Research Areas

My current research focus is on (1) the security of the software supply chain and (2) analysing the security of 5G cellular infrastructure and implementations. I primarily use static and dynamic program analysis and machine learning (when appropriate) to build automated tools that improve security and discover vulnerabilities. I also use systems building to design novel defenses to attacks. I have studied a wide range of topics in the past, including mobile platforms, Internet of Things (IoT), networks, and cloud infrastructure. In particular, my work in mobile application security has led to significant consumer awareness and changes to platforms, as well as a SIGOPS Hall of Fame Award.

Software Supply Chain

Digital innovation has accelerated substantially as software is increasingly built on top of many layers of reusable abstractions, including libraries, frameworks, cloud infrastructure, artificial intelligence (AI) modules, and others, giving rise to software supply chains where software projects depend on and build upon other software projects. My research on software supply chain security has two primary thrusts: (1) code dependencies and (2) build infrastructure.

My research on code dependencies primarily focuses on how to improve vulnerability information using automated analysis to help project maintainers more effectively determine when a vulnerable dependency needs to be updated. In this vein, my efforts have included automated discovery of silent vulnerability fixes and enriching vulnerability databases with vital information such as patch links and vulnerable functions.

My research on build infrastructure seeks to secure build processes against attacks. For example, my work on Argus models GitHub Actions workflows and uses static dataflow analysis to discover code injection vulnerabilities deep within the workflow. I am also interested in Reproducible-Builds (R-Bs), which can be used to provide a strong guarantee that a build process has not been tampered with.

Selected Publications

  1. Trevor Dunlap, John Speed Meyers, Brad Reaves, and William Enck, Pairing Security Advisories with Vulnerable Functions Using Open-Source LLMs, in Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2024.
  2. Trevor Dunlap, Elizabeth Lin, William Enck, and Bradley Reaves, VFCFinder: Pairing Security Advisories and Patches, in Proceedings of the ACM Asia Conference on Computer and Communications Security (AsiaCCS), 2024.
    (acceptance rate=19.4%)
  3. Elizabeth Lin, Igibek Koishybayev, Trevor Dunlap, William Enck, and Alexandros Kapravelos, UntrustIDE: Exploiting Weaknesses in VS Code Extensions, in Proceedings of the ISOC Network and Distributed Systems Symposium (NDSS), 2024. (distinguished paper).
    [PDF]
  4. Siddharth Muralee, Igibek Koishybayev, Aleksandr Nahapetyan, Greg Tystahl, Brad Reaves, Antonio Bianchi, William Enck, Alexandros Kapravelos, and Aravind Machiry, ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions, in Proceedings of the USENIX Security Symposium, 2023, pp. 6983–7000.
    [PDF] (acceptance rate=29%)
  5. Trevor Dunlap, Seaver Thorn, William Enck, and Bradley Reaves, Finding Fixed Vulnerabilities with Off-the-Shelf Static Analysis, in Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P), 2023, pp. 489–505.
    [PDF] (acceptance rate=35.0%)
  6. Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl, and Yasemin Acar, It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security, in Proceedings of the IEEE Symposium on Security and Privacy (S&P), 2023, pp. 1527–1544.
    [PDF] (acceptance rate=17%)
  7. William Enck and Laurie Williams, Top Five Challenges in Software Supply Chain Security: Observations From 30 Industry and Government Organizations, IEEE Security and Privacy Magazine, vol. 20, no. 2, pp. 96–100, Mar. 2022. (column, best paper).
    [PDF]

Cellular Infrastructure

The cellular network is the world’s most important communication system. More people globally access the Internet from mobile devices than from laptop or desktop computers, and the ubiquity of cellular connectivity is a crucial reason why. In the mid-2000s, my research discovered vulnerabilities in the way SMS messages were delivered to phones, allowing an attacker to deny voice service to large metropolitan areas. I have recently combined this prior research interest in cellular security with my current interest in applying program analysis to address security problems. Specifically, my recent work uses static and dynamic analysis to study 4G and 5G open-source cellular cores, examining their use of cryptography, access control, and cellular-specific functionality.

Selected Publications

  1. Nathaniel Bennett, Weidong Zhu, Benjamin Simon, Ryon Kennedy, William Enck, Patrick Traynor, and Kevin Butler, RANsacked: A Domain-Informed Approach for Fuzzing LTE and 5G RAN-Core Interfaces, in Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2024.
  2. K. Virgil English, Nathaniel Bennett, Seaver Thorn, Kevin Butler, William Enck, and Patrick Traynor, Examining Cryptography and Randomness Failures in Open-Source Cellular Cores, in Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY), 2024.
    [PDF] (acceptance rate=21.25%)
  3. Seaver Thorn, K. Virgil English, Kevin Butler, and William Enck, 5GAC-Analyzer: Identifying Over-Privilege Between 5G Core Network Functions, in Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2024.
    [PDF] (acceptance rate=21.1%)

Discovered Vulnerabilities

GSMA CVD-2022-0060, CVD-2022-0061, CVD-2022-0062

Mobile App and Text Analysis

My research uses static and dynamic analysis of software applications and their artifacts to better understand the need for and expressiveness of access control. Much of my application analysis research has focused on mobile platforms such as Android and iOS. As these platforms were emerging, my research built novel application analysis tools to explore the types of platform functionality being used by application developers. For example, my TaintDroid framework adds fine-grained dynamic taint analysis to the Android platform. It is primarily used as a dynamic application analysis tool to discover privacy infringements and malicious functionality. TaintDroid enabled the first study that identified that Android applications commonly leak geographic location information and phone identifiers to third parties without the user's knowledge. My research has also explored the need for access control through the novel use of natural language processing (NLP). For example, my Whyper framework was the first analysis tool to use NLP of the textual descriptions of applications in the Google Play Store. This work determines which, if any, of the sentences in the description suggest the need for the different permissions requested by the application. In doing so, Whyper helps bridge the gap between program analysis and end user expectations.

Selected Publications

  1. Benjamin Andow, Samin Yaseer Mahmud, Wenyu Wang, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Tao Xie, PolicyLint: Investigating Internal Privacy Policy Contradictions on Google Play, in Proceedings of the USENIX Security Symposium, Santa Clara, CA, 2019, pp. 585–602.
    [PDF] (acceptance rate=16%)
  2. Benjamin Andow, Akhil Acharya, Dengfeng Li, William Enck, Kapil Singh, and Tao Xie, UiRef: Analysis of Sensitive User Inputs in Android Applications, in Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2017.
    [PDF] (acceptance rate=22.3%)
  3. Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie, WHYPER: Towards Automating Risk Assessment of Mobile Applications, in Proceedings of the USENIX Security Symposium, Washington, D.C., 2013.
    [PDF] (acceptance rate=16.2%)
  4. William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri, A Study of Android Application Security, in Proceedings of the 20th USENIX Security Symposium, San Francisco, CA, 2011.
    [PDF] (acceptance rate=17.2%) (supersedes NAS-0144)
  5. William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth, TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, in Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI), Vancouver, BC, 2010.
    [PDF] (acceptance rate=16.1%) (supersedes NAS-0120)

Correctness of Enforcement and Policy

My research studies the correctness of access control enforcement by analysing both code and policy. Much of my research on this topic has focused on mobile platforms such as Android and iOS. Android and iOS have fundamentally changed access control for commodity computing. Most significantly, these platforms have changed the underlying security principal from the user to the application. This change was primarily necessitated by the introduction of feature-rich runtime environments where not all applications should be trusted with the user’s authority. The corresponding new burden on the operating system access control was significant, leading to the incorporation of over a hundred new permissions. Frequently, system daemons must have hard-coded checks to ensure the accessing application has sufficient privilege.

I have studied the correctness of these access control policies in both Android and iOS. For Android, my research has created a collection of static program analysis tools for investigating the Android middleware. It has uncovered dozens of missing or incorrect access control checks that have been reported to Google. For iOS, my research has reverse engineered and formally modeled the different mandatory and discretionary access control policies. It has uncovered many flaws in the policy that have been addressed by Apple.

Selected Publications

  1. Sigmund Albert Gorski III, Seaver Thorn, William Enck, and Haining Chen, FReD: Identifying File Re-Delegation in Android System Services, in Proceedings of the USENIX Security Symposium, 2022, pp. 1526–1542.
    [PDF] (acceptance rate=18%)
  2. Luke Deshotels, Costin Carabas, Jordan Beichler, Razvan Deaconescu, and William Enck, Kobold: Evaluating Decentralized Access Control for Remote NSXPC Methods on iOS, in Proceedings of the IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, 2020, pp. 1056–1070.
    [PDF] (acceptance rate=12.3%)
  3. Sigmund Albert Gorski III and William Enck, ARF: Identifying Re-Delegation Vulnerabilities in Android System Services, in Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), Miami, FL, 2019, pp. 151–161.
    [PDF] (acceptance rate=25.6%)
  4. Luke Deshotels, Razvan Deaconescu, Costin Carabas, Iulia Manda, William Enck, Mihai Chiroiu, Ninghui Li, and Ahmad-Reza Sadeghi, iOracle: Automated Evaluation of Access Control Policies in iOS, in Proceedings of the ACM Asia Conference on Computer and Communications Security (ASIACCS), Songdo, Incheon, Korea, 2018, pp. 117–131.
    [PDF] (acceptance rate=20.0%)
  5. Luke Deshotels, Razvan Deaconescu, Mihai Chiroiu, Lucas Davi, William Enck, and Ahmad-Reza Sadeghi, SandScout: Automatic Detection of Flaws in iOS Sandbox Profiles, in Proceedings of the ACM Conference on Computer and Communications Security (CCS), Vienna, Austria, 2016.
    [PDF] (acceptance rate=16.5%)

Discovered Vulnerabilities

New Access Control Primitives

My research investigates new access control primitives for computing platforms. For example, I have explored how information flow control (IFC) can be practically incorporated into systems to provide enhanced security guarantees. IFC controls not only which security principal can access information, but also what it may do with information once it has been accessed. My Aquifer and Weir frameworks have demonstrated how Android’s runtime environment is amenable to decentralized information flow control (DIFC) in ways that traditional platforms are not. Similarly, my SCIFFS framework extends DIFC into serverless computing, also known as Function-as-a-Service (FaaS). I have also explored how Software Defined Networking (SDN) can form the foundation for Zero Trust frameworks. In NetViews, my research showed how to use NIST’s Next Generation Access Control (NGAC) to manage fine-grained policy between hosts in an on-premises enterprise network. MSNetViews extends this model to support multiple geographic areas.

Selected Publications

  1. Iffat Anjum, Jessica Sokal, Hafiza Ramzah Rehman, Ben Weintraub, Ethan Leba, William Enck, Cristina Nita-Rotaru, and Bradley Reaves, MSNetViews: Geographically Distributed Management of Enterprise Network Security Policy, in Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), 2023, pp. 121–132.
    [PDF] (acceptance rate=20.4%)
  2. Iffat Anjum, Daniel Kostecki, Ethan Leba, Jessica Sokal, Rajit Bharambe, William Enck, Cristina Nita-Rotaru, and Bradley Reaves, Removing the Reliance on Perimeters for Security using Network Views, in Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), 2022, pp. 151–162. (best student paper).
    [PDF]
  3. Isaac Polinsky, Pubali Datta, Adam Bates, and William Enck, SCIFFS: Enabling Secure Third-Party Security Analytics using Serverless Computing, in Proceedings of the ACM Symposium on Access Control Models and Technologies (SACMAT), 2021, pp. 175–186.
    [PDF]
  4. Adwait Nadkarni, Benjamin Andow, William Enck, and Somesh Jha, Practical DIFC Enforcement on Android, in Proceedings of the USENIX Security Symposium, Austin, TX, 2016.
    [PDF] (acceptance rate=15.6%)
  5. Adwait Nadkarni and William Enck, Preventing Accidental Data Disclosure in Modern Operating Systems, in Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS), Berlin, Germany, 2013.
    [PDF] (acceptance rate=19.8%)