PUBLICATIONS
List of publications: DBLP,
Google Scholar
"A Security Analysis of CNC Machines in Industry 4.0"
Marco Balduzzi, Francesco Sortino, Fabio Castello, Leandro Pierguidi
The 20th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2023, Hamburg, Germany, July 12-14 2023
[ abstract,
pdf
]
Computer numerical control (CNC) machines are extensively
used in production plants and are considered a crucial asset for organizations worldwide. These machines require unique controllers that differ
from those used in other types of machine tools in terms of software architecture, protocols, and design, so to meet the high precision and accuracy
demands of their applications. The growing adoption of network-enabled systems in the industrial domain, driven by Industry 4.0, has resulted in
an increased use of CNC machines. These machines have evolved from traditional mechanical machines to full-fledged systems with multiple
networking services for smart connectivity. This study investigates the risks associated with this technological development. Using actual
machine installations, we conducted the first empirical evaluation of the privacy and security implications of Industry 4.0 in the CNC domain.
Our findings revealed that malicious users could conduct five types of attacks: compromise, denial-of-service, damage, hijacking, and theft. We
reported our findings to the affected vendors and proposed mitigations to manufacturers, integrators and end-users. Our work aims to provide
an opportunity to increase awareness in a domain where security does not appear to be a priority at present.
"An Empirical Evaluation of CNC Machines in Industry 4.0 (short paper)"
Marco Balduzzi, Francesco Sortino, Fabio Castello, Leandro Pieguidi
The 17th International Conference on Critical Information Infrastructures Security
CRITIS 2022, Munich, Germany, September 14-16 2022
[ abstract,
pdf,
bib
]
CNC machines are largely used in production plants and constitute a critical asset for organizations globally. The strong push dictated
by the Industry 4.0 paradigm led to the introduction of technologies for the wide connectivity of industrial equipment. As a result, modern CNCs
resemble more to fully fledged systems rather than mechanical machines, offering numerous networking services for smart connectivity. This work
explores the risks associated with the strong technological development observed in the domain of CNC machines. We performed an empirical
evaluation of four representative controller manufacturers, by analyzing the technologies introduced to satisfy the needs of the Industry 4.0
paradigm, and conducting a series of practical attacks against real-world CNC installations. Our findings revealed that malicious users could abuse
of such technologies to conduct attacks like denial-of-service, damage, hijacking or data theft. We reported our findings to the affected controller
vendors and proposed mitigation. This work wants to be an opportunity to raise awareness in a domain in which, unfortunately, security doesn’t
seem to be, yet, an important driver.
"Smart Factory Security: A Case Study on a Modular Smart Manufacturing System"
Marcello Pogliani, Federico Maggi, Marco Balduzzi, Davide Quarta, Stefano Zanero, Giacomo Tavola, Walter Quadrini
The 2020 International Conference on Industry 4.0 and Smart Manufacturing
ISM 2020, Linz, Austria Virtual, 23-25 November 2020
[ abstract,
pdf,
bib
]
Smart manufacturing systems are an attractive target for cyber attacks, because they embed valuable data and
critical equipment. Despite the market is driving towards integrated and interconnected factories, current smart
manufacturing systems are still designed under the assumption that they will stay isolated from the corporate
network and the outside world. This choice may result in an internal architecture with insufficient network and
system compartmentalization. As a result, once an attacker has gained access, they have full control of the entire
production plant because of the lack of network segmentation.
With the goal of raising cybersecurity awareness, in this paper we describe a practical case study showing attack
scenarios that we have validated on a real modular smart manufacturing system, and suggest practical security
countermeasures. The testbed smart manufacturing system is part of the Industry 4.0 research laboratory hosted by
Politecnico di Milano, and comprises seven assembly stations, each with their programmable logic controllers and
human-computer interfaces, as well as an industrial robotic arm that performs pick-and-place tasks.
On this testbed we show two indirect attacks to gain initial access, even under the best-case scenario of a system not
directly connected to any public network. We conclude by showing two post-exploitation scenarios that an adversary
can use to cause physical impact on the production, or keep persistent access to the plant.
We are unaware of a similar security analysis performed within the premises of a research facility, following a
scientific methodology, so we believe that this work can represent a good first step to inspire follow up research on
the many verticals that we touch.
"Detecting Insecure Code Patterns in Industrial Robot Programs"
Marcello Pogliani, Federico Maggi, Marco Balduzzi, Davide Quarta, Stefano Zanero
The 15th ACM Asia Conference on Computer and Communications Security
AsiaCCS 2020, Taipei, Taiwan Virtual, October 5-9 2020
[ abstract,
pdf,
bib
]
Industrial robots are complex and customizable machines that can be programmed with proprietary domain-specific languages.
These languages provide not only movement instructions, but also access to low-level system resources such as the network
or the file system. Although useful, these features can lead to taint-style vulnerabilities and can be misused to implement
malware -- on par with general-purpose programming languages. In this paper, we analyze the languages of 8 leading industrial
robot vendors, systematize their technical features, and discuss cases of vulnerable and malicious uses. We then describe a
static source-code analyzer that we created to analyze robotic programs and discover insecure or potentially malicious code paths.
We focused our proof-of-concept implementation on two popular languages, namely ABB's RAPID and KUKA's KRL. By evaluating our
tool on a set of publicly available programs, we show that insecure patterns are found in real-world code; therefore, static
source-code analysis is an effective security screening mechanism, for example to prevent commissioning insecure or malicious
industrial task programs. Finally, we discuss remediation steps that developers and vendors can adopt to mitigate such issues.
"Good to Bad: When Industrial Protocol Translation Goes Wrong (technical report)"
Marco Balduzzi, Charles Perine, Philippe Lin, Ryan Flores, Rainer Vosseler, Luca Bongiorni
The 15th International Conference on Critical Information Infrastructures Security
CRITIS 2020, Bristol, UK Virtual, September 2-3 2020
[ abstract,
pdf
]
Protocol gateways are embedded devices used in industrial installations to facilitate the communication between production units
like control servers, PLCs or machinery; and for the integration of IT and OT networks. These gateways translate ICS protocols --
e.g. Modbus, Profibus or BACnet -- to enable legacy devices like on serial buses to communicate and interface with modern TCP/IP
networks. For example, in a typical Modbus installation, a gateway translates the requests originating from a control server
located in a TCP/IP control network (and acting as a master node) to a PLC on RS232 (i.e., a slave node). Given the importance of
protocol gateways in the operation of modern industrial networks, we conducted a security evaluation aimed at understanding how
industrial protocols are translated, and at discovering potential risks of abuse. We considered 5 protocol gateway products from
well-known, established vendors and observed similar classes of problems across the different vendors. In addition, although our
evaluation focused on protocol translation, we also encountered a series of related problems e.g. with authentication and
reliability that can facilitate attacks like sabotage or information leakage.
"A Security Evaluation of Industrial Radio Remote Controllers"
Federico Maggi, Marco Balduzzi, Jonathan Andersson, Philippe Lin, Stephen Hilt, Akira Urano, Rainer Vosseler
The 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2019, Götheborg, Sweden, June 19-20 2019
[ abstract,
pdf,
bib
]
Heavy industrial machinery is a primary asset for the operation of key
sectors such as construction, manufacturing, and logistics. Targeted
attacks against these assets could result
in incidents, fatal injuries, and substantial financial loss. Given the importance of such
scenarios, we analyzed and evaluated the security implications of the technology used to
operate and control this machinery, namely industrial radio remote
controllers. We conducted the first-ever security analysis of this
technology, which relies on proprietary radio-frequency protocols toloca
implement remote-control functionalities.
Through a two-phase evaluation approach we discovered important
flaws in the design and implementation of industrial
remote controllers. In this paper we introduce and describe 5 practical attacks affecting
major vendors and multiple real-world installations. We
conclude by discussing how a challenging responsible disclosure process
resulted in first-ever security patches and improved security awareness.
"Investigating Web Defacement Campaigns at Large"
Federico Maggi, Marco Balduzzi, Ryan Flores, Lion Gu, Vincenzo Ciancaglini
The 13th ACM Asia Conference on Computer and Communications Security
AsiaCCS 2018, Incheon, Korea, June 4-7 2018
[ abstract,
pdf,
bib
]
Website defacement is the practice of altering the web pages of a
website after its compromise. The altered pages, called deface pages,
can negatively affect the reputation and business of the victim site.
Previous research has focused primarily on detection, rather than
exploring the defacement phenomenon in depth. While investigating
several defacements, we observed that the artifacts left by the
defacers allow an expert analyst to investigate the actors' modus
operandi and social structure, and expand from the single deface
page to a group of related defacements (i.e., a campaign). However,
manually performing such analysis on millions of incidents is
tedious, and poses scalability challenges. From these observations, we
propose an automated approach that efficiently builds intelligence
information out of raw deface pages. Our approach streamlines the
analysts job by automatically recognizing defacement campaigns,
and assigning meaningful textual labels to them. Applied to a com-
prehensive dataset of 13 million defacement records, from Jan. 1998
to Sep. 2016, our approach allowed us to conduct the first large-scale
measurement on web defacement campaigns. In addition, our
approach is meant to be adopted operationally by analysts to identify
live campaigns in the real world.
We go beyond confirming anecdotal evidence. We analyze the
social structure of modern defacers, which includes lone individuals
as well as actors that cooperate with each others, or with teams,
which evolve over time and dominate the scene. We conclude by
drawing a parallel between the time line of World-shaping events
and defacement campaigns, representing the evolution of the
interests and orientation of modern defacers.
"Exploring the Long Tail of (Malicious) Software Downloads"
Babak Rahbarinia, Marco Balduzzi, Roberto Perdisci
The 47th IEEE/IFIP International Conference on Dependable Systems and Networks
DSN 2017, Denver, Colorado, USA, June 26-29 2017
[ abstract,
pdf,
bib
]
In this paper, we present a large-scale study of global
trends in software download events, with an analysis of both benign and
malicious downloads,
and a categorization of events for which no ground truth is currently available.
Our measurement study is based on a unique, real-world dataset collected at Trend Micro
containing more than 3 million in-the-wild web-based software download events
involving hundreds of thousands of Internet machines, collected over a period of seven months.
Somewhat surprisingly, we found that despite our best efforts and
the use of multiple sources of ground truth, more than 83% of all downloaded software
files remain unknown, i.e. cannot be classified as benign or malicious,
even two years after they were first observed. If we consider the number of machines
that have downloaded at least one unknown file, we find that more than 69% of the
entire machine/user population downloaded one or more unknown software file.
Because the accuracy of malware detection systems reported in the academic literature
is typically assessed only over software files that can be labeled, our findings raise
concerns on their actual effectiveness in large-scale real-world deployments,
and on their ability to defend the majority of Internet machines from infection.
To better understand what these unknown software files may be,
we perform a detailed analysis of their properties. We then explore whether it is
possible to extend the labeling of software downloads by building a rule-based
system that automatically learns from the available ground truth and can be used
to identify many more benign and malicious files with very high confidence.
This allows us to greatly expand the number of software files that can be labeled
with high confidence, thus providing results that can benefit the evaluation of
future malware detection systems.
"Attacks Landscape in the Dark Side of the Web" (Best Paper Award)
Onur Catakoglu, Marco Balduzzi, Davide Balzarotti
The 16th Edition of the Computer Security track at the 32th ACM Symposium on Applied Computing
SEC@SAC 2017, Marrakech, Morocco, April 3-7 2017
[ abstract,
pdf,
bib
]
The Dark Web is known as the part of the Internet operated
by decentralized and anonymous-preserving protocols
like Tor. To date, the research community has focused on
understanding the size and characteristics of the Dark Web
and the services and goods that are offered in its underground
markets. However, little is still known about the
attacks landscape in the Dark Web.
For the traditional Web, it is now well understood how
websites are exploited, as well as the important role played
by Google Dorks and automated attack bots to form some
sort of "background attack noise" to which public websites
are exposed.
This paper tries to understand if these basic concepts and
components have a parallel in the Dark Web. In particular,
by deploying a high interaction honeypot in the Tor network
for a period of seven months, we conducted a measurement
study of the type of attacks and of the attackers behavior
that affect this still relatively unknown corner of the Web.
"Real-Time Detection of Malware Downloads via Large-Scale URL->File->Machine Graph Mining"
Babak Rahbarinia, Marco Balduzzi, Roberto Perdisci
The 11th ACM Asia Conference on Computer and Communications Security
AsiaCCS 2016, Xi'an, China, May 30 - June 3 2016
[ abstract,
pdf,
bib,
slides
]
In this paper we propose Mastino, a novel defense system
to detect malware download events. A download event is a
3-tuple that identifies the action of downloading a file from
a URL that was triggered by a client (machine). Mastino
utilizes global situation awareness and continuously monitors
various network- and system-level events of the clients' machines
across the Internet and provides real time classification
of both files and URLs to the clients upon submission
of a new, unknown file or URL to the system. To
enable detection of the download events, Mastino builds a
large download graph that captures the subtle relationships
among the entities of download events, i.e. files, URLs, and
machines. We implemented a prototype version of Mastino
and evaluated it in a large-scale real-world deployment. Our
experimental evaluation shows that Mastino can accurately
classify malware download events with an average of 95.5%
true positive (TP), while incurring less than 0.5% false
positives (FP). In addition, we show the Mastino can classify
a new download event as either benign or malware in just a
fraction of a second, and is therefore suitable as a real time
defense system.
"MobiPot: Understanding Mobile Telephony Threats with Honeycards"
Marco Balduzzi, Payas Gupta, Lion Gu, Debin Gao and Mustaque Ahamad
The 11th ACM Asia Conference on Computer and Communications Security
AsiaCCS 2016, Xi'an, China, May 30 - June 3 2016
[ abstract,
pdf
bib
]
Over the past decade, the number of mobile phones has
increased dramatically, overtaking the world population in
October 2014. In developing countries like India and China,
mobile subscribers outnumber traditional landline users and
account for over 90% of the active population. At the same
time, convergence of telephony with the Internet with
technologies like VoIP makes it possible to reach a large number
of telephone users at a low or no cost via voice calls or SMS
(short message service) messages. As a consequence,
cybercriminals are abusing the telephony channel to launch
attacks, e.g., scams that offer fraudulent services and
voice-based phishing or vishing, that have previously relied on
the Internet. In this paper, we introduce and deploy the
first mobile phone honeypot called MobiPot that allow us to
collect fraudulent calls and SMS messages. We implement
multiple ways of advertising mobile numbers (honeycards)
on MobiPot to investigate how fraudsters collect phone
numbers that are targeted by them. During a period of over
seven months, MobiPot collected over two thousand voice
calls and SMS messages, and we confirmed that over half of
them were unsolicited. We found that seeding honeycards
enables us to discover attacks on the mobile phone numbers
which were not known before.
"Automatic Extraction of Indicators of Compromise for Web Application"
Onur Catakoglu, Marco Balduzzi, Davide Balzarotti
The 25th International World Wide Web Conference
WWW 2016, Montreal, Canada, April 11-15 2016
[ abstract,
pdf,
bib,
slides
]
Indicators of Compromise (IOCs) are forensic artifacts that are used as
signs that a system has been compromised by an attack or that it has
been infected with a particular malicious software. In this paper we
propose for the first time an automated technique to extract and
validate IOCs for web applications, by analyzing the information
collected by a high-interaction honeypot.
Our approach has several advantages compared with traditional
techniques used to detect malicious websites. First of all, not all the
compromised web pages are malicious or harmful for the user. Some may
be defaced to advertise product or services, and some may be part of
affiliate programs to redirect users toward (more or less legitimate) online
shopping websites. In any case, it is important to detect these pages
to inform their owners and to alert the users on the fact that the content
of the page has been compromised and cannot be trusted.
Also in the case of more traditional drive-by-download pages, the use
of IOCs allows for a prompt detection and correlation of infected
pages, even before they may be blocked by more traditional URLs
blacklists.
Our experiments show that our system is able to automatically generate
web indicators of compromise that have been used by attackers for
several months (and sometimes years) in the wild without being
detected. So far, these apparently harmless scripts were able to stay
under the radar of the existing detection methodologies -- despite being hosted
for a long time on public web sites.
"A Security Evaluation of AIS, Automated Identification System"
Marco Balduzzi, Alessandro Pasta, Kyle Wilhoit
The 30th Annual Computer Security Applications Conference
ACSAC 2014, New Orleans, Louisiana, USA, December 8-12 2014
[ abstract,
pdf,
bib,
slides,
sourcecode ]
AIS, Automatic Identification System, is an application of
cyber-physical systems (CPS) to smart transportation at
sea. Being primarily used for collision avoidance and traffic
monitoring by ship captains and maritime authorities, AIS
is a mandatory installation for over 300,000 vessels worldwide
since 2002. Other promoted benefits are accident investigation,
aids to navigation and search and rescue (SAR)
operations. In this paper, we present a unique security evaluation
of AIS, by introducing threats affecting both the implementation
in online providers and the protocol specification.
Using a novel software-based AIS transmitter that
we designed, we show that our findings affect all transponders
deployed globally on vessels and other maritime stations
like lighthouses, buoys, AIS gateways, vessel traffic
services and aircraft involved in SAR operations. Our concerns
have been acknowledged by online providers and inter-
national standards organizations, and we are currently and
actively working together to improve the overall security.
"Soundsquatting: Uncovering the use of homophones in domain squatting" (Best Paper Award)
Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens, Wouter Joosen
The 17th Information Security Conference
ISC 2014, Hong Kong, October 12-14 2014
[ abstract,
pdf,
bib,
slides ]
In this paper we present soundsquatting, a previously unreported type of domain squatting which we uncovered during
analysis of cybersquatting domains. In soundsquatting, an attacker takes advantage of homophones,
i.e., words that sound alike, and registers homophone-including variants of popular domain names.
We explain why soundsquatting is different from existing domain-squatting attacks, and
describe a tool for the automatic generation of soundsquatting domains. Using our tool, we discover that attackers
are already aware of the principles of soundsquatting and are monetizing them in various unethical and illegal ways.
In addition, we register our own soundsquatting domains and study the population of users who
reach our monitors, recording a monthly average of more than 1,700 non-bot page requests. Lastly, we show how
sound-dependent users are particularly vulnerable to soundsquatting through the abuse of text-to-speech software.
"Automated Measurements of Novel Internet Threats [Paperback]"
Dr. Marco Balduzzi
LAP LAMBERT Academic Publishing, ISBN 978-3-659-41582-1, 120 pages, July 20 2013
[ description,
book,
bib,
cover ]
In the last twenty years, the Internet has grown from a simple, small network to a complex,
large-scale system. While it was originally used to offer static content that was organized
around simple websites, today, it provides both content and services (e.g. chat, e-mail, web)
as well as the outsourcing of computation and applications (e.g. cloud computing).
Attackers are not indifferent to this evolution. Often driven by a flourishing underground
economy, attackers are constantly looking for vulnerabilities, misconfigurations and novel
techniques to access protected and authorized systems, to steal private information, or to
deliver malicious content. In this thesis, we advance the state of the art in large scale
testing and measurement of Internet threats. We research into three novel classes of
security problems that affect Internet systems that experienced a fast surge in popularity
(i.e., ClickJacking, HTTP Parameter Pollution, and commercial cloud computing services that
allow the outsourcing of server infrastructures). We introduce the first, large scale attempt
to estimate the prevalence and relevance of these problems on the Internet.
"Targeted Attacks Detection With SPuNge"
Marco Balduzzi, Vincenzo Ciangaglini, Robert McArdle
The 11th Annual Conference on Privacy, Security and Trust
PST 2013, Tarragona, Catalonia, July 10-12 2013
[ abstract,
pdf,
bib ]
Over the past several years there has been a noticeable rise in the number of reported targeted
attacks, which are also commonly referred to as advanced persistent threats (APTs). This is seen
by security experts as a landscape shift from a world dominated by
widespread malware that infect indiscriminately, to a more selectively targeted approach with
higher gain.
One thing that is clear about targeted attacks is that they are difficult to detect, and not
much research has been conducted so far in detecting these attacks. In this paper,
we propose a novel system called SPuNge that processes threat information collected
on the users' side to detect potential targeted attacks for further investigation. We use a combination
of clustering and correlation techniques to identify groups of machines that share a similar
behavior with respect to the malicious resources they access and the industry in which they operate (e.g., oil & gas).
We evaluated our system against real data collected by an antivirus vendor
from over 20 million customers installations worldwide. Our results show that our approach works well in practice
and is helpful in assisting security analysts in cybercrime investigations.
"The Role of Phone Numbers in Understanding Cyber-Crime Schemes"
Andrei Costin, Jelena Isacenkova, Marco Balduzzi, Aurélien Francillon, Davide Balzarotti
The 11th Annual Conference on Privacy, Security and Trust
PST 2013, Tarragona, Catalonia, July 10-12 2013
[ abstract,
pdf,
bib ]
Internet and telephones are part of everyone’s
modern life. Unfortunately, several criminal activities also rely
on these technologies to reach their victims. While the use and
importance of the Internet has been largely studied, previous
work overlooked the role that phone numbers can play in
understanding online threats.
In this work we aim at determining if leveraging phone
numbers analysis can improve our understanding of the un-
derground markets, illegal computer activities, or cyber-crime
in general. This knowledge could then be adopted by several
defensive mechanisms, including blacklists or advanced spam
heuristics.
Our results show that, in scam activities, phone numbers
remain often more stable over time than email addresses. Using
a combination of graph analysis and geographical Home Location
Register (HLR) lookups, we identify recurrent cyber-criminal
business models and link together scam communities that spread
over different countries.
"The role of phone numbers in understanding cyber-crime (technical report)"
Andrei Costin, Jelena Isacenkova, Marco Balduzzi, Aurélien Francillon, Davide Balzarotti
EURECOM Research Report RR-13-277, February 2013
[ abstract,
pdf,
bib ]
Internet and telephones are part of everyone's modern life. Unfortunately, also several
criminal activities rely on these technologies to reach their victims. While the use
and importance of the network has been largely studied, previous work overlooked the
role that phone numbers can play into understanding online threats. In this work we aim
at determining if leveraging phone numbers analysis can improve our understanding of
the underground markets, illegal computer activities, or cyber-crime in general. This
knowledge could then be adopted by several defensive mechanisms, including blacklists or
advanced spam heuristics. In our study we collected phone numbers from various public
or private sources and we designed a framework for mining, analyzing, enriching and,
finally, correlating phone numbers to malicious activities. Our results show that,
in scam activities, phones numbers remain often more stable over time than email
addresses. Finally, using a combination of graph analysis and geographical HLR lookup,
we were able to identify recurrent cyber-criminal business models and to link together
scam communities that spread over different countries.
"Web Application Security, Dagstuhl Seminar 12401 (conference report)"
Lieven Desmet, Martin Johns, Benjamin Livshits, Andrei Sabelfeld
Schloss Dagstuhl, 30/09/12 - 05/10/12
[ abstract,
pdf,
bib ]
This report documents the program and the outcomes of Dagstuhl Seminar 12401 ``Web Application Security''.
The seminar brought 44 web security researchers together, coming from companies and research institutions
across Europe and the US. The seminar had a well-filled program, with 3 keynotes, 28 research talks, and
15 5-minute talks. As web application security is a broad research domain, a diverse set of recent research
results was presented during the talks, covering the web security vulnerability landscape, information-flow
control, JavaScript formalization, JavaScript confinement, and infrastructure and server hardening.
In addition to the plenary program, the seminar also featured three parallel break-out sessions on
Cross-Site Scripting (XSS), JavaScript and Information-flow control.
"A Security Analysis of Amazon's Elastic Compute Cloud Service"
Marco Balduzzi, Jonas Zaddach, Davide Balzarotti, Engin Kirda, Sergio Loureiro
The 11th Edition of the Computer Security track at the 27th ACM Symposium on Applied Computing
SEC@SAC 2012, Trento, Italy, March 26-30 2012
[ abstract,
pdf,
bib,
press (forbes|
infoWorld|
ZDNet) ]
Cloud services such as Amazon's Elastic Compute Cloud and IBM's
SmartCloud are quickly changing the way organizations are dealing with IT
infrastructures and are providing online services. Today, if an
organization needs computing power, it can simply buy it online by
instantiating a virtual server image on the cloud. Servers can be
quickly launched and shut down via application programming interfaces,
offering the user a greater flexibility compared to traditional server
rooms. A popular approach in cloud-based services is to allow users to
create and share virtual images with other users. In addition to these
user-shared images, the cloud providers also often provide virtual images
that have been pre-configured with popular software such as open source
databases and web servers.
This paper explores the general security risks associated with using
virtual server images from the public catalogs of cloud service
providers. In particular, we investigate in detail the security problems
of public images that are available on the Amazon EC2 service. We
describe the design and implementation of an automated system that we
used to instantiate and analyze the security of public AMIs on the Amazon
EC2 platform, and provide detailed descriptions of the security tests
that we performed on each image. Our findings demonstrate that both the
users and the providers of public AMIs may be vulnerable to security
risks such as unauthorized access, malware infections, and loss of
sensitive information. The Amazon Web Services Security Team has
acknowledged our findings, and has already taken steps to properly
address all the security risks we present in this paper.
"Reverse Social Engineering Attacks in Online Social Networks"
Danesh Irani, Marco Balduzzi, Davide Balzarotti, Engin Kirda, Calton Pu
The 8th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2011, Amsterdam, The Netherlands, July 7-8 2011
[ abstract,
pdf,
bib,
slides ]
Social networks are some of the largest and fastest growing
online services today. Facebook, for example, has been ranked as the
second most visited site on the Internet, and has been reporting
growth rates as high as 3% per week. One of the key features of
social networks is the support they provide for finding new
friends. For example, social network sites may try to automatically
identify which users know each other in order to propose friendship
recommendations.
Clearly, most social network sites are critical with respect to
user's security and privacy due to the large amount of information
available on them, as well as their very large user base. Previous
research has shown that users of online social networks tend to
exhibit a higher degree of trust in friend requests and messages
sent by other users. Even though the problem of unsolicited messages
in social networks (i.e., spam) has already been studied in detail,
to date, reverse social engineering attacks in social networks have
not received any attention. In a reverse social engineering attack,
the attacker does not initiate contact with the victim. Rather, the
victim is tricked into contacting the attacker herself. As a result,
a high degree of trust is established between the victim and the
attacker as the victim is the entity that established the
relationship.
In this paper, we present the first user study on reverse social
engineering attacks in social networks. That is, we discuss and show
how attackers, in practice, can abuse some of the friend-finding
features that online social networks provide with the aim of
launching reverse social engineering attacks. Our results
demonstrate that reverse social engineering attacks are feasible and
effective in practice.
"Exposing the Lack of Privacy in File Hosting Services"
Nick Nikiforakis, Marco Balduzzi, Steven Van Acker, Wouter Joosen, Davide Balzarotti
The 4th Usenix Workshop on Large-Scale Exploits and Emergent Threats
LEET 2011, Boston, US, March 29 2011
[ abstract,
pdf,
bib,
slides,
press (the register|
slashdot) ]
File hosting services (FHSs) are used daily by thousands of people as a way
of storing and sharing files. These services normally rely on a
security-through-obscurity approach to enforce access control: For each
uploaded file, the user is given a secret URI that she can share with other
users of her choice.
In this paper, we present a study of 100 file hosting services and we show
that a significant percentage of them generate secret URIs in a predictable
fashion, allowing attackers to enumerate their services and access their
file list. Our experiments demonstrate how an attacker can access
hundreds of thousands of files in a short period of time, and how this poses
a very big risk for the privacy of FHS users. Using a novel
approach, we also demonstrate that attackers are aware of these
vulnerabilities and are already exploiting them to get access to other users'
files. Finally we present SecureFS, a client-side protection mechanism
which can protect a user's files when uploaded to insecure FHSs, even if the
files end up in the possession of attackers.
"Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications" (Best Paper Award)
Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, Engin Kirda
The 18th Annual Network and Distributed System Security Symposium
NDSS 2011, San Diego, US, February 6-9 2011
[ abstract,
pdf,
bib,
code ]
In the last twenty years, web applications have grown
from simple, static pages to complex, full-fledged dynamic
applications. Typically, these applications are built using
heterogeneous technologies and consist of code that runs
both on the client and on the server. Even simple web applications
today may accept and process hundreds of different
HTTP parameters to be able to provide users with
interactive services. While injection vulnerabilities such as
SQL injection and cross-site scripting are well-known and
have been intensively studied by the research community, a
new class of injection vulnerabilities called HTTP Parameter
Pollution (HPP) has not received as much attention. If
a web application does not properly sanitize the user input
for parameter delimiters, exploiting an HPP vulnerability,
an attacker can compromise the logic of the application to
perform either client-side or server-side attacks.
In this paper, we present the first automated approach for
the discovery of HTTP Parameter Pollution vulnerabilities
in web applications. Using our prototype implementation
called PAPAS (PArameter Pollution Analysis System), we
conducted a large-scale analysis of more than 5,000 popular
websites. Our experimental results show that about
30% of the websites that we analyzed contain vulnerable
parameters and that 46.8% of the vulnerabilities we discovered
(i.e., 14% of the total websites) can be exploited via
HPP attacks. The fact that PAPAS was able to find vulnerabilities
in many high-profile, well-known websites suggests
that many developers are not aware of the HPP problem.
We informed a number of major websites about the vulnerabilities
we identified, and our findings were confirmed.
"EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis"
Leyla Bilge, Engin Kirda, Christopher Kruegel, Marco Balduzzi
The 18th Annual Network and Distributed System Security Symposium
NDSS 2011, San Diego, US, February 6-9 2011
[ abstract,
pdf,
bib,
slides ]
The domain name service (DNS) plays an important role
in the operation of the Internet, providing a two-way mapping
between domain names and their numerical identifiers.
Given its fundamental role, it is not surprising that a wide
variety of malicious activities involve the domain name service
in one way or another. For example, bots resolve DNS
names to locate their command and control servers, and
spam mails contain URLs that link to domains that resolve
to scam servers. Thus, it seems beneficial to monitor the
use of the DNS system for signs that indicate that a certain
name is used as part of a malicious operation.
In this paper, we introduce EXPOSURE, a system that
employs large-scale, passive DNS analysis techniques to
detect domains that are involved in malicious activity. We
use 15 features that we extract from the DNS traffic that allow
us to characterize different properties of DNS names
and the ways that they are queried.
Our experiments with a large, real-world data set consisting
of 100 billion DNS requests, and a real-life deployment
for two weeks in an ISP show that our approach is
scalable and that we are able to automatically identify unknown
malicious domains that are misused in a variety of
malicious activity (such as for botnet command and control,
spamming, and phishing).
"A Summary of Two Practical Attacks against Social Networks (invited paper)"
Leyla Bilge, Marco Balduzzi, Davide Balzarotti, Engin Kirda
The 21st Tyrrhenian Workshop on Digital Communications: Trustworthy Internet
Island of Ponza, Italy, September 6-8 2010
[ abstract,
bib ]
Social networking sites have been increasingly gaining popularity,
and they have already changed the communication habits of hundred of
millions of users. Unfortunately, this new technology can easily be
misused to collect private information and violate the users’ privacy.
In this chapter, we summarize two practical attacks we have presented
in the past: an impersonation attack in which we automatically clone a
user profile, and an attack that abuses the information provided by social
networks to automatically correlate information extracted from different
social networks. Our results show that these attacks are very successful
in practice and that they can significantly impact the users’ privacy.
Therefore, these attacks represent a first important step to raise awareness
among users about the privacy and security risks involved in sharing
information in one or more social networks.
"Abusing Social Networks for Automated User Profiling"
Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti and Christopher Kruegel
The 13th International Symposium on Recent Advances in Intrusion Detection
RAID 2010, Ottowa, Canada, September 15-17 2010
[ abstract,
pdf,
bib,
slideshare ]
Recently, social networks such as Facebook have experienced a huge
surge in popularity. The amount of personal information stored on
these sites calls for appropriate security precautions to protect
this data.
In this paper, we describe how we are able to take advantage of a
common weakness, namely the fact that an attacker can query popular
social networks for registered e-mail addresses on a large scale.
Starting with a list of about 10.4 million email addresses, we were
able to automatically identify more than 1.2 million user profiles
associated with these addresses. By automatically crawling and
correlating these profiles, we
collect detailed personal information about each user,
which we use for automated profiling (i.e., to enrich the
information available from each user). Having access to such
information would allow an
attacker to launch sophisticated, targeted attacks, or to improve the
efficiency of spam campaigns. We have contacted the most popular
providers, who acknowledged the
threat and are currently implementing our proposed countermeasures. Facebook
and XING, in particular, have recently fixed the problem.
"Security by virtualization: A novel antivirus for personal computers [Paperback]"
Marco Balduzzi
VDM Verlag Dr. Müller e.K., ISBN 978-3-639-25624-6, Paperback, 104 pages, May 7 2010
[ description,
book,
bib,
cover ]
A sort of virtualization appeared four decades ago to perform multi-programming
and simple time-sharing tasks inside a single mainframe. Virtualization became
quickly the solution to limit cost and save money by server consolidation.
Nowadays virtualization is a "hot topic" and it is habitually adopted in develop
environments for testing and debugging purposes. This book presents a novel paradigm
to secure personal computers. Virtualization is used to isolate the user system
within a so-called security shell where multiple security services are configured
to ensure the tamper resistance of the user's environment. While conventional
personal antivirus can be switched off, manipulated, or avoided by sophisticated
malignant codes and technically experienced users, this antivirus enforces a
continuous protection of the user's environment from the security shell.
The accesses to the file-system are real-time scanned and mobile/encrypted
network connections are inspected. The whole system is finally protected
by an encryption layer that inconspicuously encrypts the user system.
"Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype"
Antonio Nappa, Aristide Fattori, Marco Balduzzi, Matteo Dell'Amico and Lorenzo Cavallaro
The 7th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2010, Bonn, Germany, July 8-9 2010
[ abstract,
pdf,
bib,
slides ]
Skype is one of the most used P2P applications on the Internet:
VoIP calls, instant messaging, SMS and other features are provided
at a low cost to millions of users. Although Skype is a closed
source application, an API allows developers to build custom
plugins which interact over the Skype network, taking advantage of
its reliability and capability to easily bypass firewalls and NAT
devices. Since the protocol is completely undocumented, Skype
traffic is particularly hard to analyze and to reverse engineer.
We propose a novel botnet model that exploits an overlay network
such as Skype to build a parasitic overlay, making it
extremely difficult to track the botmaster and disrupt the botnet
without damaging legitimate Skype users. While Skype is
particularly valid for this purpose due to its abundance of
features and its widespread installed base, our model is
generically applicable to distributed applications that employ
overlay networks to send direct messages between nodes (e.g.,
peer-to-peer software with messaging capabilities). We are
convinced that similar botnet models are likely to appear into the
wild in the near future and that the threats they pose should not
be underestimated. Our contribution strives to provide the tools to
correctly evaluate and understand the possible evolution and
deployment of this phenomenon.
"A Solution for the Automated Detection of Clickjacking Attacks"
Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, Christopher Kruegel
The 5th ACM Symposium on Information, Computer and Communications Security
AsiaCCS 2010, Beijing, China, April 13-16 2010
[ abstract,
pdf,
bib ]
Clickjacking is a web-based attack that has recently received a wide
media coverage. In a clickjacking attack, a malicious page is
constructed such that it tricks victims into clicking on an element
of a different page that is only barely (or not at all) visible. By
stealing the victim's clicks, an attacker could force the user to
perform an unintended action that is advantageous for the attacker
(e.g., initiate an online money transaction). Although clickjacking
has been the subject of many discussions and alarming reports, it is
currently unclear to what extent clickjacking is being used by
attackers in the wild, and how significant the attack is for the
security of Internet users.
In this paper, we propose a novel solution for the automated and
efficient detection of clickjacking attacks. We describe the system
that we designed, implemented and deployed to analyze over a million
unique web pages. The experiments show that our approach is feasible
in practice. Also, the empirical study that we conducted on a large number
of popular websites suggests that clickjacking has not yet been
largely adopted by attackers on the Internet.