System Security School

Speakers

Prof. Davide Balzarotti

EURECOM, France

Talk title: Malware Analysis

Abstract: Researchers have been fighting malware, in its different forms, for over three decades. In these lectures we look at malware analysis, i.e., at the process of studying new malware samples to understand their behavior, their characteristics, and ultimately their nature (either malicious or benign). The first part will focus on understanding the overall process, the techniques, and the fundamental role of automation in malware analysis. We will also look at the history of malware analysis and at the key challenges that shaped the research in this field over the past two decades. In the second part of these lectures we will discuss in more detail some recent contributions in malware analysis - with a focus on malware for IoT devices and on measurement studies we are conducting to better understand the malware ecosystem.

Prof. Mauro Conti

University of Padova, Italy

  • Welcome Message: Introducing the School and the SPRITZ Security and Privacy Research Group together with its activities in the area of security of operating systems and applications.

  • Final Remarks

Prof. Bruno Crispo

University of Trento, Italy

Talk title: Android Security

Abstract: The lecture will focus on the main aspects related to Android security, including both OS and application issues. Prof. Crispo will start by covering the many security mechanisms and services already provided by Google, describing how they work, what they are intended for and, for some of them, also their shortcomings. Then, he will provide an overview of what researchers proposed to address and overcome some of these shortcomings. Finally, he will end with hands-on experience to show how to use some popular tools and get familiar with the difficult task of reverse engineering Android apps.

Prof. Lucas Davi

University of Duisburg-Essen, Germany

Talk title: Exploiting Software Errors: From Control-Flow to Data-Oriented Exploits

Abstract: Memory corruption attacks exploit program errors to alter program information such as function pointers and program variables maintained in memory. In the recent past, we have witnessed a variety of different attack strategies starting from classic code injection attacks to sophisticated return-oriented programming attacks that encapsulate malicious program actions inside a chain of existing and benign code sequences from shared libraries. The good news is that both academia and industry have significantly raised the bar for these attacks by proposing and implementing mitigation technologies such as control-flow integrity, code pointer integrity, and code and data layout randomization. However, the latest trend in exploitation moves from control-flow attacks to subtle data-oriented attacks. These attacks do not violate control-flow integrity but only alter program variables to trigger malicious program actions. In this lecture, we provide a detailed overview of the evolution of memory corruption attacks from control-flow to data-oriented attacks. In addition, we discuss defensive strategies and include a hands-on lab for the development of sample exploits against vulnerable proof-of-concept applications.

Dr. Mariano Graziano

CISCO, Italy

Talk title: Hackademic notes

Abstract: In this talk I will give some hints to the young and motivated PhD students attending the summer school on how to be a good academic researcher with a strong and solid technical background. We will start with a short introduction about hacking and its history. Then, we will move to the CTF scene and the bug bounty world. We will discuss how to be always up-to-date about the industrial research and avoid flames with researchers in the private sector. Similarly, we will focus on academia and how to be a diligent PhD student. Finally, we will zoom in on binary analysis, in particular for ELF, and we will discuss several anti-analysis and anti-debugging techniques. In the end, we will propose an easy ELF challenge. At the end of this talk you should be ready to start your journey to be a real hackademic researcher!

Talk title: Automation for binary analysis

Abstract: Over the years the number of samples received by security companies grew exponentially. In 2019, on average companies collect around 2M samples from external feeds. A good percentage of these samples is known, but the remaining part needs to be processed. At this point the volume is still too large and cannot be analyzed manually. This phase needs automation to cope with the remaining overwhelming number of samples. In this talk we will show possible strategies to automate the analysis of large-scale datasets using state-of-the-art techniques. The second half of the talk will focus on automation for binary analysis. After the first step using known techniques we still have samples that need manual inspection, and we will see how we can speed up this part by creating containers exposing REST APIs as well as the scripting capabilities available in tools used on a daily basis by security researchers (e.g. IDA Pro, GDB, etc.). We will also show tools developed by Cisco Talos such as FIRST and Pyrebox and how they are used in practice in a possible pipeline.

Daniele Lain

ETH Zurich, Switzerland

Talk title: Adventures in User Authentication: Challenges and Solutions

Abstract: Most Internet services require users to prove their identity, usually by means of proving they know something secret - a password. In the era of password leaks, phishing websites, and tens of services asking us to authenticate daily, is this still a good mechanism? In this talk, I will overview the field of user authentication. Starting from the conventional username and password approach and its weaknesses, we will explore improvements to the authentication process, such as multi-factor and biometric techniques, and their shortcomings. Finally, we will discuss remaining challenges in the field, such as runtime phishing, how to bind identities when credentials are shared, and spouseware.

Prof. Nele Mentens

KU Leuven, Belgium

Talk title: Hardware security primitives

Abstract: Hardware security primitives are indispensable for the protection of electronic systems. They prevent access by unauthorized users and protect the system against physical attacks. This lecture explains the working principles and discusses the vulnerabilities of three important hardware security components, namely Physically Unclonable Functions (PUFs), True Random Number Generators (TRNGs) and cryptographic hardware coprocessors.

Prof. Giovanni Russello

University of Auckland, New Zealand

Talk title: SGX Overview

Abstract: In this lecture, Prof. Russello will provide an overview of Intel SGX, its basic functionality and the security guarantees it offers. He will also discuss some of the issues with this technology and some of the attacks that have been presented.

Prof. Ahmad-Reza Sadeghi

TU Darmstadt, Germany

Talk title: Available Soon

Abstract: Available Soon

Research Associate Riccardo Spolaor

University of Oxford, UK

Talk title: Mobile Systems’ Data Logging for Security Researchers and Sandboxes Enhancement

Abstract: Smartphones and tablets are becoming year after year more and more pervasive and advanced. Along with increasing computational power, they are equipped with a variety of sensors and provide an extensive set of APIs. This makes it possible to extract data that is extremely valuable in research fields such as security and Human-Computer Interaction (HCI). For these reasons, researchers need a solid and reliable logging tool to collect such valuable data. In this talk, we present DELTA - Data Extraction and Logging Tool for Android, a solution that offers flexibility, fine-grained tuning capabilities, extensibility, and an available set of logging features. The DELTA tool also has a low impact on the performance of the system, on battery consumption, and on user experience. Sensors’ data and events collected with DELTA can be used to enhance sandboxes. Hence, we present Mirage, a malware sandbox architecture for Android focused on dynamic analysis evasion attacks. We designed the components of Mirage to be extensible via software modules, to build specific countermeasures against such attacks. As a representative case study, we present a Mirage module that tackles evasion attacks based on sensors API return values.

Talk title: Security and Privacy Threats on Mobile Systems through Side-Channels Analysis

Abstract: In recent years, mobile devices (such as smartphones and tablets) have become essential tools for daily communication activities and social network interactions, thus they contain a huge amount of private and sensitive information. For this reason, mobile devices become popular targets of attacks to harm users' privacy, among which is a passive attack called side-channel analysis. The side-channels are a physical phenomenon that can be measured from either inside or outside a device. They are mostly due to the user interaction with a mobile device, but also to the context in which the device is used, hence they can reveal sensitive user information such as identity and habits, environment, and the operating system itself. The first side-channel is encrypted network traffic. We consider an adversary who is able to eavesdrop on the network traffic of the device on the network side (e.g., controlling a WiFi access point). Our work proves that it is possible to leverage machine learning techniques to identify user activity and apps installed on mobile devices by analyzing the encrypted network traffic they produce. Such insights are becoming a very attractive data gathering technique for adversaries, network administrators, investigators, and marketing agencies. The second side-channel is electric energy consumption. In this case, an adversary is able to measure with a power monitor the amount of energy supplied to a mobile device. In fact, we observed that the usage of mobile device resources (e.g., CPU, network capabilities) directly impacts the amount of energy retrieved from the supplier, i.e., USB port for smartphones, wall-socket for laptops. Leveraging energy traces, we are able to recognize a specific laptop user among a group and detect intruders (i.e., a user not belonging to the group). Moreover, we show the feasibility of a covert channel on Android mobile devices to exfiltrate user data which relies on temporized energy consumption bursts.

Prof. Corrado Aaron Visaggio

University of Sannio, Italy

Talk title: Machine learning for malware detection and classification: benefits, limitations and future directions

Abstract: Detecting and classifying malware is a very hard task, full of pitfalls and obstacles: for this reason, researchers have been looking for effective solutions that support these two processes. Machine learning is considered one of the main means for this aim and it has been widely investigated. Unfortunately, machine learning shows limitations that do not allow it to be considered the definitive solution; however, machine learning can produce benefits if it’s employed properly. This seminar will provide an analysis of the most prominent findings offered by the literature about machine and deep learning, aiming at shedding light on when and how machine learning can be applied for detecting and recognizing malware.

With the support of:

  • UniPD

  • Mathematical department

  • SPRITZ group

  • CINI Cybersecurity National Lab

  • Human inspired technology

  • TU Darmstadt

  • Universität Duisburg-Essen

  • EURECOM

  • KU Leuven

  • Oxford