--[ Davide Balzarotti ]--[ Publications ]--[ Info ]

P. McDaniel, M. Blaze, G. Vigna, et al.
"EVEREST: Evaluation and Validation of Election-Related Equipment, Standards and Testing"

BIBTEX:
@Misc{mcdaniel07_voting,
  author =	 {P. McDaniel and M. Blaze and G. Vigna and others},
  title =	 {{EVEREST: Evaluation and Validation of Election-Related Equipment, Standards and Testing}},
  howpublished = {Ohio Secretary of State's EVEREST Project Report},
  month =	 {December},
  year =	 2007
}


G. Vigna, R. Kemmerer, D. Balzarotti, G. Banks, M. Cova, V. Felmetsger, W. Robertson, and F. Valeur
"Security Evaluation of the Sequoia Voting System"

BIBTEX:
@Misc{vigna07_sequoia,
  author =	 {G. Vigna and R. Kemmerer and D. Balzarotti and G. Banks and M. Cova and V. Felmetsger and W. Robertson and F. Valeur},
  title =	 {{Security Evaluation of the Sequoia Voting System}},
  howpublished = {Top-To-Bottom Review of the California Voting Machines},
  month =	 {July},
  year =	 2007
}


C. Kruegel, D. Balzarotti, W. Robertson, G. Vigna
"Improving Signature Testing Through Dynamic Data Flow Analysis"

BIBTEX:
@InProceedings{kruegel07:sigtest,
  author = {C. Kruegel and D. Balzarotti and W. Robertson and G. Vigna},
  title = {{Improving Signature Testing Through Dynamic Data Flow Analysis}},
  booktitle = {{Proceedings of the Annual Computer Security Applications Conference (ACSAC)}},
  address = {Miami, FL},
  month = {December},
  year = 2007,
}


D. Balzarotti, M. Cova, V. Felmetsger, G. Vigna
"Multi-Module Vulnerability Analysis of Web-based Applications"

ABSTRACT:
In recent years, web applications have become tremendously popular, and nowadays they are routinely used in security-critical environments, such as medical, financial, and military systems. As the use of web applications for critical services has increased, the number and sophistication of attacks against these applications have grown as well. Current approaches to securing web applications focus either on detecting and blocking web-based attacks using application-level firewalls, or on using vulnerability analysis techniques to identify security problems before deployment. The vulnerability analysis of web applications is made difficult by a number of factors, such as the use of scripting languages, the structuring of the application logic into separate pages and code modules, and the interaction with back-end databases. So far, approaches to web application vulnerability analysis have focused on single application modules to identify insecure uses of information provided as input to the application. Unfortunately, these approaches are limited in scope, and, therefore, they cannot detect multi-step attacks that exploit the interaction among multiple modules of an application. We have developed a novel vulnerability analysis approach that characterizes both the extended state and the intended workflow of a web application. By doing this, our analysis approach is able to take into account inter-module relationships as well as the interaction of an application's modules with back-end databases. As a result, our vulnerability analysis technique is able to identify sophisticated multi-step attacks against the application's workflow that were not addressed by previous approaches. We implemented our technique in a prototype tool, called MiMoSA, and tested it on several applications, identifying both known and new vulnerabilities.
BIBTEX:
@InProceedings{balzarotti07:mimosa,
  author         = {D. Balzarotti and M. Cova and V. Felmetsger and G. Vigna},
  title          = {Multi-Module Vulnerability Analysis of Web-based Applications},
  booktitle      = {Proceedings of the ACM Conference on Computer and Communication Security (ACM CCS)},
  year           = 2007,
  address        = {Alexandria, VA},
  month          = {October},
}


M. Cova, D. Balzarotti, V. Felmetsger, G. Vigna
"Swaddler: An Approach for the Anomaly-based Detection of State Violations in Web Applications"

ABSTRACT:
In recent years, web applications have become tremendously popular, and nowadays they are routinely used in security-critical environments, such as medical, financial, and military systems. As the use of web applications for critical services has increased, the number and sophistication of attacks against these applications have grown as well. Most approaches to the detection of web-based attacks analyze the interaction of a web application with its clients and back-end servers. Even though these approaches can effectively detect and block a number of attacks, there are attacks that cannot be detected only by looking at the external behavior of a web application. In this paper, we present Swaddler, a novel approach to the anomaly-based detection of attacks against web applications. Swaddler analyzes the internal state of a web application and learns the relationships between the application's critical execution points and the application's internal state. By doing this, Swaddler is able to identify attacks that attempt to bring an application into an inconsistent, anomalous state, such as violations of the intended workflow of a web application. We developed a prototype of our approach for the PHP language and we evaluated it with respect to several real-world applications.
BIBTEX:


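The state-violation idea behind the MiMoSA abstract above and the Swaddler abstract here, shown as an added example that is not code from either paper or prototype: a hypothetical three-module shop shares one session dict, a profile of the session keys and integer value ranges seen at each module's entry and exit execution points is learned from constructed benign traffic, and requests whose state deviates from that profile are flagged. Python stands in for the PHP the Swaddler prototype targets; the modules, the training traffic and the two attack sessions are all constructed here.

```python
from collections import defaultdict

# --- Constructed toy application: three modules sharing one session dict ---
# (hypothetical shop, not code from the Swaddler or MiMoSA papers)

def login(session, params):
    session["user"] = params["user"]
    return "logged in"

def add_to_cart(session, params):
    if "user" not in session:
        return "redirect:login"
    session.setdefault("cart", []).append(params["item"])
    session["total"] = 10 * len(session["cart"])  # constructed fixed unit price
    return "added"

def checkout(session, params):
    if "user" not in session:
        return "redirect:login"
    # Deliberately weak: never checks that add_to_cart ran and trusts a
    # client-supplied amount, so the intended login -> cart -> checkout
    # workflow can be skipped or the price tampered with.
    session["paid"] = int(params.get("amount", session.get("total", 0)))
    return "paid"

MODULES = {"login": login, "add_to_cart": add_to_cart, "checkout": checkout}


class StateProfile:
    """Per execution point (module entry/exit): the sets of session keys
    observed and the numeric range seen for each integer-valued key."""

    def __init__(self):
        self.keysets = defaultdict(set)   # point -> {frozenset(keys), ...}
        self.ranges = defaultdict(dict)   # point -> key -> (lo, hi)

    def learn(self, point, session):
        self.keysets[point].add(frozenset(session))
        for key, value in session.items():
            if isinstance(value, int):
                lo, hi = self.ranges[point].get(key, (value, value))
                self.ranges[point][key] = (min(lo, value), max(hi, value))

    def check(self, point, session):
        """Return a list of anomaly descriptions (empty if the state is normal)."""
        if point not in self.keysets:
            return ["%s: execution point never seen in training" % point]
        anomalies = []
        if frozenset(session) not in self.keysets[point]:
            expected = set().union(*self.keysets[point])
            anomalies.append("%s: unexpected key set, missing=%s extra=%s" % (
                point, sorted(expected - set(session)), sorted(set(session) - expected)))
        for key, (lo, hi) in self.ranges[point].items():
            value = session.get(key)
            if isinstance(value, int) and not lo <= value <= hi:
                anomalies.append("%s: %s=%d outside learned range [%d, %d]"
                                 % (point, key, value, lo, hi))
        return anomalies


def run_request(profile, session, module, params, training=False):
    """Instrumented module call: record (training) or check (detection) the
    session state at the module's entry and exit execution points."""
    anomalies = []
    if training:
        profile.learn(module + ":enter", session)
    else:
        anomalies += profile.check(module + ":enter", session)
    MODULES[module](session, params)
    if training:
        profile.learn(module + ":exit", session)
    else:
        anomalies += profile.check(module + ":exit", session)
    return anomalies


def replay(profile, steps, training=False):
    """Run a list of (module, params) requests against a fresh session."""
    session, anomalies = {}, []
    for module, params in steps:
        anomalies += run_request(profile, session, module, params, training)
    return anomalies


def build_profile():
    """Training phase: constructed benign checkouts with one to three items."""
    profile = StateProfile()
    for n in (1, 2, 3):
        steps = [("login", {"user": "alice"})]
        steps += [("add_to_cart", {"item": "book%d" % i}) for i in range(n)]
        steps.append(("checkout", {}))
        replay(profile, steps, training=True)
    return profile


# Constructed detection-phase traffic
BENIGN = [("login", {"user": "bob"}), ("add_to_cart", {"item": "pen"}),
          ("add_to_cart", {"item": "ink"}), ("checkout", {})]
WORKFLOW_SKIP = [("login", {"user": "mallory"}), ("checkout", {"amount": 0})]  # cart step skipped
PRICE_TAMPER = [("login", {"user": "mallory"}), ("add_to_cart", {"item": "pen"}),
                ("checkout", {"amount": 1})]                                  # pays 1 instead of 10

if __name__ == "__main__":
    profile = build_profile()
    for name, steps in (("benign", BENIGN), ("workflow skip", WORKFLOW_SKIP),
                        ("price tamper", PRICE_TAMPER)):
        print(name, replay(profile, steps) or "no anomalies")
```

The workflow skip is caught at checkout's entry point (no cart or total in the session) and again at its exit, while the price tampering leaves the key set intact and is only caught by the learned range of paid at the exit point; neither is visible in the HTTP traffic alone, which is the limitation of request-level detection the abstract describes.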

M. Van Gundy, D. Balzarotti, G. Vigna
"Catch Me, If You Can: Evading Network Signatures with Web-based Polymorphic Worms"

ABSTRACT:
Polymorphic worms are self-replicating malware that change their representation as they spread throughout networks in order to evade worm detection systems. A number of approaches to detect polymorphic worms have been proposed. These approaches use samples of a polymorphic worm (and of benign traffic as well) to derive a signature that can detect all instances of the worm without producing excessive false positives. Even though these systems claim to be able to generate signatures for any type of worm, all the examples that are used to show the ability to detect polymorphic worms are based on exploits that target memory corruption vulnerabilities. In this paper, we show how a different class of worms, namely those based on web vulnerabilities and scripting languages, can be much harder to detect than "traditional" polymorphic worms. We developed a polymorphic engine for PHP code and we tested the ability of state-of-the-art tools to detect this type of worm. The results of our experiments show that a PHP-based polymorphic worm would be able to successfully evade existing signature generation systems.
BIBTEX:



Davide Balzarotti, Paolo Costa, Gian Pietro Picco
"The LighTS Tuple Space Framework and its Customization for Context-Aware Applications"

ABSTRACT:
Our experience with using the tuple space abstraction in context-aware applications evidenced that the traditional Linda matching semantics based on value equality are not appropriate for this domain, where queries often require the ability to match on value ranges, deal with uncertainty, and perform data aggregation. Originally developed as the core tuple space layer for the LIME middleware, LIGHTS provides a flexible framework that makes it easy to extend the tuple space in many ways, including changing the back-end implementation, redefining the matching semantics, and providing new constructs. In this paper, we describe the design and programming interface of LIGHTS, and show how its flexible architecture can be easily extended to define novel constructs supporting the development of context-aware applications.
BIBTEX:
@Article{balzarotti07:lights,
  author    = {Davide Balzarotti and Paolo Costa and Gian Pietro Picco},
  title     = {The LighTS Tuple Space Framework and its Customization for
               Context-Aware Applications},
  journal   = {International Journal on Web Intelligence and Agent Systems (WAIS)},
  Volume    = 5,
  Number    = 2,
  Pages     = {215--231},
  year      = 2007,
}



Davide Balzarotti, Carlo Ghezzi, Mattia Monga
"Supporting cooperative software processes in a decentralized and nomadic world"

ABSTRACT:
Recent advances in wireless networks enable decentralized cooperative and nomadic work scenarios where mobile users can interact in performing some tasks without being permanently online. Scenarios where connectivity is transient and the network topology may change dynamically are considered. Connectivity among nodes does not require the support offered by a permanent infrastructure but may rely on ad hoc networking facilities. In this paper, a scenario in which a nomadic group of software engineers cooperate in developing an application is investigated. The proposed solution, however, is not software process specific but holds for other cases where shared documents are developed cooperatively by a number of interacting nomadic partners. Support tools for these groups are normally based on a client-server architecture, which appears to be unsuitable in highly dynamic environments. Peer-to-peer solutions, which do not rely on services provided by centralized servers, look more promising. This paper presents a fully decentralized cooperative infrastructure centered around peer-to-peer versioning system (PeerVerSy), a configuration management tool based on a peer-to-peer architecture, which supports cooperative services even when some of the collaborating nodes are offline. Some preliminary experiences gained from its use in a teaching environment are also discussed.
BIBTEX:
@Article{balzarotti06:tsmca,
  Author         = {Davide Balzarotti and Carlo Ghezzi and Mattia Monga},
  Title          = {Supporting cooperative software processes in a
                   decentralized and nomadic world},
  Journal        = {IEEE Transactions on Systems, Man, and Cybernetics--
                   Part A: Systems and Humans},
  Volume         = 36,
  Number         = 6,
  Pages          = {1098--1109},
  doi            = {http://doi.ieeecomputersociety.org/10.1109/TSMCA.2006.883165},
  issn           = {1083-4427},
  month          = nov,
  year           = 2006
}


Davide Balzarotti
"Testing Network Intrusion Detection Systems"

ABSTRACT:
Intrusion detection systems (IDSs) are tools designed to detect the evidence of computer intrusions. IDSs usually rely on models of attacks (called signatures) to identify the manifestation of intrusive behavior. The quality of these models is directly correlated to the system's ability to identify all instances of a certain attack without making mistakes. Unfortunately, writing good signatures is hard, and, in the past, a number of evaluations pointed out the poor quality of signatures used in both open-source and commercial systems. If the models used in intrusion detection were known, it would be possible to examine them to identify possible "blind spots" that could be exploited by an attacker to perform an attack while avoiding detection. Unfortunately, commercial systems do not provide access to the signatures they use to detect intrusions. Moreover, even in the cases when detection models are available, it is extremely time-consuming to devise testing procedures that analyze the models and identify blind spots. This dissertation proposes a novel black-box technique to test and evaluate misuse detection models in the case of network-based intrusion detection systems. The testing methodology is based on an automated mechanism to generate a large number of test cases by applying mutant operators to an attack template. Each operator implements a transformation function that is able to change the attack manifestation while preserving its functionality. The lack of knowledge about the signature internal details forces the mutation process to be performed blindly. Typically, this implies that all possible combinations of available transformations must be generated, thus reducing the effectiveness of the whole testing process. To avoid this problem, we improved our technique to automatically select a subset of the available mutants based on information gathered by analyzing the dynamic behavior of the intrusion detection system under test. 
The idea consists in applying data flow analysis techniques to the intrusion detection system binary to automatically identify which parts of a network stream are used to detect an attack and what tests are performed on such data. This information is then used to drive a mutation engine so that it can focus on modifying the most detection-critical parts of an attack. Our testing technique was used as a basis to develop an automated testing tool named Sploit which was able to spot a substantial number of weaknesses in the signatures of three well-known intrusion detection systems.
BIBTEX:
@PhdThesis{balzarot06:thesis,
  author = {D. Balzarotti},
  title  = {{Testing Network Intrusion Detection Systems}},
  school = {Politecnico di Milano},
  year   = 2006
}


Davide Balzarotti, Mattia Monga, Sabrina Sicari
"Assessing the risk of using vulnerable components"

ABSTRACT:
This paper discusses how information about the architecture and the vulnerabilities affecting a distributed system can be used to quantitatively assess the risk to which the system is exposed. Our approach to risk evaluation can be used to assess how much one should believe in system trustworthiness and to compare different solutions, providing a tool for deciding if the additional cost of a more secure component is worth affording.
BIBTEX:
@InProceedings{balzarotti06:risk,
  author    = {Davide Balzarotti and Mattia Monga and Sabrina Sicari},
  title     = {Assessing the risk of using vulnerable components},
  booktitle = {Quality of Protection: Security Measurements and Metrics},
  year      = 2006,
  editor    = {Dieter Gollmann and Fabio Massacci and Artsiom Yautsiukhin},
  publisher = {Springer},
  series    = {Advances in Information Security},
  pages     = {65--78},
  isbn      = {0-387-29016-8},
}


Davide Balzarotti, Antonio Castaldo D'Ursi, Luca Cavallaro, Mattia Monga
"Slicing AspectJ Woven Code"

ABSTRACT:
The AspectJ programming language allows for the expression, in a compact way, of computations that affect several points in a program (join points), even without knowing where these points exactly are. This is claimed to ease the separation of cross-cutting code. However, it is not clear how real the separation is. In fact it might be difficult to figure out the behavior of the whole system. In order to analyze how an aspect affects the system, one has to consider the slices of the system affected by aspectual computations. However, the expressive power of AspectJ constructs makes it difficult to implement slicing algorithms that are both precise and produce useful, i.e., small enough, slices. In this paper we describe our approach to slice AspectJ programs, based on the analysis of the woven code.
BIBTEX:
@InProceedings{monga05:slicing,
  Author         = {Davide Balzarotti and Antonio Castaldo D'Ursi and 
                    Luca Cavallaro and Mattia Monga},
  Title          = {Slicing {AspectJ} Woven Code},
  BookTitle      = {Proceedings of the Foundations of Aspect-Oriented
                   Languages workshop ({FOAL2005})},
  Address        = {Chicago, IL (USA)},
  file           = {foal05.pdf},
  month          = mar,
  year           = 2005,
}



Gian Pietro Picco, Davide Balzarotti, Paolo Costa
"LighTS: A Lightweight, Customizable Tuple Space Supporting Context-Aware Applications"

ABSTRACT:
The tuple space model inspired by Linda has recently been rediscovered by distributed middleware. Moreover, some researchers also applied it in the challenging scenarios involving mobility and more specifically context-aware computing. Context information can be stored in the tuple space, and queried like any other data. Nevertheless, it turns out that conventional tuple space implementations fall short of expectations in this new domain. On one hand, many of the available systems provide a wealth of features, which make the resulting implementation unnecessarily bloated and incompatible with the tight resource constraints typical of this field. Moreover, the traditional Linda matching semantics based on value equality are not appropriate for context-aware computing, where queries are often formulated over value ranges, and where there is a prominent need to deal with imprecise information coming from multiple sources. In this paper, we describe a new tuple space implementation called LighTS. Originally developed as the tuple space core of the Lime system, LighTS provides an extensible framework that makes it easy to introduce extensions to the tuple space, and in general customize the tuple space implementation. The design and programming interface of LighTS is presented, and its flexibility demonstrated by illustrating extensions that proved useful in the development of context-aware applications.
BIBTEX:
@InProceedings{picco05:lights,
  author    =    {Gian Pietro Picco and Davide Balzarotti and Paolo Costa},
  title     =    {{{\sc LighTS}: A Lightweight, Customizable Tuple Space
                   Supporting Context-Aware Applications}},
  booktitle =    {Proceedings of the 20$^{th}$ ACM Symposium on Applied Computing (SAC05)},
  pages     =    {1134--1140},
  year      =    2005,
  address   =    {Santa Fe (New Mexico, USA)},
  month     =    mar,
  publisher =    {ACM Press},
}



G. Vigna, W. Robertson, D. Balzarotti
"Testing Network-based Intrusion Detection Signatures Using Mutant Exploits"

ABSTRACT:
Misuse-based intrusion detection systems rely on models of attacks to identify the manifestation of intrusive behavior. Therefore, the ability of these systems to reliably detect attacks is strongly affected by the quality of their models, which are often called "signatures". A perfect model would be able to detect all the instances of an attack without making mistakes, that is, it would produce a 100% detection rate with 0 false alarms. Unfortunately, writing good models (or good signatures) is hard. Attacks that exploit a specific vulnerability may do so in completely different ways, and writing models that take into account all possible variations is very difficult. For this reason, it would be beneficial to have testing tools that are able to evaluate the "goodness" of detection signatures. This work describes a technique to test and evaluate misuse detection models in the case of network-based intrusion detection systems. The testing technique is based on a mechanism that generates a large number of variations of an exploit by applying mutant operators to an exploit template. These mutant exploits are then run against a victim host protected by a network-based intrusion detection system. The results of the systems in detecting these variations provide a quantitative basis for the evaluation of the quality of the corresponding detection model.
BIBTEX:
@InProceedings{vigna04:sploit,
  author         = {G. Vigna and W. Robertson and D. Balzarotti},
  title          = {Testing Network-based Intrusion Detection Signatures 
                    Using Mutant Exploits},
  booktitle      = {Proceedings of the ACM Conference on Computer and Communication Security (ACM CCS)},
  pages          = {21--30},
  year           = 2004,
  address        = {Washington, DC},
  month          = {October},
}
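The mutant-exploit technique this abstract and the dissertation abstract above describe, shown as an added example; it is not the Sploit tool or code from either paper. The CGI target, the four mutant operators (self-referencing directory, percent-encoding of path and query, an ignored leading parameter), the two signatures and the "ignored parameter" assumption behind the functionality oracle are all constructed here for illustration. It goes one step past the abstract by pairing each mutant with an oracle check, so that only variants that still reach the same decoded request count as valid test cases:

```python
import itertools
import urllib.parse

# Constructed attack template against a hypothetical CGI (not a real
# vulnerability): a command-injection style request the signature must catch.
TEMPLATE = "GET /cgi-bin/vuln.cgi?cmd=/bin/cat%20/etc/passwd HTTP/1.0\r\n\r\n"


def split_request(req):
    method, target, rest = req.split(" ", 2)
    path, _, query = target.partition("?")
    return method, path, query, rest


def join_request(method, path, query, rest):
    return "%s %s?%s %s" % (method, path, query, rest)


# --- Mutant operators: each rewrites the request without changing what the
# server ends up executing (assumed operators, not the papers' operator set) ---

def op_self_dir(req):
    """Insert a self-referencing directory: /cgi-bin/./vuln.cgi"""
    m, path, q, rest = split_request(req)
    head, _, last = path.rpartition("/")
    return join_request(m, head + "/./" + last, q, rest)


def op_encode_path(req):
    """Percent-encode every character of the last path segment."""
    m, path, q, rest = split_request(req)
    head, _, last = path.rpartition("/")
    return join_request(m, head + "/" + "".join("%%%02X" % ord(c) for c in last), q, rest)


def op_encode_query(req):
    """Percent-encode the whole query string except the '=' and '&' separators."""
    m, path, q, rest = split_request(req)
    encoded = "".join(c if c in "=&" else "%%%02X" % ord(c) for c in urllib.parse.unquote(q))
    return join_request(m, path, encoded, rest)


def op_junk_param(req):
    """Prepend a parameter the CGI ignores, shifting the payload's position."""
    m, path, q, rest = split_request(req)
    return join_request(m, path, "x=1&" + q, rest)


OPERATORS = [op_self_dir, op_encode_path, op_encode_query, op_junk_param]


def normalize_uri(req):
    """Decode what the server would decode: percent-escapes and '/./' segments."""
    m, path, q, rest = split_request(req)
    return m, urllib.parse.unquote(path).replace("/./", "/"), urllib.parse.unquote(q), rest


def canonicalize(req):
    """Functionality oracle: normalized request with the ignored parameter dropped
    (assumes the hypothetical CGI ignores the 'x' parameter)."""
    m, path, q, rest = normalize_uri(req)
    return m, path, "&".join(p for p in q.split("&") if not p.startswith("x=")), rest


def naive_signature(req):
    """Content-only rule: raw substring match on the wire bytes."""
    return "/cgi-bin/vuln.cgi" in req and "cmd=/bin/cat" in req


def normalizing_signature(req):
    """The same rule applied after URI decoding and path normalization."""
    return naive_signature(join_request(*normalize_uri(req)))


def generate_mutants(template, operators):
    """Blind, exhaustive strategy: every subset of operators, applied in order.
    A chain that no longer canonicalizes to the template is rejected, so every
    mutant returned is still a working attack."""
    mutants = {}
    for r in range(len(operators) + 1):
        for combo in itertools.combinations(operators, r):
            req = template
            for op in combo:
                req = op(req)
            if canonicalize(req) != canonicalize(template):
                raise ValueError("operator chain broke the attack: %r" % [op.__name__ for op in combo])
            mutants["+".join(op.__name__ for op in combo) or "identity"] = req
    return mutants


def evaluate(signature, mutants):
    """(detected, total, missed names); the misses are the signature's blind spots."""
    missed = [name for name, req in mutants.items() if not signature(req)]
    return len(mutants) - len(missed), len(mutants), missed


if __name__ == "__main__":
    mutants = generate_mutants(TEMPLATE, OPERATORS)
    for sig in (naive_signature, normalizing_signature):
        hit, total, missed = evaluate(sig, mutants)
        print("%s: %d/%d detected, missed: %s" % (sig.__name__, hit, total, missed))
```

The content-only rule catches 2 of the 16 variants (the template itself and the one with only the extra parameter), while the same patterns matched after decoding catch all 16; any mutant a signature misses is a blind spot an attacker can use, and the list of missed operator chains is what the testing process is meant to surface for the signature author.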



Davide Balzarotti, Mattia Monga
"Using Program Slicing to Analyze Aspect-Oriented Composition"

ABSTRACT:
AspectJ language was proposed to make cross-cutting concerns clearly identifiable with special linguistic constructs called aspects. In order to analyze the properties of an aspect one should consider the aspect itself and the part of the system it affects. This part is just a slice of the entire system and can be extracted by exploiting program slicing algorithms. However, the expressive power of AspectJ constructs forces slicers to take into account big portions of programs. We suggest that AspectJ should regulate more formally the interaction among code units, by defining some stricter boundaries around aspect influence, otherwise the separation turns out to be just syntactic sugar.
BIBTEX:
@InProceedings{balza04:aopslice,
  Author         = {Davide Balzarotti and Mattia Monga},
  Title          = {Using Program Slicing to Analyze Aspect-Oriented
                   Composition},
  BookTitle      = {Proceedings of Foundations of Aspect-Oriented
                   Languages Workshop at {AOSD} 2004},
  Editor         = {Curtis Clifton and Ralf Lammel and Gary T. Leavens},
  Pages          = {25--29},
  Address        = {Lancaster (UK)},
  Publisher      = {Iowa State University},
  file           = {foal2004.pdf},
  month          = mar,
  year           = 2004,
}



Davide Balzarotti, Carlo Ghezzi, Mattia Monga
"Supporting Configuration Management for Virtual Workgroups in a Peer-to-Peer Setting"

ABSTRACT:
In this paper we describe a configuration management tool suitable for the untethered scenarios typical in a mobile environment. The scenario envisions a number of homogeneous peers that are able to provide the same services, disconnect frequently from the net, and perform part of their work while disconnected. In these contexts the absence of a host is not the exceptional case, but rather the normal behavior. Thus, a traditional architecture based on a central repository exposes the system to failures when the server is unavailable. Instead, we build our system on a peer-to-peer middleware able to provide the abstraction of a global virtual data structure, i.e., a data structure composed of all the data actually connected in a given instant. Thanks to this, we can exploit the service provided by the network even if relevant hosts are disconnected.
BIBTEX:
@InProceedings{balzarotti02:seke,
  Author         = {Davide Balzarotti and Carlo Ghezzi and Mattia Monga},
  Title          = {Supporting Configuration Management for Virtual
                   Workgroups in a Peer-to-Peer Setting},
  BookTitle      = {Proceedings of International Conference on Software
                   Engineering and Knowledge Engineering},
  Address        = {Ischia, Italy},
  Organization   = {ACM},
  month          = jul,
  year           = 2002,
}



Davide Balzarotti, Carlo Ghezzi, Mattia Monga
"Freeing Cooperation From Servers Tyranny"

ABSTRACT:
This paper deals with computer supported cooperative work in the context of untethered scenarios typical of mobile environments. The scenario envisions a number of homogeneous peers that are able to provide the same services, disconnect frequently from the net, and perform part of their work while disconnected. The application we choose is Configuration Management (CM), a critical cooperative activity occurring in software development. We discuss an implementation of a configuration management tool in a peer-to-peer setting, evaluate our solution with respect to other systems, and draw conclusions for future development.
BIBTEX:
@InCollection{balzarotti02:p2p,
  Author         = {Davide Balzarotti and Carlo Ghezzi and Mattia Monga},
  Title          = {Freeing Cooperation From Servers Tyranny},
  BookTitle      = {Web Engineering and Peer-to-Peer Computing},
  Publisher      = {Springer-Verlag},
  Editor         = {Enrico Gregori and Ludmila Cherkasova and Gianpaolo
                   Cugola and Fabio Panzieri and Gian Pietro Picco},
  Volume         = 2376,
  Series         = {LNCS},
  Pages          = {235--246},
  year           = 2002,
}