PhD in Computer Science
Roberto Paleari, Lorenzo Martignoni, Emanuele Passerini, Drew Davidson, Matt Fredrikson, Jon Giffin, Somesh Jha. Automatic Generation of Remediation Procedures for Malware Infections. In Proceedings of the 19th USENIX Security Symposium. [ bib | pdf ]
Abstract: Despite the widespread deployment of malware-detection software, in many situations it is difficult to preemptively block a malicious program from infecting a system. Rather, signatures for detection are usually available only after malware have started to infect a large group of systems. Ideally, infected systems should be reinstalled from scratch. However, due to the high cost of reinstallation, users may prefer to rely on the remediation capabilities of malware detectors to revert the effects of an infection. Unfortunately, current malware detectors perform this task poorly, leaving users' systems in an unsafe or unstable state. This paper presents an architecture to automatically generate remediation procedures from malicious programs: procedures that can be used to remediate all and only the effects of the malware's execution in any infected system. We have implemented a prototype of this architecture and used it to generate remediation procedures for a corpus of more than 200 malware binaries. Our evaluation demonstrates that the algorithm outperforms the remediation capabilities of top-rated commercial malware detectors.

Emanuele Passerini, Roberto Paleari, and Lorenzo Martignoni. How good are malware detectors at remediating infected systems? In Proceedings of the 6th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA, Como, Italy, Lecture Notes in Computer Science. Springer, July 2009. [ bib | pdf | slides ]
Abstract: Malware detectors are applications that attempt to identify and block malicious programs. Unfortunately, malware detectors might not always be able to preemptively block a malicious program from infecting the system (e.g., when the signatures database is not promptly updated). In these situations, the only way to eradicate the infection without having to reinstall the entire system is to rely on the remediation capabilities of the detectors. Therefore, it is essential to evaluate the efficacy and accuracy of anti-malware software in such situations. This paper presents a testing methodology to assess the quality (completeness) of the remediation procedures used by malware detectors to revert the effect of an infection from a compromised system. To evaluate the efficacy of our testing methodology, we developed a prototype and used it to test six of the top-rated commercial malware detectors currently available on the market. The results of our evaluation witness that, in many situations, the tested malware detectors fail to completely remove the effects of an infection.

Mattia Monga, Roberto Paleari and Emanuele Passerini. A hybrid analysis framework for detecting web application vulnerabilities. In the Proceedings of the 5th International Workshop on Software Engineering for Secure Systems (SESS'09), 31st International Conference on Software Engineering (ICSE), IEEE Computer Society, Vancouver, Canada, May 2009. [ bib | pdf | slides ]
Abstract: Increasingly, web applications handle sensitive data and interface with critical back-end components, but are often written by poorly experienced programmers with low security skills. The majority of vulnerabilities that affect web applications can be ascribed to the lack of proper validation of user's input, before it is used as argument of an output function. Several program analysis techniques were proposed to automatically spot these vulnerabilities. One particularly effective is dynamic taint analysis. Unfortunately, this approach introduces a significant run-time penalty.
In this paper, we present a hybrid analysis framework that blends together the strengths of static and dynamic approaches for the detection of vulnerabilities in web applications: a static analysis, performed just once, is used to reduce the run-time overhead of the dynamic monitoring phase.
We designed and implemented a tool, called Phan, that is able to statically analyze PHP bytecode searching for dangerous code statements; then, only these statements are monitored during the dynamic analysis

Abstract: Botnets are large groups of compromised machines (bots) used by
miscreants for the most illegal activities (e.g., sending spam emails,
denial-of-service attacks, phishing and other web scams). To protect the
identity and to maximise the availability of the core components of their
business, miscreants have recently started to use fast-flux service
networks, large groups of bots acting as front-end proxies to these
components. Motivated by the conviction that prompt detection and monitoring
of these networks is an essential step to contrast the problem posed by
botnets, we have developed FluXOR, a system to detect and monitor
fast-flux service networks. FluXOR monitoring and detection strategies
entirely rely on the analysis of a set of features observable from the point
of view of a victim of the scams perpetrated by the botnets. We have been
using FluXOR for about a month and so far we have detected 387 fast-flux
service networks, totally composed by 31998 distinct compromised machines,
which we believe to be associated with 16 botnets.