Emanuele Iannone

Institute of Software Security

Blohmstraße 15, 21079

Hamburg, Germany

Hello, I am Emanuele (/Eh-maa-noo-eh-leh/), Postdoctoral Researcher (Research Assistant) at the Hamburg University of Technology (TUHH), Germany.

I am part of the Institute of Software Security (SoftSec), where I dedicate my effort (and passion) to security testing. I am involved in the Horizon EU project Sec4AI4Sec, where I work on automated mining and generation of proof of vulnerabilities (i.e., vulnerability test cases) and developing novel automated vulnerability repair solutions.

In February 2024, I earned a Ph.D. in Computer Science at the University of Salerno (UNISA), Italy. I defended a thesis on software vulnerabilities in the context of software maintenance and evolution (thesis title: There’s Something about Vulnerabilities: Empirical Comprehension and Novel Automated Approaches), supervised (and academically raised) by Prof. Fabio Palomba at the Software Engineering (SeSa) Lab.

My research is entirely rooted in Empirical Software Engineering. In this area, I focused on software security, in particular to security testing, automated exploit generation, mining vulnerability-related data from software repositories, and vulnerability assessment. I adopt AI tools and techniques on a daily basis, without forgetting the (good ol’) heuristic and more traditional approaches.

To summarize, my active research topics are:

     Security Vulnerability Testing
     Mining Software Repositories & Software Analytics (esp. applied to vulnerability-related data)
     AI for Software Security Engineering
     Search-based Software Engineering

I recently got interest in new topics:

Automatic Vulnerability Repair
Human Aspects in Software Security

I have also worked on some others topics that I am not considering much today, though it would still be good to go back to them sometimes:

     Program Comprehension
     Software Refactoring
     Organizational Aspects in Software Engineering
     Green Software Engineering

In September 2020, I earned an M.Sc. Degree in Computer Science at the University of Salerno, defending a thesis on Automated Exploit Generation of Known Java API vulnerabilities advised by Prof. F. Palomba and Prof. A. De Lucia (110/110 cum laude). Two years earlier, In July 2018, I earned an B.Sc. Degree in Computer Science at the University of Salerno, defending a thesis on Automated Refactoring of Android-specific Energy Smells advised by Prof. A. De Lucia (110/110 cum laude).

I am 100% Salernitan. I was born in Salerno, grew up there, and want to school there. I am a proud millennial, born in 1996. I have always been fond of video games, especially role-playing games (RPG), and I used to play them for hours each day. But since my professional life has given me new perspectives, I have had to change my habits and switch to more flexible hobbies, though sometimes I go back doing some retro gaming (nostalgia kicks in).

If you want to hear me talking for an indefinite amount of time, just introduce the topic Pokémon. If you want to hear me only for few hours, you can pick one among Final Fantasy, Attack on Titan, Steins;Gate, Dragon Ball and Jojo’s Bizzare Adventures.

Random facts about me:

Apparently people have trouble with my last name. They keep misspelling it…
I am former World of Warcraft player with a Human Retribution Paladin (For the Alliance, deal with it).

Contact me at: <first-name>.<last-name>@tuhh.de

Selected Publications

2024

TOSEM
Early and Realistic Exploitability Prediction of Just-Disclosed Software Vulnerabilities: How Reliable Can It Be?

Emanuele Iannone, Giulia Sellitto, Emanuele Iaccarino, Filomena Ferrucci, Andrea De Lucia, and Fabio Palomba

ACM Trans. Softw. Eng. Methodol., Mar 2024

Just Accepted

PDF Abstract BibTeX Publisher

With the rate of discovered and disclosed vulnerabilities escalating, researchers have been experimenting with machine learning to predict whether a vulnerability will be exploited. Existing solutions leverage information unavailable when a CVE is created, making them unsuitable just after the disclosure. This paper experiments with early exploitability prediction models driven exclusively by the initial CVE record, i.e., the original description and the linked online discussions. Leveraging NVD and Exploit Database, we evaluate 72 prediction models trained using six traditional machine learning classifiers, four feature representation schemas, and three data balancing algorithms. We also experiment with five pre-trained large language models (LLMs). The models leverage seven different corpora made by combining three data sources, i.e., CVE description, Security Focus, and BugTraq. The models are evaluated in a realistic, time-aware fashion by removing the training and test instances that cannot be labeled “neutral” with sufficient confidence. The validation reveals that CVE descriptions and Security Focus discussions are the best data to train on. Pre-trained LLMs do not show the expected performance, requiring further pre-training in the security domain. We distill new research directions, identify possible room for improvement, and envision automated systems assisting security experts in assessing the exploitability.
@article{iannone:tosem2024:exploitability:prediction, author = {Iannone, Emanuele and Sellitto, Giulia and Iaccarino, Emanuele and Ferrucci, Filomena and De Lucia, Andrea and Palomba, Fabio}, title = {Early and Realistic Exploitability Prediction of Just-Disclosed Software Vulnerabilities: How Reliable Can It Be?}, year = {2024}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, issn = {1049-331X}, url = {https://dl.acm.org/doi/10.1145/3654443}, doi = {10.1145/3654443}, note = {Just Accepted}, journal = {ACM Trans. Softw. Eng. Methodol.}, month = mar, keywords = {Exploitability Prediction, Software Vulnerabilities, Machine Learning, Text Mining, Natural Language Processing.} }

2023

TSE
The Secret Life of Software Vulnerabilities: A Large-Scale Empirical Study

Emanuele Iannone, Roberta Guadagni, Filomena Ferrucci, Andrea De Lucia, and Fabio Palomba

IEEE Transactions on Software Engineering, Jan 2023

PDF Abstract BibTeX Publisher

Software vulnerabilities are weaknesses in source code that can be potentially exploited to cause loss or harm. While researchers have been devising a number of methods to deal with vulnerabilities, there is still a noticeable lack of knowledge on their software engineering life cycle, for example how vulnerabilities are introduced and removed by developers. This information can be exploited to design more effective methods for vulnerability prevention and detection, as well as to understand the granularity at which these methods should aim. To investigate the life cycle of known software vulnerabilities, we focus on how, when, and under which circumstances the contributions to the introduction of vulnerabilities in software projects are made, as well as how long, and how they are removed. We consider 3,663 vulnerabilities with public patches from the National Vulnerability Database—pertaining to 1,096 open-source software projects on GitHub—and define an eight-step process involving both automated parts (e.g., using a procedure based on the SZZ algorithm to find the vulnerability-contributing commits) and manual analyses (e.g., how vulnerabilities were fixed). The investigated vulnerabilities can be classified in 144 categories, take on average at least 4 contributing commits before being introduced, and half of them remain unfixed for at least more than one year. Most of the contributions are done by developers with high workload, often when doing maintenance activities, and removed mostly with the addition of new source code aiming at implementing further checks on inputs. We conclude by distilling practical implications on how vulnerability detectors should work to assist developers in timely identifying these issues.
@article{iannone:tse2022:secret:life, author = {Iannone, Emanuele and Guadagni, Roberta and Ferrucci, Filomena and De Lucia, Andrea and Palomba, Fabio}, journal = {IEEE Transactions on Software Engineering}, title = {The Secret Life of Software Vulnerabilities: A Large-Scale Empirical Study}, year = {2023}, volume = {49}, number = {1}, pages = {44-63}, keywords = {}, doi = {10.1109/TSE.2022.3140868}, url = {https://ieeexplore.ieee.org/document/9672730}, issn = {1939-3520}, month = jan }

2022

JSS
Just-in-time software vulnerability detection: Are we there yet?

Francesco Lomio, Emanuele Iannone, Andrea De Lucia, Fabio Palomba, and Valentina Lenarduzzi

Journal of Systems and Software, Jan 2022

PDF Abstract BibTeX Publisher

Background: Software vulnerabilities are weaknesses in source code that might be exploited to cause harm or loss. Previous work has proposed a number of automated machine learning approaches to detect them. Most of these techniques work at release-level, meaning that they aim at predicting the files that will potentially be vulnerable in a future release. Yet, researchers have shown that a commit-level identification of source code issues might better fit the developer’s needs, speeding up their resolution. Objective: To investigate how currently available machine learning-based vulnerability detection mechanisms can support developers in the detection of vulnerabilities at commit-level. Method: We perform an empirical study where we consider nine projects accounting for 8991 commits and experiment with eight machine learners built using process, product, and textual metrics. Results: We point out three main findings: (1) basic machine learners rarely perform well; (2) the use of ensemble machine learning algorithms based on boosting can substantially improve the performance; and (3) the combination of more metrics does not necessarily improve the classification capabilities. Conclusion: Further research should focus on just-in-time vulnerability detection, especially with respect to the introduction of smart approaches for feature selection and training strategies.
@article{lomio:jss2022:jit:vulnerability:prediction, title = {Just-in-time software vulnerability detection: Are we there yet?}, journal = {Journal of Systems and Software}, volume = {188}, pages = {111283}, year = {2022}, issn = {0164-1212}, doi = {https://doi.org/10.1016/j.jss.2022.111283}, url = {https://www.sciencedirect.com/science/article/pii/S0164121222000437}, author = {Lomio, Francesco and Iannone, Emanuele and {De Lucia}, Andrea and Palomba, Fabio and Lenarduzzi, Valentina}, keywords = {Software vulnerabilities, Machine learning, Empirical SE} }