Andrei Sabelfeld

In brief

My research focuses on web security, software security, language-based security, IoT security, and location privacy. I lead a team of researchers, engaged in a number of EU and national projects and collaborations with industry including Google, Facebook, Microsoft, and SAP.

My (over 100) papers are published in venues that include flagships IEEE Security & Privacy, ACM CCS, USENIX Security, and NDSS. Most recent:

Practical Data Access Minimization in Trigger-Action Platforms (USENIX Security'22)

Hardening the Security Analysis of Browser Extensions (SAC'22)

DeDup.js: Discovering Malicious and Vulnerable Extensions by Detecting Duplication (ICISSP'22)

SandTrap: Securing JavaScript-driven Trigger-Action Platforms (USENIX Security'21)

Securing Node-RED Applications, (Guttman'21)

EssentialFP: Exposing the Essence of Browser Fingerprinting (SecWeb'21)

Nontransitive Policies Transpiled (EuroS&P'21)

Data Privacy in Trigger-Action Systems (S&P'21)

Black Widow: Blackbox Data-driven Web Scanning (S&P'21)

HMAC and "Secure Preferences": Revisiting Chromium-based Browsers Security (CANS'20)

Where are you Bob? Privacy-Preserving Proximity Testing with a Napping Party (ESORICS'20)

Clockwork: Tracking Remote Timing Attacks (CSF'20)

VERONICA: Expressive and Precise Concurrent Information Flow Security (CSF'20)

AutoNav: Evaluation and Automatization of Web Navigation Policies (WWW'20)

An Empirical Study of Information Flows in Real-World JavaScript (PLAS'19)

Securing IoT Apps (IEEE S&P Magazine'19)

TOPPool: Time-aware Optimized Privacy-Preserving Ridesharing (PETS'19)

Information-Flow Control for Database-backed Applications (EuroS&P'19)

On the Road with Third-Party Apps: Security Analysis of an In-Vehicle App Platform (VEHITS'19)

Latex Gloves: Protecting Browser Extensions from Probing and Revelation Attacks (NDSS'19)

More...

I serve on the steering committees of IEEE CSF (chair) and NordSec, and (over 100) program committees including IEEE Security & Privacy, ACM CCS, USENIX Security, and NDSS. Current/recent PCs:

S&P'23 (associated chair), CCS'22, CSF'22, EuroS&P'22, S&P'22 (associated chair), WWW'22, CCS'21, S&P'21, CSF'21, EuroS&P'21, WWW'21, CCS'20, CSF'20, EuroS&P'20, SecWeb'20, WWW'20, CCS'19, IDC'19, PSI'19, EuroS&P'19, S&P'19, WWW'19, POST'19, CCS'18 (area chair for Formal Methods & PL), EuroS&P'18, S&P'18, WWW'18, POST'18, ESORICS'17, USENIX Security'17, S&P'17, EuroS&P'17 (co-chair), TMPA'17, CCS'16, ESORICS'16, USENIX Security'16, CSF'16, SAC'16, EuroS&P'16, NDSS'16, ACSAC'15, RAID'15, CCS'15, AppSecEU'15, S&P'15, SAC'15, ESSoS'15,... See more under Activities.

I am recipient of the Facebook Privacy-Enhancing Technologies Research Award (2021), Facebook Research Program Gift (2021), ERC Proof of Concept (2018), Facebook Research Program Gift (2016), Google Faculty Research Award (2016), ERC Starter/Consolidator (2012), Chalmers Research Supervisor of the year (2010), and SSF Future Research Leader (2008) awards.

Check out the attacks, protocols, and tools recently designed within my team: SandTrap, Black Widow, JSFlow, AutoNav, TOPPool, FlowIT, and more!

Securing web applications from Chalmers Univ. of Technology on Vimeo.

Activities

Program committees: S&P'23 (associated chair), CCS'22, CSF'22, EuroS&P'22, S&P'22 (assoicated chair), WWW'22, CCS'21, S&P'21, CSF'21, EuroS&P'21, WWW'21, CCS'20, CSF'20, EuroS&P'20, SecWeb'20, WWW'20, CCS'19, PSI'19, EuroS&P'19, S&P'19, WWW'19, POST'19, CCS'18 (area chair for Formal Methods & PL), EuroS&P'18, S&P'18, WWW'18, POST'18, ESORICS'17, USENIX Security'17, S&P'17, EuroS&P'17 (co-chair), TMPA'17, CCS'16, ESORICS'16, USENIX Security'16, CSF'16, SAC'16, EuroS&P'16, NDSS'16, ACSAC'15, RAID'15, CCS'15, AppSecEU'15, S&P'15, SAC'15, ESSoS'15, CCS'14, NordSec'14, QASA'14, CSF'14, PSI'14, S&P'14, SAC'14, NWPT'13, NordSec'13, ESORICS'13, AppSecEU'13, ESEC/FSE'13 New Ideas Track, FCS'13, POST'13, POPL'13, NWPT'12, NordSec'12, MMM-ACNS'12, POST'12, NWPT'11, NordSec'11, SEC'11, ESOP'11, NWPT'10, MMM-ACNS'10, AppSec Research'10, PLAS'10, S&P'10, ASIACCS'10, CCS'09, CSF'09, CCS'08, CSF'08 (chair), ESOP'08, NordSec'07 (co-chair), MMM-ACNS'07, CSF'07 (chair), PLAS'07, ESOP'07, APLAS'06, ESORICS'06 (co-chair), CSFW'06, S&P'06, POPL'06, MMM-ACNS'05, SAS'05, FCS'05 (chair), CSFW'05, ESOP'05, VODCA'04, SecCo'04, SAS'04, FCS'04 (chair), FAST'03, FCS'03, CSFW'03, CSFW'02.
Steering committees: CSF (chair), NordSec, POST (2014-19), FCS (2005-13, chair: 2005-08).
Editorships: editorial board member for JCS (2012-18) and IPL (2012-13); editor for JCS special issue on verified information flow, 2017, JCS special issue on web application security 2014, special issues on CSF 2008 and CSF 2007 of JCS and issue on Language-Based Security of JFP, 2005.
Keynote invited talks: ViSP Distinguished Lecture Series'21, CASTOR Software Days'19, SSIoT'19, NWPT'18, PSI'17, HotSpot'17, e-Stockholm'16, ICICS'14, RS3'14, OWASP Gothenburg Kick-Off, MMM-ACNS'10, ASIACCS'10, Dagstuhl WebAppSec'09, OWASP Sweden Kick-off, ASIAN'07, TGC'06, Dagstuhl LBS'03, FCS'03.
PhD Summer/Winter School Lecturing: Security & Correctness in the IoT'19, WASP-AS'19, EWSCS'19, Security & Correctness in the IoT'18, IM&CTCPA'16, FOSAD'14, Aalborg'11, Marktoberdorf'11, Software Engineering and Verification'11, Marktoberdorf'09, GLOBAN'08, FOSAD'04, WSSA'03.
Dagstuhl seminar organizer: Web Application Security, 2012; Mobility, Ubiquity, and Security, 2007; Language-Based Security, 2003.
Scientific Advisory Boards: Max Planck Institute for Security and Privacy, CISPA-Stanford Center for Cybersecurity, ITU Center for Information Security and Trust (ITU CIST).

Publications

PhD students

PhD students

Ivan Oleynikov
Mohammad Ahmadpanah
Benjamin Eriksson
Iulia Bastys

Postdocs

Pablo Picazo-Sanchez (2019-)
Musard Balliu (2014-17)
Steven Van Acker (2015-18)
Daniel Hedin (2010-14)

PhD students graduated

Alexander Sjösten
Daniel Schoepe
Elena Pagnin
Daniel Hausknecht
Per Hallgren
Luciano Bello
Willard Rafnsson
Arnar Birgisson
Jonas Magazinius
Aslan Askarov
Alejandro Russo

Teaching