Intimate knowledge of low-level details enables adversaries to infiltrate and abuse whole systems with ever more sophisticated attacks. As defenders, it is essential that we meet that knowledge with comparable expertise in order to protect against those attacks.

By thinking like adversaries and carrying out our own exploit development, we are able to stay one step ahead and develop defences against new attacks before bad actors discover and exploit them.

On the other side of the coin, new techniques in vulnerability discovery and analysis can prevent bugs and secure existing systems, mitigating potential attack vectors. To do so at scale, we can use automated techniques such as program analysis, which allow for systematic, repeatable software assessments.

As one of our core research streams, output from this area heavily informs our other efforts, providing a toolkit for a wide array of useful techniques such as code obfuscation, automated software transplantation, and binary analysis.

Related Publications

ChainReactor: Automated Privilege Escalation Chain Discovery via AI Planning
Giulio De Pasquale, Ilya Grishchenko, Riccardo Iesari, Gabriel Pizarro, Lorenzo Cavallaro, Christopher Kruegel, and Giovanni Vigna
USENIX Sec 2024 · 33rd USENIX Security Symposium, 2024
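% Authors are joined with " and "; BibTeX reads a comma as a separator inside one name, not between people.
@inproceedings{depasquale24ChainReactor,
  author    = {De Pasquale, Giulio and Grishchenko, Ilya and Iesari, Riccardo and Pizarro, Gabriel and Cavallaro, Lorenzo and Kruegel, Christopher and Vigna, Giovanni},
  title     = {{ChainReactor}: Automated Privilege Escalation Chain Discovery via {AI} Planning},
  booktitle = {33rd {USENIX} Security Symposium},
  year      = {2024},
}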
Jigsaw Puzzle: Selective Backdoor Attack to Subvert Malware Classifiers
Limin Yang, Zhi Chen, Jacopo Cortellazzi, Feargus Pendlebury, Kevin Tu, Fabio Pierazzi, Lorenzo Cavallaro, Gang Wang
IEEE S&P 2023 · 44th IEEE Symposium on Security and Privacy, 2023
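% Conference paper (it carries a booktitle), so it uses the inproceedings type. The arXiv identifier lives in
% eprint/archivePrefix; the CoRR-style volume is dropped because it is not a proceedings volume.
@inproceedings{yang2022jigsaw,
  author        = {Yang, Limin and Chen, Zhi and Cortellazzi, Jacopo and Pendlebury, Feargus and Tu, Kevin and Pierazzi, Fabio and Cavallaro, Lorenzo and Wang, Gang},
  title         = {Jigsaw Puzzle: Selective Backdoor Attack to Subvert Malware Classifiers},
  booktitle     = {{IEEE} Symposium on Security and Privacy},
  year          = {2023},
  eprint        = {2202.05470},
  archivePrefix = {arXiv},
  url           = {https://arxiv.org/abs/2202.05470},
}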
ROPfuscator: Robust Obfuscation with ROP
Giulio De Pasquale and Fukutomo Nakanishi and Daniele Ferla and Lorenzo Cavallaro
WOOT 2023 · 17th IEEE Workshop on Offensive Technologies, 2023
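% Braces around ROPfuscator and ROP keep their capitalisation under styles that sentence-case titles.
@inproceedings{depasquale23,
  author    = {De Pasquale, Giulio and Nakanishi, Fukutomo and Ferla, Daniele and Cavallaro, Lorenzo},
  title     = {{ROPfuscator}: Robust Obfuscation with {ROP}},
  booktitle = {{IEEE} Workshop on Offensive Technologies ({WOOT})},
  year      = {2023},
}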
Realizable Universal Adversarial Perturbations for Malware
Raphael Labaca-Castro, Luis Muñoz-González, Feargus Pendlebury, Gabi Dreo Rodosek, Fabio Pierazzi, Lorenzo Cavallaro
CoRR 2022 · arXiv CoRR, 2022
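% Names use the "Last, First" form so the two-word surname Dreo Rodosek is not split into a given name and a surname.
% The file contains UTF-8 characters; classic 8-bit BibTeX may sort or label them incorrectly.
@article{labacacastro2022uaps,
  author        = {Labaca-Castro, Raphael and Muñoz-González, Luis and Pendlebury, Feargus and Dreo Rodosek, Gabi and Pierazzi, Fabio and Cavallaro, Lorenzo},
  title         = {Realizable Universal Adversarial Perturbations for Malware},
  journal       = {CoRR},
  volume        = {abs/2102.06747},
  year          = {2022},
  eprint        = {2102.06747},
  archivePrefix = {arXiv},
  url           = {https://arxiv.org/abs/2102.06747},
}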
Identifying Authorship in Malicious Binaries: Features, Challenges & Datasets
Jason Gray, Daniele Sgandurra, Lorenzo Cavallaro, Jorge Blasco Alis
CSUR 2024 · ACM Computing Surveys, 2024
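% month uses the unquoted BibTeX macro so each style can format and localise it; the journal is stored under its full name.
@article{Grayetal2024,
  author     = {Gray, Jason and Sgandurra, Daniele and Cavallaro, Lorenzo and Blasco Alis, Jorge},
  title      = {Identifying Authorship in Malicious Binaries: Features, Challenges \& Datasets},
  journal    = {{ACM} Computing Surveys},
  volume     = {56},
  number     = {8},
  month      = apr,
  year       = {2024},
  issue_date = {August 2024},
  articleno  = {212},
  numpages   = {36},
  publisher  = {Association for Computing Machinery},
  address    = {New York, NY, USA},
  issn       = {0360-0300},
  doi        = {10.1145/3653973},
  url        = {https://doi.org/10.1145/3653973},
}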
Intertwining ROP Gadgets and Opaque Predicates for Robust Obfuscation
Fukutomo Nakanishi, Giulio De Pasquale, Daniele Ferla, Lorenzo Cavallaro
CoRR 2020 · arXiv CoRR, 2020
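% ROP is braced so sentence-casing styles do not lowercase the acronym; the arXiv link uses https like the other arXiv entries.
@article{nakanishi2020rop,
  author        = {Nakanishi, Fukutomo and De Pasquale, Giulio and Ferla, Daniele and Cavallaro, Lorenzo},
  title         = {Intertwining {ROP} Gadgets and Opaque Predicates for Robust Obfuscation},
  journal       = {CoRR},
  volume        = {abs/2012.09163},
  year          = {2020},
  eprint        = {2012.09163},
  archivePrefix = {arXiv},
  url           = {https://arxiv.org/abs/2012.09163},
}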
Probabilistic Naming of Functions in Stripped Binaries
James Patrick-Evans, Lorenzo Cavallaro, Johannes Kinder
ACSAC 2020 · Annual Computer Security Applications Conference, 2020
% ACSAC 2020 paper on naming functions in stripped binaries.
@inproceedings{patrickevans2020punstrip,
  title     = {Probabilistic Naming of Functions in Stripped Binaries},
  author    = {Patrick-Evans, James and Cavallaro, Lorenzo and Kinder, Johannes},
  year      = {2020},
  booktitle = {Annual Computer Security Applications Conference (ACSAC)},
}
On the Dissection of Evasive Malware
Daniele Cono D'Elia, Emilio Coppa, Federico Palmaro, and Lorenzo Cavallaro
IEEE TIFS 2020 · IEEE Trans. Information Forensics and Security, 2020
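% Title and journal are no longer wrapped in a second pair of braces, so the bibliography style controls their casing;
% only the IEEE acronym stays protected.
@article{DBLP:journals/tifs/delia,
  author    = {D'Elia, Daniele Cono and Coppa, Emilio and Palmaro, Federico and Cavallaro, Lorenzo},
  title     = {On the Dissection of Evasive Malware},
  journal   = {{IEEE} Trans. Information Forensics and Security},
  volume    = {15},
  pages     = {2750--2765},
  year      = {2020},
  doi       = {10.1109/TIFS.2020.2976559},
  url       = {https://doi.org/10.1109/TIFS.2020.2976559},
  bibsource = {dblp computer science bibliography, http://dblp.org},
  note      = {IEEE TIFS},
}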
BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews
Claudio Rizzo, Lorenzo Cavallaro, and Johannes Kinder
RAID 2018 · 21st International Symposium on Research in Attacks, Intrusions and Defenses, 2018
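% BabelView is braced to keep its inner capital under sentence-casing styles; booktitle carries the full symposium name
% rather than the bare acronym.
@inproceedings{DBLP:conf/raid/RizzoCK18,
  author    = {Rizzo, Claudio and Cavallaro, Lorenzo and Kinder, Johannes},
  title     = {{BabelView}: Evaluating the Impact of Code Injection Attacks in Mobile Webviews},
  booktitle = {21st International Symposium on Research in Attacks, Intrusions and Defenses ({RAID})},
  series    = {Lecture Notes in Computer Science},
  volume    = {11050},
  pages     = {25--46},
  publisher = {Springer},
  year      = {2018},
}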
POTUS: Probing Off-The-Shelf USB Drivers with Symbolic Fault Injection
James Patrick-Evans, Lorenzo Cavallaro, and Johannes Kinder
USENIX Sec-WOOT 2017 · 11th USENIX Workshop on Offensive Technologies, 2017 · Best Paper Award
% WOOT 2017 workshop paper; the note field records the best paper award.
@inproceedings{woot2017,
  title     = {{POTUS}: Probing Off-The-Shelf {USB} Drivers with Symbolic Fault Injection},
  author    = {Patrick-Evans, James and Cavallaro, Lorenzo and Kinder, Johannes},
  year      = {2017},
  booktitle = {11th USENIX Workshop on Offensive Technologies (WOOT)},
  note      = {USENIX WOOT Best Paper Award},
}
Understanding Android App Piggybacking: A Systematic Study of Malicious Code Grafting
Li Li, Daoyuan Li, Tegawende F. Bissyande, Jacques Klein, Yves Le Traon, David Lo, and Lorenzo Cavallaro
IEEE TIFS 2017 · IEEE Trans. Information Forensics and Security, 2017
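% "Last, First" form keeps the surname Le Traon in one piece; only Android and IEEE are brace-protected, so the style
% decides the casing of the rest of the title and journal.
@article{DBLP:journals/tifs/0029LBKTLC17,
  author    = {Li, Li and Li, Daoyuan and Bissyande, Tegawende F. and Klein, Jacques and Le Traon, Yves and Lo, David and Cavallaro, Lorenzo},
  title     = {Understanding {Android} App Piggybacking: A Systematic Study of Malicious Code Grafting},
  journal   = {{IEEE} Trans. Information Forensics and Security},
  volume    = {12},
  number    = {6},
  pages     = {1269--1284},
  year      = {2017},
  doi       = {10.1109/TIFS.2017.2656460},
  url       = {https://doi.org/10.1109/TIFS.2017.2656460},
  timestamp = {Sun, 28 May 2017 13:17:25 +0200},
  biburl    = {http://dblp.uni-trier.de/rec/bib/journals/tifs/0029LBKTLC17},
  bibsource = {dblp computer science bibliography, http://dblp.org},
  note      = {IEEE TIFS},
}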
Modular Synthesis of Heap Exploits
Dusan Repel, Johannes Kinder, and Lorenzo Cavallaro
ACM CCS-PLAS 2017 · ACM SIGSAC Workshop on Programming Languages and Analysis for Security, 2017
% PLAS 2017 workshop paper; the note field names the co-located venue.
@inproceedings{plas2017,
  title     = {Modular Synthesis of Heap Exploits},
  author    = {Repel, Dusan and Kinder, Johannes and Cavallaro, Lorenzo},
  year      = {2017},
  booktitle = {Proc. ACM SIGSAC Workshop on Programming Languages and Analysis for Security (PLAS 2017)},
  note      = {ACM CCS-PLAS},
}
Stack Object Protection with Low Fat Pointers
Gregory Duck, Roland Yap, and Lorenzo Cavallaro
NDSS 2017 · 24th Annual Network and Distributed System Security Symposium, 2017
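% month uses the unquoted macro feb; the title is single-braced so the bibliography style controls its casing.
@inproceedings{lowfatstack-ndss2017,
  author    = {Duck, Gregory and Yap, Roland and Cavallaro, Lorenzo},
  title     = {Stack Object Protection with Low Fat Pointers},
  booktitle = {24th Annual Network and Distributed System Security Symposium, San Diego, California, USA},
  month     = feb,
  year      = {2017},
  note      = {NDSS},
}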
The Evolution of Android Malware and Android Analysis Techniques
Kimberly Tam, Ali Feizollah, Badrul Nor Anuar, Rosli Salleh, and Lorenzo Cavallaro
ACM CSUR 2017 · ACM Computing Surveys, 2017
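% Journal name spelling corrected to Computing; month uses the unquoted macro jan; Android is brace-protected in place
% of double-bracing the whole title.
@article{Tam:2017:EAM:3022634.3017427,
  author     = {Tam, Kimberly and Feizollah, Ali and Anuar, Badrul Nor and Salleh, Rosli and Cavallaro, Lorenzo},
  title      = {The Evolution of {Android} Malware and {Android} Analysis Techniques},
  journal    = {{ACM} Computing Surveys},
  volume     = {49},
  number     = {4},
  pages      = {76:1--76:41},
  month      = jan,
  year       = {2017},
  issue_date = {February 2017},
  articleno  = {76},
  numpages   = {41},
  publisher  = {ACM},
  address    = {New York, NY, USA},
  issn       = {0360-0300},
  doi        = {10.1145/3017427},
  url        = {http://doi.acm.org/10.1145/3017427},
  acmid      = {3017427},
  keywords   = {Android, classification, detection, dynamic analysis, malware, static analysis},
  note       = {ACM CSUR},
}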
CopperDroid: Automatic Reconstruction of Android Malware Behaviors
Kimberly Tam, Salahuddin J. Khan, Aristide Fattori, and Lorenzo Cavallaro
NDSS 2015 · 22nd Annual Network and Distributed System Security Symposium, 2015
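% Authors are joined with " and " so BibTeX parses four people instead of one malformed name; CopperDroid and Android
% are brace-protected, and month uses the unquoted macro feb.
@inproceedings{copperdroid-ndss2015,
  author    = {Tam, Kimberly and Khan, Salahuddin J. and Fattori, Aristide and Cavallaro, Lorenzo},
  title     = {{CopperDroid}: Automatic Reconstruction of {Android} Malware Behaviors},
  booktitle = {22nd Annual Network and Distributed System Security Symposium, San Diego, California, USA},
  month     = feb,
  year      = {2015},
  note      = {NDSS},
}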
PuppetDroid: A User-Centric UI Exerciser for Automatic Dynamic Analysis of Similar Android Applications
Andrea Gianazza, Federico Maggi, Aristide Fattori, Lorenzo Cavallaro, and Stefano Zanero
CoRR 2014 · arXiv CoRR, 2014
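% PuppetDroid, UI and Android are brace-protected in place of double-bracing the whole title; eprint and archivePrefix
% are filled from the arXiv identifier already present in the url, matching the other arXiv entries.
@article{DBLP:journals/corr/GianazzaMFCZ14,
  author        = {Gianazza, Andrea and Maggi, Federico and Fattori, Aristide and Cavallaro, Lorenzo and Zanero, Stefano},
  title         = {{PuppetDroid}: A User-Centric {UI} Exerciser for Automatic Dynamic Analysis of Similar {Android} Applications},
  journal       = {arXiv CoRR},
  volume        = {abs/1402.4826},
  year          = {2014},
  eprint        = {1402.4826},
  archivePrefix = {arXiv},
  url           = {https://arxiv.org/abs/1402.4826},
  timestamp     = {Wed, 10 Sep 2014 17:05:02 +0200},
  biburl        = {http://dblp.uni-trier.de/rec/bib/journals/corr/GianazzaMFCZ14},
  bibsource     = {dblp computer science bibliography, http://dblp.org},
  note          = {arXiv CoRR},
}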