Publications

Most of the documents in this page are postprints and are provided as a means to ensure timely dissemination of scholarly and technical work on a non-commercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author’s copyright. These works may not be reposted without the explicit permission of the copyright holder.

Journal Articles

  1. Information flow control for comparative privacy analyses with Zubair Ahmad, Samuele Casarin and Ben Stock, in International Journal of Information Security (IJIS), 2024. [ doi ]
  2. An empirical analysis of web storage and its applications to web tracking with Zubair Ahmad and Samuele Casarin, in ACM Transactions on the Web (TWEB), 2023.
  3. Certifying machine learning models against evasion attacks by program analysis with Pietro Ferrara and Claudio Lucchese, in Journal of Computer Security (JCS), 2023.
  4. Beyond robustness: resilience verification of tree-based classifiers with Lorenzo Cazzaro, Claudio Lucchese, Federico Marcuzzi and Salvatore Orlando, in Computers & Security (CoSe), 2022. [ arxiv version | doi ]
  5. Feature partitioning for robust tree ensembles and their certification in adversarial scenarios with Claudio Lucchese, Federico Marcuzzi and Salvatore Orlando, in EURASIP Journal on Information Security, 2021.
  6. Measuring web session security at scale with Hugo Jonker, Benjamin Krumnow and Alvise Rabitti, in Computers & Security (CoSe), 2021. [ doi ]
  7. Treant: Training evasion-aware decision trees with Claudio Lucchese, Gabriele Tolomei, Seyum Assefa Abebe and Salvatore Orlando, in Data Mining and Knowledge Discovery (DAMI), 2020.
  8. Machine learning for web vulnerability detection: the case of cross-site request forgery with Mauro Conti, Riccardo Focardi, Alvise Rabitti and Gabriele Tolomei, in IEEE Security & Privacy Magazine, 2020. [ companion paper ]
  9. Sub-session hijacking on the Web: root causes and prevention with Alvise Rabitti and Michele Bugliesi, in Journal of Computer Security (JCS), 2019.
  10. Semantics-based analysis of Content Security Policy deployment with Alvise Rabitti and Michele Bugliesi, in ACM Transactions on the Web (TWEB), 2018.
  11. Surviving the Web: a journey into web session security with Riccardo Focardi, Marco Squarcina and Mauro Tempesta, in ACM Computing Surveys (CSUR), 2017.
  12. Formal methods for web security with Michele Bugliesi and Riccardo Focardi, in Journal of Logical and Algebraic Methods in Programming (JLAMP), 2017.
  13. Security protocol specification and verification with AnBx with Michele Bugliesi, Paolo Modesti and Sebastian Moedersheim, in Journal of Information Security and Applications (JISA), 2016.
  14. CookiExt: patching the browser against session hijacking attacks with Michele Bugliesi, Riccardo Focardi and Wilayat Khan, in Journal of Computer Security (JCS), 2015.
  15. A supervised learning approach to protect client authentication on the Web with Gabriele Tolomei, Andrea Casini, Michele Bugliesi and Salvatore Orlando, in ACM Transactions on the Web (TWEB), 2015. [ dataset ]
  16. Affine refinement types for secure distributed programming with Michele Bugliesi, Fabienne Eigner and Matteo Maffei, in ACM Transactions on Programming Languages and Systems (TOPLAS), 2015.

Conference and Workshop Papers

  1. Verifiable boosted tree ensembles with Lorenzo Cazzaro, Claudio Lucchese and Giulio Ermanno Pibiri, in IEEE Symposium on Security and Privacy (S&P), 2025 (to appear).
  2. Web Platform Threats: Automated detection of web security issues with WPT with Pedro Bernardo, Lorenzo Veronese, Valentino Dalla Valle, Marco Squarcina, Pedro Adao and Matteo Maffei, in USENIX Security Symposium, 2024.
  3. Verifiable learning for robust tree ensembles with Lorenzo Cazzaro, Giulio Ermanno Pibiri and Nicola Prezza, in ACM Conference on Computer and Communication Security (CCS), 2023.
  4. You call this archaeology? Evaluating web archives for reproducible web security measurements with Florian Hantke, Moritz Wilhelm, Alvise Rabitti and Ben Stock, in ACM Conference on Computer and Communication Security (CCS), 2023.
  5. Explainable global fairness verification of tree-based classifiers with Lorenzo Cazzaro, Claudio Lucchese and Salvatore Orlando, in IEEE Conference on Secure and Trustworthy Machine Learning (SaTML), 2023.
  6. The security lottery: measuring client-side web security inconsistencies with Sebastian Roth, Moritz Wilhelm, Alvise Rabitti and Ben Stock, in USENIX Security Symposium, 2022.
  7. What storage? An empirical analysis of web storage in the wild with Zubair Ahmad and Samuele Casarin, in Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb), 2022.
  8. Can I take your subdomain? Exploring same-site attacks on the modern Web with Marco Squarcina, Mauro Tempesta, Lorenzo Veronese and Matteo Maffei, in USENIX Security Symposium, 2021.
  9. The remote on the local: exacerbating web attacks via service workers caches with Marco Squarcina and Matteo Maffei, in Workshop on Offensive Technologies (WOOT), 2021.
  10. AMEBA: an adaptive approach to the black-box evasion of machine learning models with Lorenzo Cazzaro and Claudio Lucchese, in ACM Asia Conference on Computer and Communications Security (AsiaCCS), 2021.
  11. Reining in the Web’s inconsistencies with Site Policy with Tobias Urban, Dennis Tatang, Marius Steffens and Ben Stock, in Network and Distributed System Security Symposium (NDSS), 2021.
  12. Bulwark: holistic and verified security monitoring of web protocols with Lorenzo Veronese and Luca Compagna, in European Symposium on Research in Computer Security (ESORICS), 2020.
  13. Certifying decision trees against evasion attacks by program analysis with Pietro Ferrara and Claudio Lucchese, in European Symposium on Research in Computer Security (ESORICS), 2020.
  14. On compliance of cookie purposes with the purpose specification principle with Imane Fouad, Cristiana Santos, Feras Al Kassar and Nataliia Bielova, in International Workshop on Privacy Engineering (IWPE), 2020.
  15. A tale of two headers: A formal analysis of inconsistent click-jacking protection on the Web with Sebastian Roth, Alvise Rabitti, Michael Backes and Ben Stock, in USENIX Security Symposium, 2020.
  16. A hard lesson: Assessing the HTTPS deployment of Italian university websites with Riccardo Focardi, Alvise Rabitti and Lorenzo Soligo, in Italian Conference on Cybersecurity (ITASEC), 2020. [ companion page ]
  17. Language-based web session integrity with Riccardo Focardi, Niklas Grimm, Matteo Maffei and Mauro Tempesta, in IEEE Computer Security Foundations Symposium (CSF), 2020. [ tech report ]
  18. Complex Security Policy? A longitudinal analysis of deployed content security policies with Sebastian Roth, Timothy Barron, Nick Nikiforakis and Ben Stock, in Network and Distributed Systems Security Symposium (NDSS), 2020.
  19. Adversarial training of gradient-boosted decision trees with Claudio Lucchese and Gabriele Tolomei, in ACM International Conference on Information and Knowledge Management (CIKM), 2019.
  20. Testing for integrity flaws in web sessions with Alvise Rabitti, Alessio Ragazzo and Michele Bugliesi, in European Symposium on Research in Computer Security (ESORICS), 2019.
  21. Mitch: A machine learning approach to the black-box detection of CSRF vulnerabilities with Mauro Conti, Riccardo Focardi, Alvise Rabitti and Gabriele Tolomei, in IEEE European Symposium on Security and Privacy (EuroS&P), 2019.
  22. Postcards from the post-HTTP world: Amplification of HTTPS vulnerabilities in the web ecosystem with Riccardo Focardi, Matus Nemec, Alvise Rabitti and Marco Squarcina, in IEEE Symposium on Security and Privacy (S&P), 2019. [ wired ]
  23. Semantically sound analysis of content security policies with Alvise Rabitti and Michele Bugliesi, in IFIP Joint International Conference on Formal Techniques for Distributed Systems (FORTE), 2019. [ full version ]
  24. WPSE: Fortifying web protocols via browser-side security monitoring with Riccardo Focardi, Matteo Maffei, Clara Schneidewind, Marco Squarcina and Mauro Tempesta, in USENIX Security Symposium, 2018.
  25. Surviving the Web: a journey into web session security (extended abstract) with Riccardo Focardi, Marco Squarcina and Mauro Tempesta, in The Web Conference (Journal Track), 2018. [ full version ]
  26. Dr Cookie and Mr Token – Web session implementations and how to live with them with Alvise Rabitti and Michele Bugliesi, in Italian Conference on Cybersecurity (ITASEC), 2018.
  27. CCSP: Controlled relaxation of content security policies by runtime policy composition with Alvise Rabitti and Michele Bugliesi, in USENIX Security Symposium, 2017.
  28. A sound flow-sensitive heap abstraction for the static analysis of Android applications with Ilya Grishchenko, Adrien Koutsos and Matteo Maffei, in IEEE Computer Security Foundations Symposium (CSF), 2017.
  29. Content Security Problems? Evaluating the effectiveness of Content Security Policy in the wild with Alvise Rabitti and Michele Bugliesi, in ACM Conference on Computer and Communication Security (CCS), 2016.
  30. Static detection of collusion attacks in ARBAC-based workflow systems with Alvise Rabitti, Enrico Steffinlongo and Michele Bugliesi, in IEEE Computer Security Foundations Symposium (CSF), 2016.
  31. Micro-policies for web session security with Riccardo Focardi, Matteo Maffei and Niklas Grimm, in IEEE Computer Security Foundations Symposium (CSF), 2016.
  32. HornDroid: Sound and practical static analysis of Android applications by SMT solving with Ilya Grishchenko and Matteo Maffei, in IEEE European Symposium on Security and Privacy (EuroS&P), 2016. [ website ]
  33. Compositional typed analysis of ARBAC policies with Alvise Rabitti and Michele Bugliesi, in IEEE Computer Security Foundations Symposium (CSF), 2015. [ full version ]
  34. Fine-grained detection of privilege escalation attacks on browser extensions with Silvia Crafa, Enrico Steffinlongo and Michele Bugliesi, in European Symposium on Programming (ESOP), 2015. [ full version ]
  35. Formal verification of Liferay RBAC with Alvise Rabitti and Michele Bugliesi, in International Symposium on Engineering Secure Software and Systems (ESSoS), 2015. [ full version ]
  36. Client side web session integrity as a non-interference property with Wilayat Khan, Michele Bugliesi, Willem De Groef and Frank Piessens, in International Conference on Information and System Security (ICISS), 2014.
  37. Provably sound browser-based enforcement of web session integrity with Michele Bugliesi, Riccardo Focardi, Wilayat Khan and Mauro Tempesta, in IEEE Computer Security Foundations Symposium (CSF), 2014. [ full version ]
  38. Quite a mess in my cookie jar! Leveraging machine learning to protect web authentication with Gabriele Tolomei, Michele Bugliesi and Salvatore Orlando, in International World Wide Web Conference (WWW), 2014.
  39. Automatic and robust client-side protection for cookie-based sessions with Michele Bugliesi, Riccardo Focardi and Wilayat Khan, in International Symposium on Engineering Secure Software and Systems (ESSoS), 2014.
  40. Lintent: towards security type-checking of Android applications with Michele Bugliesi and Alvise Spanò, in IFIP Joint International Conference on Formal Techniques for Distributed Systems (FORTE/FMOODS), 2013.
  41. Logical foundations of secure resource management in protocol implementations with Michele Bugliesi, Fabienne Eigner and Matteo Maffei, in International Conference on Principles of Security and Trust (POST), 2013.
  42. Affine refinement types for authentication and authorization with Michele Bugliesi, Fabienne Eigner and Matteo Maffei, in International Symposium on Trustworthy Global Computing (TGC), 2012.
  43. Gran: model checking grsecurity RBAC policies with Michele Bugliesi, Riccardo Focardi and Marco Squarcina, in IEEE Computer Security Foundations Symposium (CSF), 2012.
  44. Resource-aware authorization policies for statically typed cryptographic protocols with Michele Bugliesi, Fabienne Eigner and Matteo Maffei, in IEEE Computer Security Foundations Symposium (CSF), 2011.
  45. Secrecy and authenticity types for secure distributed messaging with Michele Bugliesi and Damiano Macedonio, in Joint Workshop on Automated Reasoning for Security Protocol
    Analysis and Issues in the Theory of Security (ARSPA-WITS)
    , 2010.

PhD Dissertation