General Information
I joined Eurecom in November 2008 as a PhD student, and I'm a member of the International Secure Systems Lab.
My interests cover all aspects of computer security, with particular emphasis on real problems that
affect systems and networks. Some of the topics I am working on are web security, browser security,
botnets and intrusion detection systems.
Prior to joining this lab, I worked for different companies in Milan, Munich and Sophia-Antipolis
as a security consultant and engineer (see below), and I hold an M.Sc. in Computer Engineering from
the University of Bergamo.
I am a Free Software fellow, and used to be involved in several projects, mainly during my studies.
Nowadays I am more into climbing and, of course, research :)
Education
* Sept.-Dec. 2007, Internship at SAP Research, Security & Trust, Sophia-Antipolis (France).
* March 2007, M.Sc. in Computer Engineering at the University of Bergamo (Italy). Final grade of 110/110.
The internship and research were performed in the Secunet Security Networks AG offices in Munich (Germany).
The objective of our work was the definition of an innovative architecture for personal computers based on the virtualization paradigm, where the security
services are moved from the user OS into a tamper-resistant layer so that they are themselves protected from attacks. A MAC approach has been
adopted to protect the system from attacks conducted with the user OS's administrator privileges. Within this architecture, a novel
antivirus has been developed to intercept raw disk-sector accesses and to conduct low-level virus analysis.
[ Read my thesis titled Security by Virtualization: a novel antivirus for personal computers or this Italian presentation ]
* Spring semester 2005, Exchange student at the Norwegian University of Science and Technology (NTNU) of Trondheim, Faculty of Computer Science and Telematics.
* July 2004, B.Sc. in Computer Engineering at the University of Bergamo.
The research support and hardware were offered by ICT Consulting S.p.A., a security consulting company located in Milan (Italy).
The thesis defines and extends the IDS taxonomy with the "context-based" concept. Standard taxonomies group IDSs into host-based and network-based IDSs: two large and separate families,
distinguished by their source of information. A context-based IDS relies on information that characterizes the monitored host,
correlating it with the network traffic, which drastically reduces false positives, the primary reason for current NIDSs' low efficiency.
[ A new model of Intrusion Detection System: The Router-IDS - presentation ]
Professional activities
* 2008, Security Engineer at Criston Software S.A., Sophia-Antipolis (France).
Responsible for researching, implementing and supporting the development of the Precision Vulnerability Scanner solution. In
particular, my contributions concerned the security scanner engine and the vulnerability tests.
I headed the integration of the Nmap (Network Mapper) product to enhance the scanner's discovery capabilities (host discovery, port scanning, service and OS detection).
* Aug. 2006 - July 2007, Security Researcher for the German Information Security service provider Secunet Security Networks AG, Munich (Germany).
Research and prototype implementation of a novel antivirus, integrated within a Virtual Machine layer. See my M.Sc. thesis above. Technology: C/C++/BASH, Linux, Qemu.
* 2006, Security Consultant for Emaze Network S.p.A., an Italian company that provides services and products in the Information Security field.
Activities: penetration testing, vulnerability assessment, computer and network forensics, secure architecture review, log analysis.
* 2004-2005, Collaborator with Dr. Stefano Zanero's Information Security consulting group Secure Network s.r.l., as experienced consultant and tutor for networking, security and
Unix issues. Milan (Italy).
Publications and Technical Reports
"Abusing Social Networks for Automated User Profiling"
Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti and Christopher Kruegel
International Symposium on Recent Advances in Intrusion Detection
RAID 2010, Ottawa, Canada, September 15-17, 2010
[ abstract, pdf, bib ]
Recently, social networks such as Facebook have experienced a huge surge in popularity. The amount of personal information stored on these sites calls for appropriate security precautions to protect this data.
In this paper, we describe how we are able to take advantage of a common weakness, namely the fact that an attacker can query popular social networks for registered e-mail addresses on a large scale. Starting with a list of about 10.4 million email addresses, we were able to automatically identify more than 1.2 million user profiles associated with these addresses. By automatically crawling and correlating these profiles, we collect detailed personal information about each user, which we use for automated profiling (i.e., to enrich the information available from each user). Having access to such information would allow an attacker to launch sophisticated, targeted attacks, or to improve the efficiency of spam campaigns. We have contacted the most popular providers, who acknowledged the threat and are currently implementing our proposed countermeasures. Facebook and XING, in particular, have recently fixed the problem.
"Security by virtualization: A novel antivirus for personal computers"
Marco Balduzzi
VDM Verlag Dr. Müller e.K., ISBN 978-3-639-25624-6, Paperback, 104 pages, May 7 2010
[ description, book, cover ]
A sort of virtualization appeared four decades ago to perform multi-programming and simple time-sharing tasks inside a single mainframe. Virtualization quickly became the solution to limit costs and save money through server consolidation. Nowadays virtualization is a "hot topic" and it is habitually adopted in development environments for testing and debugging purposes. This book presents a novel paradigm to secure personal computers. Virtualization is used to isolate the user system within a so-called security shell where multiple security services are configured to ensure the tamper resistance of the user's environment. While a conventional personal antivirus can be switched off, manipulated, or avoided by sophisticated malicious code and technically experienced users, this antivirus enforces continuous protection of the user's environment from the security shell. Accesses to the file system are scanned in real time and mobile/encrypted network connections are inspected. The whole system is finally protected by an encryption layer that inconspicuously encrypts the user system.
"Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype"
Antonio Nappa, Aristide Fattori, Marco Balduzzi, Matteo Dell'Amico and Lorenzo Cavallaro
Seventh Conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA 2010, Bonn, Germany, July 8-9 2010
[ abstract, pdf, bib, presentation ]
Skype is one of the most used P2P applications on the Internet: VoIP calls, instant messaging, SMS and other features are provided at a low cost to millions of users. Although Skype is a closed source application, an API allows developers to build custom plugins which interact over the Skype network, taking advantage of its reliability and capability to easily bypass firewalls and NAT devices. Since the protocol is completely undocumented, Skype traffic is particularly hard to analyze and to reverse engineer.
We propose a novel botnet model that exploits an overlay network such as Skype to build a parasitic overlay, making it extremely difficult to track the botmaster and disrupt the botnet without damaging legitimate Skype users. While Skype is particularly valid for this purpose due to its abundance of features and its widespread installed base, our model is generically applicable to distributed applications that employ overlay networks to send direct messages between nodes (e.g., peer-to-peer software with messaging capabilities). We are convinced that similar botnet models are likely to appear in the wild in the near future and that the threats they pose should not be underestimated. Our contribution strives to provide the tools to correctly evaluate and understand the possible evolution and deployment of this phenomenon.
"A Solution for the Automated Detection of Clickjacking Attacks"
Marco Balduzzi, Manuel Egele, Engin Kirda, Davide Balzarotti, Christopher Kruegel
Symposium on Information, Computer and Communications Security
AsiaCCS 2010, Beijing, China, April 13-16 2010
[ abstract, pdf, bib ]
Clickjacking is a web-based attack that has recently received wide media coverage. In a clickjacking attack, a malicious page is constructed such that it tricks victims into clicking on an element of a different page that is only barely (or not at all) visible. By stealing the victim's clicks, an attacker could force the user to perform an unintended action that is advantageous for the attacker (e.g., initiate an online money transaction). Although clickjacking has been the subject of many discussions and alarming reports, it is currently unclear to what extent clickjacking is being used by attackers in the wild, and how significant the attack is for the security of Internet users.
In this paper, we propose a novel solution for the automated and efficient detection of clickjacking attacks. We describe the system that we designed, implemented and deployed to analyze over a million unique web pages. The experiments show that our approach is feasible in practice. Also, the empirical study that we conducted on a large number of popular websites suggests that clickjacking has not yet been largely adopted by attackers on the Internet.
"Abusing Social Networks for Automated User Profiling"
Marco Balduzzi, Christian Platzer, Thorsten Holz, Engin Kirda, Davide Balzarotti, and Christopher Kruegel
EURECOM Research Report RR-10-233, March 3 2010
[ abstract, pdf, bib ]
Recently, social networks such as Facebook have experienced a huge surge in popularity. The amount of personal information stored in these sites calls for appropriate security precautions to protect this data.
In this paper, we describe how we are able to take advantage of a common weakness, namely the fact that an attacker can query the social network for registered e-mail addresses on a large scale. Starting with a list of about 10.4 million email addresses, we were able to automatically identify more than 1.2 million user profiles associated with these addresses. By crawling these profiles, we collect publicly available personal information about each user, which we use for automated profiling (i.e., to enrich the information available from each user).
Finally, we propose a number of mitigation techniques to protect the user's privacy. We have contacted the most popular providers, who acknowledged the threat and are currently implementing our countermeasures. Facebook and XING in particular have recently fixed the problem.
Talks
New Insights into Clickjacking, OWASP AppSec Research 2010, Stockholm, Sweden - 24/06/10
[ pdf odp html slideshare ]
Old School
Here you find a bunch of "old school" material that I produced during my past years.
Talks (sxi is the OpenOffice.org presentation format)
* Security by Virtualization, Metro Olografix Hacking Party - 19/05/07
[ pdf ]
* Network multimedia with GNU/Linux, LinuxDay @ School by BgLUG Val Seriana - 04/03/06
[ pdf sxi ]
* Secure networking with GNU/Linux, LinuxDay 2005 Bergamo - 26/11/05
[ pdf sxi html recording-mp3 ]
* Introduction to software development in the GNU/Linux environment (with particular reference to the C language), Version 0.2, LinuxDay 2004 Bergamo - 27/11/04
[ pdf sxi html ]
* Risks and insecurities of IT infrastructures, SatEXPO 2004 Vicenza - 30/09/04
[ pdf sxi html ]
* Techniques for prevention, protection and identification of IT attacks, SatEXPO 2004 Vicenza - 30/09/04
[ pdf sxi html ]
* Introduction to software development in the GNU/Linux environment (with particular reference to the C language), MOCA 2004 Pescara - 21/05/04
[ pdf sxi html ]
* Network programming with libpcap and libnet, Webb.it 2004 Padova - 06/05/04
[ pdf sxi html example-sources ]
* Security analysis of routing protocols, Security Date 2004 Ancona - 29/04/04
[ pdf sxi html ]
* Intrusion Detection Systems (IDS): state of the art and research, HackMeeting 2004 Genova - 02/04/04
[ pdf html ]
* Security of the GNU/Linux operating system, Linuxday 2003 Bergamo - 29/11/03
[ pdf ]
* Low-level network programming with libpcap and libnet, HackMeeting 2003 Torino - 20/06/03
[ pdf sxi html example-sources ]
Codes
Nast
Packet sniffer and LAN analyzer based on Libnet and Libpcap. It can sniff packets on a network interface in normal or promiscuous mode and log them. It dumps packet headers and payloads in ASCII or ASCII-hex format. You can apply a filter, and the sniffed data can be saved to a separate file. As an analyzer tool, it has many features: building a list of LAN hosts, following a TCP data stream, finding LAN Internet gateways, discovering promiscuous nodes, resetting an established connection, performing single and multi-host half-open port scans, finding the link type, catching the daemon banners of LAN nodes, checking ARP answers to discover possible ARP spoofing, byte counting, applying optional filters and writing report logs.
[ homepage screenshots ]

Gspoof
Tool that makes building and sending TCP/IP packets easier and more accurate. It works from the console (command line) and also has an easy-to-use graphical interface written in GTK+. You can add a payload, send multiple packets specifying delay and count, enable Explicit Congestion Notification support and much more.
[ homepage screenshots ]

Vida
A multi-datapipe handler, written in C with the ncurses library, for Unix and Unix-like OSes.
[ homepage ]

UmL
Userspace logger that does not require r00t privileges. It works by hijacking libc functions, as described by halflife in "Shared Library Redirection" (Phrack 51). UmL logs read()/recv() output and intercepts open(), open64(), close(), socket(), connect() and exit(). There are many other important functions like recvfrom()/recvmsg(), fopen(), write(), etc.; this code is only a proof of concept ;-)

SS
A simple stupid multi-server, very useless stuff :^) Written as training for script-kiddies, just a fun piece of code :pP

IPGenerator
An IP list generator (/16 netmask) and a parser for nmap -oG output.

The MCL suite: scanner, parser, translator to C language and compiler
The MCL language was developed for the university project of "Languages and Compilers" (and the "M" stands for the initials of its developers!). MCL is a compact and syntactically clean language for writing math expressions and procedures in a simple and fast way. It supports functions, the while iteration, the if test, global and local variables, input and output, comments and other crazy features :-).
The package contains a reference paper (in Italian), the parser (mcl.l) and the scanner (mcl.y), the scripts to build the translator to C language, and the compiler.

Linux VNC-4.1.1 evil client patch - BID 17978
Patch that exploits VNC vulnerability BID 17978, which allows logging into the server with NULL authentication even though a password is required.
Read my Bugtraq post.
Papers
* On the Influence of Free Software on Code Reuse in Software Development
* How the virus Remote Shell Trojan (RST) works
Suggested related sites
Underground groups:
* 2600 The Hacker Quarterly: huge American hacker movement.
* Chaos Computer Club: famous German hacker group that periodically organizes international meetings.
* Phrack.org: a hacker magazine by the community, for the community.
* THC The Hacker's Choice: international group of experts active in Information Security since 1995.
* Softproject: Italian non-profit association involved in Information Security. It publishes the BFi magazine.
Security resources:
* BugTraq: moderated full-disclosure mailing list for the detailed discussion and announcement of computer security vulnerabilities: what they are, how to exploit them, and how to fix them.
* Packet Storm: non-profit organization comprised of security professionals that offers an abundant resource of up-to-date and historical security tools, exploits, and advisories.
* Security Focus: international website that offers a huge database of advisories and exploits.
Linux related resources:
* Linux (the kernel!): the Linux kernel.
* Linux kernel mailing lists: many public mailing lists for Linux kernel developers.
Contacts
You can contact me by:
Email. marco.balduzzi <put the at sign here> iseclab.org
Phone. +33.(0)4.9300.8260
CVs
I used to maintain a resume, but now don't be surprised to find it outdated.
[ English Français ]
Last Modified: Wed Nov 12 16:32:00 CET 2008