Emanuele Iannone

Institute of Softare Security

Blohmstraße 15, 21079

Hamburg, Germany

Hello, I am Emanuele (E-muh-nuh-el-E), Postdoctoral Researcher at the Hamburg University of Technology (TUHH), Germany, and Ph.D. candidate in Computer Science at the University of Salerno (UNISA), Italy. In TUHH, I am part of the Institute of Software Security (SoftSec), while in UNISA I was academically raised by Prof. Fabio Palomba and Prof. Andrea De Lucia at the Software Engineering (SeSa) Lab.

I am 100% Salernitan: born in Salerno, grown up in Salerno, went to school in Salerno, graduated in Salerno! I am a proud millenial, born in 1996.

My research revolves around the analysis of software vulnerabilities in the field of Software Maintenance and Evolution. In particular, I am working on mining and generating security tests and exploits for vulnerabilities, as well as automated vulnerability repair. More in general, my research approach consists of empirical methods for dealing with software vulnerabilities, such as building vulnerability prediction models, assessing their risk automatically, and devising new security testing techniques. My research falls within Empirical Software Engineering, a sub-domain of Software Engineering focusing on conducting experiments on software systems and developers.

To summarize, my main research topics are:

     Mining Software Repositories & Software Analytics
     Machine Learning for Software Engineering
     Search-based Software Engineering
     Software Reengineering

I have also worked on side topics like:

     Green Software Engineering
     Program Comprehension
     Organizational Aspects in Software Engineering

In September 2020, I received the M.Sc. Degree in Computer Science at University of Salerno, defending a thesis on Automatic Exploit Generation of Known Java API vulnerabilities advised by Prof. F. Palomba and Prof. A. De Lucia (110/110 cum laude) . Two years before, In July 2018, I received the B.Sc. Degree in Computer Science at University of Salerno, defending a thesis on Automatic Refactoring of Android-specific Energy Smells advised by Prof. A. De Lucia (110/110 cum laude).

I have always been fond of video games, especially role-playing games (RPG), playing like hours each day. But since my professional life got new perspectives, I had to change my habits, so I had to switch on more flexible hobbies: anime and TV series. My favourite video game series are Final Fantasy and Pokémon, and I am a great fan of Attack on Titan and Jojo’s Bizzare Adventures TV show.

Selected Publications

2023

EMSE
Rubbing salt in the wound? A large-scale investigation into the effects of refactoring on security

Emanuele Iannone, Zadia Codabux, Valentina Lenarduzzi, Andrea De Lucia, and Fabio Palomba

Empirical Software Engineering, May 2023

PDF Abstract BibTeX

Software refactoring is a behavior-preserving activity to improve the source code quality without changing its external behavior. Unfortunately, it is often a manual and error-prone task that may induce regressions in the source code. Researchers have provided initial compelling evidence of the relation between refactoring and defects, yet little is known about how much it may impact software security. This paper bridges this knowledge gap by presenting a large-scale empirical investigation into the effects of refactoring on the security profile of applications. We conduct a three-level mining software repository study to establish the impact of 14 refactoring types on (i) security-related metrics, (ii) security technical debt, and (iii) the introduction of known vulnerabilities. The study covers 39 projects and a total amount of 7,708 refactoring commits. The key results show that refactoring has a limited connection to security. However, Inline Method and Extract Interface statistically contribute to improving some security aspects connected to encapsulating security-critical code components. Extract Superclass and Pull Up Attribute refactoring are commonly found in commits violating specific security best practices for writing secure code. Finally, Extract Superclass and Extract & Move Method refactoring tend to occur more often in commits contributing to the introduction of vulnerabilities. We conclude by distilling lessons learned and recommendations for researchers and practitioners.
@article{iannone:emse2023:refactoring:security, author = {Iannone, Emanuele and Codabux, Zadia and Lenarduzzi, Valentina and De Lucia, Andrea and Palomba, Fabio}, title = {Rubbing salt in the wound? A large-scale investigation into the effects of refactoring on security}, journal = {Empirical Software Engineering}, year = {2023}, month = may, day = {24}, volume = {28}, number = {4}, pages = {89}, issn = {1573-7616}, doi = {10.1007/s10664-023-10287-x}, url = {https://doi.org/10.1007/s10664-023-10287-x} }
TSE
The Secret Life of Software Vulnerabilities: A Large-Scale Empirical Study

Emanuele Iannone, Roberta Guadagni, Filomena Ferrucci, Andrea De Lucia, and Fabio Palomba

IEEE Transactions on Software Engineering, Jan 2023

PDF Abstract BibTeX

Software vulnerabilities are weaknesses in source code that can be potentially exploited to cause loss or harm. While researchers have been devising a number of methods to deal with vulnerabilities, there is still a noticeable lack of knowledge on their software engineering life cycle, for example how vulnerabilities are introduced and removed by developers. This information can be exploited to design more effective methods for vulnerability prevention and detection, as well as to understand the granularity at which these methods should aim. To investigate the life cycle of known software vulnerabilities, we focus on how, when, and under which circumstances the contributions to the introduction of vulnerabilities in software projects are made, as well as how long, and how they are removed. We consider 3,663 vulnerabilities with public patches from the National Vulnerability Database—pertaining to 1,096 open-source software projects on GitHub—and define an eight-step process involving both automated parts (e.g., using a procedure based on the SZZ algorithm to find the vulnerability-contributing commits) and manual analyses (e.g., how vulnerabilities were fixed). The investigated vulnerabilities can be classified in 144 categories, take on average at least 4 contributing commits before being introduced, and half of them remain unfixed for at least more than one year. Most of the contributions are done by developers with high workload, often when doing maintenance activities, and removed mostly with the addition of new source code aiming at implementing further checks on inputs. We conclude by distilling practical implications on how vulnerability detectors should work to assist developers in timely identifying these issues.
@article{iannone:tse2022:secret:life, author = {Iannone, Emanuele and Guadagni, Roberta and Ferrucci, Filomena and De Lucia, Andrea and Palomba, Fabio}, journal = {IEEE Transactions on Software Engineering}, title = {The Secret Life of Software Vulnerabilities: A Large-Scale Empirical Study}, year = {2023}, volume = {49}, number = {1}, pages = {44-63}, keywords = {}, doi = {10.1109/TSE.2022.3140868}, issn = {1939-3520}, month = jan }

2022

JSS
Just-in-time software vulnerability detection: Are we there yet?

Francesco Lomio, Emanuele Iannone, Andrea De Lucia, Fabio Palomba, and Valentina Lenarduzzi

Journal of Systems and Software, Jan 2022

PDF Abstract BibTeX

Background: Software vulnerabilities are weaknesses in source code that might be exploited to cause harm or loss. Previous work has proposed a number of automated machine learning approaches to detect them. Most of these techniques work at release-level, meaning that they aim at predicting the files that will potentially be vulnerable in a future release. Yet, researchers have shown that a commit-level identification of source code issues might better fit the developer’s needs, speeding up their resolution. Objective: To investigate how currently available machine learning-based vulnerability detection mechanisms can support developers in the detection of vulnerabilities at commit-level. Method: We perform an empirical study where we consider nine projects accounting for 8991 commits and experiment with eight machine learners built using process, product, and textual metrics. Results: We point out three main findings: (1) basic machine learners rarely perform well; (2) the use of ensemble machine learning algorithms based on boosting can substantially improve the performance; and (3) the combination of more metrics does not necessarily improve the classification capabilities. Conclusion: Further research should focus on just-in-time vulnerability detection, especially with respect to the introduction of smart approaches for feature selection and training strategies.
@article{lomio:jss2022:jit:vulnerability:prediction, title = {Just-in-time software vulnerability detection: Are we there yet?}, journal = {Journal of Systems and Software}, volume = {188}, pages = {111283}, year = {2022}, issn = {0164-1212}, doi = {https://doi.org/10.1016/j.jss.2022.111283}, url = {https://www.sciencedirect.com/science/article/pii/S0164121222000437}, author = {Lomio, Francesco and Iannone, Emanuele and {De Lucia}, Andrea and Palomba, Fabio and Lenarduzzi, Valentina}, keywords = {Software vulnerabilities, Machine learning, Empirical SE} }

2021

ICPC
Toward Automated Exploit Generation for Known Vulnerabilities in Open-Source Libraries

Emanuele Iannone, Dario Di Nucci, Antonino Sabetta, and Andrea De Lucia

In 2021 IEEE/ACM 29th International Conference on Program Comprehension (ICPC), May 2021

PDF Abstract BibTeX Slides

Modern software applications, including commercial ones, extensively use Open-Source Software (OSS) components, accounting for 90% of software products on the market. This has serious security implications, mainly because developers rely on non-updated versions of libraries affected by software vulnerabilities. Several tools have been developed to help developers detect these vulnerable libraries and assess and mitigate their impact. The most advanced tools apply sophisticated reachability analyses to achieve high accuracy; however, they need additional data (in particular, concrete execution traces, such as those obtained by running a test suite) that is not always readily available.In this work, we propose SIEGE, a novel automatic exploit generation approach based on genetic algorithms, which generates test cases that execute the methods in a library known to contain a vulnerability. These test cases represent precious, concrete evidence that the vulnerable code can indeed be reached; they are also useful for security researchers to better understand how the vulnerability could be exploited in practice. This technique has been implemented as an extension of EVOSUITE and applied on set of 11 vulnerabilities exhibited by widely used OSS JAVA libraries. Our initial findings show promising results that deserve to be assessed further in larger-scale empirical studies.
@inproceedings{iannone:icpc2021:siege, author = {Iannone, Emanuele and Di Nucci, Dario and Sabetta, Antonino and De Lucia, Andrea}, booktitle = {2021 IEEE/ACM 29th International Conference on Program Comprehension (ICPC)}, title = {Toward Automated Exploit Generation for Known Vulnerabilities in Open-Source Libraries}, year = {2021}, volume = {}, number = {}, pages = {396-400}, keywords = {}, doi = {10.1109/ICPC52881.2021.00046}, issn = {2643-7171}, month = may }