of industrial plants. As the higher flexibility of these systems will require frequent network reconfigurations, an enhanced level of automation in the management of cyber security becomes necessary. At the same time, high assurance levels will be provided, as required by the safety-critical nature of these systems, by leveraging formal models and verification.
The objective of the thesis is to define and implement a framework that allows the verification of network and security requirements (e.g. network reachability, real-time communication, loop freedom) in Industrial Network Systems.


  Analysis, Verification and Refinement of access control policy in Industrial Networked Systems

Within the Industrie 4.0 and Factory of the Future (FoF) frameworks, Industrial Control Systems (ICS) are undergoing a deep transformation of their communication infrastructures towards increased connectivity of devices and extreme flexibility of industrial plants. As the higher flexibility of these systems will require frequent network reconfigurations, an enhanced level of automation in the management of cyber security becomes necessary. At the same time, high assurance levels will be provided, as required by the safety-critical nature of these systems.
Access control is a major building block of network security, regulating access of legitimate users to resources of a system. Access control by itself cannot prevent the occurrence of cyber-attacks; however, effective protection schemes cannot do without both the definition of how access to system resources shall take place and the correct enforcement of the desired behavior in the system.
As the target networked systems can be very complex, administrators often rely on policy-based paradigms for access control management (i.e., policy-based management, PBM). Policies are technology-independent rules which define the desired network behavior from a high-level perspective. As such, they allow separating the two problems of specification (i.e., definition of the desired network behavior) and implementation (i.e., actual enforcement of the desired behavior in the system), making network management easier and more flexible.
Access control policies regulate the access of users to the resources of a networked system by defining "who is allowed to do what on what". In this scenario, policy refinement, verification and analysis are important processes that have to be dealt with carefully, possibly relying on computer-aided automated software tools.
The objective of the thesis is to define and implement a framework that extends the current solution for access control policy management. The thesis is in collaboration with the CENG group, a research group of the Italian National Research Council (CNR) located at the Politecnico di Torino.


  Automatic configuration of network and security functions in an NFV MANO

Network function virtualization (NFV) is a new networking paradigm that virtualizes single network functions. NFV introduces several advantages compared to classical approaches, such as the dynamic provisioning of functionality or the implementation of scalable and reliable services (e.g., adding a new instance to support demands). NFV also allows the deployment of security controls, like firewalls or VPN gateways, as virtualized network functions.
NFV MANO (network functions virtualization management and orchestration), also called MANO, is an architectural framework for managing and orchestrating virtualized network functions (VNFs) and other software components. The European Telecommunications Standards Institute (ETSI) Industry Specification Group (ISG NFV) defined the MANO architecture to facilitate the deployment and connection of services as they are decoupled from dedicated physical devices and moved to virtual machines (VMs). Open Source MANO is an ETSI-hosted initiative to develop an Open Source NFV Management and Orchestration (MANO) software stack aligned with ETSI NFV.
The objective of the thesis is to present an approach to the integration of network and security policy management, which is already defined, into the Open Source MANO framework.


  Connect, secure, manage, and monitor microservices using ISTIO

In recent years, application architectures have moved from the standard monolithic structure, where all the functionalities are embedded in the same application, to microservices, where each microservice implements a specific functionality and interfaces with other microservices. This new approach to application development introduces the need to manage and monitor interactions between different microservices. The aim of this thesis is to study, analyze and implement a solution in order to evaluate the benefits in the management, connection, security, and monitoring of microservices using ISTIO, an open source solution for the management of microservices, in a distributed cloud environment. The work will be carried out as an internship at the Blue Reply company. The solution to be developed will be based on IBM Cloud, Kubernetes, Docker, and Java programming.
The thesis requires a good initial knowledge of Unix and Java programming. Some initial knowledge of Docker, Kubernetes, and the concepts of cloud services, Platform as a Service (PaaS), Software as a Service (SaaS), and microservices is useful but can be acquired during the thesis work.


  Cloud service programming and modeling

Highly distributed cloud services, ranging from microservice architectures to network function virtualization (NFV) systems, are emerging as a way of providing high flexibility and fast reconfiguration in the services offered to remote users. Given their high programmability, these systems require the introduction of powerful policy verification techniques, as well as proper programming interfaces that facilitate this verification by construction. The thesis work aims at defining user-friendly (e.g., Java-like) domain-specific languages that can simplify service creation and its modeling for verification purposes, with particular focus on policy control.
The thesis is in collaboration with the Worcester Polytechnic Institute, USA, where the candidate is asked to spend some months working on the selected problem.


Last change: November 2018