Matthew Rossi

Researcher @ Università degli Studi di Bergamo

I am a highly motivated developer passionate about tackling impactful projects. Currently a researcher at Università degli Studi di Bergamo, I investigate integrating security features across mobile, web, and cloud systems. As a lifelong learner who thrives in collaborative environments, I enjoy exchanging ideas with inspiring colleagues.

Work Experience

Università degli Studi di Bergamo

Researcher

2019 - Present

As a member of the computer security group at Università degli Studi di Bergamo, I research computer systems security across heterogeneous technological environments, from cloud systems (e.g., Kubernetes) to web technologies (e.g., JavaScript runtimes, WebAssembly) and mobile systems (e.g., Android).

  • Drive architectural decisions in Horizon Europe projects
  • Collaborate with project partners to design and develop the software platform
  • Identify security gaps in widely adopted systems and develop practical solutions
  • Assess security and evaluate performance of systems
  • Write publications and technical reports
  • Supervised 25+ thesis students

Università degli Studi di Bergamo

Teaching Assistant

2019 - Present

Teaching assistant for the bachelor's courses "Informatica (modulo di programmazione)" and "Basi di dati" (formerly "Basi di dati e Web"), and the master's courses "Advanced Data Management" and "Sicurezza dei sistemi informatici". The lectures of these courses cover:

  • Fundamentals of computer programming in Python
  • Relational databases (fundamentals, data models, schema design, and queries)
  • Web development (front-end, back-end, and object-relational-mapping)
  • Linux access control mechanisms and their use in Android
  • Frameworks for scalable distributed data processing (e.g., Apache Hadoop, Apache Spark)

Education

Università degli Studi di Bergamo

Software Engineering

Ph.D. program in Engineering and Applied Sciences

2020 - 2023
Thesis: Fine-grained access control technologies to protect resources in mobile and cloud applications
GPA: Excellent

Politecnico di Milano

Software Engineering

Master of Science (MSc)

2015 - 2018
Thesis: SELinux policies for fine-grained protection of Android apps
GPA: 3.85/4.0

Università degli Studi di Bergamo

Software Engineering

Bachelor of Science (BSc)

2012 - 2015
Thesis: Access control and confidentiality using over-encryption in Openstack
GPA: 4.0/4.0 - Graduated summa cum laude

ITIS P. Paleocapa

Technical High School

High School

2007 - 2012

Awards

CSAW 2023 Applied Research Competition Finalist

Grenoble INP - Esisar | Engineering school in cybersecure intelligent systems

2023-09-15

This competition assesses the top scholarly security research of the year by focusing on research that has a practical impact. The paper NatiSand: Native Code Sandboxing for JavaScript Runtimes, of which I am one of the authors, was selected as one of the top 10 finalists. In short, it presents a mechanism to isolate binary programs and shared libraries in JavaScript runtimes (e.g., Node.js, Deno, and Bun).

CSAW 2021 Applied Research Competition Finalist

Grenoble INP - Esisar | Engineering school in cybersecure intelligent systems

2021-11-10

This competition assesses the top scholarly security research of the year by focusing on research that has a practical impact. The paper SEApp: Bringing Mandatory Access Control to Android Apps, of which I am the first author, was selected as one of the top 10 finalists. In short, it presents a natural evolution of the Android security model with the goal of improving the security of applications and the privacy of their users.

IEEE PerCom 2021 Best Artifact Award winner

IEEE International Conference on Pervasive Computing and Communications (PerCom)

2021-03-22

The software artifact of the paper Scalable Distributed Data Anonymization was awarded best artifact of the entire conference. It protects the respondents of a dataset by obfuscating information that could disclose their identities and sensitive information. By leveraging Apache Spark, the algorithm scales to a cluster of worker nodes, preserving performance even when working on large datasets.

Projects

Deployment of the Kubernetes Platform for Green and Privacy Preserving Data Operations

GitOps repository for the automated deployment of the Kubernetes platform for green and privacy preserving data operations with the use of ArgoCD. The project is part of the results produced by the consortium of the GLACIATION project. I have been in charge of the deployment of OPA Gatekeeper (with the Gatekeeper Policy Manager), MinIO server-side encryption with HashiCorp Vault, and the Apache Spark operator with our ad hoc data sanitization application.

Kubernetes Platform for Green and Privacy Preserving Data Operations

Documentation, design and implementation of the Kubernetes platform for green and privacy preserving data operations. The project is part of the results produced by the consortium of the GLACIATION project. I have been in charge of the design and implementation of the admission control, data wrapping, and data sanitization services.

Anonymization in Apache Spark

Apache Spark application implementing an efficient and effective approach to protect user privacy by obfuscating their identities or sensitive information. Three kinds of transformations are supported: k-anonymity, ℓ-diversity, and the combination of the two. Sanitization jobs are configured by the requesting application through numerous parameters, so that the sanitization process can be tailored to the specific requirements of the user. The application can run in Kubernetes clusters.

Security observability tools: dmng & permissionsnoop

A flexible and intuitive tool that relies on instrumentation to collect, merge, and audit the activity traces generated by any application component. This information is then used to create fine-grained access policies and to introduce sandboxing based on recent kernel security modules, strengthening the security boundary of entire cloud applications.

Multi-Dimensional Indexes Enabling Queries on Encrypted Data

Index enabling query execution over encrypted datasets without leaking frequency information. The tool preprocesses the dataset to construct client-side mappings and to encrypt the dataset. It then demonstrates their use at runtime by automating the upload of the encrypted dataset to PostgreSQL and Redis, and by querying them.

Native Code Sandboxing for the Deno Runtime

Patch to the Deno JavaScript runtime to provide strong isolation guarantees against the execution of native code. It allows developers to control access to the filesystem, Inter-Process Communication, and the network, effectively reducing the risks arising from the execution of binary programs and shared libraries. Despite the use of advanced security mechanisms, the solution features a simple interface that requires neither application changes nor security expertise from developers.

Fine-Grained Sandbox for Deno Subprocesses

Patch to the Deno JavaScript runtime to enable the creation of fine-grained sandboxes for the execution of subprocesses. The sandbox is mainly built using Landlock, with policy exceptions being supported thanks to eBPF. The primary goal of the proposed protection mechanism is to preserve the integrity of the filesystem, and prevent access to confidential resources.

Security-Enhanced Android Applications

Patch to the Android Open Source Project (AOSP) to improve the security of Android applications by allowing developers to define ad hoc policies for their app components. This is a natural evolution of the Android security model, and can help guarantee user privacy even in the presence of third-party components (e.g., advertisement libraries). It supports multiple Android versions and has been tested on virtual and physical devices.

Protocol for the Deployment of Time-Locks in Blockchains

Novel way of implementing time-locked secrets based on smart contracts. It relies on the blockchain to measure the elapse of time, and it combines threshold cryptography with economic incentives and penalties to replace cryptographic puzzles. The prototype is implemented on top of the Ethereum blockchain.

Mix&Slice Virtual Filesystem

Encrypted virtual filesystem implemented on top of Filesystem in Userspace (FUSE) that persists data using the Mix&Slice all-or-nothing transform.

RDF-based Policy Engine with SQL integrations

RDF-based policy engine to evaluate access requests according to the MOSAICrOWN policy language. It includes SQL integrations to identify the set of resources target of a query, make a policy decision, and, when possible, rewrite the query to guarantee the enforcement of the policy.

Music Recommender

A recommender system that suggests songs a user would likely add to one of their playlists, based on other tracks in the same playlist, other playlists created by the same user, and playlists created by other users.

Il Dottore Artificiale

A simplified implementation of a rule-based expert system in the medical field, with the goal of narrowing down the diseases a patient may be suffering from based on the symptoms they present. A chatbot interacts with the patient by generating questions and parsing their answers with regular expressions.

Command Prompt Snake

An implementation of Snake for the Windows Command Prompt.

Challenges

Coding Challenges

I have been passionate about coding challenges since high school, when I took part in the Olimpiadi Italiane di Informatica, a national event on problem solving with a focus on algorithmic time and space complexity. More recently I have participated in Google's Code Jam, Hash Code and Kick Start, and the Reply Code Challenge.

Publications

Supporting Data Owner Control in IPFS Networks

IEEE International Conference on Communications (ICC)

2024-06-09

Decentralized storage architectures are emerging as valid complementary solutions to cloud-based storage services. InterPlanetary File System (IPFS) is one of the most well-known distributed file storage protocols with wide adoption, good performance, and a variety of applications built over it. However, IPFS does not natively support data privacy and its decentralized nature limits the ability of data owners to maintain control over their resources and force their deletion. In this paper, we propose Mix-IPFS, an approach that addresses these shortcomings while exhibiting negligible overhead.

Lightweight Cloud Application Sandboxing

IEEE International Conference on Cloud Computing Technology and Science (CLOUDCOM)

2023-12-04

Modern cloud applications can quickly grow to an elaborate and intricate tangle of services. In this scenario, paying attention to security aspects is important to mitigate the impact of incidents. In this paper, we address the problem proposing an approach that restricts application access to file system resources with a resource-based granularity. To this end, we develop a flexible and intuitive tool that relies on instrumentation to collect, merge, and audit the activity traces generated by any application component. We then demonstrate how this information can be used to introduce fine-grained sandboxes with minimal performance footprint.

NatiSand: Native Code Sandboxing for JavaScript Runtimes

International Symposium on Research in Attacks, Intrusions and Defenses (RAID)

2023-10-16

JavaScript runtimes (e.g., Node.js, Deno, and Bun) run code in a secure and isolated environment, but when they execute binary programs and shared libraries, no isolation guarantees are provided. In this paper we propose NatiSand, a component for JavaScript runtimes that leverages Landlock, eBPF, and Seccomp to control the filesystem, Inter-Process Communication (IPC), and network resources available to binary programs and shared libraries. The approach requires no changes to the application code and offers the user a simple interface. To demonstrate the effectiveness and efficiency of NatiSand, we reproduced a number of vulnerabilities affecting third-party code, showing their mitigation and exhibiting competitive performance with state-of-the-art code sandboxing solutions.

Leveraging eBPF to enhance sandboxing of WebAssembly runtimes

ACM ASIA Conference on Computer and Communications Security (ASIACCS)

2023-07-10

WebAssembly is a binary instruction format with strong security guarantees by design. While originally designed to run inside web browsers, there are now numerous runtimes that bring WebAssembly outside of it. The need to access system resources in these environments has led to the definition of the WebAssembly System Interface (WASI). With specific regard to the file system, WASI requires runtimes to implement security checks to only permit access to a predefined list of directories. While this is a step in the right direction, the approach not only suffers from poor granularity, but is also error-prone and has led to security issues. In this paper we replace the built-in security checks with eBPF programs, enabling the introduction of fine-grained per-module policies. Preliminary experiments confirm the efficiency of the solution.

Cage4Deno: A Fine-Grained Sandbox for Deno Subprocesses

ACM ASIA Conference on Computer and Communications Security (ASIACCS)

2023-07-10

Deno is a runtime for JavaScript and TypeScript that is receiving great interest from developers, and is increasingly used to build the back-ends of web applications. A primary goal of Deno is to provide a secure and isolated environment for the execution of JavaScript programs. However, this protection does not extend to the execution of subprocesses. In this paper we propose Cage4Deno, a set of modifications to Deno enabling the creation of fine-grained sandboxes for the execution of subprocesses using Landlock and eBPF. Experiments showcase the effectiveness of the sandbox against a number of exploits and prove the efficiency of the proposal.

Scalable Distributed Data Anonymization for Large Datasets

Transactions on Big Data (Early Access)

2022-09-19

k-Anonymity and ℓ-diversity are two well-known privacy metrics that guarantee protection of the respondents of a dataset by obfuscating information that could disclose their identities and sensitive information. Existing solutions assume a centralized scenario, and therefore cannot scale. In this paper, we propose a solution enforcing both k-anonymity and ℓ-diversity in a distributed manner with the use of Apache Spark. The experimental evaluation shows that our solution provides scalability without affecting the quality of the resulting anonymization.

Multi-dimensional indexes for point and range queries on outsourced encrypted data

IEEE Global Communications Conference (GLOBECOM)

2021-12-07

An approach for indexing encrypted data stored at external providers to enable provider-side evaluation of queries. The approach supports the evaluation of point and range conditions on multiple attributes, and protects data against static frequency-based inferences by clustering tuples in fixed-size groups that are mapped to the same index values. The experiments evaluate query performance and client-storage requirements, and confirm the efficiency of our solution.

I Told You Tomorrow: Practical Time-Locked Secrets using Smart Contracts

International Conference on Availability, Reliability and Security (ARES)

2021-08-17

Time-Locks enable the release of a secret at a future point in time. Many approaches implement Time-Locks as cryptographic puzzles, binding the time span for the recovery of the secret to the time to solve the puzzle. To overcome this limitation, we propose I Told You Tomorrow (ITYT), a novel way of implementing time-locked secrets based on smart contracts. ITYT relies on the blockchain to measure the elapse of time, and it combines threshold cryptography with economic incentives and penalties to replace cryptographic puzzles. We analyze its resiliency to attacks with the help of economic game theory and demonstrate the low cost and limited resource consumption of the approach with our experiments.

SEApp: Bringing Mandatory Access Control to Android Apps

USENIX Security Symposium (USENIX Security)

2021-08-11

The Android security model focuses on the protection of system components and on securing the interactions between apps. However, app developers have no way to isolate the internal components of their applications. Our solution overcomes this limitation, giving developers the power to define ad hoc Mandatory Access Control (MAC) policies for their apps. This is a natural evolution of the security mechanisms already available in Android, and can help guarantee user privacy even in the presence of third-party components.

Scalable Distributed Data Anonymization

IEEE International Conference on Pervasive Computing and Communications (PerCom)

2021-03-22

An approach for enabling distributed anonymization of sensor data using an arbitrary number of workers with Apache Spark. The experimental evaluation shows that the proposed approach is scalable and does not affect the quality of the anonymized dataset.

Artifact: Scalable Distributed Data Anonymization

IEEE International Conference on Pervasive Computing and Communications (PerCom)

2021-03-22

The paper describes the prototype of Scalable Distributed Data Anonymization, and how to reproduce its experiments.

Skills

Programming

  • Python
  • C/C++
  • Rust

Linux

  • Ubuntu
  • Regolith Desktop
  • Fish Shell

Security

  • eBPF
  • Landlock
  • SELinux

Engineering

  • Communication
  • Problem Solving
  • Teamwork

Research

  • LaTeX
  • Networking
  • Public Speaking

DevOps

  • Git
  • Docker
  • Kubernetes

Distributed Systems

  • Apache Spark
  • Apache Hadoop
  • MinIO

Databases

  • PostgreSQL
  • Redis
  • SQLite

Languages

Italian

Native speaker

English

Fluent

Interests

Technology

Travel

Soccer

Videogames

References

Available upon request