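@inproceedings{dfrws04,
  author    = {Bruschi, Danilo and Martignoni, Lorenzo and Monga, Mattia},
  title     = {How to Reuse Knowledge About Forensic Investigations},
  booktitle = {Proceedings of the 4th Digital Forensic Research Workshop
               ({DFRWS}), Linthicum, MD, USA},
  month     = aug,
  year      = {2004},
  abstract  = {When detectives perform investigations they manage a huge
               amount of information, they make use of specialized skills
               and analyze a wide knowledge base of evidence. Most of the
               work is not explicitly recorded and this hinders external
               reviews and training. In this paper we propose a model able
               to organize forensic knowledge in a reusable way. Thus, past
               experience may be used to train new personnel, to foster
               knowledge sharing among detective communities and to expose
               collected information to quality assessment by third
               parties.},
  paper     = {dfrws04.pdf},
}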
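@inproceedings{dimva06,
  author    = {Bruschi, Danilo and Martignoni, Lorenzo and Monga, Mattia},
  title     = {Detecting Self-Mutating Malware Using Control Flow Graph
               Matching},
  booktitle = {Proceedings of the 3rd Conference on Detection of Intrusions
               and Malware \& Vulnerability Assessment ({DIMVA}), Berlin,
               Germany},
  month     = jul,
  year      = {2006},
  abstract  = {Next generation malware will be characterized by the
               intense use of polymorphic and metamorphic techniques aimed
               at circumventing the current malware detectors, based on
               pattern matching. In order to deal with this new kind of
               threat, novel techniques have to be devised for the
               realization of malware detectors. Recent papers started to
               address such an issue and this paper represents a further
               contribution in such a field. More precisely in this paper we
               propose a strategy for the detection of metamorphic malicious
               code inside a program $P$ based on the comparison of the
               control flow graphs of $P$ against the set of control flow
               graphs of known malware. We also provide experimental data
               supporting the validity of our strategy.},
}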
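@inproceedings{dimva08,
  author    = {Passerini, Emanuele and Paleari, Roberto and Martignoni, Lorenzo
               and Bruschi, Danilo},
  title     = {{FluXOR}: Detecting and Monitoring Fast-Flux Service Networks},
  booktitle = {Proceedings of the 5th Conference on Detection of Intrusions
               and Malware \& Vulnerability Assessment ({DIMVA}), Paris,
               France},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  month     = jul,
  year      = {2008},
  abstract  = {\emph{Botnets} are large groups of compromised machines
               (\emph{bots}) used by miscreants for the most illegal
               activities (e.g., sending spam emails, denial-of-service
               attacks, phishing and other web scams). To protect the
               identity and to maximise the availability of the core
               components of their business, miscreants have recently
               started to use \emph{fast-flux service networks}, large
               groups of bots acting as front-end proxies to these
               components. Motivated by the conviction that prompt detection
               and monitoring of these networks is an essential step to
               contrast the problem posed by botnets, we have developed
               FluXOR, a system to detect and monitor fast-flux service
               networks. FluXOR monitoring and detection strategies entirely
               rely on the analysis of a set of features observable from the
               point of view of a victim of the scams perpetrated by the
               botnets. We have been using FluXOR for about a month and so
               far we have detected 387 fast-flux service networks, totally
               composed by 31998 distinct compromised machines, which we
               believe to be associated with 16 botnets. \textbf{Real-time
               results are publicly available at
               \url{http://fluxor.laser.dico.unimi.it}.}},
  paper     = {http://www.springerlink.com/content/r710h553172801x6/fulltext.pdf},
}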
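@inproceedings{dimva09,
  author    = {Passerini, Emanuele and Paleari, Roberto and Martignoni,
               Lorenzo},
  title     = {How Good Are Malware Detectors at Remediating Infected
               Systems?},
  booktitle = {Proceedings of the 6th Conference on Detection of Intrusions
               and Malware \& Vulnerability Assessment ({DIMVA}), Como,
               Italy},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  pages     = {21--37},
  month     = jul,
  year      = {2009},
  abstract  = {Malware detectors are applications that attempt to identify
               and block malicious programs. Unfortunately, malware
               detectors might not always be able to preemptively block a
               malicious program from infecting the system (e.g., when the
               signatures database is not promptly updated). In these
               situations, the only way to eradicate the infection without
               having to reinstall the entire system is to rely on the
               remediation capabilities of the detectors. Therefore, it is
               essential to evaluate the efficacy and accuracy of
               anti-malware software in such situations. This paper
               presents a testing methodology to assess the quality
               (completeness) of the \textit{remediation procedures} used by
               malware detectors to revert the effect of an infection from a
               compromised system. To evaluate the efficacy of our testing
               methodology, we developed a prototype and used it to test six
               of the top-rated commercial malware detectors currently
               available on the market. The results of our evaluation
               witness that, in many situations, the tested malware
               detectors fail to completely remove the effects of an
               infection.},
  paper     = {http://www.springerlink.com/content/19h7778mu73lg256/fulltext.pdf},
}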
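@inproceedings{issse06,
  author    = {Bruschi, Danilo and Martignoni, Lorenzo and Monga, Mattia},
  title     = {Using Code Normalization for Fighting Self-Mutating
               Malware},
  booktitle = {Proceedings of the International Symposium of Secure Software
               Engineering ({ISSSE}), Arlington, VA, USA},
  publisher = {IEEE Computer Society},
  month     = mar,
  year      = {2006},
  abstract  = {Self mutating malware has been introduced by computer virus
               writers who, in '90s, started to write polymorphic and
               metamorphic viruses in order to defeat anti-virus
               products. In this paper we present a novel approach for
               dealing with self mutating code which could represent the
               basis for a new detection strategy for this type of
               malware. A tool prototype has been implemented in order to
               validate the idea and the results are quite encouraging, and
               indicate that it could represent a new strategy for detecting
               this kind of malware.},
}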
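@inproceedings{issta09,
  author    = {Martignoni, Lorenzo and Paleari, Roberto and Fresi Roglia,
               Giampaolo and Bruschi, Danilo},
  title     = {Testing {CPU} Emulators},
  booktitle = {Proceedings of the 2009 International Conference on Software
               Testing and Analysis ({ISSTA}), Chicago, Illinois, USA},
  publisher = {ACM},
  pages     = {261--272},
  month     = jul,
  year      = {2009},
  abstract  = {A CPU emulator is a software that simulates a hardware
               CPU. Emulators are widely used by computer scientists for
               various kinds of activities (e.g., debugging, profiling, and
               malware analysis). Although no theoretical limitation
               prevents to develop an emulator that faithfully emulates a
               physical CPU, writing a fully featured emulator is a very
               challenging and error-prone task. Modern CISC architectures
               have a very rich instruction set, some instructions lack
               proper specifications, and others may have undefined effects
               in corner-cases. This paper presents a testing methodology
               specific for CPU emulators, based on fuzzing. The emulator is
               ``stressed'' with specially crafted test-cases, to verify
               whether the CPU is properly emulated or not. Improper
               behaviours of the emulator are detected by running the same
               test-case concurrently on the emulated and on the physical
               CPUs and by comparing the state of the two after the
               execution. Differences in the final state testify defects in
               the code of the emulator. We implemented this methodology in
               a prototype (codenamed \textsf{EmuFuzzer}), analysed four
               state-of-the-art IA-32 emulators (QEMU, Valgrind, Pin and
               BOCHS), and found several defects in each of them, some of
               which can prevent the proper execution of programs.},
  paper     = {http://portal.acm.org/ft_gateway.cfm?id=1572303&type=pdf&coll=PORTAL&dl=ACM&CFID=46553390&CFTOKEN=27637410},
  slides    = {EmuFuzzer.pdf},
}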
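@inproceedings{omniunpack,
  author    = {Martignoni, Lorenzo and Christodorescu, Mihai and Jha, Somesh},
  title     = {{OmniUnpack}: Fast, Generic, and Safe Unpacking of Malware},
  booktitle = {Proceedings of the 23rd Annual Computer Security Applications
               Conference ({ACSAC}), Miami Beach, Florida, USA},
  publisher = {IEEE Computer Society},
  month     = dec,
  year      = {2007},
  abstract  = {Malicious software (or malware) has become a growing threat
               as malware writers have learned that signature-based
               detectors can be easily evaded by ``packing'' the malicious
               payload in layers of compression or
               encryption. State-of-the-art malware detectors have adopted
               both static and dynamic techniques to recover the payload of
               packed malware, but unfortunately such techniques are highly
               ineffective. In this paper we propose a new technique, called
               OmniUnpack, to monitor the execution of a program in
               real-time and to detect when the program has removed the
               various layers of packing. OmniUnpack aids malware detection
               by directly providing to the detector the unpacked malicious
               payload. Experimental results demonstrate the effectiveness
               of our approach. OmniUnpack is able to deal with both known
               and unknown packing algorithms and introduces a low overhead
               (at most 11\% for packed benign programs).},
  paper     = {http://www.acsa-admin.org/2007/papers/151.pdf},
  slides    = {OmniUnpack.pdf},
}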
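@inproceedings{raid08,
  author    = {Martignoni, Lorenzo and Stinson, Elizabeth and Fredrikson, Matt
               and Jha, Somesh and Mitchell, John C.},
  title     = {A Layered Architecture for Detecting Malicious Behaviors},
  booktitle = {Proceedings of the International Symposium on Recent Advances
               in Intrusion Detection ({RAID}), Cambridge, Massachusetts,
               USA},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  month     = sep,
  year      = {2008},
  abstract  = {We address the \textit{semantic gap} problem in behavioral
               monitoring by using hierarchical behavior graphs to infer
               high-level behaviors from myriad low-level events that could
               be parts of many different kinds of behavior. Our
               experimental system traces the execution of a process,
               performing data-flow analysis to identify meaningful actions
               such as ``proxying'', ``keystroke logging'', ``data
               leaking'', and ``downloading and executing a program'' from
               complex combinations of rudimentary system calls. To
               preemptively address evasive malware behavior, our
               specifications are carefully crafted to detect alternate
               sequences of events that achieve the same high-level goal. We
               tested seven malicious bots and eleven benign programs and
               found that we were able to thoroughly identify high-level
               behaviors across this diverse code base. Moreover, we were
               able to distinguish malicious execution of high-level
               behaviors from benign by distinguishing remotely-initiated
               from locally-initiated actions.},
  paper     = {http://www.springerlink.com/content/f0717078102g3747/fulltext.pdf},
  slides    = {raid2008.pdf},
}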
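@inproceedings{saratoga,
  author    = {Fresi Roglia, Giampaolo and Martignoni, Lorenzo and Paleari,
               Roberto and Bruschi, Danilo},
  title     = {Surgically Returning to Randomized {lib(c)}},
  booktitle = {Proceedings of the 25th Annual Computer Security Applications
               Conference ({ACSAC}), Honolulu, Hawaii, USA},
  publisher = {IEEE Computer Society},
  pages     = {60--69},
  month     = dec,
  year      = {2009},
  abstract  = {To strengthen systems against code injection attacks, the
               write or execute only policy (W^X) and address space layout
               randomization (ASLR) are typically used in combination. The
               former separates data and code, while the latter randomizes
               the layout of a process. In this paper we present a new
               attack to bypass W^X and ASLR. The state-of-art attack
               against this combination of protections is based on
               brute-force, while ours is based on the leakage of sensitive
               information about the memory layout of the process. Using our
               attack an attacker can exploit the large majority of programs
               vulnerable to stack-based buffer overflows \emph{surgically},
               i.e., in just a single shot. We have estimated that our
               attack is feasible on 95.6\% and 61.8\% executables (of
               medium size) for Intel x86 and x86-64 architectures
               respectively. We also analyze the effectiveness at preventing
               our attack of other existing protections, that can be
               combined with W^X and ASLR. We conclude that position
               independent executables (PIE) are essential to complement
               ASLR and to prevent our attack. However, PIE requires
               recompilation, it is not adopted even when supported, and it
               is not available on all ASLR-capable operating systems. To
               overcome these limitations, we propose a new protection that
               is as effective as PIE, does not require recompilation, and
               introduces only a minimal overhead (about 2.69\% with respect
               to the unprotected execution).},
  paper     = {http://www.acsac.org/2009/openconf/modules/request.php?module=oc_proceedings&action=view.php&a=Accept&id=243},
}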
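@inproceedings{smartfuzz,
  author    = {Lanzi, Andrea and Martignoni, Lorenzo and Monga, Mattia and
               Paleari, Roberto},
  title     = {A Smart Fuzzer for {x86} Executables},
  booktitle = {Proceedings of the 3rd International Workshop on Software
               Engineering for Secure Systems ({SESS}), Minneapolis, MN,
               USA},
  publisher = {ACM},
  month     = may,
  year      = {2007},
  abstract  = {The automatic identification of security-relevant flaws in
               binary executables is still a young but promising research
               area. In this paper, we describe a new approach for the
               identification of vulnerabilities in object code we called
               \textit{smart fuzzing}. While conventional fuzzing uses
               random input to discover crash conditions, smart fuzzing
               restricts the input space by using a preliminary static
               analysis of the program, then refined by monitoring each
               execution. In other words, the search is driven by a mix of
               static and dynamic analysis in order to lead the execution
               path to selected corner cases that are the most likely to
               expose vulnerabilities, thus improving the effectiveness of
               fuzzing as a means for finding security breaches in black-box
               programs.},
  paper     = {sess07.pdf},
}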
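@article{sp07,
  author    = {Bruschi, Danilo and Martignoni, Lorenzo and Monga, Mattia},
  title     = {Code Normalization for Self-Mutating Malware},
  journal   = {{IEEE} Security \& Privacy},
  volume    = {5},
  number    = {2},
  pages     = {46--54},
  publisher = {IEEE Computer Society},
  month     = may,
  year      = {2007},
  abstract  = {Next-generation malware will adopt self-mutation to
               circumvent current malware detection techniques. The authors
               propose a strategy based on code normalization that reduces
               different instances of the same malware into a common form
               that can enable accurate detection.},
  paper     = {http://doi.ieeecomputersociety.org/10.1109/MSP.2007.31},
}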
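@techreport{tr0806,
  author      = {Bruschi, Danilo and Martignoni, Lorenzo and Monga, Mattia},
  title       = {Using Code Normalization for Fighting Self-Mutating
                 Malware},
  institution = {Dipartimento di Informatica e Comunicazione -- Universit{\`a}
                 degli Studi di Milano},
  number      = {08-06},
  month       = mar,
  year        = {2006},
  abstract    = {Self mutating malware has been introduced by computer virus
                 writers who, in '90s, started to write polymorphic and
                 metamorphic viruses in order to defeat anti-virus
                 products. In this paper we present a novel approach for
                 dealing with self mutating code which could represent the
                 basis for a new detection strategy for this type of
                 malware. A tool prototype has been implemented in order to
                 validate the idea and the results are quite encouraging, and
                 indicate that it could represent a new strategy for detecting
                 this kind of malware.},
  paper       = {rt0806.pdf},
}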
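@techreport{tr0906,
  author      = {Bruschi, Danilo and Martignoni, Lorenzo and Monga, Mattia},
  title       = {Detecting Self-Mutating Malware Using Control Flow Graph
                 Matching},
  institution = {Dipartimento di Informatica e Comunicazione -- Universit{\`a}
                 degli Studi di Milano},
  number      = {09-06},
  month       = mar,
  year        = {2006},
  abstract    = {Next generation malware will be characterized by the
                 intense use of polymorphic and metamorphic techniques aimed
                 at circumventing the current malware detectors, based on
                 pattern matching. In order to deal with this new kind of
                 threat, novel techniques have to be devised for the
                 realization of malware detectors. Recent papers started to
                 address such an issue and this paper represents a further
                 contribution in such a field. More precisely in this paper we
                 propose a strategy for the detection of metamorphic malicious
                 code inside a program $P$ based on the comparison of the
                 control flow graphs of $P$ against the set of control flow
                 graphs of known malware. We also provide experimental data
                 supporting the validity of our strategy.},
  paper       = {rt0906.pdf},
}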
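@inproceedings{woot09,
  author    = {Paleari, Roberto and Martignoni, Lorenzo and Fresi Roglia,
               Giampaolo and Bruschi, Danilo},
  title     = {A Fistful of Red-Pills: How to Automatically Generate
               Procedures to Detect {CPU} Emulators},
  booktitle = {Proceedings of the 3rd {USENIX} Workshop on Offensive
               Technologies ({WOOT}), Montreal, Canada},
  publisher = {ACM},
  month     = aug,
  year      = {2009},
  abstract  = {Malware includes several protections to complicate their
               analysis: the longer it takes to analyze a new malware
               sample, the longer the sample survives and the larger number
               of systems it compromises. Nowadays, new malware samples are
               analyzed dynamically using virtual environments (e.g.,
               emulators, virtual machines, or debuggers). Therefore,
               malware incorporate a variety of tests to detect whether they
               are executed through such environments and obfuscate their
               behavior if they suspect their execution is being
               monitored. Several simple tests, we indistinctly call
               \emph{red-pills}, have already been proposed in literature to
               detect whether the execution of a program is performed in a
               real or in a virtual environment. In this paper we propose an
               automatic and systematic technique to generate red-pills,
               specific for detecting if a program is executed through a CPU
               emulator. Using this technique we generated \emph{thousands
               of new red-pills}, involving \emph{hundreds of different
               opcodes}, for two publicly available emulators, which are
               widely used for analyzing malware.},
  paper     = {http://www.usenix.org/event/woot09/tech/full_papers/paleari.pdf},
  slides    = {RedPills.pdf},
}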
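@inproceedings{iciss09,
  author    = {Martignoni, Lorenzo and Paleari, Roberto and Bruschi, Danilo},
  title     = {A Framework for Behavior-Based Malware Analysis in the Cloud},
  booktitle = {Proceedings of the 5th International Conference on Information
               Systems Security ({ICISS} 2009)},
  publisher = {Springer},
  pages     = {178--192},
  month     = dec,
  year      = {2009},
  abstract  = {To ease the analysis of potentially malicious programs, dynamic
               behavior-based techniques have been proposed in the
               literature. Unfortunately, these techniques often give
               incomplete results because the execution environments in
               which they are performed are synthetic and do not faithfully
               resemble the environments of end-users, the intended targets
               of the malicious activities. In this paper, we present a new
               framework for improving behavior-based analysis of suspicious
               programs, that allows an end-user to delegate security labs,
               \emph{the cloud}, the execution and the analysis of a program
               and to force the program to behave as if it were executed
               directly in the environment of the former. The evaluation
               demonstrated that the proposed framework allows security labs
               to improve the completeness of the analysis, by analyzing a
               piece of malware on behalf of multiple end-users
               simultaneously, while performing a fine-grained analysis of
               the behavior of the program with no computational cost for
               the end-users.},
  paper     = {http://www.springerlink.com/content/m2u404473702m636/fulltext.pdf},
  slides    = {SyscallProxying.pdf},
}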