-
Notifications
You must be signed in to change notification settings - Fork 1
/
papers.bib
1783 lines (1726 loc) · 108 KB
/
papers.bib
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
@InProceedings{ maggi_smsec_2020,
shorttitle = {SMSec},
author = {Maggi, Federico and Balduzzi, Marco and Vosseler, Rainer and
Rösler, Martin and Quadrini, Walter and Tavola, Giacomo and
Pogliani, Marcello and Quarta, Davide and Zanero, Stefano},
title = {Smart Factory Security: A Case Study on a Modular
SmartManufacturing System},
publisher = {Elsevier Procedia Computer Science},
booktitle = {International Conference on Industry 4.0 and Smart
Manufacturing},
volume = {42},
series = {ISM '20},
location = {Linz, Austria},
abstract = {Smart manufacturing systems are an attractive target for
cyber attacks, because they embed valuable data andcritical
equipment. Despite the market is driving towards integrated
and interconnected factories, current smartmanufacturing
systems are still designed under the assumption that they
will stay isolated from the corporatenetwork and the outside
world. This choice may result in an internal architecture
with insufficient network andsystem compartmentalization. As
a result, once an attacker has gained access, they have full
control of the entireproduction plant because of the lack of
network segmentation.With the goal of raising cybersecurity
awareness, in this paper we describe a practical case study
showing attackscenarios that we have validated on a real
modular smart manufacturing system, and suggest practical
securitycountermeasures. The testbed smart manufacturing
system is part of the Industry 4.0 research laboratory hosted
byPolitecnico di Milano, and comprises seven assembly
stations, each with their programmable logic controllers
andhuman-computer interfaces, as well as an industrial
robotic arm that performs pick-and-place tasks.On this
testbed we show two indirect attacks to gain initial access,
even under the best-case scenario of a system notdirectly
connected to any public network. We conclude by showing two
post-exploitation scenarios that an adversarycan use to cause
physical impact on the production, or keep persistent access
to the plant.We are unaware of a similar security analysis
performed within the premises of a research facility,
following ascientific methodology, so we believe that this
work can represent a good first step to inspire follow up
research onthe many verticals that we touch.},
date = {2020-11-23},
file = {files/papers/conference-papers/maggi_smsec_2020.pdf}
}
@InProceedings{ pogliani_otrazor_2020,
shorttitle = {OTRazor},
author = {Pogliani, Marcello and Maggi, Federico and Balduzzi, Marco
and Quarta, Davide and Zanero, Stefano},
title = {Detecting Unsafe Code Patterns in Industrial Robot
Programs},
publisher = {ACM},
booktitle = {Proceedings of the 15th ACM Asia Conference on Computer and
Communications SecurityOctober 2020},
series = {AsiaCCS '20},
pages = {759--771},
address = {New York, NY, USA},
location = {Taipei, Taiwan},
abstract = {In this paper, we analyze the languages of $8$ leading
industrial robot vendors, systematize their technical
features, and discuss cases of vulnerable and malicious uses.
We then describe a static source-code analyzer that we
created to analyze robotic programs and discover insecure or
potentially malicious code paths. We focused our
proof-of-concept implementation on two popular languages,
namely ABB's RAPID and KUKA's KRL. By evaluating our tool on
a set of publicly available programs, we show that insecure
patterns are found in real-world code; therefore, static
source-code analysis is an effective security screening
mechanism, for example to prevent commissioning insecure or
malicious industrial task programs. Finally, we discuss
remediation steps that developers and vendors can adopt to
mitigate such issues.},
doi = {https://doi.org/10.1145/3320269.3384735},
date = {2020-10-5},
file = {files/papers/conference-papers/pogliani_otrazor_2020.pdf}
}
@InProceedings{ maggi_industrialradios_2019,
shorttitle = {IndustrialRadios},
author = {Maggi, Federico and Balduzzi, Marco and Andersson, Jonathan
and Lin, Philippe and Hilt, Stephen and Urano, Akira and
Vosseler, Rainer},
title = {A Security Evaluation of Industrial Radio Remote
Controllers},
publisher = {Springer International Publishing},
editor = {Perdisci, Roberto and Almgren, Magnus},
booktitle = {Proceedings of the 16th International Conference on
Detection of Intrusions and Malware, and Vulnerability
Assessment (DIMVA)},
volume = {11543},
pages = {(to appear)},
location = {Gothenburg, Sweden},
abstract = {Heavy industrial machinery is a primary asset for the
operation of key sectors such as construction, manufacturing,
and logistics. Targeted attacks against these assets could
result in incidents, fatal injuries, and substantial
financial loss. Given the importance of such scenarios, we
analyzed and evaluated the security implications of the
technology used to operate and control this machinery, namely
industrial radio remote controllers. We conducted the
first-ever security analysis of this technology, which relies
on proprietary radio-frequency protocols to implement
remote-control functionalities. Through a two-phase
evaluation approach we discovered important flaws in the
design and implementation of industrial remote controllers.
In this paper we introduce and describe 5 practical attacks
affecting major vendors and multiple real-world
installations. We conclude by discussing how a challenging
responsible disclosure process resulted in first-ever
security patches and improved security awareness.},
doi = {10.1007/978-3-030-22038-9_7},
isbn = {978-3-030-22037-2},
date = {2019-06-19},
file = {files/papers/conference-papers/maggi_industrialradios_2019.pdf}
}
@InProceedings{ maggi_defplorex_2018,
shorttitle = {DefPloreX},
author = {Maggi, Federico and Balduzzi, Marco and Flores, Ryan and Gu,
Lion and Ciancaglini, Vincenzo},
title = {Investigating Web Defacement Campaigns at Large},
publisher = {ACM},
booktitle = {Proceedings of the 2018 on Asia Conference on Computer and
Communications Security},
series = {AsiaCCS '18},
pages = {443--456},
address = {New York, NY, USA},
location = {Incheon, Republic of Korea},
abstract = { Website defacement is the practice of altering the web
pages of a website after its compromise. The altered pages,
calleddeface pages, can negatively affect the reputation and
business of the victim site. Previous research has focused
primarily on detection, rather than exploring the defacement
phenomenon in depth. While investigating several defacements,
we observed that the artifacts left by the defacers allow an
expert analyst to investigate the actors' modus operandi and
social structure, and expand from the single deface page to a
group of related defacements (i.e., acampaign ). However,
manually performing such analysis on millions of incidents is
tedious, and poses scalability challenges. From these
observations, we propose an automated approach that
efficiently builds intelligence information out of raw deface
pages. Our approach streamlines the analysts job by
automatically recognizing defacement campaigns, and assigning
meaningful textual labels to them. Applied to a comprehensive
dataset of 13 million defacement records, from Jan. 1998 to
Sept. 2016, our approach allowed us to conduct the first
large-scale measurement on web defacement campaigns. In
addition, our approach is meant to be adopted operationally
by analysts to identify live campaigns on the field.
We go beyond confirming anecdotal evidence. We analyze the
social structure of modern defacers, which includes lone
individuals as well as actors that cooperate with each
others, or with teams, which evolve over time and dominate
the scene. We conclude by drawing a parallel between the time
line of World-shaping events and defacement campaigns,
representing the evolution of the interests and orientation
of modern defacers.},
doi = {10.1145/3196494.3196542},
isbn = {978-1-4503-5576-6},
date = {2018-06-04},
file = {files/papers/conference-papers/maggi_defplorex_2018.pdf}
}
@InProceedings{ zarras_sqlbot_2017,
shorttitle = {SQLBot},
author = {Zarras, Apostolis and Maggi, Federico},
title = {Hiding Behind the Shoulders of Giants: Abusing Crawlers for
Indirect Web Attacks},
publisher = {IEEE Computer Society},
booktitle = {Proceedings of the 15th Annual International Conference on
Privacy, Security and Trust (PST)},
pages = {355--35509},
location = {Calgary, Canada},
abstract = {It could be argued that without search engines, the web
would have never grown to the size that it has today. To
achieve maximum coverage and provide relevant results, search
engines employ large armies of autonomous crawlers that
continuously scour the web, following links, indexing
content, and collecting features that are then used to
calculate the ranking of each page. In this paper, we
describe how autonomous crawlers can be abused by attackers
to exploit vulnerabilities on thirdparty websites while
hiding the true origin of the attacks. Moreover, we show how
certain vulnerabilities on websites that are currently deemed
unimportant, can be abused in a way that would allow an
attacker to arbitrarily boost the rankings of malicious
websites in the search results of popular search engines.
Motivated by the potentials of these vulnerabilities, we
propose a series of preventive and defensive countermeasures
that website owners and search engines can adopt to minimize,
or altogether eliminate, the effects of crawler-abusing
attacks.},
doi = {10.1109/PST.2017.00049},
isbn = {978-1-5386-2487-6},
date = {2017-08-28},
file = {files/papers/conference-papers/zarras_sqlbot_2017.pdf}
}
@InProceedings{ palanca_candos_2017,
shorttitle = {CANDoS},
author = {Palanca, Andrea and Evenchick, Eric and Maggi, Federico and
Zanero, Stefano},
title = {A Stealth, Selective, Link-Layer Denial-of-Service Attack
Against Automotive Networks},
publisher = {Springer International Publishing},
editor = {Polychronakis, Michalis and Meier, Michael},
booktitle = {Proceedings of the 14th International Conference on
Detection of Intrusions and Malware, and Vulnerability
Assessment (DIMVA)},
pages = {185--206},
location = {Bonn, Germany},
abstract = {Modern vehicles incorporate tens of electronic control units
(ECUs), driven by as much as 100,000,000 lines of code. They
are tightly interconnected via internal networks, mostly
based on the CAN bus standard. Past research showed that, by
obtaining physical access to the network or by remotely
compromising a vulnerable ECU, an attacker could control even
safety-critical inputs such as throttle, steering or brakes.
In order to secure current CAN networks from cyberattacks,
detection and prevention approaches based on the analysis of
transmitted frames have been proposed, and are generally
considered the most time- and cost-effective solution, to the
point that companies have started promoting aftermarket
products for existing vehicles.},
doi = {10.1007/978-3-319-60876-1_9},
isbn = {978-3-319-60876-1},
date = {2017-07-06},
file = {files/papers/conference-papers/palanca_candos_2017.pdf}
}
@InProceedings{ quarta_robosec_2017,
shorttitle = {RoboSec},
author = {Quarta, Davide and Pogliani, Marcello and Polino, Mario and
Maggi, Federico and Zanchettin, Andrea Maria and Zanero,
Stefano},
title = {An Experimental Security Analysis of an Industrial Robot
Controller},
publisher = {ACM},
booktitle = {Proceedings of the 38th IEEE Symposium on Security and
Privacy},
series = {S\&P '17},
location = {San Jose, CA},
abstract = {Industrial robots, automated manufacturing, and efficient
logistics processes are at the heart of the upcoming fourth
industrial revolution. While there are seminal studies on the
vulnerabilities of cyber-physical systems in the industry, as
of today there has been no systematic analysis of the
security of industrial robot controllers. We examine the
standard architecture of an industrial robot and analyze a
concrete deployment from a systems security standpoint. Then,
we propose an attacker model and confront it with the minimal
set of requirements that industrial robots should honor:
precision in sensing the environment, correctness in
execution of control logic, and safety for human operators.
Following an experimental and practical approach, we then
show how our modeled attacker can subvert such requirements
through the exploitation of software vulnerabilities, leading
to severe consequences that are unique to the robotics
domain. We conclude by discussing safety standards and
security challenges in industrial robotics.},
doi = {10.1109/SP.2017.20},
date = {2017-05},
file = {files/papers/conference-papers/quarta_robosec_2017.pdf}
}
@InProceedings{ mavroudis_ubeacsec_2017,
shorttitle = {uBeacSec},
author = {Mavroudis, Vasilios and Hao, Shuang and Fratantonio, Yanick
and Maggi, Federico and Kruegel, Christopher and Vigna,
Giovanni},
title = {On the Privacy and Security of the Ultrasound Ecosystem},
publisher = {DE GRUYTER},
booktitle = {Proceedings of the 17th Privacy Enhancing Technologies
Symposium},
series = {PETS '17},
pages = {95--112},
location = {Minneapolis, USA},
abstract = {Nowadays users often possess a variety of electronic devices
for communication and entertainment. In particular,
smartphones are playing an increasingly central role in
users’ lives: Users carry them everywhere they go and often
use them to control other devices. This trend provides
incentives for the industry to tackle new challenges, such as
cross-device authentication, and to develop new monetization
schemes. A new technology based on ultrasounds has recently
emerged to meet these demands. Ultrasound technology has a
number of desirable features: it is easy to deploy, flexible,
and inaudible by humans. This technology is already utilized
in a number of different real-world applications, such as
device pairing, proximity detection, and cross-device
tracking.
This paper examines the different facets of ultrasound-based
technology. Initially, we discuss how it is already used in
the real world, and subsequently examine this emerging
technology from the privacy and security perspectives. In
particular, we first observe that the lack of OS features
results in violations of the principle of least privilege: an
app that wants to use this technology currently needs to
require full access to the device microphone. We then analyse
real-world Android apps and find that tracking techniques
based on ultrasounds suffer from a number of vulnerabilities
and are susceptible to various attacks. For example, we show
that ultrasound cross-device tracking deployments can be
abused to perform stealthy deanonymization attacks (e.g., to
unmask users who browse the Internet through anonymity
networks such as Tor), to inject fake or spoofed audio
beacons, and to leak a user’s private information.
Based on our findings, we introduce several defense
mechanisms. We first propose and implement immediately
deployable defenses that empower practitioners, researchers,
and everyday users to protect their privacy. In particular,
we introduce a browser extension and an Android permission
that enable the user to selectively suppress frequencies
falling within the ultrasonic spectrum. We then argue for the
standardization of ultrasound beacons, and we envision a
flexible OS-level API that addresses both the effortless
deployment of ultrasound-enabled applications, and the
prevention of existing privacy and security problems.},
doi = {10.1515/popets-2017-0018},
date = {2017-04-04},
file = {files/papers/conference-papers/mavroudis_ubeacsec_2017.pdf}
}
@InProceedings{ continella_shieldfs_2016,
shorttitle = {ShieldFS},
author = {Continella, Andrea and Guagnelli, Alessandro and Zingaro,
Giovanni and De Pasquale, Giulio and Barenghi, Alessandro and
Zanero, Stefano and Maggi, Federico},
title = {ShieldFS: A Self-healing, Ransomware-aware Filesystem},
publisher = {ACM},
booktitle = {Proceedings of the 32nd Annual Computer Security
Applications Conference},
series = {ACSAC '16},
pages = {336--347},
location = {Los Angeles, USA},
abstract = {Preventive and reactive security measures can only partially
mitigate the damage caused by modern ransomware attacks.
Indeed, the remarkable amount of illicit profit and the
cybercriminals’ increasing interest in ransomware schemes
suggest that a fair number of users are actually paying the
ransoms. Unfortunately, pure-detection approaches (e.g.,
based on analysis sandboxes or pipelines) are not sufficient
nowadays, because often we do not have the luxury of being
able to isolate a sample to analyze, and when this happens it
is already too late for several users! We believe that a
forwardlooking solution is to equip modern operating systems
with practical self-healing capabilities against this serious
threat. Towards such a vision, we propose ShieldFS, an add-on
driver that makes the Windows native filesystem immune to
ransomware attacks. For each running process, ShieldFS
dynamically toggles a protection layer that acts as a
copy-onwrite mechanism, according to the outcome of its
detection component. Internally, ShieldFS monitors the
low-level filesystem activity to update a set of adaptive
models that profile the system activity over time. Whenever
one or more processes violate these models, their operations
are deemed malicious and the side effects on the filesystem
are transparently rolled back.
We designed ShieldFS after an analysis of billions of
low-level, I/O filesystem requests generated by thousands of
benign applications, which we collected from clean machines
in use by real users for about one month. This is the first
measurement on the filesystem activity of a large set of
benign applications in real working conditions. We evaluated
ShieldFS in real-world working conditions on real, personal
machines, against samples from state of the art ransomware
families. ShieldFS was able to detect the malicious activity
at runtime and transparently recover all the original files.
Although the models can be tuned to fit various filesystem
usage profiles, our results show that our initial tuning
yields high accuracy even on unseen samples and variants.},
doi = {10.1145/2991079.2991110},
isbn = {978-1-4503-4771-6},
numpages = {12},
date = {2016-12},
file = {files/papers/conference-papers/continella_shieldfs_2016.pdf}
}
@InProceedings{ zheng_greateatlon_2016,
shorttitle = {GreatEatlon},
author = {Zheng, Chenghyu and Della Rocca, Nicola and Andronio,
Niccolò and Zanero, Stefano and Maggi Federico},
title = {GreatEatlon: Fast, Static Detection of Mobile Ransomware},
pages = {617--636},
location = {Guangzhou, People's Republic of China},
abstract = {Ransomware is a class of malware that aim at preventing
victims from accessing valuable data, typically via data
encryption or device locking, and ask for a payment to
release the target. In the past year, instances of ransomware
attacks have been spotted on mobile devices too. However,
despite their relatively low infection rate, we notice that
the techniques used by mobile ransomware are quite
sophisticated, and different from those used by ransomware
against traditional computers.
Through an in-depth analysis of about 100 samples of
currently active ransomware apps, we conclude that most of
them pass undetected by state-of-the-art tools, which are
unable to recognize the abuse of benign features for
malicious purposes. The main reason is that such tools rely
on an inadequate and incomplete set of features. The most
notable examples are the abuse of reflection and
device-administration APIs, appearing in modern ransomware to
evade analysis and detection, and to elevate their privileges
(e.g., to lock or wipe the device). Moreover, current
solutions introduce several false positives in the na ̈ıve
way they detect cryptographic-APIs abuse, flagging goodware
apps as ransomware merely because they rely on cryptographic
libraries. Last but not least, the performance overhead of
current approaches is unacceptable for appstore-scale
workloads.
In this work, we tackle the aforementioned limitations and
propose GreatEatlon, a next-generation mobile ransomware
detector. We foresee GreatEatlon deployed on the appstore
side, as a preventive countermeasure. At its core,
GreatEatlon uses static program-analysis techniques to
``resolve'' reflection-based, anti-analysis attempts, to
recognize abuses of the device administration API, and
extract accurate data-flow information required to detect
truly malicious uses of cryptographic APIs. Given the
significant resources utilized by Great- Eatlon, we prepend
to its core a fast pre-filter that quickly discards obvious
goodware, in order to avoid wasting computer cycles.
We tested GreatEatlon on thousands of samples of goodware,
generic malware and ransomware applications, and showed that
it surpasses current approaches both in speed and detection
capabilities, while keeping the false negative rate below
1.3\%. },
doi = {10.1007/978-3-319-59608-2_34},
isbn = {978-3-319-59608-2},
date = {2016-10-10},
file = {files/papers/conference-papers/zheng_greateatlon_2016.pdf}
}
@InProceedings{ zheng_openst_2016,
shorttitle = {OpenST},
author = {Zheng, Chenghyu and Dalla Preda, Mila and Granjal, Jorge and
Zanero, Stefano and Maggi, Federico},
title = {On-Chip System Call Tracing: A Feasibility Study and Open
Prototype},
booktitle = {IEEE Conference on Communications and Network Security
(CNS)},
pages = {73-81},
location = {Philadelphia, US},
abstract = {Several tools for program tracing and introspection exist.
These tools can be used to analyze potentially malicious or
untrusted programs. In this setting, it is important to
prevent that the target program determines whether it is
being traced or not. This is typically achieved by minimizing
the code of the introspection routines and any artifact or
side-effect that the program can leverage. Indeed, the most
recent approaches consist of lightly instrumented operating
systems or thin hypervisors running directly on bare metal.
Following this research trend, we investigate the feasibility
of transparently tracing a Linux/ARM program without
modifying the software stack, while keeping the analysis cost
and flexibility compatible with state of the art emulation-
or bare-metal-based approaches. As for the typical program
tracing task, our goal is to reconstruct the stream of system
call invocations along with the respective un-marshalled
arguments.
We propose to leverage the availability of on-chip debugging
interfaces of modern ARM systems, which are accessible via
JTAG. More precisely, we developed OpenST, an open-source
prototype tracer that allowed us to analyze the performance
overhead and to assess the transparency with respect to
evasive, real-world malicious programs. OpenST has two
tracing modes: In-kernel dynamic tracing and external
tracing. The in-kernel dynamic tracing mode uses the JTAG
interface to ``hot-patch'' the system calls at runtime,
injecting introspection code. This mode is more transparent
than emulator based approaches, but assumes that the traced
program does not have access to the kernel memory where the
introspection code is loaded. The external tracing mode
removes this assumption by using the JTAG interface to manage
hardware breakpoints.
Our tests show that OpenST's greater transparency comes at
the price of a steep performance penalty. However, with a
cost model, we show that OpenST scales better than the state
of the art, bare-metal-based approach, while remaining
equally stealthy to evasive malware.},
doi = {10.1109/CNS.2016.7860472},
date = {2016-10},
file = {files/papers/conference-papers/zheng_openst_2016.pdf}
}
@InProceedings{ mambretti_trellis_2016,
shorttitle = {Trellis},
author = {Mambretti, Andrea and Onarlioglu, Kaan and Mulliner, Collin
and Robertson, William and Kirda, Engin and Maggi, Federico
and Zanero, Stefano},
title = {Trellis: Privilege Separation for Multi-User Applications
Made Easy},
booktitle = {International Symposium on Research in Attacks, Intrusions
and Defenses (RAID)},
pages = {437--456},
location = {Paris, France},
abstract = {Operating systems provide a wide variety of resource
isolation and access control mechanisms, ranging from
traditional user-based security models to fine-grained
permission systems as found in modern mobile operating
systems. However, comparatively little assistance is
available for defining and enforcing access control policies
within multiuser applications. These applications, often
found in enterprise environments, allow multiple users to
operate at different privilege levels in terms of exercising
application functionality and accessing data. Developers of
such applications bear a heavy burden in ensuring that
security policies over code and data in this setting are
properly expressed and enforced. We present Trellis, an
approach for expressing hierarchical access control policies
in applications and enforcing these policies during
execution. The approach enhances the development toolchain to
allow programmers to partially annotate code and data with
simple privilege level tags, and uses a static analysis to
infer suitable tags for the entire application. At runtime,
policies are extracted from the resulting binaries and are
enforced by a modified operating system kernel. Our
evaluation demonstrates that this approach effectively
supports the development of secure multi-user applications
with modest runtime performance overhead.},
doi = {10.1007/978-3-319-45719-2_20},
date = {2016-09},
file = {files/papers/conference-papers/mambretti_trellis_2016.pdf}
}
@InProceedings{ coletta_droydseuss_2016,
shorttitle = {DroydSeuss},
author = {Coletta, Alberto and Van der Veen, Victor and Maggi,
Federico},
title = {DroydSeuss: A Mobile Banking Trojan Tracker - Short Paper},
publisher = {Springer Berlin Heidelberg},
booktitle = {Financial Cryptography and Data Security},
series = {Lecture Notes in Computer Science (LNCS)},
abstract = {After analyzing several Android mobile banking trojans, we
observed the presence of repetitive artifacts that describe
valuable information about the distribution of this class of
malicious apps. Motivated by the high threat level posed by
mobile banking trojans and by the lack of publicly available
analysis and intelligence tools, we automated the extraction
of such artifacts and created a malware tracker named
DroydSeuss. DroydSeuss first processes applications both
statically and dynamically, extracting relevant strings that
contain traces of communication endpoints. Second, it
prioritizes the extracted strings based on the APIs that
manipulate them. Finally, DroydSeuss correlates the endpoints
with descriptive metadata from the samples, providing
aggregated statistics, raw data, and cross-sample information
that allow researchers to pinpoint relevant groups of
applications. We connected DroydSeuss to the VirusTotal daily
feed, consuming Android samples that perform banking-trojan
activity. We manually analyzed its output and found
supporting evidence to confirm its correctness. Remarkably,
the most frequent itemset unveiled a campaign currently
spreading against Chinese and Korean bank customers.
Although motivated by mobile banking trojans, DroydSeuss can
be used to analyze the communication behavior of any
suspicious application.},
date = {2016-02},
file = {files/papers/conference-papers/coletta_droydseuss_2016.pdf}
}
@InProceedings{ falsina_grabnrun_2015,
shorttitle = {GrabNRun},
author = {Falsina, Luca and Fratantonio, Yanick and Zanero, Stefano
and Kruegel, Christopher and Vigna, Giovanni and Maggi,
Federico},
title = {Grab 'n Run: Secure and Practical Dynamic Code Loading for
Android Applications},
publisher = {ACM},
booktitle = {Proceedings of the 31st Annual Computer Security
Applications Conference},
series = {ACSAC '15},
pages = {201--210},
location = {Los Angeles, USA},
abstract = {Android introduced the dynamic code loading (DCL) mechanism
to allow for code reuse, to achieve extensibility, to enable
updating functionalities or to boost application start- up
performance. In spite of its wide adoption by developers,
implementing DCL in a secure way is challenging, leading to
serious vulnerabilities such as remote code injection.
Previous academic and community attempts at solving this
problem are unfortunately either impractical or incomplete,
or in some cases exhibit vulnerabilities. In this paper, we
propose, design, implement and test Grab 'n Run, a novel code
verification protocol and a series of supporting libraries,
APIs, and components, that address the problem by abstracting
away from the developer challenging implementation details.
Grab 'n Run is designed to be practical: among its tools, it
provides a drop-in library, which requires no modifications
to the Android framework or the underlying Dalvik/ART
runtime, is very similar to the native API, and most code can
be automatically rewritten to use it. Grab 'n Run also
contains an application rewriting tool, which allows easy
porting of existing applications to use the secure API of its
library. We evaluate Grab 'n Run library with a user study,
obtaining impressive results in vulnerability reduction, ease
of use and speed of development. We also show that the
performance overhead introduced by our library is negligible.
The library is released as free software.},
doi = {10.1145/2818000.2818042},
isbn = {978-1-4503-3682-6},
numpages = {10},
date = {2015-12},
file = {files/papers/conference-papers/falsina_grabnrun_2015.pdf}
}
@InProceedings{ andronio_heldroid_2015,
shorttitle = {HelDroid},
author = {Andronio, Niccolò and Zanero, Stefano and Maggi, Federico},
title = {HelDroid: Dissecting and Detecting Mobile Ransomware},
booktitle = {International Symposium on Research in Attacks, Intrusions
and Defenses (RAID)},
volume = {9404},
series = {Lecture Notes in Computer Science},
pages = {382--404},
location = {Kyoto, Japan},
abstract = {In ransomware attacks, the actual target is the human, as
opposed to the classic attacks that abuse the infected
devices (e.g., botnet renting, information stealing). Mobile
devices are by no means immune to ransomware attacks.
However, there is little research work on this matter and
only traditional protections are available. Even
state-of-the-art mobile malware detection approaches are
ineffective against ransomware apps because of the subtle
attack scheme. As a consequence, the ample attack surface
formed by the billion mobile devices is left unprotected.
First, in this work we summarize the results of our analysis
of the existing mobile ransomware families, describing their
common characteristics. Second, we present HelDroid, a fast,
efficient and fully automated approach that recognizes known
and unknown scareware and ransomware samples from goodware.
Our approach is based on detecting the ``build- ing blocks''
that are typically needed to implement a mobile ransomware
application. Specifically, HelDroid detects, in a generic
way, if an app is attempting to lock or encrypt the device
without the user’s consent, and if ransom requests are
displayed on the screen. Our technique works without
requiring that a sample of a certain family is available
beforehand. We implemented HelDroid and tested it on
real-world Android ransomware samples. On a large dataset
comprising hundreds of thousands of APKs including goodware,
malware, scareware, and ransomware, HelDroid exhibited nearly
zero false positives and the capability of recognizing
unknown ransomware samples. },
doi = {10.1007/978-3-319-26362-5_18},
date = {2015-10},
file = {files/papers/conference-papers/andronio_heldroid_2015.pdf}
}
@InProceedings{ ilia_faceoff_2015,
shorttitle = {FaceOff},
author = {Ilia, Panagiotis and Polakis, Iasonas and Athanasopoulos,
Elias and Maggi, Federico and Ioannidis, Sotiris},
title = {Face/Off: Preventing Privacy Leakage From Photos in Social
Networks},
publisher = {ACM},
booktitle = {Proceedings of the 22Nd ACM SIGSAC Conference on Computer
and Communications Security},
series = {CCS '15},
pages = {781--792},
location = {New York, NY, USA},
abstract = {The capabilities of modern devices, coupled with the almost
ubiquitous availability of Internet connectivity, have
resulted in photos being shared online at an unprecedented
scale. This is further amplified by the popularity of social
networks and the immediacy they offer in content sharing.
Existing access control mechanisms are too coarse-grained to
handle cases of conflicting interests between the users
associated with a photo; stories of embarrassing or
inappropriate photos being widely accessible have become
quite common. In this paper, we propose to rethink access
control when applied to photos, in a way that allows us to
effectively prevent unwanted individuals from recognizing
users in a photo. The core concept behind our approach is to
change the granularity of access control from the level of
the photo to that of a user's personally identifiable
information (PII). In this work, we consider the face as the
PII. When another user attempts to access a photo, the system
determines which faces the user does not have the permission
to view, and presents the photo with the restricted faces
blurred out. Our system takes advantage of the existing face
recognition functionality of social networks, and can
interoperate with the current photo-level access control
mechanisms. We implement a proof-of-concept application for
Facebook, and demonstrate that the performance overhead of
our approach is minimal. We also conduct a user study to
evaluate the privacy offered by our approach, and find that
it effectively prevents users from identifying their contacts
in 87.35\% of the restricted photos. Finally, our study
reveals the misconceptions about the privacy offered by
existing mechanisms, and demonstrates that users are positive
towards the adoption of an intuitive, straightforward access
control mechanism that allows them to manage the visibility
of their face in published photos.},
doi = {10.1145/2810103.2813603},
isbn = {978-1-4503-3832-5},
date = {2015-10},
url = {http://doi.acm.org/10.1145/2810103.2813603},
file = {files/papers/conference-papers/ilia_faceoff_2015.pdf}
}
@InProceedings{ polino_jackdaw_2015,
shorttitle = {Jackdaw},
author = {Polino, Mario and Scorti, Andrea and Maggi, Federico and
Zanero, Stefano},
title = {Jackdaw: Towards Automatic Reverse Engineering of Large
Datasets of Binaries},
publisher = {Springer International Publishing},
editor = {Almgren, Magnus and Gulisano, Vincenzo and Maggi, Federico},
booktitle = {Detection of Intrusions and Malware, and Vulnerability
Assessment},
series = {Lecture Notes in Computer Science},
pages = {121--143},
abstract = {When analyzing an untrusted binary, reverse engineers
usually rely on ad-hoc collections of interesting dynamic
patterns known as behaviors in the malware-analysis community
and static patterns known as signatures in the antivirus
community. Such patterns are often part of the skill set of
the analyst, sometimes implemented in manually-created
post-processing scripts. It would be desirable to be able to
automatically find such behaviors, present them to analysts,
and create a systematic catalog of matching rules and
relevant implementations. We propose Jackdaw, a system that
finds interesting dynamic patterns, and ranks them to unveil
potentially interesting behaviors. Then, it annotates them
with static information, capturing the distinct
implementations of each across different malware families.
Finally, Jackdaw associates semantic information to the
behaviors, so as to create a descriptive summary that helps
the analysts in querying the catalog of behaviors by type. To
do this, it leverages the dynamic information and an indexed
Web-based knowledge databases. We implement and demonstrate
Jackdaw on the Win32 API (even if the technique can be
generalized to any OS). On a dataset of 2,136 distinct
binaries, including both malicious and benign libraries and
executables, we compared the behaviors extracted
automatically against a ground truth of 44 behaviors created
manually by expert analysts. Jackdaw found 77.3\% of them and
was able to exclude spurious behaviors in 99.6\% cases. We
also discovered 466 novel behaviors, among which manual
exploration and review by expert reverse engineers revealed
interesting findings and confirmed the correctness of the
semantic tagging.},
doi = {10.1007/978-3-319-20550-2_7},
isbn = {978-3-319-20549-6 978-3-319-20550-2},
date = {2015-07-09},
url = {http://link.springer.com/chapter/10.1007/978-3-319-20550-2_7},
file = {files/papers/conference-papers/polino_jackdaw_2015.pdf}
}
@InProceedings{ polakis_resoauth_2014,
shorttitle = {ReSoAuth},
author = {Polakis, Iasonas and Ilia, Panagiotis and Maggi, Federico
and Lancini, Marco and Kontaxis, Georgios and Zanero, Stefano
and Ioannidis, Sotiris and Keromytis, Angelos D.},
title = {Faces in the Distorting Mirror: Revisiting Photo-based
Social Authentication},
publisher = {ACM},
booktitle = {Proceedings of the 2014 ACM SIGSAC Conference on Computer
and Communications Security},
series = {CCS '14},
pages = {501--512},
location = {New York, NY, USA},
abstract = {In an effort to hinder attackers from compromising user
accounts, Facebook launched a form of two-factor
authentication called social authentication (SA), where users
are required to identify photos of their friends to complete
a log-in attempt. Recent research, however, demonstrated that
attackers can bypass the mechanism by employing face
recognition software. Here we demonstrate an alternative
attack. that employs image comparison techniques to identify
the SA photos within an offline collection of the users'
photos. In this paper, we revisit the concept of SA and
design a system with a novel photo selection and
transformation process, which generates challenges that are
robust against these attacks. The intuition behind our photo
selection is to use photos. that fail software-based face
recognition, while remaining recognizable to humans who are
familiar with the depicted people. The photo transformation
process. creates challenges in the form of photo collages,
where faces are transformed so as to render image matching
techniques ineffective. We experimentally confirm the
robustness of our approach against three template. matching
algorithms that solve 0.4 percent of the challenges, while
requiring four orders of magnitude more processing effort.
Furthermore, when the transformations are applied, face
detection software fails to detect even a single face. Our
user studies confirm that users are able to identify their
friends in over 99\% of the photos with faces unrecognizable
by software, and can solve over 94 percent of the challenges
with transformed photos.},
doi = {10.1145/2660267.2660317},
isbn = {978-1-4503-2957-6},
date = {2014-11},
url = {http://doi.acm.org/10.1145/2660267.2660317},
file = {files/papers/conference-papers/polakis_resoauth_2014.pdf}
}
@InProceedings{ antonini_knxmalware_2014,
shorttitle = {KNXMalware},
author = {Antonini, Alessio and Maggi, Federico and Zanero, Stefano},
title = {A Practical Attack Against a KNX-based Building Automation
System},
publisher = {BCS},
booktitle = {Proceedings of the 2Nd International Symposium on ICS \&
SCADA Cyber Security Research 2014},
series = {ICS-CSR 2014},
pages = {53--60},
location = {UK},
abstract = {Building automation systems rely heavily on general-purpose
computers and communication protocols, which are often
affected by security vulnerabilities. In this paper, we first
analyze the attack surface of a real building automation
system - based on the widely used KNX protocol-connected to a
general-purpose IP network. To this end, we analyze the
vulnerabilities of KNX-based networks highlighted by previous
research work, which, however, did not corroborate their
findings with experimental results. To verify the practical
exploitability of these vulnerabilities and their potential
impact, we implement a full-fledged testbed infrastructure
that reproduces the typical deployment of a building
automation system. On this testbed, we show the feasibility
of a practical attack that leverages and combines the
aforementioned vulnerabilities. We show the ease of reverse
engineering the vendor-specific components of the KNX
protocol. Our attack leverages the IP-to-KNX connectivity to
send arbitrary commands which are executed by the actuators.
We conclude that the vulnerabilities highlighted by previous
work are effectively exploitable in practice, with severe
results. Although we use KNX as a target, our work can be
generalized to other communication protocols, often
characterized by similar issues. Finally, we analyze the
countermeasures proposed in previous literature and reveal
the limitations that prevent their adoption in practice. We
suggest a practical stopgap measure to protect real KNX-based
BASs from our attack.},
doi = {10.14236/ewic/ics-csr2014.7},
isbn = {978-1-78017-286-6},
date = {2014-09},
url = {http://dx.doi.org/10.14236/ewic/ics-csr2014.7},
file = {files/papers/conference-papers/antonini_knxmalware_2014.pdf}
}
@InProceedings{ criscione_zarathustra_2014,
shorttitle = {Zarathustra},
author = {Criscione, Claudio and Bosatelli, Fabio and Zanero, Stefano
and Maggi, Federico},
title = {Zarathustra: Extracting WebInject Signatures from Banking
Trojans},
publisher = {IEEE Computer Society},
booktitle = {Proceedings of the Twelfth Annual International Conference
on Privacy, Security and Trust (PST)},
pages = {139--148},
location = {Toronto, Canada},
abstract = {Modern trojans are equipped with a functionality, called
WebInject, that can be used to silently modify a web page on
the infected end host. Given its flexibility, WebInject-based
malware is becoming a popular information-stealing mechanism.
In addition, the structured and well-organized
malware-as-a-service model makes revenue out of customization
kits, which in turns leads to high volumes of binary
variants. Analysis approaches based on memory carving to
extract the decrypted webinject.txt and config.bin files at
runtime make the strong assumption that the malware will
never change the way such files are handled internally, and
therefore are not future proof by design. In addition,
developers of sensitive web applications (e.g., online
banking) have no tools that they can possibly use to even
mitigate the effect of WebInjects.},
doi = {10.1109/PST.2014.6890933},
isbn = {978-1-4799-3502-4},
date = {2014-07},
file = {files/papers/conference-papers/criscione_zarathustra_2014.pdf}
}
@InProceedings{ lindorfer_andradar_2014,
shorttitle = {AndRadar},
author = {Lindorfer, Martina and Volanis, Stamatis and Sisto,
Alessandro and Neugschwandtner, Matthias and Athanasopoulos,
Elias and Maggi, Federico and Platzer, Christian and Zanero,
Stefano and Ioannidis, Sotiris},
title = {AndRadar: Fast Discovery of Android Applications in
Alternative Markets},
publisher = {Springer International Publishing},
editor = {Dietrich, Sven},
booktitle = {Detection of Intrusions and Malware, and Vulnerability
Assessment},
series = {Lecture Notes in Computer Science},
pages = {51--71},
abstract = {Compared to traditional desktop software, Android
applications are delivered through software repositories,
commonly known as application markets. Other mobile
platforms, such as Apple iOS and BlackBerry OS also use the
marketplace model, but what is unique to Android is the
existence of a plethora of alternative application markets.
This complicates the task of detecting and tracking Android
malware. Identifying a malicious application in one
particular market is simply not enough, as many instances of
this application may exist in other markets. To quantify this
phenomenon, we exhaustively crawled 8 markets between June
and November 2013. Our findings indicate that alternative
markets host a large number of ad-aggressive apps, a
non-negligible amount of malware, and some markets even allow
authors to publish known malicious apps without prompt
action. Motivated by these findings, we present AndRadar, a
framework for discovering multiple instances of a malicious
Android application in a set of alternative application
markets. AndRadar scans a set of markets in parallel to
discover similar applications. Each lookup takes no more than
a few seconds, regardless of the size of the marketplace.
Moreover, it is modular, and new markets can be transparently
added once the search and download URLs are known. Using
AndRadar we are able to achieve three goals. First, we can
discover malicious applications in alternative markets,
second, we can expose app distribution strategies used by
malware developers, and third, we can monitor how different
markets react to new malware. During a three-month evaluation
period, AndRadar tracked over 20,000 apps and recorded more
than 1,500 app deletions in 16 markets. Nearly 8\% of those
deletions were related to apps that were hopping from market
to market. The most established markets were able to react
and delete new malware within tens of days from the malicious
app publication date while other markets did not react at
all.},
doi = {10.1007/978-3-319-08509-8_4},
isbn = {978-3-319-08508-1 978-3-319-08509-8},
date = {2014-07},
url = {http://link.springer.com/chapter/10.1007/978-3-319-08509-8_4},
file = {files/papers/conference-papers/lindorfer_andradar_2014.pdf}
}
@InProceedings{ schiavoni_phoenix_2014,
shorttitle = {Phoenix},
author = {Schiavoni, Stefano and Maggi, Federico and Cavallaro,
Lorenzo and Zanero, Stefano},
title = {Phoenix: DGA-Based Botnet Tracking and Intelligence},
publisher = {Springer International Publishing},
editor = {Dietrich, Sven},
booktitle = {Proceedings of the International Conference on Detection of
Intrusions and Malware, and Vulnerability Assessment
(DIMVA)},
series = {Lecture Notes in Computer Science},
pages = {192--211},
abstract = {Modern botnets rely on domain-generation algorithms (DGAs)
to build resilient command-and-control infrastructures. Given
the prevalence of this mechanism, recent work has focused on
the analysis of DNS traffic to recognize botnets based on
their DGAs. While previous work has concentrated on
detection, we focus on supporting intelligence operations. We
propose Phoenix, a mechanism that, in addition to telling
DGA- and non-DGA-generated domains apart using a combination
of string and IP-based features, characterizes the DGAs
behind them, and, most importantly, finds groups of
DGA-generated domains that are representative of the
respective botnets. As a result, Phoenix can associate
previously unknown DGA-generated domains to these groups, and
produce novel knowledge about the evolving behavior of each
tracked botnet. We evaluated Phoenix on 1,153,516 domains,
including DGA-generated domains from modern, well-known
botnets: without supervision, it correctly distinguished DGA-
vs. non-DGA-generated domains in 94.8 percent of the cases,
characterized families of domains that belonged to distinct
DGAs, and helped researchers ``on the field'' in gathering
intelligence on suspicious domains to identify the correct
botnet.},
doi = {10.1007/978-3-319-08509-8_11},
isbn = {978-3-319-08508-1 978-3-319-08509-8},
date = {2014-07},
url = {http://link.springer.com/chapter/10.1007/978-3-319-08509-8_11},
file = {files/papers/conference-papers/schiavoni_phoenix_2014.pdf}
}
@InProceedings{ carminati_banksealer_2014,
shorttitle = {BankSealer},
author = {Carminati, Michele and Caron, Roberto and Maggi, Federico
and Epifani, Ilenia and Zanero, Stefano},
title = {BankSealer: An Online Banking Fraud Analysis and Decision
Support System},
publisher = {Springer Berlin Heidelberg},
editor = {Cuppens-Boulahia, Nora and Cuppens, Fr{\'e}d{\'e}ric and
Jajodia, Sushil and Kalam, Anas Abou El and Sans, Thierry},
booktitle = {ICT Systems Security and Privacy Protection},
series = {IFIP Advances in Information and Communication Technology},
pages = {380--394},
abstract = {We propose a semi-supervised online banking fraud analysis