Emanuele Passerini's Homepage

[1] Roberto Paleari, Lorenzo Martignoni, Emanuele Passerini, Drew Davidson, Matt Fredrikson, Jon Giffin, Somesh Jha Automatic Generation of Remediation Procedures for Malware Infections In Proceedings of the 19^th USENIX Security Symposium. [ bib | pdf ].

Abstract: Despite the widespread deployment of malware-detection software, in many situations it is difficult to preemptively block a malicious program from infecting a system. Rather, signatures for detection are usually available only after malware have started to infect a large group of systems. Ideally, infected systems should be reinstalled from scratch. However, due to the high cost of reinstallation, users may prefer to rely on the remediation capabilities of malware detectors to revert the effects of an infection. Unfortunately, current malware detectors perform this task poorly, leaving users' systems in an unsafe or unstable state. This paper presents an architecture to automatically generate remediation procedures from malicious programs.procedures that can be used to remediate all and only the effects of the malware's execution in any infected system. We have implemented a prototype of this architecture and used it to generate remediation procedures for a corpus of more than 200 malware binaries. Our evaluation demonstrates that the algorithm outperforms the remediation capabilities of top-rated commercial malware detectors.

[2] Emanuele Passerini, Roberto Paleari, and Lorenzo Martignoni. How good are malware detectors at remediating infected systems? In Proceedings of the 6^th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA, Como, Italy, Lecture Notes in Computer Science. Springer, July 2009. [ bib | pdf | slides ].

Abstract: Malware detectors are applications that attempt to identify and block malicious programs. Unfortunately, malware detectors might not always be able to preemptively block a malicious program from infecting the system (e.g., when the signatures database is not promptly updated). In these situations, the only way to eradicate the infection without having to reinstall the entire system is to rely on the remediation capabilities of the detectors. Therefore, it is essential to evaluate the efficacy and accuracy of anti-malware software in such situations. This paper presents a testing methodology to assess the quality (completeness) of the remediation procedures used by malware detectors to revert the effect of an infection from a compromised system. To evaluate the efficacy of our testing methodology, we developed a prototype and used it to test six of the top-rated commercial malware detectors currently available on the market. The results of our evaluation witness, that in many situations, the tested malware detectors fail to completely remove the effects of an infection.

[3] Mattia Monga, Roberto Paleari and Emanuele Passerini. A hybrid analysis framework for detecting web application vulnerabilities. In the Proceedings of the 5^th International Workshop on Software Engineering for Secure Systems (SESS'09), 31st International Conference on Software Engineering (ICSE), IEEE Computer Society, Vancouver, Canada, May 2009. [bib | pdf | slides ].

Abstract: Increasingly, web applications handle sensitive data and interface with critical back-end components, but are often written by poorly experienced programmers with low security skills. The majority of vulnerabilities that act web applications can be ascribed to the lack of proper validation of user's input, before it is used as argument of an output function. Several program analysis techniques were proposed to automatically spot these vulnerabilities. One particularly ective is dy- namic taint analysis. Unfortunately, this approach in- troduces a significant run-time penalty. In this paper, we present a hybrid analysis frame- work that blends together the strengths of static and dynamic approaches for the detection of vulnerabilities in web applications: a static analysis, performed just once, is used to reduce the run-time overhead of the dynamic monitoring phase. We designed and implemented a tool, called Phan, that is able to statically analyze PHP bytecode search- ing for dangerous code statements; then, only these statements are monitored during the dynamic analysis phase.

[4] Emanuele Passerini, Roberto Paleari, Lorenzo Martignoni, and Danilo Bruschi. Fluxor: detecting and monitoring fast-flux service networks. In Proceedings of the 5^th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA, Paris, France, Lecture Notes in Computer Science. Springer, July 2008. [ bib | pdf | slides ].

Abstract: Botnets are large groups of compromised machines (bots) used by miscreants for the most illegal activities (e.g., sending spam emails, denial-of-service attacks, phishing and other web scams). To protect the identity and to maximise the availability of the core components of their business, miscreants have recently started to use fast-flux service networks, large groups of bots acting as front-end proxies to these components. Motivated by the conviction that prompt detection and monitoring of these networks is an essential step to contrast the problem posed by botnets, we have developed FluXOR, a system to detect and monitor fast-flux service networks. FluXOR monitoring and detection strategies entirely rely on the analysis of a set of features observable from the point of view of a victim of the scams perpetrated by the botnets. We have been using FluXOR for about a month and so far we have detected 387 fast-flux service networks, totally composed by 31998 distinct compromised machines, which we believe to be associated with 16 botnets.
Real-time results are publicly available at http://fluxor.laser.dico.unimi.it.