My research focuses on web security, software security, language-based security, IoT security, and location privacy. I lead a team of researchers, engaged in a number of EU and national projects and collaborations with industry including Google, Facebook, Microsoft, and SAP.

My (over 100) papers are published in venues that include conference flagships IEEE Security & Privacy, ACM CCS, and PETS, and journal flagships IEEE TDSC and ACM TISSEC. Most recent:

• SandTrap: Securing JavaScript-driven Trigger-Action Platforms (USENIX Security'21)
• Securing Node-RED Applications, (Guttman'21)
• EssentialFP: Exposing the Essence of Browser Fingerprinting (SecWeb'21)
• Nontransitive Policies Transpiled (EuroS&P'21)
• Data Privacy in Trigger-Action Systems (S&P'21)
• Black Widow: Blackbox Data-driven Web Scanning (S&P'21)
• HMAC and "Secure Preferences": Revisiting Chromium-based Browsers Security (CANS'20)
• Where are you Bob? Privacy-Preserving Proximity Testing with a Napping Party (ESORICS'20)
• Clockwork: Tracking Remote Timing Attacks (CSF'20)
• VERONICA: Expressive and Precise Concurrent Information Flow Security (CSF'20)
• AutoNav: Evaluation and Automatization of Web Navigation Policies (WWW'20)
• An Empirical Study of Information Flows in Real-World JavaScript (PLAS'19)
• Securing IoT Apps (IEEE S&P Magazine'19)
• TOPPool: Time-aware Optimized Privacy-Preserving Ridesharing (PETS'19)
• Information-Flow Control for Database-backed Applications (EuroS&P'19)
• On the Road with Third-Party Apps: Security Analysis of an In-Vehicle App Platform (VEHITS'19)
• Latex Gloves: Protecting Browser Extensions from Probing and Revelation Attacks (NDSS'19)
• Raising the Bar: Evaluating Origin-wide Security Manifests (ACSAC'18)
• Tracking Information Flow via Delayed Output: Addressing Privacy in IoT and Emailing Apps (NordSec'18)
• If This Then What? Controlling Flows in IoT Apps (CCS'18)
• Prudent Design Principles for Information Flow Control (PLAS'18)
• Assuring BetterTimes: Private Arithmetic Formulas (JCS'18)
• Information Flow Tracking for Side-effectful Libraries (FORTE'18)
• More...

I serve on the steering committees of IEEE CSF (chair) and NordSec, and (over 100) program committees including IEEE Security & Privacy and ACM CCS. Current/recent PCs:

• CSF'22, EuroS&P'22, S&P'22, WWW'22, CCS'21, S&P'21, CSF'21, EuroS&P'21, WWW'21, CCS'20, CSF'20, EuroS&P'20, SecWeb'20, WWW'20, CCS'19, IDC'19, PSI'19, EuroS&P'19, S&P'19, WWW'19, POST'19, CCS'18 (area chair for Formal Methods & PL), EuroS&P'18, S&P'18, WWW'18, POST'18, ESORICS'17, USENIX Security'17, S&P'17, EuroS&P'17 (co-chair), TMPA'17, CCS'16, ESORICS'16, USENIX Security'16, CSF'16, SAC'16, EuroS&P'16, NDSS'16, ACSAC'15, RAID'15, CCS'15, AppSecEU'15, S&P'15, SAC'15, ESSoS'15,... See more under Activities.

I am recipient of the Facebook Privacy-Enhancing Technologies Research Award (2021), ERC Proof of Concept (2018), Facebook Research and Academic Relations Program Gift (2016), Google Faculty Research Award (2016), ERC Starter/Consolidator (2012), Chalmers Research Supervisor of the year (2010), and SSF Future Research Leader (2008) awards.

Check out the attacks, protocols, and tools recently designed within my team: SandTrap, Black Widow, JSFlow, AutoNav, TOPPool, FlowIT, and more!

Securing web applications from Chalmers Univ. of Technology on Vimeo.

• Program committees: CSF'22, EuroS&P'22, S&P'22, WWW'22, CCS'21, S&P'21, CSF'21, EuroS&P'21, WWW'21, CCS'20, CSF'20, EuroS&P'20, SecWeb'20, WWW'20, CCS'19, PSI'19, EuroS&P'19, S&P'19, WWW'19, POST'19, CCS'18 (area chair for Formal Methods & PL), EuroS&P'18, S&P'18, WWW'18, POST'18, ESORICS'17, USENIX Security'17, S&P'17, EuroS&P'17 (co-chair), TMPA'17, CCS'16, ESORICS'16, USENIX Security'16, CSF'16, SAC'16, EuroS&P'16, NDSS'16, ACSAC'15, RAID'15, CCS'15, AppSecEU'15, S&P'15, SAC'15, ESSoS'15, CCS'14, NordSec'14, QASA'14, CSF'14, PSI'14, S&P'14, SAC'14, NWPT'13, NordSec'13, ESORICS'13, AppSecEU'13, ESEC/FSE'13 New Ideas Track, FCS'13, POST'13, POPL'13, NWPT'12, NordSec'12, MMM-ACNS'12, POST'12, NWPT'11, NordSec'11, SEC'11, ESOP'11, NWPT'10, MMM-ACNS'10, AppSec Research'10, PLAS'10, S&P'10, ASIACCS'10, CCS'09, CSF'09, CCS'08, CSF'08 (chair), ESOP'08, NordSec'07 (co-chair), MMM-ACNS'07, CSF'07 (chair), PLAS'07, ESOP'07, APLAS'06, ESORICS'06 (co-chair), CSFW'06, S&P'06, POPL'06, MMM-ACNS'05, SAS'05, FCS'05 (chair), CSFW'05, ESOP'05, VODCA'04, SecCo'04, SAS'04, FCS'04 (chair), FAST'03, FCS'03, CSFW'03, CSFW'02.
• Steering committees: CSF (chair), NordSec, POST (2014-19), FCS (2005-13, chair: 2005-08).
• Editorships: editorial board member for JCS (2012-18) and IPL (2012-13); editor for JCS special issue on verified information flow, 2017, JCS special issue on web application security 2014, special issues on CSF 2008 and CSF 2007 of JCS and issue on Language-Based Security of JFP, 2005.
• Keynote invited talks: ViSP Distinguished Lecture Series'21, CASTOR Software Days'19, SSIoT'19, NWPT'18, PSI'17, HotSpot'17, e-Stockholm'16, ICICS'14, RS3'14, OWASP Gothenburg Kick-Off, MMM-ACNS'10, ASIACCS'10, Dagstuhl WebAppSec'09, OWASP Sweden Kick-off, ASIAN'07, TGC'06, Dagstuhl LBS'03, FCS'03.
• PhD Summer/Winter School Lecturing: Security & Correctness in the IoT'19, WASP-AS'19, EWSCS'19, Security & Correctness in the IoT'18, IM&CTCPA'16, FOSAD'14, Aalborg'11, Marktoberdorf'11, Software Engineering and Verification'11, Marktoberdorf'09, GLOBAN'08, FOSAD'04, WSSA'03.
• Dagstuhl seminar organizer: Web Application Security, 2012; Mobility, Ubiquity, and Security, 2007; Language-Based Security, 2003.
• Scientific Advisory Boards: Max Planck Institute for Security and Privacy, CISPA-Stanford Center for Cybersecurity, ITU Center for Information Security and Trust (ITU CIST).

• Ivan Oleynikov
• Mohammad Ahmadpanah
• Benjamin Eriksson
• Iulia Bastys

• Pablo Picazo-Sanchez (2019-)
• Musard Balliu (2014-17)
• Steven Van Acker (2015-18)
• Daniel Hedin (2010-14)

• Alexander Sjösten
• Daniel Schoepe
• Elena Pagnin
• Daniel Hausknecht
• Per Hallgren
• Luciano Bello
• Willard Rafnsson
• Arnar Birgisson
• Jonas Magazinius
• Aslan Askarov
• Alejandro Russo

• Language-Based Security 2005-2017
• Concurrent Programming 2004-2007
• Cryptography 1998-2001