===== 2018 =====
* F. Massacci, C. N. Ngo, J. Nie, D. Venturi and J. Williams. FuturesMEX: Secure, Distributed Futures Market Exchange.
To appear in IEEE Symposium on Security and Privacy (S&P'18), 2018. Prepub version; IEEE S&P YouTube channel presentation, also available as a longer talk.
* F. Massacci, C. N. Ngo, D. Venturi and J. Williams. Non-Monotonic Security Protocols and Failures in Financial Intermediation.
To appear in Security Protocols Workshop (SPW 18), 2018. Prepub version.
* S. Dashevskyi, A.D. Brucker, F. Massacci. A Screening Test for Disclosed Vulnerabilities in FOSS Components.
To appear in IEEE Transactions on Software Engineering, 2018. Camera-ready PDF.
* K. Labunets, F. Massacci, F. Paci, S. Marczak, F. Moreira de Oliveira. Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations.
Journal-first presentation at the International Conference on Software Engineering (ICSE'18). Full paper.
* P. D. Phuc, F. Massacci. Mac-A-Mal: An Automated Platform for Mac Malware Hunting.
To be presented at BlackHat Asia 2018.
===== 2017 =====
* I. Pashchenko, S. Dashevskyi, F. Massacci. Delta-Bench: Differential Benchmark for Static Analysis Security Testing Tools.
International Symposium on Empirical Software Engineering and Measurement (ESEM 2017), 2017. Prepub version.
* I. Pashchenko. FOSS Version Differentiation as a Benchmark for Static Analysis Security Testing Tools.
In Proceedings of the 2017 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'17), 2017. Author's PDF or publisher's version.
* F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations.
To appear in Security Protocols Workshop (SPW) 2017. Author's draft.
* L. Allodi, F. Massacci. Security Events and Vulnerability Data for Cyber Security Risk Estimation.
To appear in Risk Analysis (Special Issue on Risk Analysis and Big Data), 2017. PDF at publisher, authors' draft.
* L. Allodi, F. Massacci, J. Williams. The Work Averse Attacker Model.
In Workshop on Economics of Information Security (WEIS), 2017. PDF
* F. Massacci, J. Williams. Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Adversaries.
In Workshop on Economics of Information Security (WEIS), 2017. PDF
* M. de Gramatica, F. Massacci, W. Shim, U. Turhan, J. Williams. Agency Problems and Airport Security: Quantitative and Qualitative Evidence on the Impact of Security Training.
To appear in Risk Analysis. Authors' PDF or publisher's Early View copy.
* M. Riaz, J. King, J. Slankas, L. Williams, F. Massacci, C. Quesada-López, M. Jenkins. Identifying the Implied: Findings from Three Differentiated Replications on the Use of Security Requirements Templates.
To appear in Empirical Software Engineering. Authors' PDF or publisher's Online First.
* K. Labunets, F. Massacci, F. Paci, S. Marczak, F. Moreira de Oliveira. Model Comprehension for Security Risk Assessment: An Empirical Comparison of Tabular vs. Graphical Representations.
To appear in Empirical Software Engineering. Available at SSRN: https://ssrn.com/abstract=2906745
* K. Labunets, F. Massacci, F. Paci. On the Equivalence Between Graphical and Tabular Representations for Security Risk Assessment.
In Proceedings of REFSQ'17. Authors' draft PDF.
* A. Buriro, B. Crispo, and Y. Zhauniarovich. Please Hold On: Unobtrusive User Authentication using Smartphone's Built-in Sensors.
In Proceedings of the IEEE International Conference on Identity, Security and Behavior Analysis (ISBA 2017), pp. 1–8, 2017.
* A. Buriro, S. Gupta, and B. Crispo. Evaluation of Motion-based Touch-typing Biometrics in Online Financial Environments.
To appear in the 16th International Conference of the Biometrics Special Interest Group (BIOSIG 2017), 20-22 September 2017, Darmstadt.
* A. Buriro, Z. Akhtar, B. Crispo, S. Gupta. Mobile Biometrics: Towards A Comprehensive Evaluation Methodology.
To appear in the 51st International Carnahan Conference on Security Technology (ICCST 2017), Madrid, Spain, October 23-26, 2017.
* Z. Akhtar, A. Buriro, B. Crispo, and T. H. Falk. Multimodal Smartphone User Authentication using Touchstroke, Phone-movements and Face Patterns.
To appear in the 5th IEEE Global Conference on Signal and Information Processing (GlobalSIP 2017).
===== 2016 =====
* L. Allodi, M. Corradin, F. Massacci. Then and Now: On The Maturity of the Cybercrime Markets. The lesson black-hat marketeers learned.
IEEE Transactions on Emerging Topics in Computing. 4(1):35-46, 2016. Author's Draft PDF http://doi.org/10.1109/TETC.2015.2397395.
* S. Dashevskyi, A. D. Brucker, F. Massacci. On the Security Cost of Using a Free and Open Source Component in a Proprietary Product.
Proc. of ESSoS 2016 pp. 190-206. 2016.
* M. de Gramatica, K. Labunets, F. Massacci, F. Paci, M. Ragosta, A. Tedeschi. On the Effectiveness of Sourcing Knowledge from Catalogues in Security Risk Assessment.
* K. Elliott, F. Massacci, J. Williams. Action, Inaction, Trust, and Cybersecurity's Common Property Problem.
IEEE Security & Privacy 14(1), 2016. http://doi.org/10.1109/MSP.2016.2
* K. Elliott, F. Massacci, C.N. Ngo, J. Williams. Unruly Innovation: Distributed Ledgers, Blockchains and the Protection of Transactional Rents.
Technical Report on SSRN 2888872 (December 22, 2016). Available at SSRN: http://ssrn.com/abstract=2888872
* F. Massacci, C.N. Ngo, J. Williams. Decentralized Transaction Clearing Beyond Blockchains.
Technical Report on SSRN 2794913 (June 13, 2016). Available at SSRN: http://ssrn.com/abstract=2794913
* F. Massacci, R. Ruprai, M. Collison, J. Williams. Economic Impacts of Rules-based versus Risk-based Cybersecurity Regulations in Critical Infrastructure Providers (Bulk Electricity Providers).
IEEE Security and Privacy Magazine 14(03):52-60, 2016. Authors' draft. http://doi.org/10.1109/MSP.2016.48.
* V.H. Nguyen, S. Dashevskyi, and F. Massacci. An Automatic Method for Assessing the Versions Affected by a Vulnerability.
Empirical Software Engineering Journal 21(6):2268-2297, 2016. Publisher's copy.
* A. Buriro, Z. Akhtar, B. Crispo, and F. Del Frari. Age, Gender and Operating-Hand Estimation on Smart Mobile Devices.
In Proceedings of the 15th International Conference of the Biometrics Special Interest Group (BIOSIG 2016), 21-23 September 2016, Darmstadt, pp. 1–5, 2016.
* A. Buriro, B. Crispo, F. Del Frari, and K. Wrona. Hold and Sign: A Novel Behavioral Biometrics for Smartphone User Authentication.
In Proceedings of the IEEE Computer Society Security and Privacy Workshops, co-located with the IEEE Symposium on Security and Privacy (IEEE S&P 2016), pp. 276–285, 2016.
===== 2015 =====
* P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. 10-Year Most Influential Paper Award at the 2015 IEEE Requirements Engineering Conference.
Read the original paper, Modeling Security Requirements Through Ownership, Permission and Delegation, from IEEE RE'2005. See the MIP presentation at RE'2015.
* L. Allodi. The Heavy Tails of Vulnerability Exploitation.
In the Proceedings of ESSoS 2015. PDF.
* L. Allodi, F. Massacci. The Work-Averse Attacker Model.
In the Proceedings of the 23rd European Conference on Information Systems (2015). PDF.
* M. De Gramatica, F. Massacci, W. Shim, A. Tedeschi, J. Williams. IT Interdependence and the Economic Fairness of Cyber-security Regulations for Civil Aviation.
IEEE Security and Privacy Magazine 13(5):52-61, 2015. Authors' draft PDF. http://doi.org/10.1109/MSP.2015.98
* M. de Gramatica, K. Labunets, F. Massacci, F. Paci, A. Tedeschi. The Role of Catalogues of Threats and Security Controls in Security Risk Assessment: An Empirical Study with ATM Professionals.
In the Proceedings of REFSQ 2015. PDF.
* K. Labunets, Y. Li, F. Massacci, F. Paci, M. Ragosta, B. Solhaug, K. Stølen, A. Tedeschi. Preliminary Experiments on the Relative Comprehensibility of Tabular and Graphical Risk Models.
In the Proceedings of the 5th SESAR Innovation Days (SIDs'15). PDF.
* K. Labunets, F. Paci, F. Massacci. Which Security Catalogue Is Better for Novices?
In Proc. of EmpiRE Workshop at IEEE RE'15. PDF (preprint)
* M. Ngo, F. Massacci, D. Milushev, F. Piessens. Runtime Enforcement of Security Policies on Black Box Reactive Programs.
In Proc. of POPL 2015. PDF.
* Y. Zhauniarovich, M. Ahmad, O. Gadyatskaya, B. Crispo, F. Massacci. StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Applications.
Proc. of CODASPY'15. pp. 37-48, 2015.
* Y. Zhauniarovich, A. Philippov, O. Gadyatskaya, B. Crispo, F. Massacci. Towards Black Box Testing of Android Apps.
Proc. of ARES 2015, pp. 501-510, 2015.
* A. Buriro, B. Crispo, F. Del Frari, J. Klardie and K. Wrona. ITSME: Multi-modal and Unobtrusive Behavioural User Authentication for Smartphones.
In Proceedings of the International Conference on Passwords (PASSWORDS 2015), pp. 45–61, 2015.
* A. Buriro, B. Crispo, F. Del Frari, and K. Wrona. Touchstroke: Smartphone User Authentication Based on Touch-Typing Biometrics.
In Proceedings of New Trends in Image Analysis and Processing (ICIAP 2015 Workshops), pp. 27–34, 2015.
===== 2014 =====
* L. Allodi, F. Massacci. Comparing Vulnerability Severity and Exploits Using Case-Control Studies.
In ACM Transactions on Information and System Security (TISSEC). PDF (draft).
* S. Dashevskyi, D.R. dos Santos, F. Massacci, and A. Sabetta. TestREx: A Testbed for Repeatable Exploits.
In Proceedings of the 7th USENIX Conference on Cyber Security Experimentation and Test (CSET), 2014. PDF.
* M. de Gramatica, F. Massacci and O. Gadyatskaya. An Empirical Study of the Technology Transfer Potential of EU Security and Trust R&D Projects.
In Cyber Security and Privacy - Third Cyber Security and Privacy EU Forum, CSP Forum 2014, Athens, Greece, May 21-22, 2014, Revised Selected Papers, pp. 159–170, 2014. Springer.
* M. Giacalone, R. Mammoliti, F. Massacci, F. Paci, R. Perugino, and C. Selli. Security Triage: A Report of a Lean Security Requirements Methodology for Cost-Effective Security Analysis.
A short summary (3 pages) appears in Proc. of EmpiRE Workshop at IEEE RE'14. PDF. A longer industry report appears in Proc. of ESEM 2014. PDF (preprint).
* O. Gadyatskaya, F. Massacci, and Y. Zhauniarovich. Emerging Mobile Platforms: Firefox OS and Tizen.
In IEEE Computer, June 2014. Draft PDF.
* F. Massacci, V.H. Nguyen. An Empirical Methodology to Evaluate Vulnerability Discovery Models.
In IEEE Transactions on Software Engineering (TSE), 40(12):1147-1162, 2014. PDF (draft)
* F. Massacci, F. Paci, L.M.S. Tran, A. Tedeschi. Assessing a requirements evolution approach: Empirical studies in the air traffic management domain.
Journal of Systems and Software 95:70-88, 2014. Publisher's PDF
* M. Ngo, F. Massacci. Programmable Enforcement Framework of Information Flow Policies.
In Proc. of ICTCS 2014. PDF.
* K. Labunets, F. Massacci, F. Paci, M. Ragosta, B. Solhaug, K. Stølen, A. Tedeschi. A First Empirical Evaluation Framework for Security Risk Assessment Methods in the ATM Domain.
In the Proceedings of the 4th SESAR Innovation Days (SIDs'14). PDF.
* K. Labunets, F. Paci, F. Massacci, and R. Ruprai. An Experiment on Comparing Textual vs. Visual Industrial Methods for Security Risk Assessment.
In Proc. of EmpiRE Workshop at IEEE RE'14. PDF.
* L.M.S. Tran, F. Massacci. An Approach for Decision Support on the Uncertainty in Feature Model Evolution.
Accepted for publication in Proc. of IEEE RE'14. PDF (preprint).
===== 2013 =====
* M. Ngo, F. Massacci, O. Gadyatskaya. MAP-REDUCE Enforcement Framework of Information Flow Policies.
In Informal Proc. of FCS 2013. PDF.
* L. Allodi. Internet-scale Vulnerability Risk Assessment (Extended Abstract).
In Proceedings of USENIX Security LEET 2013, Washington D.C., USA. PDF.
* L. Allodi, V. Kotov, F. Massacci. MalwareLab: Experimenting with Cybercrime Attack Tools.
In Proc. of USENIX Security CSET 2013, Washington D.C., USA. PDF.
* L. Allodi, F. Massacci. How CVSS is DOSsing your patching policy (and wasting your money).
Presentation at BlackHat USA 2013, Las Vegas, USA. Presentation slides (PDF), white paper.
* L. Allodi, W. Shim, F. Massacci. Quantitative Assessment of Risk Reduction with Cybercrime Black Market Monitoring.
In Proceedings of the 2013 IEEE S&P International Workshop on Cyber Crime (IWCC'13), May 19-24, 2013, San Francisco, USA. PDF.
* P. Barsocchi, G. Oligeri, C. Soriente. SHAKE: Single HAsh Key Establishment for Resource Constrained Devices.
Ad Hoc Networks (Elsevier), Volume 11, Issue 1, January 2013, pp. 288-297.
* R. Di Pietro, G. Oligeri. Jamming Mitigation in Cognitive Radio Networks.
To appear in IEEE Network Magazine, Special Issue on Security in Cognitive Radio Networks.
* R. Di Pietro, G. Oligeri. COKE: Crypto-less Over-The-Air Key-establishment.
In IEEE Transactions on Information Forensics and Security, Vol. 8, Issue 1, 2013, pp. 163-173.
* O. Gadyatskaya, F. Massacci, Q.-H. Nguyen, and B. Chetali. Load Time Code Certification for Mobile Phone Java Cards.
In Journal of Information Security and Applications 18(2-3), September 2013, pp. 108–129. PDF.
* V. Kotov and F. Massacci. Anatomy of Exploit Kits: Preliminary Analysis of Exploit Kits as Software Artefacts.
Proc. of ESSoS 2013, pp. 181–196. PDF.
* K. Labunets, F. Massacci, F. Paci, and L.M.S. Tran. An Experimental Comparison of Two Risk-based Security Methods.
In Proceedings of the 7th ACM International Symposium on Empirical Software Engineering and Measurement (ESEM), pp. 163–172, 2013. PDF.
* V.H. Nguyen and F. Massacci. The (Un)Reliability of Vulnerable Version Data of NVD: An Empirical Experiment on Chrome Vulnerabilities.
In Proceedings of the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS'13), May 7-10, 2013, Hangzhou, China. PDF, slides.
* M. Rizwan Asghar and Daniele Miorandi. A holistic view of security and privacy issues in smart grids.
In Proc. of Smart Grid Security (SmartGridSec), volume 7823 of Lecture Notes in Computer Science, pages 58-71. Springer Berlin Heidelberg, 2013. PDF
* M. R. Asghar, G. Russello, B. Crispo, and M. Ion. Supporting Complex Queries and Access Policies for Multi-user Encrypted Databases.
In Proceedings of the 5th ACM Cloud Computing Security Workshop (CCSW), in conjunction with the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, November 2013.
* M. R. Asghar, M. Ion, G. Russello, and B. Crispo. ESPOON ERBAC: Enforcing Security Policies in Outsourced Environments.
Elsevier Computers & Security (COSE), Volume 35, 2013. PDF.
* S. Roy Chowdhury, Muhammad Imran, Muhammad Rizwan Asghar, Sihem Amer-Yahia, and Carlos Castillo. Tweet4act: Using incident-specific profiles for classifying crisis-related messages. In The 10th International Conference on Information Systems for Crisis Response and Management (ISCRAM), May 2013. PDF
* L.M.S. Tran. Early Dealing with Evolving Risks in Software Systems.
In the 3rd International Workshop on Information Systems Security Engineering (WISSE'13), co-located with CAiSE 2013. PDF.
* Y. Zhauniarovich, O. Gadyatskaya, and B. Crispo. Demo: Enabling Trusted Stores for Android.
In Proc. of ACM CCS 2013. PDF.
===== 2012 =====
* W. Shim, L. Allodi, F. Massacci. Crime Pays If You Are Just an Average Hacker.
Proceedings of the IEEE/ASE 2012 Cyber Security Conference. Complementary publication in ASE Journal 2012, Vol. 2. Best paper award. Link, PDF.
* L. Allodi, F. Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild.
In Proceedings of the ACM BADGERS 2012 CCS Workshop. ACM. PDF.
* L. Allodi. The Dark Side of Vulnerability Exploitation. Proceedings of the 2012 ESSoS Conference Doctoral Symposium. PDF.
* Muhammad Rizwan Asghar and Giovanni Russello. ACTORS: A goal-driven approach for capturing and managing consent in e-health systems. In 2012 IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY), pages 61-69, July 2012. PDF
* Muhammad Rizwan Asghar, Mihaela Ion, Giovanni Russello, and Bruno Crispo. Securing data provenance in the cloud. In Jan Camenisch and Dogan Kesdogan, editors, Open Problems in Network Security, volume 7039 of Lecture Notes in Computer Science, pages 145-160. Springer Berlin Heidelberg, 2012. PDF
* Muhammad Rizwan Asghar and Giovanni Russello. Flexible and dynamic consent-capturing. In Jan Camenisch and Dogan Kesdogan, editors, Open Problems in Network Security, volume 7039 of Lecture Notes in Computer Science, pages 119-131. Springer Berlin Heidelberg, 2012.
* F. Massacci and F. Paci. How to Select a Security Requirements Method? A Comparative Study with Students and Practitioners.
In Proceedings of the 17th Nordic Conference in Secure IT Systems (NordSec), 2012. PDF.
* F. Massacci, D. Nagaraj, F. Paci, L.M.S. Tran, A. Tedeschi. Assessing a Requirements Evolution Approach: Empirical Studies in the Air Traffic Management Domain.
In Proceedings of the International Workshop on Empirical Requirements Engineering (EmpiRE), pp. 49–56, 2012. PDF.
* F. Paci, F. Massacci, F. Bouquet, S. Debricon. Managing Evolution by Orchestrating Requirements and Testing Engineering Processes. In Proceedings of the Third International Workshop on Security Testing (SecTest), pp. 834–841, 2012. PDF.
* V.H. Nguyen and F. Massacci. An Independent Validation of Vulnerability Discovery Models.
In Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security (ASIACCS'12), May 2-4, 2012, Seoul, Korea. PDF.