@unpublished{yen_ddsbheu_talk_2021,
  shorttitle   = {DDSBHEU},
  author       = {Yen, Ta-Lun and Maggi, Federico and Boasson, Erik},
  title        = {The Data Distribution Service (DDS) Protocol is Critical:
                  Let's Use it Securely!},
  eventtitle   = {Black Hat Briefings Europe},
  abstract     = {We discovered and disclosed vulnerabilities in most of the
                  OMG Data Distribution Service (DDS) implementations. DDS
                  enables crucial technologies like autonomous driving,
                  healthcare machinery, military tactical systems, or missile
                  launch stations. Notably, DDS is used by NASA at the KSC, by
                  SIEMENS for smart grid applications, by Volkswagen and Bosch
                  for autonomous valet parking systems, by NAV CANADA for ATC,
                  and by the Robot Operating System 2 (ROS2) to control
                  industrial and consumer robots.
                  Designed around industrial-level requirements, DDS sits deep
                  in the control network, allowing an arbitrary number of
                  endpoints like sensors or actuators to communicate
                  transparently, with an abstract API based on familiar data
                  type specifications (e.g., C structs) and simple function
                  calls, regardless of the complexity of the data.
                  We approached DDS from the bottom up, and we will show you
                  how we wrote a Scapy layer to guide you through the packet
                  structure. Although network fuzzing wasn't directly
                  effective, it greatly helped us to master the tiny details of
                  DDS. This led us to find an amplification vulnerability in
                  the standard, which allows an attacker to redirect flood an
                  arbitrary host. DDS configuration is highly dependent on XML,
                  JSON, YAML, or similar formats, which make them another
                  attack vector. By writing a Radamsa-based file fuzzer we
                  found a parsing vulnerability in RTI DDS Connector, so an
                  attacker can use a malicious configuration file to gain
                  initial access. We then focus on fuzzing the message
                  interpretation routines in all implementations. Using
                  concrete examples, we explain how to pick good fuzz targets
                  and prepare them for popular frameworks like OSS-Fuzz and
                  UnicornAFL.
                  We take you from knowing nothing about DDS to efficiently
                  researching new vulnerabilities, which we encourage other
                  researchers, DDS users and implementors to do. We report on
                  our interactions with some of the DDS implementors, which we
                  believe is the first concrete step towards securing this
                  critical protocol in the long run. We release fuzzing
                  harnesses and a Scapy layer to decode the DDS RTPS layer.},
  location     = {London, UK},
  url          = {https://www.blackhat.com/eu-21/briefings/schedule/index.html#the-data-distribution-service-dds-protocol-is-critical-lets-use-it-securely-24934},
  date         = {2021-11-08},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/yen_ddsbheu_talk_2021.pdf}
}
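@comment{The url field below is the Black Hat USA 2020 OTRazor schedule link (byte-identical to the one in maggi_otrazorbhus_talk_2020); the us-21 schedule link for this talk still has to be substituted.}
@unpublished{mayoral-vilches_smallwonderbhus_talk_2021,
  shorttitle   = {SmallWonderBHUS},
  author       = {Mayoral-Vilches, Víctor and Maggi, Federico},
  title        = {Small Wonder: Uncovering Planned Obsolescence Practices in
                  Robotics and What This Means for Cybersecurity},
  eventtitle   = {Black Hat Briefings USA},
  abstract     = {Security in robotics is nothing really new if one considers
                  modern OT and IT approaches, and most security practices
                  translate directly to robots. However, there's almost no
                  security culture amongst robot makers.
                  Building a robot requires careful selection of components
                  that interact across networks while meeting timing deadlines.
                  It isn't uncommon for robot components to be compromised or
                  fail over time, leading to complete system malfunction. Given
                  the expensive prices of these machines (we focus on robots in
                  the 25K-70K USD range), it's only reasonable to consider the
                  need for securing and repairing robots.
                  We introduce and promote systematic "robot teardown" as an
                  approach to repair robots by understanding their internals
                  (still obscure). Needless to say, robot teardown is an
                  essential practice in robot security. We show several "tricks
                  from the trade" and the legal implications learned by porting
                  reverse-engineering practices into the less-explored field of
                  robotics. We explain how we a) discovered more than 90
                  security vulnerabilities in robots from Teradyne (MiR and UR)
                  over a period of two years (never discussed publicly before),
                  b) gained repairing capabilities on these robots, c) show
                  evidence of planned obsolescence by comparing two
                  sequentially released robot controllers, and d) demonstrate
                  how robot hacking leads us to repurpose an older controller
                  (previous version) from Universal Robots with their newer
                  robots (arms) maintaining full capabilities and demonstrating
                  that there's no need to re-spend thousands of dollars again.
                  Similar to Ford in the 1920s with cars, most robot
                  manufacturers nowadays employ planned obsolescence practices
                  and organize dealers and system integrators into "private
                  networks", providing repair parts only to "certified"
                  companies to make repairs more difficult and evade
                  competition. We wrap up by advocating for a "Right to
                  Repair" in robotics to reduce robot e-waste and promote
                  systematic teardowns for the benefit of security research.},
  location     = {Las Vegas, US},
  url          = {https://www.blackhat.com/us-20/briefings/schedule/index.html#otrazor-static-code-analysis-for-vulnerability-discovery-in-industrial-automation-scripts-19523},
  date         = {2021-07-31},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/mayoral-vilches_smallwonderbhus_talk_2021.pdf}
}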
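@unpublished{maggi_smscs3sthlm_talk_2020,
  shorttitle   = {SMSCS3STHLM},
  author       = {Maggi, Federico},
  title        = {Hidden Attack Surfaces of Modern Industrial Automation
                  Systems},
  eventtitle   = {CS3STHLM},
  abstract     = {Last year we performed a security analysis on a testbed
                  smart manufacturing system using a variety of
                  "unconventional" attack vectors. Striving to think very much
                  outside the box, we wanted to understand which overlooked
                  conditions and attacker capabilities make certain attacks
                  possible, and their consequences.
                  Through concrete PoCs, we'll describe what unconventional
                  attack vectors and very creative attackers can achieve, as
                  well as how they can be stopped by current security
                  solutions.
                  We'll first show how a remote attacker can indirectly
                  compromise an engineering workstation to backdoor the
                  automation logic of an industrial robot. Then, we'll reveal
                  how the attack has been carried out via a malicious software
                  extension that targets the simulation and offline programming
                  (OLP) platform. The attendees will learn that such malicious
                  extensions have full capabilities on the target system, but
                  we'll explain what they are and how they can be stopped.
                  Our second entry point is an industry-grade embedded device.
                  These devices, often dubbed as "IIoT devices" offer great
                  programming flexibility—compared to, say, PLCs—at the
                  price of more responsibility for the programmers. The
                  proliferation of customizable IIoT devices along with the
                  many 3rd-party development libraries are the perfect target
                  for software supply-chain attacks. We'll show how we
                  trojanized a simple temperature-measurement library to
                  implement an ARP-based DoS attack, along with inaccurate
                  temperature data-points, which can cause cascade effects down
                  the data-processing pipeline. We'll argue that detecting
                  violations in the software supply-chain is hard in large,
                  distributed enterprises, but their effects can be mitigated
                  with proper network partitioning.
                  The last step of our security analysis focused on lateral
                  movements to complex, programmable machines such as
                  industrial robots. We observe that, movement-instructions
                  aside, industrial robot programming languages have
                  statements, loops, conditions, network sockets, serial
                  communication, etc. With access to low-level system resources
                  like files, network, memory, and peripherals, task programs
                  are a powerful, overlooked payload. Not only we show that
                  task programs are susceptible to input-validation
                  vulnerabilities, we also show that they're rich enough to
                  implement malware-like functionalities, given that the
                  runtime environment provides no resource isolation. As a
                  result, task programs have unmediated access to the entire
                  system.
                  We'll share cases of vulnerable and malicious task programs,
                  and how to discover such patterns, including some
                  vulnerabilities we found in real-world code.
                  We conclude by discussing the remediation steps that can be
                  adopted by developers and vendors to mitigate our findings in
                  the medium and long term.},
  location     = {Stockholm, Sweden},
  url          = {https://cs3sthlm.se/agenda/},
  date         = {2020-10-21},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/maggi_smscs3sthlm_talk_2020.pdf}
}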
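@unpublished{maggi_otrazorhitcon_talk_2020,
  shorttitle   = {OTRazorHITCON},
  author       = {Maggi, Federico and Pogliani, Marcello and Quarta, Davide
                  and Zanero, Stefano and Balduzzi, Marco},
  title        = {Guarding the Factory Floor: Catching Insecure Industrial
                  Robot Programs},
  eventtitle   = {HITCON},
  abstract     = {What if a perfectly patched industrial manufacturing machine
                  can still harbor for vulnerabilities where no one is looking?
                  What if the powerful programming languages used to program
                  these machines can go beyond simple movement instructions,
                  and actually allow threat actors to hide malware into the
                  logic?
                  Industrial robot OEMs provide proprietary, legacy programming
                  languages to automate these complex machines. Mostly offering
                  movement primitives, these programming languages also give
                  access to low-level system resources like files, network
                  sockets, and some even allow memory and program pointer.
                  While useful, these features may lead to insecure programming
                  patterns such as input-validation vulnerabilities. Also,
                  they're powerful enough to allow the implementation of
                  advanced malware functionalities, with an underlying runtime
                  environment that provides no resource isolation.
                  After going through the technical features of the languages
                  by eight leading OEMs, we'll share cases of vulnerable and
                  malicious usage. We'll then present a static code analyzer
                  that we created and patented, to scan robotic programs and
                  discover unsafe code patterns. Our evaluation on 100
                  automation task program files show that insecure patterns are
                  indeed found in real-world code, and that static source code
                  analysis is an effective defense tool in the short term.},
  location     = {Taiwan},
  url          = {https://hitcon.org/2020/agenda/93ba0758-bd84-43ae-9da0-b389fde2803b/},
  date         = {2020-09-12},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/maggi_otrazorhitcon_talk_2020.pdf}
}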
@unpublished{maggi_otrazorbhus_talk_2020,
  shorttitle   = {OTRazorBHUS},
  author       = {Maggi, Federico and Pogliani, Marcello and Quarta, Davide
                  and Zanero, Stefano and Balduzzi, Marco},
  title        = {OTRazor: Static Code Analysis for Vulnerability Discovery in
                  Industrial Automation Scripts},
  eventtitle   = {Black Hat Briefings USA},
  abstract     = {In this talk, we delve into industrial robot programming,
                  focusing on the security issues arising from the design and
                  implementation choices of these platforms.
                  Industrial robot manufacturers provide proprietary,
                  domain-specific programming languages to operate these
                  complex machines. Mostly focused on movement instructions,
                  such programming languages also provide access to low-level
                  system resources like files and network access, and some even
                  allow dynamic code loading. While useful, these features can
                  lead to unsafe programming patterns such as input-validation
                  vulnerabilities or malware-like functionalities, especially
                  if the underlying environment provides no resource isolation
                  like those found in modern operating systems.
                  After describing the technical features of the languages by
                  eight leading manufacturers, we'll share several cases of
                  vulnerable and malicious usage. We'll then present a static
                  code analyzer that we created and patented, to scan robotic
                  programs and discover unsafe code patterns. Our evaluation on
                  50 automation programs show that unsafe patterns are indeed
                  found in real-world code, and that static source code
                  analysis is an effective defense tool in the short term.
                  We conclude by discussing the remediation steps that can be
                  adopted by developers and vendors to mitigate such issues in
                  the medium and long term.},
  location     = {Las Vegas, US},
  url          = {https://www.blackhat.com/us-20/briefings/schedule/index.html#otrazor-static-code-analysis-for-vulnerability-discovery-in-industrial-automation-scripts-19523},
  date         = {2020-08-05},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/maggi_otrazorbhus_talk_2020.pdf}
}
@unpublished{balduzzi_industrialradioshitb_talk_2019,
  shorttitle   = {IndustrialRadiosHITB},
  author       = {Balduzzi, Marco and Maggi, Federico},
  title        = {Hey Operator, Where’s Your Crane? Attacking Industrial
                  Remote Controllers},
  eventtitle   = {Hack In The Box Amsterdam},
  abstract     = {Radio-frequency (RF) remote controllers are widely used in
                  multiple industrial applications like manufacturing,
                  construction and transportation. Cranes, drillers and
                  diggers, among others, are commonly equipped with RF
                  controllers, which have become the weakest link in
                  safety-critical IIoT applications.
                  Our security assessment revealed a lack of important security
                  features at different levels, with vendors using obscure
                  proprietary protocols instead of standards. As a consequence,
                  this technology appeared to be vulnerable to attacks like
                  replay, command injection, e-stop abuse, malicious repairing
                  and reprogramming. Together with ZDI, we ran into a 6-months
                  responsible disclosure process and then released 10 security
                  advisories.
                  In this presentation, we share the findings of our research
                  and make use of demos to discuss the problems in detail. We
                  conclude providing recommendations for all parties involved
                  in the life-cycle of these devices, from vendors to users and
                  system integrators.},
  location     = {Amsterdam, The Netherlands},
  url          = {https://conference.hitb.org/hitbsecconf2019ams/sessions/hey-operator-wheres-your-crane-attacking-industrial-remote-controllers/},
  date         = {2019-05-10},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/balduzzi_industrialradioshitb_talk_2019.pdf}
}
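@comment{eventtitle spelled out as in balduzzi_industrialradioshitb_talk_2019 (same event, same week) so the two entries group under one venue name; url is the project repository, not the conference session page.}
@unpublished{maggi_rfquack_talk_2019,
  shorttitle   = {RFQuack},
  author       = {Maggi, Federico},
  title        = {RFQuack: The RF-Analysis Tool That Quacks},
  eventtitle   = {Hack In The Box Amsterdam},
  abstract     = {RFQuack is the versatile RF-analysis tool that quacks! It's
                  a library firmware that allows you to sniff, manipulate, and
                  transmit data over the air. And if you're not happy with the
                  default firmware functionalities, we made it easy to extend.
                  Consider it as the hardware-modular and developer-friendly
                  version of the great YardStick One, which is based on the
                  CC1111 radio chip. Differently from that and other RF
                  dongles, RFQuack is designed to be agnostic with respect to
                  the radio chip. So if you want to use, say, the RF69, you can
                  do it. If you need to use the CC110L or CC1120, you can do
                  it. Similarly to RFCat, RFQuack has console based, Python
                  scriptable, client that allows you to set parameters,
                  receive, transmit, and so on.},
  location     = {Amsterdam, The Netherlands},
  url          = {https://github.com/trendmicro/RFQuack},
  date         = {2019-05-09},
  howpublished = {Peer-reviewed Demo},
  file         = {files/talks/maggi_rfquack_talk_2019.pdf}
}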
@unpublished{maggi_m2mhmi_talk_2019,
  shorttitle   = {M2MHMI},
  author       = {Maggi, Federico},
  title        = {Machine-to-Machine Protocol Security: The Case of MQTT and
                  CoAP},
  eventtitle   = {Hannover Messe},
  abstract     = {MQTT and CoAP provide data connectivity for practically any
                  kind of "machines". This talk will cover the results of our
                  security analysis of MQTT and CoAP, which uncovered issues in
                  the design specifications, vulnerable product
                  implementations, and hundreds of thousands unsecured,
                  open-to-the-world deployments. Despite the fixes in the
                  design specifications, it is hard for developers to keep up
                  with a changing standard when a technology becomes pervasive.
                  Also, the market of this technology is very wide because the
                  barrier to entry is fairly low. This led to a multitude of
                  fragmented implementations. Our findings have been
                  acknowledged by the vendors, by the MQTT Technical Committee,
                  which released a note to help identify the risks, and
                  received the attention of several other organizations. Using
                  MQTT and CoAP as case study, we will provide recommendations
                  at various levels, in the hope to see a significant reduction
                  in the number of insecure deployments in the future.},
  location     = {Hannover, Germany},
  url          = {https://www.hannovermesse.de/event/machine-to-machine-protocol-security-the-case-of-mqtt-and-coap/VOR/90582},
  date         = {2019-04-04},
  howpublished = {Selected Talk},
  file         = {files/talks/maggi_m2mhmi_talk_2019.pdf}
}
@unpublished{maggi_mqttbheu_talk_2018,
  shorttitle   = {MQTTBHEU},
  author       = {Maggi, Federico and Quarta, Davide},
  title        = {When Machines Can't Talk: Security and Privacy Issues of
                  Machine-to-Machine Data Protocols},
  eventtitle   = {Black Hat Briefings Europe},
  abstract     = {Two popular machine-to-machine (M2M) protocols—MQTT \&
                  CoAP—are slowly forming the backbone of many IoT
                  infrastructures, including critical industry environments.
                  They are used to provide data connectivity for practically
                  any kind of "machines". We found out that these protocols are
                  affected by security and privacy issues that impact several
                  market verticals, applications, products, and brands.
                  This talk provides a security analysis of MQTT \& CoAP at the
                  design, implementation, and deployment level. We found issues
                  in the design specifications, vulnerable product
                  implementations, and hundreds of thousands unsecured,
                  open-to-the-world deployments. These issues show the risk
                  that endpoints could be open to denial-of-service attacks
                  and, in some cases, full control by an adversary. Despite the
                  fixes in the design specifications, it is hard for developers
                  to keep up with a changing standard when a technology becomes
                  pervasive. Also, the market of this technology is very wide
                  because the barrier to entry is fairly low. This led to a
                  multitude of fragmented implementations.
                  We analyzed the source code of the most common MQTT
                  implementations, and discovered common flaws—mostly
                  originating from misinterpretation of the standard. In
                  particular, we found issues in how multibyte strings, UTF-8
                  characters, and regular-expressions are parsed. Combined with
                  standard features that force servers to retain messages and
                  clients to request acknowledgement the delivery of every
                  message, such bugs can lead to persistent denial of service.
                  Our findings have been acknowledged by the MQTT Technical
                  Committee, which released a note to help identify the risks.
                  Alongside this, we've analyzed hundreds of millions MQTT \&
                  CoAP messages obtained from hundreds of thousands server.
                  Despite previous efforts that tried to raise awareness, we
                  still found exposed data related to various industry sectors
                  and sensitive information, including credentials and network
                  infrastructure details. Moreover, we found out that MQTT is
                  being used beyond messaging, to transport binary data, most
                  likely for OTA update purposes, which certainly raises a red
                  flag.
                  Using MQTT \& CoAP as a concrete example of modern M2M
                  technology, we will provide recommendations at various levels
                  (standardization bodies, vendors, developers, and users) in
                  the hope to see a significant reduction in the number of
                  insecure deployments in the future, and a more responsible
                  position by standardization bodies.},
  location     = {London, UK},
  url          = {https://www.blackhat.com/eu-18/briefings/schedule/#when-machines-cant-talk-security-and-privacy-issues-of-machine-to-machine-data-protocols-12722},
  date         = {2018-12-06},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/maggi_mqttbheu_talk_2018.pdf}
}
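@unpublished{maggi_webdefacementhitb_talk_2018,
  shorttitle   = {WebDefacementHITB},
  author       = {Maggi, Federico},
  title        = {Using Machine-Learning to Investigate Web Campaigns at
                  Large},
  eventtitle   = {Hack In The Box Dubai},
  abstract     = {Web defacement is the practice of altering a website after
                  its compromise. The altered pages, called defaced pages, can
                  negatively affect the reputation and business of the victim.
                  While investigating several campaigns, we observed that the
                  artifacts left by these attackers allow an expert analyst to
                  investigate their modus operandi and social structure, and
                  expand from single attacks to a group of related incidents.
                  However, manually performing such analysis on millions of
                  events is tedious, and poses scalability challenges.
                  From these observations, we conceived an automated system
                  that efficiently builds intelligence information out of raw
                  events. Our approach streamlines the analysts' job by
                  automatically recognizing web campaigns, and assigning
                  meaningful textual labels to them. Applied to a comprehensive
                  dataset of 13 million incidents, our approach allowed us to
                  conduct what we believe to be the first large-scale
                  investigation of this form. In addition, our approach is
                  meant to be adopted operationally by analysts to identify
                  live campaigns in the real world.
                  We analyze the social structure of modern web attackers,
                  which includes lone individuals as well as actors that
                  cooperate in teams. We look into their motivations, and we
                  draw a parallel between the time line of world-shaping events
                  and web campaigns, which represent the evolution of the
                  interests and orientation of modern attackers.},
  location     = {Dubai, United Arab Emirates},
  url          = {https://conference.hitb.org/hitbsecconf2018dxb/sessions/using-machine-learning-to-investigate-web-campaigns-at-large/},
  date         = {2018-11-28},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/maggi_webdefacementhitb_talk_2018.pdf}
}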
@unpublished{maggi_ir_talk_2018,
  shorttitle   = {IR},
  author       = {Maggi, Federico},
  title        = {Safety Risks and Threats in Industrial Automation Systems:
                  The Case of Industrial Radio Remote Controllers},
  eventtitle   = {Trend Micro Direction},
  location     = {Tokyo, JP},
  url          = {https://direction.trendmicro.com/sess/},
  date         = {2018-11-16},
  howpublished = {Talk},
  file         = {files/talks/maggi_ir_talk_2018.pdf}
}
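@unpublished{maggi_iiothmi_talk_2018,
  shorttitle   = {IIoTHMI},
  author       = {Maggi, Federico},
  title        = {The Impact of Legacy Machines on Future Manufacturing
                  Cybersecurity},
  eventtitle   = {Hannover Messe},
  abstract     = {Despite the focus on future-generation equipment, legacy
                  industrial machines will continue to exist. In terms of
                  cybersecurity risks, what happens when these machines must be
                  connected? We've answered this question by taking a close
                  look at a previous-generation industrial robot, one of the
                  most widespread industrial machine, used practically in every
                  sector, including for manufacturing. Besides the software
                  vulnerabilities that we have found, which we consider
                  "natural" in embedded software, we focused on the root cause
                  of these vulnerabilities and we will discuss our thoughts and
                  practical recommendations with the audience. We will provide
                  a demo of what happens when an attacker compromises an
                  industrial robot, explaining how a software flaw can go all
                  the way down to affecting the quality of the manufactured
                  goods. Beyond robots, the entire factory features more and
                  more embedded systems, which are a critical entry point for
                  an external attacker, and thus need to properly be secured.},
  location     = {Hannover, Germany},
  url          = {http://www.hannovermesse.de/event/the-impact-of-legacy-machines-on-future-manufacturing-cybersecurity/VOR/83621},
  date         = {2018-04-09},
  howpublished = {Selected Talk},
  file         = {files/talks/maggi_iiothmi_talk_2018.pdf}
}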
@unpublished{balduzzi_defplorexbhus_talk_2017,
  shorttitle   = {DefPloreXBHUS},
  author       = {Balduzzi, Marco and Maggi, Federico and Ciancaglini,
                  Vincenzo and Flores, Ryan and Gu, Lion},
  title        = {DefPloreX: A Machine Learning Toolkit for Large-scale
                  e-Crime Forensics},
  eventtitle   = {Black Hat Arsenal USA},
  abstract     = {The security industry as a whole---including operation
                  centers, providers and telcos---loves collecting data.
                  Researchers are not different! A sort of common feeling is
                  that the more data someone collects, the more self-confident
                  he becomes about, say, a threat or another phenomenon.
                  However, large volumes of data imply more processing
                  resources needed, especially in extracting meaningful and
                  useful information if the data is highly unstructured. As a
                  result, manual data analysis is often the only choice, with
                  security professionals like pen-testers, reversers and
                  analysts processing data through tedious repetitive
                  operations.
                  Given this situation, and our research lab suffering from
                  similar problems, we have spent the first half of 2017
                  implementing a flexible toolkit based on open-source
                  libraries for efficiently analyzing millions of deface pages
                  and web incidents. Our tool, DefPloreX, uses a combination of
                  machine-learning and visualization techniques to practically
                  turn original unstructured data into meaningful high-level
                  descriptions. Real-time information on incidents, breaches,
                  attacks and vulnerabilities, for example, are efficiently
                  processed and condensed into objects that are easily
                  browsable -- making them suitable for efficient large-scale
                  eCrime forensics and investigations.
                  DefPloreX ingests plain CSV inputs about web incidents to
                  analyze, explores their resources with headless browsers,
                  extracts features from deface pages, and uploads the
                  resulting data to an Elastic index. Distributed headless
                  browsers are coordinated via Celery. Using Python Panda,
                  NumPy and PyTables, DefPloreX provides offline "views" of the
                  data, allowing easy pivoting and exploration. Our toolkit
                  automatically groups similar deface pages in clusters and
                  organizes web incidents in campaigns. Requiring only one
                  pass, clustering is intrinsically parallel and not memory
                  bound. DefPloreX offers text- and web-based UIs, which can be
                  queried using a simple language for investigations and
                  forensics.},
  location     = {Las Vegas, US},
  url          = {https://www.blackhat.com/us-17/arsenal.html#defplorex-a-machine-learning-toolkit-for-large-scale-ecrime-forensics},
  date         = {2017-07-27},
  howpublished = {Peer-reviewed Demo},
  file         = {files/talks/balduzzi_defplorexbhus_talk_2017.pdf}
}
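@unpublished{continella_shieldfsbhus_talk_2017,
  shorttitle   = {ShieldFSBHUS},
  author       = {Continella, Andrea and Guagnelli, Alessandro and Zingaro,
                  Giovanni and De Pasquale, Giulio and Barenghi, Alessandro and
                  Zanero, Stefano and Maggi, Federico},
  title        = {ShieldFS: The Last Word in Ransomware-resilient File
                  Systems},
  eventtitle   = {Black Hat Briefings USA},
  abstract     = {Preventive and reactive security measures can only partially
                  mitigate the damage caused by modern ransomware attacks. The
                  remarkable amount of illicit profit and the cybercriminals'
                  increasing interest in ransomware schemes demonstrate that
                  current defense solutions are failing, and a large number of
                  users are actually paying the ransoms. In fact,
                  pure-detection approaches (e.g., based on analysis sandboxes
                  or pipelines) are not sufficient, because, when luck allows a
                  sample to be isolated and analyzed, it is already too late
                  for several users! Moreover, modern ransomware implements
                  several techniques to prevent detection by common AV.
                  Similarly, for performance reasons, backups leave a
                  small-but-important window of recent files unprotected.
                  We believe that a forward-looking solution is to equip modern
                  operating systems with generic, practical self-healing
                  capabilities against this serious threat.
                  In this talk, we will present ShieldFS, a drop-in driver that
                  makes the Windows native filesystem immune to ransomware
                  attacks, even when detection fails. ShieldFS dynamically
                  toggles a protection layer that acts as a copy-on-write
                  mechanism whenever its detection component reveals suspicious
                  activity. For this, ShieldFS monitors the filesystem's
                  internals to update a set of adaptive models that profile the
                  system activity over time. This detection is based on a study
                  of the filesystem activity of over 2,245 applications, and
                  takes into account the entropy of write operations, frequency
                  of read, write, and folder-listing operations, fraction of
                  files renamed, and the file-type usage statistics.
                  Additionally, ShieldFS monitors the memory pages of each
                  "potentially malicious" process, searching for traces of the
                  typical block cipher key schedules.
                  We will show how ShieldFS can shadow the write operations.
                  Whenever one or more processes violate our detection
                  component, their operations are deemed malicious and the side
                  effects on the filesystem are transparently rolled back.
                  Last, we will demo how effective ShieldFS is against samples
                  from state of the art ransomware families, showing that it is
                  able to detect the malicious activity at runtime and
                  transparently recover all the original files.},
  location     = {Las Vegas, US},
  url          = {https://www.blackhat.com/us-17/briefings.html#shieldfs-the-last-word-in-ransomware-resilient-file-systems},
  date         = {2017-07-27},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/continella_shieldfsbhus_talk_2017.pdf}
}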
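@unpublished{quarta_robosecbhus_talk_2017,
  author       = {Quarta, Davide and Pogliani, Marcello and Polino, Mario and
                  Maggi, Federico and Zanero, Stefano},
  title        = {Breaking the Laws of Robotics: Attacking Industrial Robots},
  shorttitle   = {RoboSecBHUS},
  eventtitle   = {Black Hat Briefings USA},
  abstract     = {Industrial robots are complex cyber-physical systems used
                  for manufacturing, and a critical component of any modern
                  factory. These robots aren't just electromechanical devices
                  but include complex embedded controllers, which are often
                  interconnected with other computers in the factory network,
                  safety systems, and with the Internet for remote monitoring
                  and maintenance. In this scenario, industrial routers also
                  play a key role, because they directly expose the robot's
                  controller. Therefore, the impact of a single, simple
                  vulnerability can grant attackers an easy entry point.
                  Industrial robots must follow three fundamental laws:
                  accurately "read" from the physical world through sensors and
                  "write" (i.e. perform actions) through actuators, refuse to
                  execute self-damaging control logic, and most importantly,
                  echoing Asimov, never harm humans. By combining a set of
                  vulnerabilities we discovered on a real robot, we will
                  demonstrate how remote attackers are able to violate such
                  fundamental laws up to the point where they can alter the
                  manufactured product, physically damage the robot, steal
                  industry secrets, or injure humans.
                  We will cover in-depth technical aspects (e.g., reverse
                  engineering and vulnerability details, and attack PoCs),
                  alongside a broader discussion on the security posture of
                  industrial routers and robots: Why are these devices
                  attractive to attackers? What could they achieve? Are they
                  hard to compromise? How can their security be improved?},
  location     = {Las Vegas, US},
  url          = {https://www.blackhat.com/us-17/briefings.html#breaking-the-laws-of-robotics-attacking-industrial-robots},
  date         = {2017-07-27},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/quarta_robosecbhus_talk_2017.pdf},
}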
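@unpublished{mavroudis_silverdogbh_talk_2016,
  author       = {Mavroudis, Vasilios and Hao, Shuang and Fratantonio, Yanick
                  and Maggi, Federico and Vigna, Giovanni and Kruegel,
                  Christopher},
  title        = {Talking Behind Your Back: Attacks and Countermeasures of
                  Ultrasonic Cross-Device Tracking},
  shorttitle   = {SilverDogBH},
  eventtitle   = {Black Hat Briefings Europe},
  abstract     = {Cross-device tracking (XDT) technologies are currently the
                  ``Holy Grail'' for marketers because they allow tracking of
                  the user's visited content across different devices to then
                  push relevant, more targeted content. For example, if a user
                  clicks on a particular advertisement while browsing the web
                  at home, the advertisers are very interested in collecting
                  this information to display, later on, related advertisements
                  on other devices belonging to the same user (e.g., phone,
                  tablet).
                  Currently, the most recent innovation in this area is
                  ultrasonic cross-device tracking (uXDT), which is the use of
                  the ultrasonic spectrum as a communication channel to "pair"
                  devices for the aforementioned tracking purposes.
                  Technically, this pairing happens through a receiver
                  application installed on the phone or tablet. The business
                  model is that users will receive rewards or useful services
                  for keeping those apps active, pretty much like it happens
                  for proximity-marketing apps (e.g., Shopkick), where users
                  receive deals for walk-ins recorded by their
                  indoor-localizing apps.
                  This talk will describe and demonstrate the practical
                  security and privacy risks that arise with the adoption of
                  uXDT-enabled systems. The uXDT technology has caught the
                  attention of major companies (e.g., IDG Ventures, Google,
                  Nestle, Dominos), many of which either invested in uXDT
                  providers (e.g., SilverPush, Signal360, Audible Magic), or
                  approached such companies as clients. Unfortunately,
                  unbeknownst to the users, we found that numerous mobile
                  applications, some with millions of downloads, include uXDT
                  advertising frameworks that actively listen for ultrasounds,
                  with no opt-out option for the users! Security experts and
                  the authorities (e.g., the Federal Trade Commission) have
                  promptly raised concerns about uXDT, but until now no
                  comprehensive security analysis of the technology has been
                  released.
                  In this talk, we will explore the uXDT ecosystem, dig into
                  the inner workings of popular uXDT frameworks, and perform an
                  in-depth technical analysis of the underlying technology,
                  exposing both implementation \& design vulnerabilities, and
                  critical security \& privacy shortcomings that we discovered.
                  In the offensive part of our talk, we will demonstrate
                  (through practical demo sessions) how an attacker can exploit
                  uXDT frameworks to reveal the true IP addresses of users who
                  browse the Internet through anonymity networks (e.g., VPNs or
                  Tor). Moreover, we will describe how an attacker can tamper
                  with the "pairing" process or affect the results of the
                  advertising/bidding algorithms. For example, an attacker
                  equipped with a simple beacon-emitting device (e.g., a
                  smartphone) can walk into a Starbucks at peak hour and launch
                  a profile-corruption attack against all customers currently
                  taking advantage of uXDT-enabled apps.
                  In the defensive part of our talk, we will introduce three
                  countermeasures that we designed, implemented, and will
                  publicly release. These include (1) a mobile application that
                  detects ultrasound beacons "in the air" with the goal of
                  raising awareness, (2) a browser extension that acts as a
                  personal firewall by selectively filtering ultrasonic
                  beacons, and (3) a brand-new OS permission control in
                  Android that allows applications to declaratively ask for
                  access to the ultrasound spectrum. We will go into the
                  technical details and provide remediation advice useful both
                  for the users and developers.},
  location     = {London, UK},
  url          = {https://blackhat.com/eu-16/briefings/schedule/#talking-behind-your-back-attacks-and-countermeasures-of-ultrasonic-cross-device-tracking-4864},
  date         = {2016-11-03},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/mavroudis_silverdogbh_talk_2016.pdf},
}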
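@unpublished{maggi_greateatlonbheu_talk_2016,
  author       = {Maggi, Federico and Zanero, Stefano},
  title        = {Pocket-sized Badness: Why Ransomware Comes as a Plot Twist
                  in the Cat-Mouse Game},
  shorttitle   = {GreatEatlonBHEU},
  eventtitle   = {Black Hat Briefings Europe},
  abstract     = {While we have grown accustomed to stealthy malware,
                  specifically written to gain and maintain control of the
                  victim machines to abuse their resources, ransomware really
                  comes as a "plot twist"! After 10+ years of stealthy malware,
                  spread mainly to build botnets and steal information, for
                  the second time we're witnessing a growth of disruptive
                  malware, and an interest in direct and fast profit.
                  Ransomware is a particularly striking example of disruptive
                  malware, both on mobile and desktop targets: While
                  traditional mass malware must fly under the radar to fulfill
                  its goals, a ransomware attack that remains unaccountable has
                  failed miserably. It must show up to inform and frighten the
                  victim! As a result, the human psychological response to the
                  attack plays a significant role in the success of ransomware
                  schemes. And, given the remarkable revenue, the scheme seems
                  to be working fairly well.
                  This talk will describe the technical impact of disruptive
                  malware and its game-changing approach, which made us (at
                  least) rethink our incident-response plans. We will focus on
                  mobile ransomware as a representative, extreme case study.
                  Albeit not extensively studied, we are currently tracking 10
                  distinct families, and collected tens of thousands of
                  distinct samples in three months. In this talk, we will go
                  through the most notorious families such as Koler, SLocker,
                  Svpeng (and mention the other notable ones), overviewing
                  their social-engineering tricks and how they are technically
                  implemented. This will include, for instance, how an app can
                  effectively lock a device to forcefully display the typical
                  threatening message that informs the victim of what just
                  happened, or how crypto and file-system APIs are (ab)used to
                  surreptitiously encrypt the valuable data.
                  After having overviewed these aspects, we will describe how
                  they can be effectively detected with specific static
                  features. We will present a lightweight Smali emulator to
                  track the instruction sequences that implement device-locking
                  mechanisms. To detect malicious encryption attempts, we will
                  present a static, dataflow-based program-analysis technique
                  and tool that tracks file-system operations (e.g., file
                  listing, file reading) to determine if they are "connected"
                  to encryption flows. Since the most recent families have
                  started to abuse the device-administration API (e.g., to lock
                  the device), obfuscated method names and reflection to hinder
                  automatic static analysis, we will show a couple of
                  counter-tricks. Last, we will show how the threatening
                  messages can be recognized from normal text using a
                  language-analysis technique, which classifies text based on
                  the appearance of key terms frequently found in ransomware
                  samples but not in benign sources. Since static
                  program-analysis approaches like ours can be time and
                  resource consuming, we describe a fast triaging pre-filtering
                  technique to quickly discard strikingly benign applications.
                  This filter is generic and ransomware-agnostic. Thus, in
                  principle, it could be applied to any app-vetting pipeline.
                  With this talk we will release the source code of a prototype
                  that implements (part of) the described techniques, and a
                  dataset comprising tens of thousands of ransomware
                  applications targeting the Android platform, each labeled
                  with the set of features that characterize their
                  statically-extracted behavior.},
  location     = {London, UK},
  url          = {https://www.blackhat.com/eu-16/briefings.html},
  date         = {2016-11-03},
  howpublished = {Peer-reviewed Talk},
  file         = {files/talks/maggi_greateatlonbheu_talk_2016.pdf},
}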
@unpublished{maggi_banksealer_talk_2016,
  author       = {Maggi, Federico},
  title        = {Fast and Transparent Online Banking Fraud Detection and Investigation},
  shorttitle   = {BankSealer},
  eventtitle   = {Hek.si},
  location     = {Ljubljana, Slovenia},
  date         = {2016-04-15},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_banksealer_talk_2016.pdf},
}
@unpublished{maggi_mobilemalware_talk_2015,
  author       = {Maggi, Federico and Fratantonio, Yanick},
  title        = {Malware on Mobile: The What, The Why, and The How},
  shorttitle   = {MobileMalware},
  eventtitle   = {Science and Engineering Council of Santa Barbara},
  location     = {Santa Barbara, CA},
  date         = {2015-11-11},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_mobilemalware_talk_2015.pdf},
}
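@unpublished{maggi_droydseuss_talk_2015,
  author       = {Maggi, Federico},
  title        = {A Walk Through the Construction of the First Mobile Malware
                  Tracker},
  shorttitle   = {DroydSeuss},
  eventtitle   = {Android Security Symposium},
  location     = {Vienna, Austria},
  date         = {2015-09-11},
  url          = {https://usmile.at/symposium/program},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_droydseuss_talk_2015.pdf},
}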
@unpublished{maggi_mobileransomware_talk_2015,
  author       = {Maggi, Federico},
  title        = {Mobile Ransomware},
  shorttitle   = {MobileRansomware},
  eventtitle   = {6th National Conference on Cyber Warfare},
  location     = {Milano, Italy},
  date         = {2015-06-03},
  url          = {http://www.infowar.it/},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_mobileransomware_talk_2015.pdf},
}
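@unpublished{maggi_cybercrimethreatanalysis_talk_2015,
  author       = {Maggi, Federico},
  title        = {From Cybercrime to Threat Analysis},
  shorttitle   = {CybercrimeThreatAnalysis},
  location     = {Università degli Studi di Trento, Trento, Italy},
  date         = {2015-04-20},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_cybercrimethreatanalysis_talk_2015.pdf},
}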
@unpublished{maggi_threatanalysis_talk_2015,
  author       = {Maggi, Federico},
  title        = {From Cybercrime to Threat Analysis},
  shorttitle   = {ThreatAnalysis},
  eventtitle   = {Catedra Europa},
  date         = {2015-03-18},
  url          = {http://www.uninorte.edu.co/web/catedra-europa},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_threatanalysis_talk_2015.pdf},
}
@unpublished{maggi_cybercrime_talk_2014,
  author       = {Maggi, Federico},
  title        = {Current and Future Cybercrime Tactics},
  shorttitle   = {Cybercrime},
  eventtitle   = {5th National Conference on Cyber Warfare},
  location     = {Milano, Italy},
  date         = {2014-10-13},
  url          = {http://www.infowar.it/past/2014_october/index.php},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_cybercrime_talk_2014.pdf},
}
@unpublished{maggi_andradar_talk_2014,
  author       = {Maggi, Federico},
  title        = {Come to the Dark Side: We have Apps!},
  shorttitle   = {AndRadar},
  eventtitle   = {HackInBo},
  location     = {Bologna, Italy},
  date         = {2014-10-11},
  url          = {http://www.hackinbo.it/},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_andradar_talk_2014.pdf},
}
@unpublished{maggi_androidre_talk_2014,
  author       = {Maggi, Federico},
  title        = {Static Analysis of Android Applications},
  shorttitle   = {AndroidRe},
  eventtitle   = {2nd SysSec Summer Institution},
  location     = {Amsterdam, The Netherlands},
  date         = {2014-09-25},
  url          = {http://www.syssec-project.eu/events/summer-school-2014/program/},
  howpublished = {Invited Lecture},
  file         = {files/talks/maggi_androidre_talk_2014.pdf},
}
@unpublished{maggi_virtualization_talk_2014,
  author       = {Maggi, Federico},
  title        = {Virtualization},
  shorttitle   = {Virtualization},
  eventtitle   = {5th Int. Summer Institution on Information Security and Protection},
  location     = {Verona, Italy},
  date         = {2014-07-27},
  url          = {http://issisp2014.di.univr.it/},
  howpublished = {Invited Lecture},
  file         = {files/talks/maggi_virtualization_talk_2014.pdf},
}
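@unpublished{maggi_phoenixhoneynet_talk_2014,
  author       = {Maggi, Federico},
  title        = {Tracking and Characterizing Botnets Using Automatically
                  Generated Domains},
  shorttitle   = {PhoenixHoneynet},
  eventtitle   = {Honeynet Workshop},
  abstract     = {Modern botnets rely on domain-generation algorithms (DGAs)
                  to build resilient command-and-control infrastructures.
                  Recent works focus on recognizing automatically generated
                  domains (AGDs) from DNS traffic, which potentially allows
                  identifying previously unknown AGDs to hinder or disrupt
                  botnets' communication capabilities. The state-of-the-art
                  approaches require deploying low-level DNS sensors to access
                  data whose collection poses practical and privacy issues,
                  making their adoption problematic. We propose a mechanism
                  that overcomes the above limitations by analyzing DNS traffic
                  data through a combination of linguistic and IP-based
                  features of suspicious domains. In this way, we are able to
                  identify AGD names, characterize their DGAs and isolate
                  logical groups of domains that represent the respective
                  botnets. Moreover, our system enriches these groups with new,
                  previously unknown AGD names, and produces novel knowledge
                  about the evolving behavior of each tracked botnet. We used
                  our system in real-world settings, to help researchers who
                  requested intelligence on suspicious domains, and we were
                  able to label them as belonging to the correct botnet
                  automatically. Additionally, we ran an evaluation on
                  1,153,516 domains, including AGDs from both modern (e.g.,
                  Bamital) and traditional (e.g., Conficker, Torpig) botnets.
                  Our approach correctly isolated families of AGDs that
                  belonged to distinct DGAs, and set automatically generated
                  from non-automatically generated domains apart in 94.8
                  percent of the cases.},
  location     = {Warsaw, Poland},
  date         = {2014-05-14},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_phoenixhoneynet_talk_2014.pdf},
}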
@unpublished{maggi_phoenixgoogle_talk_2014,
  author       = {Maggi, Federico},
  title        = {Phoenix \& Cerberus: Botnet Tracking via Precise DGA Characterization},
  shorttitle   = {PhoenixGoogle},
  eventtitle   = {Google Tech Talk},
  location     = {Google, Mountain View, CA, USA},
  date         = {2014-05},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_phoenixgoogle_talk_2014.pdf},
}
@unpublished{maggi_androidmalware_talk_2014,
  author       = {Maggi, Federico},
  title        = {Malicious Android Apps: Overview, Status and Dilemmas},
  shorttitle   = {AndroidMalware},
  location     = {Qualcomm, San Diego, USA},
  date         = {2014-01-03},
  url          = {http://s.maggi.cc/android-malware-2013},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_androidmalware_talk_2014.pdf},
}
@unpublished{maggi_phoenixinfosek_talk_2013,
  author       = {Maggi, Federico},
  title        = {Modern Botnets and the Rise of Automatically Generated Domains},
  shorttitle   = {PhoenixInfosek},
  eventtitle   = {InfoSek},
  location     = {Nova Gorica, Slovenia},
  date         = {2013-11-20},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_phoenixinfosek_talk_2013.pdf},
}
@unpublished{maggi_andrototalinfosek_talk_2013,
  author       = {Maggi, Federico},
  title        = {AndroTotal: A Scalable Framework for Android Antivirus Testing},
  shorttitle   = {AndroTotalInfosek},
  eventtitle   = {InfoSek},
  location     = {Nova Gorica, Slovenia},
  date         = {2013-11-20},
  howpublished = {Invited Talk},
  file         = {files/talks/maggi_andrototalinfosek_talk_2013.pdf},
}