Publications

I keep a list of papers here and slides here. Feel free to browse.

2018
Formally Reasoning about the Cost and Efficacy of Securing the Email Infrastructure.
Patrick Speicher, Marcel Steinmetz, Robert Kuennemann, Milivoj Simeonovski, Giancarlo Pellegrino, Jorg Hoffmann, and Michael Backes.
Proceedings of the 3rd IEEE European Symposium on Security and Privacy (EURO SP 2018).
The Rise of the Citizen Developer: Assessing the Security Impact of Online App Generators.
Martin Oltrogge, Erik Derr, Christian Stransky, Sascha Fahl, Yasemin Acar, Christian Rossow, Giancarlo Pellegrino, Sven Bugiel, and Michael Backes.
Proceedings of the 39th IEEE Symposium on Security and Privacy (IEEE SP 18).
Didn't You Hear Me? - Towards More Successful Web Vulnerability Notifications.
Ben Stock, Giancarlo Pellegrino, Frank Li, Christian Rossow, and Michael Backes.
25th Annual Network and Distributed System Security Symposium (NDSS 2018).
2017
Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs.
Giancarlo Pellegrino, Martin Johns, Simon Koch, Michael Backes, and Christian Rossow.
Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17).
Who Controls the Internet?: Analyzing Global Threats Using Property Graph Traversals.
Milivoj Simeonovski, Giancarlo Pellegrino, Christian Rossow, and Michael Backes.
Proceedings of the 26th International Conference on World Wide Web (WWW '17).
2016
Uses and Abuses of Server-Side Requests.
Giancarlo Pellegrino, Onur Catakoglu, Davide Balzarotti, and Christian Rossow.
Research in Attacks, Intrusions, and Defenses: 19th International Symposium, RAID 2016, Paris, France, September 19-21, 2016, Proceedings.
Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification.
Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes.
25th USENIX Security Symposium (USENIX Security 16).
POSTER: Mapping the Landscape of Large-Scale Vulnerability Notifications.
Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes.
Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16).
2015
jÄk: Using Dynamic Analysis to Crawl and Test Modern Web Applications.
Giancarlo Pellegrino, Constantin Tschürtz, Eric Bodden, and Christian Rossow.
Research in Attacks, Intrusions, and Defenses: 18th International Symposium, RAID 2015, Kyoto, Japan, November 2-4, 2015, Proceedings.
In the Compression Hornet's Nest: A Security Study of Data Compression in Network Services.
Giancarlo Pellegrino, Davide Balzarotti, Stefan Winter, and Neeraj Suri.
24th USENIX Security Symposium (USENIX Security 15).
On the Feasibility of Side-Channel Attacks in a Virtualized Environment.
Tsvetoslava Vateva-Gurova, Jesus Luna, Giancarlo Pellegrino, and Neeraj Suri.
E-Business and Telecommunications: 11th International Joint Conference, ICETE 2014, Vienna, Austria, August 28-30, 2014, Revised Selected Papers.
Technical Implementation and Feasibility.
Gert Låssøe Mikkelsen, Kasper Damgård, Hans Guldager, Jonas Lindstrøm Jensen, Jesus Luna Garcia, Janus Dam Nielsen, Pascal Paillier, Giancarlo Pellegrino, Michael Bladt Stausholm, Neeraj Suri, and Heng Zhang.
Chapter in Attribute-based Credentials for Trust: Identity in the Information Society.
Cashing Out the Great Cannon? On Browser-Based DDoS Attacks and Economics.
Giancarlo Pellegrino, Christian Rossow, Fabrice J. Ryba, Thomas C. Schmidt, and Matthias Wählisch.
9th USENIX Workshop on Offensive Technologies (WOOT 15).
2014
Towards a framework for assessing the feasibility of side-channel attacks in virtualized environments.
T. Vateva-Gurova, J. Luna, G. Pellegrino, and N. Suri.
2014 11th International Conference on Security and Cryptography (SECRYPT).
Toward Black-Box Detection of Logic Flaws in Web Applications.
Giancarlo Pellegrino and Davide Balzarotti.
21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, California, USA, February 23-26, 2014.
2013
An Authentication Flaw in Browser-based Single Sign-On Protocols: Impact and Remediations.
Alessandro Armando, Roberto Carbone, Luca Compagna, Jorge Cuéllar, Giancarlo Pellegrino, and Alessandro Sorniotti.
Computers and Security vol. 33, 2013.
A Tool for Supporting Developers in Analyzing the Security of Web-Based Security Protocols.
Giancarlo Pellegrino, Luca Compagna, and Thomas Morreggia.
Testing Software and Systems: 25th IFIP WG 6.1 International Conference, ICTSS 2013, Istanbul, Turkey, November 13-15, 2013, Proceedings.
2012
From Model-Checking to Automated Testing of Security Protocols: Bridging the Gap.
Alessandro Armando, Giancarlo Pellegrino, Roberto Carbone, Alessio Merlo, and Davide Balzarotti.
Tests and Proofs: 6th International Conference, TAP 2012, Prague, Czech Republic, May 31 - June 1, 2012, Proceedings.
The AVANTSSAR Platform for the Automated Validation of Trust and Security of Service-Oriented Architectures.
Alessandro Armando, Wihem Arsac, Tigran Avanesov, Michele Barletta, Alberto Calvi, Alessandro Cappai, Roberto Carbone, Yannick Chevalier, Luca Compagna, Jorge Cuéllar, Gabriel Erzse, Simone Frau, Marius Minea, Sebastian Mödersheim, David Oheimb, Giancarlo Pellegrino, Serena Elisa Ponta, Marco Rocchetto, Michael Rusinowitch, Mohammad Torabi Dashti, Mathieu Turuani, and Luca Viganò.
Tools and Algorithms for the Construction and Analysis of Systems: 18th International Conference, TACAS 2012, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2012, Tallinn, Estonia, March 24 - April 1, 2012, Proceedings.
2011
From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure?
Alessandro Armando, Roberto Carbone, Luca Compagna, Jorge Cuéllar, Giancarlo Pellegrino, and Alessandro Sorniotti.
Chapter in From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure?
Security Validation of Business Processes via Model-Checking.
Wihem Arsac, Luca Compagna, Giancarlo Pellegrino, and Serena Elisa Ponta.
Chapter in Security Validation of Business Processes via Model-Checking.
Automatic Security Analysis of SAML-based Single Sign-On Protocols.
Alessandro Armando, Roberto Carbone, and Luca Compagna.
Chapter in Digital Identity and Access Management: Technologies and Framework, Business Science.
2010
Model-Checking Driven Security Testing of Web-Based Applications.
A. Armando, R. Carbone, L. Compagna, K. Li, and G. Pellegrino.
2010 Third International Conference on Software Testing, Verification, and Validation Workshops.