publications
Revisions compared: publications [2020/11/20 06:01] by seyedali.mirheidari@unitn.it (edit summary: 2020) against publications [2022/09/14 17:41] (current) by matteo.golinelli@unitn.it (edit summary: Add "Web Cache Deception Escalates!"). The current revision is shown below.
This page presents the publications of the [[start|Security Group]] in chronological order. You can also find them under the individual [[research_activities|research topics]] or on the pages of the individual [[security_group|members]].

===== 2022 =====
   * Seyed Ali Mirheidari, Matteo Golinelli, Kaan Onarlioglu, Engin Kirda, Bruno Crispo. **Web Cache Deception Escalates!**, The 31st USENIX Security Symposium (USENIX Security '22), 2022. [[https://www.usenix.org/system/files/sec22-mirheidari.pdf|PDF]] [[https://www.usenix.org/conference/usenixsecurity22/presentation/mirheidari|Media]]\\ [[https://portswigger.net/research/top-10-web-hacking-techniques-of-2021-nominations-open|Nominated for Top Web Hacking Technique of 2021.]]
   * Giorgio Di Tizio, Michele Armellini, Fabio Massacci. **Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats**. //IEEE Transactions on Software Engineering (TSE)//, 2022 - [[https://ieeexplore.ieee.org/document/9780011|Publisher Version]]
===== 2021 =====
   * Giorgio Di Tizio, Fabio Massacci. **A Calculus of Tracking: Theory and Practice**. In Proceedings of //the 21st Privacy Enhancing Technologies Symposium (PETS 2021)//, 2021 - {{::research_activities:ditizio_pets2021.pdf|Author-accepted manuscript}}, [[https://www.youtube.com/watch?v=N1GufkHEjX8|Video]]
   * Duc-Ly Vu, Fabio Massacci, Ivan Pashchenko, Henrik Plate, and Antonino Sabetta. **LastPyMile: Identifying the Discrepancy between Sources and Packages**. In Proceedings of //the 29th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE)//, 2021 - {{::research_activities:experiments:esecfse2021.pdf|Author-accepted manuscript}}, [[https://doi.org/10.1145/3468264.3468592|Publisher Version]], [[https://www.youtube.com/watch?v=COoqbCwNqbY|Video]]
   * Duc-Ly Vu, Ivan Pashchenko, and Fabio Massacci. **Please hold on: more time = more patches? Automated program repair as anytime algorithms**. In Proceedings of //the ACM/IEEE International Conference on Software Engineering - Automated Program Repair (APR) workshop//, 2021 - {{:research_activities:vulnerability-analysis:apr2021.pdf|Author-accepted manuscript}}, [[https://doi.org/10.1109/APR52552.2021.00009|Publisher Version]], [[https://www.youtube.com/watch?v=j8ln1qbh2cI|Video]]
   * Fabio Massacci and Ivan Pashchenko. **Technical Leverage: dependencies mixed blessing**. To Appear in //IEEE Security and Privacy Magazine - Dept. Building Security In//, 2021 - [[https://assuremoss.eu/en/resources/Papers/2021-SPM|Author-accepted manuscript]]
   * Fabio Massacci and Ivan Pashchenko. **Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks**. To Appear in //ACM/IEEE International Conference on Software Engineering (ICSE)//, 2021 - [[https://assuremoss.eu/en/resources/Papers/2021-ICSE|Author-accepted manuscript]]
   * Ivan Pashchenko, Riccardo Scandariato, Antonino Sabetta, and Fabio Massacci. **Secure Software Development in the Era of Fluid Multi-party Open Software and Services**. To Appear in //ACM/IEEE International Conference on Software Engineering - New Ideas and Emerging Results (ICSE-NIER)//, 2021 - [[https://assuremoss.eu/en/resources/Papers/2021-ICSE-NIER|Author-accepted manuscript]]

===== 2020 =====
   * Ivan Pashchenko, Henrik Plate, Serena Elisa Ponta, Antonino Sabetta, and Fabio Massacci. **Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies**. //IEEE Transactions on Software Engineering (TSE)//, 2020 - {{:research_activities:vulnerability-analysis:pashchenko-vuln4real.pdf|Author-accepted manuscript}}
   * Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, Antonino Sabetta. **Towards Using Source Code Repositories to Identify Software Supply Chain Attacks**. In Proceedings of //the ACM Conference on Computer and Communications Security (CCS)//, 2020 - {{:research_activities:experiments:ccs2020poster.pdf|Author's preprint}}, {{:research_activities:experiments:poster_ccs-20.pdf|Poster}}, [[https://doi.org/10.1145/3372297.3420015|Publisher Version]]
   * Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, and William Robertson. **Cached and Confused: Web Cache Deception in the Wild**, The 29th USENIX Security Symposium (USENIX Security '20), 2020. [[https://www.usenix.org/system/files/sec20-mirheidari.pdf|PDF]] [[https://www.usenix.org/conference/usenixsecurity20/presentation/mirheidari|Media]]\\ [[https://portswigger.net/research/top-10-web-hacking-techniques-of-2019|Voted Top Web Hacking Technique of 2019.]]\\ [[https://www.cybersecurity-insiders.com/investigating-the-top-10-application-vulnerabilities/|Selected among the Top 10 Application Vulnerabilities of 2019 by WhiteHat Security.]]\\ [[https://www.csaw.io/research|CSAW 2020 Finalist: nominated for Best Applied Research at the 17th annual CSAW conference (CSAW'20).]]\\ [[https://pwnies.com/nominations/active/most-innovative-research/web-cache-deception-in-the-wild/|Pwnie Award Nominee: nominated for Most Innovative Research of 2020.]]
   * Giorgio Di Tizio, Fabio Massacci, Luca Allodi, Stanislav Dashevskyi, Jelena Mirkovic. **An Experimental Approach for Estimating Cyber Risk: a Proposal Building upon Cyber Ranges and Capture the Flags**, To Appear in Proceedings of //the 2nd Workshop on Cyber Range Technologies and Applications (CACOE 2020)//, 2020 - {{:research_activities:cacoe6.pdf|Author's preprint}}
   * Giorgio Di Tizio, Chan Nam Ngo. **Are You a Favorite Target For Cryptojacking? A Case-Control Study On The Cryptojacking Ecosystem**, To Appear in Proceedings of //the 2nd Workshop on Attackers and Cyber-Crime Operations (WACCO 2020)//, 2020 - {{:research_activities:wacco17.pdf|Author's preprint}}
   * Ivan Pashchenko, Duc-Ly Vu, Fabio Massacci. **A Qualitative Study of Dependency Management and Its Security Implications**, In Proceedings of //the ACM Conference on Computer and Communications Security (CCS)//, 2020 - {{:research_activities:experiments:ccs-2020-preprint.pdf|Author's preprint}}, [[https://doi.org/10.1145/3372297.3417232|Publisher Version]]
   * Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, Antonino Sabetta. **Typosquatting and Combosquatting Attacks on the Python Ecosystem**. In Proceedings of //the 2nd Workshop on Attackers and Cyber-Crime Operations (WACCO 2020)//, 2020 - {{:research_activities:experiments:ly2020typosquatting.pdf|Author's preprint}}, [[https://doi.org/10.1109/EuroSPW51379.2020.00074|Publisher Version]]
   * Ivan Pashchenko, Duc-Ly Vu, Fabio Massacci. **Preliminary Findings on FOSS Dependencies and Security: A Qualitative Study on Developers' Attitudes and Experience (Poster)**. In Proceedings of //the 42nd International Conference on Software Engineering (ICSE)//, 2020 - {{:research_activities:experiments:poster_icse-20.pdf|Poster}}, {{:research_activities:experiments:pashchenko2020preliminary.pdf|Author's preprint}}, [[https://doi.org/10.1145/3377812.3390903|Publisher Version]]
   * Fabio Massacci, Chan Nam Ngo. **Distributed Financial Exchanges: Security Challenges and Design Principles**. //IEEE Security & Privacy// (Early Access), 2020 - [[https://ieeexplore.ieee.org/document/9115212|Publisher Version]], [[:sp-2019-05-0134.r1_ngo.pdf|Author's preprint]]
===== 2017 =====
  * I. Pashchenko. **FOSS Version Differentiation as a Benchmark for Static Analysis Security Testing Tools**. In //Proceedings of the 2017 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE'17)//, 2017 - [[https://drive.google.com/file/d/0B_rJCkKmzPjSWllQcEJpQWNOOVU/view?usp=sharing|Author's PDF]], [[https://doi.org/10.1145/3106237.3121276|Publisher Version]]
  * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)//, 2017 - {{:spw17.pdf|Author's draft}}
  * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation**. To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017 - [[https://doi.org/10.1111/risa.12864|Publisher Version]], {{:research_activities:economics:allodi-risa-17.pdf|Author's preprint}}
  * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model**. In //Workshop on Economics of Information Security (WEIS)//, 2017 - [[http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_13.pdf|PDF]]
  * F. Massacci, J. Williams. **Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Adversaries**. In //Workshop on Economics of Information Security (WEIS)//, 2017 - [[http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_14.pdf|PDF]]
publications.1605848484.txt.gz · Last modified: 2021/01/29 10:58 (external edit)