I am a faculty member at CISPA Helmholtz Center for Information Security, leading the Application Security (AppSec) research group.

These are currently our areas of interest:

  • Broad web security area (e.g., web vulnerability detection, analysis, measurements, etc.)
  • Program analysis (e.g., web application scanners, static program analysis, client and server-side code analysis, etc.)
  • Machine learning and artificial intelligence for program analysis
  • Security of immersive web applications (e.g., metaverse security and privacy, WebXR, etc.)

Research

Current interests

Web Security and Vulnerability Detection and Analysis:

  • JavaScript analyses at scale (JAW [Usenix 2021, IEEE S&P 2023])
  • Web application scanners (Black Widow [IEEE SP 2021], jAEk [RAID 2015])
  • Cross-site request forgery (Same-site Cookies [IEEE S&P 2022], client-side CSRF detection (JAW) [Usenix 2021], the state of CSRF defense implementations [RAID 2021], CSRF detection (Deemon) [ACM CCS 2017])
  • Server-side requests (Link previews [NDSS 2020], SSR Abuse/Web Origin Laundering [RAID 2016])
  • Backdoors and hidden features [IEEE SP 2020]
  • Web API security [NDSS 2019]
  • Logic vulnerabilities [NDSS 2014]

Web Platform Security:

  • Web enclaves and trusted user I/O path (Fidelius [IEEE SP 2019])
  • Internet core services security (Who controls the Internet [WWW 2017], the Great Cannon [WOOT 2015])

ML and security:

  • Attacking perceptual ad-blocking [CCS 2019]
  • Detection of adversarial physical attacks [IEEE DLS 2020]

Service

  • Vice PC chair: USENIX Security (2023, 2024)
  • Area chair: TheWebConf (2024)
  • PC member at IEEE S&P (2024, 2023, 2022, 2021), ACM CCS (2023, 2021, 2020, 2018), USENIX Security (2022, 2021, 2020, 2019), IEEE Euro S&P (2023, 2022, 2020), ACSAC (2023, 2022, 2021, 2020, 2019, 2018, 2017), ACM AsiaCCS (2022, 2021, 2020, 2019), The Web Conference WWW (2023, 2022, 2021, 2020), DIMVA (2023, 2022, 2021, 2020), RAID (2022), SecWeb (2022, 2020), EuroSec (2022, 2021, 2020, 2019), ISC (2019), CARDS (2019), USENIX WOOT (2018), ACM CCS Poster (2016), IWCC (2016, 2015), DEPEND (2016, 2015), WTMC (2016), STAST (2014), NBiS (2014)
  • General co-chair for IEEE Euro S&P (2020)
  • PC co-chair for SECTEST2015
  • USENIX Security invited talks committee (2021, 2019)
  • Publicity chair for ACM CCS (2017)
  • Publication chair for DIMVA (2022, 2021)
  • Reviewer for ACM Computing Surveys, IEEE Transactions on Cloud Computing (TCC), and Transactions on Dependable and Secure Computing (TDSC)

Contact