Artifact for Understanding the Status and Strategies of the Code Signing Abuse Ecosystem
The artifact contains a CSV table and a ZIP folder of certificate files. The CSV file mainly records metadata of abusive certificates—such as hash, serial number, subject, issuer, validity period, and abuse category—and provides the VirusTotal report of one representative software sample signed by each certificate. The ZIP folder contains the original .cer files of all abused certificates listed in the CSV. Each file is named after its MD5 value, and the total number of certificates (2,072) is consistent with the description in Section IV.C of the paper.
The artifact evaluated for NDSS 2026 is permanently archived at:
https://doi.org/10.5281/zenodo.17666996
The paper can be seen at NDSS26_FINAL_VERSION.pdf.
If you use the dataset in your research, please cite:
@inproceedings{xxx,
title={Understanding the Status and Strategies of the Code Signing Abuse Ecosystem},
author={Zhao, Hanqing and Zhang, Yiming and Ying, Lingyun and Zhang, Mingming and Liu, Baojun and Duan, Haixin and You, Zi-Quan and Zhang, Shuhao},
booktitle={Network and Distributed System Security (NDSS) Symposium},
year={2026},
doi={10.14722/ndss.2026.242857}
}
-
You can visit my personal website: https://zhaohq00.github.io/
-
You can also reach me via email: zhaohq23@mails.tsinghua.edu.cn
This artifact is released under the MIT License (see LICENSE).