My research focuses on web security, software security, language-based security, IoT security, and location privacy. I lead a team of researchers, engaged in a number of EU and national projects and collaborations with industry including Google, Facebook, Amazon, Microsoft, and SAP.

My (over 100) papers are published in venues that include flagships IEEE Security & Privacy, ACM CCS, USENIX Security, and NDSS. Most recent:

• No Signal Left to Chance: Driving Browser Extension Analysis by Download Patterns (ACSAC'22)
• SecWasm: Information Flow Control for WebAssembly (SAS'22)
• Are Chrome extensions compliant with the spirit of least privilege? (IJIS'22)
• Practical Data Access Minimization in Trigger-Action Platforms (USENIX Security'22)
• CatNap: Leveraging Generic MPC for Actively Secure Privacy-Enhancing Proximity Testing with a Napping Party (SECRYPT'22)
• Outsourcing MPC Precomputation for Location Privacy (LPW'22)
• Hardening the Security Analysis of Browser Extensions (SAC'22)
• DeDup.js: Discovering Malicious and Vulnerable Extensions by Detecting Duplication (ICISSP'22)
• SandTrap: Securing JavaScript-driven Trigger-Action Platforms (USENIX Security'21)
• Securing Node-RED Applications, (Guttman'21)
• EssentialFP: Exposing the Essence of Browser Fingerprinting (SecWeb'21)
• Nontransitive Policies Transpiled (EuroS&P'21)
• Data Privacy in Trigger-Action Systems (S&P'21)
• Black Widow: Blackbox Data-driven Web Scanning (S&P'21)
• HMAC and "Secure Preferences": Revisiting Chromium-based Browsers Security (CANS'20)
• Where are you Bob? Privacy-Preserving Proximity Testing with a Napping Party (ESORICS'20)
• Clockwork: Tracking Remote Timing Attacks (CSF'20)
• VERONICA: Expressive and Precise Concurrent Information Flow Security (CSF'20)
• AutoNav: Evaluation and Automatization of Web Navigation Policies (WWW'20)
• An Empirical Study of Information Flows in Real-World JavaScript (PLAS'19)
• Securing IoT Apps (IEEE S&P Magazine'19)
• TOPPool: Time-aware Optimized Privacy-Preserving Ridesharing (PETS'19)
• Information-Flow Control for Database-backed Applications (EuroS&P'19)
• On the Road with Third-Party Apps: Security Analysis of an In-Vehicle App Platform (VEHITS'19)
• Latex Gloves: Protecting Browser Extensions from Probing and Revelation Attacks (NDSS'19)
• More...

I serve on the steering committees of IEEE CSF (chair) and NordSec, and (over 100) program committees including IEEE Security & Privacy, ACM CCS, USENIX Security, and NDSS. Current/recent PCs:

• CCS'23, USENIX Security'23, S&P'23 (Associate Chair), WWW'23, CCS'22, CSF'22, EuroS&P'22, S&P'22 (Associate Chair), WWW'22, CCS'21, S&P'21, CSF'21, EuroS&P'21, WWW'21, CCS'20, CSF'20, EuroS&P'20, SecWeb'20, WWW'20, CCS'19, IDC'19, PSI'19, EuroS&P'19, S&P'19, WWW'19, POST'19, CCS'18 (Area chair for Formal Methods & PL), EuroS&P'18, S&P'18, WWW'18, POST'18, ESORICS'17, USENIX Security'17, S&P'17, EuroS&P'17 (co-chair), TMPA'17, CCS'16, ESORICS'16, USENIX Security'16, CSF'16, SAC'16, EuroS&P'16, NDSS'16, ACSAC'15, RAID'15, CCS'15, AppSecEU'15, S&P'15, SAC'15, ESSoS'15,... See more under Activities.

I am recipient of Amazon Research Award (2022), Facebook Privacy-Enhancing Technologies Research Award (2021), Facebook Research Program Gift (2021), ERC Proof of Concept (2018), Facebook Research Program Gift (2016), Google Faculty Research Award (2016), ERC Starter/Consolidator (2012), Chalmers Research Supervisor of the year (2010), and SSF Future Research Leader (2008) awards.

Check out the attacks, protocols, and tools recently designed within my team: SandTrap, Black Widow, JSFlow, AutoNav, TOPPool, FlowIT, and more!

Securing web applications from Chalmers Univ. of Technology on Vimeo.

• Program committees: CCS'23, USENIX Security'23, S&P'23 (Associate Chair), WWW'23, CCS'22, CSF'22, EuroS&P'22, S&P'22 (Assoicate Chair), WWW'22, CCS'21, S&P'21, CSF'21, EuroS&P'21, WWW'21, CCS'20, CSF'20, EuroS&P'20, SecWeb'20, WWW'20, CCS'19, PSI'19, EuroS&P'19, S&P'19, WWW'19, POST'19, CCS'18 (Area chair for Formal Methods & PL), EuroS&P'18, S&P'18, WWW'18, POST'18, ESORICS'17, USENIX Security'17, S&P'17, EuroS&P'17 (co-chair), TMPA'17, CCS'16, ESORICS'16, USENIX Security'16, CSF'16, SAC'16, EuroS&P'16, NDSS'16, ACSAC'15, RAID'15, CCS'15, AppSecEU'15, S&P'15, SAC'15, ESSoS'15, CCS'14, NordSec'14, QASA'14, CSF'14, PSI'14, S&P'14, SAC'14, NWPT'13, NordSec'13, ESORICS'13, AppSecEU'13, ESEC/FSE'13 New Ideas Track, FCS'13, POST'13, POPL'13, NWPT'12, NordSec'12, MMM-ACNS'12, POST'12, NWPT'11, NordSec'11, SEC'11, ESOP'11, NWPT'10, MMM-ACNS'10, AppSec Research'10, PLAS'10, S&P'10, ASIACCS'10, CCS'09, CSF'09, CCS'08, CSF'08 (chair), ESOP'08, NordSec'07 (co-chair), MMM-ACNS'07, CSF'07 (chair), PLAS'07, ESOP'07, APLAS'06, ESORICS'06 (co-chair), CSFW'06, S&P'06, POPL'06, MMM-ACNS'05, SAS'05, FCS'05 (chair), CSFW'05, ESOP'05, VODCA'04, SecCo'04, SAS'04, FCS'04 (chair), FAST'03, FCS'03, CSFW'03, CSFW'02.
• Steering committees: CSF (chair), NordSec, POST (2014-19), FCS (2005-13, chair: 2005-08).
• Keynote invited talks: ViSP Distinguished Lecture Series'21, CASTOR Software Days'19, SSIoT'19, NWPT'18, PSI'17, HotSpot'17, e-Stockholm'16, ICICS'14, RS3'14, OWASP Gothenburg Kick-Off, MMM-ACNS'10, ASIACCS'10, Dagstuhl WebAppSec'09, OWASP Sweden Kick-off, ASIAN'07, TGC'06, Dagstuhl LBS'03, FCS'03.
• PhD Summer/Winter School Lecturing: Security & Correctness in the IoT'19, WASP-AS'19, EWSCS'19, Security & Correctness in the IoT'18, IM&CTCPA'16, FOSAD'14, Aalborg'11, Marktoberdorf'11, Software Engineering and Verification'11, Marktoberdorf'09, GLOBAN'08, FOSAD'04, WSSA'03.
• Editorships: editorial board member for JCS (2012-18) and IPL (2012-13); editor for JCS special issue on verified information flow, 2017, JCS special issue on web application security 2014, special issues on CSF 2008 and CSF 2007 of JCS and issue on Language-Based Security of JFP, 2005.
• Dagstuhl seminar organizer: Web Application Security, 2012; Mobility, Ubiquity, and Security, 2007; Language-Based Security, 2003.
• Scientific Advisory Boards: Max Planck Institute for Security and Privacy, ITU Center for Information Security and Trust (CISAT).

• Eric Olsson
• Ivan Oleynikov
• Mohammad Ahmadpanah
• Benjamin Eriksson
• Iulia Bastys

• Pablo Picazo-Sanchez (2019-2021)
• Musard Balliu (2014-17)
• Steven Van Acker (2015-18)
• Daniel Hedin (2010-14)

• Alexander Sjösten
• Daniel Schoepe
• Elena Pagnin
• Daniel Hausknecht
• Per Hallgren
• Luciano Bello
• Willard Rafnsson
• Arnar Birgisson
• Jonas Magazinius
• Aslan Askarov
• Alejandro Russo

• Language-Based Security 2005-
• Concurrent Programming 2004-2007
• Cryptography 1998-2001