Attack modeling. Among all the existing Attack models, Attack graphs represent a nice abstraction to capture the notion of multi-step attack i.e., an attack toward a specific target executed taking intermediate steps in which the attacker compromises several entireties and exploits their vulnerability to reach the target. Several attack graph representations exist in literature but they suffer the same limitation: they are poorly scalable and consider only vulnerability related to the underlying network infrastructure. We study how to improve the scalability of the attack graph generation process and how to enrich the attack graph with other types of information (e.g., application vulnerabilities, human vulnerabilities, etc.).
Representation models for binary code. The exponential growth of the internet of things and the related growth of firmware require automated techniques that could scale and analyze thousands of binaries in a short amount of time. The Cybersecurity group at DIAG has a keen interest in developing techniques to represent and analyze binaries using Deep Neural Networks. Specifically, it has an experience on the problem of binary similarity (recognize if two binaries share some similarities) and automated function naming (assign automatically meaningful names to snippets of binary code). These works are carried out in collaboration with companies and other universities.
Blockchain. Blockchain is an emerging paradigm that allows storing data in a fully decentralized system guaranteeing data integrity and transparency in the data flow. Actually, several technologies exist that allow users to develop and deploy his/her own blockchain. We are studying issues related to blockchain scalability (in terms of achieved performance) and security against external attacks.
Cyber-physical systems. Protection and preventive control of cyber-physical systems (including robots) via model-based control-theoretical approaches and machine learning approaches. Robust control and model predictive control are being utilized to safely operate complex systems, such as SCADA controlled Critical Infrastructures (e.g., Power Networks), in order to assure service resilience and operational efficiency. On a related research line, we study novel solutions for the protection of IoT devices from external malicious interactions based on the behavioral analysis of the attacker. Finally, we exploit machine learning (in particular, unsupervised or semi-supervised methods) to detect anomalies in complex cyber-physical systems, including robots interaction with people in public environments.
Analysis-Resistant Code. We develop methodologies and tools for both anticipating attackers and helping defenders, as in: program analyses for adversarial code showing anti-analysis techniques, code protection methods against reverse engineering attacks, identification of transparency flaws in popular program instrumentation systems, analysis of payloads encoded using weird-machine abstractions. We strive to build solutions that can meet the day-to-day needs of security professionals (for instance, we developed effective solutions for handling evasive malware that hides its true colors when executing in a controlled environment), and work on cutting-edge instrumentation systems (e.g., dynamic binary instrumentation, virtual machine introspection) and program encoding schemes (such as weird machine abstractions). Malware analysis and software protection are the two most prominent application domains for this strand of research.
Malware Analysis Support Tools. Understanding the behavior of malware requires a semiautomatic approach including complex software tools and human analysts in the loop. However, the huge number of malicious samples developed daily calls for some prioritization mechanism to carefully select the samples that really deserve to be further examined by analysts. This avoids computational resources be overloaded and human analysts saturated. We investigate a malware triage stage where samples are quickly and automatically examined to promptly decide whether they should be immediately dispatched to human analysts or to other specific automatic analysis queues, rather than following the common and slow analysis pipeline.
Privacy Preserving Applications. Private computing provides a clever way to process data without revealing any details about the data itself to the party in charge of processing it. Data protection can be achieved by encrypting the signals and processing them in encrypted form. Possible applications of this approach are virtually endless. Among them, we explore privacy-preserving biometric matching, biomedical signal processing, private sensor fusion in IoT swarms, and private sample analysis for malware identification.
Code Reuse Attacks and Defenses. Code reuse attacks are exploits in which an attacker can execute arbitrary code on a compromised machine without having to inject any instruction in memory, as they achieve the intended behavior by joining fragments of code belonging to a legit software component already present in memory. Return oriented programming (ROP) attacks are the most common form of such attacks. We have been building a collection of ROP exploits of increasing complexity to foster their study in the research community; we also developed a tool for inspecting and analyzing how a ROP attack takes place, which can sometimes be a cumbersome task even for security professionals due to the entanglements of ROP code, and frequently a disheartening one for researchers. We are exploring how to ameliorate the overheads of existing system defenses against code reuse attacks by leveraging monitoring primitives available in the most recent families of processors, as performance is a key factor for their adoption.
Side Channels. Protecting the confidentiality of security-sensitive information in modern computer systems is a requirement more and more challenging to satisfy in the face of increasingly sophisticated microarchitectural side-channel attacks. These attacks allow adversaries to leak information from victim execution by observing changes in the microarchitectural state, typically via timing measurements. We study automatic hardening transformations for software victims such as cryptography libraries subject to timing leaks, and investigate attacks for hardware victims as it is the case with popular transient execution attacks.
Swarm Attestation. Remote attestation protocols are widely used to detect device configuration (e.g., software and/or data) compromise in Internet of Things (IoT) scenarios. Unfortunately, the performances of such protocols are unsatisfactory when dealing with thousands of smart devices. Upon the recent concept of noninteractive attestation, we are approaching the collective attestation problem by reducing it into a minimum consensus one and the results confirm the suitability of such a solution for low-end devices, and highly unstructured networks.
Symbolic execution. In recent years symbolic execution has drawn considerable attention from academic and industrial researchers, with notable applications to, e.g., software testing, program verification, and security. We authored a survey of symbolic execution techniques, reviewing the state of the art in the design, implementation, and open research problems in the area, with particular attention to cybersecurity aspects. We have been researching in memory modeling problems for symbolic executors, proposing a model that can accurately capture pointer dereferencing operations, which are critical for instance in the detection of vulnerabilities (such as use-after-free and heap overflow) and in turn for their exploitation. We also explored how symbolic execution can help reconstruct the protocol used in Remote Access Trojans, which are weapons used by cybercriminals to control infected endpoints. Finally, we have explored how to effectively run in parallel a symbolic executor and a coverage-guided fuzzer in a hybrid setup in order to find bugs and vulnerabilities in real-world programs.
Visual analytics for cybersecurity. Visual Analytics is the science of analytical reasoning facilitated by visual interactive interfaces. In the cyber-security domain it allows the human to manipulate and manage large quantities of data through powerful visual abstractions, supporting heterogeneous analysis tasks like monitoring, proactive and reactive analysis, what-if analysis and prediction. The support is at different levels, ranging from strategic decision processes down to active cyber-attacks countermeasures. We are actively studying novel visual analytics solutions for cybersecurity, focused on supporting proactive analysis of cyber-risk status for complex networks, real-time response to cyber attacks, effective explanation of learning process for malware classifiers, cybersecurity policy assessment and specification through standard frameworks (e.g. NIST cyber-security framework). Solutions regarding improving situational awareness of cyber-security operators under stressful situations and support to digital forensics activities are currently under development.
Multimedia forensics and security. Multimedia forensics aims to introduce novel methodologies to support clue analysis and to provide an aid for making a decision about sophisticated crimes and terrorist threats by looking at multimedia content as an investigated material. In all cases (e.g., forensic investigations, fake news debunking, information warfare, and cyberattacks) where images and videos serve as critical demonstrative evidence, forensic technologies that help to determine the origin, authenticity of sources, and integrity of multimedia content can become essential tools. For this reason, we are developing technological instruments for verifying image and video origin and authenticity; proposing techniques that basically allow the user to identify forgeries in multimedia objects, distinguishing among deepfake/pristine content and to infer the origin of a digital content at acquisition device and social media level.
The cybersecurity group members are also strongly involved in the activities of the Research Center of Cyber Intelligence and Information Security (CIS). CIS does leadership applied research in the context of cyber security, information assurance, critical information infrastructure protection, trend prediction, open-source intelligence, cyber physical systems and smart complex systems. Advanced capabilities in cyber intelligence will be indeed essential in the next years due to the pervasiveness of cloud, social computing and mobility technologies, that lower the control that organizations and governments have over systems, infrastructure and data. CIS aims at designing better information security methodologies, threat profiles and at elaborating defense strategies taking into account the economic and legal impact in a unique framework. Research results are applied to real world contexts such as cyberwarfare, fraud detection, stock market stability, detection of tax evasion, monitoring of mission-critical systems, early warning systems, and smart environments.