publications [2019/06/09 22:52]
fabio.massacci@unitn.it [2019]
publications [2022/09/14 17:41] (current)
matteo.golinelli@unitn.it Add "Web Cache Deception Escalates!"
Line 2: Line 2:
  
 This page presents the publication of the [[start|Security Group]] in chronological order. You can find them also in the individual [[research_activities|research topics]] or in the pages of the individual [[security_group|members]]. This page presents the publication of the [[start|Security Group]] in chronological order. You can find them also in the individual [[research_activities|research topics]] or in the pages of the individual [[security_group|members]].
 +
 +===== 2022 =====
 +   * Seyed Ali Mirheidari, Matteo Golinelli, Kaan Onarlioglu, Engin Kirda, Bruno Crispo. ** Web Cache Deception Escalates!**,​ The 31st USENIX Security Symposium (USENIX Security '22), 2022. [[https://​www.usenix.org/​system/​files/​sec22-mirheidari.pdf|PDF]] [[https://​www.usenix.org/​conference/​usenixsecurity22/​presentation/​mirheidari|Media]]\\ [[https://​portswigger.net/​research/​top-10-web-hacking-techniques-of-2021-nominations-open|Nominated for Top Web Hacking Technique of 2021.]]
 +   * Giorgio Di Tizio, Michele Armellini, Fabio Massacci, **Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats**. IEEE Transactions on Software Engineering (TSE), 2022 - [[https://​ieeexplore.ieee.org/​document/​9780011|Publisher Version]]
 +===== 2021 =====
 +   * Giorgio Di Tizio, Fabio Massacci, **A Calculus of Tracking: Theory and Practice**. In Proceedings of the 21st Privacy Enhancing Technologies Symposium (PETS 2021), 2021 - {{:: research_activities:​ditizio_pets2021.pdf|Author-accepted manuscript}},​ [[https://​www.youtube.com/​watch?​v=N1GufkHEjX8|Video]]
 +   * Duc-Ly Vu, Fabio Massacci, Ivan Pashchenko, Henrik Plate, and Antonino Sabetta. **LastPyMile:​ Identifying the Discrepancy between Sources and Packages**. In Proceedings of the 29th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2021 - {{::​research_activities:​experiments:​esecfse2021.pdf |Author-accepted manuscript}},​ [[https://​doi.org/​10.1145/​3468264.3468592|Publisher Version]], [[https://​www.youtube.com/​watch?​v=COoqbCwNqbY|Video]]
 +   * Duc-Ly Vu, Ivan Pashchenko, and Fabio Massacci. **Please hold on: more time = more patches? Automated program repair as anytime algorithms**. In Proceedings of //ACM/IEEE International Conference on Software Engineering - Automated Program Repair (APR) workshop//, 2021 - {{ :​research_activities:​vulnerability-analysis:​apr2021.pdf |Author-accepted manuscript}},​ [[https://​doi.org/​10.1109/​APR52552.2021.00009|Publisher Version]], [[https://​www.youtube.com/​watch?​v=j8ln1qbh2cI|Video]]
 +   * Fabio Massacci and Ivan Pashchenko. **Technical Leverage: dependencies mixed blessing**. To Appear in //IEEE Security and Privacy Magazine - Dept. Building Security In//, 2021 - [[ https://​assuremoss.eu/​en/​resources/​Papers/​2021-SPM |Author-accepted manuscript]]
 +   * Fabio Massacci and Ivan Pashchenko. **Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks**. To Appear in //ACM/IEEE International Conference on Software Engineering//,​ 2021 - [[https://​assuremoss.eu/​en/​resources/​Papers/​2021-ICSE|Author-accepted manuscript]]
 +   * Ivan Pashchenko, Riccardo Scandariato,​ Antonino Sabetta, and Fabio Massacci. **Secure Software Development in the Era of Fluid Multi-party Open Software and Services**. To Appear in //ACM/IEEE International Conference on Software Engineering - New Ideas and Emerging Results//, 2021 - [[https://​assuremoss.eu/​en/​resources/​Papers/​2021-ICSE-NIER|Author-accepted manuscript]]
 +
 +===== 2020 =====
 +   * Ivan Pashchenko, Henrik Plate, Serena Elisa Ponta, Antonino Sabetta, and Fabio Massacci. **Vuln4Real:​ A Methodology for Counting Actually Vulnerable Dependencies**. //IEEE Transactions on Software Engineering Journal//, 2020 - {{:​research_activities:​vulnerability-analysis:​pashchenko-vuln4real.pdf|Author-accepted manuscript}}
 +   * Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, Antonino Sabetta. **Towards Using Source Code Repositories to Identify Software Supply Chain Attacks**. In Proceedings of //the ACM Conference on Computer and Communications Security (CCS)//, 2020 - {{:​research_activities:​experiments:​ccs2020poster.pdf|Author'​s preprint}}, {{:​research_activities:​experiments:​poster_ccs-20.pdf|poster}},​ [[https://​doi.org/​10.1145/​3372297.3420015|Publisher Version]]
 +   * Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, and William Robertson. ** Cached and Confused: Web Cache Deception in the Wild**, The 29th USENIX Security Symposium (USENIX Security 20), 2020. [[https://​www.usenix.org/​system/​files/​sec20-mirheidari.pdf|PDF]] [[https://​www.usenix.org/​conference/​usenixsecurity20/​presentation/​mirheidari|Media]]\\ [[https://​portswigger.net/​research/​top-10-web-hacking-techniques-of-2019|Voted and let to an award as Top Web Hacking Technique of 2019.]]\\ [[https://​www.cybersecurity-insiders.com/​investigating-the-top-10-application-vulnerabilities/​|Selected among Top 10 Application Vulnerabilities of 2019 by WhiteHat Security.]]\\ [[https://​www.csaw.io/​research|CSAW 2020 Finalist: Nominated for the Best Applied Research in the 17th annual CSAW conference (CSAW’20).]]\\ [[https://​pwnies.com/​nominations/​active/​most-innovative-research/​web-cache-deception-in-the-wild/​|Pwnie Award Nominee: Nominated for the Most Innovative Research of 2020.]]
 +   * Giorgio Di Tizio, Fabio Massacci, Luca Allodi, Stanislav Dashevskyi, Jelena Mirkovic. **An Experimental Approach for Estimating Cyber Risk: a Proposal Building upon Cyber Ranges and Capture the Flags**, To Appear in Proceedings of //the 2nd Workshop on Cyber Range Technologies and Applications (CACOE 2020)//, 2020 - {{:​research_activities:​cacoe6.pdf|Author'​s preprint}}
 +   * Giorgio Di Tizio, Chan Nam Ngo. **Are You a Favorite Target For Cryptojacking?​ A Case-Control Study On The Cryptojacking Ecosystem**,​ To Appear in Proceedings of //the 2nd Workshop on Attackers and Cyber-Crime Operations (WACCO 2020)//, 2020 - {{:​research_activities:​wacco17.pdf|Author'​s preprint}}
 +   * Ivan Pashchenko, Duc-Ly Vu, Fabio Massacci. **A Qualitative Study of Dependency Management and Its Security Implications**,​ In Proceedings of //the ACM Conference on Computer and Communications Security (CCS)//, 2020 {{:​research_activities:​experiments:​ccs-2020-preprint.pdf|Author'​s preprint}}, [[https://​doi.org/​10.1145/​3372297.3417232|Publisher Version]]
 +   * Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, Antonino Sabetta. **Typosquatting and Combosquatting Attacks on the Python Ecosystem**. In Proceedings of //the 2nd Workshop on Attackers and Cyber-Crime Operations (WACCO 2020)//, 2020 - {{:​research_activities:​experiments:​ly2020typosquatting.pdf|Author'​s preprint}}, [[https://​doi.org/​10.1109/​EuroSPW51379.2020.00074|Publisher Version]]
 +   * Ivan Pashchenko, Duc-Ly Vu, Fabio Massacci. **Preliminary Findings on FOSS Dependencies and Security A Qualitative Study on Developers’ Attitudes and Experience (Poster)**. In Proceedings of //the 42nd International Conference on Software Engineering (ICSE)//, 2020 - {{:​research_activities:​experiments:​poster_icse-20.pdf|poster}},​ {{:​research_activities:​experiments:​pashchenko2020preliminary.pdf|Author'​s preprint}} [[https://​doi.org/​10.1145/​3377812.3390903|Publisher Version]]
 +   * Fabio Massacci, Chan Nam Ngo. **Distributed Financial Exchanges: Security Challenges and Design Principles** IEEE Security & Privacy (Early Access) [[https://​ieeexplore.ieee.org/​document/​9115212|Publisher Version]] [[:​sp-2019-05-0134.r1_ngo.pdf|Author'​s preprint]]
 +   * Luca Allodi, Marco Cremonini, Fabio Massacci, Woohyun Shim. **Measuring the accuracy of software vulnerability assessments:​ experiments with students and professionals**,​ Empirical Software Engineering 25:​1063–1094 [[https://​doi.org/​10.1007/​s10664-019-09797-4|Open Access PDF]]
 +   * Gabriel Kuper, Fabio Massacci, Woohyun Shim, Julian Williams. **Who Should Pay for Interdependent Risk? Policy Implications for Security Interdependence Among Airports**, Risk Analysis [[https://​doi.org/​10.1111/​risa.13454|Open Access PDF]]
 +   ​* ​ Pierantonia Sterlini, Fabio Massacci, Natalia Kadenko, Tobias Fiebig, Michel van Eeten. **Governance Challenges for European Cybersecurity Policies: Stakeholder Views** IEEE Security & Privacy: 17-31 [[https://​doi.org/​10.1109/​MSEC.2019.2945309|Publisher Version]], {{:​research_activities:​economics:​ieee_governance_v28-cleaned.pdf|Author'​s preprint}}.
 +
 +
  
 ===== 2019 ===== ===== 2019 =====
    * Fabio Massacci. **Is ‘deny access’ a valid ‘fail-safe default’ principle for building security in cyber-physical systems?** IEEE Security and Privacy (2019).{{:​whitepapers:​spm-fail-safe-v7.pdf|Pre-print}}    * Fabio Massacci. **Is ‘deny access’ a valid ‘fail-safe default’ principle for building security in cyber-physical systems?** IEEE Security and Privacy (2019).{{:​whitepapers:​spm-fail-safe-v7.pdf|Pre-print}}
-   * Gupta, Sandeep, Attaullah Buriro, and Bruno Crispo. **DriverAuth:​ A Risk-based Multi-modal Biometric-based Driver Authentication Scheme for Ride-sharing Platforms.** Computers & Security (2019).{{https://​www.sciencedirect.com/​science/​article/​pii/​S0167404818310113|Full Paper}} +   * Ettore Battaiola, Fabio Massacci, Chan Nam Ngo, Pierantonia Sterlini. **Blockchain-based Invoice Factoring: from business requirements to commitments.** DLT@ITASEC 2019: 17-31 [[http://​ceur-ws.org/​Vol-2334/​DLTpaper2.pdf|PDF]]. 
-   * Gupta, Sandeep, Attaullah Buriro, and Bruno Crispo. **DriverAuth:​ Behavioral biometric-based driver authentication mechanism for on-demand ride and ridesharing infrastructure.** ICT Express 5.1 (2019): 16-20. ​{{https://​www.sciencedirect.com/​science/​article/​pii/​S2405959517302710|Full Paper}}+   * Gupta, Sandeep, Attaullah Buriro, and Bruno Crispo. **DriverAuth:​ A Risk-based Multi-modal Biometric-based Driver Authentication Scheme for Ride-sharing Platforms.** Computers & Security (2019).[[https://​www.sciencedirect.com/​science/​article/​pii/​S0167404818310113|Full Paper]] 
 +   * Gupta, Sandeep, Attaullah Buriro, and Bruno Crispo. **DriverAuth:​ Behavioral biometric-based driver authentication mechanism for on-demand ride and ridesharing infrastructure.** ICT Express 5.1 (2019): 16-20. ​[[https://​www.sciencedirect.com/​science/​article/​pii/​S2405959517302710|Full Paper]] 
 +   * de Haan, Johannes; Massacci, Fabio; Sterlini, Pierantonia;​ Bernard Ladkin, Peter; Raspotnig, Christian, **The Risk of Relying on a Public Communications Infrastructure.** in Proceedings of the 27th Safety-Critical Systems Symposium, Bristol, UK: Publisher SCSC, 2019. Proceedings of: SCSC, Bristol, UK, 5-7th February 2019{{:​research_activities:​economics:​sss-rdci-tf_final-2019.pdf|PDF}}
 ===== 2018 ===== ===== 2018 =====
 +  * Sajjad Arshad, Seyed Ali Mirheidari, Tobias Lauinger, Bruno Crispo, Engin Kirda, and William Robertson. **Large-Scale Analysis of Style Injection by Relative Path Overwrite.** the 2018 World Wide Web Conference (WWW'​18),​ 2018. {{:​www2018rpo_paper.pdf|PDF}} \\ [[https://​www2018.thewebconf.org/​awards/​|Honorable Mention award]]
   * Gupta, Sandeep, Attaullah Buriro, and Bruno Crispo. **Demystifying authentication concepts in smartphones:​ Ways and types to secure access.** Mobile Information Systems 2018 (2018). {{https://​doi.org/​10.1155/​2018/​2649598|Full Paper}}   * Gupta, Sandeep, Attaullah Buriro, and Bruno Crispo. **Demystifying authentication concepts in smartphones:​ Ways and types to secure access.** Mobile Information Systems 2018 (2018). {{https://​doi.org/​10.1155/​2018/​2649598|Full Paper}}
   * Buriro, Attaullah, Bruno Crispo, Sandeep Gupta, and Filippo Del Frari. **Dialerauth:​ A motion-assisted touch-based smartphone user authentication scheme.** Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. ACM, 2018.{{https://​dl.acm.org/​citation.cfm?​doid=3176258.3176318|Full Paper}}   * Buriro, Attaullah, Bruno Crispo, Sandeep Gupta, and Filippo Del Frari. **Dialerauth:​ A motion-assisted touch-based smartphone user authentication scheme.** Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. ACM, 2018.{{https://​dl.acm.org/​citation.cfm?​doid=3176258.3176318|Full Paper}}
   * Buriro, Attaullah, Bruno Crispo, Mojtaba Eskandri, Sandeep Gupta, Athar Mahboob, and Rutger Van Acker. **Snap Auth: A Gesture-Based Unobtrusive Smartwatch User Authentication Scheme.** International Workshop on Emerging Technologies for Authorization and Authentication. Springer, Cham, 2018.{{https://​link.springer.com/​chapter/​10.1007/​978-3-030-04372-8_3|Conference paper}}   * Buriro, Attaullah, Bruno Crispo, Mojtaba Eskandri, Sandeep Gupta, Athar Mahboob, and Rutger Van Acker. **Snap Auth: A Gesture-Based Unobtrusive Smartwatch User Authentication Scheme.** International Workshop on Emerging Technologies for Authorization and Authentication. Springer, Cham, 2018.{{https://​link.springer.com/​chapter/​10.1007/​978-3-030-04372-8_3|Conference paper}}
-  * I. Pashchenko, H. Plate, S. Ponta, A. Sabetta and F. Massacci. **Vulnerable Open Source Dependencies:​ Counting Those That Matter** To appear in //​International Symposium on Empirical Software Engineering and Measurement (ESEM2018),//​ 2018. {{https://drive.google.com/​file/​d/​1IewO3T_cZuz2GkRctDJYvyMJAqXxTamc/​view?​usp=sharing|Camera-ready}}+  * I. Pashchenko, H. Plate, S. Ponta, A. Sabetta and F. Massacci. **Vulnerable Open Source Dependencies:​ Counting Those That Matter** To appear in //​International Symposium on Empirical Software Engineering and Measurement (ESEM2018),//​ 2018. {{:research_activities:​vulnerability_discovery_model:​esem-2018-final.pdf|}}
   * F. Massacci, C. N. Ngo, J. Nie, D. Venturi and J. Williams. **FuturesMEX:​ Secure, Distributed Futures Market Exchange.** To appear in //IEEE Symposium on Security and Privacy (SS&​P'​18)//,​ 2018. {{:​sp18proceedings.pdf|Prepub version}}, [[https://​www.youtube.com/​watch?​v=cOGgB9GdPT0|IEEE S&P Youtube channel presentation]],​ also available as {{:​research_activities:​economics:​futuremex-1h-no-animation.pdf|longer talk}}.   * F. Massacci, C. N. Ngo, J. Nie, D. Venturi and J. Williams. **FuturesMEX:​ Secure, Distributed Futures Market Exchange.** To appear in //IEEE Symposium on Security and Privacy (SS&​P'​18)//,​ 2018. {{:​sp18proceedings.pdf|Prepub version}}, [[https://​www.youtube.com/​watch?​v=cOGgB9GdPT0|IEEE S&P Youtube channel presentation]],​ also available as {{:​research_activities:​economics:​futuremex-1h-no-animation.pdf|longer talk}}.
   * F. Massacci, C. N. Ngo, D. Venturi and J. Williams. **Non-Monotonic Security Protocols and Failures in Financial Intermediation** To appear in //Security Protocols Workshop (SPW 18)//, 2018. {{:​research_activities:​economics:​nonmonotonicsecurity.pdf|Prepub version}}   * F. Massacci, C. N. Ngo, D. Venturi and J. Williams. **Non-Monotonic Security Protocols and Failures in Financial Intermediation** To appear in //Security Protocols Workshop (SPW 18)//, 2018. {{:​research_activities:​economics:​nonmonotonicsecurity.pdf|Prepub version}}
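Review bot: the rewritten ESEM2018 entry in this hunk leaves the link label empty (`{{:research_activities:vulnerability_discovery_model:esem-2018-final.pdf|}}`), so the wiki will render the raw media path where the old line showed "Camera-ready"; give it a label consistent with the rest of the page, e.g. `|Author-accepted manuscript}}`. Two smaller points in the same hunk: the "Cached and Confused" entry reads "Voted and let to an award as Top Web Hacking Technique of 2019" (should be "led to"), and the de Haan et al. entry states the venue twice ("in Proceedings of the 27th Safety-Critical Systems Symposium, Bristol, UK ... Proceedings of: SCSC, Bristol, UK, 5-7th February 2019") and has no space before its `{{...|PDF}}` link. The DriverAuth lines correctly switch external links from `{{url|...}}` media syntax to `[[url|...]]`; the unchanged 2018 Gupta/Buriro entries still use `{{https://...|Full Paper}}` and could get the same treatment.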
Line 22: Line 52:
   * I. Pashchenko. **FOSS Version Differentiation as a Benchmark for Static Analysis Security Testing Tools**. In // Proceedings of 2017 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/​FSE’17),//​ 2017. {{https://​drive.google.com/​file/​d/​0B_rJCkKmzPjSWllQcEJpQWNOOVU/​view?​usp=sharing|Author'​s PDF}} or {{https://​doi.org/​10.1145/​3106237.3121276|Publisher'​s Version}}   * I. Pashchenko. **FOSS Version Differentiation as a Benchmark for Static Analysis Security Testing Tools**. In // Proceedings of 2017 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/​FSE’17),//​ 2017. {{https://​drive.google.com/​file/​d/​0B_rJCkKmzPjSWllQcEJpQWNOOVU/​view?​usp=sharing|Author'​s PDF}} or {{https://​doi.org/​10.1145/​3106237.3121276|Publisher'​s Version}}
   * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{:​spw17.pdf|Author'​s draft}}   * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{:​spw17.pdf|Author'​s draft}}
-  * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation.** To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017.{{http://onlinelibrary.wiley.com/resolve/​doi?​DOI=10.1111/​risa.12864|PDF at Publisher}},​ {{http://​www.win.tue.nl/​~lallodi/​allodi-risa-17.pdf|Authors' ​draft}}+  * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation.** To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017.{{https://doi.org/​10.1111/​risa.12864|PDF at Publisher}},​ {{:research_activities:​economics:​allodi-risa-17.pdf|Author's Preprint}}
   * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://​weis2017.econinfosec.org/​wp-content/​uploads/​sites/​3/​2017/​05/​WEIS_2017_paper_13.pdf|PDF}}   * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://​weis2017.econinfosec.org/​wp-content/​uploads/​sites/​3/​2017/​05/​WEIS_2017_paper_13.pdf|PDF}}
   * F. Massacci, J. Williams. **Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Adversaries.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://​weis2017.econinfosec.org/​wp-content/​uploads/​sites/​3/​2017/​05/​WEIS_2017_paper_14.pdf|PDF}}   * F. Massacci, J. Williams. **Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Adversaries.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://​weis2017.econinfosec.org/​wp-content/​uploads/​sites/​3/​2017/​05/​WEIS_2017_paper_14.pdf|PDF}}
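Review bot: the Allodi/Massacci "Security Events and Vulnerability Data" entry keeps the `{{...}}` media syntax for its external DOI link (`{{https://doi.org/10.1111/risa.12864|PDF at Publisher}}`), while the newer sections of the page link external URLs with `[[...]]`; switch it to `[[https://doi.org/10.1111/risa.12864|Publisher Version]]` so it renders as a link rather than an embedded media reference, and use the page's usual "Author's preprint" capitalisation for the local PDF label. The preceding ESEC/FSE'17 entry has the same `{{https://...}}` pattern for its Google Drive and DOI links.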
publications.txt · Last modified: 2022/09/14 17:41 by matteo.golinelli@unitn.it