Differences

This shows you the differences between two versions of the page.

--- publications [2020/06/26 10:53] – [2020] ivan.pashchenko@unitn.it
+++ publications [2022/09/14 17:41] (current) – Add "Web Cache Deception Escalates!" matteo.golinelli@unitn.it
@@ Line 2: / Line 2: @@
 This page presents the publication of the [[start|Security Group]] in chronological order. You can find them also in the individual [[research_activities|research topics]] or in the pages of the individual [[security_group|members]].
+===== 2022 =====
+   * Seyed Ali Mirheidari, Matteo Golinelli, Kaan Onarlioglu, Engin Kirda, Bruno Crispo. ** Web Cache Deception Escalates!**, The 31st USENIX Security Symposium (USENIX Security '22), 2022. [[https://www.usenix.org/system/files/sec22-mirheidari.pdf|PDF]] [[https://www.usenix.org/conference/usenixsecurity22/presentation/mirheidari|Media]]\\ [[https://portswigger.net/research/top-10-web-hacking-techniques-of-2021-nominations-open|Nominated for Top Web Hacking Technique of 2021.]]
+   * Giorgio Di Tizio, Michele Armellini, Fabio Massacci, **Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats**. IEEE Transactions on Software Engineering (TSE), 2022 - [[https://ieeexplore.ieee.org/document/9780011|Publisher Version]]
+===== 2021 =====
+   * Giorgio Di Tizio, Fabio Massacci, **A Calculus of Tracking: Theory and Practice**. In Proceedings of the 21st Privacy Enhancing Technologies Symposium (PETS 2021), 2021 - {{:: research_activities:ditizio_pets2021.pdf|Author-accepted manuscript}}, [[https://www.youtube.com/watch?v=N1GufkHEjX8|Video]]
+   * Duc-Ly Vu, Fabio Massacci, Ivan Pashchenko, Henrik Plate, and Antonino Sabetta. **LastPyMile: Identifying the Discrepancy between Sources and Packages**. In Proceedings of the 29th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE), 2021 - {{::research_activities:experiments:esecfse2021.pdf |Author-accepted manuscript}}, [[https://doi.org/10.1145/3468264.3468592|Publisher Version]], [[https://www.youtube.com/watch?v=COoqbCwNqbY|Video]]
+   * Duc-Ly Vu, Ivan Pashchenko, and Fabio Massacci. **Please hold on: more time = more patches? Automated program repair as anytime algorithms**. In Proceedings of //ACM/IEEE International Conference on Software Engineering - Automated Program Repair (APR) workshop//, 2021 - {{ :research_activities:vulnerability-analysis:apr2021.pdf |Author-accepted manuscript}}, [[https://doi.org/10.1109/APR52552.2021.00009|Publisher Version]], [[https://www.youtube.com/watch?v=j8ln1qbh2cI|Video]]
+   * Fabio Massacci and Ivan Pashchenko. **Technical Leverage: dependencies mixed blessing**. To Appear in //IEEE Security and Privacy Magazine - Dept. Building Security In//, 2021 - [[ https://assuremoss.eu/en/resources/Papers/2021-SPM |Author-accepted manuscript]]
+   * Fabio Massacci and Ivan Pashchenko. **Technical Leverage in a Software Ecosystem: Development Opportunities and Security Risks**. To Appear in //ACM/IEEE International Conference on Software Engineering//, 2021 - [[https://assuremoss.eu/en/resources/Papers/2021-ICSE|Author-accepted manuscript]]
+   * Ivan Pashchenko, Riccardo Scandariato, Antonino Sabetta, and Fabio Massacci. **Secure Software Development in the Era of Fluid Multi-party Open Software and Services**. To Appear in //ACM/IEEE International Conference on Software Engineering - New Ideas and Emerging Results//, 2021 - [[https://assuremoss.eu/en/resources/Papers/2021-ICSE-NIER|Author-accepted manuscript]]
 ===== 2020 =====
-   * Ivan Pashchenko, Duc-Ly Vu, Fabio Massacci. **A Qualitative Study of Dependency Management and Its Security Implications**, To Appear in Proceedings of //the ACM Conference on Computer and Communications Security (CCS)//, 2020 {{:research_activities:experiments:ccs-2020-preprint.pdf|Author's preprint}}
+   * Ivan Pashchenko, Henrik Plate, Serena Elisa Ponta, Antonino Sabetta, and Fabio Massacci. **Vuln4Real: A Methodology for Counting Actually Vulnerable Dependencies**. //IEEE Transactions on Software Engineering Journal//, 2020 - {{:research_activities:vulnerability-analysis:pashchenko-vuln4real.pdf|Author-accepted manuscript}}
-   * Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, Antonino Sabetta. **Typosquatting and Combosquatting Attacks on the Python Ecosystem**. To Appear in Proceedings of //the 2nd Workshop on Attackers and Cyber-Crime Operations (WACCO 2020)//, 2020 - {{:research_activities:experiments:ly2020typosquatting.pdf|Author's preprint}}
+   * Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, Antonino Sabetta. **Towards Using Source Code Repositories to Identify Software Supply Chain Attacks**. In Proceedings of //the ACM Conference on Computer and Communications Security (CCS)//, 2020 - {{:research_activities:experiments:ccs2020poster.pdf|Author's preprint}}, {{:research_activities:experiments:poster_ccs-20.pdf|poster}}, [[https://doi.org/10.1145/3372297.3420015|Publisher Version]]
+   * Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, and William Robertson. ** Cached and Confused: Web Cache Deception in the Wild**, The 29th USENIX Security Symposium (USENIX Security 20), 2020. [[https://www.usenix.org/system/files/sec20-mirheidari.pdf|PDF]] [[https://www.usenix.org/conference/usenixsecurity20/presentation/mirheidari|Media]]\\ [[https://portswigger.net/research/top-10-web-hacking-techniques-of-2019|Voted and let to an award as Top Web Hacking Technique of 2019.]]\\ [[https://www.cybersecurity-insiders.com/investigating-the-top-10-application-vulnerabilities/|Selected among Top 10 Application Vulnerabilities of 2019 by WhiteHat Security.]]\\ [[https://www.csaw.io/research|CSAW 2020 Finalist: Nominated for the Best Applied Research in the 17th annual CSAW conference (CSAW’20).]]\\ [[https://pwnies.com/nominations/active/most-innovative-research/web-cache-deception-in-the-wild/|Pwnie Award Nominee: Nominated for the Most Innovative Research of 2020.]]
+   * Giorgio Di Tizio, Fabio Massacci, Luca Allodi, Stanislav Dashevskyi, Jelena Mirkovic. **An Experimental Approach for Estimating Cyber Risk: a Proposal Building upon Cyber Ranges and Capture the Flags**, To Appear in Proceedings of //the 2nd Workshop on Cyber Range Technologies and Applications (CACOE 2020)//, 2020 - {{:research_activities:cacoe6.pdf|Author's preprint}}
+   * Giorgio Di Tizio, Chan Nam Ngo. **Are You a Favorite Target For Cryptojacking? A Case-Control Study On The Cryptojacking Ecosystem**, To Appear in Proceedings of //the 2nd Workshop on Attackers and Cyber-Crime Operations (WACCO 2020)//, 2020 - {{:research_activities:wacco17.pdf|Author's preprint}}
+   * Ivan Pashchenko, Duc-Ly Vu, Fabio Massacci. **A Qualitative Study of Dependency Management and Its Security Implications**, In Proceedings of //the ACM Conference on Computer and Communications Security (CCS)//, 2020 {{:research_activities:experiments:ccs-2020-preprint.pdf|Author's preprint}}, [[https://doi.org/10.1145/3372297.3417232|Publisher Version]]
+   * Duc-Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, Antonino Sabetta. **Typosquatting and Combosquatting Attacks on the Python Ecosystem**. In Proceedings of //the 2nd Workshop on Attackers and Cyber-Crime Operations (WACCO 2020)//, 2020 - {{:research_activities:experiments:ly2020typosquatting.pdf|Author's preprint}}, [[https://doi.org/10.1109/EuroSPW51379.2020.00074|Publisher Version]]
    * Ivan Pashchenko, Duc-Ly Vu, Fabio Massacci. **Preliminary Findings on FOSS Dependencies and Security A Qualitative Study on Developers’ Attitudes and Experience (Poster)**. In Proceedings of //the 42nd International Conference on Software Engineering (ICSE)//, 2020 - {{:research_activities:experiments:poster_icse-20.pdf|poster}}, {{:research_activities:experiments:pashchenko2020preliminary.pdf|Author's preprint}} [[https://doi.org/10.1145/3377812.3390903|Publisher Version]]
    * Fabio Massacci, Chan Nam Ngo. **Distributed Financial Exchanges: Security Challenges and Design Principles** IEEE Security & Privacy (Early Access) [[https://ieeexplore.ieee.org/document/9115212|Publisher Version]] [[:sp-2019-05-0134.r1_ngo.pdf|Author's preprint]]
@@ Line 21: / Line 37: @@
    * de Haan, Johannes; Massacci, Fabio; Sterlini, Pierantonia; Bernard Ladkin, Peter; Raspotnig, Christian, **The Risk of Relying on a Public Communications Infrastructure.** in Proceedings of the 27th Safety-Critical Systems Symposium, Bristol, UK: Publisher SCSC, 2019. Proceedings of: SCSC, Bristol, UK, 5-7th February 2019{{:research_activities:economics:sss-rdci-tf_final-2019.pdf|PDF}}
 ===== 2018 =====
+  * Sajjad Arshad, Seyed Ali Mirheidari, Tobias Lauinger, Bruno Crispo, Engin Kirda, and William Robertson. **Large-Scale Analysis of Style Injection by Relative Path Overwrite.** the 2018 World Wide Web Conference (WWW'18), 2018. {{:www2018rpo_paper.pdf|PDF}} \\ [[https://www2018.thewebconf.org/awards/|Honorable Mention award]]
   * Gupta, Sandeep, Attaullah Buriro, and Bruno Crispo. **Demystifying authentication concepts in smartphones: Ways and types to secure access.** Mobile Information Systems 2018 (2018). {{https://doi.org/10.1155/2018/2649598|Full Paper}}
   * Buriro, Attaullah, Bruno Crispo, Sandeep Gupta, and Filippo Del Frari. **Dialerauth: A motion-assisted touch-based smartphone user authentication scheme.** Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. ACM, 2018.{{https://dl.acm.org/citation.cfm?doid=3176258.3176318|Full Paper}}
@@ Line 35: / Line 52: @@
   * I. Pashchenko. **FOSS Version Differentiation as a Benchmark for Static Analysis Security Testing Tools**. In // Proceedings of 2017 11th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE’17),// 2017. {{https://drive.google.com/file/d/0B_rJCkKmzPjSWllQcEJpQWNOOVU/view?usp=sharing|Author's PDF}} or {{https://doi.org/10.1145/3106237.3121276|Publisher's Version}}
   * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{:spw17.pdf|Author's draft}}
-  * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation.** To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017.{{http://onlinelibrary.wiley.com/resolve/doi?DOI=10.1111/risa.12864|PDF at Publisher}}, {{http://www.win.tue.nl/~lallodi/allodi-risa-17.pdf|Authors' draft}}
+  * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation.** To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017.{{https://doi.org/10.1111/risa.12864|PDF at Publisher}}, {{:research_activities:economics:allodi-risa-17.pdf|Author's Preprint}}
   * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_13.pdf|PDF}}
   * F. Massacci, J. Williams. **Cyberinsurance and Public Policy: Self-Protection and Insurance with Endogenous Adversaries.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_14.pdf|PDF}}