from 1st March to 31st May

Publications & Demonstrators

All accepted publications from SPARTA partners under its funding as well as videos presenting some of the work done under SPARTA


Borrowing Your Enemy’s Arrows: the Case of Code Reuse in Android via Direct Inter-app Code Invocation

Jun Gao, Li Li, Pingfan Kong, Tegawendé F. Bissyandé and Jacques Klein

The Android ecosystem offers different facilities to enable commu- nication among app components and across apps to ensure that rich services can be composed through functionality reuse. At the heart of this system is the Inter-component communication (ICC) scheme, which has been largely studied in the literature. Less known in...More>>

Domains: Android, Java, Reflection, DICI

Android Run-time Permission Exploitation User Awareness by Means of Formal Methods

Fausto Fasano, Fabio Martinelli, Francesco Mercaldo, Antonella Santone

Our mobile devices store a lot of sensitive and critical information. Moreover, considering the ability of smartphones and tables to detect the position and to record audio, it is not absolutely an exaggeration to admit that potentially our devices can easily spy on us. The ability to perform these crucial...More>>

Domains: Android

Android Collusion: Detecting Malicious Applications Inter-Communication through SharedPreferences

Rosangela Casolare, Fabio Martinelli, Francesco Mercaldo, Antonella Santone

The Android platform is currently targeted by malicious writers, continuously focused on the development of new types of attacks to extract sensitive and private information from our mobile devices. In this landscape, one recent trend is represented by the collusion attack. In a nutshell this attack requires that two or...More>>

Domains: colluding, malware, model, checking, formal, methods, security, Android, mobile

An Edge-Fog Secure Self-Authenticable Data Transfer Protocol

Venčkauskas A, Morkevicius N, Jukavičius V, Damaševičius R, Toldinas J, Grigaliūnas Š.

Development of the Internet of Things (IoT) opens many new challenges. As IoT devices are getting smaller and smaller, the problems of so-called “constrained devices” arise. The traditional Internet protocols are not very well suited for constrained devices comprising localized network nodes with tens of devices primarily communicating with each...More>>

Domains: fog, computing, communication, protocol, CoAP, information, security, lightweight, security, protocols, wireless, sensors, actuators

Accidental Sensitive Data Leaks Prevention via Formal Verification

Madalina G. Ciobanu, Fausto Fasano, Fabio Martinelli, Francesco Mercaldo, Antonella Santone

Our mobile devices, if compared to their desktop counterpart, store a lot of sensitive and private information. Considering how easily permissions to sensitive and critical resources in the mobile environment are released, for example in Android, sometimes the developer unwittingly causes the leakage of sensitive information, endangering the privacy of...More>>

Domains: Mobile, Security, Security, Verification, Validation

A FPGA-based Control-Flow Integrity Solution for Securing Bare-Metal Embedded Systems

Nicolò Manuearo (POLITO), Gianluca Roascio (POLITO), Paolo Prinetto (Polito), Antonio Varriale (B5 Labs Ltd.)

Memory corruption vulnerabilities, mainly present in C and C++ applications, may enable attackers to maliciously take control over the program running on a target machine by forcing it to execute an unintended sequence of instructions present in memory. This is the principle of modern Code-Reuse Attacks (CRAs) and of famous...More>>

Domains: security, , code-reuse, attacks, return-oriented, programming, ROP, JOP, embedded, systems, microcontrollers, firmware, bare-metal, backward, edges, forward, interrupt

A First Look at Android Applications in Google Play related to Covid-19

Jordan Samhi, Kevin Allix, Tegawendé F. Bissyandé, Jacques Klein

Due to the convenience of access-on-demand to information and business solutions, mobile apps have become an important asset in the digital world. In the context of the Covid-19 pandemic, app developers have joined the response effort in various ways by releasing apps that target different user bases (e.g., all citizens...More>>

Domains: Covid-19, Coronavirus, Android, apps, Statistics

A Deep-Learning-Based Framework for Supporting Analysis and Detection of Attacks on CAN Buses

Alfredo Cuzzocrea, Francesco Mercaldo, Fabio Martinelli

Modern vehicles contain a plethora of electronic units aimed to send and receive data by exploiting the serial communication provided by the CAN bus. CAN packets are broadcasted to all components and it is in charge of the single component to decide if it is the receiver of the packets....More>>

Domains: automotivedeep, learningCAN, busartificial, intelligence

Reflection: An Essential Step Towards Whole-Program Analysis of Android Apps

Xiaoyu Sun, Li Li, Tegawendé F. Bissyandé, Jacques Klein, Damien Octeau, John Grundy , Taming

\ Abstract: Android developers heavily use reflection in their apps for legitimate reasons. However, reflection is also significantly used for hiding malicious actions. Unfortunately, current state-of-the-art static analysis tools for Android are challenged by the presence of reflective calls which they usually ignore. Thus, the results of their security analysis,...More>>

Domains: Android, Apps