Your search keyword '"FEDERICO MAGGI"' showing total 8 results

1. Detecting Insecure Code Patterns in Industrial Robot Programs

Author

Stefano Zanero, Federico Maggi, Marcello Pogliani, Davide Quarta, and Marco Balduzzi

Subjects

File system, 021110 strategic, defence & security studies, business.industry, Computer science, Project commissioning, 0211 other engineering and technologies, 02 engineering and technology, computer.software_genre, law.invention, Task (project management), Set (abstract data type), Industrial robot, law, 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Robot, 020201 artificial intelligence & image processing, Industrial robotics, Software engineering, business, computer

Abstract

Industrial robots are complex and customizable machines that can be programmed with proprietary domain-specific languages. These languages provide not only movement instructions, but also access to low-level system resources such as the network or the file system. Although useful, these features can lead to taint-style vulnerabilities and can be misused to implement malware---on par with general-purpose programming languages. In this paper, we analyze the languages of $8$ leading industrial robot vendors, systematize their technical features, and discuss cases of vulnerable and malicious uses. We then describe a static source-code analyzer that we created to analyze robotic programs and discover insecure or potentially malicious code paths. We focused our proof-of-concept implementation on two popular languages, namely ABB's RAPID and KUKA's KRL. By evaluating our tool on a set of publicly available programs, we show that insecure patterns are found in real-world code; therefore, static source-code analysis is an effective security screening mechanism, for example to prevent commissioning insecure or malicious industrial task programs. Finally, we discuss remediation steps that developers and vendors can adopt to mitigate such issues.

Published

2020

2. Investigating Web Defacement Campaigns at Large

Author

Marco Balduzzi, Ryan Flores, Vincenzo Ciancaglini, Lion Gu, and Federico Maggi

Subjects

Website defacement, World Wide Web, Structure (mathematical logic), Computer science, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, 02 engineering and technology, Field (computer science)

Abstract

Website defacement is the practice of altering the web pages of a website after its compromise. The altered pages, calleddeface pages, can negatively affect the reputation and business of the victim site. Previous research has focused primarily on detection, rather than exploring the defacement phenomenon in depth. While investigating several defacements, we observed that the artifacts left by the defacers allow an expert analyst to investigate the actors' modus operandi and social structure, and expand from the single deface page to a group of related defacements (i.e., acampaign ). However, manually performing such analysis on millions of incidents is tedious, and poses scalability challenges. From these observations, we propose an automated approach that efficiently builds intelligence information out of raw deface pages. Our approach streamlines the analysts job by automatically recognizing defacement campaigns, and assigning meaningful textual labels to them. Applied to a comprehensive dataset of 13 million defacement records, from Jan. 1998 to Sept. 2016, our approach allowed us to conduct the first large-scale measurement on web defacement campaigns. In addition, our approach is meant to be adopted operationally by analysts to identify live campaigns on the field. We go beyond confirming anecdotal evidence. We analyze the social structure of modern defacers, which includes lone individuals as well as actors that cooperate with each others, or with teams, which evolve over time and dominate the scene. We conclude by drawing a parallel between the time line of World-shaping events and defacement campaigns, representing the evolution of the interests and orientation of modern defacers.

Published

2018

3. ShieldFS

Author

Alessandro Guagnelli, Alessandro Barenghi, Stefano Zanero, Federico Maggi, Giovanni Zingaro, Andrea Continella, and Giulio De Pasquale

Subjects

Computer science, Self-healing, 0202 electrical engineering, electronic engineering, information engineering, Ransomware, Operating system, Protection layer, 020206 networking & telecommunications, 020201 artificial intelligence & image processing, 02 engineering and technology, computer.software_genre, Computer security, computer

Abstract

Preventive and reactive security measures can only partially mitigate the damage caused by modern ransomware attacks. Indeed, the remarkable amount of illicit profit and the cyber-criminals' increasing interest in ransomware schemes suggest that a fair number of users are actually paying the ransoms. Unfortunately, pure-detection approaches (e.g., based on analysis sandboxes or pipelines) are not sufficient nowadays, because often we do not have the luxury of being able to isolate a sample to analyze, and when this happens it is already too late for several users! We believe that a forward-looking solution is to equip modern operating systems with practical self-healing capabilities against this serious threat. Towards such a vision, we propose ShieldFS, an add-on driver that makes the Windows native filesystem immune to ransomware attacks. For each running process, ShieldFS dynamically toggles a protection layer that acts as a copy-on-write mechanism, according to the outcome of its detection component. Internally, ShieldFS monitors the low-level filesystem activity to update a set of adaptive models that profile the system activity over time. Whenever one or more processes violate these models, their operations are deemed malicious and the side effects on the filesystem are transparently rolled back. We designed ShieldFS after an analysis of billions of low-level, I/O filesystem requests generated by thousands of benign applications, which we collected from clean machines in use by real users for about one month. This is the first measurement on the filesystem activity of a large set of benign applications in real working conditions. We evaluated ShieldFS in real-world working conditions on real, personal machines, against samples from state of the art ransomware families. ShieldFS was able to detect the malicious activity at runtime and transparently recover all the original files. Although the models can be tuned to fit various filesystem usage profiles, our results show that our initial tuning yields high accuracy even on unseen samples and variants.

Published

2016

4. Grab 'n Run

Author

Stefano Zanero, Yanick Fratantonio, Christopher Kruegel, Giovanni Vigna, Federico Maggi, and Luca Falsina

Subjects

Computer science, business.industry, Code reuse, Vulnerability, Usability, computer.software_genre, Extensibility, Open source, Native API, Operating system, Code injection, Android (operating system), business, computer

Abstract

Android introduced the dynamic code loading (DCL) mechanism to allow for code reuse, to achieve extensibility, to enable updating functionalities, or to boost application start-up performance. In spite of its wide adoption by developers, previous research has shown that the secure implementation of DCL-based functionality is challenging, often leading to remote code injection vulnerabilities. Unfortunately, previous attempts to address this problem by both the academic and Android developers communities are affected by either practicality or completeness issues, and, in some cases, are affected by severe vulnerabilities. In this paper, we propose, design, implement, and test Grab 'n Run, a novel code verification protocol and a series of supporting libraries, APIs, and tools, that address the problem by abstracting away from the developer many of the challenging implementation details. Grab 'n Run is designed to be practical: Among its tools, it provides a drop-in library, which requires no modifications to the Android framework or the underlying Dalvik/ART runtime, is very similar to the native API, and most code can be automatically rewritten to use it. Grab 'n Run also contains an application-rewriting tool, which allows to easily port legacy or third-party applications to use the secure APIs developed in this work. We evaluate the Grab 'n Run library with a user study, obtaining very encouraging results in vulnerability reduction, ease of use, and speed of development. We also show that the performance overhead introduced by our library is negligible. For the benefit of the security of the Android ecosystem, we released Grab 'n Run as open source.

Published

2015

5. Stranger danger

Author

Christopher Kruegel, Wouter Joosen, Gianluca Stringhini, Stefano Zanero, Nick Nikiforakis, Federico Maggi, Giovanni Vigna, M. Zubair Rafique, Frank Piessens, Chung, Chin-Wan, Broder, Andrei Z, Shim, Kyuseok, and Suel, Torsten

Subjects

HTML5, malware, Computer science, business.industry, Internet privacy, advertising, iframe, short URLs, Space (commercial competition), computer.software_genre, URL shortening, Malware, business, computer

Abstract

URL shortening services facilitate the need of exchanging long URLs using limited space, by creating compact URL aliases that redirect users to the original URLs when followed. Some of these services show advertisements (ads) to link-clicking users and pay a commission of their advertising earnings to link-shortening users. In this paper, we investigate the ecosystem of these increasingly popular ad-based URL shortening services. Even though traditional URL shortening services have been thoroughly investigated in previous research, we argue that, due to the monetary incentives and the presence of third-party advertising networks, ad-based URL shortening services and their users are exposed to more hazards than traditional shortening services. By analyzing the services themselves, the advertisers involved, and their users, we uncover a series of issues that are actively exploited by malicious advertisers and endanger the users. Moreover, next to documenting the ongoing abuse, we suggest a series of defense mechanisms that services and users can adopt to protect themselves. ispartof: pages:51-62 ispartof: Proceedings of the 23rd International World Wide Web Conference (WWW 2014) pages:51-62 ispartof: World Wide Web Conference location:Seoul, Korea date:7 Apr - 11 Apr 2014 status: published

Published

2014

6. AndroTotal

Author

Stefano Zanero, Andrea Valdi, and Federico Maggi

Subjects

Software_OPERATINGSYSTEMS, Computer science, computer.file_format, computer.software_genre, Computer security, Mobile malware, Toolbox, Cryptovirology, World Wide Web, Conceptual framework, Scalability, Malware, Executable, Android (operating system), computer

Abstract

Although there are controversial opinions regarding how large the mobile malware phenomenon is in terms of absolute numbers, hype aside, the amount of new Android malware variants is increasing. This trend is mainly due to the fact that, as it happened with traditional malware, the authors are striving to repackage, obfuscate, or otherwise transform the executable code of their malicious apps in order to evade mobile security apps. There are about 85 of these apps only on the official marketplace. However, it is not clear how effective they are. Indeed, the sandboxing mechanism of Android does not allow (security) apps to audit other apps.We present AndroTotal, a publicly available tool, malware repository and research framework that aims at mitigating the above challenges, and allow researchers to automatically scan Android apps against an arbitrary set of malware detectors. We implemented AndroTotal and released it to the research community in April 2013. So far, we collected 18,758 distinct submitted samples and received the attention of several research groups (1,000 distinct accounts), who integrated their malware-analysis services with ours.

Published

2013

7. All your face are belong to us: breaking Facebook's social authentication

Author

Georgios Kontaxis, Marco Lancini, Stefano Zanero, Angelos D. Keromytis, Iasonas Polakis, Federico Maggi, and Sotiris Ioannidis

Subjects

Casual, business.industry, Computer science, Internet privacy, Face (sociological concept), 020206 networking & telecommunications, Cloud computing, 02 engineering and technology, Attack surface, Computer security, computer.software_genre, Facial recognition system, Authentication (law), Threat model, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, business, Social circle, computer

Abstract

Two-factor authentication is widely used by high-value services to prevent adversaries from compromising accounts using stolen credentials. Facebook has recently released a two-factor authentication mechanism, referred to as Social Authentication, which requires users to identify some of their friends in randomly selected photos. A recent study has provided a formal analysis of social authentication weaknesses against attackers inside the victim's social circles. In this paper, we extend the threat model and study the attack surface of social authentication in practice, and show how any attacker can obtain the information needed to solve the challenges presented by Facebook. We implement a proof-of-concept system that utilizes widely available face recognition software and cloud services, and evaluate it using real public data collected from Facebook. Under the assumptions of Facebook's threat model, our results show that an attacker can obtain access to (sensitive) information for at least 42% of a user's friends that Facebook uses to generate social authentication challenges. By relying solely on publicly accessible information, a casual attacker can solve 22% of the social authentication tests in an automated fashion, and gain a significant advantage for an additional 56% of the tests, as opposed to just guessing. Additionally, we simulate the scenario of a determined attacker placing himself inside the victim's social circle by employing dummy accounts. In this case, the accuracy of our attack greatly increases and reaches 100% when 120 faces per friend are accessible by the attacker, even though it is very accurate with as little as 10 faces.

Published

2012

8. Lines of malicious code: insights into the malicious software industry

Author

Alessandro Di Federico, Martina Lindorfer, Federico Maggi, Stefano Zanero, and Paolo Milani Comparetti

Subjects

021110 strategic, defence & security studies, Software_OPERATINGSYSTEMS, Cyber-collection, business.industry, Computer science, 0211 other engineering and technologies, Software development, 02 engineering and technology, 16. Peace & justice, computer.software_genre, Computer security, Cryptovirology, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Software, Component (UML), 0202 electrical engineering, electronic engineering, information engineering, Code (cryptography), Malware, 020201 artificial intelligence & image processing, business, computer, Asprox botnet

Abstract

Malicious software installed on infected computers is a fundamental component of online crime. Malware development thus plays an essential role in the underground economy of cyber-crime. Malware authors regularly update their software to defeat defenses or to support new or improved criminal business models. A large body of research has focused on detecting malware, defending against it and identifying its functionality. In addition to these goals, however, the analysis of malware can provide a glimpse into the software development industry that develops malicious code.In this work, we present techniques to observe the evolution of a malware family over time. First, we develop techniques to compare versions of malicious code and quantify their differences. Furthermore, we use behavior observed from dynamic analysis to assign semantics to binary code and to identify functional components within a malware binary. By combining these techniques, we are able to monitor the evolution of a malware's functional components. We implement these techniques in a system we call Beagle, and apply it to the observation of 16 malware strains over several months. The results of these experiments provide insight into the effort involved in updating malware code, and show that Beagle can identify changes to individual malware components.

Published

2012