@article{lee_chen_enck_vijayakumar_li_qian_petracca_jaeger_2024, title={PolyScope: Multi-Policy Access Control Analysis to Triage Android Scoped Storage}, url={https://doi.org/10.1109/TDSC.2023.3310402}, DOI={10.1109/TDSC.2023.3310402}, abstractNote={Android's filesystem access control is its foundation for system integrity. It combines mandatory (e.g., SELinux) and discretionary (e.g., Unix permissions) access control with other specialized access controls (e.g., Android permissions), aiming to protect Android/OEM services from third-party applications. However, OEMs often introduce vulnerabilities when they add market-differentiating features because they fail to correctly reconfigure this complex combination of policies. In this paper, we present the POLYSCOPE tool, which triages the combination of Android filesystem access control policies to find the authorized operations that may be exploited by adversaries to escalate their privileges, called attack operations . Critically, POLYSCOPE accounts for how adversaries may modify permissions for themselves and/or their victims to uncover latent attack operations. We demonstrate the effectiveness of POLYSCOPE by assessing the impact of the recently introduced Scoped Storage defense for Android, showing that extending POLYSCOPE to analyze a new policy can be done independently if the new policy only restricts permissions, which is the case for Scoped Storage. We apply POLYSCOPE to three Google and five OEM Android releases, finding that Scoped Storage reduces the number of attack operations possible on external storage resources by over 50%. However, we also find two previously unknown vulnerabilities because OEMs only adopt Scoped Storage partially, limiting its benefit. Thus, we show how to use POLYSCOPE to assess an ideal scenario where all apps are compliant to Scoped Storage, which can reduce the number of untrusted parties that can access attack operations by over 65% on OEM systems. As a result, we find that POLYSCOPE can help Android OEMs triage complex access control policies to identify the specific attack operations worthy of further examination.}, journal={IEEE Transactions on Dependable and Secure Computing}, publisher={IEEE}, author={Lee, Yu-Tsung and Chen, Haining and Enck, William and Vijayakumar, Hayawardh and Li, Ninghui and Qian, Zhiyun and Petracca, Giuseppe and Jaeger, Trent}, year={2024} } @inproceedings{muralee_koishybayev_nahapetyan_tystahl_reaves_bianchi_enck_kapravelos_machiry_2023, title={ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions}, ISBN={9781939133373}, url={https://www.usenix.org/conference/usenixsecurity23/presentation/muralee}, booktitle={Proceedings of the USENIX Security Symposium}, author={Muralee, Siddharth and Koishybayev, Igibek and Nahapetyan, Aleksandr and Tystahl, Greg and Reaves, Brad and Bianchi, Antonio and Enck, William and Kapravelos, Alexandros and Machiry, Aravind}, year={2023}, pages={6983–7000} } @article{dunlap_thorn_enck_reaves_2023, title={Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis}, DOI={10.1109/EuroSP57164.2023.00036}, abstractNote={Software depends on upstream projects that regularly fix vulnerabilities, but the documentation of those vulnerabilities is often unreliable or unavailable. Automating the collection of existing vulnerability fixes is essential for downstream projects to reliably update their dependencies due to the sheer number of dependencies in modern software. Prior efforts rely solely on incomplete databases or imprecise or inaccurate statistical analysis of upstream repositories. In this paper, we introduce Differential Alert Analysis (DAA) to discover vulnerability fixes in software projects. In contrast to statistical analysis, DAA leverages static analysis security testing (SAST) tools, which reason over code context and semantics. We provide a language-independent implementation of DAA and show that for Python and Java based projects, DAA has high precision for a ground-truth dataset of vulnerability fixes — even with noisy and low-precision SAST tools. We then use DAA in two large-scale empirical studies covering several prominent ecosystems, finding hundreds of resolved alerts, including many never publicly disclosed. DAA thus provides a powerful, accurate primitive for software projects, code analysis tools, vulnerability databases, and researchers to characterize and enhance the security of software supply chains.}, journal={2023 IEEE 8TH EUROPEAN SYMPOSIUM ON SECURITY AND PRIVACY, EUROS&P}, author={Dunlap, Trevor and Thorn, Seaver and Enck, William and Reaves, Bradley}, year={2023}, pages={489–505} } @article{fourne_wermke_enck_fahl_acar_2023, title={It's like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security}, ISSN={["1081-6011"]}, DOI={10.1109/SP46215.2023.00187}, journal={2023 IEEE SYMPOSIUM ON SECURITY AND PRIVACY, SP}, author={Fourne, Marcel and Wermke, Dominik and Enck, William and Fahl, Sascha and Acar, Yasemin}, year={2023}, pages={1527–1544} } @inproceedings{fourné_wermke_enck_fahl_acar_2023, title={It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security}, booktitle={Proceedings of the 44th IEEE Symposium on Security and Privacy (S&P 2023)}, author={Fourné, Marcel and Wermke, Dominik and Enck, William and Fahl, Sascha and Acar, Yasemin}, year={2023} } @inproceedings{anjum_sokal_rehman_weintraub_leba_enck_nita-rotaru_reaves_2023, title={MSNetViews: Geographically Distributed Management of Enterprise Network Security Policy}, url={https://doi.org/10.1145/3589608.3593836}, DOI={10.1145/3589608.3593836}, abstractNote={Commercially-available software defined networking (SDN) technologies will play an important role in protecting the on-premises resources that remain as enterprises transition to zero trust architectures. However, existing solutions assume the entire network resides in a single geographic location, requiring organizations with multiple sites to manually ensure consistency of security policy across all sites. In this paper, we present MSNetViews, which extends a single, globally-defined and managed, enterprise network security policy to many geographically distributed sites. Each site operates independently and enforces a site-specific policy slice that is dynamically parameterized with user location as employees roam between sites. We build a prototype of MSNetViews and show that for an enterprise with globally distributed sites, the average time for policy state to settle after a user roams to a new site is well below two seconds. As such, we demonstrate that multisite organizations can efficiently protect their on-premises network-attached devices via a single global perspective.}, booktitle={Proceedings of the 28th ACM Symposium on Access Control Models and Technologies}, author={Anjum, Iffat and Sokal, Jessica and Rehman, Hafiza Ramzah and Weintraub, Ben and Leba, Ethan and Enck, William and Nita-Rotaru, Cristina and Reaves, Bradley}, year={2023}, month={May}, pages={121–132} } @article{enck_acar_cukier_kapravelos_kästner_williams_2023, title={S3C2 Summit 2023-06: Government Secure Supply Chain Summit}, journal={arXiv preprint arXiv:2308.06850}, author={Enck, William and Acar, Yasemin and Cukier, Michel and Kapravelos, Alexandros and Kästner, Christian and Williams, Laurie}, year={2023} } @article{tran_acar_cucker_enck_kapravelos_kastner_williams_2023, title={S3C2 Summit 2202-09: Industry Secure Suppy Chain Summit}, journal={arXiv preprint arXiv:2307.15642}, author={Tran, Mindy and Acar, Yasemin and Cucker, Michel and Enck, William and Kapravelos, Alexandros and Kastner, Christian and Williams, Laurie}, year={2023} } @article{zahan_lin_tamanna_enck_williams_2023, title={Software Bills of Materials Are Required. Are We There Yet?}, volume={21}, url={https://doi.org/10.1109/MSEC.2023.3237100}, DOI={10.1109/MSEC.2023.3237100}, abstractNote={Executive order 14028 on improving the nation’s cybersecurity highlights the software bill of materials (SBOM) as an essential security practice for software security. This article outlines the top five benefits and challenges of adopting SBOMs, identified by reviewing 200 Internet articles.}, number={2}, journal={IEEE Security & Privacy}, publisher={IEEE}, author={Zahan, Nusrat and Lin, Elizabeth and Tamanna, Mahzabin and Enck, William and Williams, Laurie}, year={2023}, month={Mar}, pages={82–88} } @article{dunlap_lin_enck_reaves_2023, title={VFCFinder: Seamlessly Pairing Security Advisories and Patches}, journal={arXiv preprint arXiv:2311.01532}, author={Dunlap, Trevor and Lin, Elizabeth and Enck, William and Reaves, Bradley}, year={2023} } @inproceedings{datta_polinsky_inam_bates_enck_2022, title={${$ALASTOR$}$: Reconstructing the Provenance of Serverless Intrusions}, booktitle={31st USENIX Security Symposium (USENIX Security 22)}, author={Datta, Pubali and Polinsky, Isaac and Inam, Muhammad Adil and Bates, Adam and Enck, William}, year={2022}, pages={2443–2460} } @inproceedings{gorski iii_thorn_enck_chen_2022, title={${$FReD$}$: Identifying File ${$Re-Delegation$}$ in Android System Services}, booktitle={31st USENIX Security Symposium (USENIX Security 22)}, author={Gorski III, Sigmund Albert and Thorn, Seaver and Enck, William and Chen, Haining}, year={2022}, pages={1525–1542} } @inproceedings{dunlap_enck_reaves_2022, title={A Study of Application Sandbox Policies in Linux}, booktitle={Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies}, author={Dunlap, Trevor and Enck, William and Reaves, Bradley}, year={2022}, pages={19–30} } @article{mahmud_english_thorn_enck_oest_saad_2022, title={Analysis of Payment Service Provider SDKs in Android}, url={https://doi.org/10.1145/3564625.3564641}, DOI={10.1145/3564625.3564641}, abstractNote={Payment Service Providers (PSPs) provide software development toolkits (SDKs) for integrating complex payment processing code into applications. Security weaknesses in payment SDKs can impact thousands of applications. In this work, we propose AARDroid for statically assessing payment SDKs against OWASP’s MASVS industry standard for mobile application security. In creating AARDroid, we adapted application-level requirements and program analysis tools for SDK-specific analysis, tailoring dataflow analysis for SDKs using domain-specific ontologies to infer the security semantics of application programming interfaces (APIs). We apply AARDroid to 50 payment SDKs and discover security weaknesses including saving unencrypted credit card information to files, use of insecure cryptographic primitives, insecure input methods for credit card information, and insecure use of WebViews. These results demonstrate the value of applying security analysis at the SDK granularity to prevent the widespread deployment of insecure code.}, journal={PROCEEDINGS OF THE 38TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE, ACSAC 2022}, author={Mahmud, Samin Yaseer and English, K. Virgil and Thorn, Seaver and Enck, William and Oest, Adam and Saad, Muhammad}, year={2022}, pages={576–590} } @inbook{miah_zhu_granados_sharmin_anjum_ortiz_kiekintveld_enck_singh_2022, title={Optimizing Honey Traffic Using Game Theory and Adversarial Learning}, booktitle={Cyber Deception: Techniques, Strategies, and Human Aspects}, publisher={Springer}, author={Miah, Mohammad Sujan and Zhu, Mu and Granados, Alonso and Sharmin, Nazia and Anjum, Iffat and Ortiz, Anthony and Kiekintveld, Christopher and Enck, William and Singh, Munindar P}, year={2022}, pages={97–124} } @article{enck_2022, title={Reflections on a Decade of Mobile Security Research}, DOI={10.1145/3507657.3528561}, abstractNote={The emergence of the smartphone in the late 2000s occurred during a perfect storm of technology and society. Advances in embedded technologies provided a critical balance of computing power and energy consumption. The integration of accelerometers and GPS sensors provided valuable primitives for innovative applications, and 3G cellular technologies provided enough data capacity for meaningful interactions with servers. Simultaneously, social networking was taking off, giving consumers a reason to increasingly engage with computing. The mobile industry capitalized on this opportunity, opening the traditionally tightly controlled environment to third-parties and providing a streamlined way for application developers and consumers to discover and commodify computing. Today, Web traffic from smartphones exceeds that of traditional desktops and laptops. The initial reaction of the security research community was cautious, not seeing what made this form of computing different. In many ways, smartphones are the same as traditional consumer platforms. Consumers download and run third-party software that connects to servers on the Internet. However, there are key ways in which smartphones are different. Some of these differences are technical. For example, smartphones never turn off and are continually collecting information. They also present a new runtime abstraction where each application is a security principal. Other differences are rooted in how we use them. Our smartphones are always with us, and as a result they have become the transport vehicle for micro-doses of dopamine that feeds our Internet addicted society. They are the first thing we look at in the morning, the last in the evening, and means of avoiding boredom throughout the day. Despite initial reservations, the past decade has seen a boom in security research studying smartphones and mobile technologies. While this research started at the application layer, it has gradually worked its way down the stack, considering operating system frameworks, trusted execution environments, attached hardware peripherals, baseband radios, and expanding into the cellular network itself. In this talk, I will reflect on the advances and knowledge we have gained through mobile security research and what these results mean for the broader area of security research. The tables have now turned, and computing technology is adopting advances made by mobile devices.}, journal={PROCEEDINGS OF THE 15TH ACM CONFERENCE ON SECURITY AND PRIVACY IN WIRELESS AND MOBILE NETWORKS (WISEC '22)}, author={Enck, William}, year={2022}, pages={2–2} } @inproceedings{anjum_kostecki_leba_sokal_bharambe_enck_nita-rotaru_reaves_2022, title={Removing the Reliance on Perimeters for Security using Network Views}, booktitle={Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies}, author={Anjum, Iffat and Kostecki, Daniel and Leba, Ethan and Sokal, Jessica and Bharambe, Rajit and Enck, William and Nita-Rotaru, Cristina and Reaves, Bradley}, year={2022}, pages={151–162} } @article{enck_williams_2022, title={Top Five Challenges in Software Supply Chain Security: Observations From 30 Industry and Government Organizations}, volume={20}, ISSN={["1558-4046"]}, DOI={10.1109/MSEC.2022.3142338}, abstractNote={Software is complex, not only due to the code within a given project, but also due to the vast ecosystem of dependencies and transitive dependencies upon which each project relies. Recent years have observed a sharp uptick of attacks on the software supply chain spurring invigorated interest by industry and government alike. We held three summits with a diverse set of organizations and report on the top five challenges in software supply chain security.}, number={2}, journal={IEEE SECURITY & PRIVACY}, publisher={IEEE}, author={Enck, William and Williams, Laurie}, year={2022}, pages={96–100} } @article{lentzsch_shah_andow_degeling_das_enck_2021, title={Hey Alexa, is this Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem}, DOI={10.14722/ndss.2021.23111}, abstractNote={—Amazon’s voice-based assistant, Alexa, enables users to directly interact with various web services through natural language dialogues. It provides developers with the option to create third-party applications (known as Skills ) to run on top of Alexa. While such applications ease users’ interaction with smart devices and bolster a number of additional services, they also raise security and privacy concerns due to the personal setting they operate in. This paper aims to perform a systematic analysis of the Alexa skill ecosystem. We perform the first large-scale analysis of Alexa skills, obtained from seven different skill stores totaling to 90,194 unique skills. Our analysis reveals several limitations that exist in the current skill vetting process. We show that not only can a malicious user publish a skill under any arbitrary developer/company name, but she can also make backend code changes after approval to coax users into revealing unwanted information. We, next, formalize the different skill-squatting techniques and evaluate the efficacy of such techniques. We find that while certain approaches are more favorable than others, there is no substantial abuse of skill squatting in the real world. Lastly, we study the prevalence of privacy policies across different categories of skill, and more importantly the policy content of skills that use the Alexa permission model to access sensitive user data. We find that around 23.3% of such skills do not fully disclose the data types associated with the permissions requested. We conclude by providing some suggestions for strengthening the overall ecosystem, and thereby enhance transparency for end-users.}, journal={28TH ANNUAL NETWORK AND DISTRIBUTED SYSTEM SECURITY SYMPOSIUM (NDSS 2021)}, author={Lentzsch, Christopher and Shah, Sheel Jayesh and Andow, Benjamin and Degeling, Martin and Das, Anupam and Enck, William}, year={2021} } @inproceedings{lee_enck_chen_vijayakumar_li_qian_wang_petracca_jaeger_2021, title={PolyScope: Multi-Policy Access Control Analysis to Compute Authorized Attack Operations in Android Systems}, booktitle={30th ${$USENIX$}$ Security Symposium (${$USENIX$}$ Security 21)}, author={Lee, Yu-Tsung and Enck, William and Chen, Haining and Vijayakumar, Hayawardh and Li, Ninghui and Qian, Zhiyun and Wang, Daimeng and Petracca, Giuseppe and Jaeger, Trent}, year={2021} } @inproceedings{anjum_zhu_polinsky_enck_reiter_singh_2021, title={Role-Based Deception in Enterprise Networks}, booktitle={Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy}, author={Anjum, Iffat and Zhu, Mu and Polinsky, Isaac and Enck, William and Reiter, Michael K and Singh, Munindar P}, year={2021}, pages={65–76} } @inproceedings{polinsky_datta_bates_enck_2021, title={SCIFFS: Enabling Secure Third-Party Security Analytics using Serverless Computing}, booktitle={Proceedings of the 26th ACM Symposium on Access Control Models and Technologies}, author={Polinsky, Isaac and Datta, Pubali and Bates, Adam and Enck, William}, year={2021}, pages={175–186} } @inproceedings{andow_mahmud_whitaker_enck_reaves_singh_egelman_2020, title={Actions speak louder than words: Entity-sensitive privacy policy and data flow analysis with policheck}, booktitle={Proceedings of the 29th USENIX Security Symposium (USENIX Security'20)}, author={Andow, Benjami and Mahmud, Samin Yaseer and Whitaker, Justin and Enck, William and Reaves, Bradley and Singh, Kapil and Egelman, Serge}, year={2020} } @inproceedings{enck_2020, title={Analysis of Access Control Enforcement in Android}, booktitle={Proceedings of the 25th ACM Symposium on Access Control Models and Technologies}, author={Enck, William}, year={2020}, pages={117–118} } @inproceedings{mahmud_acharya_andow_enck_reaves_2020, title={Cardpliance: PCI DSS compliance of android applications}, booktitle={Proceedings of the 29th USENIX Conference on Security Symposium}, author={Mahmud, Samin Yaseer and Acharya, Akhil and Andow, Benjamin and Enck, William and Reaves, Bradley}, year={2020}, pages={1517–1533} } @inproceedings{rahman_enck_williams_2020, title={Do configuration management tools make systems more secure? an empirical research plan}, booktitle={Proceedings of the 7th Symposium on Hot Topics in the Science of Security}, author={Rahman, Md Rayhanur and Enck, William and Williams, Laurie}, year={2020}, pages={1–2} } @article{deshotels_carabas_beichler_deaconescu_enck_2020, title={Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS}, ISSN={["1081-6011"]}, DOI={10.1109/SP40000.2020.00023}, abstractNote={Apple uses several access control mechanisms to prevent third party applications from directly accessing security sensitive resources, including sandboxing and file access control. However, third party applications may also indirectly access these resources using inter-process communication (IPC) with system daemons. If these daemons fail to properly enforce access control on IPC, confused deputy vulnerabilities may result. Identifying such vulnerabilities begins with an enumeration of all IPC services accessible to third party applications. However, the IPC interfaces and their corresponding access control policies are unknown and must be reverse engineered at a large scale. In this paper, we present the Kobold framework to study NSXPC-based system services using a combination of static and dynamic analysis. Using Kobold, we discovered multiple NSXPC services with confused deputy vulnerabilities and daemon crashes. Our findings include the ability to activate the microphone, disable access to all websites, and leak private data stored in iOS File Providers.}, journal={2020 IEEE SYMPOSIUM ON SECURITY AND PRIVACY (SP 2020)}, author={Deshotels, Luke and Carabas, Costin and Beichler, Jordan and Deaconescu, Razvan and Enck, William}, year={2020}, pages={1056–1070} } @article{mitev_pazii_miettinen_enck_sadeghi_2020, title={LeakyPick: IoT Audio Spy Detector}, ISSN={["1063-9527"]}, DOI={10.1145/3427228.3427277}, abstractNote={Manufacturers of smart home Internet of Things (IoT) devices are increasingly adding voice assistant and audio monitoring features to a wide range of devices including smart speakers, televisions, thermostats, security systems, and doorbells. Consequently, many of these devices are equipped with microphones, raising significant privacy concerns: users may not always be aware of when audio recordings are sent to the cloud, or who may gain access to the recordings. In this paper, we present the LeakyPick architecture that enables the detection of the smart home devices that stream recorded audio to the Internet in response to observing a sound. Our proof-of-concept is a LeakyPick device that is placed in a user’s smart home and periodically “probes” other devices in its environment and monitors the subsequent network traffic for statistical patterns that indicate audio transmission. Our prototype is built on a Raspberry Pi for less than USD $40 and has a measurement accuracy of 94% in detecting audio transmissions for a collection of 8 devices with voice assistant capabilities. Furthermore, we used LeakyPick to identify 89 words that an Amazon Echo Dot misinterprets as its wake-word, resulting in unexpected audio transmission. LeakyPick provides a cost effective approach to help regular consumers monitor their homes for sound-triggered devices that unexpectedly transmit audio to the cloud.}, journal={36TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE (ACSAC 2020)}, author={Mitev, Richard and Pazii, Anna and Miettinen, Markus and Enck, William and Sadeghi, Ahmad-Reza}, year={2020}, pages={694–705} } @article{anjum_miah_zhu_sharmin_kiekintveld_enck_singh_2020, title={Optimizing Vulnerability-Driven Honey Traffic Using Game Theory}, journal={arXiv preprint arXiv:2002.09069}, author={Anjum, Iffat and Miah, Mohammad Sujan and Zhu, Mu and Sharmin, Nazia and Kiekintveld, Christopher and Enck, William and Singh, Munindar P}, year={2020} } @inproceedings{polinsky_martin_enck_reiter_2020, title={nm-Variant Systems: Adversarial-Resistant Software Rejuvenation for Cloud-Based Web Applications}, booktitle={Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy}, author={Polinsky, Isaac and Martin, Kyle and Enck, William and Reiter, Michael K}, year={2020}, pages={235–246} } @article{gorski_andow_nadkarni_manandhar_enck_bodden_bartel_2019, title={ACMiner: Extraction and Analysis of Authorization Checks in Android's Middleware}, DOI={10.1145/3292006.3300023}, abstractNote={Billions of users rely on the security of the Android platform to protect phones, tablets, and many different types of consumer electronics. While Android's permission model is well studied, the enforcement of the protection policy has received relatively little attention. Much of this enforcement is spread across system services, taking the form of hard-coded checks within their implementations. In this paper, we propose Authorization Check Miner (ACMiner), a framework for evaluating the correctness of Android's access control enforcement through consistency analysis of authorization checks. ACMiner combines program and text analysis techniques to generate a rich set of authorization checks, mines the corresponding protection policy for each service entry point, and uses association rule mining at a service granularity to identify inconsistencies that may correspond to vulnerabilities. We used ACMiner to study the AOSP version of Android 7.1.1 to identify 28 vulnerabilities relating to missing authorization checks. In doing so, we demonstrate ACMiner's ability to help domain experts process thousands of authorization checks scattered across millions of lines of code.}, journal={PROCEEDINGS OF THE NINTH ACM CONFERENCE ON DATA AND APPLICATION SECURITY AND PRIVACY (CODASPY '19)}, author={Gorski, Sigmund Albert, III and Andow, Benjamin and Nadkarni, Adwait and Manandhar, Sunil and Enck, William and Bodden, Eric and Bartel, Alexandre}, year={2019}, pages={25–36} } @article{gorski_enck_2019, title={ARF: Identifying Re-Delegation Vulnerabilities in Android System Services}, DOI={10.1145/3317549.3319725}, abstractNote={Over the past decade, the security of the Android platform has undergone significant scrutiny by both academic and industrial researchers. This scrutiny has been largely directed towards third-party applications and a few critical system interfaces, leaving much of Android's middleware unstudied. Building upon recent efforts to more rigorously analyze authorization logic in Android's system services, we revisit the problem of permission re-delegation, but in the context of system service entry points. In this paper, we propose the Android Re-delegation Finder (ARF) analysis framework for helping security analysts identify permission re-delegation vulnerabilities within Android's system services. ARF analyzes an interconnected graph of entry points in system services, deriving calling dependencies, annotating permission checks, and identifying potentially vulnerable deputies that improperly expose information or functionality to third-party applications. We apply ARF to Android AOSP version 8.1.0 and find that it refines the set of 15,483 paths between entry points down to a manageable set of 490 paths. Upon manual inspection, we found that 170 paths improperly exposed information or functionality, consisting of 86 vulnerable deputies. Through this effort, we demonstrate the need for continued investigation of automated tools to analyze the authorization logic within the Android middleware.}, journal={PROCEEDINGS OF THE 2019 CONFERENCE ON SECURITY AND PRIVACY IN WIRELESS AND MOBILE NETWORKS (WISEC '19)}, author={Gorski, Sigmund Albert, III and Enck, William}, year={2019}, pages={151–162} } @article{oconnor_enck_reaves_2019, title={Blinded and Confused: Uncovering Systemic Flaws in Device Telemetry for Smart-Home Internet of Things}, DOI={10.1145/3317549.3319724}, abstractNote={The always-on, always-connected nature of smart home devices complicates Internet-of-Things (IoT) security and privacy. Unlike traditional hosts, IoT devices constantly send sensor, state, and heartbeat data to cloud-based servers. These data channels require reliable, routine communication, which is often at odds with an IoT device's storage and power constraints. Although recent efforts such as pervasive encryption have addressed protecting data intransit, there remains little insight into designing mechanisms for protecting integrity and availability for always-connected devices. This paper seeks to better understand smart home device security by studying the vendor design decisions surrounding IoT telemetry messaging protocols, specifically, the behaviors taken when an IoT device loses connectivity. To understand this, we hypothesize and evaluate sensor blinding and state confusion attacks, measuring their effectiveness against an array of smart home IoT device types. Our analysis uncovers pervasive failure in designing telemetry that reports data to the cloud, and buffering that fails to properly cache undelivered data. We uncover that 22 of 24 studied devices suffer from critical design flaws that (1) enable attacks to transparently disrupt the reporting of device status alerts or (2) prevent the uploading of content integral to the device's core functionality. We conclude by considering the implications of these findings and offer directions for future defense. While the state of the art is rife with implementation flaws, there are several countermeasures IoT vendors could take to reduce their exposure to attacks of this nature.}, journal={PROCEEDINGS OF THE 2019 CONFERENCE ON SECURITY AND PRIVACY IN WIRELESS AND MOBILE NETWORKS (WISEC '19)}, author={OConnor, T. J. and Enck, William and Reaves, Bradley}, year={2019}, pages={140–150} } @article{oconnor_mohamed_miettinen_enck_reaves_sadeghi_2019, title={HOMESNITCH: Behavior Transparency and Control for Smart Home IoT Devices}, DOI={10.1145/3317549.3323409}, abstractNote={The widespread adoption of smart home IoT devices has led to a broad and heterogeneous market with flawed security designs and privacy concerns. While the quality of IoT device software is unlikely to be fixed soon, there is great potential for a network-based solution that helps protect and inform consumers. Unfortunately, the encrypted and proprietary protocols used by devices limit the value of traditional network-based monitoring techniques. In this paper, we present HomeSnitch, a building block for enhancing smart home transparency and control by classifying IoT device communication by semantic behavior (e.g., heartbeat, firmware check, motion detection). HomeSnitch ignores payload content (which is often encrypted) and instead identifies behaviors using features of connection-oriented application data unit exchanges, which represent application-layer dialog between clients and servers. We evaluate HomeSnitch against an independent labeled corpus of IoT device network flows and correctly detect over 99% of behaviors. We further deployed HomeSnitch in a home environment and empirically evaluated its ability to correctly classify known behaviors as well as discover new behaviors. Through these efforts, we demonstrate the utility of network-level services to classify behaviors of and enforce control on smart home devices.}, journal={PROCEEDINGS OF THE 2019 CONFERENCE ON SECURITY AND PRIVACY IN WIRELESS AND MOBILE NETWORKS (WISEC '19)}, author={OConnor, T. J. and Mohamed, Reham and Miettinen, Markus and Enck, William and Reaves, Bradley and Sadeghi, Ahmad-Reza}, year={2019}, pages={128–139} } @article{mohamed_o’connor_miettinen_enck_sadeghi_2019, title={HONEYSCOPE: IoT device protection with deceptive network views}, journal={Autonomous Cyber Deception: Reasoning, Adaptive Planning, and Evaluation of HoneyThings}, publisher={Springer International Publishing}, author={Mohamed, Reham and O’Connor, Terrence and Miettinen, Markus and Enck, William and Sadeghi, Ahmad-Reza}, year={2019}, pages={167–181} } @article{goutam_enck_reaves_2019, title={Hestia: Simple Least Privilege Network Policies for Smart Homes}, DOI={10.1145/3317549.3323413}, abstractNote={The long-awaited smart home revolution has arrived, and with it comes the challenge of managing dozens of potentially vulnerable network devices by average users. While research has developed techniques to fingerprint these devices, and even provide for sophisticated network access control models, such techniques are too complex for end users to manage, require sophisticated systems or unavailable public device descriptions, and proposed network policies have not been tested against real device behaviors. As a result, none of these solutions are available to users today. In this paper, we present Hestia, a mechanism to enforce simple-but-effective network isolation policies. Hestia segments the network into just two device categories: controllers (e.g., Smart Hubs) and non-controllers (e.g., motion sensors and smart lightbulbs). The key insight (validated with a large IoT dataset) is that noncontrollers only connect to cloud endpoints and controller devices, and practically never to each other over IP networks. This means that non-controllers can be isolated from each other without preventing functionality. Perhaps more importantly, smart home owners need only specify which devices are controllers. We develop a prototype and show negligible performance overhead resulting from the increased isolation. Hestia drastically improves smart home security without complex, unwieldy policies or lengthy learning of device behaviors.}, journal={PROCEEDINGS OF THE 2019 CONFERENCE ON SECURITY AND PRIVACY IN WIRELESS AND MOBILE NETWORKS (WISEC '19)}, author={Goutam, Sanket and Enck, William and Reaves, Bradley}, year={2019}, pages={215–220} } @inproceedings{andow_mahmud_wang_whitaker_enck_reaves_singh_xie_2019, title={PolicyLint: Investigating Internal Privacy Policy Contradictions on Google Play.}, booktitle={USENIX Security Symposium}, author={Andow, Benjamin and Mahmud, Samin Yaseer and Wang, Wenyu and Whitaker, Justin and Enck, William and Reaves, Bradley and Singh, Kapil and Xie, Tao}, year={2019}, pages={585–602} } @article{enck_benzel_2019, title={Selected Papers From the 2018 USENIX Security Symposium}, volume={17}, ISSN={["1558-4046"]}, url={https://doi.org/10.1109/MSEC.2019.2915397}, DOI={10.1109/MSEC.2019.2915397}, abstractNote={The articles presented in this special section were presented at the 27th USENIX Security Symposium, that was held 15–17 August 2018 in Baltimore, Maryland.}, number={4}, journal={IEEE SECURITY & PRIVACY}, author={Enck, William and Benzel, Terry}, year={2019}, pages={7–8} } @article{whitaker_prasad_reaves_enck_2019, title={Thou Shalt Discuss Security: Quantifying the Impacts of Instructions to RFC Authors}, DOI={10.1145/3338500.3360332}, abstractNote={The importance of secure development of new technologies is unquestioned, yet the best methods to achieve this goal are far from certain. A key issue is that while significant effort is given to evaluating the outcomes of development (e.g., security of a given project), it is far more difficult to determine what organizational practices result in secure projects. In this paper, we quantitatively examine efforts to improve the consideration of security in Requests for Comments (RFCs)--- the design documents for the Internet and many related systems --- through the mandates and guidelines issued to RFC authors. We begin by identifying six metrics that quantify the quantity and quality of security informative content. We then apply these metrics longitudinally over 8,437 documents and 49 years of development to determine whether guidance to RFC authors changed these security metrics in later documents. We find that even a simply worded --- but effectively enforced --- mandate to explicitly consider security created a significant effect in increased discussion and topic coverage of security content both in and outside of a mandated security considerations section. We find that later guidelines with more detailed advice on security also improve both volume and quality of security informative content in RFCs. Our work demonstrates that even modest amounts of guidance can correlate to significant improvements in security focus in RFCs, indicating a promising approach for other network standards bodies.}, journal={PROCEEDINGS OF THE 5TH ACM WORKSHOP ON SECURITY STANDARDISATION RESEARCH WORKSHOP (SSR '19)}, author={Whitaker, Justin and Prasad, Sathvik and Reaves, Bradley and Enck, William}, year={2019}, pages={57–68} } @article{oconnor_enck_petullo_verma_2018, title={PivotWall: SDN-Based Information Flow Control}, DOI={10.1145/3185467.3185474}, abstractNote={Advanced Persistent Threats (APTs) commonly use stepping stone attacks that allow the adversary to move laterally undetected within an enterprise network towards a target. Existing network security techniques provide limited protection against such attacks, because they lack intra-network mediation and the context of information semantics. We propose PivotWall, a network security defense that extends information flow tracking on each host into network-level defenses. PivotWall uses a novel combination of information-flow tracking and Software Defined Networking (SDN) to detect a wide range of attacks used by advanced adversaries, including those that abuse both application- and network-layer protocols. It further enables a variety of attack responses including traffic steering, as well as advanced mechanisms for forensic analysis. We show that PivotWall incurs minimal impact on network throughput and latency for untainted traffic and less than 58% overhead for tainted traffic. As such, we demonstrate the utility of information flow tracking as a defense against advanced network-level attacks.}, journal={PROCEEDINGS OF THE SYMPOSIUM ON SDN RESEARCH (SOSR'18)}, author={OConnor, T. J. and Enck, William and Petullo, W. Michael and Verma, Akash}, year={2018} } @article{enck_nadkarni_sadeghi_heuser_2018, title={Programmable interface for extending security of application-based operating system}, note={US Patent 9,916,475}, author={Enck, William Harold and Nadkarni, Adwait Pravin and Sadeghi, Ahmad-Reza and Heuser, Stephan}, year={2018}, month={Mar} } @inproceedings{deshotels_deaconescu_carabas_manda_enck_chiroiu_li_sadeghi_2018, title={iOracle: Automated Evaluation of Access Control Policies in iOS}, booktitle={Proceedings of the 2018 on Asia Conference on Computer and Communications Security}, author={Deshotels, Luke and Deaconescu, Razvan and Carabas, Costin and Manda, Iulia and Enck, William and Chiroiu, Mihai and Li, Ninghui and Sadeghi, Ahmad-Reza}, year={2018}, pages={117–131} } @inproceedings{shu_gu_enck_2017, title={A Study of Security Vulnerabilities on Docker Hub}, booktitle={Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy}, author={Shu, Rui and Gu, Xiaohui and Enck, William}, year={2017}, pages={269–280} } @inproceedings{chen_li_enck_aafer_zhang_2017, title={Analysis of SEAndroid Policies: Combining MAC and DAC in Android}, booktitle={Proceedings of the 33rd Annual Computer Security Applications Conference}, author={Chen, Haining and Li, Ninghui and Enck, William and Aafer, Yousra and Zhang, Xiangyu}, year={2017}, pages={553–565} } @article{heuser_reaves_pendyala_carter_dmitrienko_enck_kiyavash_sadeghi_traynor_2017, title={Phonion: Practical Protection of Metadata in Telephony Networks}, volume={2017}, number={1}, journal={Proceedings on Privacy Enhancing Technologies}, author={Heuser, Stephan and Reaves, Bradley and Pendyala, Praveen Kumar and Carter, Henry and Dmitrienko, Alexandra and Enck, William and Kiyavash, Negar and Sadeghi, Ahmad-Reza and Traynor, Patrick}, year={2017}, pages={170–187} } @article{nadkarni_enck_jha_staddon_2017, title={Policy by Example: An Approach for Security Policy Specification}, journal={arXiv preprint arXiv:1707.03967}, author={Nadkarni, Adwait and Enck, William and Jha, Somesh and Staddon, Jessica}, year={2017} } @inbook{nadkarni_verma_tendulkar_enck_2017, title={Reliable Ad Hoc Smartphone Application Creation for End Users}, booktitle={Intrusion Detection and Prevention for Mobile Ecosystems}, publisher={CRC Press Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300 …}, author={Nadkarni, Adwait and Verma, Akash and Tendulkar, Vasant and Enck, William}, year={2017}, pages={65–98} } @inproceedings{wang_azab_enck_li_ning_chen_shen_cheng_2017, title={SPOKE: Scalable Knowledge Collection and Attack Surface Analysis of Access Control Policy for Security Enhanced Android}, booktitle={Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security}, author={Wang, Ruowen and Azab, Ahmed M and Enck, William and Li, Ninghui and Ning, Peng and Chen, Xun and Shen, Wenbo and Cheng, Yueqiang}, year={2017}, pages={612–624} } @article{gruen_alfaro-córdoba_thomson_worth_staicu_lascelles_2017, title={The Use of Functional Data Analysis to Evaluate Activity in a Spontaneous Model of Degenerative Joint Disease Associated Pain in Cats}, volume={12}, ISSN={1932-6203}, url={http://dx.doi.org/10.1371/journal.pone.0169576}, DOI={10.1371/journal.pone.0169576}, abstractNote={Introduction and objectives Accelerometry is used as an objective measure of physical activity in humans and veterinary species. In cats, one important use of accelerometry is in the study of therapeutics designed to treat degenerative joint disease (DJD) associated pain, where it serves as the most widely applied objective outcome measure. These analyses have commonly used summary measures, calculating the mean activity per-minute over days and comparing between treatment periods. While this technique has been effective, information about the pattern of activity in cats is lost. In this study, functional data analysis was applied to activity data from client-owned cats with (n = 83) and without (n = 15) DJD. Functional data analysis retains information about the pattern of activity over the 24-hour day, providing insight into activity over time. We hypothesized that 1) cats without DJD would have higher activity counts and intensity of activity than cats with DJD; 2) that activity counts and intensity of activity in cats with DJD would be inversely correlated with total radiographic DJD burden and total orthopedic pain score; and 3) that activity counts and intensity would have a different pattern on weekends versus weekdays. Results and conclusions Results showed marked inter-cat variability in activity. Cats exhibited a bimodal pattern of activity with a sharp peak in the morning and broader peak in the evening. Results further showed that this pattern was different on weekends than weekdays, with the morning peak being shifted to the right (later). Cats with DJD showed different patterns of activity from cats without DJD, though activity and intensity were not always lower; instead both the peaks and troughs of activity were less extreme than those of the cats without DJD. Functional data analysis provides insight into the pattern of activity in cats, and an alternative method for analyzing accelerometry data that incorporates fluctuations in activity across the day.}, number={1}, journal={PLOS ONE}, publisher={Public Library of Science (PLoS)}, author={Gruen, Margaret E. and Alfaro-Córdoba, Marcela and Thomson, Andrea E. and Worth, Alicia C. and Staicu, Ana-Maria and Lascelles, B. Duncan X.}, editor={Harezlak, JaroslawEditor}, year={2017}, month={Jan}, pages={e0169576} } @inproceedings{andow_acharya_li_enck_singh_xie_2017, title={UiRef: analysis of sensitive user inputs in Android applications}, booktitle={Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks}, author={Andow, Benjamin and Acharya, Akhil and Li, Dengfeng and Enck, William and Singh, Kapil and Xie, Tao}, year={2017}, pages={23–34} } @article{reaves_bowers_gorski iii_anise_bobhate_cho_das_hussain_karachiwala_scaife_et al._2016, title={* droid: Assessment and Evaluation of Android Application Analysis Tools}, volume={49}, number={3}, journal={ACM Computing Surveys (CSUR)}, publisher={ACM}, author={Reaves, Bradley and Bowers, Jasmine and Gorski III, Sigmund Albert and Anise, Olabode and Bobhate, Rahul and Cho, Raymond and Das, Hiranava and Hussain, Sharique and Karachiwala, Hamza and Scaife, Nolen and et al.}, year={2016}, pages={55} } @article{andow_nadkarni_bassett_enck_xie_2016, title={A Study of Grayware on Google Play}, DOI={10.1109/spw.2016.40}, abstractNote={While there have been various studies identifying and classifying Android malware, there is limited discussion of the broader class of apps that fall in a gray area. Mobile grayware is distinct from PC grayware due to differences in operating system properties. Due to mobile grayware's subjective nature, it is difficult to identify mobile grayware via program analysis alone. Instead, we hypothesize enhancing analysis with text analytics can effectively reduce human effort when triaging grayware. In this paper, we design and implement heuristics for seven main categories of grayware. We then use these heuristics to simulate grayware triage on a large set of apps from Google Play. We then present the results of our empirical study, demonstrating a clear problem of grayware. In doing so, we show how even relatively simple heuristics can quickly triage apps that take advantage of users in an undesirable way.}, journal={2016 IEEE SYMPOSIUM ON SECURITY AND PRIVACY WORKSHOPS (SPW 2016)}, author={Andow, Benjamin and Nadkarni, Adwait and Bassett, Blake and Enck, William and Xie, Tao}, year={2016}, pages={224–233} } @article{shu_wang_gorski_andow_nadkarni_deshotels_gionta_enck_gu_2016, title={A Study of Security Isolation Techniques}, volume={49}, ISSN={["1557-7341"]}, DOI={10.1145/2988545}, abstractNote={Security isolation is a foundation of computing systems that enables resilience to different forms of attacks. This article seeks to understand existing security isolation techniques by systematically classifying different approaches and analyzing their properties. We provide a hierarchical classification structure for grouping different security isolation techniques. At the top level, we consider two principal aspects: mechanism and policy. Each aspect is broken down into salient dimensions that describe key properties. We break the mechanism into two dimensions, enforcement location and isolation granularity, and break the policy aspect down into three dimensions: policy generation, policy configurability, and policy lifetime. We apply our classification to a set of representative articles that cover a breadth of security isolation techniques and discuss tradeoffs among different design choices and limitations of existing approaches.}, number={3}, journal={ACM COMPUTING SURVEYS}, publisher={ACM}, author={Shu, Rui and Wang, Peipei and Gorski, Sigmund A. and Andow, Benjamin and Nadkarni, Adwait and Deshotels, Luke and Gionta, Jason and Enck, William and Gu, Xiaohui}, year={2016}, month={Dec} } @inproceedings{oconnor_enck_2016, title={Code-Stop: Code-Reuse Prevention By Context-Aware Traffic Proxying}, booktitle={Proceedings of the Conference on Internet Monitoring and Protection (ICIMP), Barcelona, Spain}, author={OConnor, Terrence and Enck, William}, year={2016}, pages={22–26} } @inproceedings{nadkarni_andow_enck_jha_2016, title={Practical ${$DIFC$}$ Enforcement on Android}, booktitle={25th USENIX Security Symposium (USENIX Security 16)}, author={Nadkarni, Adwait and Andow, Benjamin and Enck, William and Jha, Somesh}, year={2016}, pages={1119–1136} } @inproceedings{nadkarni_andow_enck_jha_2016, title={Practical DIFC Enforcement on Android.}, booktitle={USENIX Security Symposium}, author={Nadkarni, Adwait and Andow, Benjamin and Enck, William and Jha, Somesh}, year={2016}, pages={1119–1136} } @inproceedings{nadkarni_andow_enck_jha_2016, title={Practical DIFC enforcement on android}, booktitle={Proceedings of the 25th USENIX Security Symposium}, author={Nadkarni, A. and Andow, B. and Enck, W. and Jha, S.}, year={2016}, pages={1119–1136} } @inproceedings{gionta_enck_larsen_2016, title={Preventing kernel code-reuse attacks through disclosure resistant code diversification}, DOI={10.1109/cns.2016.7860485}, abstractNote={Software diversity has been applied to operating system kernels to protect against code-reuse attacks. However, the security of fine-grained software diversification relies on ensuring that the code layout remains secret. Unfortunately, memory disclosure vulnerabilities assist adversaries in bypassing software diversity protections by leaking the code layout. In this paper, we propose KHide, a system that thwarts kernel code-reuse attacks by combining fine-grained software diversity techniques and memory disclosure protection. First, we apply multiple fine-grained software diversity techniques to kernel code at compile time. Next, we propose a technique to protect diversified kernel code against memory disclosure at runtime. As a result, an attacker cannot predict or identify gadgets in memory to launch code-reuse attacks. We implement KHide for the Linux kernel. Our evaluation shows that KHide disclosure protection has negligible performance impact in comparison to fine-grained software diversity. We provide a security analysis of KHide calculating the survivability of gadgets across diversified versions. Our results show that KHide provides comprehensive protection against the threat of kernel code-reuse with acceptable performance impact.}, booktitle={2016 ieee conference on communications and network security (cns)}, author={Gionta, J. and Enck, William and Larsen, P.}, year={2016}, pages={189–197} } @inproceedings{deshotels_deaconescu_chiroiu_davi_enck_sadeghi_2016, title={SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles}, booktitle={Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security}, author={Deshotels, Luke and Deaconescu, Razvan and Chiroiu, Mihai and Davi, Lucas and Enck, William and Sadeghi, Ahmad-Reza}, year={2016}, pages={704–716} } @article{deaconescu_deshotels_bucicoiu_enck_davi_sadeghi_2016, title={Sandblaster: Reversing the apple sandbox}, journal={arXiv preprint arXiv:1608.04303}, author={Deaconescu, Răzvan and Deshotels, Luke and Bucicoiu, Mihai and Enck, William and Davi, Lucas and Sadeghi, Ahmad-Reza}, year={2016} } @inproceedings{xie_enck_2016, title={Text analytics for security: tutorial}, booktitle={Proceedings of the Symposium and Bootcamp on the Science of Security}, author={Xie, Tao and Enck, William}, year={2016}, pages={124–125} } @article{reaves_bowers_gorski_anise_bobhate_cho_das_hussain_karachiwala_scaife_et al._2016, title={droid: Assessment and Evaluation of Android Application Analysis Tools}, volume={49}, ISSN={["1557-7341"]}, DOI={10.1145/2996358}, abstractNote={The security research community has invested significant effort in improving the security of Android applications over the past half decade. This effort has addressed a wide range of problems and resulted in the creation of many tools for application analysis. In this article, we perform the first systematization of Android security research that analyzes applications, characterizing the work published in more than 17 top venues since 2010. We categorize each paper by the types of problems they solve, highlight areas that have received the most attention, and note whether tools were ever publicly released for each effort. Of the released tools, we then evaluate a representative sample to determine how well application developers can apply the results of our community’s efforts to improve their products. We find not only that significant work remains to be done in terms of research coverage but also that the tools suffer from significant issues ranging from lack of maintenance to the inability to produce functional output for applications with known vulnerabilities. We close by offering suggestions on how the community can more successfully move forward.}, number={3}, journal={ACM COMPUTING SURVEYS}, author={Reaves, Bradley and Bowers, Jasmine and Gorski, Sigmund Albert, III and Anise, Olabode and Bobhate, Rahul and Cho, Raymond and Das, Hiranava and Hussain, Sharique and Karachiwala, Hamza and Scaife, Nolen and et al.}, year={2016}, month={Dec} } @article{yang_xiao_andow_li_xie_enck_2015, title={AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context}, volume={1}, DOI={10.1109/icse.2015.50}, abstractNote={Mobile malware attempts to evade detection during app analysis by mimicking security-sensitive behaviors of benign apps that provide similar functionality (e.g., sending SMS messages), and suppressing their payload to reduce the chance of being observed (e.g., executing only its payload at night). Since current approaches focus their analyses on the types of security-sensitive resources being accessed (e.g., network), these evasive techniques in malware make differentiating between malicious and benign app behaviors a difficult task during app analysis. We propose that the malicious and benign behaviors within apps can be differentiated based on the contexts that trigger security-sensitive behaviors, i.e., the events and conditions that cause the security-sensitive behaviors to occur. In this work, we introduce AppContext, an approach of static program analysis that extracts the contexts of security-sensitive behaviors to assist app analysis in differentiating between malicious and benign behaviors. We implement a prototype of AppContext and evaluate AppContext on 202 malicious apps from various malware datasets, and 633 benign apps from the Google Play Store. AppContext correctly identifies 192 malicious apps with 87.7% precision and 95% recall. Our evaluation results suggest that the maliciousness of a security-sensitive behavior is more closely related to the intention of the behavior (reflected via contexts) than the type of the security-sensitive resources that the behavior accesses.}, journal={2015 IEEE/ACM 37TH IEEE INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING, VOL 1}, author={Yang, Wei and Xiao, Xusheng and Andow, Benjamin and Li, Sihan and Xie, Tao and Enck, William}, year={2015}, pages={303–313} } @article{dean_wang_gu_enck_jin_2015, title={Automatic Server Hang Bug Diagnosis: Feasible Reality or Pipe Dream?}, DOI={10.1109/icac.2015.52}, abstractNote={It is notoriously difficult to diagnose server hang bugs as they often generate little diagnostic information and are difficult to reproduce offline. In this paper, we present a characteristic study of 177 real software hang bugs from 8 common open source server systems (i.e., Apache, Lighttpd, My SQL, Squid, HDFS, Hadoop Mapreduce, Tomcat, Cassandra). We identify three major root cause categories (i.e., Programmer errors, mishandled values, concurrency issues). We then describe two major problems (i.e., False positives and false negatives) while applying existing rule-based bug detection techniques to those bugs.}, journal={2015 IEEE INTERNATIONAL CONFERENCE ON AUTONOMIC COMPUTING}, author={Dean, Daniel J. and Wang, Peipei and Gu, Xiaohui and Enck, William and Jin, Guoliang}, year={2015}, pages={127–132} } @inproceedings{wang_enck_reeves_zhang_ning_xu_zhou_azab_2015, place={Washington, DC}, title={EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning}, ISBN={9781939133113}, url={https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/wang-ruowen}, booktitle={Proceedings of the USENIX Security Symposium}, author={Wang, Ruowen and Enck, William and Reeves, Douglas and Zhang, Xinwen and Ning, Peng and Xu, Dingbang and Zhou, Wu and Azab, Ahmed}, year={2015}, pages={351–366} } @inproceedings{gionta_enck_ning_2015, title={Hidem: Protecting the contents of userspace memory in the face of disclosure vulnerabilities}, booktitle={Proceedings of the 5th ACM Conference on Data and Application Security and Privacy}, author={Gionta, Jason and Enck, William and Ning, Peng}, year={2015}, pages={325–336} } @inproceedings{liu_mclaughlin_watson_enck_davis_2015, title={Multitasking Increases Stress and Insecure Behavior on Mobile Devices}, volume={59}, number={1}, booktitle={Proceedings of the Human Factors and Ergonomics Society Annual Meeting}, author={Liu, Qian and McLaughlin, Anne Collins and Watson, Benjamin and Enck, William and Davis, Agnes}, year={2015}, pages={1110–1114} } @inproceedings{heuser_nadkarni_enck_sadeghi_2014, title={${$ASM$}$: A Programmable Interface for Extending Android Security}, booktitle={23rd USENIX Security Symposium (USENIX Security 14)}, author={Heuser, Stephan and Nadkarni, Adwait and Enck, William and Sadeghi, Ahmad-Reza}, year={2014}, pages={1005–1019} } @inproceedings{heuser_nadkarni_enck_sadeghi_2014, title={ASM: A Programmable Interface for Extending Android Security.}, booktitle={USENIX Security Symposium}, author={Heuser, Stephan and Nadkarni, Adwait and Enck, William and Sadeghi, Ahmad-Reza}, year={2014}, pages={1005–1019} } @article{tendulkar_enck_2014, title={An Application Package Configuration Approach to Mitigating Android SSL Vulnerabilities}, journal={arXiv preprint arXiv:1410.7745}, author={Tendulkar, Vasant and Enck, William}, year={2014} } @inproceedings{gionta_azab_enck_ning_zhang_2014, title={Dacsa: A decoupled architecture for cloud security analysis}, booktitle={Proceedings of the 7th Workshop on Cyber Security Experimentation and Test}, author={Gionta, Jason and Azab, Ahmed and Enck, William and Ning, Peng and Zhang, Xiaolan}, year={2014} } @book{nadkarni_sheth_weinsberg_taft_enck_2014, title={GraphAudit: Privacy Auditing for Massive Graph Mining}, institution={North Carolina State University. Dept. of Computer Science}, author={Nadkarni, Adwait and Sheth, A and Weinsberg, U and Taft, N and Enck, W}, year={2014} } @article{ahn_enck_shin_2014, title={Guest Editors' Introduction: Special Issue on Security and Privacy in Mobile Platforms}, volume={11}, ISSN={["1941-0018"]}, DOI={10.1109/tdsc.2014.2312738}, abstractNote={The articles in this special issue focus on the use of computer security and privacy applications in mobile communication platforms.}, number={3}, journal={IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING}, publisher={IEEE}, author={Ahn, Gail-Joon and Enck, William and Shin, Dongwan}, year={2014}, pages={209–210} } @inproceedings{yang_xiao_pandita_enck_xie_2014, title={Improving mobile application security via bridging user expectations and application behaviors}, booktitle={Proceedings of the 2014 Symposium and Bootcamp on the Science of Security}, author={Yang, Wei and Xiao, Xusheng and Pandita, Rahul and Enck, William and Xie, Tao}, year={2014}, pages={32} } @inproceedings{davis_shashidharan_liu_enck_mclaughlin_watson_2014, title={Insecure behaviors on mobile devices under stress}, booktitle={Proceedings of the 2014 Symposium and Bootcamp on the Science of Security}, author={Davis, Agnes and Shashidharan, Ashwin and Liu, Qian and Enck, William and McLaughlin, Anne and Watson, Benjamin}, year={2014}, pages={31} } @inproceedings{liu_bae_watson_mclaughhlin_enck_2014, title={Modeling and sensing risky user behavior on mobile devices}, booktitle={Proceedings of the 2014 Symposium and Bootcamp on the Science of Security}, author={Liu, Qian and Bae, Juhee and Watson, Benjamin and McLaughhlin, Anne and Enck, William}, year={2014}, pages={33} } @inproceedings{nadkarni_tendulkar_enck_2014, title={NativeWrap: ad hoc smartphone application creation for end users}, booktitle={Proceedings of the 2014 ACM conference on Security and privacy in wireless & mobile networks}, author={Nadkarni, Adwait and Tendulkar, Vasant and Enck, William}, year={2014}, pages={13–24} } @inproceedings{ho_dean_gu_enck_2014, title={PREC: practical root exploit containment for android devices}, booktitle={Proceedings of the 4th ACM conference on Data and application security and privacy}, author={Ho, Tsung-Hsuan and Dean, Daniel and Gu, Xiaohui and Enck, William}, year={2014}, pages={187–198} } @inproceedings{gionta_azab_enck_ning_zhang_2014, title={SEER: practical memory virus scanning as a service}, booktitle={Proceedings of the 30th Annual Computer Security Applications Conference}, author={Gionta, Jason and Azab, Ahmed and Enck, William and Ning, Peng and Zhang, Xiaolan}, year={2014}, pages={186–195} } @article{enck_gilbert_chun_cox_jung_mcdaniel_sheth_2014, title={TaintDroid: An Information Flow Tracking System for Real-Time Privacy Monitoring on Smartphones}, volume={57}, ISSN={["1557-7317"]}, DOI={10.1145/2494522}, abstractNote={Today's smartphone operating systems frequently fail to provide users with adequate control over and visibility into how third-party applications use their privacy-sensitive data. We address these shortcomings with TaintDroid, an efficient, systemwide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data. TaintDroid provides real-time analysis by leveraging Android's virtualized execution environment. Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, we found 68 instances of misappropriation of users' location and device identification information across 20 applications. Monitoring sensitive data with TaintDroid provides informed use of third-party applications for phone users and valuable input for smartphone security service firms seeking to identify misbehaving applications.}, number={3}, journal={COMMUNICATIONS OF THE ACM}, author={Enck, William and Gilbert, Peter and Chun, Byung-Gon and Cox, Landon P. and Jung, Jaeyeon and McDaniel, Patrick and Sheth, Anmol N.}, year={2014}, month={Mar}, pages={99–106} } @article{enck_gilbert_han_tendulkar_chun_cox_jung_mcdaniel_sheth_2014, title={TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones}, volume={32}, ISSN={["1557-7333"]}, DOI={10.1145/2619091}, abstractNote={Today’s smartphone operating systems frequently fail to provide users with visibility into how third-party applications collect and share their private data. We address these shortcomings with TaintDroid, an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data. TaintDroid enables realtime analysis by leveraging Android’s virtualized execution environment. TaintDroid incurs only 32% performance overhead on a CPU-bound microbenchmark and imposes negligible overhead on interactive third-party applications. Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, in our 2010 study we found 20 applications potentially misused users’ private information; so did a similar fraction of the tested applications in our 2012 study. Monitoring the flow of privacy-sensitive data with TaintDroid provides valuable input for smartphone users and security service firms seeking to identify misbehaving applications.}, number={2}, journal={ACM TRANSACTIONS ON COMPUTER SYSTEMS}, author={Enck, William and Gilbert, Peter and Han, Seungyeop and Tendulkar, Vasant and Chun, Byung-Gon and Cox, Landon P. and Jung, Jaeyeon and McDaniel, Patrick and Sheth, Anmol N.}, year={2014}, month={Jun} } @inproceedings{enck_xie_2014, title={Tutorial: Text Analytics for Security}, booktitle={Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security}, author={Enck, William and Xie, Tao}, year={2014}, pages={1540–1541} } @inproceedings{rastogi_chen_enck_2013, title={AppsPlayground: automatic security analysis of smartphone applications}, booktitle={Proceedings of the third ACM conference on Data and application security and privacy}, author={Rastogi, Vaibhav and Chen, Yan and Enck, William}, year={2013}, pages={209–220} } @inbook{rastogi_chen_enck_2013, title={Automatic Security Analysis of Android Applications}, booktitle={Android Security and Mobile Cloud Computing}, publisher={Springer}, author={Rastogi, Vaibhav and Chen, Yan and Enck, William}, year={2013} } @inproceedings{chakradeo_reaves_traynor_enck_2013, title={MAST: triage for market-scale mobile malware analysis}, booktitle={Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks}, author={Chakradeo, Saurabh and Reaves, Bradley and Traynor, Patrick and Enck, William}, year={2013}, pages={13–24} } @inproceedings{nadkarni_enck_2013, title={Preventing accidental data disclosure in modern operating systems}, booktitle={Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security}, author={Nadkarni, Adwait and Enck, William}, year={2013}, pages={1029–1042} } @inproceedings{pandita_xiao_yang_enck_xie_2013, title={WHYPER: towards automating risk assessment of mobile applications}, booktitle={Proceedings of the 22nd USENIX Security Symposium, Washington DC, USA}, author={Pandita, Rahul and Xiao, Xusheng and Yang, Wei and Enck, William and Xie, Tao}, year={2013}, pages={14–16} } @inproceedings{tendulkar_snyder_pletcher_butler_shashidharan_enck_2012, title={Abusing cloud-based browsers for fun and profit}, booktitle={Proceedings of the 28th Annual Computer Security Applications Conference}, author={Tendulkar, Vasant and Snyder, Ryan and Pletcher, Joe and Butler, Kevin and Shashidharan, Ashwin and Enck, William}, year={2012}, pages={219–228} } @inproceedings{barrera_enck_oorschot_2012, title={Meteor: Seeding a Security-Enhancing Infrastructure for Multi-market Application Ecosystems}, booktitle={IEEE MoST: Mobile Security Technologies Workshop}, author={Barrera, David and Enck, William and Oorschot, Paul C}, year={2012} } @article{ongtang_mclaughlin_enck_mcdaniel_2012, title={Semantically rich application-centric security in Android}, volume={5}, ISSN={["1939-0122"]}, DOI={10.1002/sec.360}, abstractNote={ABSTRACT}, number={6}, journal={SECURITY AND COMMUNICATION NETWORKS}, author={Ongtang, Machigar and McLaughlin, Stephen and Enck, William and McDaniel, Patrick}, year={2012}, month={Jun}, pages={658–673} } @inproceedings{enck_octeau_mcdaniel_chaudhuri_2011, title={A Study of Android Application Security.}, booktitle={USENIX Security Symposium}, author={Enck, William and Octeau, Damien and McDaniel, Patrick and Chaudhuri, Swarat}, year={2011} } @inbook{enck_2011, title={ARP Spoofing}, booktitle={Encyclopedia of Cryptography and Security}, publisher={Springer US}, author={Enck, William}, year={2011}, pages={48–49} } @phdthesis{enck_2011, title={Analysis Techniques for Mobile Operating System Security}, school={The Pennsylvania State University}, author={Enck, William Harold}, year={2011} } @inbook{enck_2011, title={Android’s Security Framework--Understanding the Security of Mobile Phone Platforms}, booktitle={Encyclopedia of Cryptography and Security}, publisher={Springer US}, author={Enck, William}, year={2011}, pages={34–37} } @inbook{enck_2011, title={Defending Users against Smartphone Apps: Techniques and Future Directions}, ISBN={9783642255595 9783642255601}, ISSN={0302-9743 1611-3349}, url={http://dx.doi.org/10.1007/978-3-642-25560-1_3}, DOI={10.1007/978-3-642-25560-1_3}, abstractNote={Smartphone security research has become very popular in response to the rapid, worldwide adoption of new platforms such as Android and iOS. Smartphones are characterized by their ability to run third-party applications, and Android and iOS take this concept to the extreme, offering hundreds of thousands of “apps” through application markets. In response, smartphone security research has focused on protecting users from apps. In this paper, we discuss the current state of smartphone research, including efforts in designing new OS protection mechanisms, as well as performing security analysis of real apps. We offer insight into what works, what has clear limitations, and promising directions for future research.}, booktitle={Information Systems Security}, publisher={Springer Berlin Heidelberg}, author={Enck, William}, year={2011}, pages={49–70} } @book{barrera_enck_oorschot_2011, title={Seeding a Security-Enhancing Infrastructure for Multi-market Application Ecosystems}, institution={Technical report, School of Computer Science, Carleton University, http …}, author={Barrera, David and Enck, William and Oorschot, Paul C}, year={2011} } @article{mcdaniel_enck_2010, title={Not so great expectations: Why application markets haven't failed security}, volume={8}, number={5}, journal={IEEE Security & Privacy}, publisher={IEEE}, author={McDaniel, Patrick and Enck, William}, year={2010}, pages={76–78} } @article{traynor_butler_enck_mcdaniel_borders_2010, title={malnets: large-scale malicious networks via compromised wireless access points}, volume={3}, ISSN={1939-0114 1939-0122}, url={http://dx.doi.org/10.1002/sec.149}, DOI={10.1002/sec.149}, abstractNote={Abstract}, number={2-3}, journal={Security and Communication Networks}, publisher={Wiley}, author={Traynor, Patrick and Butler, Kevin and Enck, William and McDaniel, Patrick and Borders, Kevin}, year={2010}, month={Mar}, pages={102–113} } @article{choi_enck_shin_mcdaniel_la porta_2009, title={ASR: anonymous and secure reporting of traffic forwarding activity in mobile ad hoc networks}, volume={15}, ISSN={1022-0038 1572-8196}, url={http://dx.doi.org/10.1007/S11276-007-0067-0}, DOI={10.1007/S11276-007-0067-0}, number={4}, journal={Wireless Networks}, publisher={Springer Science and Business Media LLC}, author={Choi, Heesook and Enck, William and Shin, Jaesheung and McDaniel, Patrick D. and La Porta, Thomas F.}, year={2009}, month={May}, pages={525–539} } @article{enck_moyer_mcdaniel_sen_sebos_spoerel_greenberg_sung_rao_aiello_2009, title={Configuration management at massive scale: system design and experience}, volume={27}, number={3}, journal={IEEE Journal on Selected Areas in Communications}, publisher={IEEE}, author={Enck, William and Moyer, Thomas and McDaniel, Patrick and Sen, Subhabrata and Sebos, Panagiotis and Spoerel, Sylke and Greenberg, Albert and Sung, Yu-Wei Eric and Rao, Sanjay and Aiello, William}, year={2009}, pages={323–335} } @article{traynor_enck_mcdaniel_porta_2009, title={Mitigating attacks on open functionality in SMS-capable cellular networks}, volume={17}, number={1}, journal={IEEE/ACM Transactions on Networking (TON)}, publisher={IEEE Press}, author={Traynor, Patrick and Enck, William and McDaniel, Patrick and Porta, Thomas La}, year={2009}, pages={40–53} } @inproceedings{enck_ongtang_mcdaniel_2009, title={On lightweight mobile phone application certification}, booktitle={Proceedings of the 16th ACM conference on Computer and communications security}, author={Enck, William and Ongtang, Machigar and McDaniel, Patrick}, year={2009}, pages={235–245} } @article{enck_ongtang_mcdaniel_others_2009, title={Understanding Android Security.}, volume={7}, number={1}, journal={IEEE Security & Privacy}, author={Enck, William and Ongtang, Machigar and McDaniel, Patrick Drew and others}, year={2009}, pages={50–57} } @inproceedings{enck_butler_richardson_mcdaniel_smith_2008, title={Defending against attacks on main memory persistence}, booktitle={2008 Annual Computer Security Applications Conference (ACSAC)}, author={Enck, William and Butler, Kevin and Richardson, Thomas and McDaniel, Patrick and Smith, Adam}, year={2008}, pages={65–74} } @article{traynor_enck_mcdaniel_la porta_2008, title={Exploiting open functionality in SMS-capable cellular networks}, volume={16}, number={6}, journal={Journal of Computer Security}, publisher={IOS Press}, author={Traynor, Patrick and Enck, William and Mcdaniel, Patrick and La Porta, Thomas}, year={2008}, pages={713–742} } @article{enck_ongtang_mcdaniel_2008, title={Mitigating Android software misuse before it happens}, journal={Pennsylvania State University, Tech. Rep. NAS-TR-0094-2008}, author={Enck, William and Ongtang, Machigar and McDaniel, Patrick}, year={2008} } @inproceedings{enck_mcdaniel_jaeger_2008, title={Pinup: Pinning user files to known applications}, booktitle={2008 Annual Computer Security Applications Conference (ACSAC)}, author={Enck, William and McDaniel, Patrick and Jaeger, Trent}, year={2008}, pages={55–64} } @inproceedings{traynor_butler_enck_mcdaniel_2008, title={Realizing massive-scale conditional access systems through attribute-based cryptosystems}, booktitle={In Proceedings of the ISOC Network & Distributed System Security Symposium (NDSS)}, author={Traynor, Patrick and Butler, Kevin and Enck, William and McDaniel, Patrick}, year={2008} } @inproceedings{butler_enck_hursti_mclaughlin_traynor_mcdaniel_2008, title={Systemic Issues in the Hart InterCivic and Premier Voting Systems: Reflections Following Project EVEREST}, booktitle={Proceedings of the USENIX/ACCURATE Electronic Voting Technology (EVT) Workshop}, author={Butler, Kevin and Enck, William and Hursti, Harri and McLaughlin, Stephen and Traynor, Patrick and McDaniel, Patrick}, year={2008} } @inproceedings{enck_mcdaniel_sen_sebos_spoerel_greenberg_rao_aiello_2007, title={Configuration Management at Massive Scale: System Design and Experience}, url={https://www.usenix.org/legacy/events/usenix07/tech/enck.html}, booktitle={Proceedings of the USENIX Annual Technical Conference}, author={Enck, William and McDaniel, Patrick and Sen, Subhabrata and Sebos, Panagiotis and Spoerel, Sylke and Greenberg, Albert and Rao, Sanjay and Aiello, William}, year={2007}, pages={73–86} } @book{johansen_butler_enck_traynor_mcdaniel_2007, title={Grains of SANs: Building Storage Area Networks from Memory Spots}, institution={Technical Report NASTR-0060-2007, Network and Security Research Center …}, author={Johansen, Lisa and Butler, Kevin and Enck, William and Traynor, Patrick and McDaniel, Patrick}, year={2007} } @inproceedings{rowaihy_enck_mcdaniel_la porta_2007, title={Limiting sybil attacks in structured p2p networks}, booktitle={INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE}, author={Rowaihy, Hosam and Enck, William and McDaniel, Patrick and La Porta, Thomas}, year={2007}, pages={2596–2600} } @inproceedings{enck_rueda_schiffman_sreenivasan_st clair_jaeger_mcdaniel_2007, title={Protecting users from themselves}, booktitle={Proceedings of the 2007 ACM workshop on Computer security architecture}, author={Enck, William and Rueda, Sandra and Schiffman, Joshua and Sreenivasan, Yogesh and St Clair, Luke and Jaeger, Trent and McDaniel, Patrick}, year={2007}, pages={29–36} } @article{lootah_enck_mcdaniel_2007, title={TARP: Ticket-based address resolution protocol}, volume={51}, ISSN={1389-1286}, url={http://dx.doi.org/10.1016/j.comnet.2007.05.007}, DOI={10.1016/j.comnet.2007.05.007}, abstractNote={IP networks fundamentally rely on the Address Resolution Protocol (ARP) for proper operation. Unfortunately, vulnerabilities in ARP enable a raft of Internet Protocol (IP)-based impersonation, man-in-the-middle, or Denial of Service (DoS) attacks. Proposed countermeasures to these vulnerabilities have yet to simultaneously address backward compatibility and cost requirements. This paper introduces the Ticket-based Address Resolution Protocol (TARP). TARP implements security by distributing centrally issued secure IP/Medium Access Control (MAC) address mapping attestations through existing ARP messages. We detail TARP and its implementation within the Linux operating system. We also detail the integration of TARP with the Dynamic Host Configuration Protocol (DHCP) for dynamic ticket distribution. Our experimental analysis shows that TARP improves the costs of implementing ARP security by as much as two orders of magnitude over existing protocols. We conclude by exploring a range of operational issues associated with deploying and administering ARP security.}, number={15}, journal={Computer Networks}, publisher={Elsevier BV}, author={Lootah, Wesam and Enck, William and McDaniel, Patrick}, year={2007}, month={Oct}, pages={4322–4337} } @phdthesis{enck_2006, title={Analysis of Open Functionality in SMS-capable Cellular Networks}, school={Pennsylvania State University}, author={Enck, William Harold}, year={2006} } @inproceedings{traynor_enck_mcdaniel_la porta_2006, title={Mitigating attacks on open functionality in SMS-capable cellular networks}, booktitle={Proceedings of the 12th annual international conference on Mobile computing and networking}, author={Traynor, Patrick and Enck, William and McDaniel, Patrick and La Porta, Thomas}, year={2006}, pages={182–193} } @inbook{clair_johansen_enck_pirretti_traynor_mcdaniel_jaeger_2006, title={Password Exhaustion: Predicting the End of Password Usefulness}, ISBN={9783540689621 9783540689638}, ISSN={0302-9743 1611-3349}, url={http://dx.doi.org/10.1007/11961635_3}, DOI={10.1007/11961635_3}, abstractNote={Passwords are currently the dominant authentication mechanism in computing systems. However, users are unwilling or unable to retain passwords with a large amount of entropy. This reality is exacerbated by the increasing ability of systems to mount offline attacks. In this paper, we evaluate the degree to which the previous statements are true and attempt to ascertain the point at which passwords are no longer sufficient to securely mediate authentication. In order to demonstrate this, we develop an analytical model for computation to understand the time required to recover random passwords. Further, an empirical study suggests the situation is much worse. In fact, we found that past systems vulnerable to offline attacks will be obsolete in 5-15 years, and our study suggests that a large number of these systems are already obsolete. We conclude that we must discard or fundamentally change these systems, and to that effect, we suggest a number of ways to prevent offline attacks.}, booktitle={Information Systems Security}, publisher={Springer Berlin Heidelberg}, author={Clair, Luke St. and Johansen, Lisa and Enck, William and Pirretti, Matthew and Traynor, Patrick and McDaniel, Patrick and Jaeger, Trent}, year={2006}, pages={37–55} } @inbook{butler_enck_plasterr_traynor_mcdaniel_2006, title={Privacy Preserving Web-Based Email}, volume={3}, ISBN={9783540689621 9783540689638}, ISSN={0302-9743 1611-3349}, url={http://dx.doi.org/10.1007/11961635_8}, DOI={10.1007/11961635_8}, abstractNote={Recent web-based applications offer users free service in exchange for access to personal communication, such as on-line email services and instant messaging. The inspection and retention of user communication is generally intended to enable targeted marketing. However, unless specifically stated otherwise by the collecting service’s privacy policy, such records have an indefinite lifetime and may be later used or sold without restriction. In this paper, we show that it is possible to protect a user’s privacy from these risks by exploiting mutually oblivious, competing communication channels. We create virtual channels over online services (e.g., Google’s Gmail, Microsoft’s Hotmail) through which messages and cryptographic keys are delivered. The message recipient uses a shared secret to identify the shares and ultimately recover the original plaintext. In so doing, we create a wired “spread-spectrum” mechanism for protecting the privacy of web-based communication. We discuss the design and implementation of our open-source Java applet, Aquinas, and consider ways that the myriad of communication channels present on the Internet can be exploited to preserve privacy.}, booktitle={Information Systems Security}, publisher={Springer Berlin Heidelberg}, author={Butler, Kevin and Enck, William and Plasterr, Jennifer and Traynor, Patrick and McDaniel, Patrick}, year={2006}, pages={116–131} } @misc{lootah_enck_mcdaniel_2006, title={TARP: Ticket-based Address Resolution Protocol}, url={http://dx.doi.org/10.1109/csac.2005.55}, DOI={10.1109/csac.2005.55}, abstractNote={IP networks fundamentally rely on the address resolution protocol (ARP) for proper operation. Unfortunately, vulnerabilities in the ARP protocol enable a raft of IP-based impersonation, man-in-the-middle, or DoS attacks. Proposed countermeasures to these vulnerabilities have yet to simultaneously address backward compatibility and cost requirements. This paper introduces the ticket-based address resolution protocol (TARP). TARP implements security by distributing centrally issued secure MAC/IP address mapping attestations through existing ARP messages. We detail the TARP protocol and its implementation within the Linux operating system. Our experimental analysis shows that TARP improves the costs of implementing ARP security by as much as two orders of magnitude over existing protocols. We conclude by exploring a range of operational issues associated with deploying and administering ARP security}, journal={21st Annual Computer Security Applications Conference (ACSAC'05)}, publisher={IEEE}, author={Lootah, W. and Enck, W. and McDaniel, P.}, year={2006}, month={Jan} } @inproceedings{enck_traynor_mcdaniel_la porta_2005, title={Exploiting open functionality in SMS-capable cellular networks}, booktitle={Proceedings of the 12th ACM conference on Computer and communications security}, author={Enck, William and Traynor, Patrick and McDaniel, Patrick and La Porta, Thomas}, year={2005}, pages={393–404} } @inproceedings{rowaihy_enck_mcdaniel_la porta_2005, title={Limiting sybil attacks in structured peer-to-peer networks}, booktitle={IEEE Infocom Mini-Symposium}, author={Rowaihy, Hosam and Enck, William and McDaniel, Patrick and La Porta, Thomas}, year={2005} } @misc{choi_enck_shin_mcdaniel_la porta_2005, title={Secure reporting of traffic forwarding activity in mobile ad hoc networks}, url={http://dx.doi.org/10.1109/mobiquitous.2005.53}, DOI={10.1109/mobiquitous.2005.53}, abstractNote={Nodes forward data on behalf of each other in mobile ad hoc networks. In a civilian application, nodes are assumed to be selfish and rational, i.e., they pursue their own self-interest. Hence, the ability to accurately measure traffic forwarding is critical to ensure proper network operation. These measurements are often used to credit nodes based on their level of participation, or to detect loss. Past solutions employ neighbor monitoring and reporting on node forwarding traffic. These methods are not applicable in civilian networks where neighbor nodes lack the desire or ability to perform the monitoring function. Such environments occur frequently in which neighbor hosts are resource constrained, or in networks where directional antennas are used and reliable monitoring is difficult or impossible. In this paper, we propose a protocol that uses nodes on the data path to securely produce packet forwarding reports. Reporting nodes are chosen randomly and secretly so that malicious nodes cannot modify their behavior based upon the monitoring point. The integrity and authenticity of reports are preserved through the use of secure link layer acknowledgments and monitoring reports. The robustness of the reporting mechanism is strengthened by forwarding the report to multiple destinations (source and destination). We explore the security, cost, and accuracy of our protocol.}, journal={The Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services}, publisher={IEEE}, author={Choi, H. and Enck, W. and Shin, J. and McDaniel, P. and La Porta, T.F.}, year={2005} } @inproceedings{choi_enck_shin_mcdaniel_la porta_2005, title={Secure reporting of traffic forwarding activity in mobile ad hoc networks}, booktitle={The Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services}, author={Choi, Heesook and Enck, William and Shin, Jaesheung and McDaniel, Patrick and La Porta, Thomas F}, year={2005}, pages={12–21} } @article{muralee_koishybayev_nahapetyan_tystahl_reaves_bianchi_enck_kapravelos_machiry, title={ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions}, author={Muralee, Siddharth and Koishybayev, Igibek and Nahapetyan, Aleksandr and Tystahl, Greg and Reaves, Brad and Bianchi, Antonio and Enck, William and Kapravelos, Alexandros and Machiry, Aravind} } @inproceedings{wang_enck_reeves_zhang_ning_xu_zhou_azab, title={EASEAndroid: Automatic Policy Analysis and Refinement for Security Enhanced Android via Large-Scale Semi-Supervised Learning}, booktitle={24th USENIX Security Symposium (USENIX Security 15)}, author={Wang, Ruowen and Enck, William and Reeves, Douglas and Zhang, Xinwen and Ning, Peng and Xu, Dingbang and Zhou, Wu and Azab, A} } @article{williams_acar_cukier_enck_kapravelos_kästner_wermke, title={Securing the So ware Supply Chain: Research, Outreach, Education}, author={Williams, Laurie and Acar, Yasemin and Cukier, Michel and Enck, William and Kapravelos, Alexandros and Kästner, Christian and Wermke, Dominik} } @article{butler_enck_hursti_mclaughlin_traynor_mcdaniel, title={Systemic Issues in the Hart InterCivic Voting System: Reflections Following Project EVEREST}, author={Butler, Kevin and Enck, William and Hursti, Harri and McLaughlin, Stephen and Traynor, Patrick and McDaniel, Patrick} } @article{enck_deaconescu_chiroiu_deshotels, title={iOS Security Framework: Understanding the Security of Mobile Phone Platforms}, author={Enck, William and Deaconescu, Razvan and Chiroiu, Mihai and Deshotels, Luke} }