Open positions
My group’s research revolves around designing practical approaches to protect the security and privacy of Web users. We build systems to proactively detect malicious JavaScript code and suspicious browser extensions. We analyze data to understand how people spend time on the Web and how to prioritize defense strategies.
1) Uncovering and preventing JavaScript-based attacks
Our prior work focused on detecting malicious JavaScript code by means of static analysis combined with machine learning algorithms (JaSt-DIMVA18, JStap-ACSAC19). In fact, benign and malicious JavaScript samples tend to have different syntactic patterns (DSN21). However, we showed that most static detectors are not robust in the presence of an adversary who can camouflage their malicious code with a benign syntax to evade detection (HideNoSeek-CCS19).
2) Securing the browser extension ecosystem
By design, browser extensions have access to security- and privacy-critical APIs to perform tasks that web pages traditionally cannot. Our prior work focused on detecting vulnerable extensions. We developed a static analyzer to track and detect suspicious data flows between an attacker and sensitive APIs in extensions (DoubleX-CCS21). In addition, we developed a dynamic analysis pipeline to detect fingerprintable extensions based on execution traces and JavaScript-observable side effects (Raider-CCS24). Besides vulnerable and fingerprintable extensions, we uncovered several classes of what we call “Security-Noteworthy Extensions” (SNE). In our AsiaCCS24 paper, we show that SNE are a significant issue: they affect hundreds of millions of users and stay in the Chrome Web Store for years. This last paper received extensive media coverage. Our ongoing projects include automatically detecting malicious browser extensions and further SNE.
3) Understanding how to prioritize defense strategies through Web measurements
To effectively protect user security and privacy online, we first need to understand how people use the Web, as well as the types of websites they frequent and spend the most time on (IMC21).
PhD Positions
I am looking for PhD candidates with research interests in Web Security & Privacy and Web Measurements, in line with the 3 directions discussed above. However, I also welcome new research directions, and it is a plus when a student brings their own ideas.
Note that the open positions are not project-bound and that you are free to choose your research projects.
I am looking for motivated students with solid programming skills in Python and (at least) a basic background in Web security. Proficiency in spoken and written English is a must; German knowledge is not necessary. I expect students to be curious, creative, and have a strong willingness to learn & improve.
In return, we offer an excellent research environment in Sankt Ingbert, with close individual supervision, worldwide collaborations, competitive salary according to TVöD, and with significant funding for travel and equipment.
If you are interested, apply for a position in my group on the CISPA web page. Only applications received in our system will be considered. Applications sent by email will be ignored. Make sure that your cover letter mentions my research group and why you would be a good fit for my group and for CISPA. To avoid unspecific applications, please add a PS in your cover letter with the full name of the conference where my last paper was published. Application materials written by ChatGPT will be ignored.
Bachelor / Master Theses
I offer theses in the areas discussed above, but I also welcome new research directions if you already have a specific idea for your thesis. I highly recommend that you have good programming skills in Python and (at least) a basic background in Web security. Having attended a seminar is a plus. Proficiency in spoken and written English is a must; German knowledge is not necessary. I expect students to be curious, creative, and have a strong willingness to learn. Note that theses in this group are typically high-effort / high-reward, meaning that good theses are meant to be submitted as papers to major security conferences.
If you are interested in doing your thesis with me, first read this page on how to contact me and then send me an email accordingly.