Willy R. Vasquez


CV || Mastodon || GitHub || LinkedIn

I am a Ph.D. student at The University of Texas at Austin advised by Prof. Hovav Shacham and in the SPARK Research Lab. My research currently focuses on the security of hardware video decoders and building out zero-knowledge proof technologies. My interests lie in privacy, systems security, cryptosystems, and formal methods.

I am a Strauss Center Brumley Next Generation Fellow since Fall 2019 mentored by Prof. Bobby Chesney working on applications of zero-knowledge proofs to national security.

I was an M.Eng. student at the MIT Media Lab's Digital Currency Initiative advised by Neha Narula. My thesis was on the privacy and auditability of distributed ledgers, and part of it was later published at NSDI. You can read my thesis here.

I also did my undergrad at MIT where I lived in Spanish House and had research opportunities on combining attribute-based encryption with proof-of-work under Prof. Shafi Goldwasser, and on improving SMT solver performance with program synthesis under Prof. Armando Solar-Lezama.

I have worked full time at Raytheon BBN Technologies, and interned at Trail of Bits (Winter '23), Cirrus Logic (Fall '21), Samsung Austin R&D Center (SARC) (Summer '19), Microsoft Research (Summer '18), Symantec (Summers '13 and '14), Secunetics (IAP '14), and Lockheed Martin (Summer '12).


Yingchen Wang, Riccardo Paccagnella, Zhao Gang, Willy R. Vasquez, David Kohlbrenner, Hovav Shacham, and Christopher W. Fletcher. GPU.zip: On the Side-Channel Implications of Hardware-Based Graphical Data Compression. In P. Traynor and W. Enck, eds., Proceedings of IEEE Security and Privacy (“Oakland”) 2024. IEEE Computer Society, May 2024. To appear. [website]
Associated CVE: CVE-2023-44216.

Willy R. Vasquez, Stephen Checkoway, and Hovav Shacham. The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders. In Usenix Security. Anaheim, California, 2023. [pdf] [code]
Associated CVEs: CVE-2024-27793, CVE-2022-48434, CVE-2022-42850, CVE-2022-42846, CVE-2022-32939, and CVE-2022-3266.

Neha Narula, Willy Vasquez, and Madars Virza. Privacy-preserving Auditing on Distributed Ledgers. In NSDI. Renton, Washington, 2018. [pdf]

Recent Adventures

CVE-2024-27793 was addressed in iTunes 12.13.2 for Windows.

I was a TA for UT's CS 361s: Computer Security. Such a fun class where we showed students how to do browser exploitation, sandbox escapes, and implement control flow integrity into toolchains.

I volunteered at Ringzer0 Bootstrap as a TA for the Android Malware Reverse Engineering course and the main conference.

[H26Forge Tour] I presented H26Forge at BSidesDFW 2023! I describe how we found and exploited CVE-2022-32939, and provide details on how RLBox can be used to protect media parsing libraries. [Talk (TBD)] [Slides]

[H26Forge Tour] I presented H26Forge at Demuxed 2023! I describe Luma/Chroma Thief, Datamoshing, and other potential use cases for H26Forge. [Talk] [Slides]

I volunteered at The 2023 CMD-IT/ACM Richard Tapia Celebration of Diversity in Computing Conference!

My sandboxing code contributions were incorporated into Firefox 117!

[H26Forge Tour] I presented H26Forge at USENIX Security 2023! I describe how we found and exploited CVE-2022-42846, an iOS Kernel DoS. [Talk] [Slides]

[H26Forge Tour] I presented H26Forge at Black Hat 2023! I describe how we found and exploited CVE-2022-32939, a controlled skip-then-write iOS kernel heap vulnerability. [Talk] [Slides and demo]

[H26Forge Tour] I presented H26Forge at REcon 2023! I discuss how to get a heap overflow for the in-the-wild exploited CVE-2022-22675. [Talk] [Slides and demo]

My team Inject;Pwn;Repeat was a semi-finalist in the 2023 Austin Cyber 9/12 Competition. We won best Decision Document!

CVE-2022-42850 and CVE-2022-42846 were addressed in iOS and iPadOS 15.7.2 and iOS and iPadOS 16.2.

CVE-2022-32939 was addressed in iOS and iPadOS 15.7.1 and iOS 16.1 and iPadOS 16.

My team Global SXSW was a finalist in the 2022 MIT Policy Hackathon. Check out our presentation here!

I got my first CVE: CVE-2022-3266. Be sure to update your Firefox!

My team {alg:none} was a finalist in the 2021 MIT Policy Hackathon. Check out our presentation here!

My 2020-2021 Atlantic Council Cyber 9/12 Competition adventures have been detailed by UT Strauss Center and The Manuscript Podcast.

I wrote a review of Spice for the MIT DCI Cryptocurrency Research Review.

I have participated in the Atlantic Council Cyber 9/12 Competition as Longhorn APT, Longhorn Command, and Deep State Machine 5 (DSM5)!

I attended Real World Crypto '19. Write up of my experience.

I attended NSDI '18.

I attended Real World Crypto '18.

I attended the DeepSpec Summer School '17 where I participated in the Coq Intensive and learned about formally verified systems

I attended PLMW@POPL '17 in Paris!

I attended Real World Crypto '17. It was awesome! Write up of my experience.

I participated in the 2014 Battelle CyberAuto Challenge



H26Forge: Domain-specific infrastructure for analyzing, generating, and manipulating syntactically correct but semantically spec-non-compliant video files.

FyreBox - Encrypted File System

Bulletproofs Implementation in Go


I was Vice President of the MAES Boston Professional Chapter.

Steganography Challenge for High Schoolers

Consejera: A platform for parents to help their children succeed


MIT ECCSF Winter 2015: Latinos in Entrepreneurship Conference


I am co-founder of GraduatE ECE (GREECE) @ UT whose mission is to interact with ECE graduate students across labs and tracks and foster a sense of community within the UT Graduate ECE department. We host social events, industry events, and provide a voice to the administration on behalf of students' needs.

I am an MIT Arts Scholar interested in visualizing privacy leakages in everyday interactions, and exploring ways to visualize binary executions to get insights, similar to ..cantor.dust.. or DARPA's Cyber Grand Challenge.

More to come...