My research interests span across network security and privacy, web security, Internet measurement, passwords and authentication, software and firmware security, and applications of machine learning to security.
Mailing address:
PQ806, Mong Man Wai building, The Hong Kong Polytechnic University
11 Yuk Choi Rd, Hung Hom, Kowloon, Hong Kong
About me
My most popular work includes a comparison of TrueCrypt's sources against the official binaries, my evaluation of popular password strength meters, and my study of how badly antivirus and parental control applications break TLS connections to filter content.
Please check my tutorial on how to correctly parse my name to make my day brighter, thanks!
Publications
2024
- Towards Exploring Cross-Regional and Cross-Platform Differences in Login Throttling. M. Cai, X. de Carné de Carnavalet, S. Zhang, L. Zhao, M. Zhang. Accepted at NordSec'24, Karlstad, Sweden, 2024. conference
- Detecting Command Injection Vulnerabilities in Linux-Based Embedded Firmware with LLM-based Taint Analysis of Library Functions. (Pre-print version: June 27, 2024). J. Ye, X. Fei, X. de Carné de Carnavalet, L. Zhao, L. Wu, M. Zhang. Elsevier Computers & Security, 144, 103971, September 2024. journal
- Exposed by Default: A Security Analysis of Home Router Default Settings. J. Ye, X. de Carné de Carnavalet, M. Zhang, L. Zhao, L. Wu, W. Zhang. AsiaCCS'24, Singapore, 2024. conference
2023
- The Flaw Within: Identifying CVSS Score Discrepancies in the NVD. S. Zhang, M. Cai, M. Zhang, L. Zhao, X. de Carné de Carnavalet. CloudCom'23, Napoli, Italy, 2023. conference
- A survey and analysis of TLS interception mechanisms and motivations. (Pre-print version: Dec. 27, 2022). X. de Carné de Carnavalet and Paul C. van Oorschot. ACM Computing Surveys, 55(13s), 1-40, July 2023. journal
2019
- Last-Mile TLS Interception: Analysis and Observation of the Non-Public HTTPS Ecosystem (Ph.D. thesis, July 24, 2019). thesis
- Privacy and Security Risks of "Not-a-Virus" Bundled Adware: The Wajam Case. X. de Carné de Carnavalet and M. Mannan. arXiv:1905.05224 (May 13, 2019). preprint
- Large-Scale Empirical Study of Important Features Indicative of Discovered Vulnerabilities to Assess Application Security. (Pre-print version: Feb. 4, 2019, © IEEE). M. Zhang, X. de Carné de Carnavalet, L. Wang, A. Ragab. IEEE Transactions on Information Forensics and Security (TIFS), 14(9): 2315-2330 (September 2019). journal
2017
- Face recognition using multi-class Logical Analysis of Data. A. Ragab, X. de Carné de Carnavalet, S. Yacout, M-S. Ouali. Pattern Recognition and Image Analysis, volume 27, no. 2 (2017), pages 276-288. journal
2016
- Killed by Proxy: Analyzing Client-end TLS Interception Software. X. de Carné de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS'16), San Diego, CA, USA, 2016. conference
2015
- A Large-Scale Evaluation of High-Impact Password Strength Meters. (Pre-print version: Feb. 27, 2015, © ACM). X. de Carné de Carnavalet and M. Mannan. ACM Transactions on Information and System Security (TISSEC), 18(1): 1-32 (May 2015). journal
2014
-
Challenges and Implications of Verifiable Builds for Security-Critical Open-Source Software. X. de Carné de Carnavalet and M. Mannan. Annual Computer Security Applications Conference (ACSAC'14), New Orleans, LA, USA, 2014. conference
- Extended version (Dec. 10, 2014) tech report
- How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries (Oct. 2013) tech report
-
From Very Weak to Very Strong: Analyzing Password-Strength Meters. X. de Carné de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS'14), San Diego, CA, USA, 2014. conference
- Extended version (Dec. 26, 2013) tech report
- Project page with resources from this project (data + source code) project
- M.A.Sc. thesis: A Large-scale Evaluation of High-impact Password Strength Meters (Apr. 7, 2014) thesis