Publications

I keep a list of papers here and slides here. Feel free to browse.

2021
Black Widow: Blackbox Data-driven Web Scanning.
Benjamin Eriksson, Giancarlo Pellegrino, and Andrei Sabelfeld.
Proceedings of the 42nd IEEE Symposium on Security & Privacy (IEEE SP 2021).
[ tool/code ]
2020
SentiNet: Detecting Localized Universal Attack Against Deep Learning Systems.
Edward Chou, Florian Tramèr, and Giancarlo Pellegrino.
Proceedings of the 41st IEEE Symposium on Security & Privacy Workshops (SPW).
[ extd. ver. ]
Automatic Uncovering of Hidden Behaviors from Input Validation in Mobile Apps.
Qingchuan Zhao, Chaoshun Zuo, Brendan Dolan-Gavitt, Giancarlo Pellegrino, and Zhiqiang Lin.
Proceedings of the 41st IEEE Symposium on Security & Privacy (IEEE SP 2020).
Deceptive Previews: A Study of the Link Preview Trustworthiness in Social Platforms.
Giada Stivala and Giancarlo Pellegrino.
27th Annual Network and Distributed System Security symposium, February 2020 (NDSS 2020).
Raccoon: Automated Verification of Guarded Race Conditions in Web Applications.
Simon Koch, Tim Sauer, Martin Johns, and Giancarlo Pellegrino.
The 35th ACM/SIGAPP Symposium on Applied Computing (SAC '20).
2019
AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning.
Florian Tramèr, Pascal Dupré, Gili Rusak, Giancarlo Pellegrino, and Dan Boneh.
Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS '19).
[ tool/code ]
Geo-locating Drivers: A Study of Sensitive Data Leakage in Ride-Hailing Services.
Qingchuan Zhao, Chaoshun Zuo, Giancarlo Pellegrino, and Zhiqiang Lin.
26th Annual Network and Distributed System Security symposium, February 2019 (NDSS 2019).
Fidelius: Protecting User Secrets from Compromised Browsers.
Saba Eskandarian, Jonathan Cogan, Sawyer Birnbaum, Peh Brandon, Dillon Franke, Forest Fraser, Gaspar Garcia, Eric Gong, Hung Nguyen, Taresh Sethi, Vishal Subbiah, Michael Backes, Giancarlo Pellegrino, and Dan Boneh.
Proceedings of the 40th IEEE Symposium on Security & Privacy (IEEE SP 19).
[ tool/code ]
2018
AdVersarial: Perceptual Ad Blocking meets Adversarial Machine Learning.
Florian Tramèr, Pascal Dupré, Gili Rusak, Giancarlo Pellegrino, and Dan Boneh.
Arxiv.
[ tool/code ]
SentiNet: Detecting Localized Universal Attacks Against Deep Learning Systems.
Edward Chou, Florian Tramèr, and Giancarlo Pellegrino.
Arxiv.
Fidelius: Protecting User Secrets from Compromised Browsers.
Saba Eskandarian, Jonathan Cogan, Sawyer Birnbaum, Peh Brandon, Dillon Franke, Forest Fraser, Gaspar Garcia, Eric Gong, Hung Nguyen, Taresh Sethi, Vishal Subbiah, Michael Backes, Giancarlo Pellegrino, and Dan Boneh.
Arxiv.
[ tool/code ]
Formally Reasoning about the Cost and Efficacy of Securing the Email Infrastructure.
Patrick Speicher, Marcel Steinmetz, Robert Kuennemann, Milivoj Simeonovski, Giancarlo Pellegrino, Jorg Hoffmann, and Michael Backes.
Proceedings of the 3rd IEEE European Symposium on Security and Privacy (EURO SP 2018).
The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators.
Martin Oltrogge, Erik Derr, Christian Stransky, Sascha Fahl, Yasemin Acar, Christian Rossow, Giancarlo Pellegrino, Sven Bugiel, and Michael Backes.
Proceedings of the 39th IEEE Symposium on Security and Privacy (IEEE SP 18).
Didn't You Hear Me? - Towards More Successful Web Vulnerability Notifications.
Ben Stock, Giancarlo Pellegrino, Frank Li, Christian Rossow, and Michael Backes.
25th Annual Network and Distributed System Security symposium (NDSS 2018).
2017
Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs.
Giancarlo Pellegrino, Martin Johns, Simon Koch, Michael Backes, and Christian Rossow.
Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17).
[ slides ] [ tool/code ]
Who Controls the Internet?: Analyzing Global Threats Using Property Graph Traversals.
Milivoj Simeonovski, Giancarlo Pellegrino, Christian Rossow, and Michael Backes.
Proceedings of the 26th International Conference on World Wide Web (WWW '17).
2016
Uses and Abuses of Server-Side Requests.
Giancarlo Pellegrino, Onur Catakoglu, Davide Balzarotti, and Christian Rossow.
Research in Attacks, Intrusions, and Defenses: 19th International Symposium, RAID 2016, Paris, France, September 19-21, 2016, Proceedings.
[ slides ] [ tool/code ]
Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification.
Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes.
25th USENIX Security Symposium (USENIX Security 16).
POSTER: Mapping the Landscape of Large-Scale Vulnerability Notifications.
Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes.
Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16).
2015
jÄk: Using Dynamic Analysis to Crawl and Test Modern Web Applications.
Giancarlo Pellegrino, Constantin Tschürtz, Eric Bodden, and Christian Rossow.
Research in Attacks, Intrusions, and Defenses: 18th International Symposium, RAID 2015, Kyoto, Japan, November 2-4, 2015. Proceedings.
[ slides ] [ tool/code ]
In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services.
Giancarlo Pellegrino, Davide Balzarotti, Stefan Winter, and Neeraj Suri.
24th USENIX Security Symposium (USENIX Security 15).
On the Feasibility of Side-Channel Attacks in a Virtualized Environment.
Tsvetoslava Vateva-Gurova, Jesus Luna, Giancarlo Pellegrino, and Neeraj Suri.
E-Business and Telecommunications: 11th International Joint Conference, ICETE 2014, Vienna, Austria, August 28-30, 2014, Revised Selected Papers.
Technical Implementation and Feasibility.
Gert Låssøe Mikkelsen, Kasper Damgård, Hans Guldager, Jonas Lindstrøm Jensen, Jesus Luna Garcia, Janus Dam Nielsen, Pascal Paillier, Giancarlo Pellegrino, Michael Bladt Stausholm, Neeraj Suri, and Heng Zhang.
Chapter in Attribute-based Credentials for Trust: Identity in the Information Society.
Cashing Out the Great Cannon? On Browser-Based DDoS Attacks and Economics.
Giancarlo Pellegrino, Christian Rossow, Fabrice J. Ryba, Thomas C. Schmidt, and Matthias Wählisch.
9th USENIX Workshop on Offensive Technologies (WOOT 15).
2014
Towards a framework for assessing the feasibility of side-channel attacks in virtualized environments.
T. Vateva-Gurova, J. Luna, G. Pellegrino, and N. Suri.
2014 11th International Conference on Security and Cryptography (SECRYPT).
Toward Black-Box Detection of Logic Flaws in Web Applications.
Giancarlo Pellegrino and Davide Balzarotti.
21st Annual Network and Distributed System Security symposium (NDSS 2014).
2013
An Authentication Flaw in Browser-based Single Sign-On Protocols: Impact and Remediations.
Alessandro Armando, Roberto Carbone, Luca Compagna, Jorge Cuéllar, Giancarlo Pellegrino, and Alessandro Sorniotti.
Computers and Security vol. 33, 2013.
A Tool for Supporting Developers in Analyzing the Security of Web-Based Security Protocols.
Giancarlo Pellegrino, Luca Compagna, and Thomas Morreggia.
Testing Software and Systems: 25th IFIP WG 6.1 International Conference, ICTSS 2013, Istanbul, Turkey, November 13-15, 2013, Proceedings.
2012
From Model-Checking to Automated Testing of Security Protocols: Bridging the Gap.
Alessandro Armando, Giancarlo Pellegrino, Roberto Carbone, Alessio Merlo, and Davide Balzarotti.
Tests and Proofs: 6th International Conference, TAP 2012, Prague, Czech Republic, May 31 -- June 1, 2012. Proceedings.
The AVANTSSAR Platform for the Automated Validation of Trust and Security of Service-Oriented Architectures.
Alessandro Armando, Wihem Arsac, Tigran Avanesov, Michele Barletta, Alberto Calvi, Alessandro Cappai, Roberto Carbone, Yannick Chevalier, Luca Compagna, Jorge Cuéllar, Gabriel Erzse, Simone Frau, Marius Minea, Sebastian Mödersheim, David Oheimb, Giancarlo Pellegrino, Serena Elisa Ponta, Marco Rocchetto, Michael Rusinowitch, Mohammad Torabi Dashti, Mathieu Turuani, and Luca Viganò.
Tools and Algorithms for the Construction and Analysis of Systems: 18th International Conference, TACAS 2012, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2012, Tallinn, Estonia, March 24 -- April 1, 2012. Proceedings.
2011
From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure?.
Alessandro Armando, Roberto Carbone, Luca Compagna, Jorge Cuéllar, Giancarlo Pellegrino, and Alessandro Sorniotti.
Chapter in From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure?.
Security Validation of Business Processes via Model-Checking.
Wihem Arsac, Luca Compagna, Giancarlo Pellegrino, and Serena Elisa Ponta.
Chapter in Security Validation of Business Processes via Model-Checking.
Automatic Security Analysis of SAML-based Single Sign-On Protocols.
Alessandro Armando, Roberto Carbone, and Luca Compagna.
Chapter in Digital Identity and Access Management: Technologies and Framework, Business Science.
2010
Model-Checking Driven Security Testing of Web-Based Applications.
A. Armando, R. Carbone, L. Compagna, K. Li, and G. Pellegrino.
2010 Third International Conference on Software Testing, Verification, and Validation Workshops.

Presentations and Talks