About me
Since May 2008 I have been working at Università degli Studi di
Udine as a research assistant, under the supervision of
Prof. Furio
Ercolessi. My research work is sponsored by The SpamHaus Project, the world's largest
anti-spam non-profit organization.
From Sep 2006 to May 2008, I was a visiting research
scholar at the Department of Computer Science of
the University of
Wisconsin–Madison (USA) working on malware analysis
and detection under the supervision of Prof. Somesh Jha.
Research interests
- Spam and spam prevention
- Malware analysis and detection
- Program analysis and reverse engineering (with emphasis
on the analysis of binary code)
- Vulnerability analysis
- Exploitation and anti-exploitation techniques
- Virtual machines
- Computer forensics
Education
Contact information
| Email & Jabber/XMPP | |
| GPG Key | 0x8B143975 (fingerprint: 363D 3EF3 CC92 2069 949C 4F11 6C57 2D70 8B14 3975) |
Projects and software
EmuFuzzer
EmuFuzzer is a fuzzer for CPU emulators. EmuFuzzer
“stresses” a CPU emulator with specially crafted test-cases,
representing register and memory configurations, to verify whether the CPU
is properly emulated or not. EmuFuzzer detects improper behaviours of the
emulator by running the same test-case concurrently on the emulated and on
the physical CPU and by comparing the state of the two after the
execution. Differences in the final state reveal defects in the code of the
emulator. Currently EmuFuzzer supports the following CPU emulators:
For more details see the paper
Testing CPU
emulators.
We also used EmuFuzzer to discover red-pills: programs or procedures capable
of determining whether they are executed on a physical CPU or on an emulated
CPU. Such red-pills can be used in malicious programs to impede dynamic
analysis. For more details see the paper A fistful
of red-pills: How to automatically generate procedures to detect CPU
emulators and the web-page devoted to the
project.
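As an added illustration (not EmuFuzzer's code), the differential check at the core of both paragraphs above, written in Python: the final states of one test-case on the physical CPU and on the emulator are compared register by register, flag by flag and byte by byte; the EFLAGS bits the ISA leaves undefined for the instruction under test are masked, because an emulator may legitimately pick any value there and a difference in them is not a defect; each remaining deviation is then turned into a red-pill recipe (run the test-case, check the deviating location against the physical value). The test-case (bsf eax, ecx), the physical result and the emulator result are constructed for the example; the emulator values are hypothetical and describe no real emulator.

```python
from typing import Optional
from dataclasses import dataclass

# IA-32 EFLAGS bit positions (architectural).
EFLAGS_BITS = {"CF": 0, "PF": 2, "AF": 4, "ZF": 6, "SF": 7, "OF": 11}
GPRS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp", "eip")


@dataclass
class CpuState:
    regs: dict                    # GPR name -> 32-bit value
    eflags: int
    mem: bytes                    # contents of the test-case's data area
    fault: Optional[str] = None   # exception raised by the test-case, if any


def diff_states(phys, emu, undefined_flags=()):
    """Compare the final states of one test-case run on the physical CPU and
    on the emulator; returns [(location, physical_value, emulator_value)].
    `undefined_flags` names the EFLAGS bits the ISA leaves undefined for the
    instruction under test: an emulator may legitimately pick any value
    there, so a difference in those bits is not a defect and is masked."""
    if phys.fault != emu.fault:
        # Different exception behaviour: the rest of the state is not comparable.
        return [("fault", phys.fault, emu.fault)]
    devs = [(r, phys.regs[r], emu.regs[r]) for r in GPRS if phys.regs[r] != emu.regs[r]]
    for name, bit in EFLAGS_BITS.items():
        p, e = (phys.eflags >> bit) & 1, (emu.eflags >> bit) & 1
        if p != e and name not in undefined_flags:
            devs.append((f"eflags.{name}", p, e))
    devs += [(f"mem[{i:#x}]", p, e) for i, (p, e) in enumerate(zip(phys.mem, emu.mem)) if p != e]
    return devs


def red_pill(code, init, devs):
    """Turn the first register, flag or memory deviation into a red-pill
    recipe: execute `code` from `init`, then compare the deviating location
    with the value the physical CPU produced; a mismatch means "emulated".
    A deviation in exception behaviour needs a handler and is skipped here."""
    for loc, phys_val, _ in devs:
        if loc != "fault":
            return {"code": code.hex(), "init_regs": dict(init.regs), "check": loc, "expect": phys_val}
    return None


# Constructed test-case: `bsf eax, ecx` (0F BC C1) at 0x1000 with ecx = 0x80.
# For BSF the Intel SDM defines only ZF; CF, OF, SF, AF and PF are undefined.
CODE = bytes.fromhex("0fbcc1")
BSF_UNDEFINED = ("CF", "OF", "SF", "AF", "PF")
ZERO = {r: 0 for r in GPRS}
INIT = CpuState({**ZERO, "ecx": 0x80, "eip": 0x1000}, 0x2, bytes(16))
# Physical CPU: eax = 7 (index of the lowest set bit), ZF = 0, AF happens to be 1.
PHYS = CpuState({**ZERO, "eax": 7, "ecx": 0x80, "eip": 0x1003}, 0x12, bytes(16))
# Hypothetical emulator output (constructed, not any real emulator's): eax wrong, AF = 0.
EMU = CpuState({**ZERO, "eax": 0, "ecx": 0x80, "eip": 0x1003}, 0x02, bytes(16))

if __name__ == "__main__":
    devs = diff_states(PHYS, EMU, BSF_UNDEFINED)
    print("deviations:", devs)                      # [('eax', 7, 0)]; AF is masked
    print("red pill:", red_pill(CODE, INIT, devs))
```

Without the mask the AF difference would be reported as a second deviation and would yield a useless red-pill, since the physical CPU itself is not guaranteed to reproduce an undefined flag; masking per instruction is what keeps the oracle honest.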
EmuFuzzer is developed by Lorenzo Martignoni, Roberto Paleari, and
Giampaolo Fresi Roglia
WUSSTrace
WUSSTrace is a user-space syscall tracer for Microsoft
Windows developed for fine-grained syscall tracing: it supports the majority
of Windows system calls (except GUI system calls) and the majority of argument
types, and faithfully dumps all the supported types. WUSSTrace produces
easy-to-parse XML traces leveraging the
Boost
serialization library. Tracing is performed by injecting a shared
library (DLL) into the address space of the traced process and by hooking the stubs
KiFastSystemCall (the sysenter path) and
KiIntSystemCall (the int 0x2e path) in
ntdll.dll, through which native system calls pass on 32-bit Windows.
WUSSTrace is developed by Lorenzo Martignoni and Roberto Paleari
Memu
Memu is a malicious code emulator based on
QEMU and
virtual machine introspection
(VMI). Memu can monitor the execution of one or more suspicious programs
running inside the guest OS (Microsoft Windows XP) and can trace system
calls, exceptions, calls to API functions, memory accesses, and even single
machine instructions. It also supports taint analysis with arbitrary taint
sources and sinks and taint labels of up to 32 bits. The emulator exposes an
API for developing custom malware analyses.
The behaviour-based malware detector described in the paper A Layered Architecture for Detecting Malicious Behaviors
is built as a Memu plugin.
Memu is developed by Lorenzo Martignoni, with the contribution of Matt
Fredrikson
ITrace
ITrace provides an easy-to-use interface to insert a hook
into your favourite code emulator or debugger (mine is
QEMU) to record on disk the dynamic
execution trace for the most exotic off-line analyses. ITrace comes with a
trace recorder, a trace reader, and a set of modules to develop your own
analyses. If your emulator performs taint analysis, ITrace can record
32-bit taint labels for you in the trace. The trace generated by ITrace is
human readable. Executed instructions are interpreted and converted into an
intermediate form (IR) which makes explicit all the side effects of each
instruction.
Currently ITrace comes with the following modules:
- forward dynamic slicer (with support for control dependencies)
- backward dynamic slicer (with support for control dependencies)
- solver (based on STP) for
solving constraints expressed directly in the intermediate form
The intermediate form stores everything you might need for your off-line
analysis, from the semantics of each instruction to the value and the taint
label of the operands of the instruction. It looks like the following:
# b49f5b6e testb $0x2, (%esi)
b49f5b6e 2158c1 0 ASGN(R(9 0 0 0 0) C(1 0))
b49f5b6e 2158c2 0 ASGN(R(9 b b 0 0) C(1 0))
b49f5b6e 2158c3 0 ASGN(R(9 6 6 1 3e) (== (& M(R(7 0 1f b4ac1300 3e) 8 88 0) C(8 2)) C(8 0)))
b49f5b6e 2158c4 0 ASGN(R(9 7 7 0 3e) (MSB (& M(R(7 0 1f b4ac1300 3e) 8 88 0) C(8 2))))
# b49f5b73 mov (%esi), %eax
b49f5b73 2158c6 0 ASGN(R(1 0 1f fbad2088 3e) M(R(7 0 1f b4ac1300 3e) 20 fbad2088 0))
# b49f5b75 and $0x1008, %eax
b49f5b75 2158c8 0 ASGN(R(9 0 0 0 0) C(1 0))
b49f5b75 2158c9 0 ASGN(R(9 b b 0 0) C(1 0))
b49f5b75 2158ca 0 ASGN(R(9 6 6 0 3e) (== (& R(1 0 1f fbad2088 3e) C(20 1008)) C(20 0)))
b49f5b75 2158cb 0 ASGN(R(9 7 7 0 3e) (MSB (& R(1 0 1f fbad2088 3e) C(20 1008))))
b49f5b75 2158cc 0 ASGN(R(1 0 1f 8 3e) (& R(1 0 1f fbad2088 3e) C(20 1008)))
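The following Python, added here and not part of ITrace, parses the listing above and runs a backward dynamic slice over it, i.e. the data-dependency walk the slicer modules listed above perform. The field layout is inferred from the listing and is an assumption: R(reg lo hi value taint) is a register bit-range with its recorded value and taint label, M(addr-expr bits value taint) a memory access, C(bits value) a constant, and (== a b), (& a b), (MSB a) the operators; all numbers are hexadecimal. The third column of each statement is kept but not interpreted, and control dependencies are not handled.

```python
import re

# The IR listing from the page, reused verbatim as this example's input.
TRACE = """\
# b49f5b6e testb $0x2, (%esi)
b49f5b6e 2158c1 0 ASGN(R(9 0 0 0 0) C(1 0))
b49f5b6e 2158c2 0 ASGN(R(9 b b 0 0) C(1 0))
b49f5b6e 2158c3 0 ASGN(R(9 6 6 1 3e) (== (& M(R(7 0 1f b4ac1300 3e) 8 88 0) C(8 2)) C(8 0)))
b49f5b6e 2158c4 0 ASGN(R(9 7 7 0 3e) (MSB (& M(R(7 0 1f b4ac1300 3e) 8 88 0) C(8 2))))
# b49f5b73 mov (%esi), %eax
b49f5b73 2158c6 0 ASGN(R(1 0 1f fbad2088 3e) M(R(7 0 1f b4ac1300 3e) 20 fbad2088 0))
# b49f5b75 and $0x1008, %eax
b49f5b75 2158c8 0 ASGN(R(9 0 0 0 0) C(1 0))
b49f5b75 2158c9 0 ASGN(R(9 b b 0 0) C(1 0))
b49f5b75 2158ca 0 ASGN(R(9 6 6 0 3e) (== (& R(1 0 1f fbad2088 3e) C(20 1008)) C(20 0)))
b49f5b75 2158cb 0 ASGN(R(9 7 7 0 3e) (MSB (& R(1 0 1f fbad2088 3e) C(20 1008))))
b49f5b75 2158cc 0 ASGN(R(1 0 1f 8 3e) (& R(1 0 1f fbad2088 3e) C(20 1008)))
"""
TOK = re.compile(r"[()]|[^\s()]+")

def _parse(toks, i):
    """One node: an atom (str) or (head, [children]).  The head precedes the
    paren for R/M/C/ASGN and follows it for operators such as (& a b)."""
    t = toks[i]
    headed = t.isupper() and i + 1 < len(toks) and toks[i + 1] == "("
    if t != "(" and not headed:
        return t, i + 1
    head, i, kids = (toks[i + 1], i + 2, []) if t == "(" else (t, i + 2, [])
    while toks[i] != ")":
        node, i = _parse(toks, i)
        kids.append(node)
    return (head, kids), i + 1

def parse_trace(text):
    """Statements as dicts {addr, seq, dst, expr}; '#' lines are the disassembly."""
    stmts = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            addr, seq, _flag, ir = line.split(maxsplit=3)   # third column kept, not interpreted
            node, _ = _parse(TOK.findall(ir), 0)
            stmts.append({"addr": addr, "seq": int(seq, 16), "dst": node[1][0], "expr": node[1][1]})
    return stmts

def width(n):
    """Bit width of an expression (assumed field layout, see the lead-in)."""
    h, k = n
    if h == "R": return int(k[2], 16) - int(k[1], 16) + 1
    if h == "C": return int(k[0], 16)
    if h == "M": return int(k[1], 16)
    return 1 if h in ("==", "MSB") else width(k[0])      # '&' keeps its operand's width

def value(n):
    """Evaluate an expression; R/M/C leaves carry the value the trace recorded."""
    h, k = n
    if h == "R": return int(k[3], 16)
    if h == "C": return int(k[1], 16)
    if h == "M": return int(k[2], 16)
    if h == "&": return value(k[0]) & value(k[1])
    if h == "==": return int(value(k[0]) == value(k[1]))
    if h == "MSB": return (value(k[0]) >> (width(k[0]) - 1)) & 1
    raise ValueError(h)

def check_recorded_values(stmts):
    """Seqs whose recorded destination value disagrees with the evaluated
    right-hand side: an integrity check worth running before slicing a trace."""
    return [s["seq"] for s in stmts if value(s["dst"]) != value(s["expr"])]

def loc(n):
    """Location written or read: ('R', reg, lo, hi) or ('M', address, bits)."""
    h, k = n
    return ("R", int(k[0], 16), int(k[1], 16), int(k[2], 16)) if h == "R" else ("M", value(k[0]), int(k[1], 16))

def reads(n, acc=None):
    """Locations an expression reads, including registers used as addresses."""
    acc = [] if acc is None else acc
    h, k = n
    if h in ("R", "M"):
        acc.append(loc(n))
    if h == "M":
        reads(k[0], acc)
    elif h not in ("R", "C"):
        for c in k:
            reads(c, acc)
    return acc

def overlaps(a, b):
    if a[0] != b[0]:
        return False
    if a[0] == "R":
        return a[1] == b[1] and a[2] <= b[3] and b[2] <= a[3]
    return a[1] < b[1] + b[2] // 8 and b[1] < a[1] + a[2] // 8

def uses(s):
    u = reads(s["expr"])
    if s["dst"][0] == "M":
        reads(s["dst"][1][0], u)                 # address of the written cell
    return u

def backward_slice(stmts, seq):
    """Seqs the value written at `seq` depends on (data dependencies only)."""
    i = [s["seq"] for s in stmts].index(seq)
    needed, result = uses(stmts[i]), [seq]
    for s in reversed(stmts[:i]):
        hit = [n for n in needed if overlaps(n, loc(s["dst"]))]
        if hit:
            result.append(s["seq"])
            needed = [n for n in needed if n not in hit] + uses(s)
    return sorted(result)
```

On the listing above, the slice of the final `eax` (seq 2158cc) is [2158c6, 2158cc]: the `and` depends on the `mov`, and the `mov` depends only on `esi` and the memory it reads, which no earlier statement in this fragment defines. A forward slicer is the same walk in the opposite direction, collecting statements whose uses overlap the locations defined so far and dropping a location when a later statement overwrites it without depending on it.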
ITrace has been successfully used by me and by a small group of other
people with QEMU and Pin.
ITrace is developed by Lorenzo Martignoni
PyEA (Python Executable Analyser)
PyEA is a hybrid static/dynamic
code analyser written in Python. The analyser was originally developed to
statically analyse IA-32 malicious programs, but soon evolved into a
generic analyser for compiled programs. PyEA currently supports PE and ELF
executables, disassembles executables using a recursive disassembler, and
translates each machine instruction into an intermediate form that makes
side effects explicit. The analyses work directly on the intermediate
representation and include:
- graph dominance analysis
- static and dynamic data- and control-dependency analyses
- liveness and reachability analyses
- loop analysis
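An added example of the first and last analyses in the list, dominance and natural-loop detection, on a constructed control flow graph of basic blocks (block start addresses and successor lists chosen for illustration; this is neither PyEA's code nor its output):

```python
# Constructed CFG (not PyEA output): block start address -> successor addresses.
# It models a function with one loop whose body has an if/else and whose
# header exits the loop when done.
CFG = {
    0x401000: [0x401010],             # entry
    0x401010: [0x401020, 0x401050],   # loop header: test, exit when done
    0x401020: [0x401030, 0x401040],   # loop body: if/else
    0x401030: [0x401010],             # then-branch: back edge to the header
    0x401040: [0x401010],             # else-branch: back edge to the header
    0x401050: [],                     # return
}
ENTRY = 0x401000


def predecessors(cfg):
    return {n: [p for p in cfg if n in cfg[p]] for n in cfg}


def dominators(cfg, entry):
    """Iterative dataflow: dom(n) = {n} U intersection of dom(p) over preds p.
    Starting from 'all nodes' and shrinking converges to the greatest fixpoint."""
    preds = predecessors(cfg)
    dom = {n: set(cfg) for n in cfg}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in cfg:
            if n == entry:
                continue
            new = {n} | set.intersection(*(dom[p] for p in preds[n])) if preds[n] else {n}
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def immediate_dominators(dom):
    """idom(n): the strict dominator of n that all other strict dominators dominate."""
    idom = {}
    for n, ds in dom.items():
        strict = ds - {n}
        for d in strict:
            if all(o in dom[d] for o in strict):
                idom[n] = d
    return idom


def natural_loops(cfg, dom):
    """A back edge t -> h (h dominates t) defines the loop made of h plus every
    node that reaches t without going through h.  Loops sharing a header are merged."""
    preds, loops = predecessors(cfg), {}
    for t, succs in cfg.items():
        for h in succs:
            if h not in dom[t]:
                continue
            body, work = {h, t}, ([t] if t != h else [])
            while work:
                for p in preds[work.pop()]:
                    if p not in body:
                        body.add(p)
                        work.append(p)
            loops.setdefault(h, set()).update(body)
    return loops


if __name__ == "__main__":
    dom = dominators(CFG, ENTRY)
    print({hex(n): sorted(map(hex, d)) for n, d in dom.items()})
    print({hex(n): hex(d) for n, d in immediate_dominators(dom).items()})
    print({hex(h): sorted(map(hex, b)) for h, b in natural_loops(CFG, dom).items()})
```

The iterative formulation is the simplest correct one and fine for the CFG sizes of single functions; on whole-program graphs one would switch to the Cooper-Harvey-Kennedy or Lengauer-Tarjan algorithms, which compute the same dominator tree.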
PyEA contains a process execution tracer for GNU/Linux based on
ptrace() and interfaces with the
STP constraint
solver (using the
PySTP extension module).
Recently, support for hybrid analysis of PHP bytecode has been introduced
into this framework.
Some of the algorithms for the normalisation and detection of
self-mutating malware described in the papers Code Normalization
for Self-Mutating Malware and Detecting
Self-Mutating Malware Using Control Flow Graph Matching have been
recently ported to PyEA. The fuzzer described in the paper A Smart Fuzzer for x86 Executables is also implemented on
top of PyEA.
PyEA is developed by Lorenzo Martignoni and Roberto Paleari
Publications
[1]
Giampaolo Fresi Roglia, Lorenzo Martignoni, Roberto Paleari, and Danilo
Bruschi.
Surgically returning to randomized lib(c).
In Proceedings of the 25th Annual Computer Security
Applications Conference (ACSAC), Honolulu, Hawaii, USA, pages 60-69. IEEE
Computer Society, December 2009.
To strengthen systems against code injection attacks, the
write or execute only policy (W^X) and address space layout
randomization (ASLR) are typically used in combination. The
former separates data and code, while the latter randomizes
the layout of a process. In this paper we present a new
attack to bypass W^X and ASLR. The state-of-the-art attack
against this combination of protections is based on
brute-force, while ours is based on the leakage of sensitive
information about the memory layout of the process. Using our
attack an attacker can exploit the large majority of programs
vulnerable to stack-based buffer overflows surgically,
i.e., in just a single shot. We have estimated that our
attack is feasible on 95.6% and 61.8% of executables (of
medium size) for Intel x86 and x86-64 architectures
respectively. We also analyze the effectiveness of other
existing protections, that can be combined with W^X and ASLR,
at preventing our attack. We conclude that position
independent executables (PIE) are essential to complement
ASLR and to prevent our attack. However, PIE requires
recompilation, it is not adopted even when supported, and it
is not available on all ASLR-capable operating systems. To
overcome these limitations, we propose a new protection that
is as effective as PIE, does not require recompilation, and
introduces only a minimal overhead (about 2.69% with respect
to the unprotected execution).
[2]
Lorenzo Martignoni, Roberto Paleari, and Danilo Bruschi.
A framework for behavior-based malware analysis in the cloud.
In Proceedings of the 5th International Conference on
Information Systems Security (ICISS 2009), pages 178-192. Springer,
December 2009.
To ease the analysis of potentially malicious programs, dynamic
behavior-based techniques have been proposed in the
literature. Unfortunately, these techniques often give
incomplete results because the execution environments in
which they are performed are synthetic and do not faithfully
resemble the environments of end-users, the intended targets
of the malicious activities. In this paper, we present a new
framework for improving behavior-based analysis of suspicious
programs, that allows an end-user to delegate to security labs
(the cloud) the execution and the analysis of a program
and to force the program to behave as if it were executed
directly in the environment of the former. The evaluation
demonstrated that the proposed framework allows security labs
to improve the completeness of the analysis, by analyzing a
piece of malware on behalf of multiple end-users
simultaneously, while performing a fine-grained analysis of
the behavior of the program with no computational cost for
the end-users.
[3]
Roberto Paleari, Lorenzo Martignoni, Giampaolo Fresi Roglia, and Danilo
Bruschi.
A fistful of red-pills: How to automatically generate procedures to
detect CPU emulators.
In Proceedings of the 3rd USENIX Workshop on Offensive
Technologies (WOOT), Montreal, Canada. ACM, August 2009.
Malware includes several protections to complicate its
analysis: the longer it takes to analyze a new malware
sample, the longer the sample survives and the larger the number
of systems it compromises. Nowadays, new malware samples are
analyzed dynamically using virtual environments (e.g.,
emulators, virtual machines, or debuggers). Therefore,
malware incorporates a variety of tests to detect whether it is
executed through such environments and obfuscates its
behavior if it suspects its execution is being
monitored. Several simple tests, which we collectively call
red-pills, have already been proposed in the literature to
detect whether the execution of a program is performed in a
real or in a virtual environment. In this paper we propose an
automatic and systematic technique to generate red-pills,
specific for detecting if a program is executed through a CPU
emulator. Using this technique we generated thousands
of new red-pills, involving hundreds of different
opcodes, for two publicly available emulators, which are
widely used for analyzing malware.
[4]
Emanuele Passerini, Roberto Paleari, and Lorenzo Martignoni.
How good are malware detectors at remediating infected systems?
In Proceedings of the 6th Conference on Detection of
Intrusions and Malware & Vulnerability Assessment (DIMVA), Como, Italy,
Lecture Notes in Computer Science, pages 21-37. Springer, July 2009.
Malware detectors are applications that attempt to identify
and block malicious programs. Unfortunately, malware
detectors might not always be able to preemptively block a
malicious program from infecting the system (e.g., when the
signatures database is not promptly updated). In these
situations, the only way to eradicate the infection without
having to reinstall the entire system is to rely on the
remediation capabilities of the detectors. Therefore, it is
essential to evaluate the efficacy and accuracy of
anti-malware software in such situations. This paper
presents a testing methodology to assess the quality
(completeness) of the remediation procedures used by
malware detectors to revert the effect of an infection from a
compromised system. To evaluate the efficacy of our testing
methodology, we developed a prototype and used it to test six
of the top-rated commercial malware detectors currently
available on the market. The results of our evaluation
show that, in many situations, the tested malware
detectors fail to completely remove the effects of an
infection.
[5]
Lorenzo Martignoni, Roberto Paleari, Giampaolo Fresi Roglia, and Danilo
Bruschi.
Testing CPU emulators.
In Proceedings of the 2009 International Conference on Software
Testing and Analysis (ISSTA), Chicago, Illinois, U.S.A., pages 261-272.
ACM, July 2009.
A CPU emulator is software that simulates a hardware
CPU. Emulators are widely used by computer scientists for
various kinds of activities (e.g., debugging, profiling, and
malware analysis). Although no theoretical limitation
prevents the development of an emulator that faithfully emulates a
physical CPU, writing a fully featured emulator is a very
challenging and error-prone task. Modern CISC architectures
have a very rich instruction set, some instructions lack
proper specifications, and others may have undefined effects
in corner-cases. This paper presents a testing methodology
specific for CPU emulators, based on fuzzing. The emulator is
“stressed” with specially crafted test-cases, to verify
whether the CPU is properly emulated or not. Improper
behaviours of the emulator are detected by running the same
test-case concurrently on the emulated and on the physical
CPUs and by comparing the state of the two after the
execution. Differences in the final state reveal defects in
the code of the emulator. We implemented this methodology in
a prototype (codenamed EmuFuzzer), analysed four
state-of-the-art IA-32 emulators (QEMU, Valgrind, Pin and
BOCHS), and found several defects in each of them, some of
which can prevent the proper execution of programs.
[6]
Lorenzo Martignoni, Elizabeth Stinson, Matt Fredrikson, Somesh Jha, and John C.
Mitchell.
A Layered Architecture for Detecting Malicious Behaviors.
In Proceedings of the International Symposium on Recent Advances
in Intrusion Detection, RAID, Cambridge, Massachusetts, U.S.A., Lecture
Notes in Computer Science. Springer, September 2008.
We address the semantic gap problem in behavioral
monitoring by using hierarchical behavior graphs to infer
high-level behaviors from myriad low-level events that could
be parts of many different kinds of behavior. Our
experimental system traces the execution of a process,
performing data-flow analysis to identify meaningful actions
such as “proxying”, “keystroke logging”, “data
leaking”, and “downloading and executing a program” from
complex combinations of rudimentary system calls. To
preemptively address evasive malware behavior, our
specifications are carefully crafted to detect alternate
sequences of events that achieve the same high-level goal. We
tested seven malicious bots and eleven benign programs and
found that we were able to thoroughly identify high-level
behaviors across this diverse code base. Moreover, we were
able to distinguish malicious execution of high-level
behaviors from benign by distinguishing remotely-initiated
from locally-initiated actions.
[7]
Emanuele Passerini, Roberto Paleari, Lorenzo Martignoni, and Danilo Bruschi.
Fluxor: detecting and monitoring fast-flux service networks.
In Proceedings of the 5th Conference on Detection of
Intrusions and Malware & Vulnerability Assessment (DIMVA), Paris, France,
Lecture Notes in Computer Science. Springer, July 2008.
Botnets are large groups of compromised machines
(bots) used by miscreants for a variety of illegal
activities (e.g., sending spam emails, denial-of-service
attacks, phishing and other web scams). To protect the
identity and to maximise the availability of the core
components of their business, miscreants have recently
started to use fast-flux service networks, large
groups of bots acting as front-end proxies to these
components. Motivated by the conviction that prompt detection
and monitoring of these networks is an essential step to
counter the problem posed by botnets, we have developed
FluXOR, a system to detect and monitor fast-flux service
networks. FluXOR monitoring and detection strategies entirely
rely on the analysis of a set of features observable from the
point of view of a victim of the scams perpetrated by the
botnets. We have been using FluXOR for about a month and so
far we have detected 387 fast-flux service networks, composed
in total of 31998 distinct compromised machines, which we
believe to be associated with 16 botnets. Real-time
results are publicly available at
http://fluxor.laser.dico.unimi.it.
[8]
Lorenzo Martignoni, Mihai Christodorescu, and Somesh Jha.
OmniUnpack: Fast, Generic, and Safe Unpacking of Malware.
In Proceedings of the 23rd Annual Computer Security
Applications Conference (ACSAC), Miami Beach, Florida, USA. IEEE Computer
Society, December 2007.
Malicious software (or malware) has become a growing threat
as malware writers have learned that signature-based
detectors can be easily evaded by “packing” the malicious
payload in layers of compression or
encryption. State-of-the-art malware detectors have adopted
both static and dynamic techniques to recover the payload of
packed malware, but unfortunately such techniques are highly
ineffective. In this paper we propose a new technique, called
OmniUnpack, to monitor the execution of a program in
real-time and to detect when the program has removed the
various layers of packing. OmniUnpack aids malware detection
by directly providing to the detector the unpacked malicious
payload. Experimental results demonstrate the effectiveness
of our approach. OmniUnpack is able to deal with both known
and unknown packing algorithms and introduces a low overhead
(at most 11% for packed benign programs).
[9]
Andrea Lanzi, Lorenzo Martignoni, Mattia Monga, and Roberto Paleari.
A Smart Fuzzer for x86 Executables.
In Proceedings of the 3rd International Workshop on
Software Engineering for Secure Systems, SESS, Minneapolis, MN, USA. ACM,
May 2007.
The automatic identification of security-relevant flaws in
binary executables is still a young but promising research
area. In this paper, we describe a new approach for the
identification of vulnerabilities in object code we called
smart fuzzing. While conventional fuzzing uses
random input to discover crash conditions, smart fuzzing
restricts the input space by using a preliminary static
analysis of the program, then refined by monitoring each
execution. In other words, the search is driven by a mix of
static and dynamic analysis in order to lead the execution
path to selected corner cases that are the most likely to
expose vulnerabilities, thus improving the effectiveness of
fuzzing as a means for finding security breaches in black-box
programs.
[10]
Danilo Bruschi, Lorenzo Martignoni, and Mattia Monga.
Code Normalization for Self-Mutating Malware.
IEEE Security & Privacy, 5(2):46-54, May 2007.
Next-generation malware will adopt self-mutation to
circumvent current malware detection techniques. The authors
propose a strategy based on code normalization that reduces
different instances of the same malware into a common form
that can enable accurate detection.
[11]
Danilo Bruschi, Lorenzo Martignoni, and Mattia Monga.
Detecting Self-Mutating Malware Using Control Flow Graph Matching.
In Proceedings of the 3rd Conference on Detection of
Intrusions and Malware & Vulnerability Assessment (DIMVA), Berlin, Germany,
July 2006.
Next generation malware will be characterized by the
intense use of polymorphic and metamorphic techniques aimed
at circumventing the current malware detectors, based on
pattern matching. In order to deal with this new kind of
threat, novel techniques have to be devised for the
realization of malware detectors. Recent papers started to
address such an issue and this paper represents a further
contribution in such a field. More precisely in this paper we
propose a strategy for the detection of metamorphic malicious
code inside a program P based on the comparison of the
control flow graphs of P against the set of control flow
graphs of known malware. We also provide experimental data
supporting the validity of our strategy.
[12]
Danilo Bruschi, Lorenzo Martignoni, and Mattia Monga.
Using Code Normalization for Fighting Self-Mutating Malware.
In Proceedings of the International Symposium of Secure Software
Engineering, ISSSE, Arlington, VA, USA. IEEE Computer Society, March 2006.
Self mutating malware has been introduced by computer virus
writers who, in the '90s, started to write polymorphic and
metamorphic viruses in order to defeat anti-virus
products. In this paper we present a novel approach for
dealing with self mutating code which could represent the
basis for a new detection strategy for this type of
malware. A tool prototype has been implemented in order to
validate the idea and the results are quite encouraging, and
indicate that it could represent a new strategy for detecting
this kind of malware.
[13]
Danilo Bruschi, Lorenzo Martignoni, and Mattia Monga.
Using Code Normalization for Fighting Self-Mutating Malware.
Technical Report 08-06, Dipartimento di Informatica e Comunicazione
- Università degli Studi di Milano, March 2006.
Self mutating malware has been introduced by computer virus
writers who, in the '90s, started to write polymorphic and
metamorphic viruses in order to defeat anti-virus
products. In this paper we present a novel approach for
dealing with self mutating code which could represent the
basis for a new detection strategy for this type of
malware. A tool prototype has been implemented in order to
validate the idea and the results are quite encouraging, and
indicate that it could represent a new strategy for detecting
this kind of malware.
[14]
Danilo Bruschi, Lorenzo Martignoni, and Mattia Monga.
Detecting Self-Mutating Malware Using Control Flow Graph Matching.
Technical Report 09-06, Dipartimento di Informatica e Comunicazione
- Università degli Studi di Milano, March 2006.
Next generation malware will be characterized by the
intense use of polymorphic and metamorphic techniques aimed
at circumventing the current malware detectors, based on
pattern matching. In order to deal with this new kind of
threat, novel techniques have to be devised for the
realization of malware detectors. Recent papers started to
address such an issue and this paper represents a further
contribution in such a field. More precisely in this paper we
propose a strategy for the detection of metamorphic malicious
code inside a program P based on the comparison of the
control flow graphs of P against the set of control flow
graphs of known malware. We also provide experimental data
supporting the validity of our strategy.
[15]
Danilo Bruschi, Lorenzo Martignoni, and Mattia Monga.
How to Reuse Knowledge About Forensic Investigations.
In Proceedings of the 4th Digital Forensic Research
Workshop, DFRWS, Linthicum, MD, USA, August 2004.
When detectives perform investigations they manage a huge
amount of information, make use of specialized skills
and analyze a wide knowledge base of evidence. Most of the
work is not explicitly recorded and this hinders external
reviews and training. In this paper we propose a model able
to organize forensic knowledge in a reusable way. Thus, past
experience may be used to train new personnel, to foster
knowledge sharing among detective communities and to expose
collected information to quality assessment by third
parties.
Teaching
Operating systems/Sistemi operativi – 2008/2009
The educational materials for the operating systems class (laboratory) I taught
in the second semester of the academic year 2008/2009 are available on-line at
the
URL
http://homes.dico.unimi.it/~sisop/
(Italian only).
Hacking
I am a member of the hacking team ChocolateMakers, also known as
Guard@MyLan0 (you must know Italian very well to appreciate the name of
the team), affiliated with the LaSeR
laboratory (Università degli Studi di Milano). With the team I
participated in various hacking contests,
including CODEGATE, DEFCON, iCTF
and CIPHER.
In 2005 I organized the first Italian Capture The Flag (CTF-IT) and in 2009 I
contributed to the organization of the fifth edition
of CIPHER.