Publications of the Security Group in Trento

This page lists the publications of the Security Group in reverse chronological order. You can also find them under the individual research topics or on the pages of the individual members.

2022

  • Seyed Ali Mirheidari, Matteo Golinelli, Kaan Onarlioglu, Engin Kirda, Bruno Crispo. Web Cache Deception Escalates!, The 31st USENIX Security Symposium (USENIX Security '22), 2022. PDF Media
    Nominated for Top Web Hacking Technique of 2021.
  • Giorgio Di Tizio, Michele Armellini, Fabio Massacci, Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats. IEEE Transactions on Software Engineering (TSE), 2022 - Publisher Version

2021

  • Giorgio Di Tizio, Fabio Massacci, A Calculus of Tracking: Theory and Practice. In Proceedings of the 21st Privacy Enhancing Technologies Symposium (PETS 2021), 2021 - Author-accepted manuscript, Video
  • Duc-Ly Vu, Fabio Massacci, Ivan Pashchenko, Henrik Plate, and Antonino Sabetta. LastPyMile: Identifying the Discrepancy between Sources and Packages. In Proceedings of the 29th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2021 - Author-accepted manuscript, Publisher Version, Video
  • Duc-Ly Vu, Ivan Pashchenko, and Fabio Massacci. Please hold on: more time = more patches? Automated program repair as anytime algorithms. In Proceedings of ACM/IEEE International Conference on Software Engineering - Automated Program Repair (APR) workshop, 2021 - Author-accepted manuscript, Publisher Version, Video
  • Fabio Massacci and Ivan Pashchenko. Technical Leverage: dependencies mixed blessing. To Appear in IEEE Security and Privacy Magazine - Dept. Building Security In, 2021 - Author-accepted manuscript
  • Fabio Massacci and Ivan Pashchenko. Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks. To Appear in ACM/IEEE International Conference on Software Engineering, 2021 - Author-accepted manuscript
  • Ivan Pashchenko, Riccardo Scandariato, Antonino Sabetta, and Fabio Massacci. Secure Software Development in the Era of Fluid Multi-party Open Software and Services. To Appear in ACM/IEEE International Conference on Software Engineering - New Ideas and Emerging Results, 2021 - Author-accepted manuscript

2020

  • Ivan Pashchenko, Henrik Plate, Serena Elisa Ponta, Antonino Sabetta, and Fabio Massacci. Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies. IEEE Transactions on Software Engineering Journal, 2020 - Author-accepted manuscript
  • Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, Antonino Sabetta. Towards Using Source Code Repositories to Identify Software Supply Chain Attacks. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2020 - Author's preprint, poster, Publisher Version
  • Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, and William Robertson. Cached and Confused: Web Cache Deception in the Wild, The 29th USENIX Security Symposium (USENIX Security 20), 2020. PDF Media
    Voted Top Web Hacking Technique of 2019 and received the associated award.
    Selected among the Top 10 Application Vulnerabilities of 2019 by WhiteHat Security.
    CSAW 2020 Finalist: nominated for Best Applied Research at the 17th annual CSAW conference (CSAW’20).
    Pwnie Award Nominee: nominated for Most Innovative Research of 2020.
  • Giorgio Di Tizio, Fabio Massacci, Luca Allodi, Stanislav Dashevskyi, Jelena Mirkovic. An Experimental Approach for Estimating Cyber Risk: a Proposal Building upon Cyber Ranges and Capture the Flags, To Appear in Proceedings of the 2nd Workshop on Cyber Range Technologies and Applications (CACOE 2020), 2020 - Author's preprint
  • Giorgio Di Tizio, Chan Nam Ngo. Are You a Favorite Target For Cryptojacking? A Case-Control Study On The Cryptojacking Ecosystem, To Appear in Proceedings of the 2nd Workshop on Attackers and Cyber-Crime Operations (WACCO 2020), 2020 - Author's preprint
  • Ivan Pashchenko, Duc-Ly Vu, Fabio Massacci. A Qualitative Study of Dependency Management and Its Security Implications. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2020 - Author's preprint, Publisher Version
  • Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, Antonino Sabetta. Typosquatting and Combosquatting Attacks on the Python Ecosystem. In Proceedings of the 2nd Workshop on Attackers and Cyber-Crime Operations (WACCO 2020), 2020 - Author's preprint, Publisher Version
  • Ivan Pashchenko, Duc-Ly Vu, Fabio Massacci. Preliminary Findings on FOSS Dependencies and Security: A Qualitative Study on Developers’ Attitudes and Experience (Poster). In Proceedings of the 42nd International Conference on Software Engineering (ICSE), 2020 - poster, Author's preprint, Publisher Version
  • Fabio Massacci, Chan Nam Ngo. Distributed Financial Exchanges: Security Challenges and Design Principles. IEEE Security & Privacy (Early Access), 2020 - Publisher Version, Author's preprint
  • Luca Allodi, Marco Cremonini, Fabio Massacci, Woohyun Shim. Measuring the accuracy of software vulnerability assessments: experiments with students and professionals. Empirical Software Engineering 25:1063–1094, 2020 - Open Access PDF
  • Gabriel Kuper, Fabio Massacci, Woohyun Shim, Julian Williams. Who Should Pay for Interdependent Risk? Policy Implications for Security Interdependence Among Airports. Risk Analysis, 2020 - Open Access PDF
  • Pierantonia Sterlini, Fabio Massacci, Natalia Kadenko, Tobias Fiebig, Michel van Eeten. Governance Challenges for European Cybersecurity Policies: Stakeholder Views. IEEE Security & Privacy: 17-31, 2020 - Publisher Version, Author's preprint

2019

  • Fabio Massacci. Is ‘deny access’ a valid ‘fail-safe default’ principle for building security in cyber-physical systems? IEEE Security and Privacy, 2019. Pre-print
  • Ettore Battaiola, Fabio Massacci, Chan Nam Ngo, Pierantonia Sterlini. Blockchain-based Invoice Factoring: from business requirements to commitments. DLT@ITASEC 2019: 17-31. PDF
  • Sandeep Gupta, Attaullah Buriro, and Bruno Crispo. DriverAuth: A Risk-based Multi-modal Biometric-based Driver Authentication Scheme for Ride-sharing Platforms. Computers & Security, 2019. Full Paper
  • Sandeep Gupta, Attaullah Buriro, and Bruno Crispo. DriverAuth: Behavioral biometric-based driver authentication mechanism for on-demand ride and ridesharing infrastructure. ICT Express 5(1):16-20, 2019. Full Paper
  • Johannes de Haan, Fabio Massacci, Pierantonia Sterlini, Peter Bernard Ladkin, Christian Raspotnig. The Risk of Relying on a Public Communications Infrastructure. In Proceedings of the 27th Safety-Critical Systems Symposium (SCSC), Bristol, UK, 5-7 February 2019. PDF

2018

  • Sajjad Arshad, Seyed Ali Mirheidari, Tobias Lauinger, Bruno Crispo, Engin Kirda, and William Robertson. Large-Scale Analysis of Style Injection by Relative Path Overwrite. In the 2018 World Wide Web Conference (WWW'18), 2018. PDF
    Honorable Mention award
  • Sandeep Gupta, Attaullah Buriro, and Bruno Crispo. Demystifying authentication concepts in smartphones: Ways and types to secure access. Mobile Information Systems 2018, 2018. Full Paper
  • Attaullah Buriro, Bruno Crispo, Sandeep Gupta, and Filippo Del Frari. DialerAuth: A motion-assisted touch-based smartphone user authentication scheme. In Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy (CODASPY). ACM, 2018. Full Paper
  • Attaullah Buriro, Bruno Crispo, Mojtaba Eskandari, Sandeep Gupta, Athar Mahboob, and Rutger Van Acker. SnapAuth: A Gesture-Based Unobtrusive Smartwatch User Authentication Scheme. In International Workshop on Emerging Technologies for Authorization and Authentication. Springer, Cham, 2018. Conference paper
  • I. Pashchenko, H. Plate, S. Ponta, A. Sabetta and F. Massacci. Vulnerable Open Source Dependencies: Counting Those That Matter. To appear in International Symposium on Empirical Software Engineering and Measurement (ESEM2018), 2018. esem-2018-final.pdf
  • F. Massacci, C. N. Ngo, J. Nie, D. Venturi and J. Williams. FuturesMEX: Secure, Distributed Futures Market Exchange. To appear in IEEE Symposium on Security and Privacy (S&P'18), 2018. Prepub version, IEEE S&P YouTube channel presentation, also available as a longer talk.
  • F. Massacci, C. N. Ngo, D. Venturi and J. Williams. Non-Monotonic Security Protocols and Failures in Financial Intermediation. To appear in Security Protocols Workshop (SPW 18), 2018. Prepub version
  • S. Dashevskyi, A. D. Brucker, F. Massacci. A Screening Test for Disclosed Vulnerabilities in FOSS Components. To appear in IEEE Transactions on Software Engineering, 2018. camera-ready.pdf
  • K. Labunets, F. Massacci, F. Paci, S. Marczak, F. Moreira de Oliveira. Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations. Journal first presentation at International Conference on Software Engineering (ICSE'18). Full paper.
  • P. D. Phuc, F. Massacci. Mac-A-Mal: An Automated Platform for Mac Malware Hunting. To be presented at BlackHat Asia 2018.

2017

  • I. Pashchenko, S. Dashevskyi, F. Massacci. Delta-Bench: Differential Benchmark for Static Analysis Security Testing Tools. International Symposium on Empirical Software Engineering and Measurement (ESEM2017), 2017. Prepub version
  • I. Pashchenko. FOSS Version Differentiation as a Benchmark for Static Analysis Security Testing Tools. In Proceedings of 2017 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE’17), 2017. Author's PDF or Publisher's Version
  • F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations. To appear in Security Protocols Workshop (SPW) 2017. Author's draft
  • L. Allodi, F. Massacci. Security Events and Vulnerability Data for Cyber Security Risk Estimation. To appear in Risk Analysis (Special Issue on Risk Analysis and Big Data), 2017. PDF at Publisher, Author's Preprint
  • L. Allodi, F. Massacci, J. Williams. The Work Averse Attacker Model. In Workshop on Economics of Information Security (WEIS), 2017. PDF
  • F. Massacci, J. Williams. Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Adversaries. In Workshop on Economics of Information Security (WEIS), 2017. PDF
  • M. de Gramatica, F. Massacci, W. Shim, U. Turhan, J. Williams. Agency Problems and Airport Security: Quantitative and Qualitative Evidence on the Impact of Security Training. To appear in Risk Analysis. Authors' PDF or Publisher's Early View Copy.
  • M. Riaz, J. King, J. Slankas, L. Williams, F. Massacci, C. Quesada-López, M. Jenkins. Identifying the implied: Findings from three differentiated replications on the use of security requirements templates. To appear in Empirical Software Engineering. Authors' PDF or Publisher's Online First.
  • K. Labunets, F. Massacci, F. Paci, S. Marczak, F. Moreira de Oliveira. Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations To appear in Empirical Software Engineering. Available at SSRN: https://ssrn.com/abstract=2906745
  • K. Labunets, F. Massacci, F. Paci. On the Equivalence Between Graphical and Tabular Representations for Security Risk Assessment. In Proceedings of REFSQ'17. Authors' Draft PDF.
  • A. Buriro, B. Crispo, and Y. Zhauniarovich. Please Hold On: Unobtrusive User Authentication using Smartphone’s built-in Sensors. In Proceedings of IEEE International Conference on Identity, Security and Behavior Analysis (ISBA 2017), pp.1–8, 2017.
  • A. Buriro, S. Gupta, and B. Crispo. Evaluation of Motion-based Touch-typing Biometrics in Online Financial Environments. To appear in the 16th International Conference of the Biometrics Special Interest Group (BIOSIG 2017), Darmstadt, 20-22 September 2017.
  • A. Buriro, Z. Akhtar, B. Crispo, S. Gupta. Mobile Biometrics: Towards A Comprehensive Evaluation Methodology. To appear in the 51st International Carnahan Conference on Security Technology (ICCST 2017), Madrid, Spain, October 23-26, 2017.
  • Z. Akhtar, A. Buriro, B. Crispo, and T. H. Falk. Multimodal Smartphone User Authentication using Touchstroke, Phone-movements and Face Patterns. To appear in 5th IEEE Global Conference on Signal and Information Processing (GlobalSIP 2017).

2016

  • L. Allodi, M. Corradin, F. Massacci. Then and Now: On The Maturity of the Cybercrime Markets. The lesson black-hat marketeers learned. IEEE Transactions on Emerging Topics in Computing. 4(1):35-46, 2016. Author's Draft PDF http://doi.org/10.1109/TETC.2015.2397395.
  • S. Dashevskyi, A. D. Brucker, F. Massacci. On the Security Cost of Using a Free and Open Source Component in a Proprietary Product. Proc. of ESSoS 2016 pp. 190-206. 2016.
  • M. de Gramatica, K. Labunets, F. Massacci, F. Paci, M. Ragosta, A. Tedeschi. On the Effectiveness of Sourcing Knowledge from Catalogues in Security Risk Assessment.
  • K. Elliott, F. Massacci, J. Williams. Action, Inaction, Trust, and Cybersecurity's Common Property Problem. IEEE Security & Privacy 14(1), 2016. http://doi.org/10.1109/MSP.2016.2
  • K. Elliott, F. Massacci, C.N. Ngo, J. Williams. Unruly Innovation: Distributed Ledgers, Blockchains and the Protection of Transactional Rents. Technical Report on SSRN 2888872, (December 22, 2016). Available at SSRN: http://ssrn.com/abstract=2888872
  • F. Massacci, C.N. Ngo, J. Williams. Decentralized Transaction Clearing Beyond Blockchains. Technical Report on SSRN 2794913, (June 13, 2016). Available at SSRN: http://ssrn.com/abstract=2794913
  • F. Massacci, R. Ruprai, M. Collison, J. Williams. Economic Impacts of Rules-based versus Risk-based Cybersecurity Regulations in Critical Infrastructure Providers (Bulk Electricity Providers). IEEE Security and Privacy Magazine 14(03):52-60, 2016. Authors' draft. http://doi.org/10.1109/MSP.2016.48.
  • V.H. Nguyen, S. Dashevskyi, and F. Massacci. An Automatic Method for Assessing the Versions Affected by a Vulnerability, Empirical Software Engineering Journal. 21(6):2268-2297, 2016. Publisher's copy
  • A. Buriro, Z. Akhtar, B. Crispo, and F. Del Frari. Age, Gender and Operating-Hand Estimation on Smart Mobile Devices. In Proceedings of the 15th International Conference of the Biometrics Special Interest Group (BIOSIG 2016), Darmstadt, 21-23 September 2016, pp. 1–5, 2016.
  • A. Buriro, B. Crispo, F. Del Frari, and K. Wrona. Hold and Sign: A Novel Behavioral Biometrics for Smartphone User Authentication. In Proceedings of the IEEE Security and Privacy Workshops co-located with the IEEE Symposium on Security and Privacy (IEEE S&P 2016), pp. 276–285, 2016.

2015

  • L. Allodi. The Heavy Tails of Vulnerability Exploitation. In the Proceedings of ESSoS 2015. PDF
  • L. Allodi, F. Massacci. The Work-Averse Attacker Model. In the Proceedings of the 23rd European Conference on Information Systems (2015). PDF
  • M. De Gramatica, F. Massacci, W. Shim, A. Tedeschi, J. Williams. IT Interdependence and the Economic Fairness of Cyber-security Regulations for Civil Aviation. IEEE Security and Privacy Magazine 13(5):52-61, 2015. Authors' draft PDF. http://doi.org/10.1109/MSP.2015.98
  • M. de Gramatica, K. Labunets, F. Massacci, F. Paci, A. Tedeschi. The Role of Catalogues of Threats and Security Controls in Security Risk Assessment: An Empirical Study with ATM Professionals. In the Proceedings of REFSQ 2015. PDF
  • K. Labunets, Y. Li, F. Massacci, F. Paci, M. Ragosta, B. Solhaug, K. Stølen, A. Tedeschi. Preliminary Experiments on the Relative Comprehensibility of Tabular and Graphical Risk Models. In the Proceedings of the 5th SESAR Innovation Days (SIDs'15). PDF
  • K. Labunets, F. Paci, F. Massacci. Which Security Catalogue Is Better for Novices? In Proc. of the EmpiRE Workshop at IEEE RE'15. PDF (preprint)
  • M. Ngo, F. Massacci, D. Milushev, F. Piessens. Runtime Enforcement of Security Policies on Black Box Reactive Programs. In Proc. of POPL 2015. PDF
  • Y. Zhauniarovich, M. Ahmad, O. Gadyatskaya, B. Crispo, F. Massacci. StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications. Proc. of CODASPY'15, pp. 37-48, 2015.
  • Y. Zhauniarovich, A. Philippov, O. Gadyatskaya, B. Crispo, F. Massacci. Towards Black Box Testing of Android Apps. Proc. of ARES 2015, pp. 501-510, 2015.
  • Attaullah Buriro, Bruno Crispo, Filippo Del Frari, Jeffrey Klardie and Konrad Wrona. ITSME: Multi-modal and Unobtrusive Behavioural User Authentication for Smartphones. In Proceedings of the International Conference on Passwords (PASSWORDS 2015), pp.45–61, 2015
  • Attaullah Buriro, Bruno Crispo, Filippo Del Frari, and Konrad Wrona. Touchstroke: Smartphone User Authentication Based on Touch-Typing Biometrics. In Proceedings of the New Trends in Image Analysis and Processing (ICIAP 2015 Workshops), pp. 27–34, 2015

2014

  • L. Allodi, F. Massacci. Comparing vulnerability severity and exploits using case-control studies. In ACM Transactions on Information and System Security (TISSEC). PDF (Draft)
  • S. Dashevskyi, D.R. dos Santos, F. Massacci, and A. Sabetta. TestREx: a Testbed for Repeatable Exploits, In Proceedings of the 7th USENIX conference on Cyber Security Experimentation and Test (CSET), 2014. PDF
  • M. de Gramatica, F. Massacci and O. Gadyatskaya. An Empirical Study of the Technology Transfer Potential of EU Security and Trust R&D Projects. In Cyber Security and Privacy - Third Cyber Security and Privacy EU Forum, CSP Forum 2014, Athens, Greece, May 21-22, 2014, Revised Selected Papers, pp. 159–170, 2014. Springer.
  • M. Giacalone, R. Mammoliti, F. Massacci, F. Paci, R. Perugino, and C. Selli. Security Triage: A Report of a Lean Security Requirements Methodology for Cost-Effective Security Analysis. A short summary appears In Proc. of EmpiRE Workshop at IEEE RE'14. 3 pages PDF. A longer Industry report appears in Proc. of ESEM'2014. PDF (preprint)
  • O. Gadyatskaya, F. Massacci, and Y. Zhauniarovich. Emerging Mobile Platforms: Firefox OS and Tizen, In IEEE Computer, June 2014, draft.pdf
  • F. Massacci, V.H. Nguyen. An Empirical Methodology to Evaluate Vulnerability Discovery Models. In IEEE Transactions on Software Engineering (TSE), 40(12):1147-1162, 2014. PDF (draft)
  • F. Massacci, F. Paci, L.M.S. Tran, A. Tedeschi. Assessing a requirements evolution approach: Empirical studies in the air traffic management domain. Journal of Systems and Software 95:70-88, 2014. Publisher's PDF
  • M. Ngo, F. Massacci. Programmable Enforcement Framework of Information Flow Policies. In Proc. of ICTCS 2014. PDF
  • K. Labunets, F. Massacci, F. Paci, M. Ragosta, B. Solhaug, K. Stølen, A. Tedeschi. A First Empirical Evaluation Framework for Security Risk Assessment Methods in the ATM Domain, In the Proceedings of 4th SESAR Innovation Days (SIDs'14). PDF
  • K. Labunets, F. Paci, F. Massacci, and R. Ruprai. An Experiment on Comparing Textual vs. Visual Industrial Methods for Security Risk Assessment. In Proc. of EmpiRE Workshop at IEEE RE'14 PDF
  • L.M.S. Tran, F. Massacci. An Approach for Decision Support on the Uncertainty in Feature Model Evolution. Accepted for publication in Proc. of IEEE RE'14. PDF Preprint

2013

  • M. Ngo, F. Massacci, O. Gadyatskaya. MAP-REDUCE Enforcement Framework of Information Flow Policies. In Informal Proc. of FCS 2013 PDF.
  • L. Allodi. Internet-scale vulnerability risk assessment (Extended Abstract). In Proceedings of Usenix Security LEET 2013, Washington D.C., USA. PDF
  • L. Allodi, V. Kotov, F. Massacci. MalwareLab: Experimenting with Cybercrime Attack Tools. In: Proc. of Usenix Security CSET 2013, Washington D.C., USA. PDF
  • L. Allodi, F. Massacci. How CVSS is DOSsing your patching policy (and wasting your money). Presentation at BlackHat USA 2013, Las Vegas, USA. PDF presentation slides White Paper
  • L. Allodi, W. Shim, F.Massacci. Quantitative assessment of risk reduction with cybercrime black market monitoring. In: Proceedings of the 2013 IEEE S&P International Workshop on Cyber Crime (IWCC'13), May 19-24, 2013, San Francisco, USA. PDF
  • P. Barsocchi, Gabriele Oligeri, Claudio Soriente. SHAKE: Single HAsh Key Establishment for Resource Constrained Devices. Ad Hoc Networks (Elsevier), Volume 11, Issue 1, January 2013, pp. 288-297.
  • R. Di Pietro, Gabriele Oligeri, Jamming Mitigation in Cognitive Radio Networks. To appear in IEEE Network Magazine, Special Issue on Security in Cognitive Radio Networks.
  • R. Di Pietro, Gabriele Oligeri, COKE: Crypto-less Over-The-Air Key-establishment. In IEEE Transactions on Information Forensics and Security, Vol. 8, Issue 1, 2013, pp.163-173.
  • O. Gadyatskaya, F. Massacci, Q.-H. Nguyen, and B. Chetali. Load time code certification for mobile phone Java cards, In Journal of Information Security and Applications 18/2-3 (Sept 2013) pp. 108–129 .pdf
  • V. Kotov and F. Massacci. Anatomy of Exploit Kits: Preliminary Analysis of Exploit Kits as Software Artefacts. Proc. of ESSoS 2013, pp. 181–196 PDF
  • Labunets, K., Massacci, F., Paci, F., and Tran, L.M.S. An experimental comparison of two risk-based security methods. In Proceedings of the 7th ACM International Symposium on Empirical Software Engineering and Measurement (ESEM), 163–172, 2013. PDF
  • V.H. Nguyen and F. Massacci. The (Un)Reliability of Vulnerable Version Data of NVD: an Empirical Experiment on Chrome Vulnerabilities. In Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS'13), May 7-10, 2013, Hangzhou, China. PDF, Slides
  • M. Rizwan Asghar and Daniele Miorandi. A holistic view of security and privacy issues in smart grids. In Proc. of Smart Grid Security (SmartGridSec), volume 7823 of Lecture Notes in Computer Science, pages 58-71. Springer Berlin Heidelberg, 2013. PDF
  • Muhammad Rizwan Asghar, Giovanni Russello, Bruno Crispo, and Mihaela Ion. Supporting Complex Queries and Access Policies for Multi-user Encrypted Databases, In Proceedings of The 5th ACM Workshop on Cloud Computing Security Workshop (CCSW) in conjunction with the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 2013.
  • Muhammad Rizwan Asghar, Mihaela Ion, Giovanni Russello, and Bruno Crispo. ESPOON_ERBAC: Enforcing Security Policies in Outsourced Environments. Elsevier Computers & Security (COSE), Volume 35, 2013. PDF
  • S. Roy Chowdhury, Muhammad Imran, Muhammad Rizwan Asghar, Sihem Amer-Yahia, and Carlos Castillo. Tweet4act: Using incident-specific profiles for classifying crisis-related messages. In The 10th International Conference on Information Systems for Crisis Response and Management (ISCRAM), May 2013. PDF
  • Tran L.M.S. Early Dealing with Evolving Risks in Software Systems. In: The 3rd International Workshop on Information Systems Security Engineering (WISSE'13), co-located with CAiSE 2013. PDF
  • Y. Zhauniarovich, O. Gadyatskaya, and B. Crispo. Demo: Enabling trusted stores for Android, In proc. of ACM CCS 2013 .pdf

2012

  • Woohyun Shim, Luca Allodi, Fabio Massacci. Crime Pays If You Are Just an Average Hacker. In Proceedings of the IEEE/ASE 2012 Cyber Security Conference. Complementary publication in ASE Journal 2012, Vol. 2. Best paper award. Link, PDF
  • Luca Allodi, Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild. In Proceedings of the ACM BADGERS 2012 CCS Workshop. ACM, PDF
  • Luca Allodi. The dark side of vulnerability exploitation. Proceedings of the 2012 ESSoS Conference Doctoral Symposium. PDF
  • Muhammad Rizwan Asghar and Giovanni Russello. ACTORS: A goal-driven approach for capturing and managing consent in e-health systems. In 2012 IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY), pages 61-69, July 2012. PDF
  • Muhammad Rizwan Asghar, Mihaela Ion, Giovanni Russello, and Bruno Crispo. Securing data provenance in the cloud. In Jan Camenisch and Dogan Kesdogan, editors, Open Problems in Network Security, volume 7039 of Lecture Notes in Computer Science, pages 145-160. Springer Berlin Heidelberg, 2012. PDF
  • Muhammad Rizwan Asghar and Giovanni Russello. Flexible and dynamic consent-capturing. In Jan Camenisch and Dogan Kesdogan, editors, Open Problems in Network Security, volume 7039 of Lecture Notes in Computer Science, pages 119-131. Springer Berlin Heidelberg, 2012.
  • Massacci F., and Paci F. How to Select a Security Requirements Method? A comparative study with students and practitioners. In Proceedings of the 17th Nordic Conference in Secure IT Systems (NordSec), 2012. PDF
  • Massacci F., Nagaraj D., Paci F., Tran L.M.S., Tedeschi A. Assessing a Requirements Evolution Approach: Empirical Studies in the Air Traffic Management Domain. In Proceedings of the International Workshop on Empirical Requirements Engineering (EmpiRE), 49–56, 2012. PDF
  • Paci F., Massacci F., Bouquet F., Debricon S. Managing Evolution by Orchestrating Requirements and Testing Engineering Processes. In Proceedings of the Third International Workshop on Security Testing (SecTest), 834–841, 2012. PDF
  • V.H. Nguyen and F. Massacci. An Independent Validation of Vulnerability Discovery Models. In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (ASIACCS'12), May 2-4, 2012, Seoul, Korea. PDF
  • V.H. Nguyen and F. Massacci. An Idea of an Independent Validation of Vulnerability Discovery Models. In Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS'12), February 16-17, 2012, Eindhoven, The Netherlands. PDF
  • O.Gadyatskaya and F.Massacci: Controlling Application Interactions on the Novel Smart Cards with Security-by-Contract. In Proceedings of HATS-2012 Summer School, Springer PDF
  • O.Gadyatskaya, F.Massacci and E.Lostal: Extended Abstract: Embeddable Security-by-Contract Verifier for Java Card. In BYTECODE-2012, Tallinn, Estonia, 2012. PDF
  • O. Gadyatskaya, F. Massacci and A. Philippov: Security-by-Contract for the OSGi Platform. In Proceedings of 27th IFIP TC 11 Information Security and Privacy Conference (SEC 2012), Springer 2012 PDF
  • Roberto Di Pietro, Gabriele Oligeri, Claudio Soriente, Gene Tsudik, United We Stand: Intrusion Resilience in Mobile Unattended WSNs. IEEE Transaction on Mobile Computing, Online, 31 May 2012.

2011

  • Muhammad Rizwan Asghar, Giovanni Russello, and Bruno Crispo. Poster: ESPOON_ERBAC: Enforcing security policies in outsourced environments with encrypted RBAC. In Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS '11, pages 841-844. ACM, 2011.
  • Muhammad Rizwan Asghar, Mihaela Ion, Giovanni Russello, and Bruno Crispo. ESPOON: Enforcing Encrypted Security Policies in Outsourced Environments. In The Sixth International Conference on Availability, Reliability and Security, ARES'11, pages 99-108. IEEE Computer Society, August 2011. PDF
  • Asnar, Y., Li, T., Massacci, F., Paci, F. Computer Aided Threat Identification. In Proceedings of the IEEE Conference on Commerce and Enterprise Computing (CEC), 145–152, 2011. PDF
  • Asnar Y., Massacci F.: A Method for Security Governance, Risk, and Compliance (GRC): A Goal-Process Approach. Foundations of Security Analysis and Design V: Tutorial Lectures 2011:152-184 - This is a tutorial on the GRC Approach. PDF
  • Asnar Y., Massacci F., Saïdane A., Riccucci C., Felici M., Tedeschi A., El Khoury P., Li K., Seguran M., Zannone N.: Organizational Patterns for Security and Dependability: From Design to Application. International Journal of Secure Software Engineering 2(3):1-22 (2011)
  • Felix, E., Delande, O., Massacci, F., Paci, F. Managing Changes with Legacy Security Engineering Processes. In Proceedings of the IEEE Intelligence and Security Informatics Conference (ISI), 137–142, 2011. PDF
  • Bergmann, G., Massacci, F., Paci, F., Tun, T.T., Varro, D., Yu, Y. SeCMER: A Tool to Gain Control over Security Requirements Evolution. In Proceedings of ServiceWave, Demonstration Track, 49–56, 2011. PDF
  • Bergmann, G., Massacci, F., Paci, F., Tun, T.T., Varro, D., Yu, Y. A Tool for Managing Evolving Security Requirements. In Proceedings of the CAiSE'11 Forum, 110–125, 2011. PDF
  • Bielova N., Devriese D., Massacci F., Piessens F.: Reactive non-interference for a browser model. Proc. of NSS’11, pp. 97-104. IEEE 2011. PDF. Full version as Technical Report at K.U.Leuven
  • Bielova N., Massacci F.: Computer-Aided Generation of Enforcement Mechanisms for Error-Tolerant Policies. Proc. of POLICY’11, pp. 89-96. IEEE 2011. PDF
  • Bielova N., Massacci F.: Do you really mean what you actually enforced? - Edited automata revisited. International Journal of Information Security 10(4):239-254 (2011). PDF
  • Bielova N., Massacci F.: Iterative Enforcement by Suppression: Towards Practical Enforcement Theories. Journal of Computer Security 2011. PDF
  • Massacci, F., Mylopoulos, J., Paci, F., Tun, T.T., Yu, Y. An Extended Ontology for Security Requirements. In Proceedings of the First International Workshop on Information Systems Security Engineering (WISSE), 622–636, 2011. PDF
  • Tran L.M.S, Massacci, F. Towards a Game-Theoretic Foundation for Software Requirement Evolution. In: 23rd International Conference on Advanced Information Systems Engineering (CAiSE'11) London, June 2011. PDF
  • F. Massacci, S. Neuhaus and V.H. Nguyen. After-Life Vulnerabilities: A Study on Firefox Evolution, its Vulnerabilities and Fixes. In Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS'11), February 9-10, 2011, Madrid, Spain. PDF
  • O. Gadyatskaya, F. Massacci and E. Lostal: Load Time Security Verification. In Proceedings of the International Conference on Information Systems Security (ICISS 2011), Kolkata, India, LNCS 7093, pp. 250-264, Springer. PDF
  • N. Dragoni, O. Gadyatskaya and F. Massacci: Supporting Software Evolution for Open Smart Cards by Security-by-Contract. In Petre et al.: Dependability and Computer Engineering: Concepts for Software-Intensive Systems, IGI Global, 2011. PDF available at the IGI Global web site Link
  • N. Dragoni, O. Gadyatskaya, F. Massacci, F. Paci and E. Lostal: Loading-Time Verification for Open Multi-Application Smart Cards. In Proceedings of the IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY 2011), Pisa, Italy, 2011, pp. 153-156, IEEE Computer Society. PDF
  • Gabriele Oligeri, Stefano Chessa, Gaetano Giunta. Loss Tolerant Video Streaming Authentication in Heterogeneous Wireless Networks. Computer Communications, Vol. 34, Issue 11, pp. 1307-1315, 15 July 2011.
  • Gabriele Oligeri, Stefano Chessa, Roberto Di Pietro, Gaetano Giunta. Robust and Efficient Authentication of Video Stream Broadcasting. ACM Transactions on Information and System Security, Vol.14, No.1, pp.1–25, May 2011.

2010

  • Bielova N., Massacci F.: Predictability of Enforcement. In Proc. of ESSoS’10, pp. 73-86. Springer 2010. PDF
  • Compagna L., El Khoury P., Massacci F., Saïdane A.: A Dynamic Security Framework for Ambient Intelligent Systems: A Smart-Home Based eHealth Application. Transactions on Computational Science 10:1-24 (2010)
  • Karsai G., Massacci F., Osterweil L.J., Schieferdecker I.: Evolving Embedded Systems. IEEE Computer 43(5): 34-40 2010. PDF at Publisher
  • Massacci F. and Zannone N. Detecting Conflicts between Functional and Security Requirements with Secure Tropos: John Rusnak and the Allied Irish Bank. In Social Modeling for Requirements Engineering. MIT Press, 2010.
  • F. Massacci and V.H. Nguyen. Which is the Right Source of Vulnerability Studies? An Empirical Analysis on Mozilla Firefox. In Proceedings of the International Workshop on Security Measurement and Metrics (MetriSec'10), Ed: Laurie Williams, Riccardo Scandariato, September 15, 2010, Bolzano-Bozen, Italy. PDF
  • O. Gadyatskaya, F. Massacci, F. Paci, S. Stankevich: Java Card Architecture for Autonomous Yet Secure Evolution of Smart Cards Applications. In Proceedings of NordSec 2010, LNCS 7127, pp. 187-192. Springer 2012. PDF
  • N. Dragoni, O. Gadyatskaya and F. Massacci: Supporting Applications' Evolution in Multi-Application Smart Cards by Security-by-Contract. In Proceedings of the 4th Workshop in Information Security Theory and Practices (WISTP 2010), Passau, Germany, 2010, vol. LNCS 6033, pp.221-228, Springer. PDF

2009

  • Bielova N., Massacci F., Micheletti A.: Towards Practical Enforcement Theories. Proc. of NordSec'09, pp. 239-254, Springer 2009. PDF
  • Compagna L., El Khoury P., Krausová A., Massacci F., and Zannone N. How to integrate legal requirements into a requirements engineering methodology for the development of security and privacy patterns. Artificial Intelligence and Law Journal 17(1):1-30, 2009.
  • Dragoni N., Massacci F., Saïdane A. A self-protecting and self-healing framework for negotiating services and trust in autonomic communication systems. Computer Networks 53(10):1628-1648, 2009.
  • Dragoni N., Massacci F., Walter T., Schaefer C. What the Heck is this application doing? - A security-by-contract architecture for pervasive services, Computers & Security 28(7):566-577, 2009. PDF at Elsevier
  • Kuper G.M., Massacci F., Rassadko N. Generalized XML security views. International Journal of Information Security 8(3): 173-203, 2009.
  • F. Massacci, F. Piessens, I. Siahaan: Security-by-contract for the future internet. Proc. of FIS'09. LNCS 5468, pp. 29-43, Springer 2009. PDF

2008

  • Aktug I., Naliuka K.: ConSpec — A formal language for policy specification. Science of Computer Programming 74(1–2):2-12, 2008. PDF. PDF at Elsevier
  • Bielova N., Dragoni N., Massacci F., Naliuka K., Siahaan I.: Matching in security-by-contract for mobile code. Journal of Logic and Algebraic Programming 78(5):340-358, 2009. PDF
  • Desmet L., Joosen W., Massacci F., Philippaerts P., Piessens F., Siahaan I., Vanoverberghe D., Security-by-contract on the .NET platform. Information Security Technical Report 13(1):25-32, Jan 2008. (most cited paper of the journal) PDF at Elsevier. Short version appeared at ACM CSAW (see below)
  • Desmet L., Joosen W., Massacci F., Naliuka K., Philippaerts P., Piessens F., Vanoverberghe D. The S3MS.NET Run Time Monitor. Tool Demonstration. ENTCS 253(5):153-159, 2009.
  • N. Dragoni, F. Massacci, K. Naliuka: An inline monitoring system for .NET mobile devices. Proc. of IFIPTM’08. 363-366, 2008.
  • Koshutanski H., Massacci F.: Interactive access control for autonomic systems: From theory to implementation. ACM Transactions on Autonomous and Autonomic Systems 3(3): 2008. PDF
  • F. Massacci, K. Naliuka: Towards practical security monitors of UML policies for mobile applications. Proc. of ARES Workshops’08. p. 1112-1119, 2008.
  • F. Massacci, I. Siahaan. Simulating Midlet's Security Claims with Automata Modulo Theory. In Proc. of PLAS'08, May 2008, Tucson (USA), pp. 1-19, ACM Press, 2008.

2007

  • L. Desmet, W. Joosen, F. Massacci, K. Naliuka, P. Philippaerts, F. Piessens, D. Vanoverberghe: A flexible security architecture to support third-party applications on mobile devices. In Proc. of CSAW'07, pp. 19-28, ACM Press 2007. PDF
  • N. Dragoni, F. Massacci: Security-by-contract for web services. In Proc. of SWS'07, pp. 90-98, ACM Press 2007.
  • N. Dragoni, F. Massacci, K. Naliuka, I. Siahaan: Security-by-Contract: Toward a Semantics for Digital Signatures on Mobile Code. In Proc. of EuroPKI 2007, LNCS 4582, pp. 297-312, Springer, 2007. PDF
  • N. Dragoni, F. Massacci, C. Schaefer, T. Walter, E. Vetillard. A Security-by-Contracts Architecture for Pervasive Services. In Proc. of SecPerU'07, pp. 49-54, IEEE Press 2007.
  • Koshutanski H., Massacci F.: A Negotiation Scheme for Access Rights Establishment in Autonomic Communication. Journal of Network and Systems Management 15(1):117-136, 2007. PDF
  • F. Massacci, K. Naliuka: Towards Practical Security Monitors of UML Policies for Mobile Applications. In Proc. of Policy 2007, pp. 278-278, IEEE Press.
  • F. Massacci, I. Siahaan. Matching Midlet's Security Claims with a Platform Security Policy using Automata Modulo Theory. In Proc. of NordSec’07. 2007. PDF
  • Massacci F., Mylopoulos J., Zannone N. Computer-aided Support for Secure Tropos. Automated Software Engineering 14(3): 341-364, 2007.
  • Massacci F., Mylopoulos J., Zannone N., “From Hippocratic Databases to Secure Tropos: a Computer-Aided Re-Engineering Approach”. International Journal of Software engineering and Knowledge Engineering, 17(2):265-284, 2007.

2006

  • Bella G., Massacci F., Paulson L.C.: Verifying the SET Purchase Protocols. Journal of Automated Reasoning 36(1-2):5-37, 2006.
  • Dobson S., Denazis S., Fernández A., Gaïti D., Gelenbe E., Massacci F., Nixon P., Saffre F., Schmidt N., Zambonelli F.: A survey of autonomic communications. ACM Transactions on Autonomous and Autonomic Systems 1(2):223-259, 2006 PDF at Publisher
  • Giorgini P., Massacci F., Mylopoulos J., Zannone N., “Requirements Engineering for Trust Management: Model, Methodology, and Reasoning”. International Journal of Information Security, 5(4):257-274, 2006.
  • Massacci F., Mylopoulos J., Zannone N., “Hierarchical Hippocratic Databases with Minimal Disclosure for Virtual Organizations”. In VLDB Journal, 15(4): 370-387. 2006.

2005

  • Bella G., Massacci F., Paulson L. C., “Overview of the Verification of SET”. International Journal on Information Security, 4(1-2):17-28. 2005.
  • Massacci F., Prest M., Zannone N., “Using a Security Requirements Engineering Methodology in Practice: the compliance with the Italian Data Protection Legislation”. Computer Standards & Interfaces, 2005, v. 27, n. 5, p. 445-455.
  • Giorgini P., Massacci F., Zannone N., “Security and Trust Requirements Engineering”. In Foundations of Security Analysis and Design III: Tutorial Lectures, Aldini A., Gorrieri R., Martinelli F. (eds), Lecture Notes in Computer Science 3655, Springer, 2005, pp. 237-272.

Earlier papers

  • Bella G., Massacci F., Paulson L. C., “Verifying the SET registration protocols”. IEEE Journal on Selected Areas in Communications, 21(1):77-87, 2003.
  • Fiorini C., Massacci F., Martinelli E., “How to fake an RSA signature by encoding modular root finding as a SAT problem”. Discrete Applied Mathematics, 130(2): 101-127, 2003.
  • Massacci F., Marraro L., “Logical Cryptanalysis as a SAT-Problem: Encoding and Analysis of the U.S. Data Encryption Standard”. Journal of Automated Reasoning, 24(1-2):165-203, 2000.
  • Carlucci Aiello L., Massacci F., “Planning attacks to security protocols: case studies in logic programming”. In Computational logic: logic programming and beyond : essays in honor of Robert A. Kowalski, Springer, 2002. p. 533-560
  • Massacci F. and Marraro L. Logical cryptanalysis as a SAT-problem: Encoding and analysis of the U.S. Data Encryption Standard. In SAT-2000: Highlights of Satisfiability Research at the Year 2000, vol. 63 of Frontiers in AI and Applications, pp. 343-376. IOS Press, 2000. Essentially the same as the JAR Paper.
publications.txt · Last modified: 2022/09/14 17:41 by matteo.golinelli@unitn.it