Publications
2025
-
It Should Be Easy but... New Users' Experiences and Challenges with Secret Management Tools
Proceedings of the ACM SIGSAC Conference on Computer and Communications Security
Lorenzo Neil, Deepthi Mungara, Laurie Williams, Yasemin Acar, and Bradley Reaves
Insufficient documentation and poor interface design prevent developers from effectively adopting secret management tools, even in simple and ideal scenarios.
-
Characterizing Robocalls with Multiple Vantage Points
Proceedings of the IEEE Symposium on Security and Privacy
Sathvik Prasad, Aleksandr Nahapetyan, and Bradley Reaves
Cross-validates five independent robocall measurement vantage points, finding unsolicited calls slowly declining and robocallers adapting to STIR/SHAKEN authentication.
-
AssetHarvester: A Static Analysis Tool for Detecting Secret-Asset Pairs in Software Artifacts
Proceedings of the IEEE/ACM International Conference on Software Engineering
Setu Kumar Basak, K. Virgil English, Ken Ogura, Vitesh Kambara, Bradley Reaves, and Laurie Williams
Static analysis can automatically detect secret-asset pairs across software artifacts, enabling developers to distinguish benign from catastrophic credential exposure.
2024
-
Jäger: Automated Telephone Call Traceback
Proceedings of the ACM Conference on Computer and Communications Security
David Adei, Varun Madathil, Sathvik Prasad, Bradley Reaves, and Alessandra Scafuro
A cryptographic protocol automates abusive phone call traceback in seconds while preserving caller privacy and carrier trade secrets.
-
Fixing Insecure Cellular System Information Broadcasts For Good
International Symposium on Research in Attacks, Intrusions and Defenses
Alexander J. Ross, Bradley Reaves, Yomna Nasser, Gil Cukierman, and Roger Piqueras Jover
LTE and 5G networks can implement backwards-compatible integrity protection for configuration broadcasts with marginal overhead.
-
VFCFinder: Pairing Security Advisories and Patches
ACM ASIA Conference on Computer and Communications Security
Trevor Dunlap, Elizabeth Lin, William Enck, and Bradley Reaves
Our natural-language-to-programming-language model matches vulnerability reports to their fixing commits with 96.6% top-5 recall, backfilling over 300 missing patch links accepted into the GitHub Security Advisory database.
-
Pairing Security Advisories with Vulnerable Functions Using Open-Source LLMs
Conference on Detection of Intrusions and Malware and Vulnerability Assessment
Trevor Dunlap, John Speed Meyers, Bradley Reaves, and William Enck
Open-source LLMs can pinpoint which functions a security patch fixes, achieving 173% higher precision than treating all changed functions as vulnerable.
-
On SMS Phishing Tactics and Infrastructure
Proceedings of the IEEE Symposium on Security and Privacy
Aleksandr Nahapetyan, Sathvik Prasad, Kevin Childs, Adam Oest, Yeganeh Ladwig, Alexandros Kapravelos, and Bradley Reaves
67,991 SMS phishing messages were linked to over 600 distinct operations that reuse cloud infrastructure and phishing kits; monitoring certificate transparency logs offers early warning of new campaigns.
2023
-
A Comparative Study of Software Secrets Reporting by Secret Detection Tools
ACM/IEEE International Symposium on Empirical Software Engineering and Measurement
Setu Basak, Jameson Cox, Bradley Reaves, and Laurie Williams
Benchmarks run on nine secret detection tools show that no tool dominates both precision and recall, with errors traced to generic regexes and incomplete rulesets.
-
Diving into Robocall Content with SnorCall
Proceedings of the USENIX Security Symposium
Sathvik Prasad, Trevor Dunlap, Alexander Ross, and Bradley Reaves
Applies weak-supervision labeling to 232,000 robocall transcripts, producing the first large-scale estimates of robocall scam prevalence and campaign infrastructure.
-
Who Comes Up with this Stuff? Interviewing Authors to Understand How They Produce Security Advice
Symposium on Usable Privacy and Security
Lorenzo Neil, Harshini Sri Ramulu, Yasemin Acar, and Bradley Reaves
Interviews with 21 security advice authors reveal that prioritizing breadth over curation drives the overproduction of guidance that overwhelms users.
-
ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions
Proceedings of the USENIX Security Symposium
Siddharth Muralee, Igibek Koishybayev, Aleksandr Nahapetyan, Greg Tystahl, Brad Reaves, Antonio Bianchi, William Enck, Alexandros Kapravelos, and Aravind Machiry
ARGUS is the first static taint analysis of GitHub Actions, and it discovered code injection vulnerabilities in 4,307 workflows and 80 Actions.
-
Diving into Robocall Content with SnorCall
USENIX Login
Sathvik Prasad, and Bradley Reaves
Research overview of “SnorCall” for USENIX Login.
-
Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis
IEEE European Symposium on Security and Privacy
Trevor Dunlap, Seaver Thorn, William Enck, and Bradley Reaves
Differential Alert Analysis compares static analysis results across commits to discover silently fixed vulnerabilities with high precision, even when using noisy off-the-shelf SAST tools.
-
MSNetViews: Geographically Distributed Management of Enterprise Network Security Policy
Proceedings of the ACM Symposium on Access Control Models and Technologies
Iffat Anjum, Jessica Sokal, Hafiza Ramzah Rehman, Ben Weintraub, Ethan Leba, William Enck, Cristina Nita-Rotaru, and Bradley Reaves
Extends NetViews policy enforcement to geographically distributed sites with roaming users.
-
What Challenges Do Developers Face About Checked-in Secrets in Software Artifacts?
Proceedings of the IEEE/ACM International Conference on Software Engineering
Setu Kumar Basak, Lorenzo Neil, Bradley Reaves, and Laurie Williams
This qualitative analysis of 779 Stack Exchange questions shows developers face 27 challenges managing checked-in secrets in source code.
-
Towards Simultaneous Attacks on Multiple Cellular Networks
Proceedings of the Workshop on Offensive Technologies
Alexander Ross, and Bradley Reaves
The rigid scheduling of LTE downlink transmissions enables a single software-defined radio to surveil multiple cellular networks simultaneously.
-
SecretBench: A Dataset of Software Secrets
Mining Software Repositories Data and Showcase Track
Setu Kumar Basak, Lorenzo Neil, Bradley Reaves, and Laurie Williams
A labeled benchmark of 97,479 secrets across 818 GitHub repositories enables systematic evaluation of secret detection tools.
2022
-
What are the practices for secret management in software artifacts?
Proceedings of the IEEE Secure Development Conference
Setu Basak, Lorenzo Neil, Bradley Reaves, and Laurie Williams
A grey literature review distills 24 secret management practices into six categories, finding that local environment variables and external secret management services are the most widely recommended mitigations.
-
Characterizing the Security of GitHub CI Workflows
Proceedings of the USENIX Security Symposium
Igibek Koishybayev, Aleksandr Nahapetyan, Raima Zachariah, Siddharth Muralee, Bradley Reaves, Alexandros Kapravelos, and Aravind Machiry
99.8% of 447,238 GitHub CI workflows are overprivileged and 97% of repositories execute Actions from unverified creators, exposing systemic supply chain attack vectors.
-
Removing the Reliance on Perimeters for Security Using Network Views
Proceedings of the ACM Symposium on Access Control Models and Technologies
Iffat Anjum, Daniel Kostecki, Ethan Leba, Jessica Sokal, Rajit Bharambe, William Enck, Cristina Nita-Rotaru, and Bradley Reaves
SDNs can provide least-privilege, zero-trust networking by implementing a concept we call “network views.”
-
A Study of Application Sandbox Policies in Linux
Proceedings of the ACM Symposium on Access Control Models and Technologies
Trevor Dunlap, William Enck, and Bradley Reaves
Flatpak and Snap sandbox policies improve Linux security, but frequent privilege mismatches between the two platforms for the same application reveal that defining least-privilege policy remains error-prone.
2021
-
Investigating Web Service Account Remediation Advice
Symposium on Usable Privacy and Security
Lorenzo Neil, Elijah Bouma-Sims, Evan Lafontaine, Yasemin Acar, and Bradley Reaves
Only 39% of 57 popular web services provide guidance covering all five phases of compromised account recovery, leaving most users without adequate remediation support.
-
Anonymous device authorization for cellular networks
Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks
Abida Haque, Varun Madathil, Bradley Reaves, and Alessandra Scafuro
RSA accumulators enable 5G devices to prove they aren’t stolen without revealing their permanent equipment identifier with only modest overhead.
-
Characterizing the Security of Endogenous and Exogenous Desktop Application Network Flows
Proceedings of the Passive and Active Measurement Conference
Matthew McNiece, Ruidan Li, and Bradley Reaves
Measuring the network security of macOS applications requires on-device flow collection and distinguishing app activity from user activity.
-
A First Look at Scams on YouTube
Proceedings of the Workshop on Measurements, Attacks, and Defenses for the Web
Elijah Bouma-Sims, and Bradley Reaves
Scam videos persist on YouTube for a median of nine months, and metadata alone cannot reliably distinguish scams from legitimate content.
2020
-
Does ignoring robocalls make them stop? Here's what we learned from getting 1.5 million calls on 66,000 phone lines
The Conversation
Sathvik Prasad, and Bradley Reaves
Research overview of “Who’s Calling” for The Conversation.
-
Who's Calling? Characterizing Robocalls through Audio and Metadata Analysis
Proceedings of the USENIX Security Symposium
Sathvik Prasad, Elijah Bouma-Sims, Athishay Kiran Mylappan, and Bradley Reaves
A 66,000-line phone honeypot finds no evidence that answering robocalls increases future call volume, overturning popular wisdom.
-
Cardpliance: PCI-DSS Compliance of Android Applications
Proceedings of the USENIX Security Symposium
Samin Yaseer Mahmud, Akhil Acharya, Benjamin Andow, William Enck, and Bradley Reaves
Static analysis can automatically check PCI-DSS compliance of Android apps; 1.67% of 358 popular apps improperly store card numbers or verification codes.
-
Actions Speak Louder than Words: Entity-Sensitive Privacy Policy and Dataflow Analysis with PoliCheck
Proceedings of the USENIX Security Symposium
Benjamin Andow, Samin Yaseer Mahmud, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Serge Egelman
Up to 42% of Android apps incorrectly disclose or omit privacy-sensitive data flows in their privacy policy.
2019
-
Thou Shalt Discuss Security: Quantifying the Impacts of Instructions to RFC Authors
Proceedings of the Security Standardisation Research Conference
Justin Whitaker, Sathvik Prasad, Bradley Reaves, and William Enck
Mandating security consideration sections in RFCs measurably increased security content volume and breadth across decades of Internet standards.
-
PolicyLint: Investigating Internal Privacy Policy Contradictions on Google Play
Proceedings of the USENIX Security Symposium
Benjamin Andow, Samin Yaseer Mahmud, Wenyu Wang, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Tao Xie
Automated analysis found that 14% of 11,430 app privacy policies contradict themselves, indicating misleading data practices.
-
HomeSnitch: Behavior Transparency and Control for Smart Home IoT Devices
Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks
TJ O'Connor, Reham Mohamed, Markus Miettinen, William Enck, Bradley Reaves, and Ahmad-Reza Sadeghi
A network-level system classifies encrypted smart home IoT traffic into semantic behaviors with over 99% accuracy, enabling transparency without payload inspection.
-
Hestia: Simple Least Privilege Network Policies for Smart Homes
Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks
Sanket Goutam, William Enck, and Bradley Reaves
Classifies smart home devices as controllers or non-controllers to generate least-privilege network policies that isolate compromised IoT devices.
-
Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-home Internet of Things
Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks
TJ O'Connor, William Enck, and Bradley Reaves
Sensor blinding and state confusion attacks exploit telemetry flaws in 22 of 24 smart home devices, silently suppressing alerts and disrupting functionality.
-
How Bad Can It Git? Characterizing Secret Leakage in Public GitHub Repositories
Proceedings of the Network and Distributed System Security Symposium
Michael Meli, Matthew McNiece, and Bradley Reaves
Modest resources can rapidly identify the thousands of new API keys and cryptographic secrets leaked daily on GitHub.
2018
-
Characterizing the Security of the SMS Ecosystem with Public Gateways
ACM Transactions on Privacy and Security
Bradley Reaves, Luis Vargas, Nolen Scaife, Dave Tian, Logan Blue, Patrick Traynor, and Kevin R. B. Butler
A 28-month study of 900,000 public SMS gateway messages shows persistent insecure practices and widespread phone-verified account fraud evasion.
-
A Large Scale Investigation of Obfuscation Use in Google Play
Proceedings of the Annual Computer Security Applications Conference
Dominik Wermke, Nicolas Huaman, Yasemin Acar, Bradley Reaves, Patrick Traynor, and Sascha Fahl
Only 25% of 1.7 million Google Play apps use obfuscation, and most developer attempts to apply it fail.
-
Sonar: Detecting SS7 Redirection Attacks Via Call Audio-Based Distance Bounding
Proceedings of the IEEE Symposium on Security and Privacy
Christian Peeters, Hadi Abdullah, Nolen Scaife, Jasmine Bowers, Patrick Traynor, Bradley Reaves, and Kevin Butler
Detects SS7 call redirection attacks by measuring audio round-trip times, catching 100% of real-world redirections in live network tests.
2017
-
Regulators, Mount Up? Analysis of Privacy Policies for Mobile Money Applications
Symposium on Usable Privacy and Security
Jasmine Bowers, Bradley Reaves, Imani N. Sherman, Patrick Traynor, and Kevin Butler
Nearly half of mobile money services lack any privacy policy, and those that exist are often incomplete, unreadable, or unavailable in users’ primary languages.
-
AuthentiCall: Efficient identity and content authentication for phone calls
Proceedings of the USENIX Security Symposium
Bradley Reaves, Logan Blue, Hadi Abdullah, Luis Vargas, Patrick Traynor, and Tom Shrimpton
Provides cryptographic caller-ID verification and conversation integrity for phone calls with minimal overhead.
-
Transparent Web Service Auditing via Network Provenance Functions
Proceedings of the International World Wide Web Conference
Adam Bates, Wajih Ul Hassan, Kevin Butler, Alin Dobra, Bradley Reaves, Patrick Cable, Thomas Moyer, and Nabil Schear
Network provenance functions trace attacks across distributed web service components with application-layer awareness and no software modifications.
-
Phonion: Practical protection of metadata in telephony networks
Proceedings on Privacy Enhancing Technologies
Stephan Heuser, Bradley Reaves, Praveen Kumar Pendyala, Henry Carter, Alexandra Dmitrienko, William Enck, Negar Kiyavash, Ahmad-Reza Sadeghi, and Patrick Traynor
Phonion routes traditional voice calls across multiple carriers to provide unlinkable communication with good voice quality.
-
Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World
ACM Transactions on Privacy and Security
Bradley Reaves, Jasmine Bowers, Nolen Scaife, Adam Bates, Arnav Bhartiya, Patrick Traynor, and Kevin R.B. Butler
A security analysis of all 46 Android mobile money apps reveals pervasive vulnerabilities and negligible improvement one year after our first study on the topic.
-
FinTechSec: Addressing the Security Challenges of Digital Financial Services
IEEE Security & Privacy Magazine
Patrick Traynor, Kevin Butler, Jasmine Bowers, and Bradley Reaves
Identifies security challenges unique to mobile money, SMS transactions, and emerging digital financial platforms.
2016
-
*droid: Assessment and evaluation of Android application analysis tools
ACM Computing Surveys
Bradley Reaves, Jasmine Bowers, Sigmond A. Gorski III, Olabode Anise, Rahul Bobhate, Raymond Cho, Hiranava Das, Sharique Hussain, Hamza Karachiwala, Nolen Scaife, Byron Wright, Kevin Butler, William Enck, and Patrick Traynor
Systematically evaluates published Android security analysis tools, finding most suffer from poor maintenance and fail on apps with known vulnerabilities.
-
Authloop: Practical end-to-end cryptographic authentication for telephony over voice channels
Proceedings of the USENIX Security Symposium
Bradley Reaves, Logan Blue, and Patrick Traynor
A TLS-inspired authentication protocol sent over the voice audio channel verifies caller identity without network changes or a data connection.
-
Detecting SMS spam in the age of legitimate bulk messaging
Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks
Bradley Reaves, Logan Blue, Dave Tian, Patrick Traynor, and Kevin R. B. Butler
Shows legitimate bulk messages like verification codes collapse SMS spam filter recall to 23%, and releases the largest public SMS spam dataset to date.
-
Sending Out an SMS: Characterizing the Security of the SMS Ecosystem with Public Gateways
Proceedings of the IEEE Symposium on Security and Privacy
Bradley Reaves, Nolen Scaife, Dave Tian, Logan Blue, Patrick Traynor, and Kevin Butler
A 14-month analysis of 400,000 messages to public SMS gateways reveals widespread plaintext data leakage and phone-verified account evasion.
2015
-
Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World
Proceedings of the USENIX Security Symposium
Bradley Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, and Kevin R.B. Butler
The first generation of mobile money applications had pervasive vulnerabilities that allowed transaction modification and account impersonation.
-
Boxed Out: Blocking Cellular Interconnect Bypass Fraud at the Network Edge
Proceedings of the USENIX Security Symposium
Bradley Reaves, Ethan Shernan, Adam Bates, Henry Carter, and Patrick Traynor
Audio degradation signatures left by VoIP-to-GSM gateways enable network-edge detection of SIMbox interconnect bypass fraud, which costs operators over $2 billion annually.
-
Uncovering Use-After-Free Conditions In Compiled Code
Proceedings of the International Conference on Availability, Reliability, and Security
David Dewey, Bradley Reaves, and Patrick Traynor
Static analysis detects use-after-free vulnerabilities directly in compiled binaries without requiring source code access.
2013
-
MAST: Triage for Market-scale Mobile Malware Analysis
Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks
Saurabh Chakradeo, Bradley Reaves, Patrick Traynor, and William Enck
App markets can scale malicious code detection by triaging on app package metadata to find 95% of malware while examining only 13% of benign apps.
-
The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers
Proceedings of the Network and Distributed System Security Symposium
Charles Lever, Manos Antonakakis, Brad Reaves, Patrick Traynor, and Wenke Lee
Carrier DNS traffic reveals that mobile malware is rare — fewer than 0.0009% of devices contact known malicious infrastructure.
2012
-
Analysis and mitigation of vulnerabilities in short-range wireless communications for industrial control systems
International Journal of Critical Infrastructure Protection
Bradley Reaves, and Thomas Morris
Surveys vulnerabilities and defenses in short-range wireless protocols deployed in industrial control systems.
-
An open virtual testbed for industrial control system security research
International Journal of Information Security
Bradley Reaves, and Thomas Morris
A virtual testbed replaces costly physical hardware for reproducible industrial control system security experiments.
2011
-
A Control System Testbed to Validate Critical Infrastructure Protection Concepts
International Journal of Critical Infrastructure Protection
Thomas Morris, Anurag Srivastava, Bradley Reaves, Wei Gao, Kalyan Pavurapu, and Ram Reddi
A multi-industry SCADA testbed with commercial hardware and functional physical processes enables realistic critical infrastructure security research and education.
2010
-
On SCADA Control System Command and Response Injection and Intrusion Detection
IEEE eCrime Researchers Summit
Wei Gao, Thomas Morris, Bradley Reaves, and Drew Richey
Develops a neural network IDS that detects command and response injection attacks on SCADA systems by monitoring physical process behavior.
2009
-
Engineering Future cyber-physical Energy Systems: Challenges, Research Needs, and Roadmap
IEEE North American Power Symposium
Thomas Morris, Anurag Srivastava, Bradley Reaves, Kalyan Pavurapu, Sharif Abdelwahed, Rayford Vaughn, Wesley McGrew, and Yoginder Dandass
A position paper identifying key research challenges and engineering needs for securing future cyber-physical energy systems.
-
Discovery, Infiltration, and Denial of Service in a Process Control System Wireless Network
IEEE eCrime Researchers Summit
Bradley Reaves, and Thomas Morris
Examination of a proprietary industrial control wireless radio system demonstrated serious vulnerabilities that the manufacturer had claimed were impossible.