Intimate knowledge of low-level details enables adversaries to infiltrate and abuse whole systems with ever more sophisticated attacks. As defenders, it is essential that we match that knowledge with comparable expertise so that we can protect against those attacks.

By thinking like adversaries and carrying out our own exploit development, we are able to stay one step ahead and develop defences against new attacks before they are discovered and exploited by bad actors.

On the other side of the same coin, new techniques in vulnerability discovery and analysis can prevent bugs and secure existing systems to mitigate potential attack vectors. To do so at a large scale, we can make use of automated techniques such as program analysis which allow for systematic, repeatable software assessments.

As one of our core research streams, this area heavily informs our other efforts, providing a toolkit of widely useful techniques such as code obfuscation, automated software transplantation, and binary analysis.

Related Publications

Jigsaw Puzzle: Selective Backdoor Attack to Subvert Malware Classifiers
Limin Yang, Zhi Chen, Jacopo Cortellazzi, Feargus Pendlebury, Kevin Tu, Fabio Pierazzi, Lorenzo Cavallaro, Gang Wang
IEEE S&P · 44th IEEE Symposium on Security and Privacy, 2023
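% Conference paper, so @inproceedings: @article has no booktitle field and
% would drop the venue. Authors are joined with " and " because BibTeX does
% not split names on commas. The arXiv id is kept in eprint/archivePrefix
% rather than in volume.
@inproceedings{yang2022jigsaw,
  author        = {Yang, Limin and Chen, Zhi and Cortellazzi, Jacopo and Pendlebury, Feargus and Tu, Kevin and Pierazzi, Fabio and Cavallaro, Lorenzo and Wang, Gang},
  title         = {{Jigsaw Puzzle}: Selective Backdoor Attack to Subvert Malware Classifiers},
  booktitle     = {{IEEE} Symposium on Security and Privacy},
  year          = {2023},
  url           = {https://arxiv.org/abs/2202.05470},
  eprint        = {2202.05470},
  archivePrefix = {arXiv},
}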
ROPfuscator: Robust Obfuscation with ROP
Giulio De Pasquale and Fukutomo Nakanishi and Daniele Ferla and Lorenzo Cavallaro
WOOT · 17th IEEE Workshop on Offensive Technologies, 2023
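% "De Pasquale" is written in "Last, First" form so BibTeX does not parse
% "De" as a given name. {ROPfuscator} and {ROP} are brace-protected so
% sentence-casing styles keep their capitalisation.
@inproceedings{depasquale23,
  author    = {De Pasquale, Giulio and Nakanishi, Fukutomo and Ferla, Daniele and Cavallaro, Lorenzo},
  title     = {{ROPfuscator}: Robust Obfuscation with {ROP}},
  booktitle = {{IEEE} Workshop on Offensive Technologies ({WOOT})},
  year      = {2023},
}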
Realizable Universal Adversarial Perturbations for Malware
Raphael Labaca-Castro, Luis Muñoz-González, Feargus Pendlebury, Gabi Dreo Rodosek, Fabio Pierazzi, Lorenzo Cavallaro
CoRR · arXiv CoRR, 2022
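% Names are in "Last, First" form so the two-word surname "Dreo Rodosek" is
% not split. Accented letters use LaTeX escapes, which sort and render
% correctly under both classic BibTeX and Biber.
@article{labacacastro2022uaps,
  author        = {Labaca-Castro, Raphael and Mu{\~n}oz-Gonz{\'a}lez, Luis and Pendlebury, Feargus and Dreo Rodosek, Gabi and Pierazzi, Fabio and Cavallaro, Lorenzo},
  title         = {Realizable Universal Adversarial Perturbations for Malware},
  journal       = {CoRR},
  volume        = {abs/2102.06747},
  year          = {2022},
  url           = {https://arxiv.org/abs/2102.06747},
  eprint        = {2102.06747},
  archivePrefix = {arXiv},
}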
Identifying Authorship Style in Malicious Binaries: Techniques, Challenges & Datasets
Jason Gray, Daniele Sgandurra, Lorenzo Cavallaro
CoRR · arXiv CoRR, 2021
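% The ampersand in the title is escaped: a bare & is a LaTeX alignment
% character and breaks typesetting of the bibliography. The arXiv link uses
% HTTPS.
@article{gray2021aptclass,
  author        = {Gray, Jason and Sgandurra, Daniele and Cavallaro, Lorenzo},
  title         = {Identifying Authorship Style in Malicious Binaries: Techniques, Challenges \& Datasets},
  journal       = {CoRR},
  volume        = {abs/2101.06124},
  year          = {2021},
  url           = {https://arxiv.org/abs/2101.06124},
  eprint        = {2101.06124},
  archivePrefix = {arXiv},
}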
Intertwining ROP Gadgets and Opaque Predicates for Robust Obfuscation
Fukutomo Nakanishi, Giulio De Pasquale, Daniele Ferla, Lorenzo Cavallaro
CoRR · arXiv CoRR, 2020
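% "De Pasquale" is written in "Last, First" form so BibTeX does not parse
% "De" as a given name. {ROP} is brace-protected against sentence-casing
% styles. The arXiv link uses HTTPS.
@article{nakanishi2020rop,
  author        = {Nakanishi, Fukutomo and De Pasquale, Giulio and Ferla, Daniele and Cavallaro, Lorenzo},
  title         = {Intertwining {ROP} Gadgets and Opaque Predicates for Robust Obfuscation},
  journal       = {CoRR},
  volume        = {abs/2012.09163},
  year          = {2020},
  url           = {https://arxiv.org/abs/2012.09163},
  eprint        = {2012.09163},
  archivePrefix = {arXiv},
}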
Probabilistic Naming of Functions in Stripped Binaries
James Patrick-Evans, Lorenzo Cavallaro, Johannes Kinder
ACSAC · Annual Computer Security Applications Conference, 2020
% ACSAC 2020 conference paper; author names in "Last, First" form.
@inproceedings{patrickevans2020punstrip,
  author    = {Patrick-Evans, James and Cavallaro, Lorenzo and Kinder, Johannes},
  title     = {Probabilistic Naming of Functions in Stripped Binaries},
  booktitle = {Annual Computer Security Applications Conference (ACSAC)},
  year      = 2020,
}
On the Dissection of Evasive Malware
Daniele Cono D'Elia, Emilio Coppa, Federico Palmaro, and Lorenzo Cavallaro
IEEE T-IFS · IEEE Trans. Information Forensics and Security, 2020
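% The title is no longer wrapped in a second pair of braces, so bibliography
% styles can apply their own casing. Only the {IEEE} acronym is protected in
% the journal name.
@article{DBLP:journals/tifs/delia,
  author    = {D'Elia, Daniele Cono and Coppa, Emilio and Palmaro, Federico and Cavallaro, Lorenzo},
  title     = {On the Dissection of Evasive Malware},
  journal   = {{IEEE} Trans. Information Forensics and Security},
  volume    = {15},
  pages     = {2750--2765},
  year      = {2020},
  url       = {https://doi.org/10.1109/TIFS.2020.2976559},
  doi       = {10.1109/TIFS.2020.2976559},
  bibsource = {dblp computer science bibliography, http://dblp.org},
  note      = {IEEE TIFS},
}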
BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews
Claudio Rizzo, Lorenzo Cavallaro, and Johannes Kinder
RAID · 21st International Symposium on Research in Attacks, Intrusions and Defenses, 2018
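% {BabelView} is brace-protected so sentence-casing styles do not turn it
% into "Babelview". The booktitle spells out the symposium name and keeps
% the acronym.
@inproceedings{DBLP:conf/raid/RizzoCK18,
  author    = {Rizzo, Claudio and Cavallaro, Lorenzo and Kinder, Johannes},
  title     = {{BabelView}: Evaluating the Impact of Code Injection Attacks in Mobile Webviews},
  booktitle = {21st International Symposium on Research in Attacks, Intrusions and Defenses ({RAID})},
  series    = {Lecture Notes in Computer Science},
  volume    = {11050},
  pages     = {25--46},
  publisher = {Springer},
  year      = {2018},
}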
POTUS: Probing Off-The-Shelf USB Drivers with Symbolic Fault Injection
James Patrick-Evans, Lorenzo Cavallaro, and Johannes Kinder
USENIX Sec-WOOT · 11th USENIX Workshop on Offensive Technologies, 2017 · Best Paper Award
% USENIX WOOT 2017 workshop paper (best paper award recorded in note);
% author names in "Last, First" form.
@inproceedings{woot2017,
  author    = {Patrick-Evans, James and Cavallaro, Lorenzo and Kinder, Johannes},
  title     = {{POTUS}: Probing Off-The-Shelf {USB} Drivers with Symbolic Fault Injection},
  booktitle = {11th USENIX Workshop on Offensive Technologies (WOOT)},
  year      = {2017},
  note      = {USENIX WOOT Best Paper Award},
}
Understanding Android App Piggybacking: A Systematic Study of Malicious Code Grafting
Li Li, Daoyuan Li, Tegawende F. Bissyande, Jacques Klein, Yves Le Traon, David Lo, and Lorenzo Cavallaro
IEEE T-IFS · IEEE Trans. Information Forensics and Security, 2017
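% Names are in "Last, First" form so the surname "Le Traon" is not split.
% The title is no longer wrapped in a second pair of braces: only {Android}
% is protected, and styles may recase the rest.
@article{DBLP:journals/tifs/0029LBKTLC17,
  author    = {Li, Li and Li, Daoyuan and Bissyande, Tegawende F. and Klein, Jacques and Le Traon, Yves and Lo, David and Cavallaro, Lorenzo},
  title     = {Understanding {Android} App Piggybacking: A Systematic Study of Malicious Code Grafting},
  journal   = {{IEEE} Trans. Information Forensics and Security},
  volume    = {12},
  number    = {6},
  pages     = {1269--1284},
  year      = {2017},
  url       = {https://doi.org/10.1109/TIFS.2017.2656460},
  doi       = {10.1109/TIFS.2017.2656460},
  timestamp = {Sun, 28 May 2017 13:17:25 +0200},
  biburl    = {http://dblp.uni-trier.de/rec/bib/journals/tifs/0029LBKTLC17},
  bibsource = {dblp computer science bibliography, http://dblp.org},
  note      = {IEEE TIFS},
}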
Modular Synthesis of Heap Exploits
Dusan Repel, Johannes Kinder, and Lorenzo Cavallaro
ACM CCS-PLAS · ACM SIGSAC Workshop on Programming Languages and Analysis for Security, 2017
% PLAS 2017 workshop paper (co-located with ACM CCS, per the note field);
% author names in "Last, First" form.
@inproceedings{plas2017,
  author    = {Repel, Dusan and Kinder, Johannes and Cavallaro, Lorenzo},
  title     = {Modular Synthesis of Heap Exploits},
  booktitle = {Proc. ACM SIGSAC Workshop on Programming Languages and Analysis for Security (PLAS 2017)},
  year      = {2017},
  note      = {ACM CCS-PLAS},
}
Stack Object Protection with Low Fat Pointers
Gregory Duck, Roland Yap, and Lorenzo Cavallaro
NDSS · 24th Annual Network and Distributed System Security Symposium, 2017
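% month uses the predefined macro (unquoted) so styles can abbreviate or
% localise it. The title is no longer wrapped in a second pair of braces,
% so styles can apply their own casing.
@inproceedings{lowfatstack-ndss2017,
  author    = {Duck, Gregory and Yap, Roland and Cavallaro, Lorenzo},
  title     = {Stack Object Protection with Low Fat Pointers},
  booktitle = {24th Annual Network and Distributed System Security Symposium, San Diego, California, USA},
  year      = {2017},
  month     = feb,
  note      = {NDSS},
}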
The Evolution of Android Malware and Android Analysis Techniques
Kimberly Tam, Ali Feizollah, Badrul Nor Anuar, Rosli Salleh, and Lorenzo Cavallaro
ACM CSUR · ACM Computing Surveys, 2017
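% Fixes the journal name typo ("Compututing"). Only {Android} is protected
% in the title instead of the whole string. month uses the predefined macro.
% url points at the HTTPS doi.org resolver for the same DOI as the doi field.
@article{Tam:2017:EAM:3022634.3017427,
  author     = {Tam, Kimberly and Feizollah, Ali and Anuar, Badrul Nor and Salleh, Rosli and Cavallaro, Lorenzo},
  title      = {The Evolution of {Android} Malware and {Android} Analysis Techniques},
  journal    = {{ACM} Computing Surveys},
  issue_date = {February 2017},
  volume     = {49},
  number     = {4},
  month      = jan,
  year       = {2017},
  issn       = {0360-0300},
  pages      = {76:1--76:41},
  articleno  = {76},
  numpages   = {41},
  url        = {https://doi.org/10.1145/3017427},
  doi        = {10.1145/3017427},
  acmid      = {3017427},
  publisher  = {ACM},
  address    = {New York, NY, USA},
  keywords   = {Android, classification, detection, dynamic analysis, malware, static analysis},
  note       = {ACM CSUR},
}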
CopperDroid: Automatic Reconstruction of Android Malware Behaviors
Kimberly Tam, Salahuddin J. Khan, Aristide Fattori, and Lorenzo Cavallaro
NDSS · 22nd Annual Network and Distributed System Security Symposium, 2015
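% Authors are joined with " and ": BibTeX does not split names on commas,
% so the original comma-separated list was read as one malformed name.
% {CopperDroid} and {Android} are brace-protected in the title; month uses
% the predefined macro.
@inproceedings{copperdroid-ndss2015,
  author    = {Tam, Kimberly and Khan, Salahuddin J. and Fattori, Aristide and Cavallaro, Lorenzo},
  title     = {{CopperDroid}: Automatic Reconstruction of {Android} Malware Behaviors},
  booktitle = {22nd Annual Network and Distributed System Security Symposium, San Diego, California, USA},
  year      = {2015},
  month     = feb,
  note      = {NDSS},
}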
PuppetDroid: A User-Centric UI Exerciser for Automatic Dynamic Analysis of Similar Android Applications
Andrea Gianazza, Federico Maggi, Aristide Fattori, Lorenzo Cavallaro, and Stefano Zanero
CoRR · arXiv CoRR, 2014
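% Only {PuppetDroid}, {UI} and {Android} are protected in the title instead
% of the whole string. journal is {CoRR}, as in the other arXiv entries on
% this page. eprint/archivePrefix carry the arXiv id taken from the url,
% which now uses HTTPS.
@article{DBLP:journals/corr/GianazzaMFCZ14,
  author        = {Gianazza, Andrea and Maggi, Federico and Fattori, Aristide and Cavallaro, Lorenzo and Zanero, Stefano},
  title         = {{PuppetDroid}: A User-Centric {UI} Exerciser for Automatic Dynamic Analysis of Similar {Android} Applications},
  journal       = {CoRR},
  year          = {2014},
  volume        = {abs/1402.4826},
  url           = {https://arxiv.org/abs/1402.4826},
  eprint        = {1402.4826},
  archivePrefix = {arXiv},
  timestamp     = {Wed, 10 Sep 2014 17:05:02 +0200},
  biburl        = {http://dblp.uni-trier.de/rec/bib/journals/corr/GianazzaMFCZ14},
  bibsource     = {dblp computer science bibliography, http://dblp.org},
  note          = {arXiv CoRR},
}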