My research focuses on web security, software security, language-based security, IoT security, and location privacy. I lead a team of researchers, engaged in a number of EU and national projects and collaborations with industry including Google, Facebook, Amazon, Microsoft, OpenAI, and SAP.
My (over 100) papers are published in venues that include flagships IEEE Security & Privacy, ACM CCS, USENIX Security, and NDSS.
Most recent:
- CodeX: Contextual Flow Tracking for Browser Extensions (CODASPY'25)
- Spider-Scents: Grey-box Database-aware Web Scanning for Stored XSS (USENIX Security'24)
- FakeX: A Framework for Detecting Fake Reviews of Browser Extensions (ASIACCS'24)
- Black Ostrich: Web Application Scanning with String Solvers (CCS'23)
- LazyTAP: On-Demand Data Minimization for Trigger-Action Applications (S&P'23)
- No Signal Left to Chance: Driving Browser Extension Analysis by Download Patterns (ACSAC'22)
- SecWasm: Information Flow Control for WebAssembly (SAS'22)
- Are Chrome extensions compliant with the spirit of least privilege? (IJIS'22)
- Practical Data Access Minimization in Trigger-Action Platforms (USENIX Security'22)
- CatNap: Leveraging Generic MPC for Actively Secure Privacy-Enhancing Proximity Testing with a Napping Party (SECRYPT'22)
- Outsourcing MPC Precomputation for Location Privacy (LPW'22)
- Hardening the Security Analysis of Browser Extensions (SAC'22)
- DeDup.js: Discovering Malicious and Vulnerable Extensions by Detecting Duplication (ICISSP'22)
- SandTrap: Securing JavaScript-driven Trigger-Action Platforms (USENIX Security'21)
- Securing Node-RED Applications (Guttman'21)
- EssentialFP: Exposing the Essence of Browser Fingerprinting (SecWeb'21)
- Nontransitive Policies Transpiled (EuroS&P'21)
- Data Privacy in Trigger-Action Systems (S&P'21)
- Black Widow: Blackbox Data-driven Web Scanning (S&P'21)
I serve on the steering committee of IEEE CSF and (over 100) program committees including IEEE Security & Privacy, ACM CCS, USENIX Security, and NDSS. Current/recent PCs:
- S&P'26, USENIX Security'25, WWW'25, S&P'25, USENIX Security'24 (Distinguished Reviewer Award, Top 8% PC members), S&P'24, WWW'24, CCS'23, USENIX Security'23, S&P'23 (Associate Chair), WWW'23, CCS'22, CSF'22, EuroS&P'22, S&P'22 (Associate Chair), WWW'22, CCS'21, S&P'21, CSF'21, EuroS&P'21, WWW'21, CCS'20, CSF'20, EuroS&P'20, SecWeb'20, WWW'20, CCS'19, IDC'19, PSI'19, EuroS&P'19, S&P'19, WWW'19, POST'19, CCS'18 (Area chair for Formal Methods & PL), EuroS&P'18, S&P'18, WWW'18, POST'18, ESORICS'17, USENIX Security'17, S&P'17, EuroS&P'17 (co-chair), TMPA'17, CCS'16, ESORICS'16, USENIX Security'16, CSF'16, SAC'16, EuroS&P'16, NDSS'16, ACSAC'15, RAID'15, CCS'15, AppSecEU'15, S&P'15, SAC'15, ESSoS'15,... See more under Activities.
I am a recipient of Wallenberg Scholar (2024), Amazon Research Award (2022), Facebook Privacy-Enhancing Technologies Research Award (2021), Facebook Research Program Gift (2021), ERC Proof of Concept (2018), Facebook Research Program Gift (2016), Google Faculty Research Award (2016), ERC Starter/Consolidator (2012), Chalmers Research Supervisor of the year (2010), and SSF Future Research Leader (2008) awards.
Check out the security tools recently designed within my team: Spider-Scents, Black Widow, Input Validation Challenge, SandTrap, JSFlow, IFC Challenge, AutoNav, TOPPool, FlowIT, and more!
Check out our video on Securing Web Applications: