William Enck
Co-authored papers
2024
- VFCFinder: Pairing Security Advisories and Patches
ACM ASIA Conference on Computer and Communications Security
Trevor Dunlap, Elizabeth Lin, William Enck, and Bradley Reaves
Our natural-language-to-programming-language model matches vulnerability reports to their fixing commits with 96.6% top-5 recall, backfilling over 300 missing patch links accepted into the GitHub Security Advisory database.
- Pairing Security Advisories with Vulnerable Functions Using Open-Source LLMs
Conference on Detection of Intrusions and Malware and Vulnerability Assessment
Trevor Dunlap, John Speed Meyers, Bradley Reaves, and William Enck
Open-source LLMs can pinpoint which functions a security patch fixes, achieving 173% higher precision than treating all changed functions as vulnerable.
2023
- ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions
Proceedings of the USENIX Security Symposium
Siddharth Muralee, Igibek Koishybayev, Aleksandr Nahapetyan, Greg Tystahl, Brad Reaves, Antonio Bianchi, William Enck, Alexandros Kapravelos, and Aravind Machiry
ARGUS is the first static taint analysis of GitHub Actions, and it discovered code injection vulnerabilities in 4,307 workflows and 80 Actions.
- Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis
IEEE European Symposium on Security and Privacy
Trevor Dunlap, Seaver Thorn, William Enck, and Bradley Reaves
Differential Alert Analysis compares static analysis results across commits to discover silently fixed vulnerabilities with high precision, even when using noisy off-the-shelf SAST tools.
- MSNetViews: Geographically Distributed Management of Enterprise Network Security Policy
Proceedings of the ACM Symposium on Access Control Models and Technologies
Iffat Anjum, Jessica Sokal, Hafiza Ramzah Rehman, Ben Weintraub, Ethan Leba, William Enck, Cristina Nita-Rotaru, and Bradley Reaves
Extends NetViews policy enforcement to geographically distributed sites with roaming users.
2022
- Removing the Reliance on Perimeters for Security Using Network Views
Proceedings of the ACM Symposium on Access Control Models and Technologies
Iffat Anjum, Daniel Kostecki, Ethan Leba, Jessica Sokal, Rajit Bharambe, William Enck, Cristina Nita-Rotaru, and Bradley Reaves
SDNs can provide least-privilege, zero-trust networking by implementing a concept we call “network views.”
- A Study of Application Sandbox Policies in Linux
Proceedings of the ACM Symposium on Access Control Models and Technologies
Trevor Dunlap, William Enck, and Bradley Reaves
Flatpak and Snap sandbox policies improve Linux security, but frequent privilege mismatches between the two platforms for the same application reveal that defining least-privilege policy remains error-prone.
2020
- Cardpliance: PCI-DSS Compliance of Android Applications
Proceedings of the USENIX Security Symposium
Samin Yaseer Mahmud, Akhil Acharya, Benjamin Andow, William Enck, and Bradley Reaves
Static analysis can automatically check PCI-DSS compliance of Android apps; 1.67% of 358 popular apps improperly store card numbers or verification codes.
- Actions Speak Louder than Words: Entity-Sensitive Privacy Policy and Dataflow Analysis with PoliCheck
Proceedings of the USENIX Security Symposium
Benjamin Andow, Samin Yaseer Mahmud, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Serge Egelman
Up to 42% of Android apps incorrectly disclose or omit privacy-sensitive data flows in their privacy policy.
2019
- Thou Shalt Discuss Security: Quantifying the Impacts of Instructions to RFC Authors
Proceedings of the Security Standardisation Research Conference
Justin Whitaker, Sathvik Prasad, Bradley Reaves, and William Enck
Mandating security consideration sections in RFCs measurably increased security content volume and breadth across decades of Internet standards.
- PolicyLint: Investigating Internal Privacy Policy Contradictions on Google Play
Proceedings of the USENIX Security Symposium
Benjamin Andow, Samin Yaseer Mahmud, Wenyu Wang, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Tao Xie
Automated analysis found that 14% of 11,430 app privacy policies contradict themselves, indicating misleading data practices.
- HomeSnitch: Behavior Transparency and Control for Smart Home IoT Devices
Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks
TJ O'Connor, Reham Mohamed, Markus Miettinen, William Enck, Bradley Reaves, and Ahmad-Reza Sadeghi
A network-level system classifies encrypted smart home IoT traffic into semantic behaviors with over 99% accuracy, enabling transparency without payload inspection.
- Hestia: Simple Least Privilege Network Policies for Smart Homes
Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks
Sanket Goutam, William Enck, and Bradley Reaves
Classifies smart home devices as controllers or non-controllers to generate least-privilege network policies that isolate compromised IoT devices.
- Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-home Internet of Things
Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks
TJ O'Connor, William Enck, and Bradley Reaves
Sensor blinding and state confusion attacks exploit telemetry flaws in 22 of 24 smart home devices, silently suppressing alerts and disrupting functionality.
2017
- Phonion: Practical protection of metadata in telephony networks
Proceedings on Privacy Enhancing Technologies
Stephan Heuser, Bradley Reaves, Praveen Kumar Pendyala, Henry Carter, Alexandra Dmitrienko, William Enck, Negar Kiyavash, Ahmad-Reza Sadeghi, and Patrick Traynor
Phonion routes traditional voice calls across multiple carriers to provide unlinkable communication with good voice quality.
2016
- *droid: Assessment and evaluation of Android application analysis tools
ACM Computing Surveys
Bradley Reaves, Jasmine Bowers, Sigmond A. Gorski III, Olabode Anise, Rahul Bobhate, Raymond Cho, Hiranava Das, Sharique Hussain, Hamza Karachiwala, Nolen Scaife, Byron Wright, Kevin Butler, William Enck, and Patrick Traynor
Systematically evaluates published Android security analysis tools, finding most suffer from poor maintenance and fail on apps with known vulnerabilities.
2013
- MAST: Triage for Market-scale Mobile Malware Analysis
Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks
Saurabh Chakradeo, Bradley Reaves, Patrick Traynor, and William Enck
App markets can scale malicious code detection by triaging on app package metadata to find 95% of malware while examining only 13% of benign apps.