Publications
RFQuack: A Universal Hardware-Software Toolkit for Wireless Protocol (Security) Analysis and Research
Authors:
Federico Maggi, Andrea Guglielmini
arXiv
Technical Report
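@techreport{maggi_rfquack_tr_2021,
  author      = {Maggi, Federico and Guglielmini, Andrea},
  title       = {{RFQuack}: A Universal Hardware-Software Toolkit for
                 Wireless Protocol (Security) Analysis and Research},
  shorttitle  = {RFQuack},
  institution = {arXiv},
  date        = {2021-04-06},
  eprint      = {2104.02551},
  eprinttype  = {arXiv},
  url         = {https://arxiv.org/abs/2104.02551},
  file        = {files/papers/reports/maggi_rfquack_tr_2021.pdf},
  abstract    = {Software-defined radios (SDRs) are indispensable for
                 signal reconnaissance and physical-layer dissection, but
                 despite we have advanced tools like Universal Radio Hacker,
                 SDR-based approaches require substantial effort.
                 Contrarily, RF dongles such as the popular Yard Stick One
                 are easy to use and guarantee a deterministic
                 physical-layer implementation. However, they're not very
                 flexible, as each dongle is a static hardware system with a
                 monolithic firmware. We present RFquack, an open-source
                 tool and library firmware that combines the flexibility of
                 a software-based approach with the determinism and
                 performance of embedded RF frontends. RFquack is based on a
                 multi-radio hardware system with swappable RF frontends,
                 and a firmware that exposes a uniform, hardware-agnostic
                 API. RFquack focuses on a structured firmware architecture
                 that allows high- and low-level interaction with the RF
                 frontends. It facilitates the development of host-side
                 scripts and firmware plug-ins, to implement efficient
                 data-processing pipelines or interactive protocols, thanks
                 to the multi-radio support. RFquack has an IPython shell
                 and 9 firmware modules for: spectrum scanning, automatic
                 carrier detection and bitrate estimation, headless
                 operation with remote management, in-flight packet
                 filtering and manipulation, MouseJack, and RollJam (as
                 examples). We used RFquack to setup RF hacking contests,
                 analyze industrial-grade devices and key fobs, on which we
                 found and reported 11 vulnerabilities in their RF
                 protocols.},
}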
Smart Factory Security: A Case Study on a Modular Smart Manufacturing System
Authors:
Federico Maggi, Marco Balduzzi, Rainer Vosseler, Martin Rösler, Walter Quadrini, Giacomo Tavola, Marcello Pogliani, Davide Quarta, Stefano Zanero
International Conference on Industry 4.0 and Smart Manufacturing
Conference Paper
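@inproceedings{maggi_smsec_2020,
  author     = {Maggi, Federico and Balduzzi, Marco and Vosseler, Rainer
                and Rösler, Martin and Quadrini, Walter and Tavola,
                Giacomo and Pogliani, Marcello and Quarta, Davide and
                Zanero, Stefano},
  title      = {Smart Factory Security: A Case Study on a Modular
                Smart Manufacturing System},
  shorttitle = {SMSec},
  booktitle  = {International Conference on {Industry 4.0} and Smart
                Manufacturing},
  series     = {ISM '20},
  volume     = {42},
  publisher  = {Elsevier Procedia Computer Science},
  venue      = {Linz, Austria},
  date       = {2020-11-23},
  file       = {files/papers/conference-papers/maggi_smsec_2020.pdf},
  abstract   = {Smart manufacturing systems are an attractive target for
                cyber attacks, because they embed valuable data and critical
                equipment. Despite the market is driving towards integrated
                and interconnected factories, current smart manufacturing
                systems are still designed under the assumption that they
                will stay isolated from the corporate network and the
                outside world. This choice may result in an internal
                architecture with insufficient network and system
                compartmentalization. As a result, once an attacker has
                gained access, they have full control of the entire
                production plant because of the lack of network
                segmentation. With the goal of raising cybersecurity
                awareness, in this paper we describe a practical case study
                showing attack scenarios that we have validated on a real
                modular smart manufacturing system, and suggest practical
                security countermeasures. The testbed smart manufacturing
                system is part of the Industry 4.0 research laboratory
                hosted by Politecnico di Milano, and comprises seven
                assembly stations, each with their programmable logic
                controllers and human-computer interfaces, as well as an
                industrial robotic arm that performs pick-and-place
                tasks. On this testbed we show two indirect attacks to gain
                initial access, even under the best-case scenario of a
                system not directly connected to any public network. We
                conclude by showing two post-exploitation scenarios that an
                adversary can use to cause physical impact on the
                production, or keep persistent access to the plant. We are
                unaware of a similar security analysis performed within the
                premises of a research facility, following a scientific
                methodology, so we believe that this work can represent a
                good first step to inspire follow up research on the many
                verticals that we touch.},
}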
Detecting Unsafe Code Patterns in Industrial Robot Programs
Authors:
Marcello Pogliani, Federico Maggi, Marco Balduzzi, Davide Quarta, Stefano Zanero
Proceedings of the 2020 on Asia Conference on Computer and Communications …
Conference Paper
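@inproceedings{pogliani_otrazor_2020,
  author        = {Pogliani, Marcello and Maggi, Federico and Balduzzi, Marco
                   and Quarta, Davide and Zanero, Stefano},
  title         = {Detecting Unsafe Code Patterns in Industrial Robot
                   Programs},
  shorttitle    = {OTRazor},
  booktitle     = {Proceedings of the 2020 on Asia Conference on Computer and
                   Communications Security},
  series        = {AsiaCCS '20},
  publisher     = {ACM},
  location      = {New York, NY, USA},
  venue         = {Taipei, Taiwan},
  date          = {2020-10-05},
  pubstate      = {inpress},
  file          = {files/papers/conference-papers/pogliani_otrazor_2020.pdf},
  internal-note = {abstract and pages still missing; the entry previously
                   carried the placeholders "To appear" / "(to appear)"},
}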
Rogue Automation: Vulnerable and Malicious Code in Industrial Programming
Authors:
Federico Maggi, Marcello Pogliani, Martino Vittone, Davide Quarta, Stefano Zanero, Marco Balduzzi, Rainer Vosseler, Martin Rösler
Trend Micro, Inc.
Trend Micro Research
Technical Report
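@techreport{maggi_rogueautomationwp_tr_2020,
  author      = {Maggi, Federico and Pogliani, Marcello and Vittone,
                 Martino and Quarta, Davide and Zanero, Stefano and
                 Balduzzi, Marco and Vosseler, Rainer and Rösler, Martin},
  title       = {Rogue Automation: Vulnerable and Malicious Code in
                 Industrial Programming},
  shorttitle  = {RogueAutomationWP},
  institution = {Trend Micro, Inc.},
  publisher   = {Trend Micro Research},
  series      = {Research Papers},
  date        = {2020-08-04},
  url         = {https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/unveiling-the-hidden-risks-of-industrial-automation-programming},
  file        = {files/papers/reports/maggi_rogueautomationwp_tr_2020.pdf},
  abstract    = {In this research paper, we reveal previously unknown
                 design flaws that malicious actors could exploit to hide
                 malicious functionalities in industrial robots and other
                 automated, programmable manufacturing machines. Since these
                 flaws are difficult to fix, enterprises that deploy
                 vulnerable machines could face serious consequences. An
                 attacker could exploit them to become persistent within a
                 smart factory, silently alter the quality of products, halt
                 a manufacturing line, or perform some other malicious
                 activity.},
}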
Attacks on Smart Manufacturing Systems: A Forward-looking Security Analysis
Authors:
Federico Maggi, Marcello Pogliani
Trend Micro, Inc.
Trend Micro Research
Technical Report
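@techreport{maggi_smartfactorywp_tr_2020,
  author      = {Maggi, Federico and Pogliani, Marcello},
  title       = {Attacks on Smart Manufacturing Systems: A
                 Forward-looking Security Analysis},
  shorttitle  = {SmartFactoryWP},
  institution = {Trend Micro, Inc.},
  publisher   = {Trend Micro Research},
  series      = {Research Papers},
  date        = {2020-05-11},
  url         = {https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/threats-and-consequences-a-security-analysis-of-smart-manufacturing-systems},
  file        = {files/papers/reports/maggi_smartfactorywp_tr_2020.pdf},
  abstract    = {This research presents a systematic security analysis that
                 we performed to explore a variety of attack vectors on a
                 real smart manufacturing system and to assess the attacks
                 that could be feasibly launched on a complex smart
                 manufacturing system. The main, two-pronged question we
                 want to answer is: Under which threat conditions and
                 attacker capabilities are certain attacks possible, and
                 what are the consequences?},
}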
Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats
Authors:
Stephen Hilt, Federico Maggi, Charles Perine, Lord Remorin, Martin Rösler, Rainer Vosseler
Trend Micro, Inc.
Trend Micro Research
Technical Report
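@techreport{hilt_factoryhoneypotwp_tr_2020,
  author      = {Hilt, Stephen and Maggi, Federico and Perine, Charles and
                 Remorin, Lord and Rösler, Martin and Vosseler, Rainer},
  title       = {Caught in the Act: Running a Realistic Factory Honeypot to
                 Capture Real Threats},
  shorttitle  = {FactoryHoneypotWP},
  institution = {Trend Micro, Inc.},
  publisher   = {Trend Micro Research},
  series      = {Research Papers},
  date        = {2020-01-21},
  url         = {https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/fake-company-real-threats-logs-from-a-smart-factory-honeypot},
  file        = {files/papers/reports/hilt_factoryhoneypotwp_tr_2020.pdf},
  abstract    = {Different critical infrastructures have been hit with
                 attacks such as those that involved the infamous Stuxnet
                 malware and the more recent Triton malware. These
                 incidents — attacks on manufacturing and other sectors
                 that use industrial control systems (ICSs) — continue to
                 be heard of through the years. In 2017, for instance, the
                 notorious WannaCry ransomware shut down a car manufacturing
                 factory in Japan, and another ransomware attack took down
                 a factory in North Carolina, U.S. Smart factories attract
                 the interest of threat actors for the critical and
                 sensitive infrastructures they usually handle. A successful
                 attack, no matter how difficult the execution, can yield
                 high-impact results that can corner an organization into
                 giving in to cybercriminals’ demands or, at the very
                 least, cost it considerable losses. Prompted by our desire
                 to determine how knowledgeable and imaginative attackers
                 could be in compromising a manufacturing facility, we built
                 the most realistic factory honeypot we had ever created.
                 And in doing so, we also created an ideal environment where
                 we could monitor and learn about the attacks that the
                 honeypot came to attract. From conceptualization to actual
                 execution, our factory honeypot was designed to be an
                 attractive target for potential cybercriminals. Our factory
                 honeypot took on the ruse of a small fictitious company
                 that apparently handled clients from critical industries
                 yet possessed inadequate security defenses. Our ruse proved
                 successful as our honeypot saw several attacks, which we
                 had the freedom and resources to monitor. These attacks
                 included a malicious cryptocurrency mining campaign, two
                 ransomware attacks, another that posed as a ransomware
                 attack, and several scanners. In this research paper, we
                 detail the conceptualization and creation of our most
                 elaborate honeypot to date, and discuss the result of our
                 monitoring and tracking of the incidents that occurred on
                 the honeypot.},
}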
A Security Evaluation of Industrial Radio Remote Controllers
Authors:
Federico Maggi, Marco Balduzzi, Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, Rainer Vosseler
Proceedings of the 16th International Conference on Detection of Intrusions and …
Conference Paper
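@inproceedings{maggi_industrialradios_2019,
  author        = {Maggi, Federico and Balduzzi, Marco and Andersson,
                   Jonathan and Lin, Philippe and Hilt, Stephen and Urano,
                   Akira and Vosseler, Rainer},
  title         = {A Security Evaluation of Industrial Radio Remote
                   Controllers},
  shorttitle    = {IndustrialRadios},
  editor        = {Perdisci, Roberto and Almgren, Magnus},
  booktitle     = {Proceedings of the 16th International Conference on
                   Detection of Intrusions and Malware, and Vulnerability
                   Assessment ({DIMVA})},
  series        = {Lecture Notes in Computer Science},
  volume        = {11543},
  publisher     = {Springer International Publishing},
  venue         = {Gothenburg, Sweden},
  date          = {2019-06-19},
  doi           = {10.1007/978-3-030-22038-9_7},
  isbn          = {978-3-030-22037-2},
  file          = {files/papers/conference-papers/maggi_industrialradios_2019.pdf},
  internal-note = {page range missing; the entry previously carried the
                   stale placeholder "(to appear)" although DOI and ISBN
                   are assigned -- fill in from the DOI record},
}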
Security of controlled manufacturing systems in the connected factory: the case of industrial robots
Authors:
Marcello Pogliani, Davide Quarta, Mario Polino, Martino Vittone, Federico Maggi, Stefano Zanero
Journal of Computer Virology and Hacking Techniques
Journal Article
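@article{pogliani_article_2019,
  author       = {Pogliani, Marcello and Quarta, Davide and Polino, Mario
                  and Vittone, Martino and Maggi, Federico and Zanero,
                  Stefano},
  title        = {Security of controlled manufacturing systems in the
                  connected factory: the case of industrial robots},
  journaltitle = {Journal of Computer Virology and Hacking Techniques},
  date         = {2019-02-13},
  doi          = {10.1007/s11416-019-00329-8},
  issn         = {2263-8733},
  file         = {files/papers/journal-papers/pogliani_article_2019.pdf},
  abstract     = {In modern factories, ``controlled'' manufacturing systems,
                  such as industrial robots, CNC machines, or 3D printers,
                  are often connected in a control network, together with a
                  plethora of heterogeneous control devices. Despite the
                  obvious advantages in terms of production and ease of
                  maintenance, this trend raises non-trivial cybersecurity
                  concerns. Often, the devices employed are not designed for
                  an interconnected world, but cannot be promptly replaced:
                  In fact, they have essentially become legacy systems,
                  embodying design patterns where components and networks are
                  accounted as trusted elements. In this paper, we take a
                  holistic view of the security issues (and challenges) that
                  arise in designing and securely deploying controlled
                  manufacturing systems, using industrial robots as a case
                  study---indeed, robots are the most representative instance
                  of a complex automatically controlled industrial device.
                  Following up to our previous experimental analysis, we take
                  a broad look at the deployment of industrial robots in a
                  typical factory network and at the security challenges that
                  arise from the interaction between operators and machines;
                  then, we propose actionable points to secure industrial
                  cyber-physical systems, and we discuss the limitations of
                  the current standards in industrial robotics to account for
                  active attackers.},
}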
A Security Analysis of Radio Remote Controllers for Industrial Applications
Authors:
Jonathan Andersson, Marco Balduzzi, Stephen Hilt, Philippe Lin, Federico Maggi, Akira Urano, Rainer Vosseler
Trend Micro, Inc.
Trend Micro Research
Technical Report
@techreport{andersson_industrialradioswp_tr_2019,
  author      = {Andersson, Jonathan and Balduzzi, Marco and Hilt, Stephen
                 and Lin, Philippe and Maggi, Federico and Urano, Akira and
                 Vosseler, Rainer},
  title       = {A Security Analysis of Radio Remote Controllers for
                 Industrial Applications},
  shorttitle  = {IndustrialRadiosWP},
  institution = {Trend Micro, Inc.},
  publisher   = {Trend Micro Research},
  series      = {Research Papers},
  date        = {2019-01-15},
  url         = {https://documents.trendmicro.com/assets/white_papers/wp-a-security-analysis-of-radio-remote-controllers.pdf},
  file        = {files/papers/reports/andersson_industrialradioswp_tr_2019.pdf},
  abstract    = {Radio frequency (RF) remote controllers are widely used in
                 manufacturing, construction, transportation, and many other
                 industrial applications. Cranes, drills, and miners, among
                 others, are commonly equipped with RF remotes.
                 Unfortunately, these devices have become the weakest link
                 in these safety-critical applications, characterized by
                 long life spans, high replacement costs, and cumbersome
                 patching processes. Given the pervasive connectivity
                 promoted by the Industry 4.0 trend, we foresee a security
                 risk in this domain as has happened in other fields.
                 Our research reveals that RF remote controllers are
                 distributed globally, and millions of vulnerable units are
                 installed on heavy industrial machinery and environments.
                 Our extensive in-lab and on-site analysis of devices made
                 by seven popular vendors reveals a lack of security
                 features at different levels, with obscure, proprietary
                 protocols instead of standard ones. They are vulnerable to
                 command spoofing, so an attacker can selectively alter
                 their behavior by crafting arbitrary commands — with
                 consequences ranging from theft and extortion to sabotage
                 and injury.
                 This research analyzes and shows how an attacker can
                 persistently and remotely take control or simulate the
                 malfunction of the attached machinery, through attacks like
                 command injection, emergency-stop (e-stop) abuse, and
                 malicious re-pairing. In addition, many modern radio
                 controllers can be programmed via software, which also
                 lacks any security measures, opening them to remote attack
                 vectors. A remote attacker who compromises the computer
                 used to program these remotes can alter their firmware to
                 implement persistent and sophisticated attacks.
                 Having examined the root cause of the vulnerabilities that
                 make these attacks possible, we have reached out to the
                 affected vendors to promote suitable mitigation, and we
                 hope that our research will help raise awareness and avoid
                 unfortunate situations regarding RF remote controllers in
                 industrial applications.},
}
The Fragility of Industrial IoT's Data Backbone: Security and Privacy Issues in MQTT and CoAP Protocols
Authors:
Federico Maggi, Rainer Vosseler, Davide Quarta
Trend Micro, Inc.
Trend Micro Research
Technical Report
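@techreport{maggi_mqttwp_tr_2018,
  author      = {Maggi, Federico and Vosseler, Rainer and Quarta, Davide},
  title       = {The Fragility of Industrial {IoT}'s Data Backbone: Security
                 and Privacy Issues in {MQTT} and {CoAP} Protocols},
  shorttitle  = {MQTTWP},
  institution = {Trend Micro, Inc.},
  publisher   = {Trend Micro Research},
  series      = {Research Papers},
  date        = {2018-12-04},
  url         = {https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/mqtt-and-coap-security-and-privacy-issues-in-iot-and-iiot-communication-protocols},
  file        = {files/papers/reports/maggi_mqttwp_tr_2018.pdf},
  abstract    = {The most popular protocols for machine-to-machine (M2M)
                 technology---the backbone of the internet of things (IoT)
                 and industrial internet of things (IIoT)---are affected by
                 security and privacy issues that impact several market
                 verticals, applications, products, and brands.
                 This report provides a holistic security analysis of the
                 most popular M2M protocols: Message Queuing Telemetry
                 Transport (MQTT) and Constrained Application Protocol
                 (CoAP). Given their flexibility, these data protocols are
                 being adopted in a variety of settings for consumer,
                 enterprise, and industrial applications to connect
                 practically all kinds of “machine,” from innocuous
                 fitness trackers to large power plants. We found issues in
                 design as well as vulnerable implementations, along with
                 hundreds of thousands of unsecure deployments. These issues
                 highlight the risk of how endpoints could be open to
                 denial-of-service (DoS) attacks and, in some cases, taken
                 advantage of to gain full control by an attacker. Despite
                 the fixes in the design specifications, it is hard for
                 developers to keep up with a changing standard when a
                 technology becomes pervasive. Also, the market for this
                 technology is very wide because the barrier to entry is
                 fairly low. This has led to a multitude of fragmented
                 implementations.
                 This report is aimed at raising security awareness and
                 driving the adoption of proper remediation measures.},
}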
Investigating Web Defacement Campaigns at Large
Authors:
Federico Maggi, Marco Balduzzi, Ryan Flores, Lion Gu, Vincenzo Ciancaglini
Proceedings of the 2018 on Asia Conference on Computer and Communications …
Conference Paper
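@inproceedings{maggi_defplorex_2018,
  author     = {Maggi, Federico and Balduzzi, Marco and Flores, Ryan and
                Gu, Lion and Ciancaglini, Vincenzo},
  title      = {Investigating Web Defacement Campaigns at Large},
  shorttitle = {DefPloreX},
  booktitle  = {Proceedings of the 2018 on Asia Conference on Computer and
                Communications Security},
  series     = {AsiaCCS '18},
  pages      = {443--456},
  publisher  = {ACM},
  location   = {New York, NY, USA},
  venue      = {Incheon, Republic of Korea},
  date       = {2018-06-04},
  doi        = {10.1145/3196494.3196542},
  isbn       = {978-1-4503-5576-6},
  file       = {files/papers/conference-papers/maggi_defplorex_2018.pdf},
  abstract   = {Website defacement is the practice of altering the web
                pages of a website after its compromise. The altered pages,
                called deface pages, can negatively affect the reputation
                and business of the victim site. Previous research has
                focused primarily on detection, rather than exploring the
                defacement phenomenon in depth. While investigating several
                defacements, we observed that the artifacts left by the
                defacers allow an expert analyst to investigate the actors'
                modus operandi and social structure, and expand from the
                single deface page to a group of related defacements (i.e.,
                a campaign). However, manually performing such analysis on
                millions of incidents is tedious, and poses scalability
                challenges. From these observations, we propose an
                automated approach that efficiently builds intelligence
                information out of raw deface pages. Our approach
                streamlines the analysts job by automatically recognizing
                defacement campaigns, and assigning meaningful textual
                labels to them. Applied to a comprehensive dataset of 13
                million defacement records, from Jan. 1998 to Sept. 2016,
                our approach allowed us to conduct the first large-scale
                measurement on web defacement campaigns. In addition, our
                approach is meant to be adopted operationally by analysts
                to identify live campaigns on the field.
                We go beyond confirming anecdotal evidence. We analyze the
                social structure of modern defacers, which includes lone
                individuals as well as actors that cooperate with each
                others, or with teams, which evolve over time and dominate
                the scene. We conclude by drawing a parallel between the
                time line of World-shaping events and defacement campaigns,
                representing the evolution of the interests and orientation
                of modern defacers.},
}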
A Deep Dive into Defacement: How Geopolitical Events Trigger Web Attacks
Authors:
Marco Balduzzi, Ryan Flores, Lion Gu, Federico Maggi, Vincenzo Ciancaglini, Roel Reyes, Akira Urano
Trend Micro, Inc.
TrendLabs
Technical Report
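@techreport{balduzzi_defplorexwp_tr_2018,
  author      = {Balduzzi, Marco and Flores, Ryan and Gu, Lion and Maggi,
                 Federico and Ciancaglini, Vincenzo and Reyes, Roel and
                 Urano, Akira},
  title       = {A Deep Dive into Defacement: How Geopolitical Events
                 Trigger Web Attacks},
  shorttitle  = {DefPloreXWP},
  institution = {Trend Micro, Inc.},
  publisher   = {TrendLabs},
  series      = {Research Papers},
  date        = {2018-01-22},
  url         = {https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf},
  file        = {files/papers/reports/balduzzi_defplorexwp_tr_2018.pdf},
  abstract    = {Web attacks—attacks that compromise internet assets like
                 mail servers, cloud infrastructures, and websites—are
                 troubling phenomena. The research community has put
                 considerable effort into investigating these incidents but
                 has mostly focused on detecting attacks and not delving
                 into the reasons behind these attacks.
                 Of course, the typical cybercriminal's goal is to profit.
                 They might compromise websites to push ransomware, or they
                 could try and steal data—recent breaches show that
                 information is an increasingly valuable commodity. But, as
                 this paper discusses, more emotional motivations, such as
                 patriotism, specific real-world events or simply
                 hacktivism, can also trigger compromises.
                 Web defacement hacktivism is the practice of subverting a
                 website with the goal of promoting a specific agenda or
                 political ideology. Methods may vary, but when hacktivists
                 compromise a website, the usual tactic involves replacing
                 the original page with their version—a practice that is
                 called web defacement. Hacktivism is mainly linked to web
                 defacement, but a hacktivist (the attacker) can also be
                 involved in traffic redirection (from a legitimate site to
                 an attacker-owned site), denial of service (a form of
                 service disruption), and malware distribution to support
                 their particular cause.
                 Dedicated websites like Zone-H collect evidence of web
                 defacements and defacers can voluntarily advertise their
                 compromise by submitting a report. Elaborating on the
                 reasons behind web defacements at scale is not as easy as
                 it seems. While someone could theorize that geopolitical
                 events and conflicts influence cybercriminals’ attacks
                 against websites and their choice of victims, corroborating
                 this phenomenon requires large-scale analysis.
                 Our examination of over 13 million web defacement reports
                 against websites spans over 18 years, covering multiple
                 continents. We designed an internal system that gathers,
                 analyzes, and clusters these millions of reports. As we
                 identify the major campaigns of these defacers, we can
                 provide further insights into how geopolitical events are
                 reflected in web defacements. We also look at how different
                 factors, such as the political beliefs and the defacers'
                 religious inclination, can trigger and affect these
                 attacks.
                 Our first two sections provide high-level insights into our
                 dataset of defacements, as well as some defining facts
                 about the targets and tactics used by the defacers. Our
                 next section on Real World Impact breaks down seven top
                 campaigns that have affected Israel, France, India, Syria,
                 Kosovo, and countries surrounding the South China Sea. We
                 delve into specific conflicts in those areas and the
                 defacements that happened in the aftermath.
                 The succeeding sections cover the hacking groups'
                 affiliations and how their collectives are organized—some
                 collectives are formed across continents, and some are a
                 loose collection of local hackers. Recruitment tools and
                 the methods used to distribute hacking techniques are also
                 discussed.
                 The final sections discuss other activities that defacers
                 take part in, and how the current activities may evolve.
                 Recently, there have been incidents of hackers who have
                 gone from simple web defacement to activities supporting
                 cybercrime. There is a real possibility that defacers and
                 defacement groups will start to escalate their activities,
                 move away from ideological motivations, and turn into
                 cybercrime.},
}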
Hiding Behind the Shoulders of Giants: Abusing Crawlers for Indirect Web Attacks
Authors:
Apostolis Zarras, Federico Maggi
Proceedings of the 15th Annual International Conference on Privacy, Security and …
Conference Paper
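@inproceedings{zarras_sqlbot_2017,
  author        = {Zarras, Apostolis and Maggi, Federico},
  title         = {Hiding Behind the Shoulders of Giants: Abusing Crawlers
                   for Indirect Web Attacks},
  shorttitle    = {SQLBot},
  booktitle     = {Proceedings of the 15th Annual International Conference on
                   Privacy, Security and Trust ({PST})},
  pages         = {355--35509},
  publisher     = {IEEE Computer Society},
  venue         = {Calgary, Canada},
  date          = {2017-08-28},
  doi           = {10.1109/PST.2017.00049},
  isbn          = {978-1-5386-2487-6},
  file          = {files/papers/conference-papers/zarras_sqlbot_2017.pdf},
  internal-note = {the pages value looks like a publisher-export artifact
                   rather than a real range; verify against the DOI record},
  abstract      = {It could be argued that without search engines, the web
                   would have never grown to the size that it has today. To
                   achieve maximum coverage and provide relevant results,
                   search engines employ large armies of autonomous crawlers
                   that continuously scour the web, following links, indexing
                   content, and collecting features that are then used to
                   calculate the ranking of each page. In this paper, we
                   describe how autonomous crawlers can be abused by attackers
                   to exploit vulnerabilities on third-party websites while
                   hiding the true origin of the attacks. Moreover, we show
                   how certain vulnerabilities on websites that are currently
                   deemed unimportant, can be abused in a way that would allow
                   an attacker to arbitrarily boost the rankings of malicious
                   websites in the search results of popular search engines.
                   Motivated by the potentials of these vulnerabilities, we
                   propose a series of preventive and defensive
                   countermeasures that website owners and search engines can
                   adopt to minimize, or altogether eliminate, the effects of
                   crawler-abusing attacks.},
}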
Static Exploration of Taint-Style Vulnerabilities Found by Fuzzing
Authors:
Bhargava Shastry, Federico Maggi, Fabian Yamaguchi, Konrad Rieck, Jean-Pierre Seifert
11th USENIX Workshop on Offensive Technologies (WOOT 17)
Conference Paper
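@inproceedings{shastry_hybridstaticfuzzing_2017,
  author     = {Shastry, Bhargava and Maggi, Federico and Yamaguchi,
                Fabian and Rieck, Konrad and Seifert, Jean-Pierre},
  title      = {Static Exploration of Taint-Style Vulnerabilities Found by
                Fuzzing},
  shorttitle = {HybridStaticFuzzing},
  booktitle  = {Proceedings of the 11th {USENIX} Workshop on Offensive
                Technologies ({WOOT} 17)},
  publisher  = {USENIX Association},
  venue      = {Vancouver, BC},
  date       = {2017-08},
  url        = {https://www.usenix.org/conference/woot17/workshop-program/presentation/shastry},
  file       = {files/papers/workshop-papers/shastry_hybridstaticfuzzing_2017.pdf},
  keywords   = {workshop},
  abstract   = {Taint-style vulnerabilities comprise a majority of fuzzer
                discovered program faults. These vulnerabilities usually
                manifest as memory access violations caused by tainted
                program input. Although fuzzers have helped uncover a
                majority of taint-style vulnerabilities in software to
                date, they are limited by (i) extent of test coverage; and
                (ii) the availability of fuzzable test cases. Therefore,
                fuzzing alone cannot provide a high assurance that all
                taint-style vulnerabilities have been uncovered.
                In this paper, we use static template matching to find
                recurrences of fuzzer-discovered vulnerabilities. To
                compensate for the inherent incompleteness of template
                matching, we implement a simple yet effective match-ranking
                algorithm that uses test coverage data to focus attention
                on matches comprising untested code. We prototype our
                approach using the Clang/LLVM compiler toolchain and use it
                in conjunction with afl-fuzz, a modern coverage-guided
                fuzzer. Using a case study carried out on the Open vSwitch
                codebase, we show that our prototype uncovers corner cases
                in modules that lack a fuzzable test harness. Our work
                demonstrates that static analysis can effectively
                complement fuzz testing, and is a useful addition to the
                security assessment tool-set. Furthermore, our techniques
                hold promise for increasing the effectiveness of program
                analysis and testing, and serve as a building block for a
                hybrid vulnerability discovery framework.},
}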
Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery
Authors:
Tommi Unruh, Bhargava Shastry, Malte Skoruppa, Federico Maggi, Konrad Rieck, Jean-Pierre Seifert, Fabian Yamaguchi
Proceedings of the 11th USENIX Workshop on Offensive Technologies (WOOT 17)
Conference Paper
@InProceedings{ unruh_joernphp_2017,
abstract = {The Web is replete with tutorial-style content on how to
accomplish programming tasks. Unfortunately, even
top-ranked tutorials suffer from severe security
vulnerabilities, such as cross-site scripting (XSS), and
SQL injection (SQLi). Assuming that these tutorials
influence real-world software development, we hypothesize
that code snippets from popular tutorials can be used to
bootstrap vulnerability discovery at scale. To validate our
hypothesis, we propose a semi-automated approach to find
recurring vulnerabilities starting from a handful of
top-ranked tutorials that contain vulnerable code snippets.
We evaluate our approach by performing an analysis of tens
of thousands of open-source web applications to check if
vulnerabilities originating in the selected tutorials
recur. Our analysis framework has been running on a
standard PC, analyzed 64,415 PHP codebases hosted on GitHub
thus far, and found a total of 117 vulnerabilities that
have a strong syntactic similarity to vulnerable code
snippets present in popular tutorials. In addition to
shedding light on the anecdotal belief that programmers
reuse web tutorial code in an ad hoc manner, our study
finds disconcerting evidence of insufficiently reviewed
tutorials compromising the security of open-source
projects. Moreover, our findings testify to the feasibility
of large-scale vulnerability discovery using poorly written
tutorials as a starting point.},
author = {Unruh, Tommi and Shastry, Bhargava and Skoruppa, Malte and
Maggi, Federico and Rieck, Konrad and Seifert, Jean-Pierre
and Yamaguchi, Fabian},
booktitle = {Proceedings of the 11th USENIX Workshop on Offensive
Technologies (WOOT 17)},
date = {2017-08},
file = {files/papers/workshop-papers/unruh_joernphp_2017.pdf},
keywords = {workshop},
location = {Vancouver, BC},
publisher = {USENIX Association},
shorttitle = {JoernPHP},
title = {Leveraging Flawed Tutorials for Seeding Large-Scale Web
Vulnerability Discovery},
url = {https://www.usenix.org/conference/woot17/workshop-program/presentation/unruh}
}
A Vulnerability in Modern Automotive Standards and How We Exploited It
Authors:
Federico Maggi
Trend Micro, Inc.
TrendLabs Security Intelligence Blog
Technical Report
@TechReport{ maggi_candoswp_tr_2017,
abstract = {This research is a joint effort between Politecnico di
Milano, Linklayer Labs, and Trend Micro's FTR. In this
report, we describe a vulnerability in modern cars’
networks that allows a completely stealthy
denial-of-service attack which is undetectable by current
security mechanisms and works for every automotive vendor.
This attack differs drastically from other previously
reported car hacks because it does not exploit easily
patchable software vulnerabilities. Rather, the element
exploited is a design flaw, which is thus fundamentally
hard to solve, in the standard that defines how in-vehicle
networks work.
This attack was presented at the 2017 international
conference on Detection of Intrusions and Malware \&
Vulnerability Assessment (DIMVA) in Bonn (Jul 6–7). Prior
to that, we coordinated with the ICS-CERT, which promptly
disseminated an alert (ICS-ALERT-17-209-01).},
author = {Maggi, Federico},
date = {2017-08},
file = {files/papers/reports/maggi_candoswp_tr_2017.pdf},
institution = {Trend Micro, Inc.},
publisher = {TrendLabs Security Intelligence Blog},
series = {Technical Brief},
shorttitle = {CANDoSWP},
title = {A Vulnerability in Modern Automotive Standards and How We
Exploited It},
url = {https://documents.trendmicro.com/assets/A-Vulnerability-in-Modern-Automotive-Standards-and-How-We-Exploited-It.pdf}
}
A Stealth, Selective, Link-Layer Denial-of-Service Attack Against Automotive Networks
Authors:
Andrea Palanca, Eric Evenchick, Federico Maggi, Stefano Zanero
Proceedings of the 14th International Conference on Detection of Intrusions and …
Journal Article
@InProceedings{ palanca_candos_2017,
abstract = {Modern vehicles incorporate tens of electronic control
units (ECUs), driven by as much as 100,000,000 lines of
code. They are tightly interconnected via internal
networks, mostly based on the CAN bus standard. Past
research showed that, by obtaining physical access to the
network or by remotely compromising a vulnerable ECU, an
attacker could control even safety-critical inputs such as
throttle, steering or brakes. In order to secure current
CAN networks from cyberattacks, detection and prevention
approaches based on the analysis of transmitted frames have
been proposed, and are generally considered the most time-
and cost-effective solution, to the point that companies
have started promoting aftermarket products for existing
vehicles.},
author = {Palanca, Andrea and Evenchick, Eric and Maggi, Federico
and Zanero, Stefano},
booktitle = {Proceedings of the 14th International Conference on
Detection of Intrusions and Malware, and Vulnerability
Assessment (DIMVA)},
date = {2017-07-06},
doi = {10.1007/978-3-319-60876-1_9},
editor = {Polychronakis, Michalis and Meier, Michael},
file = {files/papers/conference-papers/palanca_candos_2017.pdf},
isbn = {978-3-319-60876-1},
location = {Bonn, Germany},
pages = {185--206},
publisher = {Springer International Publishing},
shorttitle = {CANDoS},
title = {A Stealth, Selective, Link-Layer Denial-of-Service Attack
Against Automotive Networks}
}
Prometheus: Analyzing WebInject-based information stealers
Authors:
Andrea Continella, Michele Carminati, Mario Polino, Andrea Lanzi, Stefano Zanero, Federico Maggi
Journal of Computer Security
Conference Paper
@Article{ continella_prometheus_article_2017,
abstract = {Nowadays, information stealers are reaching high levels of
sophistication. The number of families and variants
observed increased exponentially in the last years.
Furthermore, these trojans are sold on underground markets
along with automatic frameworks that include web-based
administration panels, builders and customization
procedures. From a technical point of view such malware is
equipped with a functionality, called WebInject, that
exploits API hooking techniques to intercept all sensitive
data in a browser context and modify web pages on infected
hosts. In this paper we propose Prometheus, an automatic
system that is able to analyze trojans that base their
attack technique on DOM modifications. Prometheus is able
to identify the injection operations performed by malware,
and generate signatures based on the injection behavior.
Furthermore, it is able to extract the WebInject targets by
using memory forensic techniques. We evaluated Prometheus
against real-world, online websites and a dataset of
distinct variants of financial trojans. In our experiments
we show that our approach correctly recognizes known
variants of WebInject-based malware and successfully
extracts the WebInject targets. },
author = {Continella, Andrea and Carminati, Michele and Polino,
Mario and Lanzi, Andrea and Zanero, Stefano and Maggi,
Federico},
date = {2017-05-02},
file = {files/papers/journal-papers/continella_prometheus_article_2017.pdf},
journal = {Journal of Computer Security},
number = {Preprint},
pages = {1--21},
publisher = {IOS Press},
shorttitle = {Prometheus},
title = {Prometheus: Analyzing WebInject-based information
stealers}
}
Rogue Robots: Testing the Limits of an Industrial Robot’s Security
Authors:
Federico Maggi, Davide Quarta, Marcello Pogliani, Mario Polino, Andrea M. Zanchettin, Stefano Zanero
Trend Micro, Inc.
TrendLabs
Technical Report
@TechReport{ maggi_robotswp_tr_2017,
abstract = {Vulnerabilities in protocols and software running
industrial robots are by now widely known, but to date,
there has been no in-depth, hands-on research that
demonstrates to what extent robots can actually be
compromised. For the first time, with this research—a
collaboration between Politecnico di Milano (POLIMI) and
the Trend Micro Forward-Looking Threat Research (FTR)
Team—we have been able to analyze the impact of
system-specific attacks and demonstrate attack scenarios on
actual standard industrial robots in a controlled
environment. In industrial devices, the impact of a single,
simple software vulnerability can already have serious
consequences. Depending on the actual setup and security
posture of the targeted smart factory, attackers could
trigger attacks that could amount to massive financial
damage to the company in question or at worst, even affect
critical goods. Almost all industry sectors that are
critical for a nation are potentially at risk.
Unfortunately, the Industry 4.0 revolution is just bringing
industrial robots closer to the forefront. As improvements
in the way industrial robots work and communicate increase
their complexity and interconnectedness, the industrial
robots sector unlocks a broader attack surface. In our
security analysis, we found that the software running on
these devices is outdated; based on vulnerable OSs and
libraries, sometimes relying on obsolete or cryptographic
libraries; and have weak authentication systems with
default, unchangeable credentials. Additionally, the Trend
Micro FTR Team found tens of thousands of industrial
devices residing on public IP addresses, which could
include exposed industrial robots, further increasing the
risk that an attacker can access and hack them.
The impact of vulnerabilities, for example on robots, is
what makes our findings a very loud wake-up call for the
industrial control systems (ICS) sector. To quantify such
impact, our security analysis revealed that industrial
robots must follow three fundamental laws—accurately
“read” from the physical world through sensors and
“write” (i.e., perform actions) through motors and
tools, refuse to execute self-damaging control logic, and
most importantly, echo one of the “Laws of Robotics”
(devised by Isaac Asimov, a popular science writer) to
never harm humans. Then, by combining the set of
vulnerabilities that we discovered on a real, standard
robot installed in our laboratory, we demonstrated how
remote attackers can violate such fundamental laws up to
the point where they can alter or introduce minor defects
in the manufactured product, physically damage the robot,
steal industry secrets, or injure humans. We then
considered some threat scenarios on how attackers
capitalized on these attacks, as in an act of sabotage or a
ransomware-like scheme.
On the one hand, industrial devices are designed according
to strict physical security and safety standards in order
to work in rough conditions with extreme temperature
ranges, vibrations, and electromagnetic noise. On the
other, because of the ubiquity and flexibility demanded by
the Industry 4.0 trend, industrial devices are being
designed to be flexible, easy to deploy, and to not
necessarily require any special security or IT skills.
These opposing design requirements make producers very
prone to introducing software bugs.
Rather than concluding this paper with a classic checklist
for ICS vendors, we reflected on reasons why the situation
has not changed much over the years. Thus, we provided a
series of research and engineering challenges that we
believe will make a difference in the journey to secure the
Industry 4.0 ecosystem. On this journey toward improving
the security posture of robots in the Industry 4.0 setting,
we also began reaching out to vendors, among whom ABB
Robotics stood out in that it readily welcomed suggestions
we had to offer and even started working on a response plan
that will affect its current product line without losing
time.},
author = {Maggi, Federico and Quarta, Davide and Pogliani, Marcello
and Polino, Mario and Zanchettin, Andrea M. and Zanero,
Stefano},
date = {2017-05},
file = {files/papers/reports/maggi_robotswp_tr_2017.pdf},
institution = {Trend Micro, Inc.},
publisher = {TrendLabs},
series = {Research Papers},
shorttitle = {RobotsWP},
title = {Rogue Robots: Testing the Limits of an Industrial
Robot’s Security},
url = {https://documents.trendmicro.com/assets/wp/wp-industrial-robot-security.pdf}
}
An Experimental Security Analysis of an Industrial Robot Controller
Authors:
Davide Quarta, Marcello Pogliani, Mario Polino, Federico Maggi, Andrea Maria Zanchettin, Stefano Zanero
Proceedings of the 38th IEEE Symposium on Security and Privacy
Journal Article
@InProceedings{ quarta_robosec_2017,
abstract = {Industrial robots, automated manufacturing, and efficient
logistics processes are at the heart of the upcoming fourth
industrial revolution. While there are seminal studies on
the vulnerabilities of cyber-physical systems in the
industry, as of today there has been no systematic analysis
of the security of industrial robot controllers. We examine
the standard architecture of an industrial robot and
analyze a concrete deployment from a systems security
standpoint. Then, we propose an attacker model and confront
it with the minimal set of requirements that industrial
robots should honor: precision in sensing the environment,
correctness in execution of control logic, and safety for
human operators. Following an experimental and practical
approach, we then show how our modeled attacker can subvert
such requirements through the exploitation of software
vulnerabilities, leading to severe consequences that are
unique to the robotics domain. We conclude by discussing
safety standards and security challenges in industrial
robotics.},
author = {Quarta, Davide and Pogliani, Marcello and Polino, Mario
and Maggi, Federico and Zanchettin, Andrea Maria and
Zanero, Stefano},
booktitle = {Proceedings of the 38th IEEE Symposium on Security and
Privacy},
date = {2017-05},
doi = {10.1109/SP.2017.20},
file = {files/papers/conference-papers/quarta_robosec_2017.pdf},
location = {San Jose, CA},
publisher = {ACM},
series = {S\&P '17},
shorttitle = {RoboSec},
title = {An Experimental Security Analysis of an Industrial Robot
Controller}
}
On the Privacy and Security of the Ultrasound Ecosystem
Authors:
Vasilios Mavroudis, Shuang Hao, Yanick Fratantonio, Federico Maggi, Christopher Kruegel, Giovanni Vigna
Proceedings of the 17th Privacy Enhancing Technologies Symposium
Journal Article
@InProceedings{ mavroudis_ubeacsec_2017,
abstract = {Nowadays users often possess a variety of electronic
devices for communication and entertainment. In particular,
smartphones are playing an increasingly central role in
users’ lives: Users carry them everywhere they go and
often use them to control other devices. This trend
provides incentives for the industry to tackle new
challenges, such as cross-device authentication, and to
develop new monetization schemes. A new technology based on
ultrasounds has recently emerged to meet these demands.
Ultrasound technology has a number of desirable features:
it is easy to deploy, flexible, and inaudible by humans.
This technology is already utilized in a number of
different real-world applications, such as device pairing,
proximity detection, and cross-device tracking.
This paper examines the different facets of
ultrasound-based technology. Initially, we discuss how it
is already used in the real world, and subsequently examine
this emerging technology from the privacy and security
perspectives. In particular, we first observe that the lack
of OS features results in violations of the principle of
least privilege: an app that wants to use this technology
currently needs to require full access to the device
microphone. We then analyse real-world Android apps and
find that tracking techniques based on ultrasounds suffer
from a number of vulnerabilities and are susceptible to
various attacks. For example, we show that ultrasound
cross-device tracking deployments can be abused to perform
stealthy deanonymization attacks (e.g., to unmask users who
browse the Internet through anonymity networks such as
Tor), to inject fake or spoofed audio beacons, and to leak
a user’s private information.
Based on our findings, we introduce several defense
mechanisms. We first propose and implement immediately
deployable defenses that empower practitioners,
researchers, and everyday users to protect their privacy.
In particular, we introduce a browser extension and an
Android permission that enable the user to selectively
suppress frequencies falling within the ultrasonic
spectrum. We then argue for the standardization of
ultrasound beacons, and we envision a flexible OS-level API
that addresses both the effortless deployment of
ultrasound-enabled applications, and the prevention of
existing privacy and security problems.},
author = {Mavroudis, Vasilios and Hao, Shuang and Fratantonio,
Yanick and Maggi, Federico and Kruegel, Christopher and
Vigna, Giovanni},
booktitle = {Proceedings of the 17th Privacy Enhancing Technologies
Symposium},
date = {2017-04-04},
doi = {10.1515/popets-2017-0018},
file = {files/papers/conference-papers/mavroudis_ubeacsec_2017.pdf},
location = {Minneapolis, USA},
pages = {95--112},
publisher = {DE GRUYTER},
series = {PETS '17},
shorttitle = {uBeacSec},
title = {On the Privacy and Security of the Ultrasound Ecosystem}
}
ShieldFS: A Self-healing, Ransomware-aware Filesystem
Authors:
Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, Federico Maggi
Proceedings of the 32nd Annual Computer Security Applications Conference
Journal Article
@InProceedings{ continella_shieldfs_2016,
abstract = {Preventive and reactive security measures can only
partially mitigate the damage caused by modern ransomware
attacks. Indeed, the remarkable amount of illicit profit
and the cybercriminals’ increasing interest in ransomware
schemes suggest that a fair number of users are actually
paying the ransoms. Unfortunately, pure-detection
approaches (e.g., based on analysis sandboxes or pipelines)
are not sufficient nowadays, because often we do not have
the luxury of being able to isolate a sample to analyze,
and when this happens it is already too late for several
users! We believe that a forward-looking solution is to
equip modern operating systems with practical self-healing
capabilities against this serious threat. Towards such a
vision, we propose ShieldFS, an add-on driver that makes
the Windows native filesystem immune to ransomware attacks.
For each running process, ShieldFS dynamically toggles a
protection layer that acts as a copy-on-write mechanism,
according to the outcome of its detection component.
Internally, ShieldFS monitors the low-level filesystem
activity to update a set of adaptive models that profile
the system activity over time. Whenever one or more
processes violate these models, their operations are deemed
malicious and the side effects on the filesystem are
transparently rolled back.
We designed ShieldFS after an analysis of billions of
low-level, I/O filesystem requests generated by thousands
of benign applications, which we collected from clean
machines in use by real users for about one month. This is
the first measurement on the filesystem activity of a large
set of benign applications in real working conditions. We
evaluated ShieldFS in real-world working conditions on
real, personal machines, against samples from state of the
art ransomware families. ShieldFS was able to detect the
malicious activity at runtime and transparently recover all
the original files. Although the models can be tuned to fit
various filesystem usage profiles, our results show that
our initial tuning yields high accuracy even on unseen
samples and variants.},
author = {Continella, Andrea and Guagnelli, Alessandro and Zingaro,
Giovanni and De Pasquale, Giulio and Barenghi, Alessandro
and Zanero, Stefano and Maggi, Federico},
booktitle = {Proceedings of the 32nd Annual Computer Security
Applications Conference},
date = {2016-12},
doi = {10.1145/2991079.2991110},
file = {files/papers/conference-papers/continella_shieldfs_2016.pdf},
isbn = {978-1-4503-4771-6},
location = {Los Angeles, USA},
numpages = {12},
pages = {336--347},
publisher = {ACM},
series = {ACSAC '16},
shorttitle = {ShieldFS},
title = {ShieldFS: A Self-healing, Ransomware-aware Filesystem}
}
GreatEatlon: Fast, Static Detection of Mobile Ransomware
Authors:
Chenghyu Zheng, Nicola Della Rocca, Niccolò Andronio, Stefano Zanero, Federico Maggi
Journal Article
@InProceedings{ zheng_greateatlon_2016,
abstract = {Ransomware is a class of malware that aims at preventing
victims from accessing valuable data, typically via data
encryption or device locking, and asks for a payment to
release the target. In the past year, instances of
ransomware attacks have been spotted on mobile devices too.
However, despite their relatively low infection rate, we
notice that the techniques used by mobile ransomware are
quite sophisticated, and different from those used by
ransomware against traditional computers.
Through an in-depth analysis of about 100 samples of
currently active ransomware apps, we conclude that most of
them pass undetected by state-of-the-art tools, which are
unable to recognize the abuse of benign features for
malicious purposes. The main reason is that such tools rely
on an inadequate and incomplete set of features. The most
notable examples are the abuse of reflection and
device-administration APIs, appearing in modern ransomware
to evade analysis and detection, and to elevate their
privileges (e.g., to lock or wipe the device). Moreover,
current solutions introduce several false positives in the
naïve way they detect cryptographic-API abuse,
flagging goodware apps as ransomware merely because they
rely on cryptographic libraries. Last but not least, the
performance overhead of current approaches is unacceptable
for appstore-scale workloads.
In this work, we tackle the aforementioned limitations and
propose GreatEatlon, a next-generation mobile ransomware
detector. We foresee GreatEatlon deployed on the appstore
side, as a preventive countermeasure. At its core,
GreatEatlon uses static program-analysis techniques to
``resolve'' reflection-based, anti-analysis attempts, to
recognize abuses of the device administration API, and
extract accurate data-flow information required to detect
truly malicious uses of cryptographic APIs. Given the
significant resources utilized by GreatEatlon, we prepend
to its core a fast pre-filter that quickly discards obvious
goodware, in order to avoid wasting computer cycles.
We tested GreatEatlon on thousands of samples of goodware,
generic malware and ransomware applications, and showed
that it surpasses current approaches both in speed and
detection capabilities, while keeping the false negative
rate below 1.3\%. },
author = {Zheng, Chenghyu and Della Rocca, Nicola and Andronio,
Niccolò and Zanero, Stefano and Maggi, Federico},
date = {2016-10-10},
doi = {10.1007/978-3-319-59608-2_34},
file = {files/papers/conference-papers/zheng_greateatlon_2016.pdf},
isbn = {978-3-319-59608-2},
location = {Guangzhou, People's Republic of China},
pages = {617--636},
shorttitle = {GreatEatlon},
title = {GreatEatlon: Fast, Static Detection of Mobile Ransomware}
}
On-Chip System Call Tracing: A Feasibility Study and Open Prototype
Authors:
Chenghyu Zheng, Mila Dalla Preda, Jorge Granjal, Stefano Zanero, Federico Maggi
IEEE Conference on Communications and Network Security (CNS)
Journal Article
@InProceedings{ zheng_openst_2016,
abstract = {Several tools for program tracing and introspection exist.
These tools can be used to analyze potentially malicious or
untrusted programs. In this setting, it is important to
prevent the target program from determining whether it is
being traced or not. This is typically achieved by
minimizing the code of the introspection routines and any
artifact or side-effect that the program can leverage.
Indeed, the most recent approaches consist of lightly
instrumented operating systems or thin hypervisors running
directly on bare metal.
Following this research trend, we investigate the
feasibility of transparently tracing a Linux/ARM program
without modifying the software stack, while keeping the
analysis cost and flexibility compatible with state of the
art emulation- or bare-metal-based approaches. As for the
typical program tracing task, our goal is to reconstruct
the stream of system call invocations along with the
respective un-marshalled arguments.
We propose to leverage the availability of on-chip
debugging interfaces of modern ARM systems, which are
accessible via JTAG. More precisely, we developed OpenST,
an open-source prototype tracer that allowed us to analyze
the performance overhead and to assess the transparency
with respect to evasive, real-world malicious programs.
OpenST has two tracing modes: In-kernel dynamic tracing and
external tracing. The in-kernel dynamic tracing mode uses
the JTAG interface to ``hot-patch'' the system calls at
runtime, injecting introspection code. This mode is more
transparent than emulator-based approaches, but assumes
that the traced program does not have access to the kernel
memory where the introspection code is loaded. The external
tracing mode removes this assumption by using the JTAG
interface to manage hardware breakpoints.
Our tests show that OpenST's greater transparency comes at
the price of a steep performance penalty. However, with a
cost model, we show that OpenST scales better than the
state of the art, bare-metal-based approach, while
remaining equally stealthy to evasive malware.},
author = {Zheng, Chenghyu and Dalla Preda, Mila and Granjal, Jorge
and Zanero, Stefano and Maggi, Federico},
booktitle = {IEEE Conference on Communications and Network Security
(CNS)},
date = {2016-10},
doi = {10.1109/CNS.2016.7860472},
file = {files/papers/conference-papers/zheng_openst_2016.pdf},
location = {Philadelphia, US},
pages = {73--81},
shorttitle = {OpenST},
title = {On-Chip System Call Tracing: A Feasibility Study and Open
Prototype}
}
Testing android malware detectors against code obfuscation: a systematization of knowledge and unified methodology
Authors:
Mila Dalla Preda, Federico Maggi
Journal of Computer Virology and Hacking Techniques
Conference Paper
@Article{ dalla-preda_aamo_article_2016,
abstract = {The authors of mobile-malware have started to leverage
program protection techniques to circumvent anti-viruses,
or simply hinder reverse engineering. In response to the
diffusion of anti-virus applications, several studies
have proposed a plethora of analyses and approaches to
highlight their limitations when malware authors employ
program-protection techniques. An important contribution of
this work is a systematization of the state of the art of
anti-virus apps, comparing the existing approaches and
providing a detailed analysis of their pros and cons. As a
result of our systematization, we notice the lack of
openness and reproducibility that, in our opinion, are
crucial for any analysis methodology. Following this
observation, the second contribution of this work is an
open, reproducible, rigorous methodology to assess the
effectiveness of mobile anti-virus tools against
code-transformation attacks. Our unified workflow, released
in the form of an open-source prototype, comprises a
comprehensive set of obfuscation operators. It is intended
to be used by anti-virus developers and vendors to test the
resilience of their products against a large dataset of
malware samples and obfuscations, and to obtain insights on
how to improve their products with respect to particular
classes of code-transformation attacks.},
author = {Dalla Preda, Mila and Maggi, Federico},
date = {2016-09-20},
doi = {10.1007/s11416-016-0282-2},
file = {files/papers/journal-papers/dalla-preda_aamo_article_2016.pdf},
issn = {2263-8733},
journal = {Journal of Computer Virology and Hacking Techniques},
pages = {1--24},
shorttitle = {AAMO},
title = {Testing android malware detectors against code
obfuscation: a systematization of knowledge and unified
methodology},
url = {http://dx.doi.org/10.1007/s11416-016-0282-2}
}
Trellis: Privilege Separation for Multi-User Applications Made Easy
Authors:
Andrea Mambretti, Kaan Onarlioglu, Collin Mulliner, William Robertson, Engin Kirda, Federico Maggi, Stefano Zanero
International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
Journal Article
@InProceedings{ mambretti_trellis_2016,
abstract = {Operating systems provide a wide variety of resource
isolation and access control mechanisms, ranging from
traditional user-based security models to fine-grained
permission systems as found in modern mobile operating
systems. However, comparatively little assistance is
available for defining and enforcing access control
policies within multiuser applications. These applications,
often found in enterprise environments, allow multiple
users to operate at different privilege levels in terms of
exercising application functionality and accessing data.
Developers of such applications bear a heavy burden in
ensuring that security policies over code and data in this
setting are properly expressed and enforced. We present
Trellis, an approach for expressing hierarchical access
control policies in applications and enforcing these
policies during execution. The approach enhances the
development toolchain to allow programmers to partially
annotate code and data with simple privilege level tags,
and uses a static analysis to infer suitable tags for the
entire application. At runtime, policies are extracted from
the resulting binaries and are enforced by a modified
operating system kernel. Our evaluation demonstrates that
this approach effectively supports the development of
secure multi-user applications with modest runtime
performance overhead.},
author = {Mambretti, Andrea and Onarlioglu, Kaan and Mulliner,
Collin and Robertson, William and Kirda, Engin and Maggi,
Federico and Zanero, Stefano},
booktitle = {International Symposium on Research in Attacks, Intrusions
and Defenses (RAID)},
date = {2016-09},
doi = {10.1007/978-3-319-45719-2_20},
file = {files/papers/conference-papers/mambretti_trellis_2016.pdf},
location = {Paris, France},
pages = {437--456},
shorttitle = {Trellis},
title = {Trellis: Privilege Separation for Multi-User Applications
Made Easy}
}
DroydSeuss: A Mobile Banking Trojan Tracker - Short Paper
Authors:
Alberto Coletta, Victor Van der Veen, Federico Maggi
Financial Cryptography and Data Security
Journal Article
@InProceedings{ coletta_droydseuss_2016,
abstract = {After analyzing several Android mobile banking trojans, we
observed the presence of repetitive artifacts that describe
valuable information about the distribution of this class
of malicious apps. Motivated by the high threat level posed
by mobile banking trojans and by the lack of publicly
available analysis and intelligence tools, we automated the
extraction of such artifacts and created a malware tracker
named DroydSeuss. DroydSeuss first processes applications
both statically and dynamically, extracting relevant
strings that contain traces of communication endpoints.
Second, it prioritizes the extracted strings based on the
APIs that manipulate them. Finally, DroydSeuss correlates
the endpoints with descriptive metadata from the samples,
providing aggregated statistics, raw data, and cross-sample
information that allow researchers to pinpoint relevant
groups of applications. We connected DroydSeuss to the
VirusTotal daily feed, consuming Android samples that
perform banking-trojan activity. We manually analyzed its
output and found supporting evidence to confirm its
correctness. Remarkably, the most frequent itemset unveiled
a campaign currently spreading against Chinese and Korean
bank customers.
Although motivated by mobile banking trojans, DroydSeuss
can be used to analyze the communication behavior of any
suspicious application.},
author = {Coletta, Alberto and Van der Veen, Victor and Maggi,
Federico},
booktitle = {Financial Cryptography and Data Security},
date = {2016-02},
file = {files/papers/conference-papers/coletta_droydseuss_2016.pdf},
publisher = {Springer Berlin Heidelberg},
series = {Lecture Notes in Computer Science (LNCS)},
shorttitle = {DroydSeuss},
title = {DroydSeuss: A Mobile Banking Trojan Tracker - Short
Paper}
}
Grab 'n Run: Secure and Practical Dynamic Code Loading for Android Applications
Authors:
Luca Falsina, Yanick Fratantonio, Stefano Zanero, Christopher Kruegel, Giovanni Vigna, Federico Maggi
Proceedings of the 31st Annual Computer Security Applications Conference
Journal Article
@InProceedings{ falsina_grabnrun_2015,
abstract = {Android introduced the dynamic code loading (DCL)
mechanism to allow for code reuse, to achieve
extensibility, to enable updating functionalities or to
boost application start-up performance. In spite of its
wide adoption by developers, implementing DCL in a secure
way is challenging, leading to serious vulnerabilities such
as remote code injection. Previous academic and community
attempts at solving this problem are unfortunately either
impractical or incomplete, or in some cases exhibit
vulnerabilities. In this paper, we propose, design,
implement and test Grab 'n Run, a novel code verification
protocol and a series of supporting libraries, APIs, and
components, that address the problem by abstracting away
from the developer challenging implementation details. Grab
'n Run is designed to be practical: among its tools, it
provides a drop-in library, which requires no modifications
to the Android framework or the underlying Dalvik/ART
runtime, is very similar to the native API, and most code
can be automatically rewritten to use it. Grab 'n Run also
contains an application rewriting tool, which allows easy
porting of existing applications to use the secure API of
its library. We evaluate Grab 'n Run library with a user
study, obtaining impressive results in vulnerability
reduction, ease of use and speed of development. We also
show that the performance overhead introduced by our
library is negligible. The library is released as free
software.},
author = {Falsina, Luca and Fratantonio, Yanick and Zanero, Stefano
and Kruegel, Christopher and Vigna, Giovanni and Maggi,
Federico},
booktitle = {Proceedings of the 31st Annual Computer Security
Applications Conference},
date = {2015-12},
doi = {10.1145/2818000.2818042},
file = {files/papers/conference-papers/falsina_grabnrun_2015.pdf},
isbn = {978-1-4503-3682-6},
location = {Los Angeles, USA},
numpages = {10},
pages = {201--210},
publisher = {ACM},
series = {ACSAC '15},
shorttitle = {GrabNRun},
title = {Grab 'n Run: Secure and Practical Dynamic Code Loading for
Android Applications}
}
Scalable Testing of Mobile Antivirus Applications
Authors:
Andrea Valdi, Eros Lever, Simone Benefico, Davide Quarta, Stefano Zanero, Federico Maggi
Computer
Conference Paper
@Article{ valdi_andrototal_article_2015,
abstract = {AndroTotal, a scalable antivirus evaluation system for
mobile devices, creates reproducible, self-contained
testing environments for each antivirus application and
malware pair and stores them in a repository, benefiting
both the research community and Android device users.},
author = {Valdi, Andrea and Lever, Eros and Benefico, Simone and
Quarta, Davide and Zanero, Stefano and Maggi, Federico},
date = {2015-11},
doi = {10.1109/MC.2015.320},
file = {files/papers/journal-papers/valdi_andrototal_article_2015.pdf},
issn = {0018-9162},
journaltitle = {Computer},
number = {11},
pages = {60--68},
shorttitle = {AndroTotal},
title = {Scalable Testing of Mobile Antivirus Applications},
volume = {48}
}
HelDroid: Dissecting and Detecting Mobile Ransomware
Authors:
Niccolò Andronio, Stefano Zanero, Federico Maggi
International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
Journal Article
@InProceedings{ andronio_heldroid_2015,
abstract = {In ransomware attacks, the actual target is the human, as
opposed to the classic attacks that abuse the infected
devices (e.g., botnet renting, information stealing).
Mobile devices are by no means immune to ransomware
attacks. However, there is little research work on this
matter and only traditional protections are available. Even
state-of-the-art mobile malware detection approaches are
ineffective against ransomware apps because of the subtle
attack scheme. As a consequence, the ample attack surface
formed by the billion mobile devices is left unprotected.
First, in this work we summarize the results of our
analysis of the existing mobile ransomware families,
describing their common characteristics. Second, we present
HelDroid, a fast, efficient and fully automated approach
that recognizes known and unknown scareware and ransomware
samples from goodware. Our approach is based on detecting
the ``building blocks'' that are typically needed to
implement a mobile ransomware application. Specifically,
HelDroid detects, in a generic way, if an app is attempting
to lock or encrypt the device without the user’s consent,
and if ransom requests are displayed on the screen. Our
technique works without requiring that a sample of a
certain family is available beforehand. We implemented
HelDroid and tested it on real-world Android ransomware
samples. On a large dataset comprising hundreds of
thousands of APKs including goodware, malware, scareware,
and ransomware, HelDroid exhibited nearly zero false
positives and the capability of recognizing unknown
ransomware samples. },
author = {Andronio, Niccolò and Zanero, Stefano and Maggi,
Federico},
booktitle = {International Symposium on Research in Attacks, Intrusions
and Defenses (RAID)},
date = {2015-10},
doi = {10.1007/978-3-319-26362-5_18},
file = {files/papers/conference-papers/andronio_heldroid_2015.pdf},
location = {Kyoto, Japan},
pages = {382--404},
series = {Lecture Notes in Computer Science},
shorttitle = {HelDroid},
title = {HelDroid: Dissecting and Detecting Mobile Ransomware},
volume = {9404}
}
Face/Off: Preventing Privacy Leakage From Photos in Social Networks
Authors:
Panagiotis Ilia, Iasonas Polakis, Elias Athanasopoulos, Federico Maggi, Sotiris Ioannidis
Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications …
Journal Article
@InProceedings{ ilia_faceoff_2015,
abstract = {The capabilities of modern devices, coupled with the
almost ubiquitous availability of Internet connectivity,
have resulted in photos being shared online at an
unprecedented scale. This is further amplified by the
popularity of social networks and the immediacy they offer
in content sharing. Existing access control mechanisms are
too coarse-grained to handle cases of conflicting interests
between the users associated with a photo; stories of
embarrassing or inappropriate photos being widely
accessible have become quite common. In this paper, we
propose to rethink access control when applied to photos,
in a way that allows us to effectively prevent unwanted
individuals from recognizing users in a photo. The core
concept behind our approach is to change the granularity of
access control from the level of the photo to that of a
user's personally identifiable information (PII). In this
work, we consider the face as the PII. When another user
attempts to access a photo, the system determines which
faces the user does not have the permission to view, and
presents the photo with the restricted faces blurred out.
Our system takes advantage of the existing face recognition
functionality of social networks, and can interoperate with
the current photo-level access control mechanisms. We
implement a proof-of-concept application for Facebook, and
demonstrate that the performance overhead of our approach
is minimal. We also conduct a user study to evaluate the
privacy offered by our approach, and find that it
effectively prevents users from identifying their contacts
in 87.35% of the restricted photos. Finally, our study
reveals the misconceptions about the privacy offered by
existing mechanisms, and demonstrates that users are
positive towards the adoption of an intuitive,
straightforward access control mechanism that allows them
to manage the visibility of their face in published
photos.},
author = {Ilia, Panagiotis and Polakis, Iasonas and Athanasopoulos,
Elias and Maggi, Federico and Ioannidis, Sotiris},
booktitle = {Proceedings of the 22nd ACM SIGSAC Conference on Computer
and Communications Security},
date = {2015-10},
doi = {10.1145/2810103.2813603},
file = {files/papers/conference-papers/ilia_faceoff_2015.pdf},
isbn = {978-1-4503-3832-5},
location = {New York, NY, USA},
pages = {781--792},
publisher = {ACM},
series = {CCS '15},
shorttitle = {FaceOff},
title = {Face/Off: Preventing Privacy Leakage From Photos in Social
Networks},
url = {http://doi.acm.org/10.1145/2810103.2813603}
}
Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries
Authors:
Mario Polino, Andrea Scorti, Federico Maggi, Stefano Zanero
Detection of Intrusions and Malware, and Vulnerability Assessment
Journal Article
@InProceedings{ polino_jackdaw_2015,
abstract = {When analyzing an untrusted binary, reverse engineers
usually rely on ad-hoc collections of interesting dynamic
patterns known as behaviors in the malware-analysis
community and static patterns known as signatures in the
antivirus community. Such patterns are often part of the
skill set of the analyst, sometimes implemented in
manually-created post-processing scripts. It would be
desirable to be able to automatically find such behaviors,
present them to analysts, and create a systematic catalog
of matching rules and relevant implementations. We propose
Jackdaw, a system that finds interesting dynamic patterns,
and ranks them to unveil potentially interesting behaviors.
Then, it annotates them with static information, capturing
the distinct implementations of each across different
malware families. Finally, Jackdaw associates semantic
information to the behaviors, so as to create a descriptive
summary that helps the analysts in querying the catalog of
behaviors by type. To do this, it leverages the dynamic
information and an indexed Web-based knowledge databases.
We implement and demonstrate Jackdaw on the Win32 API (even
if the technique can be generalized to any OS). On a
dataset of 2,136 distinct binaries, including both
malicious and benign libraries and executables, we compared
the behaviors extracted automatically against a ground
truth of 44 behaviors created manually by expert analysts.
Jackdaw found 77.3% of them and was able to exclude
spurious behaviors in 99.6% cases. We also discovered 466
novel behaviors, among which manual exploration and review
by expert reverse engineers revealed interesting findings
and confirmed the correctness of the semantic tagging.},
author = {Polino, Mario and Scorti, Andrea and Maggi, Federico and
Zanero, Stefano},
booktitle = {Detection of Intrusions and Malware, and Vulnerability
Assessment},
date = {2015-07-09},
doi = {10.1007/978-3-319-20550-2_7},
editor = {Almgren, Magnus and Gulisano, Vincenzo and Maggi,
Federico},
file = {files/papers/conference-papers/polino_jackdaw_2015.pdf},
isbn = {978-3-319-20549-6 978-3-319-20550-2},
pages = {121--143},
publisher = {Springer International Publishing},
series = {Lecture Notes in Computer Science},
shorttitle = {Jackdaw},
title = {Jackdaw: Towards Automatic Reverse Engineering of Large
Datasets of Binaries},
url = {http://link.springer.com/chapter/10.1007/978-3-319-20550-2_7}
}
BankSealer: A decision support system for online banking fraud analysis and investigation
Authors:
Michele Carminati, Roberto Caron, Federico Maggi, Ilenia Epifani, Stefano Zanero
Computers & Security
Conference Paper
@Article{ carminati_banksealer_article_2015,
abstract = {The significant growth of online banking frauds, fueled by
the underground economy of malware, raised the need for
effective fraud analysis systems. Unfortunately, almost all
of the existing approaches adopt black box models and
mechanisms that do not give any justifications to analysts.
Also, the development of such methods is stifled by limited
Internet banking data availability for the scientific
community. In this paper we describe BankSealer, a decision
support system for online banking fraud analysis and
investigation. During a training phase, BankSealer builds
easy-to-understand models for each customer's spending
habits, based on past transactions. First, it quantifies
the anomaly of each transaction with respect to the
customer historical profile. Second, it finds global
clusters of customers with similar spending habits. Third,
it uses a temporal threshold system that measures the
anomaly of the current spending pattern of each customer,
with respect to his or her past spending behavior. With
this threefold profiling approach, it mitigates the
under-training due to the lack of historical data for
building well-trained profiles, and the evolution of users'
spending habits over time. At runtime, BankSealer supports
analysts by ranking new transactions that deviate from the
learned profiles, with an output that has an easily
understandable, immediate statistical meaning.
Our evaluation on real data, based on fraud scenarios built
in collaboration with domain experts that replicate
typical, real-world attacks (e.g., credential stealing,
banking trojan activity, and frauds repeated over time),
shows that our approach correctly ranks complex frauds. In
particular, we measure the effectiveness, the computational
resource requirements and the capabilities of BankSealer to
mitigate the problem of users that performed a low number
of transactions. Our system ranks frauds and anomalies with
up to 98% detection rate and with a maximum daily
computation time of 4~min. Given the good results, a
leading Italian bank deployed a version of BankSealer in
their environment to analyze frauds.},
author = {Carminati, Michele and Caron, Roberto and Maggi, Federico
and Epifani, Ilenia and Zanero, Stefano},
date = {2015-04},
doi = {10.1016/j.cose.2015.04.002},
file = {files/papers/journal-papers/carminati_banksealer_article_2015.pdf},
issn = {0167-4048},
journaltitle = {Computers \& Security},
shortjournal = {Computers \& Security},
shorttitle = {BankSealer},
title = {BankSealer: A decision support system for online banking
fraud analysis and investigation},
url = {http://www.sciencedirect.com/science/article/pii/S0167404815000437}
}
European Cyber-Security Research and Innovation
Authors:
Federico Maggi, Stefano Zanero, Evangelos Markatos
Technical Report
@TechReport{ maggi_eusyssec_tr_2015,
abstract = {Looking back at the evolution of cyber criminal
activities, from the nineties to the present day, we
observe interesting trends coming together in what may seem
a perfectly orchestrated scene. In parallel with the
`security by design', we recall the importance of reactive
security in a field of ever-changing arms races.},
author = {Maggi, Federico and Zanero, Stefano and Markatos,
Evangelos},
date = {2015-01},
file = {files/papers/reports/maggi_eusyssec_tr_2015.pdf},
number = {43},
pages = {43},
series = {ERCIM News},
shorttitle = {EUSysSec},
title = {European Cyber-Security Research and Innovation},
url = {http://ercim-news.ercim.eu/en100/r-i/european-cyber-security-research-and-innovation}
}
Faces in the Distorting Mirror: Revisiting Photo-based Social Authentication
Authors:
Iasonas Polakis, Panagiotis Ilia, Federico Maggi, Marco Lancini, Georgios Kontaxis, Stefano Zanero, Sotiris Ioannidis, Angelos D. Keromytis
Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications …
Journal Article
@InProceedings{ polakis_resoauth_2014,
abstract = {In an effort to hinder attackers from compromising user
accounts, Facebook launched a form of two-factor
authentication called social authentication (SA), where
users are required to identify photos of their friends to
complete a log-in attempt. Recent research, however,
demonstrated that attackers can bypass the mechanism by
employing face recognition software. Here we demonstrate an
alternative attack that employs image comparison
techniques to identify the SA photos within an offline
collection of the users' photos. In this paper, we revisit
the concept of SA and design a system with a novel photo
selection and transformation process, which generates
challenges that are robust against these attacks. The
intuition behind our photo selection is to use photos that
fail software-based face recognition, while remaining
recognizable to humans who are familiar with the depicted
people. The photo transformation process creates
challenges in the form of photo collages, where faces are
transformed so as to render image matching techniques
ineffective. We experimentally confirm the robustness of
our approach against three template matching algorithms
that solve 0.4 percent of the challenges, while requiring
four orders of magnitude more processing effort.
Furthermore, when the transformations are applied, face
detection software fails to detect even a single face. Our
user studies confirm that users are able to identify their
friends in over 99% of the photos with faces unrecognizable
by software, and can solve over 94 percent of the
challenges with transformed photos.},
author = {Polakis, Iasonas and Ilia, Panagiotis and Maggi, Federico
and Lancini, Marco and Kontaxis, Georgios and Zanero,
Stefano and Ioannidis, Sotiris and Keromytis, Angelos D.},
booktitle = {Proceedings of the 2014 ACM SIGSAC Conference on Computer
and Communications Security},
date = {2014-11},
doi = {10.1145/2660267.2660317},
file = {files/papers/conference-papers/polakis_resoauth_2014.pdf},
isbn = {978-1-4503-2957-6},
location = {New York, NY, USA},
pages = {501--512},
publisher = {ACM},
series = {CCS '14},
shorttitle = {ReSoAuth},
title = {Faces in the Distorting Mirror: Revisiting Photo-based
Social Authentication},
url = {http://doi.acm.org/10.1145/2660267.2660317}
}
XSS Peeker: A Systematic Analysis of Cross-site Scripting Vulnerability Scanners
Authors:
Enrico Bazzoli, Claudio Criscione, Federico Maggi, Stefano Zanero
arXiv
Technical Report
@TechReport{ bazzoli_xsspeeker_tr_2014,
abstract = {Since the first publication of the "OWASP Top 10" (2004),
cross-site scripting (XSS) vulnerabilities have always been
among the top 5 web application security bugs. Black-box
vulnerability scanners are widely used in the industry to
reproduce (XSS) attacks automatically. In spite of the
technical sophistication and advancement, previous work
showed that black-box scanners miss a non-negligible
portion of vulnerabilities, and report non-existing,
non-exploitable or uninteresting vulnerabilities.
Unfortunately, these results hold true even for XSS
vulnerabilities, which are relatively simple to trigger if
compared, for instance, to logic flaws. Black-box scanners
have not been studied in depth on this vertical: knowing
precisely how scanners try to detect XSS can provide useful
insights to understand their limitations, to design better
detection methods. In this paper, we present and discuss
the results of a detailed and systematic study on 6
black-box web scanners (both proprietary and open source)
that we conducted in coordination with the respective
vendors. To this end, we developed an automated tool to (1)
extract the payloads used by each scanner, (2) distill the
"templates" that have originated each payload, (3) evaluate
them according to quality indicators, and (4) perform a
cross-scanner analysis. Unlike previous work, our testbed
application, which contains a large set of XSS
vulnerabilities, including DOM XSS, was gradually
retrofitted to accommodate the payloads that triggered
no vulnerabilities. Our analysis reveals a highly
fragmented scenario. Scanners exhibit a wide variety of
distinct payloads, a non-uniform approach to fuzzing and
mutating the payloads, and a very diverse detection
effectiveness.},
author = {Bazzoli, Enrico and Criscione, Claudio and Maggi, Federico
and Zanero, Stefano},
date = {2014-10-15},
file = {files/papers/reports/bazzoli_xsspeeker_tr_2014.pdf},
institution = {arXiv},
shorttitle = {XSSPeeker},
title = {XSS Peeker: A Systematic Analysis of Cross-site Scripting
Vulnerability Scanners},
url = {http://arxiv.org/abs/1410.4207}
}
Security and Privacy Measurements on Social Networks: Experiences and Lessons Learned
Authors:
Iasonas Polakis, Federico Maggi, Stefano Zanero, Angelos D. Keromytis
2014 Third International Workshop on Building Analysis Datasets and Gathering …
Journal Article
@InProceedings{ polakis_osnresearch_2014,
abstract = {We describe our experience gained while exploring
practical security and privacy problems in a real-world,
large-scale social network (i.e., Facebook), and summarize
our conclusions in a series of "lessons learned". We first
conclude that it is better to adequately describe the
potential ethical concerns from the very beginning and plan
ahead the institutional review board (IRB) request. Even
though sometimes optional, the IRB approval is a valuable
point from the reviewer's perspective. Another aspect that
needs planning is getting in touch with the online social
network security team, which takes a substantial amount of
time. With their support, "bending the rules" (e.g., using
scrapers) when the experimental goals require so, is
easier. Clearly, in cases where critical technical
vulnerabilities are found during the research, the general
recommendations for responsible disclosure should be
followed. Gaining the audience's engagement and trust was
essential to the success of our user study. Participants
felt more comfortable when subscribing to our experiments,
and also responsibly reported bugs and glitches. We did not
observe the same behavior in crowd-sourcing workers, who
were instead more interested in obtaining their rewards. On
a related point, our experience suggests that crowd
sourcing should not be used alone: Setting up tasks is more
time consuming than it seems, and researchers must insert
some sentinel checks to ensure that workers are not
submitting random answers. From a logistics point of view,
we learned that having at least a high-level plan of the
experiments pays back, especially when the IRB requires a
detailed description of the work and the data to be
collected. However, over-planning can be dangerous because
the measurement goals can change dynamically. From a
technical point of view, partially connected to the
logistics remarks, having a complex and large
data-gathering and analysis framework may be
counterproductive in terms of set-up and management
overhead. From our experience we suggest to choose simple
technologies that scale up if needed but, more importantly,
can scale down. For example, launching a quick query should
be straightforward, and the frameworks should not impose
too much overhead for formulating it. We conclude with a
series of practical recommendations on how to successfully
collect data from online social networks (e.g., using
techniques for network multipresence, mimicking user
behavior, and other crawling "tricks") and avoid abusing
the online service, while gathering the data required by
the experiments.},
author = {Polakis, Iasonas and Maggi, Federico and Zanero, Stefano
and Keromytis, Angelos D.},
booktitle = {2014 Third International Workshop on Building Analysis
Datasets and Gathering Experience Returns for Security
(BADGERS)},
date = {2014-09},
doi = {10.1109/BADGERS.2014.9},
file = {files/papers/workshop-papers/polakis_osnresearch_2014.pdf},
keywords = {workshop},
location = {Wroclaw, Poland},
pages = {18--29},
shorttitle = {OSNResearch},
title = {Security and Privacy Measurements on Social Networks:
Experiences and Lessons Learned}
}
A Practical Attack Against a KNX-based Building Automation System
Authors:
Alessio Antonini, Federico Maggi, Stefano Zanero
Proceedings of the 2nd International Symposium on ICS & SCADA Cyber Security …
Journal Article
@InProceedings{ antonini_knxmalware_2014,
abstract = {Building automation systems rely heavily on
general-purpose computers and communication protocols,
which are often affected by security vulnerabilities. In
this paper, we first analyze the attack surface of a real
building automation system---based on the widely used KNX
protocol---connected to a general-purpose IP network. To this
end, we analyze the vulnerabilities of KNX-based networks
highlighted by previous research work, which, however, did
not corroborate their findings with experimental results.
To verify the practical exploitability of these
vulnerabilities and their potential impact, we implement a
full-fledged testbed infrastructure that reproduces the
typical deployment of a building automation system. On this
testbed, we show the feasibility of a practical attack that
leverages and combines the aforementioned vulnerabilities.
We show the ease of reverse engineering the vendor-specific
components of the KNX protocol. Our attack leverages the
IP-to-KNX connectivity to send arbitrary commands which are
executed by the actuators. We conclude that the
vulnerabilities highlighted by previous work are
effectively exploitable in practice, with severe results.
Although we use KNX as a target, our work can be
generalized to other communication protocols, often
characterized by similar issues. Finally, we analyze the
countermeasures proposed in previous literature and reveal
the limitations that prevent their adoption in practice. We
suggest a practical stopgap measure to protect real
KNX-based BASs from our attack.},
author = {Antonini, Alessio and Maggi, Federico and Zanero,
Stefano},
booktitle = {Proceedings of the 2nd International Symposium on ICS \&
SCADA Cyber Security Research 2014},
date = {2014-09},
doi = {10.14236/ewic/ics-csr2014.7},
file = {files/papers/conference-papers/antonini_knxmalware_2014.pdf},
isbn = {978-1-78017-286-6},
location = {UK},
pages = {53--60},
publisher = {BCS},
series = {ICS-CSR 2014},
shorttitle = {KNXMalware},
title = {A Practical Attack Against a KNX-based Building Automation
System},
url = {http://dx.doi.org/10.14236/ewic/ics-csr2014.7}
}
Zarathustra: Extracting WebInject Signatures from Banking Trojans
Authors:
Claudio Criscione, Fabio Bosatelli, Stefano Zanero, Federico Maggi
Proceedings of the Twelfth Annual International Conference on Privacy, Security …
Journal Article
@InProceedings{ criscione_zarathustra_2014,
abstract = {Modern trojans are equipped with a functionality, called
WebInject, that can be used to silently modify a web page
on the infected end host. Given its flexibility,
WebInject-based malware is becoming a popular
information-stealing mechanism. In addition, the structured
and well-organized malware-as-a-service model makes revenue
out of customization kits, which in turns leads to high
volumes of binary variants. Analysis approaches based on
memory carving to extract the decrypted webinject.txt and
config.bin files at runtime make the strong assumption that
the malware will never change the way such files are
handled internally, and therefore are not future proof by
design. In addition, developers of sensitive web
applications (e.g., online banking) have no tools that they
can possibly use to even mitigate the effect of
WebInjects.},
author = {Criscione, Claudio and Bosatelli, Fabio and Zanero,
Stefano and Maggi, Federico},
booktitle = {Proceedings of the Twelfth Annual International Conference
on Privacy, Security and Trust (PST)},
date = {2014-07},
doi = {10.1109/PST.2014.6890933},
file = {files/papers/conference-papers/criscione_zarathustra_2014.pdf},
isbn = {978-1-4799-3502-4},
location = {Toronto, Canada},
pages = {139--148},
publisher = {IEEE Computer Society},
shorttitle = {Zarathustra},
title = {Zarathustra: Extracting WebInject Signatures from Banking
Trojans}
}
Phoenix: DGA-Based Botnet Tracking and Intelligence
Authors:
Stefano Schiavoni, Federico Maggi, Lorenzo Cavallaro, Stefano Zanero
Proceedings of the International Conference on Detection of Intrusions and …
Journal Article
@InProceedings{ schiavoni_phoenix_2014,
abstract = {Modern botnets rely on domain-generation algorithms (DGAs)
to build resilient command-and-control infrastructures.
Given the prevalence of this mechanism, recent work has
focused on the analysis of DNS traffic to recognize botnets
based on their DGAs. While previous work has concentrated
on detection, we focus on supporting intelligence
operations. We propose Phoenix, a mechanism that, in
addition to telling DGA- and non-DGA-generated domains
apart using a combination of string and IP-based features,
characterizes the DGAs behind them, and, most importantly,
finds groups of DGA-generated domains that are
representative of the respective botnets. As a result,
Phoenix can associate previously unknown DGA-generated
domains to these groups, and produce novel knowledge about
the evolving behavior of each tracked botnet. We evaluated
Phoenix on 1,153,516 domains, including DGA-generated
domains from modern, well-known botnets: without
supervision, it correctly distinguished DGA- vs.
non-DGA-generated domains in 94.8 percent of the cases,
characterized families of domains that belonged to distinct
DGAs, and helped researchers ``on the field'' in gathering
intelligence on suspicious domains to identify the correct
botnet.},
author = {Schiavoni, Stefano and Maggi, Federico and Cavallaro,
Lorenzo and Zanero, Stefano},
booktitle = {Proceedings of the International Conference on Detection
of Intrusions and Malware, and Vulnerability Assessment
(DIMVA)},
date = {2014-07},
doi = {10.1007/978-3-319-08509-8_11},
editor = {Dietrich, Sven},
file = {files/papers/conference-papers/schiavoni_phoenix_2014.pdf},
isbn = {978-3-319-08508-1 978-3-319-08509-8},
pages = {192--211},
publisher = {Springer International Publishing},
series = {Lecture Notes in Computer Science},
shorttitle = {Phoenix},
title = {Phoenix: DGA-Based Botnet Tracking and Intelligence},
url = {http://link.springer.com/chapter/10.1007/978-3-319-08509-8_11}
}
AndRadar: Fast Discovery of Android Applications in Alternative Markets
Authors:
Martina Lindorfer, Stamatis Volanis, Alessandro Sisto, Matthias Neugschwandtner, Elias Athanasopoulos, Federico Maggi, Christian Platzer, Stefano Zanero, Sotiris Ioannidis
Detection of Intrusions and Malware, and Vulnerability Assessment
Journal Article
@InProceedings{ lindorfer_andradar_2014,
abstract = {Compared to traditional desktop software, Android
applications are delivered through software repositories,
commonly known as application markets. Other mobile
platforms, such as Apple iOS and BlackBerry OS also use the
marketplace model, but what is unique to Android is the
existence of a plethora of alternative application markets.
This complicates the task of detecting and tracking Android
malware. Identifying a malicious application in one
particular market is simply not enough, as many instances
of this application may exist in other markets. To quantify
this phenomenon, we exhaustively crawled 8 markets between
June and November 2013. Our findings indicate that
alternative markets host a large number of ad-aggressive
apps, a non-negligible amount of malware, and some markets
even allow authors to publish known malicious apps without
prompt action. Motivated by these findings, we present
AndRadar, a framework for discovering multiple instances of
a malicious Android application in a set of alternative
application markets. AndRadar scans a set of markets in
parallel to discover similar applications. Each lookup
takes no more than a few seconds, regardless of the size of
the marketplace. Moreover, it is modular, and new markets
can be transparently added once the search and download
URLs are known. Using AndRadar we are able to achieve three
goals. First, we can discover malicious applications in
alternative markets, second, we can expose app distribution
strategies used by malware developers, and third, we can
monitor how different markets react to new malware. During
a three-month evaluation period, AndRadar tracked over
20,000 apps and recorded more than 1,500 app deletions in
16 markets. Nearly 8% of those deletions were related to
apps that were hopping from market to market. The most
established markets were able to react and delete new
malware within tens of days from the malicious app
publication date while other markets did not react at
all.},
author = {Lindorfer, Martina and Volanis, Stamatis and Sisto,
Alessandro and Neugschwandtner, Matthias and
Athanasopoulos, Elias and Maggi, Federico and Platzer,
Christian and Zanero, Stefano and Ioannidis, Sotiris},
booktitle = {Detection of Intrusions and Malware, and Vulnerability
Assessment},
date = {2014-07},
doi = {10.1007/978-3-319-08509-8_4},
editor = {Dietrich, Sven},
file = {files/papers/conference-papers/lindorfer_andradar_2014.pdf},
isbn = {978-3-319-08508-1 978-3-319-08509-8},
pages = {51--71},
publisher = {Springer International Publishing},
series = {Lecture Notes in Computer Science},
shorttitle = {AndRadar},
title = {AndRadar: Fast Discovery of Android Applications in
Alternative Markets},
url = {http://link.springer.com/chapter/10.1007/978-3-319-08509-8_4}
}
BankSealer: An Online Banking Fraud Analysis and Decision Support System
Authors:
Michele Carminati, Roberto Caron, Federico Maggi, Ilenia Epifani, Stefano Zanero
ICT Systems Security and Privacy Protection
Journal Article
@InProceedings{ carminati_banksealer_2014,
abstract = {We propose a semi-supervised online banking fraud analysis
and decision support approach. During a training phase, it
builds a profile for each customer based on past
transactions. At runtime, it supports the analyst by
ranking unforeseen transactions that deviate from the
learned profiles. It uses methods whose output has an
immediate statistical meaning, providing the analyst with
an easy-to-understand model of each customer's spending
habits. First, we quantify the anomaly of each transaction
with respect to the customer historical profile. Second, we
find global clusters of customers with similar spending
habits. Third, we use a temporal threshold system that
measures the anomaly of the current spending pattern of
each customer, with respect to his or her past spending
behavior. As a result, we mitigate both the undertraining due to
the lack of historical data for building well-trained
profiles (of fresh users), and the drift of users that change their
(spending) habits over time. Our evaluation on real-world
data shows that our approach correctly ranks complex frauds
as ``top priority''.},
author = {Carminati, Michele and Caron, Roberto and Maggi, Federico
and Epifani, Ilenia and Zanero, Stefano},
booktitle = {ICT Systems Security and Privacy Protection},
date = {2014-06-02},
doi = {10.1007/978-3-642-55415-5_32},
editor = {Cuppens-Boulahia, Nora and Cuppens, Frédéric and
Jajodia, Sushil and Kalam, Anas Abou El and Sans, Thierry},
file = {files/papers/conference-papers/carminati_banksealer_2014.pdf},
isbn = {978-3-642-55414-8, 978-3-642-55415-5},
pages = {380--394},
publisher = {Springer Berlin Heidelberg},
series = {IFIP Advances in Information and Communication
Technology},
shorttitle = {BankSealer},
title = {BankSealer: An Online Banking Fraud Analysis and Decision
Support System},
url = {http://link.springer.com/chapter/10.1007/978-3-642-55415-5_32}
}
Stranger Danger: Exploring the Ecosystem of Ad-based URL Shortening Services
Authors:
Nick Nikiforakis, Federico Maggi, Gianluca Stringhini, M. Zubair Rafique, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna, Stefano Zanero
Proceedings of the 23rd International Conference on World Wide Web
Conference Paper
@InProceedings{ nikiforakis_strangerdanger_2014,
abstract = {URL shortening services facilitate the exchange of
long URLs within limited space, by creating compact URL
aliases that redirect users to the original URLs when
followed. Some of these services show advertisements (ads)
to link-clicking users and pay a commission of their
advertising earnings to link-shortening users. In this
paper, we investigate the ecosystem of these increasingly
popular ad-based URL shortening services. Even though
traditional URL shortening services have been thoroughly
investigated in previous research, we argue that, due to
the monetary incentives and the presence of third-party
advertising networks, ad-based URL shortening services and
their users are exposed to more hazards than traditional
shortening services. By analyzing the services themselves,
the advertisers involved, and their users, we uncover a
series of issues that are actively exploited by malicious
advertisers and endanger the users. Moreover, next to
documenting the ongoing abuse, we suggest a series of
defense mechanisms that services and users can adopt to
protect themselves.},
author = {Nikiforakis, Nick and Maggi, Federico and Stringhini,
Gianluca and Rafique, M. Zubair and Joosen, Wouter and
Kruegel, Christopher and Piessens, Frank and Vigna,
Giovanni and Zanero, Stefano},
booktitle = {Proceedings of the 23rd International Conference on World
Wide Web},
date = {2014-04},
doi = {10.1145/2566486.2567983},
file = {files/papers/conference-papers/nikiforakis_strangerdanger_2014.pdf},
isbn = {978-1-4503-2744-2},
location = {Seoul, Korea},
pages = {51--62},
publisher = {International World Wide Web Conferences Steering
Committee},
series = {WWW '14},
shorttitle = {StrangerDanger},
title = {Stranger Danger: Exploring the Ecosystem of Ad-based URL
Shortening Services},
url = {http://dx.doi.org/10.1145/2566486.2567983}
}
BitIodine: Extracting Intelligence from the Bitcoin Network
Authors:
Michele Spagnuolo, Federico Maggi, Stefano Zanero
Financial Cryptography and Data Security
Conference Paper
@InProceedings{ spagnuolo_bitiodine_2014,
abstract = {Bitcoin, the famous peer-to-peer, decentralized electronic
currency system, allows users to benefit from pseudonymity,
by generating an arbitrary number of aliases (or addresses)
to move funds. However, the complete history of all
transactions ever performed, called ``blockchain'', is public
and replicated on each node. The data it contains is
difficult to analyze manually, but can yield a large amount
of relevant information.
In this paper we present a modular framework, BitIodine,
which parses the blockchain, clusters addresses that are
likely to belong to the same user or group of users,
classifies such users and labels them, and finally
visualizes complex information extracted from the Bitcoin
network.
BitIodine labels users (semi-)automatically with
information on their identity and actions which is
automatically scraped from openly available information
sources. BitIodine also supports manual investigation by
finding paths and reverse paths between addresses or users.
We tested BitIodine on several real-world use cases: we
identified an address likely to belong to the encrypted
Silk Road cold wallet, and investigated the CryptoLocker
ransomware, accurately quantifying the number of ransoms
paid, as well as information about the victims.
We release an early prototype of BitIodine as a library for
building more complex Bitcoin forensic analysis tools.},
author = {Spagnuolo, Michele and Maggi, Federico and Zanero,
Stefano},
booktitle = {Financial Cryptography and Data Security},
date = {2014-03-03},
doi = {10.1007/978-3-662-45472-5_29},
file = {files/papers/conference-papers/spagnuolo_bitiodine_2014.pdf},
isbn = {978-3-662-45471-8},
location = {Barbados},
pages = {457--468},
publisher = {Springer Berlin Heidelberg},
series = {Lecture Notes in Computer Science},
shorttitle = {BitIodine},
title = {BitIodine: Extracting Intelligence from the Bitcoin
Network}
}
PuppetDroid: A User-Centric UI Exerciser for Automatic Dynamic Analysis of Similar Android Applications
Authors:
Andrea Gianazza, Federico Maggi, Aristide Fattori, Lorenzo Cavallaro, Stefano Zanero
arXiv
Technical Report
@TechReport{ gianazza_puppetdroid_tr_2014,
abstract = {Popularity and complexity of malicious mobile applications
are rising, making their analysis difficult and labor
intensive. Mobile application analysis is indeed inherently
different from desktop application analysis: for mobile
apps, the interaction of the user (i.e., victim) is crucial for
the malware to correctly expose all its malicious
behaviors. We propose a novel approach to analyze
(malicious) mobile applications. The goal is to exercise
the user interface (UI) of an Android application to
effectively trigger malicious behaviors, automatically. Our
key intuition is to record and reproduce the UI
interactions of a potential victim of the malware, so as to
stimulate the relevant behaviors during dynamic analysis.
To make our approach scale, we automatically re-execute the
recorded UI interactions on apps that are similar to the
original ones. These characteristics make our system
orthogonal and complementary to current dynamic analysis
and UI-exercising approaches. We developed our approach and
experimentally showed that our stimulation reaches a
higher code coverage than automatic UI exercisers, thus
unveiling interesting malicious behaviors that are not exposed
when using other approaches. Our approach is also suitable
for crowdsourcing scenarios, which would push further the
collection of new stimulation traces. This can potentially
change the way we conduct dynamic analysis of (mobile)
applications, from fully automatic only, to user-centric
and collaborative too.},
author = {Gianazza, Andrea and Maggi, Federico and Fattori, Aristide
and Cavallaro, Lorenzo and Zanero, Stefano},
date = {2014-02-19},
file = {files/papers/reports/gianazza_puppetdroid_tr_2014.pdf},
institution = {arXiv},
shorttitle = {PuppetDroid},
title = {PuppetDroid: A User-Centric UI Exerciser for Automatic
Dynamic Analysis of Similar Android Applications},
url = {http://arxiv.org/abs/1402.4826}
}
A Comprehensive Black-box Methodology for Testing the Forensic Characteristics of Solid-state Drives
Authors:
Gabriele Bonetti, Marco Viglione, Alessandro Frossi, Federico Maggi, Stefano Zanero
Proceedings of the 29th Annual Computer Security Applications Conference
Conference Paper
@InProceedings{ bonetti_ssdforensics_2013,
abstract = {Solid-state drives (SSDs) are inherently different from
traditional drives, as they incorporate data-optimization
mechanisms to overcome their limitations (such as a limited
number of program-erase cycles, or the need of blanking a
block before writing). The most common optimizations are
wear leveling, trimming, compression, and garbage
collection, which operate transparently to the host OS and,
in certain cases, even when the disks are disconnected from
a computer (but still powered up). In simple words, SSD
controllers are designed to hide these internals
completely, rendering them inaccessible if not through
direct acquisition of the memory cells. These optimizations
have a significant impact on the forensic analysis of SSDs.
The main cause is that memory cells could be pre-emptively
blanked, whereas a traditional drive sector would need to
be explicitly rewritten to physically wipe off the data.
Unfortunately, the existing literature on this subject is
sparse and the conclusions are seemingly contradictory. In
this paper we propose a generic, practical, test-driven
methodology that guides researchers and forensics analysts
through a series of steps that assess the ``forensic
friendliness'' of an SSD. Given a drive of the same brand and
model of the one under analysis, our methodology produces a
decision that helps an analyst to determine whether or not
an expensive direct acquisition of the memory cells is
worth the effort, because the extreme optimizations may
have rendered the data unreadable or useless. We apply our
methodology to three SSDs produced by top vendors (Samsung,
Corsair, and Crucial), and provide a detailed description
of how each step should be conducted.},
author = {Bonetti, Gabriele and Viglione, Marco and Frossi,
Alessandro and Maggi, Federico and Zanero, Stefano},
booktitle = {Proceedings of the 29th Annual Computer Security
Applications Conference},
date = {2013-12},
doi = {10.1145/2523649.2523660},
file = {files/papers/conference-papers/bonetti_ssdforensics_2013.pdf},
isbn = {978-1-4503-2015-3},
location = {New York, NY, USA},
pages = {269--278},
publisher = {ACM},
series = {ACSAC '13},
shorttitle = {SSDForensics},
title = {A Comprehensive Black-box Methodology for Testing the
Forensic Characteristics of Solid-state Drives},
url = {http://doi.acm.org/10.1145/2523649.2523660}
}
Tracking and Characterizing Botnets Using Automatically Generated Domains
Authors:
Stefano Schiavoni, Federico Maggi, Lorenzo Cavallaro, Stefano Zanero
arXiv
Technical Report
@TechReport{ schiavoni_phoenix_tr_2013,
abstract = {Modern botnets rely on domain-generation algorithms (DGAs)
to build resilient command-and-control infrastructures.
Recent works focus on recognizing automatically generated
domains (AGDs) from DNS traffic, which potentially allows
one to identify previously unknown AGDs to hinder or disrupt
botnets' communication capabilities. The state-of-the-art
approaches require deploying low-level DNS sensors to
access data whose collection poses practical and privacy
issues, making their adoption problematic. We propose a
mechanism that overcomes the above limitations by analyzing
DNS traffic data through a combination of linguistic and
IP-based features of suspicious domains. In this way, we
are able to identify AGD names, characterize their DGAs and
isolate logical groups of domains that represent the
respective botnets. Moreover, our system enriches these
groups with new, previously unknown AGD names, and produces
novel knowledge about the evolving behavior of each tracked
botnet. We used our system in real-world settings, to help
researchers that requested intelligence on suspicious
domains and were able to label them as belonging to the
correct botnet automatically. Additionally, we ran an
evaluation on 1,153,516 domains, including AGDs from both
modern (e.g., Bamital) and traditional (e.g., Conficker,
Torpig) botnets. Our approach correctly isolated families
of AGDs that belonged to distinct DGAs, and told
automatically generated domains apart from non-automatically
generated ones in 94.8 percent of the cases.},
author = {Schiavoni, Stefano and Maggi, Federico and Cavallaro,
Lorenzo and Zanero, Stefano},
date = {2013-11-21},
file = {files/papers/reports/schiavoni_phoenix_tr_2013.pdf},
institution = {arXiv},
shorttitle = {Phoenix},
title = {Tracking and Characterizing Botnets Using Automatically
Generated Domains},
url = {http://arxiv.org/abs/1311.5612}
}
AndroTotal: A Flexible, Scalable Toolbox and Service for Testing Mobile Malware Detectors
Authors:
Federico Maggi, Andrea Valdi, Stefano Zanero
Proceedings of the Third ACM Workshop on Security and Privacy in Smartphones & …
Workshop Paper
@InProceedings{ maggi_andrototal_2013,
abstract = {Although there are controversial opinions regarding how
large the mobile malware phenomenon is in terms of absolute
numbers, hype aside, the amount of new Android malware
variants is increasing. This trend is mainly due to the
fact that, as it happened with traditional malware, the
authors are striving to repackage, obfuscate, or otherwise
transform the executable code of their malicious apps in
order to evade mobile security apps. There are about 85 of
these apps on the official marketplace alone. However, it is
not clear how effective they are. Indeed, the sandboxing
mechanism of Android does not allow (security) apps to
audit other apps. We present AndroTotal, a publicly
available tool, malware repository and research framework
that aims at mitigating the above challenges, and allows
researchers to automatically scan Android apps against an
arbitrary set of malware detectors. We implemented
AndroTotal and released it to the research community in
April 2013. So far, we collected 18,758 distinct submitted
samples and received the attention of several research
groups (1,000 distinct accounts), who integrated their
malware-analysis services with ours.},
author = {Maggi, Federico and Valdi, Andrea and Zanero, Stefano},
booktitle = {Proceedings of the Third ACM Workshop on Security and
Privacy in Smartphones \& Mobile Devices},
date = {2013-10},
doi = {10.1145/2516760.2516768},
file = {files/papers/workshop-papers/maggi_andrototal_2013.pdf},
isbn = {978-1-4503-2491-5},
keywords = {workshop},
location = {New York, NY, USA},
pages = {49--54},
publisher = {ACM},
series = {SPSM '13},
shorttitle = {AndroTotal},
title = {AndroTotal: A Flexible, Scalable Toolbox and Service for
Testing Mobile Malware Detectors},
url = {http://doi.acm.org/10.1145/2516760.2516768}
}
Adaptive and Flexible Smartphone Power Modeling
Authors:
Alessandro Nacci, Francesco Trovò, Federico Maggi, Matteo Ferroni, Andrea Cazzola, Donatella Sciuto, Marco Santambrogio
Mobile Networks and Applications
Journal Article
@Article{ nacci_mpower_article_2013,
abstract = {Mobile devices have become the main interaction means
between users and the surrounding environment. An indirect
measure of this trend is the increasing amount of security
threats against mobile devices, which in turn created a
demand for protection tools. Protection tools,
unfortunately, add an additional burden for the
smartphone's battery power, which is a precious resource.
This observation motivates the need for smarter (security)
applications, designed and capable of running within
adaptive energy goals. Although this problem affects other
areas, in the security area this research direction is
referred to as ``green security''. In general, a fundamental
requirement for research toward creating energy-aware
applications is having appropriate power models
that capture the full dynamics of devices and users. This is
not an easy task because of the highly dynamic environment
and usage habits. In practice, this goal requires easy
mechanisms to measure the power consumption and approaches
to create accurate models. The existing approaches that
tackle this problem are either not accurate or not
applicable in practice due to their limiting requirements.
We propose MPower, a power-sensing platform and adaptive
power modeling platform for Android mobile devices. The
MPower approach creates an adequate and precise knowledge
base of the power ``behavior'' of several different devices
and users, which allows us to create better device-centric
power models that consider the main hardware components
and how they contribute to the overall power consumption.
In this paper we consolidate our perspective work on MPower
by providing the implementation details and evaluation on
278 users and about 22.5 million power-related data points. Also,
we explain how MPower is useful in those scenarios where
low-power, unobtrusive, accurate power modeling is
necessary (e.g., green security applications).},
author = {Nacci, Alessandro and Trovò, Francesco and Maggi,
Federico and Ferroni, Matteo and Cazzola, Andrea and
Sciuto, Donatella and Santambrogio, Marco},
date = {2013-10-01},
doi = {10.1007/s11036-013-0470-y},
file = {files/papers/journal-papers/nacci_mpower_article_2013.pdf},
issn = {1383-469X},
journaltitle = {Mobile Networks and Applications},
pages = {1--10},
shorttitle = {MPower},
title = {Adaptive and Flexible Smartphone Power Modeling}
}
A Security Layer for Smartphone-to-Vehicle Communication over Bluetooth
Authors:
Andrea Dardanelli, Federico Maggi, Mara Tanelli, Stefano Zanero, Sergio M Savaresi, Roman Kochanek, Thorsten Holz
Embedded Systems Letters
Journal Article
@Article{ dardanelli_cartox_article_2013,
abstract = {Modern vehicles are increasingly being interconnected with
computer systems, which collect information both from
vehicular sources and Internet services. Unfortunately,
this creates a non-negligible attack surface, which extends
when vehicles are partly operated via smartphones. In this
letter, a hierarchically distributed control system
architecture which integrates a smartphone with classical
embedded systems is presented, and an ad-hoc, end-to-end
security layer is designed to demonstrate how a smartphone
can interact securely with a modern vehicle without
requiring modifications to the existing in-vehicle network.
Experimental results demonstrate the effectiveness of the
approach.},
author = {Dardanelli, Andrea and Maggi, Federico and Tanelli, Mara
and Zanero, Stefano and Savaresi, Sergio M. and Kochanek,
Roman and Holz, Thorsten},
date = {2013-06-21},
doi = {10.1109/LES.2013.2264594},
file = {files/papers/journal-papers/dardanelli_cartox_article_2013.pdf},
issn = {1943-0663},
journaltitle = {Embedded Systems Letters},
number = {3},
pages = {34--37},
shorttitle = {CarToX},
title = {A Security Layer for Smartphone-to-Vehicle Communication
over Bluetooth},
volume = {5}
}
Two years of short URLs internet measurement: security threats and countermeasures
Authors:
Federico Maggi, Alessandro Frossi, Stefano Zanero, Gianluca Stringhini, Brett Stone-Gross, Christopher Kruegel, Giovanni Vigna
Proceedings of the 22nd international conference on World Wide Web (WWW)
Conference Paper
@InProceedings{ maggi_longshore_2013,
abstract = {URL shortening services have become extremely popular.
However, it is still unclear whether they are an effective
and reliable tool that can be leveraged to hide malicious
URLs, and to what extent these abuses can impact the end
users. With these questions in mind, we first analyzed
existing countermeasures adopted by popular shortening
services. Surprisingly, we found such countermeasures to be
ineffective and trivial to bypass. This first measurement
motivated us to proceed further with a large-scale
collection of the HTTP interactions that originate when web
users access live pages that contain short URLs. To this
end, we monitored 622 distinct URL shortening services
between March 2010 and April 2012, and collected 24,953,881
distinct short URLs. With this large dataset, we studied
the abuse of short URLs. Although short URLs are a
significant, new security risk, in accordance with the
reports resulting from the observation of the overall
phishing and spamming activity, we found that only a
relatively small fraction of users ever encountered
malicious short URLs. Interestingly, during the second year
of measurement, we noticed an increased percentage of short
URLs being abused for drive-by download campaigns and a
decreased percentage of short URLs being abused for spam
campaigns. In addition to these security-related findings,
our unique monitoring infrastructure and large dataset
allowed us to complement previous research on short URLs
and analyze these web services from the user's
perspective.},
author = {Maggi, Federico and Frossi, Alessandro and Zanero, Stefano
and Stringhini, Gianluca and Stone-Gross, Brett and
Kruegel, Christopher and Vigna, Giovanni},
booktitle = {Proceedings of the 22nd international conference on World
Wide Web (WWW)},
date = {2013-05},
file = {files/papers/conference-papers/maggi_longshore_2013.pdf},
isbn = {978-1-4503-2035-1},
location = {Republic and Canton of Geneva, Switzerland},
pages = {861--872},
publisher = {International World Wide Web Conferences Steering
Committee},
shorttitle = {LongShore},
title = {Two years of short URLs internet measurement: security
threats and countermeasures}
}
Lines of Malicious Code: Insights Into the Malicious Software Industry
Authors:
Martina Lindorfer, Alessandro Di Federico, Federico Maggi, Paolo Milani Comparetti, Stefano Zanero
Proceedings of the Annual Computer Security Applications Conference (ACSAC)
Conference Paper
@InProceedings{ lindorfer_beagle_2012,
abstract = {Malicious software installed on infected computers is a
fundamental component of online crime. Malware development
thus plays an essential role in the underground economy of
cyber-crime. Malware authors regularly update their
software to defeat defenses or to support new or improved
criminal business models. A large body of research has
focused on detecting malware, defending against it and
identifying its functionality. In addition to these goals,
however, the analysis of malware can provide a glimpse into
the software development industry that develops malicious
code. In this work, we present techniques to observe the
evolution of a malware family over time. First, we develop
techniques to compare versions of malicious code and
quantify their differences. Furthermore, we use behavior
observed from dynamic analysis to assign semantics to
binary code and to identify functional components within a
malware binary. By combining these techniques, we are able
to monitor the evolution of a malware's functional
components. We implement these techniques in a system we
call BEAGLE, and apply it to the observation of 16 malware
strains over several months. The results of these
experiments provide insight into the effort involved in
updating malware code, and show that BEAGLE can identify
changes to individual malware components.},
author = {Lindorfer, Martina and Di Federico, Alessandro and Maggi,
Federico and Milani Comparetti, Paolo and Zanero, Stefano},
booktitle = {Proceedings of the Annual Computer Security Applications
Conference (ACSAC)},
date = {2012-12-03},
doi = {10.1145/2420950.2421001},
file = {files/papers/conference-papers/lindorfer_beagle_2012.pdf},
isbn = {978-1-4503-1312-4},
location = {New York, NY, USA},
pages = {349--358},
publisher = {ACM},
shorttitle = {Beagle},
title = {Lines of Malicious Code: Insights Into the Malicious
Software Industry}
}
All Your Face Are Belong to Us: Breaking Facebook's Social Authentication
Authors:
Jason Polakis, Marco Lancini, Georgios Kontaxis, Federico Maggi, Sotiris Ioannidis, Angelos Keromytis, Stefano Zanero
Proceedings of the Annual Computer Security Applications Conference (ACSAC)
Conference Paper
@InProceedings{ polakis_soauth_2012,
abstract = {Two-factor authentication is widely used by high-value
services to prevent adversaries from compromising accounts
using stolen credentials. Facebook has recently released a
two-factor authentication mechanism, referred to as Social
Authentication, which requires users to identify some of
their friends in randomly selected photos. A recent study
has provided a formal analysis of social authentication
weaknesses against attackers inside the victim's social
circles. In this paper, we extend the threat model and
study the attack surface of social authentication in
practice, and show how any attacker can obtain the
information needed to solve the challenges presented by
Facebook. We implement a proof-of-concept system that
utilizes widely available face recognition software and
cloud services, and evaluate it using real public data
collected from Facebook. Under the assumptions of
Facebook's threat model, our results show that an attacker
can obtain access to (sensitive) information for at least
42% of a user's friends that Facebook uses to generate
social authentication challenges. By relying solely on
publicly accessible information, a casual attacker can
solve 22% of the social authentication tests in an
automated fashion, and gain a significant advantage for an
additional 56% of the tests, as opposed to just guessing.
Additionally, we simulate the scenario of a determined
attacker placing himself inside the victim's social circle
by employing dummy accounts. In this case, the accuracy of
our attack greatly increases and reaches 100% when 120
faces per friend are accessible by the attacker, even
though it is very accurate with as little as 10 faces.},
author = {Polakis, Jason and Lancini, Marco and Kontaxis, Georgios
and Maggi, Federico and Ioannidis, Sotiris and Keromytis,
Angelos and Zanero, Stefano},
booktitle = {Proceedings of the Annual Computer Security Applications
Conference (ACSAC)},
date = {2012-12-03},
doi = {10.1145/2420950.2421008},
file = {files/papers/conference-papers/polakis_soauth_2012.pdf},
isbn = {978-1-4503-1312-4},
location = {New York, NY, USA},
pages = {399--408},
publisher = {ACM},
shorttitle = {SoAuth},
title = {All Your Face Are Belong to Us: Breaking Facebook's Social
Authentication}
}
Secure Integration of Mobile Devices for Automotive Services
Authors:
Roman Kochanek, Andrea Dardanelli, Federico Maggi, Stefano Zanero, Mara Tanelli, Sergio Savaresi, Thorsten Holz
Politecnico di Milano
Technical Report
@TechReport{ kochanek_cartox_tr_2012,
abstract = {Modern vehicles, and in particular electric vehicles, are
increasingly being equipped with interconnected computer
systems, which collect information through vehicular
sources and remote, Internet-connected services.
Unfortunately, this creates a non-negligible attack
surface, which extends even more when vehicles are
integrated with smartphones to offer advanced services. In
fact, embedded systems on vehicles have been developed to
address safety, not security requirements. Furthermore,
vehicles have real-time constraints, and the typical
embedded architectures used on board significantly
complicate security designs. In this paper, we introduce a
communication framework that addresses these challenges and
we demonstrate how a smartphone can interact with a vehicle
in a secure and safe manner. To this end, we design a
security session layer that ensures end-to-end security
transparently. We conduct an experimental evaluation on a
real implementation of our security layer, which shows that
our solution is practical and easy to use, satisfies
performance constraints, and meets real-time requirements
by taking into account the limited capabilities of our
target architecture. More precisely, we implement our
approach for an electrically-powered two-wheeler
manufactured by Piaggio, and show how a smartphone can
interact via a wireless link with the battery-life
controller in a secure manner. Interestingly, our approach
is not limited to vehicles, but can be used in other
application domains where a smartphone needs to securely
interact with an embedded device.},
author = {Kochanek, Roman and Dardanelli, Andrea and Maggi, Federico
and Zanero, Stefano and Tanelli, Mara and Savaresi, Sergio
and Holz, Thorsten},
date = {2012-06-01},
file = {files/papers/reports/kochanek_cartox_tr_2012.pdf},
institution = {Politecnico di Milano},
number = {2012-09},
shorttitle = {CarToX},
title = {Secure Integration of Mobile Devices for Automotive
Services}
}
Integrated Detection of Anomalous Behavior of Computer Infrastructures
Authors:
Federico Maggi, Stefano Zanero
Proceedings of the IEEE/IFIP Network Operations and Management Symposium (NOMS)
Conference Paper
@InProceedings{ maggi_phdthesispaper_2012,
abstract = {Our research concentrates on anomaly detection techniques,
which have both industrial applications such as network
monitoring and protection, as well as research applications
such as software behavioral analysis or malware
classification. During our doctoral research, we worked on
anomaly detection from three different perspectives, as a
complex computer infrastructure has several weak spots that
must be protected. We first focused on the operating
system, central to any computer, to prevent malicious code from
subverting its normal activity. Secondly, we concentrated on
web applications, which are the main interface to modern
computing: Because of their immense popularity, they have
indeed become the most targeted entry point of intrusions.
Last, we developed novel techniques with the aim of
identifying related events (e.g., alerts reported by
intrusion detection systems) to build new and more compact
knowledge to detect malicious activity on large-scale
systems. During our research we enhanced existing anomaly
detection tools and also contributed with new ones. Such
tools have been tested over different datasets, both
synthetic data and real network traffic, and led to
interesting results that were accepted for publication at
main security venues.},
author = {Maggi, Federico and Zanero, Stefano},
booktitle = {Proceedings of the IEEE/IFIP Network Operations and
Management Symposium (NOMS)},
date = {2012-04-16},
doi = {10.1109/NOMS.2012.6212001},
file = {files/papers/conference-papers/maggi_phdthesispaper_2012.pdf},
isbn = {978-1-4673-0269-2},
pages = {866--871},
publisher = {IEEE},
shorttitle = {PhDThesisPaper},
title = {Integrated Detection of Anomalous Behavior of Computer
Infrastructures}
}
Finding Non-trivial Malware Naming Inconsistencies
Authors:
Federico Maggi, Andrea Bellini, Guido Salvaneschi, Stefano Zanero
Proceedings of the 7th International Conference on Information Systems Security …
Conference Paper
@InProceedings{ maggi_avlabelling_2011,
abstract = {Malware analysts, and in particular antivirus vendors,
never agreed on a single naming convention for malware
specimens. This leads to confusion and difficulty, more for
researchers than for practitioners---for example, when
comparing coverage of different antivirus engines, when
integrating and systematizing known threats, or comparing
the classifications given by different detectors. Clearly,
solving naming inconsistencies is a very difficult task, as
it requires that vendors agree on a unified naming
convention. More importantly, solving inconsistencies is
impossible without knowing exactly where they are.
Therefore, in this paper we take a step back and
concentrate on the problem of finding inconsistencies. To
this end, we first represent each vendor's naming
convention with a graph-based model. Second, we give a
precise definition of inconsistency with respect to these
models. Third, we define two quantitative measures to
calculate the overall degree of inconsistency between
vendors. In addition, we propose a fast algorithm that
finds non-trivial (i.e., beyond syntactic differences)
inconsistencies. Our experiments on four major antivirus
vendors and 98,798 real-world malware samples confirm
anecdotal observations that different vendors name viruses
differently. More importantly, we were able to find
inconsistencies that cannot be inferred at all by looking
solely at the syntax.},
author = {Maggi, Federico and Bellini, Andrea and Salvaneschi, Guido
and Zanero, Stefano},
booktitle = {Proceedings of the 7th International Conference on
Information Systems Security (ICISS)},
date = {2011-12-15},
doi = {10.1007/978-3-642-25560-1_10},
file = {files/papers/conference-papers/maggi_avlabelling_2011.pdf},
pages = {144--159},
publisher = {Springer-Verlag},
series = {Lecture Notes in Computer Science},
shorttitle = {AVLabelling},
title = {Finding Non-trivial Malware Naming Inconsistencies},
volume = {7093}
}
A Fast Eavesdropping Attack Against Touchscreens
Authors:
Federico Maggi, Alberto Volpatto, Simone Gasparini, Giacomo Boracchi, Stefano Zanero
Proceedings of the 7th International Conference on Information Assurance and …
@InProceedings{ maggi_iclearshot_2011,
abstract = {The pervasiveness of mobile devices increases the risk of
exposing sensitive information on the go. In this paper, we
raise this concern by presenting an automatic attack
against modern touchscreen keyboards. We demonstrate the
attack against the Apple iPhone, 2010's most popular
touchscreen device, although it can be adapted to other
devices (e.g., Android) that employ similar key-magnifying
keyboards. Our attack processes the stream of frames from a
video camera (e.g., surveillance or portable camera) and
recognizes keystrokes online, in a fraction of the time
needed to perform the same task by direct observation or
offline analysis of a recorded video, which can be
unfeasible for large amounts of data. Our attack detects,
tracks, and rectifies the target touchscreen, thus
following the device's or camera's movements and eliminating
possible perspective distortions and rotations. In
real-world settings, our attack can automatically recognize
up to 97.07 percent of the keystrokes (91.03 on average),
with 1.15 percent of errors (3.16 on average) at a speed
ranging from 37 to 51 keystrokes per minute.},
author = {Maggi, Federico and Volpatto, Alberto and Gasparini,
Simone and Boracchi, Giacomo and Zanero, Stefano},
booktitle = {Proceedings of the 7th International Conference on
Information Assurance and Security (IAS)},
date = {2011-12-05},
doi = {10.1109/ISIAS.2011.6122840},
file = {files/papers/conference-papers/maggi_iclearshot_2011.pdf},
isbn = {978-1-4577-2154-0},
pages = {320--325},
shorttitle = {iClearshot},
title = {A Fast Eavesdropping Attack Against Touchscreens}
}
POSTER: Fast, Automatic iPhone Shoulder Surfing
Authors:
Federico Maggi, Alberto Volpatto, Simone Gasparini, Giacomo Boracchi, Stefano Zanero
Proceedings of the 18th Conference on Computer and Communication Security (CCS)
@InProceedings{ maggi_iclearshotposter_2011,
abstract = {Touchscreen devices increase the risk of shoulder surfing
to such an extent that attackers could steal sensitive
information by simply following the victim and observing his
or her portable device. We underline this concern by
proposing an automatic shoulder surfing attack against
modern touchscreen keyboards that display magnified keys in
predictable positions. We demonstrate this attack against
the Apple iPhone although it can work with other layouts
and different devices and show that it recognizes up to
97.07% (91.03% on average) of the keystrokes, with only
1.15% of errors, at 37 to 51 keystrokes per minute: About
eight times faster than a human analyzing a recorded video.
Our attack accurately recovers the sequence of keystrokes
input by the user. A previous attack, which targeted
desktop scenarios and thus worked with very restrictive
settings, is similar in spirit to ours. However, as it
assumes that camera and target keyboard are both in fixed,
perpendicular positions, it cannot suit mobile settings,
characterized by a moving target and skewed, rotated
viewpoints. Our attack, instead, requires no particular
settings and even allows for natural movements of both
target device and shoulder surfer's camera. In addition,
our attack yields accurate output without any grammar or
syntax checks, so that it can detect large context-free
text or non-dictionary words.},
author = {Maggi, Federico and Volpatto, Alberto and Gasparini,
Simone and Boracchi, Giacomo and Zanero, Stefano},
booktitle = {Proceedings of the 18th Conference on Computer and
Communication Security (CCS)},
date = {2011-10-01},
doi = {10.1145/2093476.2093498},
file = {files/papers/conference-papers/maggi_iclearshotposter_2011.pdf},
publisher = {ACM},
shorttitle = {iClearshotPoster},
title = {POSTER: Fast, Automatic iPhone Shoulder Surfing}
}
System Security research at Politecnico di Milano
Authors:
Federico Maggi, Stefano Zanero
Proceedings of the 1st SysSec Workshop (SysSec)
@InProceedings{ maggi_syssecpolimi_2011,
abstract = {This paper summarizes the past, present and future lines
of research in the systems security area pursued by the
Performance Evaluation Lab of Politecnico di Milano. We
describe our past research in the area of learning
algorithms applied to intrusion detection, our current work
in the area of malware analysis, and our future research
outlook, oriented to the cloud, to mobile device security,
and to cyber-physical systems.},
author = {Maggi, Federico and Zanero, Stefano},
booktitle = {Proceedings of the 1st SysSec Workshop (SysSec)},
date = {2011-07-06},
doi = {10.1109/SysSec.2011.30},
file = {files/papers/workshop-papers/maggi_syssecpolimi_2011.pdf},
keywords = {workshop},
publisher = {IEEE Computer Society},
shorttitle = {SysSecPOLIMI},
title = {System Security research at Politecnico di Milano}
}
BURN: Baring Unknown Rogue Networks
Authors:
Francesco Roveta, Luca Di Mario, Federico Maggi, Giorgio Caviglia, Stefano Zanero, Paolo Ciuccarelli
Proceedings of the 8th International Symposium on Visualization for Cyber …
@InProceedings{ roveta_burn_2011,
abstract = {Manual analysis of security-related events is still a
necessity to investigate non-trivial cyber attacks. This
task is particularly hard when the events involve slow,
stealthy and large-scale activities typical of the modern
cybercriminals' strategy. In this regard, visualization
tools can effectively help analysts in their
investigations. In this paper, we present BURN, an
interactive visualization tool for displaying autonomous
systems exhibiting rogue activity, which helps analysts find
misbehaving networks through visual and interactive
exploration. Up to seven values are displayed in a single
visual element, while avoiding cumbersome and confusing
maps. To this end, animations and alpha channels are
leveraged to create simple views that highlight relevant
activity patterns. In addition, BURN incorporates a simple
algorithm to identify migrations of nefarious services
across autonomous systems, which can support, for instance,
root-cause analysis and law enforcement investigations.},
author = {Roveta, Francesco and Di Mario, Luca and Maggi, Federico
and Caviglia, Giorgio and Zanero, Stefano and Ciuccarelli,
Paolo},
booktitle = {Proceedings of the 8th International Symposium on
Visualization for Cyber Security (VizSec)},
date = {2011-06-20},
doi = {10.1145/2016904.2016910},
file = {files/papers/conference-papers/roveta_burn_2011.pdf},
isbn = {978-1-4503-0679-9},
location = {New York, NY, USA},
pages = {6:1--6:10},
publisher = {ACM},
shorttitle = {BURN},
title = {BURN: Baring Unknown Rogue Networks}
}
Is the future Web more insecure? Distractions and solutions of new-old security issues and measures
Authors:
Federico Maggi, Stefano Zanero
Proceedings of the Worldwide Cybersecurity Summit
@InProceedings{ maggi_cloudids_2011,
abstract = {The world of information and communication technology is
experiencing changes that, regardless of some skepticism,
are bringing to life the concept of ``utility computing''.
The nostalgics observed a parallel between the emerging
paradigm of cloud computing and the traditional
time-sharing era, depicting clouds as the modern
reincarnation of mainframes available on a pay-per-use
basis, and equipped with virtual, elastic,
disks-as-a-service that replace the old physical disks with
quotas. This comparison is fascinating, but more
importantly, in our opinion, it prepares the ground for
constructive critiques regarding the security of such a
computing paradigm and, especially, one of its key
components: web services. In this paper we discuss our
position about the current countermeasures (e.g., intrusion
detection systems, anti-malware), developed to mitigate
well-known web security threats. By reasoning on said
affinities, we focus on the simple case study of
anomaly-based approaches, which are employed in many modern
protection tools, not just in intrusion detectors. We
illustrate our position by the means of a simple running
example and show that attacks against injection
vulnerabilities, a widespread menace that is easily
recognizable with ordinary anomaly-based checks, can be
difficult to detect if web services are protected as they
were regular web applications. Along this line, we
concentrate on a few, critical hypotheses that demand
particular attention. Although in this emerging landscape
only a minority of threats qualify as novel, they could be
difficult to recognize with the current countermeasures and
thus can expose web services to new attacks. We conclude by
proposing simple modifications to the current
countermeasures to cope with the aforesaid security
issues.},
author = {Maggi, Federico and Zanero, Stefano},
booktitle = {Proceedings of the Worldwide Cybersecurity Summit},
date = {2011-06-01},
file = {files/papers/conference-papers/maggi_cloudids_2011.pdf},
isbn = {978-1-4577-1449-8},
pages = {1--9},
publisher = {EWI},
shorttitle = {CloudIDS},
title = {Is the future Web more insecure? Distractions and
solutions of new-old security issues and measures}
}
A social-engineering-centric data collection initiative to study phishing
Authors:
Federico Maggi, Alessandro Sisto, Stefano Zanero
Proceedings of the First Workshop on Building Analysis Datasets and Gathering …
@InProceedings{ maggi_phonephishinghoneypot_2011,
abstract = {Phishers nowadays rely on a variety of channels, ranging
from old-fashioned emails to instant messages, social
networks, and the phone system (with both calls and text
messages), with the goal of reaching more victims. As a
consequence, modern phishing became a multi-faceted, even
more pervasive threat that is inherently more difficult to
study than traditional, email-based phishing. This short
paper describes the status of a data collection system we
are developing to capture different aspects of phishing
campaigns, with a particular focus on the emerging use of
the voice channel. The general approach is to record
inbound calls received on decoy phone lines, place outbound
calls to the same caller identifiers (when available) and
also to telephone numbers obtained from different sources.
Specifically, our system analyzes instant messages (e.g.,
automated social engineering attempts) and suspicious
emails (e.g., spam, phishing), and extracts telephone
numbers, URLs and popular words from the content. In
addition, users can voluntarily submit voice phishing
(vishing) attempts through a public website. Extracted
telephone numbers, URLs and popular words will be
correlated to recognize campaigns by means of cross-channel
relationships between messages.},
author = {Maggi, Federico and Sisto, Alessandro and Zanero,
Stefano},
booktitle = {Proceedings of the First Workshop on Building Analysis
Datasets and Gathering Experience Returns for Security
(BADGERS)},
date = {2011-04-10},
doi = {10.1145/1978672.1978687},
file = {files/papers/workshop-papers/maggi_phonephishinghoneypot_2011.pdf},
isbn = {978-1-4503-0768-0},
keywords = {workshop},
location = {New York, NY, USA},
pages = {107--108},
publisher = {ACM},
shorttitle = {PhonePhishingHoneypot},
title = {A social-engineering-centric data collection initiative to
study phishing}
}
Effective Multimodel Anomaly Detection Using Cooperative Negotiation
Authors:
Alberto Volpatto, Federico Maggi, Stefano Zanero
Proceedings of the Decision and Game Theory for Security (GameSec)
@InProceedings{ volpatto_cooperativeids_2010,
author = {Volpatto, Alberto and Maggi, Federico and Zanero,
Stefano},
booktitle = {Proceedings of the Decision and Game Theory for Security
(GameSec)},
date = {2010-11-22},
doi = {10.1007/978-3-642-17197-0_12},
file = {files/papers/conference-papers/volpatto_cooperativeids_2010.pdf},
isbn = {978-3-642-17196-3},
pages = {180--191},
publisher = {Springer Berlin/Heidelberg},
series = {Lecture Notes in Computer Science},
shorttitle = {CooperativeIDS},
title = {Effective Multimodel Anomaly Detection Using Cooperative
Negotiation},
volume = {6442}
}
Rethinking security in a cloudy world
Authors:
Federico Maggi, Stefano Zanero
Politecnico di Milano
@TechReport{ maggi_cloudids_tr_2010,
abstract = {The world of information and communication technology is
experiencing changes that, regardless of some skepticism,
are bringing to life the concept of ``utility computing''.
The nostalgics observed a parallel between the emerging
paradigm of cloud computing and the traditional
time-sharing era, depicting clouds as the modern
reincarnation of mainframes available on a pay-per-use
basis, and equipped with virtual, elastic, paid
disks-as-a-service that replace the old physical disks with
quotas. This comparison is fascinating, but more
importantly, in our opinion, it prepares the ground for
constructive critiques regarding the security of such
computing paradigm. In this paper we explore similar
analogies to discuss our position about the current
countermeasures (e.g., intrusion detection systems,
anti-viruses), developed to mitigate well-known security
threats. By reasoning on said affinities, we focus on the
simple case of anomaly-based approaches, which are employed
in many modern protection tools, not just in intrusion
detectors. We illustrate our position by the means of a
simple running example and show that attacks against
injection vulnerabilities, a current menace that is easily
recognizable with ordinary anomaly-based checks, can be
difficult to detect if web services are assumed to be
regular web applications. Along this line, we concentrate
on a few, critical hypotheses that demand particular
attention. We conclude that, although only a minority of
threats qualify as novel, they are well camouflaged and can
be difficult to recognize behind the confusion caused by
the cloud computing excitement.},
author = {Maggi, Federico and Zanero, Stefano},
date = {2010-11-11},
file = {files/papers/reports/maggi_cloudids_tr_2010.pdf},
institution = {Politecnico di Milano},
number = {2010-11},
shorttitle = {CloudIDS},
title = {Rethinking security in a cloudy world}
}
Don't touch a word! A practical input eavesdropping attack against mobile touchscreen devices
Authors:
Federico Maggi, Alberto Volpatto, Simone Gasparini, Giacomo Boracchi, Stefano Zanero
Politecnico di Milano
@TechReport{ maggi_iclearshot_tr_2010,
abstract = {Spying on a person is a subtle, yet easy and reliable
method to obtain sensitive information. Even if the victim
is well protected from digital attacks, spying may be a
viable option. In addition, the pervasiveness of mobile
devices increases an attacker's opportunities to observe
the victims while they are accessing or entering sensitive
information. This risk is exacerbated by the remarkable
user-friendliness of modern, mobile graphical interfaces,
which, for example, display visual feedback to improve the
user experience and make common tasks, e.g., typing, more natural.
Unfortunately, this turns into the well-known trade-off
between usability and security. In this work, we focus on
how usability of modern mobile interfaces may affect the
users' privacy. In particular, we describe a practical
eavesdropping attack, able to recognize the sequence of
keystrokes from a low-resolution video, recorded while the
victim is typing on a touchscreen. Our attack exploits the
fact that modern virtual keyboards, as opposed to
mechanical ones, often display magnified, virtual keys in
predictable positions. To demonstrate the feasibility of
this attack we implemented it against 2010's most popular
smart-phone (i.e., Apple's iPhone). Our approach works
under realistic conditions, because it tracks and rectifies
the target screen according to the victim's natural
movements, before performing the keystroke recognition. On
real-world settings, our attack can automatically recognize
up to 97.07% (91.03% on average) of the keystrokes, with a
1.15% error rate and a speed between 37 and 51 keystrokes
per minute. This work confirms that touchscreen keyboards
that magnify keys make automatic eavesdropping attacks
easier than in classic mobile keyboards.},
author = {Maggi, Federico and Volpatto, Alberto and Gasparini,
Simone and Boracchi, Giacomo and Zanero, Stefano},
date = {2010-11-01},
file = {files/papers/reports/maggi_iclearshot_tr_2010.pdf},
institution = {Politecnico di Milano},
number = {2010-59},
shorttitle = {iClearshot},
title = {Don't touch a word! A practical input eavesdropping attack
against mobile touchscreen devices}
}
Are the Con Artists Back? A Preliminary Analysis of Modern Phone Frauds
Authors:
Federico Maggi
Proceedings of the International Conference on Computer and Information …
@InProceedings{ maggi_phonephishing_2010,
abstract = {Phishing is the practice of eliciting a person's
confidential information such as name, date of birth or
credit card details. Typically, the phishers use simple
technologies (e.g., e-mailing) to spread social engineering
attacks with the goal of persuading a large number of
victims into voluntarily disclosing sensitive data. Phishing
based on e-mail and web technologies is certainly the most
popular form. It has indeed received ample attention and
some mitigation measures have been implemented. In this
paper we describe our study on vishing (voice phishing), a
form of phishing where the scammers exploit the phone
channel to ask for sensitive information, rather than
sending e-mails and cloning trustworthy websites. In some
sense, the traditional Mitnick-style phone scams are
streamlined by attackers using techniques that are typical
of modern, e-mail-based phishing. We detail our analysis of
an embryonic, real-world database of vishing attacks
reported by victims through a publicly-available web
application that we built for this purpose. The vishing
activity that we registered in our preliminary analysis is
targeted against U.S. customers. According to our
samples, we analyzed to what extent the criminals rely on
automated responders to streamline the vishing campaigns.
In addition, we analyzed the content of the conversations
and found that words such as ``credit'', ``press'' (a key)
or ``account'' are fairly popular. In addition, we describe
the data collection infrastructure and motivate why
gathering data about vishing is more difficult than for
regular e-mail phishing.},
author = {Maggi, Federico},
booktitle = {Proceedings of the International Conference on Computer
and Information Technology (CIT)},
date = {2010-06-29},
doi = {10.1109/CIT.2010.156},
file = {files/papers/conference-papers/maggi_phonephishing_2010.pdf},
isbn = {978-0-7695-4108-2},
pages = {824--831},
publisher = {IEEE Computer Society},
shorttitle = {PhonePhishing},
title = {Are the Con Artists Back? A Preliminary Analysis of Modern
Phone Frauds}
}
A Recognizer of Rational Trace Languages
Authors:
Federico Maggi
Proceedings of the International Conference on Computer and Information …
@InProceedings{ maggi_traces_2010,
abstract = {A one-pass recognition algorithm is presented to solve the
membership problem for rational trace languages. The
algorithm is detailed through the formal specification of
the Buffer Machine, a non-deterministic, finite-state
automaton with multiple buffers that can solve the
membership problem in polynomial time. The performance and
characteristics of the proposed solution are evaluated on a
testbed implementation using pseudo-random traces, strings,
languages and dependency relations.},
author = {Maggi, Federico},
booktitle = {Proceedings of the International Conference on Computer
and Information Technology (CIT)},
date = {2010-06},
doi = {10.1109/CIT.2010.77},
file = {files/papers/conference-papers/maggi_traces_2010.pdf},
isbn = {978-0-7695-4108-2},
pages = {257--264},
publisher = {IEEE Computer Society},
shorttitle = {Traces},
title = {A Recognizer of Rational Trace Languages}
}
Effective Anomaly Detection with Scarce Training Data
Authors:
William Robertson, Federico Maggi, Christopher Kruegel, Giovanni Vigna
Proceedings of the Network and Distributed System Security Symposium (NDSS)
@InProceedings{ robertson_longtail_2010,
abstract = {Learning-based anomaly detection has proven to be an
effective black-box technique for detecting unknown
attacks. However, the effectiveness of this technique
crucially depends upon both the quality and the
completeness of the training data. Unfortunately, in most
cases, the traffic to the system (e.g., a web application
or daemon process) protected by an anomaly detector is not
uniformly distributed. Therefore, some components (e.g.,
authentication, payments, or content publishing) might not
be exercised enough to train an anomaly detection system in
a reasonable time frame. This is of particular importance
in real-world settings, where anomaly detection systems are
deployed with little or no manual configuration, and they
are expected to automatically learn the normal behavior of
a system to detect or block attacks. In this work, we first
demonstrate that the features utilized to train a
learning-based detector can be semantically grouped, and
that features of the same group tend to induce similar
models. Therefore, we propose addressing local training
data deficiencies by exploiting clustering techniques to
construct a knowledge base of well-trained models that can
be utilized in case of undertraining. Our approach, which
is independent of the particular type of anomaly detector
employed, is validated using the realistic case of a
learning-based system protecting a pool of web servers
running several web applications such as blogs, forums, or
Web services. We run our experiments on a real-world data
set containing over 58 million HTTP requests to more than
36,000 distinct web application components. The results
show that by using the proposed solution, it is possible to
achieve effective attack detection even with scarce
training data.},
author = {Robertson, William and Maggi, Federico and Kruegel,
Christopher and Vigna, Giovanni},
booktitle = {Proceedings of the Network and Distributed System Security
Symposium (NDSS)},
date = {2010-03-01},
citeseerx = {10.1.1.183.3323},
file = {files/papers/conference-papers/robertson_longtail_2010.pdf},
publisher = {The Internet Society},
shorttitle = {LongTail},
title = {Effective Anomaly Detection with Scarce Training Data}
}
Integrated Detection of Anomalous Behavior of Computer Infrastructures
Authors:
Federico Maggi
Politecnico di Milano
@PhDThesis{ maggi_phdthesis_2010,
abstract = {This dissertation details our research on anomaly
detection techniques, that are central to several classic
security-related tasks such as network monitoring, but it
also have broader applications such as program behavior
characterization or malware classification. In particular,
we worked on anomaly detection from three different
perspectives, with the common goal of recognizing anomalous
activity on computer infrastructures. In fact, a computer
system has several weak spots that must be protected to
prevent attackers from taking advantage of them. We focused on
protecting the operating system, central to any computer,
to prevent malicious code from subverting its normal activity.
Secondly, we concentrated on protecting the web
applications, which can be considered the modern, shared
operating systems; because of their immense popularity,
they have indeed become the most targeted entry point to
violate a system. Last, we experimented with novel
techniques with the aim of identifying related events
(e.g., alerts reported by intrusion detection systems) to
build new and more compact knowledge to detect malicious
activity on large-scale systems.
Our contributions regarding host-based protection systems
focus on characterizing a process' behavior through the
system calls invoked into the kernel. In particular, we
engineered and carefully tested different versions of a
multi-model detection system using both stochastic and
deterministic models to capture the features of the system
calls during normal operation of the operating system.
Besides demonstrating the effectiveness of our approaches,
we confirmed that the use of finite-state, deterministic
models allows detecting deviations from the process' control
flow with the highest accuracy; however, our contribution
combines this effectiveness with advanced models for the
system calls' arguments, resulting in a significantly
decreased number of false alarms.
Our contributions regarding web-based protection systems
focus on advanced training procedures to enable learning
systems to perform well even in presence of changes in the
web application source code---particularly frequent in the
Web 2.0 era. We also addressed data scarcity, which is
a real problem when deploying an anomaly detector to
protect a new, never-used-before application. Both these
issues dramatically decrease the detection capabilities of
an intrusion detection system but can be effectively
mitigated by adopting the techniques we propose.
Last, we investigated the use of different stochastic and
fuzzy models to perform automatic alert correlation, which
is a post-processing step to intrusion detection. We
proposed a fuzzy model that formally defines the errors
that inevitably occur if time-based alert aggregation
(i.e., two alerts are considered correlated if they are
close in time) is used. This model allows accounting for
measurement errors and avoiding false correlations due to
delays, for instance, or incorrect parameter settings. In
addition, we defined a model to describe the alert
generation as a stochastic process and experimented with
non-parametric statistical tests to define robust,
zero-configuration correlation systems.
The aforementioned tools have been tested over different
datasets---that are thoroughly documented in this
document---and led to interesting results.},
author = {Maggi, Federico},
date = {2010},
file = {files/papers/dissertations/maggi_phdthesis_2010.pdf},
institution = {Politecnico di Milano},
location = {Milano, Italy},
shorttitle = {PhDThesis},
title = {Integrated Detection of Anomalous Behavior of Computer
Infrastructures},
url = {https://github.com/phretor/cs-phd-dissertation-latex-template}
}
Integrated Detection of Attacks Against Browsers, Web Applications and Databases
Authors:
Claudio Criscione, Federico Maggi, Guido Salvaneschi, Stefano Zanero
Proceedings of the European Conference on Network Defense (EC2ND)
@InProceedings{ criscione_masibty_2009,
abstract = {Anomaly-based techniques were exploited successfully to
implement protection mechanisms for various systems.
Recently, these approaches have been ported to the web
domain under the name of ``web application anomaly
detectors'' (or firewalls) with promising results. In
particular, those capable of automatically building
specifications, or models, of the protected application by
observing its traffic (e.g., network packets, system calls,
or HTTP requests and responses) are particularly
interesting, since they can be deployed with little effort.
Typically, the detection accuracy of these systems is
significantly influenced by the model building phase (often
called training), which clearly depends upon the quality of
the observed traffic, which should resemble the normal
activity of the protected application and must be also free
from attacks. Otherwise, detection may result in
significant amounts of false positives (i.e., benign events
flagged as anomalous) and negatives (i.e., undetected
threats). In this work we describe Masibty, a web
application anomaly detector that has some interesting
properties. First, it does not require the training data to be
attack-free. Secondly, not only does it protect the monitored
application, it also detects and blocks malicious
client-side threats before they are sent to the browser.
Third, Masibty intercepts the queries before they are sent
to the database, correlates them with the corresponding
HTTP requests and blocks those deemed anomalous. Both the
accuracy and the performance have been evaluated on
real-world web applications with interesting results. The
system is almost not influenced by the presence of attacks
in the training data and shows only a negligible amount of
false positives, although this is paid in terms of a slight
performance overhead.},
author = {Criscione, Claudio and Maggi, Federico and Salvaneschi,
Guido and Zanero, Stefano},
booktitle = {Proceedings of the European Conference on Network Defense
(EC2ND)},
date = {2009-11-09},
doi = {10.1109/EC2ND.2009.13},
file = {files/papers/conference-papers/criscione_masibty_2009.pdf},
isbn = {978-0-7695-3983-6},
publisher = {IEEE Computer Society},
shorttitle = {Masibty},
title = {Integrated Detection of Attacks Against Browsers, Web
Applications and Databases}
}
Reducing false positives in anomaly detectors through fuzzy alert aggregation
Authors:
Federico Maggi, Matteo Matteucci, Stefano Zanero
Information Fusion
@Article{ maggi_fuzzyalertaggregation_article_2009,
abstract = {In this paper we focus on the aggregation of IDS alerts,
an important component of the alert fusion process. We
exploit fuzzy measures and fuzzy sets to design simple and
robust alert aggregation algorithms. Exploiting fuzzy sets,
we are able to robustly state whether or not two alerts are
``close in time'', dealing with noisy and delayed
detections. A performance metric for the evaluation of
fusion systems is also proposed. Finally, we evaluate the
fusion method with alert streams from anomaly-based IDS.},
author = {Maggi, Federico and Matteucci, Matteo and Zanero,
Stefano},
date = {2009-10-01},
doi = {10.1016/j.inffus.2009.01.004},
file = {files/papers/journal-papers/maggi_fuzzyalertaggregation_article_2009.pdf},
issn = {1566-2535},
journaltitle = {Information Fusion},
number = {4},
pages = {300--311},
shorttitle = {FuzzyAlertAggregation},
title = {Reducing false positives in anomaly detectors through
fuzzy alert aggregation},
volume = {10}
}
Protecting a Moving Target: Addressing Web Application Concept Drift
Authors:
Federico Maggi, William Robertson, Christopher Kruegel, Giovanni Vigna
Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID)
Conference Paper
@InProceedings{ maggi_conceptdrift_2009,
abstract = {Because of the ad hoc nature of web applications,
intrusion detection systems that leverage machine learning
techniques are particularly well-suited for protecting
websites. The reason is that these systems are able to
characterize the applications' normal behavior in an
automated fashion. However, anomaly-based detectors for web
applications suffer from false positives that are generated
whenever the applications being protected change. These
false positives need to be analyzed by the security officer
who then has to interact with the web application
developers to confirm that the reported alerts were indeed
erroneous detections. In this paper, we propose a novel
technique for the automatic detection of changes in web
applications, which allows for the selective retraining of
the affected anomaly detection models. We demonstrate that,
by correctly identifying legitimate changes in web
applications, we can reduce false positives and allow for
the automated retraining of the anomaly models. We have
evaluated our approach by analyzing a number of real-world
applications. Our analysis shows that web applications
indeed change substantially over time, and that our
technique is able to effectively detect changes and
automatically adapt the anomaly detection models to the new
structure of the changed web applications.},
author = {Maggi, Federico and Robertson, William and Kruegel,
Christopher and Vigna, Giovanni},
booktitle = {Proceedings of the International Symposium on Recent
Advances in Intrusion Detection (RAID)},
date = {2009-09-23},
doi = {10.1007/978-3-642-04342-0_2},
file = {files/papers/conference-papers/maggi_conceptdrift_2009.pdf},
shorttitle = {ConceptDrift},
title = {Protecting a Moving Target: Addressing Web Application
Concept Drift}
}
Selecting and Improving System Call Models for Anomaly Detection
Authors:
Alessandro Frossi, Federico Maggi, Gian Luigi Rizzo, Stefano Zanero
Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)
Conference Paper
@InProceedings{ frossi_hybridsyscalls_2009,
abstract = {We propose a syscall-based anomaly detection system that
incorporates both deterministic and stochastic models. We
analyze in detail two alternative approaches for anomaly
detection over system call sequences and arguments, and
propose a number of modifications that significantly
improve their performance. We begin by comparing them and
analyzing their respective performance in terms of
detection accuracy. Then, we outline their major
shortcomings, and propose various changes in the models
that can address them: we show how targeted modifications
of their anomaly models, as opposed to the redesign of the
global system, can noticeably improve the overall detection
accuracy. Finally, the impact of these modifications is
discussed by comparing the performance of the two original
implementations with two modified versions complemented
with our models.},
author = {Frossi, Alessandro and Maggi, Federico and Rizzo, Gian
Luigi and Zanero, Stefano},
booktitle = {Proceedings of the International Conference on Detection
of Intrusions and Malware, and Vulnerability Assessment
(DIMVA)},
date = {2009-07-09},
doi = {10.1007/978-3-642-02918-9_13},
file = {files/papers/conference-papers/frossi_hybridsyscalls_2009.pdf},
shorttitle = {HybridSyscalls},
title = {Selecting and Improving System Call Models for Anomaly
Detection}
}
Detecting Intrusions through System Call Sequence and Argument Analysis
Authors:
Federico Maggi, Matteo Matteucci, Stefano Zanero
IEEE Transactions on Dependable and Secure Computing (TDSC)
Journal Article
@Article{ maggi_syscallseq_article_2008,
abstract = {We describe an unsupervised host-based intrusion detection
system based on system calls arguments and sequences. We
define a set of anomaly detection models for the individual
parameters of the call. We then describe a clustering
process which helps to better fit models to system call
arguments, and creates inter-relations among different
arguments of a system call. Finally, we add a behavioral
Markov model in order to capture time correlations and
abnormal behaviors. The whole system needs no prior
knowledge input; it has a good signal to noise ratio, and
it is also able to correctly contextualize alarms, giving
the user more information to understand whether a true or
false positive happened, and to detect variations over the
entire execution flow, as opposed to punctual variations
over individual instances.},
author = {Maggi, Federico and Matteucci, Matteo and Zanero,
Stefano},
date = {2008-11-17},
doi = {10.1109/TDSC.2008.69},
file = {files/papers/journal-papers/maggi_syscallseq_article_2008.pdf},
issn = {1545-5971},
journaltitle = {IEEE Transactions on Dependable and Secure Computing
(TDSC)},
number = {4},
pages = {381--395},
shorttitle = {SyscallSeq},
title = {Detecting Intrusions through System Call Sequence and
Argument Analysis},
volume = {7}
}
Specification and Evaluation of an Efficient Recognizer for Rational Trace Languages
Authors:
Federico Maggi
Politecnico di Milano
Technical Report
@TechReport{ maggi_traces_tr_2008,
abstract = {An improved, one-pass version of a two-pass, Earley-like
recognition algorithm is here proposed to solve the
Membership Problem for rational trace languages in
polynomial time. The algorithm is first described through
the formal specification of what we called a Non
Deterministic Buffer Machine (NDBM); secondly, the
recognition is detailed through a deterministic algorithm
along with some running examples. In addition, we describe
our prototype implementation of the algorithm used to
empirically evaluate the performances and the
characteristics of the proposed solution. To this end, we
designed pseudo-random testing data generators that are
here described as well.},
author = {Maggi, Federico},
date = {2008-06-01},
file = {files/papers/reports/maggi_traces_tr_2008.pdf},
institution = {Politecnico di Milano},
number = {2008-23},
shorttitle = {Traces},
title = {Specification and Evaluation of an Efficient Recognizer
for Rational Trace Languages}
}
Seeing the invisible: forensic uses of anomaly detection and machine learning
Authors:
Federico Maggi, Stefano Zanero, Vincenzo Iozzo
Operating Systems Review of the ACM Special Interest Group on Operating Systems (SIGOPS)
Journal Article
@Article{ maggi_antiforensics_article_2008,
abstract = {Anti-forensics is the practice of circumventing classical
forensics analysis procedures making them either unreliable
or impossible. In this paper we propose the use of machine
learning algorithms and anomaly detection to cope with a
wide class of definitive anti-forensics techniques. We test
the proposed system on a dataset we created through the
implementation of an innovative technique of
anti-forensics, and we show that our approach yields
promising results in terms of detection.},
author = {Maggi, Federico and Zanero, Stefano and Iozzo, Vincenzo},
date = {2008-04-01},
doi = {10.1145/1368506.1368514},
file = {files/papers/journal-papers/maggi_antiforensics_article_2008.pdf},
issn = {0163-5980},
journaltitle = {Operating Systems Review of the ACM Special Interest Group
on Operating Systems (SIGOPS)},
number = {3},
pages = {51--58},
shorttitle = {AntiForensics},
title = {Seeing the invisible: forensic uses of anomaly detection
and machine learning},
volume = {42}
}
A Survey of Probabilistic Record Matching Models, Techniques and Tools
Authors:
Federico Maggi
Politecnico di Milano
Technical Report
@TechReport{ maggi_recordmatching_tr_2008,
abstract = {Probabilistic record linkage regards the use of stochastic
decision models to solve the problem of record linkage
(also known as record matching). Data quality has become a
key aspect in many institutions and the demand for novel,
effective techniques is increasing. Record linkage in
general has been studied in the last three decades and a
solid probabilistic decision framework has been proposed
along with several extensions and specific estimation
methods. This paper is a survey work narrowed to the most
recent and promising approaches also including a selection
of data cleansing tools based on probabilistic decision
models.},
author = {Maggi, Federico},
date = {2008-04-01},
file = {files/papers/reports/maggi_recordmatching_tr_2008.pdf},
institution = {Politecnico di Milano},
number = {2008-22},
shorttitle = {RecordMatching},
title = {A Survey of Probabilistic Record Matching Models,
Techniques and Tools}
}
On the Use of Different Statistical Tests for Alert Correlation - Short Paper
Authors:
Federico Maggi, Stefano Zanero
Proceedings of the International Symposium on Recent Advances in Intrusion Detection (RAID)
Conference Paper
@InProceedings{ maggi_alertcorrelation_2007,
abstract = {In this paper we analyze the use of different types of
statistical tests for the correlation of anomaly detection
alerts. We show that the Granger Causality Test, one of the
few proposals that can be extended to the anomaly detection
domain, strongly depends on good choices of a parameter
which proves to be both sensitive and difficult to
estimate. We propose a different approach based on a set of
simpler statistical tests, and we prove that our criteria
work well on a simplified correlation task, without
requiring complex configuration parameters.},
author = {Maggi, Federico and Zanero, Stefano},
booktitle = {Proceedings of the International Symposium on Recent
Advances in Intrusion Detection (RAID)},
date = {2007-09-05},
doi = {10.1007/978-3-540-74320-0_9},
file = {files/papers/conference-papers/maggi_alertcorrelation_2007.pdf},
pages = {167--177},
shorttitle = {AlertCorrelation},
title = {On the Use of Different Statistical Tests for Alert
Correlation - Short Paper}
}