William H Enck

An Empirical Study on Reproducible Packaging in Open-Source Ecosystems

Benedetti, G., Solarin, O., Miller, C., Tystahl, G., Enck, W., Kästner, C., … Verderame, L. (2025, April 26). 2025 IEEE/ACM 47th International Conference on Software Engineering (ICSE).

Context Matters: Qualitative Insights into Developers’ Approaches and Challenges with Software Composition Analysis

Proceedings of the USENIX Security Symposium. https://www.usenix.org/system/files/usenixsecurity25-lin-elizabeth.pdf

ProfessorX: Detecting Silent Vulnerabilities in Policy Engine Implementations

Weintraub, B., Liu, C., Enck, W., & Nita-Rotaru, C. (2025, July 3).

Research Directions in Software Supply Chain Security

Williams, L., Benedetti, G., Hamer, S., Paramitha, R., Rahman, I., Tamanna, M., … Enck, W. (2025, January 27). ACM Transactions on Software Engineering and Methodology, Vol. 34.

Which Is Better For Reducing Outdated and Vulnerable Dependencies: Pinning or Floatingƒ

Rahman, I., Marley, J., Enck, W., & Williams, L. (2025, November 16). (Vol. 11). Vol. 11.

5GAC-Analyzer: Identifying Over-Privilege Between 5G Core Network Functions

Thorn, S., English, K. V., Butler, K. R. B., & Enck, W. (2024, May 20). PROCEEDINGS OF THE 17TH ACM CONFERENCE ON SECURITY AND PRIVACY IN WIRELESS AND MOBILE NETWORKS, WISEC 2024, pp. 66–77.

Examining Cryptography and Randomness Failures in Open-Source Cellular Cores

English, K. V., Bennett, N., Thorn, S., Butler, K. R. B., Enck, W., & Traynor, P. (2024, June 10). PROCEEDINGS OF THE FOURTEENTH ACM CONFERENCE ON DATA AND APPLICATION SECURITY AND PRIVACY, CODASPY 2024, pp. 43–54.

GRASP: Hardening Serverless Applications through Graph Reachability Analysis of Security Policies

Polinsky, I., Datta, P., Bates, A., & Enck, W. (2024, May 8).

Pairing Security Advisories with Vulnerable Functions Using Open-Source LLMs

Dunlap, T., Meyers, J. S., Reaves, B., & Enck, W. (2024, January 1). Lecture Notes in Computer Science, Vol. 14828, pp. 350–369.

RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces

Bennett, N., Zhu, W., Simon, B., Kennedy, R., Enck, W., Traynor, P., & Butler, K. R. B. (2024, December 2).

UntrustIDE: Exploiting Weaknesses in VS Code Extensions

Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS). https://www.ndss-symposium.org/wp-content/uploads/2024-73-paper.pdf

VFCFinder: Pairing Security Advisories and Patches

Dunlap, T., Lin, E., Enck, W., & Reaves, B. (2024, June 28). PROCEEDINGS OF THE 19TH ACM ASIA CONFERENCE ON COMPUTER AND COMMUNICATIONS SECURITY, ACM ASIACCS 2024, pp. 780–794.

ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions

Proceedings of the USENIX Security Symposium, 6983–7000. https://www.usenix.org/conference/usenixsecurity23/presentation/muralee

Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis

It's like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security

2023 IEEE SYMPOSIUM ON SECURITY AND PRIVACY, SP, pp. 1527–1544.

It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security

Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P 2023).

MSNetViews: Geographically Distributed Management of Enterprise Network Security Policy

Anjum, I., Sokal, J., Rehman, H. R., Weintraub, B., Leba, E., Enck, W., … Reaves, B. (2023, May 24). Proceedings of the 28th ACM Symposium on Access Control Models and Technologies, pp. 121–132.

PolyScope: Multi-Policy Access Control Analysis to Triage Android Scoped Storage

Lee, Y.-T., Chen, H., Enck, W., Vijayakumar, H., Li, N., Qian, Z., … Jaeger, T. (2023, August 30). IEEE Transactions on Dependable and Secure Computing.

S3C2 Summit 2023-06: Government Secure Supply Chain Summit

ArXiv Preprint ArXiv:2308.06850.

S3C2 Summit 2202-09: Industry Secure Suppy Chain Summit

ArXiv Preprint ArXiv:2307.15642.

Software Bills of Materials Are Required. Are We There Yet?

Zahan, N., Lin, E., Tamanna, M., Enck, W., & Williams, L. (2023, March 1). IEEE Security & Privacy, Vol. 21, pp. 82–88.

VFCFinder: Seamlessly Pairing Security Advisories and Patches

ArXiv Preprint ArXiv:2311.01532.

${$ALASTOR$}$: Reconstructing the Provenance of Serverless Intrusions

31st USENIX Security Symposium (USENIX Security 22), 2443–2460.

${$FReD$}$: Identifying File ${$Re-Delegation$}$ in Android System Services

31st USENIX Security Symposium (USENIX Security 22), 1525–1542.

A Study of Application Sandbox Policies in Linux

Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies, 19–30.

Analysis of Payment Service Provider SDKs in Android

Mahmud, S. Y., English, K. V., Thorn, S., Enck, W., Oest, A., & Saad, M. (2022, December 3). PROCEEDINGS OF THE 38TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE, ACSAC 2022, pp. 576–590.

Optimizing Honey Traffic Using Game Theory and Adversarial Learning

In Cyber Deception: Techniques, Strategies, and Human Aspects (pp. 97–124). Springer.

Reflections on a Decade of Mobile Security Research

Enck, W. (2022, May 7). PROCEEDINGS OF THE 15TH ACM CONFERENCE ON SECURITY AND PRIVACY IN WIRELESS AND MOBILE NETWORKS (WISEC '22), pp. 2–2.

Removing the Reliance on Perimeters for Security using Network Views

Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies, 151–162.

Top Five Challenges in Software Supply Chain Security: Observations From 30 Industry and Government Organizations

Enck, W., & Williams, L. (2022, March 1). IEEE Security & Privacy, Vol. 20, pp. 96–100.

Hey Alexa, is this Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem

Lentzsch, C., Shah, S. J., Andow, B., Degeling, M., Das, A., & Enck, W. (2021, January 1). 28TH ANNUAL NETWORK AND DISTRIBUTED SYSTEM SECURITY SYMPOSIUM (NDSS 2021).

PolyScope: Multi-Policy Access Control Analysis to Compute Authorized Attack Operations in Android Systems

30th ${$USENIX$}$ Security Symposium (${$USENIX$}$ Security 21).

Role-Based Deception in Enterprise Networks

Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, 65–76.

SCIFFS: Enabling Secure Third-Party Security Analytics using Serverless Computing

Proceedings of the 26th ACM Symposium on Access Control Models and Technologies, 175–186.

Actions speak louder than words: Entity-sensitive privacy policy and data flow analysis with policheck

Proceedings of the 29th USENIX Security Symposium (USENIX Security'20).

Analysis of Access Control Enforcement in Android

Proceedings of the 25th ACM Symposium on Access Control Models and Technologies, 117–118.

Cardpliance: PCI DSS compliance of android applications

Proceedings of the 29th USENIX Conference on Security Symposium, 1517–1533.

Do configuration management tools make systems more secure? an empirical research plan

Proceedings of the 7th Symposium on Hot Topics in the Science of Security, 1–2.

Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS

Deshotels, L., Carabas, C., Beichler, J., Deaconescu, R., & Enck, W. (2020, May 1). 2020 IEEE SYMPOSIUM ON SECURITY AND PRIVACY (SP 2020), pp. 1056–1070.

LeakyPick: IoT Audio Spy Detector

Mitev, R., Pazii, A., Miettinen, M., Enck, W., & Sadeghi, A.-R. (2020, December 7). Annual Computer Security Applications Conference, pp. 694–705.

Optimizing Vulnerability-Driven Honey Traffic Using Game Theory

ArXiv Preprint ArXiv:2002.09069.

nm-Variant Systems: Adversarial-Resistant Software Rejuvenation for Cloud-Based Web Applications

Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy, 235–246.

ACMiner

Gorski, S. A., Andow, B., Nadkarni, A., Manandhar, S., Enck, W., Bodden, E., & Bartel, A. (2019, March 13). PROCEEDINGS OF THE NINTH ACM CONFERENCE ON DATA AND APPLICATION SECURITY AND PRIVACY (CODASPY '19), pp. 25–36.

ARF

Gorski, S. A., & Enck, W. (2019, May 15). PROCEEDINGS OF THE 2019 CONFERENCE ON SECURITY AND PRIVACY IN WIRELESS AND MOBILE NETWORKS (WISEC '19), pp. 151–162.

Blinded and confused

HONEYSCOPE: IoT device protection with deceptive network views

Autonomous Cyber Deception: Reasoning, Adaptive Planning, and Evaluation of HoneyThings, 167–181.

Hestia

HomeSnitch

PolicyLint: Investigating Internal Privacy Policy Contradictions on Google Play.

USENIX Security Symposium, 585–602.

Selected Papers From the 2018 USENIX Security Symposium

Enck, W., & Benzel, T. (2019, July 1). IEEE Security & Privacy, Vol. 17, pp. 7–8.

Thou Shalt Discuss Security

PivotWall

OConnor, T., Enck, W., Petullo, W. M., & Verma, A. (2018, March 23). PROCEEDINGS OF THE SYMPOSIUM ON SDN RESEARCH (SOSR'18), p. 3.

Programmable interface for extending security of application-based operating system

Enck, W. H., Nadkarni, A. P., Sadeghi, A.-R., & Heuser, S. (2018, March).

iOracle: Automated Evaluation of Access Control Policies in iOS

Proceedings of the 2018 on Asia Conference on Computer and Communications Security, 117–131.

A Study of Security Vulnerabilities on Docker Hub

Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, 269–280.

Analysis of SEAndroid Policies: Combining MAC and DAC in Android

Proceedings of the 33rd Annual Computer Security Applications Conference, 553–565.

Phonion: Practical Protection of Metadata in Telephony Networks

Proceedings on Privacy Enhancing Technologies, 2017(1), 170–187.

Policy by Example: An Approach for Security Policy Specification

ArXiv Preprint ArXiv:1707.03967.

Reliable Ad Hoc Smartphone Application Creation for End Users

In Intrusion Detection and Prevention for Mobile Ecosystems (pp. 65–98). CRC Press Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300 ….

SPOKE: Scalable Knowledge Collection and Attack Surface Analysis of Access Control Policy for Security Enhanced Android

Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, 612–624.

The Use of Functional Data Analysis to Evaluate Activity in a Spontaneous Model of Degenerative Joint Disease Associated Pain in Cats

PLOS ONE, 12(1), e0169576.

UiRef: analysis of sensitive user inputs in Android applications

Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, 23–34.

* droid: Assessment and Evaluation of Android Application Analysis Tools

ACM Computing Surveys (CSUR), 49(3), 55.

*droid

ACM Computing Surveys, 49(3), 1–30.

A Study of Grayware on Google Play

Andow, B., Nadkarni, A., Bassett, B., Enck, W., & Xie, T. (2016, May 1). 2016 IEEE SYMPOSIUM ON SECURITY AND PRIVACY WORKSHOPS (SPW 2016), pp. 224–233.

A Study of Security Isolation Techniques

Shu, R., Wang, P., Gorski, S. A., III, Andow, B., Nadkarni, A., Deshotels, L., … Gu, X. (2016, October 12). ACM Computing Surveys, Vol. 49, p. 50.

Code-Stop: Code-Reuse Prevention By Context-Aware Traffic Proxying

Proceedings of the Conference on Internet Monitoring and Protection (ICIMP), Barcelona, Spain, 22–26.

Practical ${$DIFC$}$ Enforcement on Android

25th USENIX Security Symposium (USENIX Security 16), 1119–1136.

Practical DIFC Enforcement on Android.

USENIX Security Symposium, 1119–1136.

Practical DIFC enforcement on android

Proceedings of the 25th USENIX Security Symposium, 1119–1136.

Preventing kernel code-reuse attacks through disclosure resistant code diversification

Gionta, J., Enck, W., & Larsen, P. (2016, October 1). 2016 Ieee Conference on Communications and Network Security (Cns), pp. 189–197.

SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 704–716.

Sandblaster: Reversing the apple sandbox

ArXiv Preprint ArXiv:1608.04303.

Text analytics for security: tutorial

Proceedings of the Symposium and Bootcamp on the Science of Security, 124–125.

AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context

Yang, W., Xiao, X., Andow, B., Li, S., Xie, T., & Enck, W. (2015, May 1). 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Vol. 1, pp. 303–313.

Automatic Server Hang Bug Diagnosis: Feasible Reality or Pipe Dream?

Dean, D. J., Wang, P., Gu, X., Enck, W., & Jin, G. (2015, July 1). 2015 IEEE INTERNATIONAL CONFERENCE ON AUTONOMIC COMPUTING, pp. 127–132.

EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning

Proceedings of the USENIX Security Symposium, 351–366. https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/wang-ruowen

Hidem: Protecting the contents of userspace memory in the face of disclosure vulnerabilities

Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, 325–336.

Multitasking Increases Stress and Insecure Behavior on Mobile Devices

Proceedings of the Human Factors and Ergonomics Society Annual Meeting, 59(1), 1110–1114.

${$ASM$}$: A Programmable Interface for Extending Android Security

23rd USENIX Security Symposium (USENIX Security 14), 1005–1019.

ASM: A Programmable Interface for Extending Android Security.

USENIX Security Symposium, 1005–1019.

An Application Package Configuration Approach to Mitigating Android SSL Vulnerabilities

ArXiv Preprint ArXiv:1410.7745.

Dacsa: A decoupled architecture for cloud security analysis

Proceedings of the 7th Workshop on Cyber Security Experimentation and Test.

GraphAudit: Privacy Auditing for Massive Graph Mining

North Carolina State University. Dept. of Computer Science.

Guest Editors' Introduction: Special Issue on Security and Privacy in Mobile Platforms

Ahn, G.-J., Enck, W., & Shin, D. D. (2014, May 1). IEEE Transactions on Dependable and Secure Computing, Vol. 11, pp. 209–210.

Improving mobile application security via bridging user expectations and application behaviors

Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, 32.

Insecure behaviors on mobile devices under stress

Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, 31.

Modeling and sensing risky user behavior on mobile devices

Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, 33.

NativeWrap: ad hoc smartphone application creation for end users

Proceedings of the 2014 ACM conference on Security and privacy in wireless & mobile networks, 13–24.

PREC: practical root exploit containment for android devices

Proceedings of the 4th ACM conference on Data and application security and privacy, 187–198.

SEER: practical memory virus scanning as a service

Proceedings of the 30th Annual Computer Security Applications Conference, 186–195.

TaintDroid

Enck, W., Gilbert, P., Chun, B.-G., Cox, L. P., Jung, J., McDaniel, P., & Sheth, A. N. (2014, February 26). Communications of the ACM, Vol. 57, pp. 99–106.

TaintDroid

Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.-G., Cox, L. P., … Sheth, A. N. (2014, June 1). ACM Transactions on Computer Systems, Vol. 32, pp. 1–6.

Tutorial: Text Analytics for Security

Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 1540–1541.

AppsPlayground: automatic security analysis of smartphone applications

Proceedings of the third ACM conference on Data and application security and privacy, 209–220.

Automatic Security Analysis of Android Applications

In Android Security and Mobile Cloud Computing. Springer.

MAST: triage for market-scale mobile malware analysis

Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks, 13–24.

Preventing accidental data disclosure in modern operating systems

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, 1029–1042.

WHYPER: towards automating risk assessment of mobile applications

Proceedings of the 22nd USENIX Security Symposium, Washington DC, USA, 14–16.

Abusing cloud-based browsers for fun and profit

Proceedings of the 28th Annual Computer Security Applications Conference, 219–228.

Meteor: Seeding a Security-Enhancing Infrastructure for Multi-market Application Ecosystems

IEEE MoST: Mobile Security Technologies Workshop.

A Study of Android Application Security.

USENIX Security Symposium.

ARP Spoofing

In Encyclopedia of Cryptography and Security (pp. 48–49). Springer US.

Analysis Techniques for Mobile Operating System Security

The Pennsylvania State University.

Android’s Security Framework--Understanding the Security of Mobile Phone Platforms

In Encyclopedia of Cryptography and Security (pp. 34–37). Springer US.

Defending Users against Smartphone Apps: Techniques and Future Directions

In Information Systems Security (pp. 49–70).

Seeding a Security-Enhancing Infrastructure for Multi-market Application Ecosystems

Technical report, School of Computer Science, Carleton University, http ….

Semantically rich application‐centric security in Android

Ongtang, M., McLaughlin, S., Enck, W., & McDaniel, P. (2011, August 23). Security and Communication Networks, Vol. 5, pp. 658–673.

Not so great expectations: Why application markets haven't failed security

IEEE Security & Privacy, 8(5), 76–78.

Configuration management at massive scale: system design and experience

IEEE Journal on Selected Areas in Communications, 27(3), 323–335.

Mitigating attacks on open functionality in SMS-capable cellular networks

IEEE/ACM Transactions on Networking (TON), 17(1), 40–53.

On lightweight mobile phone application certification

Proceedings of the 16th ACM conference on Computer and communications security, 235–245.

Understanding Android Security.

IEEE Security & Privacy, 7(1), 50–57.

malnets: large-scale malicious networks via compromised wireless access points

Security and Communication Networks, 3(2-3), 102–113.

Defending against attacks on main memory persistence

2008 Annual Computer Security Applications Conference (ACSAC), 65–74.

Exploiting open functionality in SMS-capable cellular networks

Journal of Computer Security, 16(6), 713–742.

Mitigating Android software misuse before it happens

Pennsylvania State University, Tech. Rep. NAS-TR-0094-2008.

Pinup: Pinning user files to known applications

2008 Annual Computer Security Applications Conference (ACSAC), 55–64.

Realizing massive-scale conditional access systems through attribute-based cryptosystems

In Proceedings of the ISOC Network & Distributed System Security Symposium (NDSS).

Systemic Issues in the Hart InterCivic and Premier Voting Systems: Reflections Following Project EVEREST

Proceedings of the USENIX/ACCURATE Electronic Voting Technology (EVT) Workshop.

ASR: anonymous and secure reporting of traffic forwarding activity in mobile ad hoc networks

Wireless Networks, 15(4), 525–539.

Configuration Management at Massive Scale: System Design and Experience

Proceedings of the USENIX Annual Technical Conference, 73–86. https://www.usenix.org/legacy/events/usenix07/tech/enck.html

Grains of SANs: Building Storage Area Networks from Memory Spots

Technical Report NASTR-0060-2007, Network and Security Research Center ….

Limiting sybil attacks in structured p2p networks

INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE, 2596–2600.

Protecting users from themselves

Proceedings of the 2007 ACM workshop on Computer security architecture, 29–36.

TARP: Ticket-based address resolution protocol

Computer Networks, 51(15), 4322–4337.

Analysis of Open Functionality in SMS-capable Cellular Networks

Pennsylvania State University.

Mitigating attacks on open functionality in SMS-capable cellular networks

Proceedings of the 12th annual international conference on Mobile computing and networking, 182–193.

Password Exhaustion: Predicting the End of Password Usefulness

In Information Systems Security (pp. 37–55).

Privacy Preserving Web-Based Email

In Information Systems Security (Vol. 3, pp. 116–131).

TARP: Ticket-based Address Resolution Protocol

Presented at the 21st Annual Computer Security Applications Conference (ACSAC'05).

Exploiting open functionality in SMS-capable cellular networks

Proceedings of the 12th ACM conference on Computer and communications security, 393–404.

Limiting sybil attacks in structured peer-to-peer networks

IEEE Infocom Mini-Symposium.

Secure reporting of traffic forwarding activity in mobile ad hoc networks

Presented at the The Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services.

Secure reporting of traffic forwarding activity in mobile ad hoc networks

The Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services, 12–21.

ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions

Muralee, S., Koishybayev, I., Nahapetyan, A., Tystahl, G., Reaves, B., Bianchi, A., … Machiry, A.

EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning

Wang, R., Enck, W., Reeves, D., Zhang, X., Ning, P., Xu, D., … Azab, A. 24th USENIX Security Symposium (USENIX Security 15). Presented at the USENIX Association.

Securing the So ware Supply Chain: Research, Outreach, Education

Williams, L., Acar, Y., Cukier, M., Enck, W., Kapravelos, A., Kästner, C., & Wermke, D.