Emanuele Iannone

Institute of Software Security

Blohmstraße 15, 21079

Hamburg, Germany

Hello, I am Emanuele (/Eh-maa-noo-eh-leh/), Postdoctoral Researcher (Research Assistant) at the Hamburg University of Technology (TUHH), Germany. I am part of the Institute of Software Security (SoftSec), where I work on mining and creating proof of vulnerabilities (e.g., security test cases, exploits, etc.) and developing novel automated vulnerability repair solutions, contributing to the Horizon EU project Sec4AI4Sec.

In February 2024, I earned a Ph.D. in Computer Science at the University of Salerno (UNISA), Italy. I defended a thesis on software vulnerabilities in the field of Software Maintenance and Evolution (thesis title: There’s Something about Vulnerabilities: Empirical Comprehension and Novel Automated Approaches), supervised (and academically raised) by Prof. Fabio Palomba at the Software Engineering (SeSa) Lab.

My research approach involves employing empirical methods to address software vulnerabilities, such as building vulnerability prediction models, automatically assessing their risk, and devising new security testing techniques. My research falls within Empirical Software Engineering, a sub-domain of Software Engineering that focuses on conducting experiments on software systems and developers.

My main research topics are:

     Mining Software Repositories & Software Analytics
     AI for Software Security Engineering
     Search-based Software Engineering
     Software Reengineering

I have also worked on topics like:

     Green Software Engineering
     Program Comprehension
     Organizational Aspects in Software Engineering

In September 2020, I earned an M.Sc. Degree in Computer Science at the University of Salerno, defending a thesis on Automated Exploit Generation of Known Java API vulnerabilities advised by Prof. F. Palomba and Prof. A. De Lucia (110/110 cum laude). Two years earlier, In July 2018, I earned an B.Sc. Degree in Computer Science at the University of Salerno, defending a thesis on Automated Refactoring of Android-specific Energy Smells advised by Prof. A. De Lucia (110/110 cum laude).

I am 100% Salernitan. I was born in Salerno, grew up there, and attended school there. I am a proud millennial, born in 1996. I have always been fond of video games, especially role-playing games (RPG), and I used to play them for hours each day. But since my professional life has given me new perspectives, I have had to change my habits and switch to more flexible hobbies: anime and TV series. My favorite video game series are Final Fantasy and Pokémon, and I am a great fan of Attack on Titan and Jojo’s Bizzare Adventures TV show.

Contact me at: <first-name>.<last-name>@tuhh.de

Selected Publications

2024

TOSEM
Early and Realistic Exploitability Prediction of Just-Disclosed Software Vulnerabilities: How Reliable Can It Be?

Emanuele Iannone, Giulia Sellitto, Emanuele Iaccarino, Filomena Ferrucci, Andrea De Lucia, and Fabio Palomba

ACM Trans. Softw. Eng. Methodol., Mar 2024

Just Accepted

PDF Abstract BibTeX

With the rate of discovered and disclosed vulnerabilities escalating, researchers have been experimenting with machine learning to predict whether a vulnerability will be exploited. Existing solutions leverage information unavailable when a CVE is created, making them unsuitable just after the disclosure. This paper experiments with early exploitability prediction models driven exclusively by the initial CVE record, i.e., the original description and the linked online discussions. Leveraging NVD and Exploit Database, we evaluate 72 prediction models trained using six traditional machine learning classifiers, four feature representation schemas, and three data balancing algorithms. We also experiment with five pre-trained large language models (LLMs). The models leverage seven different corpora made by combining three data sources, i.e., CVE description, Security Focus, and BugTraq. The models are evaluated in a realistic, time-aware fashion by removing the training and test instances that cannot be labeled “neutral” with sufficient confidence. The validation reveals that CVE descriptions and Security Focus discussions are the best data to train on. Pre-trained LLMs do not show the expected performance, requiring further pre-training in the security domain. We distill new research directions, identify possible room for improvement, and envision automated systems assisting security experts in assessing the exploitability.
@article{iannone:tosem2024:exploitability:prediction, author = {Iannone, Emanuele and Sellitto, Giulia and Iaccarino, Emanuele and Ferrucci, Filomena and De Lucia, Andrea and Palomba, Fabio}, title = {Early and Realistic Exploitability Prediction of Just-Disclosed Software Vulnerabilities: How Reliable Can It Be?}, year = {2024}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, issn = {1049-331X}, url = {https://doi.org/10.1145/3654443}, doi = {10.1145/3654443}, note = {Just Accepted}, journal = {ACM Trans. Softw. Eng. Methodol.}, month = mar, keywords = {Exploitability Prediction, Software Vulnerabilities, Machine Learning, Text Mining, Natural Language Processing.} }

2023

TSE
The Secret Life of Software Vulnerabilities: A Large-Scale Empirical Study

Emanuele Iannone, Roberta Guadagni, Filomena Ferrucci, Andrea De Lucia, and Fabio Palomba

IEEE Transactions on Software Engineering, Jan 2023

PDF Abstract BibTeX

Software vulnerabilities are weaknesses in source code that can be potentially exploited to cause loss or harm. While researchers have been devising a number of methods to deal with vulnerabilities, there is still a noticeable lack of knowledge on their software engineering life cycle, for example how vulnerabilities are introduced and removed by developers. This information can be exploited to design more effective methods for vulnerability prevention and detection, as well as to understand the granularity at which these methods should aim. To investigate the life cycle of known software vulnerabilities, we focus on how, when, and under which circumstances the contributions to the introduction of vulnerabilities in software projects are made, as well as how long, and how they are removed. We consider 3,663 vulnerabilities with public patches from the National Vulnerability Database—pertaining to 1,096 open-source software projects on GitHub—and define an eight-step process involving both automated parts (e.g., using a procedure based on the SZZ algorithm to find the vulnerability-contributing commits) and manual analyses (e.g., how vulnerabilities were fixed). The investigated vulnerabilities can be classified in 144 categories, take on average at least 4 contributing commits before being introduced, and half of them remain unfixed for at least more than one year. Most of the contributions are done by developers with high workload, often when doing maintenance activities, and removed mostly with the addition of new source code aiming at implementing further checks on inputs. We conclude by distilling practical implications on how vulnerability detectors should work to assist developers in timely identifying these issues.
@article{iannone:tse2022:secret:life, author = {Iannone, Emanuele and Guadagni, Roberta and Ferrucci, Filomena and De Lucia, Andrea and Palomba, Fabio}, journal = {IEEE Transactions on Software Engineering}, title = {The Secret Life of Software Vulnerabilities: A Large-Scale Empirical Study}, year = {2023}, volume = {49}, number = {1}, pages = {44-63}, keywords = {}, doi = {10.1109/TSE.2022.3140868}, issn = {1939-3520}, month = jan }

2022

JSS
Just-in-time software vulnerability detection: Are we there yet?

Francesco Lomio, Emanuele Iannone, Andrea De Lucia, Fabio Palomba, and Valentina Lenarduzzi

Journal of Systems and Software, Jan 2022

PDF Abstract BibTeX

Background: Software vulnerabilities are weaknesses in source code that might be exploited to cause harm or loss. Previous work has proposed a number of automated machine learning approaches to detect them. Most of these techniques work at release-level, meaning that they aim at predicting the files that will potentially be vulnerable in a future release. Yet, researchers have shown that a commit-level identification of source code issues might better fit the developer’s needs, speeding up their resolution. Objective: To investigate how currently available machine learning-based vulnerability detection mechanisms can support developers in the detection of vulnerabilities at commit-level. Method: We perform an empirical study where we consider nine projects accounting for 8991 commits and experiment with eight machine learners built using process, product, and textual metrics. Results: We point out three main findings: (1) basic machine learners rarely perform well; (2) the use of ensemble machine learning algorithms based on boosting can substantially improve the performance; and (3) the combination of more metrics does not necessarily improve the classification capabilities. Conclusion: Further research should focus on just-in-time vulnerability detection, especially with respect to the introduction of smart approaches for feature selection and training strategies.
@article{lomio:jss2022:jit:vulnerability:prediction, title = {Just-in-time software vulnerability detection: Are we there yet?}, journal = {Journal of Systems and Software}, volume = {188}, pages = {111283}, year = {2022}, issn = {0164-1212}, doi = {https://doi.org/10.1016/j.jss.2022.111283}, url = {https://www.sciencedirect.com/science/article/pii/S0164121222000437}, author = {Lomio, Francesco and Iannone, Emanuele and {De Lucia}, Andrea and Palomba, Fabio and Lenarduzzi, Valentina}, keywords = {Software vulnerabilities, Machine learning, Empirical SE} }