@TechReport{ maggi_rfquack_tr_2021,
shorttitle = {RFQuack},
author = {Maggi, Federico and Guglielmini, Andrea},
title = {RFQuack: A Universal Hardware-Software Toolkit for Wireless
Protocol (Security) Analysis and Research},
institution = {arXiv},
abstract = {Software-defined radios (SDRs) are indispensable for signal
reconnaissance and physical-layer dissection, but even though we
have advanced tools like Universal Radio Hacker, SDR-based
approaches require substantial effort. In contrast, RF dongles
such as the popular Yard Stick One are easy to use and
guarantee a deterministic physical-layer implementation.
However, they're not very flexible, as each dongle is a
static hardware system with a monolithic firmware. We present
RFquack, an open-source tool and library firmware that
combines the flexibility of a software-based approach with
the determinism and performance of embedded RF frontends.
RFquack is based on a multi-radio hardware system with
swappable RF frontends, and a firmware that exposes a
uniform, hardware-agnostic API. RFquack focuses on a
structured firmware architecture that allows high- and
low-level interaction with the RF frontends. It facilitates
the development of host-side scripts and firmware plug-ins,
to implement efficient data-processing pipelines or
interactive protocols, thanks to the multi-radio support.
RFquack has an IPython shell and 9 firmware modules for:
spectrum scanning, automatic carrier detection and bitrate
estimation, headless operation with remote management,
in-flight packet filtering and manipulation, MouseJack, and
RollJam (as examples). We used RFquack to set up RF hacking
contests, analyze industrial-grade devices and key fobs, on
which we found and reported 11 vulnerabilities in their RF
protocols. },
date = {2021-04-06},
url = {https://arxiv.org/abs/2104.02551},
file = {files/papers/reports/maggi_rfquack_tr_2021.pdf}
}
@TechReport{ maggi_rogueautomationwp_tr_2020,
shorttitle = {RogueAutomationWP},
author = {Maggi, Federico and Pogliani, Marcello and Vittone, Martino
and Quarta, Davide and Zanero, Stefano and Balduzzi, Marco
and Vosseler, Rainer and Rösler, Martin},
title = {Rogue Automation: Vulnerable and Malicious Code in
Industrial Programming},
institution = {Trend Micro, Inc.},
abstract = {In this research paper, we reveal previously unknown design
flaws that malicious actors could exploit to hide malicious
functionalities in industrial robots and other automated,
programmable manufacturing machines. Since these flaws are
difficult to fix, enterprises that deploy vulnerable machines
could face serious consequences. An attacker could exploit
them to become persistent within a smart factory, silently
alter the quality of products, halt a manufacturing line, or
perform some other malicious activity.},
date = {2020-08-04},
url = {https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/unveiling-the-hidden-risks-of-industrial-automation-programming},
series = {Research Papers},
publisher = {Trend Micro Research},
file = {files/papers/reports/maggi_rogueautomationwp_tr_2020.pdf}
}
@TechReport{ maggi_smartfactorywp_tr_2020,
shorttitle = {SmartFactoryWP},
author = {Maggi, Federico and Pogliani, Marcello},
title = {Attacks on Smart Manufacturing Systems: A Forward-looking
Security Analysis},
institution = {Trend Micro, Inc.},
abstract = {This research presents a systematic security analysis that
we performed to explore a variety of attack vectors on a real
smart manufacturing system and to assess the attacks that
could be feasibly launched on a complex smart manufacturing
system. The main, two-pronged question we want to answer is:
Under which threat conditions and attacker capabilities are
certain attacks possible, and what are the consequences?},
date = {2020-05-11},
url = {https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/threats-and-consequences-a-security-analysis-of-smart-manufacturing-systems},
series = {Research Papers},
publisher = {Trend Micro Research},
file = {files/papers/reports/maggi_smartfactorywp_tr_2020.pdf}
}
@TechReport{ hilt_factoryhoneypotwp_tr_2020,
shorttitle = {FactoryHoneypotWP},
author = {Hilt, Stephen and Maggi, Federico and Perine, Charles and
Remorin, Lord and Rösler, Martin and Vosseler, Rainer},
title = {Caught in the Act: Running a Realistic Factory Honeypot to
Capture Real Threats},
institution = {Trend Micro, Inc.},
abstract = {Different critical infrastructures have been hit with
attacks such as those that involved the infamous Stuxnet
malware and the more recent Triton malware. These incidents
— attacks on manufacturing and other sectors that use
industrial control systems (ICSs) — continue to be heard of
through the years. In 2017, for instance, the notorious
WannaCry ransomware shut down a car manufacturing factory in
Japan, and another ransomware attack took down a factory in
North Carolina, U.S. Smart factories attract the interest of
threat actors for the critical and sensitive infrastructures
they usually handle. A successful attack, no matter how
difficult the execution, can yield high-impact results that
can corner an organization into giving in to
cybercriminals’ demands or, at the very least, cost it
considerable losses. Prompted by our desire to determine how
knowledgeable and imaginative attackers could be in
compromising a manufacturing facility, we built the most
realistic factory honeypot we had ever created. And in doing
so, we also created an ideal environment where we could
monitor and learn about the attacks that the honeypot came to
attract. From conceptualization to actual execution, our
factory honeypot was designed to be an attractive target for
potential cybercriminals. Our factory honeypot took on the
ruse of a small fictitious company that apparently handled
clients from critical industries yet possessed inadequate
security defenses. Our ruse proved successful as our honeypot
saw several attacks, which we had the freedom and resources
to monitor. These attacks included a malicious cryptocurrency
mining campaign, two ransomware attacks, another that posed
as a ransomware attack, and several scanners. In this research
paper, we detail the conceptualization and creation of our
most elaborate honeypot to date, and discuss the result of
our monitoring and tracking of the incidents that occurred on
the honeypot.},
date = {2020-01-21},
url = {https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/fake-company-real-threats-logs-from-a-smart-factory-honeypot},
series = {Research Papers},
publisher = {Trend Micro Research},
file = {files/papers/reports/hilt_factoryhoneypotwp_tr_2020.pdf}
}
@TechReport{ andersson_industrialradioswp_tr_2019,
shorttitle = {IndustrialRadiosWP},
author = {Andersson, Jonathan and Balduzzi, Marco and Hilt, Stephen
and Lin, Philippe and Maggi, Federico and Urano, Akira and
Vosseler, Rainer},
title = {A Security Analysis of Radio Remote Controllers for
Industrial Applications},
institution = {Trend Micro, Inc.},
abstract = {Radio frequency (RF) remote controllers are widely used in
manufacturing, construction, transportation, and many other
industrial applications. Cranes, drills, and miners, among
others, are commonly equipped with RF remotes. Unfortunately,
these devices have become the weakest link in these
safety-critical applications, characterized by long life
spans, high replacement costs, and cumbersome patching
processes. Given the pervasive connectivity promoted by the
Industry 4.0 trend, we foresee a security risk in this domain
as has happened in other fields.
Our research reveals that RF remote controllers are
distributed globally, and millions of vulnerable units are
installed on heavy industrial machinery and environments. Our
extensive in-lab and on-site analysis of devices made by
seven popular vendors reveals a lack of security features at
different levels, with obscure, proprietary protocols instead
of standard ones. They are vulnerable to command spoofing, so
an attacker can selectively alter their behavior by crafting
arbitrary commands — with consequences ranging from theft
and extortion to sabotage and injury.
This research analyzes and shows how an attacker can
persistently and remotely take control or simulate the
malfunction of the attached machinery, through attacks like
command injection, emergency-stop (e-stop) abuse, and
malicious re-pairing. In addition, many modern radio
controllers can be programmed via software, which also lacks
any security measures, opening them to remote attack vectors.
A remote attacker who compromises the computer used to
program these remotes can alter their firmware to implement
persistent and sophisticated attacks.
Having examined the root cause of the vulnerabilities that
make these attacks possible, we have reached out to the
affected vendors to promote suitable mitigation, and we hope
that our research will help raise awareness and avoid
unfortunate situations regarding RF remote controllers in
industrial applications.},
date = {2019-01-15},
url = {https://documents.trendmicro.com/assets/white_papers/wp-a-security-analysis-of-radio-remote-controllers.pdf},
series = {Research Papers},
publisher = {Trend Micro Research},
file = {files/papers/reports/andersson_industrialradioswp_tr_2019.pdf}
}
@TechReport{ maggi_mqttwp_tr_2018,
shorttitle = {MQTTWP},
author = {Maggi, Federico and Vosseler, Rainer and Quarta, Davide},
title = {The Fragility of Industrial IoT's Data Backbone: Security
and Privacy Issues in MQTT and CoAP Protocols},
institution = {Trend Micro, Inc.},
abstract = {The most popular protocols for machine-to-machine (M2M)
technology---the backbone of the internet of things (IoT) and
industrial internet of things (IIoT)---are affected by
security and privacy issues that impact several market
verticals, applications, products, and brands.
This report provides a holistic security analysis of the most
popular M2M protocols: Message Queuing Telemetry Transport
(MQTT) and Constrained Application Protocol (CoAP). Given
their flexibility, these data protocols are being adopted in
a variety of settings for consumer, enterprise, and
industrial applications to connect practically all kinds of
“machine,” from innocuous fitness trackers to large power
plants. We found issues in design as well as vulnerable
implementations, along with hundreds of thousands of unsecure
deployments. These issues highlight the risk of how endpoints
could be open to denial-of-service (DoS) attacks and, in some
cases, taken advantage of to gain full control by an
attacker. Despite the fixes in the design specifications, it
is hard for developers to keep up with a changing standard
when a technology becomes pervasive. Also, the market for
this technology is very wide because the barrier to entry is
fairly low. This has led to a multitude of fragmented
implementations.
This report is aimed at raising security awareness and
driving the adoption of proper remediation measures.},
date = {2018-12-04},
url = {https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/mqtt-and-coap-security-and-privacy-issues-in-iot-and-iiot-communication-protocols},
series = {Research Papers},
publisher = {Trend Micro Research},
file = {files/papers/reports/maggi_mqttwp_tr_2018.pdf}
}
@TechReport{ balduzzi_defplorexwp_tr_2018,
shorttitle = {DefPloreXWP},
author = {Balduzzi, Marco and Flores, Ryan and Gu, Lion and Maggi,
Federico and Ciancaglini, Vincenzo and Reyes, Roel and Urano,
Akira},
title = {A Deep Dive into Defacement: How Geopolitical Events Trigger
Web Attacks},
institution = {Trend Micro, Inc.},
abstract = {Web attacks—attacks that compromise internet assets like
mail servers, cloud infrastructures, and websites—are
troubling phenomena. The research community has put
considerable effort into investigating these incidents but
has mostly focused on detecting attacks and not delving into
the reasons behind these attacks.
Of course, the typical cybercriminal's goal is to profit.
They might compromise websites to push ransomware, or they
could try and steal data—recent breaches show that
information is an increasingly valuable commodity. But, as
this paper discusses, more emotional motivations, such as
patriotism, specific real-world events or simply hacktivism,
can also trigger compromises.
Web defacement hacktivism is the practice of subverting a
website with the goal of promoting a specific agenda or
political ideology. Methods may vary, but when hacktivists
compromise a website, the usual tactic involves replacing the
original page with their version—a practice that is called
web defacement. Hacktivism is mainly linked to web
defacement, but a hacktivist (the attacker) can also be
involved in traffic redirection (from a legitimate site to an
attacker-owned site), denial of service (a form of service
disruption), and malware distribution to support their
particular cause.
Dedicated websites like Zone-H collect evidence of web
defacements and defacers can voluntarily advertise their
compromise by submitting a report. Elaborating on the reasons
behind web defacements at scale is not as easy as it seems.
While someone could theorize that geopolitical events and
conflicts influence cybercriminals’ attacks against
websites and their choice of victims, corroborating this
phenomenon requires large-scale analysis.
Our examination of over 13 million web defacement reports
against websites spans over 18 years, covering multiple
continents. We designed an internal system that gathers,
analyzes, and clusters these millions of reports. As we
identify the major campaigns of these defacers, we can
provide further insights into how geopolitical events are
reflected in web defacements. We also look at how different
factors, such as the political beliefs and the defacers'
religious inclination, can trigger and affect these attacks.
Our first two sections provide high-level insights into our
dataset of defacements, as well as some defining facts about
the targets and tactics used by the defacers. Our next
section on Real World Impact breaks down seven top campaigns
that have affected Israel, France, India, Syria, Kosovo, and
countries surrounding the South China Sea. We delve into
specific conflicts in those areas and the defacements that
happened in the aftermath.
The succeeding sections cover the hacking groups'
affiliations and how their collectives are organized—some
collectives are formed across continents, and some are a
loose collection of local hackers. Recruitment tools and the
methods used to distribute hacking techniques are also
discussed.
The final sections discuss other activities that defacers
take part in, and how the current activities may evolve.
Recently, there have been incidents of hackers who have gone
from simple web defacement to activities supporting
cybercrime. There is a real possibility that defacers and
defacement groups will start to escalate their activities,
move away from ideological motivations, and turn into
cybercrime. },
date = {2018-01-22},
url = {https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf},
series = {Research Papers},
publisher = {TrendLabs},
file = {files/papers/reports/balduzzi_defplorexwp_tr_2018.pdf}
}
@TechReport{ maggi_candoswp_tr_2017,
shorttitle = {CANDoSWP},
author = {Maggi, Federico},
title = {A Vulnerability in Modern Automotive Standards and How We
Exploited It},
institution = {Trend Micro, Inc.},
abstract = {This research is a joint effort between Politecnico di
Milano, Linklayer Labs, and Trend Micro's FTR. In this
report, we describe a vulnerability in modern cars’
networks that allows a completely stealthy denial-of-service
attack which is undetectable by current security mechanisms
and works for every automotive vendor. This attack differs
drastically from other previously reported car hacks because
it does not exploit easily patchable software
vulnerabilities. Rather, the element exploited is a design
flaw, which is thus fundamentally hard to solve, in the
standard that defines how in-vehicle networks work.
This attack was presented at the 2017 international
conference on Detection of Intrusions and Malware \&
Vulnerability Assessment (DIMVA) in Bonn (Jul 6–7). Prior
to that, we coordinated with the ICS-CERT, which promptly
disseminated an alert (ICS-ALERT-17-209-01).},
date = {2017-08},
url = {https://documents.trendmicro.com/assets/A-Vulnerability-in-Modern-Automotive-Standards-and-How-We-Exploited-It.pdf},
publisher = {TrendLabs Security Intelligence Blog},
series = {Technical Brief},
file = {files/papers/reports/maggi_candoswp_tr_2017.pdf}
}
@TechReport{ maggi_robotswp_tr_2017,
shorttitle = {RobotsWP},
author = {Maggi, Federico and Quarta, Davide and Pogliani, Marcello
and Polino, Mario and Zanchettin, Andrea M. and Zanero,
Stefano},
title = {Rogue Robots: Testing the Limits of an Industrial Robot’s
Security},
institution = {Trend Micro, Inc.},
abstract = {Vulnerabilities in protocols and software running industrial
robots are by now widely known, but to date, there has been
no in-depth, hands-on research that demonstrates to what
extent robots can actually be compromised. For the first
time, with this research—a collaboration between
Politecnico di Milano (POLIMI) and the Trend Micro
Forward-Looking Threat Research (FTR) Team—we have been
able to analyze the impact of system-specific attacks and
demonstrate attack scenarios on actual standard industrial
robots in a controlled environment. In industrial devices,
the impact of a single, simple software vulnerability can
already have serious consequences. Depending on the actual
setup and security posture of the targeted smart factory,
attackers could trigger attacks that could amount to massive
financial damage to the company in question or at worst, even
affect critical goods. Almost all industry sectors that are
critical for a nation are potentially at risk.
Unfortunately, the Industry 4.0 revolution is just bringing
industrial robots closer to the forefront. As improvements in
the way industrial robots work and communicate increase their
complexity and interconnectedness, the industrial robots
sector unlocks a broader attack surface. In our security
analysis, we found that the software running on these devices
is outdated; based on vulnerable OSs and libraries, sometimes
relying on obsolete or cryptographic libraries; and have weak
authentication systems with default, unchangeable
credentials. Additionally, the Trend Micro FTR Team found
tens of thousands of industrial devices residing on public IP
addresses, which could include exposed industrial robots,
further increasing the risk that an attacker can access and
hack them.
The impact of vulnerabilities, for example on robots, is what
makes our findings a very loud wake-up call for the
industrial control systems (ICS) sector. To quantify such
impact, our security analysis revealed that industrial robots
must follow three fundamental laws—accurately “read”
from the physical world through sensors and “write”
(i.e., perform actions) through motors and tools, refuse to
execute self-damaging control logic, and most importantly,
echo one of the “Laws of Robotics” (devised by Isaac
Asimov, a popular science writer) to never harm humans. Then,
by combining the set of vulnerabilities that we discovered on
a real, standard robot installed in our laboratory, we
demonstrated how remote attackers can violate such
fundamental laws up to the point where they can alter or
introduce minor defects in the manufactured product,
physically damage the robot, steal industry secrets, or
injure humans. We then considered some threat scenarios on
how attackers capitalized on these attacks, as in an act of
sabotage or a ransomware-like scheme.
On the one hand, industrial devices are designed according to
strict physical security and safety standards in order to
work in rough conditions with extreme temperature ranges,
vibrations, and electromagnetic noise. On the other, because
of the ubiquity and flexibility demanded by the Industry 4.0
trend, industrial devices are being designed to be flexible,
easy to deploy, and to not necessarily require any special
security or IT skills. These opposing design requirements
make producers very prone to introducing software bugs.
Rather than concluding this paper with a classic checklist
for ICS vendors, we reflected on reasons why the situation
has not changed much over the years. Thus, we provided a
series of research and engineering challenges that we believe
will make a difference in the journey to secure the Industry
4.0 ecosystem. On this journey toward improving the security
posture of robots in the Industry 4.0 setting, we also began
reaching out to vendors, among whom ABB Robotics stood out in
that it readily welcomed suggestions we had to offer and even
started working on a response plan that will affect its
current product line without losing time.},
date = {2017-05},
url = {https://documents.trendmicro.com/assets/wp/wp-industrial-robot-security.pdf},
series = {Research Papers},
publisher = {TrendLabs},
file = {files/papers/reports/maggi_robotswp_tr_2017.pdf}
}
@TechReport{ maggi_eusyssec_tr_2015,
shorttitle = {EUSysSec},
author = {Maggi, Federico and Zanero, Stefano and Markatos,
Evangelos},
title = {European Cyber-Security Research and Innovation},
number = {43},
abstract = {Looking back at the evolution of cyber criminal activities,
from the nineties to the present day, we observe interesting
trends coming together in what may seem a perfectly
orchestrated scene. In parallel with the `security by
design', we recall the importance of reactive security in a
field of ever-changing arms races.},
date = {2015-01},
url = {http://ercim-news.ercim.eu/en100/r-i/european-cyber-security-research-and-innovation},
series = {ERCIM News},
pages = {43},
file = {files/papers/reports/maggi_eusyssec_tr_2015.pdf}
}
@TechReport{ bazzoli_xsspeeker_tr_2014,
shorttitle = {XSSPeeker},
author = {Bazzoli, Enrico and Criscione, Claudio and Maggi, Federico
and Zanero, Stefano},
title = {XSS Peeker: A Systematic Analysis of Cross-site Scripting
Vulnerability Scanners},
institution = {arXiv},
abstract = {Since the first publication of the "OWASP Top 10" (2004),
cross-site scripting (XSS) vulnerabilities have always been
among the top 5 web application security bugs. Black-box
vulnerability scanners are widely used in the industry to
reproduce (XSS) attacks automatically. In spite of the
technical sophistication and advancement, previous work
showed that black-box scanners miss a non-negligible portion
of vulnerabilities, and report non-existing, non-exploitable
or uninteresting vulnerabilities. Unfortunately, these
results hold true even for XSS vulnerabilities, which are
relatively simple to trigger if compared, for instance, to
logic flaws. Black-box scanners have not been studied in
depth on this vertical: knowing precisely how scanners try to
detect XSS can provide useful insights to understand their
limitations, to design better detection methods. In this
paper, we present and discuss the results of a detailed and
systematic study on 6 black-box web scanners (both
proprietary and open source) that we conducted in
coordination with the respective vendors. To this end, we
developed an automated tool to (1) extract the payloads used
by each scanner, (2) distill the "templates" that have
originated each payload, (3) evaluate them according to
quality indicators, and (4) perform a cross-scanner analysis.
Unlike previous work, our testbed application, which contains
a large set of XSS vulnerabilities, including DOM XSS, was
gradually retrofitted to accommodate for the payloads that
triggered no vulnerabilities. Our analysis reveals a highly
fragmented scenario. Scanners exhibit a wide variety of
distinct payloads, a non-uniform approach to fuzzing and
mutating the payloads, and a very diverse detection
effectiveness.},
date = {2014-10-15},
url = {http://arxiv.org/abs/1410.4207},
file = {files/papers/reports/bazzoli_xsspeeker_tr_2014.pdf}
}
@TechReport{ gianazza_puppetdroid_tr_2014,
shorttitle = {PuppetDroid},
author = {Gianazza, Andrea and Maggi, Federico and Fattori, Aristide
and Cavallaro, Lorenzo and Zanero, Stefano},
title = {PuppetDroid: A User-Centric UI Exerciser for Automatic
Dynamic Analysis of Similar Android Applications},
institution = {arXiv},
abstract = {Popularity and complexity of malicious mobile applications
are rising, making their analysis difficult and labor
intensive. Mobile application analysis is indeed inherently
different from desktop application analysis: In the latter,
the interaction of the user (i.e., victim) is crucial for the
malware to correctly expose all its malicious behaviors. We
propose a novel approach to analyze (malicious) mobile
applications. The goal is to exercise the user interface (UI)
of an Android application to effectively trigger malicious
behaviors, automatically. Our key intuition is to record and
reproduce the UI interactions of a potential victim of the
malware, so as to stimulate the relevant behaviors during
dynamic analysis. To make our approach scale, we
automatically re-execute the recorded UI interactions on apps
that are similar to the original ones. These characteristics
make our system orthogonal and complementary to current
dynamic analysis and UI-exercising approaches. We developed
our approach and experimentally showed that our stimulation
allows to reach a higher code coverage than automatic UI
exercisers, so to unveil interesting malicious behaviors that
are not exposed when using other approaches. Our approach is
also suitable for crowdsourcing scenarios, which would push
further the collection of new stimulation traces. This can
potentially change the way we conduct dynamic analysis of
(mobile) applications, from fully automatic only, to
user-centric and collaborative too.},
date = {2014-02-19},
url = {http://arxiv.org/abs/1402.4826},
file = {files/papers/reports/gianazza_puppetdroid_tr_2014.pdf}
}
@TechReport{ schiavoni_phoenix_tr_2013,
shorttitle = {Phoenix},
author = {Schiavoni, Stefano and Maggi, Federico and Cavallaro,
Lorenzo and Zanero, Stefano},
title = {Tracking and Characterizing Botnets Using Automatically
Generated Domains},
institution = {arXiv},
abstract = {Modern botnets rely on domain-generation algorithms (DGAs)
to build resilient command-and-control infrastructures.
Recent works focus on recognizing automatically generated
domains (AGDs) from DNS traffic, which potentially allows to
identify previously unknown AGDs to hinder or disrupt
botnets' communication capabilities. The state-of-the-art
approaches require to deploy low-level DNS sensors to access
data whose collection poses practical and privacy issues,
making their adoption problematic. We propose a mechanism
that overcomes the above limitations by analyzing DNS traffic
data through a combination of linguistic and IP-based
features of suspicious domains. In this way, we are able to
identify AGD names, characterize their DGAs and isolate
logical groups of domains that represent the respective
botnets. Moreover, our system enriches these groups with new,
previously unknown AGD names, and produce novel knowledge
about the evolving behavior of each tracked botnet. We used
our system in real-world settings, to help researchers that
requested intelligence on suspicious domains and were able to
label them as belonging to the correct botnet automatically.
Additionally, we ran an evaluation on 1,153,516 domains,
including AGDs from both modern (e.g., Bamital) and
traditional (e.g., Conficker, Torpig) botnets. Our approach
correctly isolated families of AGDs that belonged to distinct
DGAs, and set automatically generated from non-automatically
generated domains apart in 94.8 percent of the cases.},
date = {2013-11-21},
url = {http://arxiv.org/abs/1311.5612},
file = {files/papers/reports/schiavoni_phoenix_tr_2013.pdf}
}
@TechReport{ kochanek_cartox_tr_2012,
shorttitle = {CarToX},
author = {Kochanek, Roman and Dardanelli, Andrea and Maggi, Federico
and Zanero, Stefano and Tanelli, Mara and Savaresi, Sergio
and Holz, Thorsten},
title = {Secure Integration of Mobile Devices for Automotive
Services},
institution = {Politecnico di Milano},
number = {2012-09},
abstract = {Modern vehicles, and in particular electric vehicles, are
increasingly being equipped with interconnected computer
systems, which collect information through vehicular sources
and remote, Internet-connected services. Unfortunately, this
creates a non-negligible attack surface, which extends even
more when vehicles are integrated with smartphones to offer
advanced services. In fact, embedded systems on vehicles have
been developed to address safety, not security requirements.
Furthermore, vehicles have real-time constraints, and the
typical embedded architectures used on board significantly
complicate security designs. In this paper, we introduce a
communication framework that addresses these challenges and
we demonstrate how a smartphone can interact with a vehicle
in a secure and safe manner. To this end, we design a
security session layer that ensures end-to-end security
transparently. We conduct an experimental evaluation on a
real implementation of our security layer, which shows that
our solution is practical and easy to use, satisfies
performance constraints, and meets real-time requirements by
taking into account the limited capabilities of our target
architecture. More precisely, we implement our approach for
an electrically-powered two-wheeler manufactured by Piaggio,
and show how a smartphone can interact via a wireless link
with the battery-life controller in a secure manner.
Interestingly, our approach is not limited to vehicles, but
can be used in other application domains where a smartphone
needs to securely interact with an embedded device.},
date = {2012-06-01},
file = {files/papers/reports/kochanek_cartox_tr_2012.pdf}
}
@TechReport{ maggi_cloudids_tr_2010,
shorttitle = {CloudIDS},
author = {Maggi, Federico and Zanero, Stefano},
title = {Rethinking security in a cloudy world},
institution = {Politecnico di Milano},
number = {2010-11},
abstract = {The world of information and communication technology is
experiencing changes that, regardless of some skepticism, are
bringing to life the concept of ``utility computing''. The
nostalgics observed a parallel between the emerging paradigm
of cloud computing and the traditional time-sharing era,
depicting clouds as the modern reincarnation of mainframes
available on a pay-per-use basis, and equipped with virtual,
elastic, paid disks-as-a-service that replace the old
physical disks with quotas. This comparison is fascinating,
but more importantly, in our opinion, it prepares the ground
for constructive critiques regarding the security of such a
computing paradigm. In this paper we explore similar
analogies to discuss our position about the current
countermeasures (e.g., intrusion detection systems,
anti-viruses), developed to mitigate well-known security
threats. By reasoning on said affinities, we focus on the
simple case of anomaly-based approaches, which are employed
in many modern protection tools, not just in intrusion
detectors. We illustrate our position by the means of a
simple running example and show that attacks against
injection vulnerabilities, a current menace that is easily
recognizable with ordinary anomaly-based checks, can be
difficult to detect if web services are assumed to be regular
web applications. Along this line, we concentrate on a few,
critical hypotheses that demand particular attention. We
conclude that, although only a minority of threats qualify as
novel, they are well camouflaged and can be difficult to
recognize behind the confusion caused by the cloud computing
excitement.},
date = {2010-11-11},
file = {files/papers/reports/maggi_cloudids_tr_2010.pdf}
}
@TechReport{ maggi_iclearshot_tr_2010,
shorttitle = {iClearshot},
author = {Maggi, Federico and Volpatto, Alberto and Gasparini, Simone
and Boracchi, Giacomo and Zanero, Stefano},
title = {Don't touch a word! A practical input eavesdropping attack
against mobile touchscreen devices},
institution = {Politecnico di Milano},
number = {2010-59},
abstract = {Spying on a person is a subtle, yet easy and reliable method
to obtain sensitive information. Even if the victim is well
protected from digital attacks, spying may be a viable
option. In addition, the pervasiveness of mobile devices
increases an attacker's opportunities to observe the victims
while they are accessing or entering sensitive information.
This risk is exacerbated by the remarkable user-friendliness
of modern, mobile graphical interfaces, which, for example,
display visual feedback to improve the user experience and
make common tasks, e.g.,
typing, more natural. Unfortunately, this turns into the
well-known trade-off between usability and security. In this
work, we focus on how usability of modern mobile interfaces
may affect the users' privacy. In particular, we describe a
practical eavesdropping attack, able to recognize the
sequence of keystrokes from a low-resolution video, recorded
while the victim is typing on a touchscreen. Our attack
exploits the fact that modern virtual keyboards, as opposed
to mechanical ones, often display magnified, virtual keys in
predictable positions. To demonstrate the feasibility of this
attack we implemented it against 2010's most popular
smart-phone (i.e., Apple's iPhone). Our approach works under
realistic conditions, because it tracks and rectifies the
target screen according to the victim's natural movements,
before performing the keystroke recognition. On real-world
settings, our attack can automatically recognize up to
97.07\% (91.03\% on average) of the keystrokes, with a 1.15\%
error rate and a speed between 37 and 51 keystrokes per
minute. This work confirms that touchscreen keyboards that
magnify keys make automatic eavesdropping attacks easier than
in classic mobile keyboards.},
date = {2010-11-01},
file = {files/papers/reports/maggi_iclearshot_tr_2010.pdf}
}
@TechReport{ maggi_traces_tr_2008,
shorttitle = {Traces},
author = {Maggi, Federico},
title = {Specification and Evaluation of an Efficient Recognizer for
Rational Trace Languages},
institution = {Politecnico di Milano},
number = {2008-23},
abstract = {An improved, one-pass version of a two-pass, Earley-like
recognition algorithm is here proposed to solve the
Membership Problem for rational trace languages in polynomial
time. The algorithm is first described through the formal
specification of what we called a Non Deterministic Buffer
Machine (NDBM); secondly, the recognition is detailed through
a deterministic algorithm along with some running examples.
In addition, we describe our prototype implementation of the
algorithm used to empirically evaluate the performance and
the characteristics of the proposed solution. To this end, we
designed pseudo-random testing data generators that are here
described as well.},
date = {2008-06-01},
file = {files/papers/reports/maggi_traces_tr_2008.pdf}
}
@TechReport{ maggi_recordmatching_tr_2008,
shorttitle = {RecordMatching},
author = {Maggi, Federico},
title = {A Survey of Probabilistic Record Matching Models, Techniques
and Tools},
institution = {Politecnico di Milano},
number = {2008-22},
abstract = {Probabilistic record linkage concerns the use of stochastic
decision models to solve the problem of record linkage (also
known as record matching). Data quality has become a key
aspect in many institutions and the demand for novel,
effective techniques is increasing. Record linkage in general
has been studied in the last three decades and a solid
probabilistic decision framework has been proposed along with
several extensions and specific estimation methods. This
paper is a survey work narrowed to the most recent and
promising approaches also including a selection of data
cleansing tools based on probabilistic decision models.},
date = {2008-04-01},
file = {files/papers/reports/maggi_recordmatching_tr_2008.pdf}
}