Research

• I previously worked on security topics within the GraalVM at Oracle Labs. The GraalVM is an ambitious project that provides efficient just-in-time (JIT) and native compilation for Java programs and also a framework for implementing programming languages on top of the Java Virtual Machine (JVM).

• I completed my PhD in Computer Science at Boston University where I was supervised by Manuel Egele and Hongwei Xi. At BU, I was a member of the Secure Systems Lab and Principles of Programming and Verification (POPV) research group.

  During my PhD, I researched language-based security techniques to protect cloud services. I had the opportunity to investigate this cloud security topic while interning with the Cyber Security Intelligence (CSI) team at IBM Research where I participated in the DARPA Cyber-Hunting at Scale (CHASE) program. I also worked on defenses that use memory protection keys (MPKs) available on recent Intel CPUs to improve applications' memory safety. This architectural security work was done as a part of the NSF Secure and Trustworthy Cyberspace (SaTC) Taming Memory Corruption with Security Monitors program.

  I also worked on a novel fuzz testing technique called micro-fuzzing to detect algorithmic complexity (AC) vulnerabilities in Java programs and libraries. This was done in collaboration with researchers from Boston University, Northeastern University, and UC Santa Barbara under the DARPA Space and Time Analysis for Cybersecurity (STAC) program. In addition to being used on challenges designed by defense contractors throughout the STAC program, our micro-fuzzing prototype, HotFuzz, has discovered AC bugs in widely used production Java libraries.

• I am also interested in how advanced type systems can be used to improve the reliability and security of systems software. To test this idea, I periodically work on ATSFlight, a firmware for first person view (FPV) drones implemented in ATS, a statically typed functional programming language that features both dependent and linear types. This work grew out of my experience using ATS on embedded microcontrollers during graduate school, and was influenced by the Fox Project.

• PhD in Computer Science
  Boston University 2023
• MS in Computer Science
  Boston University 2014
• BA in Computer Science
  Boston University 2012

• BinSweep: Reliably Restricting Untrusted Instruction Streams with Static Binary Analysis and Control-Flow Integrity [cite]
  Matteo Oldani, William Blair, Lukas Stadler, Zybněk Šlachrt, Matthias Neugschwandtner.
  In Proceedings of the ACM Cloud Computing Security Workshop (CCSW) 2024
• Automated Synthesis of Effect Graph Policies for Microservice-Aware Stateful System Call Specialization [article][post][talk][cite]
  William Blair, Frederico Araujo, Teryl Taylor, Jiyong Jang.
  In Proceedings of the IEEE Symposium on Security and Privacy (Oakland) 2024
• A Dependently Typed Language with Dynamic Equality [article][pdf][cite]
  Mark Lemay, Qiancheng Fu, William Blair, Cheng Zhang, Hongwei Xi.
  In Proceedings of the ACM SIGPLAN International Workshop on Type-Driven Development (TyDe) 2023
• ThreadLock: Native Principal Isolation Through Memory Protection Keys [article][pdf][cite]
  William Blair, William Robertson, Manuel Egele.
  In Proceedings of the ACM ASIA Conference on Computer and Communications Security (ASIACCS) 2023
• MPKAlloc: Efficient Heap Meta-Data Integrity Through Hardware Memory Protection Keys [article][pdf][slides][code][cite]
  William Blair, William Robertson, Manuel Egele.
  In Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) 2022
• HotFuzz: Discovering Temporal and Spatial Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing [pdf][cite]
  William Blair, Andrea Mambretti, Sajjad Arshad, Michael Weissbacher, William Robertson, Engin Kirda, Manuel Egele.
  In ACM Transactions on Privacy and Security (TOPS) 2022
• FlexFilt: Towards Flexible Instruction Filtering for Security [pdf][cite]
  Leila Delshadtehrani, Sadullah Canakci, William Blair, Manuel Egele, Ajay Joshi.
  In Proceedings of the Annual Computer Security Applications Conference (ACSAC) 2021
• HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing [pdf][post][slides][talk][cite]
  William Blair, Andrea Mambretti, Sajjad Arshad, Michael Weissbacher, William Robertson, Engin Kirda, Manuel Egele.
  In Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS) 2020
• Dependent Types for Multi-Rate Data Flows in Synchronous Programming [pdf][code][cite]
  William Blair, Hongwei Xi.
  In Post-Proceedings of the ACM Workshop on ML 2015

• Method for Control Flow Isolation with Protection Keys and Indirect Branch Tracking [doc]
  Matthias Neugschwandtner, William Blair.
  US Patent 11,977,889 2024
• Guided Micro-Fuzzing Through Hybrid Program Analysis [doc]
  Frederico Araujo, William Blair, Sanjeev Das, Jiyong Jang.
  US Patent 11,822,673 2023
• Stateful Microservice-Aware Intrusion Detection [doc]
  Frederico Araujo, William Blair, Teryl Paul Taylor.
  US Patent 11,720,667 2023
• Intrusion Detection in Micro-Services Through Container Telemetry and Behavior Modeling [doc]
  Frederico Araujo, Teryl Paul Taylor, Jiyong Jang, William Blair.
  US Patent 11,748,473 2023
• Automated Synthesis of Reference Policies for Runtime Microservice Protection [doc]
  Frederico Araujo, William Blair, Teryl Paul Taylor.
  US Patent Application US17/390,881 2023

• Symbolic Modeling of Micro Services for Intrusion Detection
  Poster Session: IEEE Symposium on Security and Privacy, May 2021.
  
• Microservice-Aware Reference Monitoring Through Hybrid Program Analysis [talk]
  FloCon, CMU Software Engineering Institute (SEI), January 2021.
  
• HotFuzz: Fuzzing for Space and Time Vulnerabilities in Java Programs
  DARPA Space and Time Analysis for Cybersecurity P.I. Meeting, Apogee Research, February 2019.
• Continuum: Finding Space and Time Vulnerabilities in Java Programs
  DARPA Space and Time Analysis for Cybersecurity P.I. Meeting, August 2016.
• Side Channels and Worst Case Behavior in Java
  Northeastern-WPI Seminar on Systems Security, June 2016.
• Using a Portfolio of SMT Solvers in Software Development
  New England Programming Languages Symposium (NEPLS), Tufts University, November 2015.
• Dependent Types for Real-Time Constraints [talk]
  ACM SIGPLAN ML Family Workshop at The International Conference on Functional Programming (ICFP)
  Vancouver, Canada, September 2015.
• Integrating SMT into Software Development
  New England Programming Languages Symposium (NEPLS), Wesleyan University, June 2015.
• Debugging with Types in ATS[talk]
  Boston Haskell Meetup, December 2014.

• CS210: Computer Systems (Spring 2021)
• CS630: Graduate Design and Analysis of Algorithms (Fall 2020)
• CS530: Graduate Design and Analysis of Algorithms (Fall 2019)
• CS111: Introduction to Computer Science (Spring 2015)
• CS111: Introduction to Computer Science (Fall 2014)
• CS211: iOS Application Development (Spring 2014)

• Expander Graphs [notes]
• Quicksort in ATS [animation][code]