About

Manuel Egele is an Associate Professor in the Department of Electrical and Computer Engineering at Boston University, with an affiliation as Faculty in the Department of Computer Science. He earned his PhD from Vienna University of Technology in 2011. His areas of interest include Software Security, Web Security, and Security & Privacy on Mobile Systems and Online Social Networks. His research focuses on these security domains, contributing to the understanding and development of secure systems and privacy-preserving technologies.

Research topics

• Computer Science
• Computer Security
• Embedded system
• Programming language
• Software engineering
• Operating system

Selected publications

• The Cost of Convenience: Identifying, Analyzing, and Mitigating Predatory Loan Applications on Android

  ArXiv.org · 2026-01-19

  articleOpen access

  Digital lending applications, commonly referred to as loan apps, have become a primary channel for microcredit in emerging markets. However, many of these apps demand excessive permissions and misuse sensitive user data for coercive debt-recovery practices, including harassment, blackmail, and public shaming that affect both borrowers and their contacts. This paper presents the first cross-country measurement of loan app compliance against both national regulations and Google's Financial Services Policy. We analyze 434 apps drawn from official registries and app markets from Indonesia, Kenya, Nigeria, Pakistan, and the Philippines. To operationalize policy requirements at scale, we translate policy text into testable permission checks using LLM-assisted policy-to-permission mapping and combine this with static and dynamic analyses of loan apps' code and runtime behavior. Our findings reveal pervasive non-compliance among approved apps: 141 violate national regulatory policy and 147 violate Google policy. Dynamic analysis further shows that several apps transmit sensitive data (contacts, SMS, location, media) before user signup or registration, undermining informed consent and enabling downstream harassment of borrowers and third parties. Following our disclosures, Google removed 93 flagged apps from Google Play, representing over 300M cumulative installs. We advocate for adopting our methodology as a proactive compliance-monitoring tool and offer targeted recommendations for regulators, platforms, and developers to strengthen privacy protections. Overall, our results highlight the need for coordinated enforcement and robust technical safeguards to ensure that digital lending supports financial inclusion without compromising user privacy or safety.

  PublisherOA PDFDOI

• The Cost of Convenience: Identifying, Analyzing, and Mitigating Predatory Loan Applications on Android

  arXiv (Cornell University) · 2026-01-19

  preprintOpen access

  Digital lending applications, commonly referred to as loan apps, have become a primary channel for microcredit in emerging markets. However, many of these apps demand excessive permissions and misuse sensitive user data for coercive debt-recovery practices, including harassment, blackmail, and public shaming that affect both borrowers and their contacts. This paper presents the first cross-country measurement of loan app compliance against both national regulations and Google's Financial Services Policy. We analyze 434 apps drawn from official registries and app markets from Indonesia, Kenya, Nigeria, Pakistan, and the Philippines. To operationalize policy requirements at scale, we translate policy text into testable permission checks using LLM-assisted policy-to-permission mapping and combine this with static and dynamic analyses of loan apps' code and runtime behavior. Our findings reveal pervasive non-compliance among approved apps: 141 violate national regulatory policy and 147 violate Google policy. Dynamic analysis further shows that several apps transmit sensitive data (contacts, SMS, location, media) before user signup or registration, undermining informed consent and enabling downstream harassment of borrowers and third parties. Following our disclosures, Google removed 93 flagged apps from Google Play, representing over 300M cumulative installs. We advocate for adopting our methodology as a proactive compliance-monitoring tool and offer targeted recommendations for regulators, platforms, and developers to strengthen privacy protections. Overall, our results highlight the need for coordinated enforcement and robust technical safeguards to ensure that digital lending supports financial inclusion without compromising user privacy or safety.

  PublisherDOI

• Job Grouping Based Intelligent Resource Prediction Framework

  Lecture notes in computer science · 2026-01-01

  book-chapter
  PublisherDOI

• EasyCSPeasy: A Server-Side and Language-Agnostic XSS Mitigation by Devising and Ensuring Compliance with CSP

  Lecture notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering · 2025-09-04

  book-chapter
  PublisherDOI

• ScanWars: (A Multi-network Approach to Detecting and Analyzing) The Rise of Scanning Activity

  2025-11-04

  article

  Scanning is a prevalent method used by threat actors to identify vulnerabilities in networks or systems for subsequent exploitation. Prior research has focused on signature or anomaly-based methods for detecting malicious traffic on limited datasets. However, there is a gap in the comprehensive understanding of scanning activity, particularly in the context of the Web. Our scanning detection system, DVader, leverages a unique vantage point that provides visibility over nearly 100,000 networks to monitor scanning patterns. We identify that scanning activity often causes sudden bursts in traffic that are distinct from typical user behavior. To detect scanning in mixed traffic (benign and malicious), we track unusual spikes in volume-based features, such as the total number of requests, and employ a machine learning model. We conduct the first large-scale longitudinal study of the scanning activity leveraging our multi-network approach. By analyzing the detections of our system, we provide insights into scanning activity. We detect 316 million scanning and exploiting requests between May 1, 2023 and May 1, 2024, 58% of which are directed at router vulnerabilities. We show that our system detects malicious URLs embedded in exploit requests before they were detected by VirusTotal vendors. We show that our system effectively detects emerging threats within mixed traffic through case studies of recent and notable vulnerabilities, such as those in Ivanti Connect Secure, Log4j, and Zyxel router Web UI.

  PublisherDOI

• Zeus-IoT: Comprehensive Code Signing to Prevent IoT Device Weaponization

  2025-12-08

  articleSenior author

  The explosive growth of IoT devices has not been matched by equivalent security efforts, as manufacturers often ship devices with limited built-in defenses. Existing host-based malware detection & prevention systems for IoT face three fundamental limitations. First, they depend on runtime profiling to learn normal behavior, a process that inevitably misses legitimate but infrequent code paths and can break functionality when those paths execute. Second, they ignore interpreter-level execution, meaning that both scripting engines such as Lua or Python, and the ELF interpreter (dynamic linker) can be used to run malicious payloads undetected. Third, they struggle to scale across diverse firmware platforms without per-device tuning. In this paper, we propose Zeus-IoT to address these challenges. Zeus-IoT removes the need for profiling by leveraging the insight that IoT devices run a small, fixed set of binaries and scripts that rarely change once deployed. Zeus-IoT builds an allowlist by hashing every binary, shared library, and script that exists on the firmware image the vendor has built and is ready to flash onto the device. At run time, Zeus-IoT enforces this allowlist for all executions, including native binaries, shared libraries, and scripts, closing interpreter-level gaps. By integrating Zeus-IoT directly into the manufacturer's build pipeline (as demonstrated with our OpenWrt implementation), the framework scales to any Linux-based firmware platform without per-device profiling or manual configuration. We evaluate Zeus-IoT, a prototype on OpenWrt, against 81,152 real-world IoT malware samples and achieve 100% prevention. Zeus-IoT adds virtually no memory overhead and incurs a modest CPU cost. During one-time initialization (running 220 shell scripts, loading 2,790 shared libraries, and executing 751 binaries), Zeus-IoT adds 25 seconds to setup time, paid once per boot and negligible in practice. After the device reaches steady state, it shows zero measurable overhead over a five-minute window. We also measure the performance overhead that Zeus-IoT could introduce on core IoT device functionality (e.g., routing on a router) and find the impact to be negligible. These results demonstrate that comprehensive static allowlist enforcement is both practical and highly effective for resource-constrained IoT environments.

  PublisherDOI

• Runtime Performance Anomaly Diagnosis in Production HPC Systems Using Active Learning

  IEEE Transactions on Parallel and Distributed Systems · 2024-02-14 · 14 citations

  article

  With the increasing scale and complexity of High-Performance Computing (HPC) systems, performance variations in applications caused by anomalies have become significant bottlenecks in system health and operational efficiency. As we move towards exascale systems, these variations become more prominent due to the increased sharing of resources. Such variations lead to lower energy efficiency and higher operational costs. To mitigate these problems, one must quickly and accurately diagnose the root cause of the anomalies at scale. One way to evaluate system health and identify the underlying causes is by manually examining certain performance metrics in telemetry data or using rule-based methods. Due to the daily size of telemetry data reaching terabytes and the fact that the numeric telemetry data contains thousands of metrics, manual analysis of telemetry to diagnose problems becomes challenging. Given these limitations, Machine Learning (ML)-based approaches have been gaining popularity as they have been shown to be effective and practical in diagnosing previously encountered performance anomalies. One primary challenge for supervised ML models is that they require a significant amount of labeled samples during training. However, obtaining many labels for anomalies is extremely difficult and costly, considering anomalies occur infrequently and real-world numeric system telemetry data is hard to label since it contains thousands of metrics. This paper proposes a novel active learning-based framework that diagnoses performance anomalies (i.e., identifying the type of an anomaly) in HPC systems at runtime using significantly fewer labeled samples compared to state-of-the-art ML-based approaches. We show that the proposed framework achieves the same F1-score compared to a supervised approach using much fewer labeled samples (i.e., 16x fewer samples for achieving a 0.78 F1-score, 11x fewer samples for achieving a 0.82 F1-score), even when there are previously unseen applications and application inputs in the test dataset.

  PublisherDOI

• FirmDiff: Improving the Configuration of Linux Kernels Geared Towards Firmware Re-hosting

  2024-01-01

  articleOpen accessSenior author
  PublisherDOI

• SURGEON: Performant, Flexible, and Accurate Re-Hosting via Transplantation

  2024-01-01 · 2 citations

  articleOpen access

  Dynamic analysis of microcontroller-based embedded firmware remains challenging.The general lack of source code availability for Commercial-off-the-shelf (COTS) firmware prevents powerful source-based instrumentation and prohibits compiling the firmware into an executable directly runnable by an analyst.Analyzing firmware binaries requires either acquisition and configuration of custom hardware, or configuration of extensive software stacks built around emulators.In both cases, dynamic analysis is limited in functionality by complex debugging and instrumentation interfaces and in performance by low execution speeds on Microcontroller Units (MCUs) and Instruction Set Architecture (ISA) translation overheads in emulators.SURGEON provides a performant, flexible, and accurate rehosting approach for dynamic analysis of embedded firmware.We introduce transplantation to transform binary, embedded firmware into a Linux user space process executing natively on compatible high-performance systems through static binary rewriting.In addition to the achieved performance improvements, SURGEON scales horizontally through process instantiation and provides the flexibility to apply existing dynamic analysis tooling for user space processes without requiring adaptations to firmware-specific use cases.SURGEON's key use cases include debugging binary firmware with off-the-shelf tooling for user space processes and fuzz testing.

  PublisherDOI

• A Viewpoint: Safer Heaps With Practical Architectural Security Primitives

  IEEE Security & Privacy · 2024-07-01

  articleSenior author

  In this viewpoint, we argue that architectural security primitives are a promising basis for fast and secure program heaps. We discuss MPKAlloc, a recent research effort demonstrating the concrete benefits of this approach using Intel MPK to harden a production allocator. We end by discussing promising future directions for the field.

  PublisherDOI

Recent grants

• CAREER: Toward Securing Emerging Computing Platforms via Large-Scale Dynamic Analysis

  NSF · $559k · 2020–2026

• SaTC: CORE: Medium: Collaborative: Taming Memory Corruption with Security Monitors

  NSF · $800k · 2019–2024

Frequent coauthors

• Christopher Kruegel

  University of California, Santa Barbara

  24 shared

• Gianluca Stringhini

  21 shared

• Ayse K. Coskun

  Boston University

  20 shared

• Engin Kirda

  Northeastern University

  19 shared

• Vitus J. Leung

  Sandia National Laboratories

  16 shared

• Giovanni Vigna

  University of California, Santa Barbara

  15 shared

• Ajay Joshi

  15 shared

• Jim Brandt

  14 shared

Labs

• Data Mining & Data ManagementPI

Education

• Ph.D.

  Vienna University of Technology

  2011