EMPIRICAL AND BEHAVIORAL SECURITY
We need solutions that work in both theory and practice. However, as truth is stranger than fiction, this means that to attain this grand goal we cannot simply retreat to our study but will need to draw insight from empirical data. That is, unless a tool is easy to use properly, although it may be secure in theory, it can still prove a liability in practice – which goes for both end-users and developers.
An essential aspect of our research is the empirical understanding of potential attacks and the threat landscape. This ranges from attacks on critically important Web applications all the way to adversaries aiming to phish users' credentials. In this research area, we focus on measuring threats at scale in the wild and identifying threats to users at an early stage. To this end, we develop novel methods for detecting vulnerabilities at Internet-scale, with a specific focus on Web applications. By combining large-scale measurements with methods from the social sciences, we also explore how technologies can be designed to be used in a secure and private way by both lay users and developers. A key strength of the research area is the strong connection between automated tools for detection and usability aspects of novel solutions to prevent attacks before they can happen, e.g., through developer-centric security tooling.
ACM Conference on Computer and Communications Security (CCS)
Reflection, Education, Consistency: Towards Best Ethics Practices At Security And Privacy Conferences
Proceedings of the ACM on Human-Computer Interaction Enabling Sensitive Conversations with Consent Boundaries: Moa, a Platform for Discussing PhD Advising Relationships
Symposium on Usable Privacy and Security (SOUPS)
An Analysis of the Security, Usability, and Automation Capabilities of Password Update Processes on Top-Ranked Websites
Symposium on Usable Privacy and Security (SOUPS)
“I didn’t know I would be this excited not to be scammed.” Exploring Emotional and Behavioral Responses During Phishing Attacks
Usenix Security Symposium (USENIX-Security)
FRAGJAM: DoS Attacks Using IP Reassembly Congestion
ACM Conference on Computer and Communications Security (CCS)
PyFEX: Uncovering Evasive Python-based Threats via Resilient and Exhaustive Path Exploration
Usenix Security Symposium (USENIX-Security)
Trust Nothing: RTOS Security without Run-Time Software TCB
Usenix Security Symposium (USENIX-Security)
SoK: Capability Operating Systems: Is the Future Finally Here?