Eng. Marco Balduzzi, Ph.D.


General Information

I am a proud member of the International Secure Systems Lab since November 2008. I hold a Ph.D. in applied IT security from Télécom ParisTech and an M.Sc. in computer engineering from the University of Bergamo. My interests cover all aspects of computer security, with particular emphasis on real problems that affect systems and networks. Some topics I have worked on are web and browser security, code analysis, botnet detection, cybercrime investigation, privacy and threats in social networks and new technologies, malware, and intrusion detection systems.

I have been involved in IT security for more than 12 years, with international experience in both industry and academia. I previously worked as a security consultant and engineer for different companies in Milan, Munich and Sophia-Antipolis, before joining Trend Micro Research as a senior research scientist. I have published in top peer-reviewed conferences, e.g. NDSS, RAID, ACSAC and DIMVA, and spoken at major security venues like Black Hat, Hack In The Box, OWASP AppSec and others. My applied research has been recognized and covered by major media such as Forbes, MIT Technology Review, The Register, Slashdot, InfoWorld, Dark Reading, CNN and BBC.

Being a Free Software sympathizer, I have been involved in several open source projects and underground hacking groups, mainly during my studies. Nowadays I am more into climbing, and research, of course :)

News

  • The slides of the Summer School in Cagliari: #1 #2 #3
  • The brochure of our next conference in Venice is online
  • Our latest papers on Soundsquatting and AIS have been accepted for publication in the proceedings of ISC and ACSAC 2014, respectively :-)
  • Cassandra blogged about our talk at the Italian hacking camp HackIT 0x11.
  • I am now a proud member of the Review Board of Hack In The Box.

Education

  • Nov. 2008 - Dec. 2011, Ph.D. at EURECOM & TELECOM ParisTech, under the supervision of Prof. Engin Kirda.
    My Ph.D. thesis is titled Automated Measurements of Novel Internet Threats [ PDF ]
    In the last twenty years, the Internet has grown from a simple, small network to a complex, large-scale system. Attackers are not indifferent to the evolution of the Internet. Often driven by a flourishing underground economy, attackers are constantly looking for vulnerabilities, misconfigurations and novel techniques to access protected and authorized systems, to steal private information, or to deliver malicious content. Traditional vulnerabilities such as buffer overflows or SQL injections are still exploited. However, new alternative attack vectors that leverage unconventional channels on a large scale (e.g. cloud computing) are also being discovered. To date, not much research has been conducted to measure the importance and extent of these emerging Internet threats. Conventional detection techniques cannot easily scale to large installations, and novel methodologies are required to analyze and discover bugs and vulnerabilities in these complex systems. In this thesis, we advance the state of the art in large-scale testing and measurement of Internet threats. We investigate three novel classes of security problems that affect Internet systems that experienced a fast surge in popularity (i.e., ClickJacking, HTTP Parameter Pollution, and commercial cloud computing services that allow the outsourcing of server infrastructures). We introduce the first large-scale attempt to estimate the prevalence and relevance of these problems on the Internet.

  • Sept.-Dec. 2007, Internship at SAP Research, Security & Trust, Sophia-Antipolis (France).
    During this internship, I performed research in network security aimed at the integration of wireless sensor networks (WSNs) in enterprise applications (e.g. SAP).

  • March 2007, M.Sc. in Computer Engineering at the University of Bergamo (Italy). Final grade of 110/110.
    My M.Sc. thesis is titled Security by Virtualization: a novel antivirus for personal computers. [PDF, Slides ]
    In this work, we introduce a novel security architecture for personal computers based on the virtualization paradigm, in which we move the security services from the user's operating system into a tamper-resistant virtual machine layer, or hypervisor. We propose a novel antivirus that intercepts raw I/O disk-sector accesses to conduct low-level virus analysis.

  • 2006, Internship in Security R&D at Secunet Security Networks AG, Munich (Germany)
    Research and prototype implementation of an antivirus framework based on virtualization. Adopted technology: QEMU, Linux, C++, Bash/Python.

  • 2005, Exchange student at the Norwegian University of Science and Technology (NTNU) of Trondheim, Faculty of Computer Science and Telematics.

  • July 2004, B.Sc. in Computer Engineering at the University of Bergamo.
    My B.Sc. thesis is titled A new model of Intrusion Detection System: The Router-IDS [ PDF, Slides ]
    In this thesis, I define and extend the IDS taxonomy with what I called a ``context-based IDS''. The standard taxonomy groups IDSs into host-based and network-based families, depending on the type of information that is processed (host vs. network). A context-based IDS, instead, correlates host-based information with network traffic in order to reduce the number of false positives, which is among the primary reasons for failure of current network-based IDSs.

  • 2003, Internship in Security R&D at ICT Consulting S.p.A., Milano (Italy)
    During this internship, I designed a router-based intrusion detection system (IDS) that integrates network sensors into existing device nodes to detect distributed security issues, e.g. DoS attacks, portscans, SPAM activities and botnets. Adopted technology: Cisco IOS, SNMP, Linux, C.

Professional activities

  • Since 2012, Member of the following Program Committees and Review Boards
    - HITB 2014+, Hack In The Box Conference
    - IBMSGS 2015, International Summit on Bio-Metrics and Smart Government
    - eCrime 2014, APWG Symposium on Electronic Crime Research
    - CEEC 2014, 6th Computer Science and Electronic Engineering Conference
    - WNM 2013, 7th IEEE Workshop on Network Measurements

    - IEEE Transactions on Dependable and Secure Computing, TDSC 2014
    - User Community Discovery in the Web and the Social Web, Springer Book 2014
    - Journal of Computer Security, JCS 2012

  • Since April 2012, Senior Research Scientist at Trend Micro Research
    I work for Trend Micro's Forward-Looking Threat Research (FTR) team as a senior researcher. In my daily job, I try to bridge academia and industry, by keeping one leg in scientific research, publishing in peer-reviewed conferences, and the other in the needs of an industry-driven environment, for example advising on internal innovative engineering projects. The team itself is responsible for researching malware and hacking threats, the security of emerging technologies and user privacy, and for designing solutions to detect and mitigate them. We actively interface with universities, external research groups, law enforcement and CERTs for research and knowledge sharing, and we regularly attend both academic and hacking security conferences.

  • 2011, Occasional Journal Writer for Software Press's Hakin9 IT Security Magazine.

  • 2008, Senior Security Engineer at Numara Software (ex Criston Software S.A.), Sophia-Antipolis (France).
    As a security expert, I was responsible for researching, implementing and supporting the development of a Vulnerability Management solution. I led the research and development of the security scanner and its vulnerability tests. During my stay, I replaced a large portion of the existing code with the Nmap Security Scanner, which we licensed and adopted.

  • Aug.2006 - July.2007, Security Researcher at Secunet Security Networks AG, Munich (Germany), largest information security service provider in Germany.
    Research and prototype implementation of a novel antivirus, which we integrated within a virtual machine framework (hypervisor) to make it tamper-resistant against malware running in the guest operating system. More information is included in my M.Sc. thesis above. Technology: C/C++/Bash, Linux, QEMU, VirtualBox.

  • 2006, Security Consultant (freelancer) for Emaze Network S.p.A., an Italian company that provides services and products in the information security field.
    Traditional security consulting services such as penetration testing, vulnerability assessment, computer forensics, system hardening, network and log analysis, architecture design, compliance and training.

  • 2004 - 2005, Security Consultant (freelancer) for Secure Network s.r.l., an information security consulting group in Milan.
    Traditional security consulting services such as penetration testing, vulnerability assessment, computer forensics, system hardening, network and log analysis, architecture design, compliance and training.

Publications

"A Security Evaluation of AIS, Automated Identification System"
Marco Balduzzi, Alessandro Pasta, Kyle Wilhoit
The 30th Annual Computer Security Applications Conference
ACSAC 2014, New Orleans, Louisiana, USA, December 8-12 2014

[ to appear ]

"Soundsquatting: Uncovering the use of homophones in domain squatting"
Nick Nikiforakis, Marco Balduzzi, Lieven Desmet, Frank Piessens, Wouter Joosen
The 17th Information Security Conference
ISC 2014, Hong Kong, October 12-14 2014

[ to appear ]

"Automated Measurements of Novel Internet Threats [Paperback]"
Dr. Marco Balduzzi
LAP LAMBERT Academic Publishing, ISBN 978-3-659-41582-1, 120 pages, July 20 2013
[ description, book, bib, cover ]

"Targeted Attacks Detection With SPuNge"
Marco Balduzzi, Vincenzo Ciangaglini, Robert McArdle
The 11th Annual Conference on Privacy, Security and Trust
PST 2013, Tarragona, Catalonia, July 10-12 2013

[ abstract, pdf ]

"The Role of Phone Numbers in Understanding Cyber-Crime Schemes"
Andrei Costin, Jelena Isacenkova, Marco Balduzzi, Aurélien Francillon, Davide Balzarotti
The 11th Annual Conference on Privacy, Security and Trust
PST 2013, Tarragona, Catalonia, July 10-12 2013

[ abstract, pdf ]

"The role of phone numbers in understanding cyber-crime (technical report)"
Andrei Costin, Jelena Isacenkova, Marco Balduzzi, Aurélien Francillon, Davide Balzarotti
EURECOM Research Report RR-13-277, February 2013
[ abstract, pdf, bib ]

"Web Application Security, Dagstuhl Seminar 12401 (conference report)"
Lieven Desmet, Martin Johns, Benjamin Livshits, Andrei Sabelfeld
Schloss Dagstuhl, 30/09/12 - 05/10/12
[ abstract, pdf, bib ]

"A Security Analysis of Amazon's Elastic Compute Cloud Service"
Marco Balduzzi, Jonas Zaddach, Davide Balzarotti, Engin Kirda, Sergio Loureiro
The 11th Edition of the Computer Security track at the 27th ACM Symposium on Applied Computing
SEC@SAC 2012, Trento, Italy, March 26-30 2012

[ abstract, pdf, bib, press (forbes| infoWorld| ZDNet) ]

"Reverse Social Engineering Attacks in Online Social Networks"
Danesh Irani, Marco Balduzzi, Davide Balzarotti, Engin Kirda, Calton Pu
The 8th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2011, Amsterdam, The Netherlands, July 7-8 2011

[ abstract, pdf, bib, slides ]

"Exposing the Lack of Privacy in File Hosting Services"
Nick Nikiforakis, Marco Balduzzi, Steven Van Acker, Wouter Joosen, Davide Balzarotti
The 4th USENIX Workshop on Large-Scale Exploits and Emergent Threats
LEET 2011, Boston, US, March 29 2011

[ abstract, pdf, bib, slides, press (the register| slashdot) ]

"Automated Discovery of Parameter Pollution Vulnerabilities in Web Applications" (Best Paper Award)
Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, Engin Kirda
The 18th Annual Network and Distributed System Security Symposium
NDSS 2011, San Diego, US, February 6-9 2011

[ abstract, pdf, bib ]

"EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis"
Leyla Bilge, Engin Kirda, Christopher Kruegel, Marco Balduzzi
The 18th Annual Network and Distributed System Security Symposium
NDSS 2011, San Diego, US, February 6-9 2011

[ abstract, pdf, bib, slides ]

"A Summary of Two Practical Attacks against Social Networks (invited paper)"
Leyla Bilge, Marco Balduzzi, Davide Balzarotti, Engin Kirda
The 21st Tyrrhenian Workshop on Digital Communications: Trustworthy Internet
Island of Ponza, Italy, September 6-8 2010

[ abstract, bib ]

"Abusing Social Networks for Automated User Profiling"
Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti and Christopher Kruegel
The 13th International Symposium on Recent Advances in Intrusion Detection
RAID 2010, Ottawa, Canada, September 15-17 2010

[ abstract, pdf, bib, slideshare ]

"Security by virtualization: A novel antivirus for personal computers [Paperback]"
Marco Balduzzi
VDM Verlag Dr. Müller e.K., ISBN 978-3-639-25624-6, Paperback, 104 pages, May 7 2010
[ description, book, bib, cover ]

"Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype"
Antonio Nappa, Aristide Fattori, Marco Balduzzi, Matteo Dell'Amico and Lorenzo Cavallaro
The 7th Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2010, Bonn, Germany, July 8-9 2010

[ abstract, pdf, bib, slides ]

"A Solution for the Automated Detection of Clickjacking Attacks"
Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, Christopher Kruegel
The 5th ACM Symposium on Information, Computer and Communications Security
AsiaCCS 2010, Beijing, China, April 13-16 2010

[ abstract, pdf, bib ]

"Abusing Social Networks for Automated User Profiling (technical report)"
Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti, and Christopher Kruegel
EURECOM Research Report RR-10-233, March 3 2010
[ abstract, pdf, bib ]

Talks

International Academic Conferences

  • ACSAC 2014, New Orleans, US (upcoming)
  • ISC 2014, Hong Kong (upcoming)
  • BTIA 2014, Summer School, Cagliari, Italy
  • PST 2013, Tarragona, Spain
  • Schloss Dagstuhl, Web Application Security Seminar 2012, Saarbrücken, Germany
  • SEC@SAC 2012, Trento, Italy
  • DIMVA 2011, Amsterdam, NL
  • LEET 2011, Boston, US
  • NDSS 2011, San Diego, US
  • RAID 2010, Ottawa, Canada
  • AsiaCCS 2010, Beijing, China

Speaking at the following upcoming conferences

  • ISACA and OWASP Venice Conference, 3rd of October

Hacking Conferences

    AIS Exposed. New vulnerabilities and attacks. Hack In The Box 2014 (HITB AMS), Amsterdam, Netherlands - 28/05/2014
    [ abstract, slides (slideshare), press (PCWorld | CHE FUTURO) ]

    AIS Exposed. Understanding Vulnerabilities and Attacks 2.0, Black Hat Asia, Singapore - 27/03/2014
    [ abstract, video recording ]

    The Vessel Tracking & Monitoring Conference, London, UK - 27/02/2014

    Hey Captain, Where’s Your Ship? Attacking Vessel Tracking Systems for Fun and Profit, Hack In The Box 2013 (HITB KUL), Kuala Lumpur, Malaysia - 16/10/2013
    [ abstract, slides (slideshare), press (ABC News | Net Security | MIT Technology Review | Softpedia) ]

    HTTP(S)-Based Clustering for Assisted Cybercrime Investigations
    - OWASP AppSec Research Europe 2013, Hamburg, Germany - 22/08/2013 [ abstract, slides (slideshare), video recording ]
    - OWASP Italy @ Security Summit 2014, Milan, Italy - 18/03/2014

    Cutting-edge research in system security, OWASP Italy Day 2012, Rome, Italy - 23/11/2012 (invited talk)
    [ slides ]

    SatanCloud: Un Viaje por los Riesgos a la Privacidad y Seguridad del Cloud Computing
    - SECURITY-ZONE 2012, Cali, Colombia - 06/12/2012 (invited talk) [abstract]
    - 8dot8 Computer Security Conference 2012, Santiago, Chile - 18/10/2012 (invited talk) [abstract, press (El Mercurio)]

    SatanCloud: A Journey Into the Privacy and Security Risks of Cloud Computing, Hack In The Box 2012 (HITB AMS), Amsterdam, Netherlands - 25/05/2012
    [ abstract, slides (slideshare), video recording ]

    A journey into the privacy and security risks of a cloud computing service, Black Hat Webcast Series, April 2012 - 19/04/2012 (invited talk)
    [ abstract, slides ]

    Detección Automática de vulnerabilidades HPP en aplicaciones Web
    - SECURITY-ZONE 2011, Cali, Colombia - 28/11/2011 (invited talk) [ abstract ]
    - 8dot8 Computer Security Conference, Santiago, Chile - 18/11/2011 [ abstract, press (yahoo!) ]

    Attacking the Privacy of Social Network Users, Hack In The Box 2011 (HITB KUL), Kuala Lumpur, Malaysia - 11/10/2011
    [ abstract, slides (slideshare), video recording, press ]

    Automated Detection of HPP Vulnerabilities in Web Applications, Black Hat USA 2011, Las Vegas, NV - 04/08/2011
    [ abstract, slides v.03 ]

    The (in)security of File Hosting Services, OWASP Netherlands Chapter Meeting, Amsterdam - 06/07/2011 (invited talk)
    [ abstract, slides (pdf) ]

    Emerging Attacks on Social Networks, FORTINET, Sophia-Antipolis - 30/06/2011 (invited talk)

    HPP v.02, Black Hat Webcast Series, May 2011 - 25/05/2011 (invited talk)
    [ abstract + registration, slides v.02 ]

    Building Large Scale Detectors for Web-based Malware (Cova, Canali), OWASP AppSec Europe 2011, Dublin, Ireland - 09/07/2011
    [ Conference Page, slides (pdf) ]

    HTTP Parameter Pollution, Swiss Cyber Storm 2011, Rapperswil, Switzerland - 12/05/2011
    [ abstract, video recording ]

    Security Info Session, SAP - 27/04/2011 (invited talk)

    CSI Filter 3, Computer Security Institute - 07/04/2011 (invited talk)
    [ program ]

    HTTP Parameter Pollution Vulnerabilities in Web Applications, Black Hat Europe 2011, Barcelona, Spain - 17/03/2011
    [ abstract, whitepaper, slides (pdf), slides (slideshare), press (forbes | la stampa) ]

    Clickjacking, OWASP BeNeLux 2010, Eindhoven, Netherlands - 02/11/2010 (invited talk)
    [ pdf, odp, html ]

    New Insights into Clickjacking, OWASP AppSec Research Europe 2010, Stockholm, Sweden - 24/06/2010
    [ pdf, odp, html, slideshare, video recordings (1, 2) ]

    Security by Virtualization, Metro Olografix Hacking Party, Pescara, Italy - 19/05/2007
    [ pdf ]

    Network multimedia with GNU/Linux, LinuxDay @ School by BgLUG, Val Seriana, Italy - 04/03/2006
    [ pdf sxi ]

    Secure networking with GNU/Linux, LinuxDay 2005, Bergamo, Italy - 26/11/2005
    [ pdf sxi html recording-mp3 ]

    Introduction to software development in the GNU/Linux environment (particular references to C language), Version 0.2, LinuxDay 2004, Bergamo, Italy - 27/11/2004
    [ pdf sxi html ]

    Risks and insecurities of IT infrastructures, SatEXPO 2004, Vicenza, Italy - 30/09/2004
    [ pdf sxi html ]

    Techniques for prevention, protection and identification of IT attacks, SatEXPO 2004, Vicenza, Italy - 30/09/2004
    [ pdf sxi html ]

    Introduction to software development in the GNU/Linux environment (particular references to C language), MOCA 2004, Pescara, Italy - 21/05/2004
    [ pdf sxi html ]

    Network programming with libpcap and libnet, Webb.it 2004, Padova, Italy - 06/05/2004
    [ pdf sxi html example-sources ]

    Security analysis of routing protocols, Security Date 2004, Ancona, Italy - 29/04/2004
    [ pdf sxi html ]

    Intrusion Detection Systems (IDS): state of art and research, HackMeeting 2004, Genova, Italy - 02/04/2004
    [ pdf html ]

    Security of the GNU/Linux operating systems, Linuxday 2003, Bergamo, Italy - 29/11/2003
    [ pdf ]

    Low-level network programming with libpcap and libnet, HackMeeting 2003, Torino, Italy - 20/06/2003
    [ pdf sxi html example-sources ]

More

I have had the chance to supervise, work with, or collaborate on research projects with several good students, including:
  • 2014, Babak Rahbarinia, Malware Modeling and Detection
  • 2013, Maurizio Abbà, Web Security -- Now with LastLine Inc.
  • 2012, Mariano Graziano, Malware Analysis -- Now Ph.D. with EURECOM
  • 2011, Dario Ghilardi, Web Security (static analysis techniques) -- Now with WebRain

Bonus articles
  • (IN)SECURE Magazine #40, Digital ship pirates: Researchers crack vessel tracking system [ pdf ]
  • Hakin9 Issue 7/2011 on Web App Security, HTTP Parameter Pollution Vulnerabilities in Web Applications [ download ]
  • Hakin9 Issue Exploiting Software 1/2011, Smashing the Stack 1 [ download ]
  • Hakin9 Issue Exploiting Software 2/2011, Smashing the Stack 2 [ download ]

Contacts

    • Email. marco.balduzzi <put the at sign here> iseclab.org
    • LinkedIn. View Marco Balduzzi's profile on LinkedIn
    • Twitter. @embyte

    Old School

    Here you find a bunch of "old school" material that I produced several years ago... :-)

    Codes
    Nast
    Packet sniffer and LAN analyzer based on libnet and libpcap. It can sniff packets on a network interface in normal or promiscuous mode and log them, dumping packet headers and payloads in ASCII or ASCII-hex format; a capture filter can be applied, and the sniffed data can be saved to a separate file. As an analyzer it can build a list of LAN hosts, follow a TCP data stream, find the LAN's Internet gateways, discover nodes in promiscuous mode, reset an established connection, perform single- and multi-host half-open port scans, find the link type, grab the daemon banners of LAN nodes, monitor ARP answers to detect possible ARP spoofing, count bytes, apply optional filters and write report logs.
    [ homepage screenshots ]
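As an added example (not Nast's own code), the ARP-answer check described above reduced to its core: the monitor remembers the MAC it first saw for each sender IP and flags a later reply that binds the same IP to a different MAC, the classic sign of ARP spoofing. Nast takes its frames from libpcap; the frames below are constructed inline, and the table size, the 192.168.1.1 gateway address and the MAC addresses are assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Nast's code. Frames are built inline instead of being
 * read with pcap_next(); the network addresses below are made up. */

#define ETH_HDR_LEN   14
#define ARP_PKT_LEN   28
#define ETHERTYPE_ARP 0x0806
#define ARP_OP_REPLY  2
#define ARP_TABLE_MAX 64   /* assumption: small fixed table for the demo */

struct arp_reply   { uint8_t sender_mac[6]; uint8_t sender_ip[4]; };
struct arp_binding { uint8_t ip[4]; uint8_t mac[6]; };
struct arp_table   { struct arp_binding entries[ARP_TABLE_MAX]; size_t count; };

enum arp_verdict { ARP_BAD_FRAME = -1, ARP_NEW = 0, ARP_CONSISTENT = 1, ARP_CONFLICT = 2 };

/* Parse an Ethernet frame carrying an Ethernet/IPv4 ARP reply.
 * Returns 0 on success, -1 if the frame is short, not ARP, or not a reply. */
int arp_parse_reply(const uint8_t *frame, size_t len, struct arp_reply *out)
{
    if (len < ETH_HDR_LEN + ARP_PKT_LEN)
        return -1;
    const uint8_t *arp = frame + ETH_HDR_LEN;
    uint16_t ethertype = (uint16_t)(frame[12] << 8 | frame[13]);
    uint16_t htype  = (uint16_t)(arp[0] << 8 | arp[1]);   /* 1 = Ethernet */
    uint16_t ptype  = (uint16_t)(arp[2] << 8 | arp[3]);   /* 0x0800 = IPv4 */
    uint16_t opcode = (uint16_t)(arp[6] << 8 | arp[7]);
    if (ethertype != ETHERTYPE_ARP || htype != 1 || ptype != 0x0800 ||
        arp[4] != 6 || arp[5] != 4 || opcode != ARP_OP_REPLY)
        return -1;
    memcpy(out->sender_mac, arp + 8, 6);   /* sender hardware address */
    memcpy(out->sender_ip, arp + 14, 4);   /* sender protocol address */
    return 0;
}

/* Record the sender binding and report whether it is new, unchanged, or
 * contradicts the MAC already seen for that IP (a possible ARP spoof). */
enum arp_verdict arp_table_observe(struct arp_table *t, const struct arp_reply *r)
{
    for (size_t i = 0; i < t->count; i++)
        if (memcmp(t->entries[i].ip, r->sender_ip, 4) == 0)
            return memcmp(t->entries[i].mac, r->sender_mac, 6) == 0
                       ? ARP_CONSISTENT : ARP_CONFLICT;
    if (t->count == ARP_TABLE_MAX)
        return ARP_NEW;  /* table full: accept but cannot remember it */
    memcpy(t->entries[t->count].ip, r->sender_ip, 4);
    memcpy(t->entries[t->count].mac, r->sender_mac, 6);
    t->count++;
    return ARP_NEW;
}

/* Parse then observe; an unparsable frame yields ARP_BAD_FRAME. */
enum arp_verdict arp_check_frame(struct arp_table *t, const uint8_t *frame, size_t len)
{
    struct arp_reply r;
    if (arp_parse_reply(frame, len, &r) != 0)
        return ARP_BAD_FRAME;
    return arp_table_observe(t, &r);
}

/* Constructed test frame: "192.168.1.1 is-at <mac>" sent to 192.168.1.50.
 * buf must hold at least 42 bytes. Returns the frame length. */
size_t arp_make_reply(uint8_t *buf, const uint8_t mac[6])
{
    static const uint8_t ip[4] = {192, 168, 1, 1};
    static const uint8_t target_mac[6] = {0x00, 0x0c, 0x29, 0x00, 0x00, 0x42};
    static const uint8_t target_ip[4] = {192, 168, 1, 50};
    memcpy(buf, target_mac, 6);      /* destination MAC */
    memcpy(buf + 6, mac, 6);         /* source MAC */
    buf[12] = 0x08; buf[13] = 0x06;  /* EtherType ARP */
    uint8_t *arp = buf + ETH_HDR_LEN;
    arp[0] = 0; arp[1] = 1;          /* htype Ethernet */
    arp[2] = 0x08; arp[3] = 0x00;    /* ptype IPv4 */
    arp[4] = 6; arp[5] = 4;          /* hlen, plen */
    arp[6] = 0; arp[7] = ARP_OP_REPLY;
    memcpy(arp + 8, mac, 6);         memcpy(arp + 14, ip, 4);
    memcpy(arp + 18, target_mac, 6); memcpy(arp + 24, target_ip, 4);
    return ETH_HDR_LEN + ARP_PKT_LEN;
}

int main(void)
{
    struct arp_table table;
    uint8_t frame[64];
    const uint8_t gw_mac[6]  = {0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0x01}; /* legitimate gateway */
    const uint8_t bad_mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55}; /* impostor */
    memset(&table, 0, sizeof table);
    size_t n = arp_make_reply(frame, gw_mac);
    printf("first reply:   verdict %d (0 = new)\n", arp_check_frame(&table, frame, n));
    printf("repeat reply:  verdict %d (1 = consistent)\n", arp_check_frame(&table, frame, n));
    n = arp_make_reply(frame, bad_mac);
    printf("spoofed reply: verdict %d (2 = conflict)\n", arp_check_frame(&table, frame, n));
    return 0;
}
```

A gateway whose MAC legitimately changes (a replaced router) produces the same conflict, so a real monitor reports it rather than acting on it; the first binding seen is also trusted blindly, which is why Nast-style tools are started before the suspected attacker.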
    Gspoof
    A tool that makes building and sending TCP/IP packets easier and more accurate. It works from the console (command line) and also has an easy-to-use graphical interface written in GTK+. You can add a payload, send multiple packets with a given delay and count, enable Explicit Congestion Notification support, and much more.
    [ homepage screenshots ]
    Vida
    A multi-datapipe handler, written in C with the ncurses library, for Unix and Unix-like operating systems.
    [ homepage ]
    UmL
    Userspace logger that does not require r00t privileges. It works by hijacking libc functions, as described by halflife in "Shared Library Redirection" (Phrack 51). UmL logs the output of read()/recv() and intercepts open(), open64(), close(), socket(), connect() and exit(). Many other important functions, such as recvfrom()/recvmsg(), fopen() and write(), are not covered: this code is only a proof of concept ;-)
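An added example, not UmL's code, of the technique the entry names: a libc call is shadowed by a function of the same name, and the real one is reached through dlsym(RTLD_NEXT, ...). The hooked calls here are socket() and connect(), two of those UmL lists; the call counters, the uml_* accessors and the /nonexistent/uml-demo.sock path are assumptions for the demo. With main() dropped and the file built as `gcc -shared -fPIC -o uml.so uml.c` (add -ldl on glibc older than 2.34), `LD_PRELOAD=./uml.so prog` makes the two hooks apply to any dynamically linked program without root privileges; compiled directly into a program, as below, they intercept that program's own calls, which is enough to show the mechanism.

```c
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)  /* glibc value, normally exposed by _GNU_SOURCE */
#endif

/* Added example, not UmL's code. Shared-library redirection (Phrack 51):
 * our socket()/connect() are bound first by the dynamic linker and forward
 * to libc's via dlsym(RTLD_NEXT). Names and paths here are made up. */

static unsigned long g_socket_calls;
static unsigned long g_connect_calls;
static char g_last_unix_path[sizeof(((struct sockaddr_un *)0)->sun_path)];

int socket(int domain, int type, int protocol)
{
    static int (*real_socket)(int, int, int);
    if (!real_socket)
        real_socket = (int (*)(int, int, int))dlsym(RTLD_NEXT, "socket");
    g_socket_calls++;
    /* Logging uses stderr, i.e. write(), which is deliberately not hooked:
     * hooking write() and calling fprintf() from the hook would recurse. */
    fprintf(stderr, "[uml] socket(domain=%d, type=%d, proto=%d)\n", domain, type, protocol);
    return real_socket(domain, type, protocol);
}

int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    static int (*real_connect)(int, const struct sockaddr *, socklen_t);
    if (!real_connect)
        real_connect = (int (*)(int, const struct sockaddr *, socklen_t))dlsym(RTLD_NEXT, "connect");
    g_connect_calls++;
    if (addr && addr->sa_family == AF_UNIX && len > offsetof(struct sockaddr_un, sun_path)) {
        const struct sockaddr_un *un = (const struct sockaddr_un *)addr;
        /* Copy only the bytes the caller supplied and NUL-terminate. */
        size_t n = len - offsetof(struct sockaddr_un, sun_path);
        if (n >= sizeof g_last_unix_path)
            n = sizeof g_last_unix_path - 1;
        memcpy(g_last_unix_path, un->sun_path, n);
        g_last_unix_path[n] = '\0';
        fprintf(stderr, "[uml] connect(fd=%d, unix:%s)\n", fd, g_last_unix_path);
    } else {
        fprintf(stderr, "[uml] connect(fd=%d, family=%d)\n", fd, addr ? addr->sa_family : -1);
    }
    /* The attempt is logged before the real call, so failures are seen too. */
    return real_connect(fd, addr, len);
}

/* Accessors so the program (or a test) can inspect what was logged. */
unsigned long uml_socket_calls(void)  { return g_socket_calls; }
unsigned long uml_connect_calls(void) { return g_connect_calls; }
const char *uml_last_unix_path(void)  { return g_last_unix_path; }

int main(void)
{
    struct sockaddr_un sa;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, "/nonexistent/uml-demo.sock");  /* made-up path */
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    int rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);  /* fails: no such socket */
    close(fd);
    fprintf(stderr, "connect returned %d; logged %lu socket() and %lu connect() calls\n",
            rc, uml_socket_calls(), uml_connect_calls());
    return 0;
}
```

Calls that libc makes to its own internal aliases (for example the open() inside fopen()) never pass through these hooks, which is why a logger of this kind has to hook every entry point it cares about; statically linked and setuid programs escape LD_PRELOAD altogether.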
    SS
    A simple, stupid multi-server, pretty useless stuff :^) Written as a training exercise for script kiddies, just a fun piece of code :pP
    IPGenerator
    An IP list generator (/16 netmask) and a parser for nmap -oG output.
    The MCL suite: scanner, parser, translator to C and compiler
    MCL is a language developed for the university course project in "Languages and Compilers" (the "M" stands for the initials of its developers!). MCL is a compact and syntactically clean language for writing mathematical expressions and procedures in a simple and fast way. It supports functions, while loops, if tests, global and local variables, input and output, comments and other crazy features :-).
    The package contains a reference paper (in Italian), the scanner (mcl.l) and the parser (mcl.y), the scripts that build the translator to C, and the compiler.
    Linux VNC 4.1.1 evil client patch - BID 17978
    Patch for the VNC client that exploits the RealVNC 4.1.1 authentication bypass (Bugtraq ID 17978): the client answers the server's security-type offer with the "None" type and is allowed to log in without a password, although the server requires one.
    Read my Bugtraq post.
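An added example, not the patch from the page, modelling the bug class behind Bugtraq ID 17978 (RealVNC 4.1.1, CVE-2006-2369) in the RFB 3.8 security-type negotiation: after the version handshake the server sends the number of security types it offers followed by the list (1 = None, 2 = VNC Authentication), and the client answers with a single byte. The vulnerable server acted on whatever byte arrived, so a client that ignored the offer and sent 1 was let in with no password; the fixed variant accepts only a type it actually offered. The message framing follows RFB 3.8; the function names and the outcome enum are assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the page's patch: RFB 3.8 security-type negotiation
 * with a vulnerable and a fixed server side by side. Names are made up. */

enum { RFB_SEC_INVALID = 0, RFB_SEC_NONE = 1, RFB_SEC_VNCAUTH = 2 };
enum rfb_outcome { RFB_AUTH_FAILED = 0, RFB_AUTH_OK = 1, RFB_AUTH_CHALLENGE = 2 };

/* Server -> client: U8 number-of-security-types, then the U8 types.
 * out must hold n + 1 bytes. Returns the message length. */
size_t rfb_server_offer(uint8_t *out, const uint8_t *types, uint8_t n)
{
    out[0] = n;
    memcpy(out + 1, types, n);
    return (size_t)n + 1;
}

/* Honest client: pick the first offered type it supports. */
uint8_t rfb_client_choose(const uint8_t *msg, size_t len)
{
    if (len < 1 || msg[0] == 0 || len < (size_t)msg[0] + 1)
        return RFB_SEC_INVALID;
    for (size_t i = 1; i <= msg[0]; i++)
        if (msg[i] == RFB_SEC_VNCAUTH || msg[i] == RFB_SEC_NONE)
            return msg[i];
    return RFB_SEC_INVALID;
}

/* "Evil" client: ignore the offer and claim None, as the page's patch does. */
uint8_t rfb_evil_client_choose(const uint8_t *msg, size_t len)
{
    (void)msg; (void)len;
    return RFB_SEC_NONE;
}

/* What follows the client's choice, shared by both server variants. */
static enum rfb_outcome rfb_proceed(uint8_t type)
{
    switch (type) {
    case RFB_SEC_NONE:    return RFB_AUTH_OK;         /* SecurityResult 0, no password */
    case RFB_SEC_VNCAUTH: return RFB_AUTH_CHALLENGE;  /* 16-byte challenge follows */
    default:              return RFB_AUTH_FAILED;     /* SecurityResult 1 */
    }
}

/* Vulnerable server: trusts the client's byte without checking the offer. */
enum rfb_outcome rfb_server_vulnerable(const uint8_t *offered, uint8_t n, uint8_t chosen)
{
    (void)offered; (void)n;
    return rfb_proceed(chosen);
}

/* Fixed server: the chosen type must be one that was actually offered. */
enum rfb_outcome rfb_server_fixed(const uint8_t *offered, uint8_t n, uint8_t chosen)
{
    for (uint8_t i = 0; i < n; i++)
        if (offered[i] == chosen && chosen != RFB_SEC_INVALID)
            return rfb_proceed(chosen);
    return RFB_AUTH_FAILED;
}

int main(void)
{
    const uint8_t offered[] = { RFB_SEC_VNCAUTH };  /* password-protected server */
    uint8_t msg[8];
    size_t len = rfb_server_offer(msg, offered, 1);
    uint8_t evil = rfb_evil_client_choose(msg, len);
    uint8_t honest = rfb_client_choose(msg, len);
    printf("offer: %zu bytes, types=%u; evil client sends %u, honest client sends %u\n",
           len, msg[1], evil, honest);
    printf("vulnerable server, evil client: outcome %d (1 = logged in)\n",
           rfb_server_vulnerable(offered, 1, evil));
    printf("fixed server, evil client:      outcome %d (0 = rejected)\n",
           rfb_server_fixed(offered, 1, evil));
    printf("fixed server, honest client:    outcome %d (2 = challenge)\n",
           rfb_server_fixed(offered, 1, honest));
    return 0;
}
```

The general lesson is that a server must never let the peer select a weaker mode than the one it advertised; the same check applies to any negotiation where the client echoes a choice back.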

    Papers
    On the Influence of Free Software on Code Reuse in Software Development
    How the virus Remote Shell Trojan (RST) works

    Suggested related sites
    Underground groups:
    2600 The Hacker Quarterly: large American hacker movement.
    Chaos Computer Club: famous German hacker group that periodically organizes international meetings.
    Phrack.org: a hacker magazine by the community, for the community.
    THC The Hacker's Choice: international group of experts active in information security since 1995.
    Softproject: Italian non-profit association involved in information security. It publishes the BFi magazine.
    Security resources:
    BugTraq: moderated full-disclosure mailing list for the detailed discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them.
    Packet Storm: non-profit organization of security professionals that offers an abundant resource of up-to-date and historical security tools, exploits and advisories.
    Security Focus: international website that offers a large database of advisories and exploits.
    Linux related resources:
    Linux (the kernel!): the Linux Kernel.
    Linux kernel mailing lists: many public mailing lists for linux kernel developers.


    International Secure Systems Lab www.iseclab.org