I am a Researcher Level 1 (Gr. 4) of the Informatics Area of Pedeciba (Programa de Desarrollo de las Ciencias Básicas) and a Researcher (Active) Level 2 of the Sistema Nacional de Investigadores (SNI, National System of Researchers), Uruguay.

From March 2018 to February 2020 I was the chair (Coordinador) of the Informatics Area of Pedeciba.

Current projects

October 2021 - : ModSecIntl: A machine learning-assisted web application firewall. The general objective of this project is the conception and development of automated mechanisms for the identification, analysis and prevention of computer attacks on web applications. The technological result of the project will be a Minimum Viable Product (MVP) consisting of models and tools that allow automated support to these mechanisms. The main idea is to combine the flexibility provided by the classification procedures obtained from the definition of machine learning models with the codified knowledge integrated in the specification of the rules used by the WAF to detect attacks. A major challenge is being able to provide the ability to integrate user-defined learning models with the ModSecurity rule decision engine. This framework incorporates a model development environment and a classifier module called the Web Attack Classification Engine (WACE).
Funding: Partially funded by a grant from Fondo de Innovación en Ciberseguridad de la OEA, Cisco y Fundación Citi, Edición 2020.
Role: Head of the project.

Recent projects

March 2018 - September 2021: Automation of knowledge derivation for the assurance of computer systems. The objective of this project is the definition and development of techniques that allow incorporating the use and adaptation of machine learning techniques, data mining and model-driven security for the construction of tools capable of increasing the level of assurance of web applications. The development of attack detection techniques, in particular, involves procedures that help to discern between the behavior of a valid user of the system and a malicious (human or mechanical) actor. The identification and classification of an unforeseen (anomalous) behavior must take into account if a detected event is simply suspicious, or if in fact it is an event that is part of a security incident, and particularly an attack.
Funding: This project is partially funded by the grant Fondo María Viñas 2017 (ANII).
Role: Head of the project.

April 2020 - October 2020: PROTECT (Privacy Oriented TEchniques for the assurance of Contact Tracing solutions). The PROTECT project is developed by a multi-disciplinary team of researchers from the University of the Republic whose work is focused on investigating the problems of the use of digital technologies to implement digital proximity tracing in order to improve the effectiveness of the contagion detection process of COVID-19.
Funding: This project is partially funded by CSIC, Universidad de la República.
Role: Project leader and researcher.

October 2015 - September 2018: Certified autonomic mechanisms for mobile security. This project targets the design of (certified) mechanisms able to proactively understand the behaviour of platforms that deploy technologies for mobile devices in order to detect/prevent vulnerable states of those platforms. To that end we aim at integrating the use of formal security models and certified proofs of properties that may be used to enforce or violate security policies with methods and techniques capable of collecting and analyzing information residing in mobile devices as well as the events that provoke creation, modification and (potentially insecure) flow of that information. We focus on the Android platform as the technology reference in which the developed methods and techniques conducted in this project shall be contrasted. Android is an attractive platform for several reasons. In particular Android applications run on smart phones, and these devices manage a tremendous amount of personal information such as passwords, locations, and social network data. In addition, the large number of devices enabled to host this platform makes Android an obvious target for the application of the results of the project.
Funding: This project is partially funded by the grant Fondo Clemente Estable 2014 (ANII).
Role: Head of the project.

March 2015 - December 2016: AKD: Autonomic Knowledge Discovery for Security Vulnerability Prevention in Self-governing Systems. This project targets the design and development of a novel autonomic approach able to proactively anticipate and prevent future vulnerable states. To that end, an efficient and intelligent use of the knowledge managed by self-governing entities becomes essential. Knowledge plays a central role for achieving autonomicity as it captures what an autonomic system knows about itself, about the environment, and the ways it can behave. Our goal is to take advantage of this knowledge, primarily using a conceptual knowledge discovery process (CKDP), in order to integrate anticipatory capabilities into the autonomic security plane. CKDP is an extension proposed to the standard knowledge discovery process, which has formal concept analysis (FCA) in its core. FCA has been used for several different applications of mining and knowledge management across multiple subdomains of computer science and bioinformatics. Some examples are organization, querying, browsing, search and prediction. The main goal of this project is the study of vulnerability anticipation mechanisms from the perspective of CKDP and FCA. To do so, we consider a conceptual mapping between the autonomic control loop usually called MAPE (monitoring, analysis, planning, execution) and CKDP (data preparation, mining, interpretation/evaluation, deployment). This mapping raises intriguing questions about the consequences of applying well-known techniques of knowledge discovery into autonomic-related problems and vice versa. The investigation of these consequences is one of the main goals of this work. Research teams from Brazil, Chile, France and Uruguay participate in this project.
Funding: This project was partially funded by the program STIC Amsud (ANII).
Role: Coordinator of the Uruguayan team.

December 2009 - March 2014: VirtualCert: Towards a Certified Virtualization Platform. In this project we focused on the security of computer virtualization platforms. In particular, the main objective was to develop a formal idealized model of one such platform, establish non-interference security properties that should be guaranteed by the modeled control access mechanisms and to construct mathematical proofs, verified with the help of a proof assistant, that those properties are satisfied. This project was developed in collaboration with Dr. Gilles Barthe, from IMDEA Software, Spain.
Funding: This project was partially funded by the grant Fondo Clemente Estable 2009 (ANII) and CSIC I+D 2012 (UdelaR).
Role: Co-head of the project.

September 2006 – December 2009: Project STIC-AMSUD / ReSeCo: Reliability and Security of Distributed Software Components. The objective of the project ReSeCo was to investigate reliability and security in a computational model in which both the platform and applications are dynamic, so that incoming software, built from off-the-shelf components, may be destined to form part of the platform or to execute as a standard application. The concrete goals of the project include the development of mechanisms that help software developers build reliable software from off-the-shelf components, and of security infrastructures that guarantee end-users that the software they use is safe and secure. The research teams involved in this project were: the Everest team from INRIA Sophia-Antipolis (France), the Computer Science section of FAMAF at Universidad Nacional de Córdoba (Argentine), the Department of Computer Science at Universidad de Chile (Chile), and the Formal Methods team from InCo (Uruguay). The project was funded by the French government and by specific programs of the local research agencies (PDT – DINACYT in the case of our team).
Funding: This project was partially funded by the program STIC Amsud (ANII) 2006.
Role: Coordinator of the Uruguayan team.

January 2007 – March 2009: STEVE: Security Through Verifiable Evidence. The overall objective of this project was to investigate architectures that will guarantee to end users in a distributed setting that it is safe to use computations performed by a third party or download and install software components developed by a third party. We shall follow a new approach, based on the idea of Proof Carrying Code, where software/results come equipped with a formal specification of the properties they verify, and a certificate, i.e. a condensed mathematical proof that can be checked automatically and efficiently, that the software/result satisfies these properties. The challenge here is to propose an infrastructure for generating, sending, and verifying certificates, and instantiate the infrastructure to programs (as in mobile and distributed code), where consumers want to check that incoming software is correct and innocuous, and to computations (as in grid computing), where consumers want to check that incoming results of computations are correct and innocuous.
Funding: This project was partially funded by the grant Prof. Clemente Estable of DINACYT.
Role: Head of the project.

April 2006 - August 2009: Project CERTuy. This R&D project had as its main objectives to develop activities that would contribute to the creation of a national CERT (Computer Emergency Response Team). These activities were developed in collaboration with the CSIRT (Computer Security Incidents Response Team) of the national telecommunication company ANTEL. This project was partially funded by ANTEL and the Engineering School of the University of the Republic.
Role: Head of the academic team.

Other projects

2001 - 2002: Projet de Collaboration Régionale Cône-Sud France: Cartes à Puce. This was a research project in the domain of Smart Cards in which research groups of INRIA Sophia-Antipolis, France, University of Córdoba, Argentine and InCo, Uruguay collaborated. The project was partially funded by the French Government.
Role: Co-Head of the project.

2000 - 2002: Integration of Type Theory and Model Checking for the Formal Verification of Reactive Systems. This project was partially funded by the CSIC (the university research agency).
Role: Co-Head of the project.

1999 - 2001: Subtypes and Objects in Theories and Tools based on Type Theory. This project was partially funded by the grant Prof. Clemente Estable of DINACYT.
Role: Principal researcher.