Xavier de Carné de Carnavalet

Research

See my profile on the following platforms:
Google Scholar DBLP profile ORCID

Peer-reviewing and professional service

• TPC: IEEE Security & Privacy (S&P) 2026, SecureComm'23, FPS'22, FCS'21
• Publications Chair for SecureComm'23
• Reviewer for ACM CSUR, IEEE TDSC, IEEE TIFS, Elsevier C&S, IEEE Security & Privacy Magazine, Springer Nature
• Extenal reviewer for CLOUD S&P'19, CCS'16,18,19, USENIX Security'18, AsiaCCS'15,18, NSPW'16, SPSM'15,16, TRUST'14, ACSAC'14

Conference and journal papers

• Understanding Home Router Configuration Habits & Attitudes. J. Ye, X. de Carné de Carnavalet, L. Zhao, L. Wu, M. Zhang. ACM CHI Conference on Human Factors in Computing Systems (CHI'25), Yokohama, Japan, Apr. 26-May 1, 2025. [DOI] conference
• Exposed by Default: A Security Analysis of Home Router Default Settings and Beyond. (Pre-print version: Nov. 17, 2024). J. Ye, X. de Carné de Carnavalet, L. Zhao, M. Zhang, L. Wu, W. Zhang. IEEE Internet of Things Journal (IEEE IoT-J), 12(2), 1182-1199, Jan. 2025 [DOI] journal
• Towards Exploring Cross-Regional and Cross-Platform Differences in Login Throttling. M. Cai, X. de Carné de Carnavalet, S. Zhang, L. Zhao, M. Zhang. Nordic Conference on Secure IT systems (NordSec'24), Karlstad, Sweden, Nov. 6-7, 2024. [DOI] conference
• Detecting Command Injection Vulnerabilities in Linux-Based Embedded Firmware with LLM-based Taint Analysis of Library Functions. (Pre-print version: June 27, 2024). J. Ye, X. Fei, X. de Carné de Carnavalet, L. Zhao, L. Wu, M. Zhang. Elsevier Computers & Security, 144, 103971, Sep. 2024. [DOI] journal
• Exposed by Default: A Security Analysis of Home Router Default Settings. J. Ye, X. de Carné de Carnavalet, M. Zhang, L. Zhao, L. Wu, W. Zhang. ACM Symposium on Information, Computer and Communications Security (AsiaCCS'24), Singapore, July 1-5, 2024. [DOI] conference
• Vulnerability reporting GitHub page
• The Flaw Within: Identifying CVSS Score Discrepancies in the NVD. S. Zhang, M. Cai, M. Zhang, L. Zhao, X. de Carné de Carnavalet. IEEE International Conference on Cloud Computing Technology and Science (CloudCom'23), Napoli, Italy, Dec. 4-6, 2023. [DOI] conference
• A survey and analysis of TLS interception mechanisms and motivations. (Pre-print version: Dec. 27, 2022). X. de Carné de Carnavalet and Paul C. van Oorschot. ACM Computing Surveys (ACM CSUR), 55(13s), 1-40, July 2023. [DOI] journal
• Last-Mile TLS Interception: Analysis and Observation of the Non-Public HTTPS Ecosystem (Ph.D. thesis, July 24, 2019). thesis
• Privacy and Security Risks of "Not-a-Virus" Bundled Adware: The Wajam Case. X. de Carné de Carnavalet and M. Mannan. arXiv:1905.05224 (May 13, 2019). preprint
• Large-Scale Empirical Study of Important Features Indicative of Discovered Vulnerabilities to Assess Application Security. (Pre-print version: Feb. 4, 2019, © IEEE). M. Zhang, X. de Carné de Carnavalet, L. Wang, A. Ragab. IEEE Transactions on Information Forensics and Security (TIFS), 14(9), 2315-2330, Sep. 2019. [DOI] journal
• Face recognition using multi-class Logical Analysis of Data. A. Ragab, X. de Carné de Carnavalet, S. Yacout, M-S. Ouali. Pattern Recognition and Image Analysis, 27(2), 276-288, Apr. 2017. journal
• Killed by Proxy: Analyzing Client-end TLS Interception Software. X. de Carné de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS'16), San Diego, CA, USA, Dec. 21-24, 2016. [DOI] conference
• A Large-Scale Evaluation of High-Impact Password Strength Meters. (Pre-print version: Feb. 27, 2015, © ACM). X. de Carné de Carnavalet and M. Mannan. ACM Transactions on Information and System Security (TISSEC), 18(1), 1-32, May 2015. [DOI] journal
• Challenges and Implications of Verifiable Builds for Security-Critical Open-Source Software. X. de Carné de Carnavalet and M. Mannan. Annual Computer Security Applications Conference (ACSAC'14), New Orleans, LA, USA, Dec. 8-12, 2014. [DOI] [Extended version] conference
  • How I compiled TrueCrypt 7.1a for Win32 and matched the official binaries (Oct. 2013) tech report
  • Full-disclosure
• From Very Weak to Very Strong: Analyzing Password-Strength Meters. X. de Carné de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS'14), San Diego, CA, USA, Feb. 23-26, 2014. [DOI] [Extended version] [Project page] conference
  • A Large-scale Evaluation of High-impact Password Strength Meters (M.A.Sc. thesis, Apr. 7, 2014) thesis

Books

• Volume editor: Haixin Duan, Mourad Debbabi, Xavier de Carné de Carnavalet, Xiapu Luo, Xiaojiang Du, Man Ho Allen Au (Eds.). (2024). Security and Privacy in Communication Networks: 19th EAI International Conference, SecureComm 2023, Hong Kong, China, October 19–21, 2023, Proceedings, Part I & II. Springer Nature. https://doi.org/10.1007/978-3-031-64948-6 & https://link.springer.com/book/10.1007/978-3-031-64954-7