Publications

This page contains the list of publications by the LangSec group at KTH.

• Sharing without Showing: Secure Cloud Analytics with Trusted Execution Environments Marcus Birgersson and Cyrille Artho. IEEE Secure Development Conference (SecDev'24), Pittsburgh, PA, USA, October 2024. Available: PDF, Code

• Towards relating hyper- and epistemic-temporal logics with Matvey Soloviev and Vineet Rajani. In the 19th Workshop on Programming Languages and Analysis for Security (PLAS'24), Salt Lake City, USA, October 2024. Available: PDF

• GHunter: Universal Prototype Pollution Gadgets in JavaScript Runtimes with Eric Cornelissen and Mikhail Shcherbakov. In 33rd USENIX Security Symposium (USENIX Security'24), Philadelphia, PA, USA, August 2024. Available: PDF, Code

• Activity Recognition Protection for IoT Trigger-Action Platforms with Mahmoud Aghvamipanah, Morteza Amini, and Cyrille Artho. Proceedings of the IEEE European Symposium on Security and Privacy, (EuroS&P'24), Vienna, Austria, July 2024. Available: PDF, Code

• Disjunctive Policies for Database-Backed Programs with Amir M. Ahmadian and Matvey Soloviev. In Proceedings of the IEEE Computer Security Foundations Symposium (CSF'24), Enschede, The Netherlands, July 2024. Available: PDF, Code

• Security Properties through the Lens of Modal Logic with Matvey Soloviev and Roberto Guanciale. In Proceedings of the IEEE Computer Security Foundations Symposium (CSF'24), Enschede, The Netherlands, July 2024. Available: PDF

• Unveiling the Invisible: Detection and Evaluation of Prototype Pollution Gadgets with Dynamic Taint Analysis with Mikhail Shcherbakov and Paul Moosbrugger. In Proceedings of the Web Conference (WWW'24), Singapore, May 2024. Available: PDF, Code

• Challenges of Producing Software Bill of Materials for Java with Benoit Baudry, Sofia Bobadilla, Mathias Ekstedt, Martin Monperrus, Javier Ron, Aman Sharma, Gabriel Skoglund, César Soto-Valero, and Martin Wittlinger. In IEEE Security & Privacy Magazine, September 2023. Available: PDF, Code

• Silent Spring: Prototype Pollution Leads to Remote Code Execution in Node.js with Mikhail Shcherbakov and Cristian-Alexandru Staicu. In 32nd USENIX Security Symposium (USENIX Security'23), Anaheim, CA, USA, August 2023 (Third place at Applied Research Competition (CSAW'23), and presented at DEF CON 2023 and BlackHat Asia 2023). Press: The Register, The Daily Swig, betanews, Techzine. Available: PDF, Code, Full version

• A Modal Framework for Security Properties with Matvey Soloviev and Roberto Guanciale. In the 17th Workshop on Programming Languages and Analysis for Security (PLAS'22), Virtual event, December 2022. Available: PDF

• Dynamic Policies Revisited with Amir M. Ahmadian. Proceedings of the IEEE European Symposium on Security and Privacy, (EuroS&P'22), Genoa, Italy, June 2022 (Distinguished Paper Award). Available: PDF, Code

• Security-Aware Multi-User Architecture for IoT with Marcus Birgersson and Cyrille Artho. 21st IEEE International Conference on Software Quality, Reliability, and Security (QRS'21), Hainan Island, China, 6-10 December 2021. Available: PDF, Code

• Vivienne: Relational Verification of Cryptographic Implementations in WebAssembly with Rodothea Myrsini Tsoupidi and Benoit Baudry. IEEE Secure Development Conference (SecDev'21), October 2021. Available: PDF, Code

• Enclave-Based Secure Programming with J_E with Aditya Oak, Amir M. Ahmadian, and Guido Salvaneschi. IEEE Secure Development Conference (SecDev'21), October 2021. Available: PDF, Code

• Securing Node-RED Applications with Mohammad M. Ahmadpanah, Daniel Hedin, Lars Eric Olsson, and Andrei Sabelfeld. Protocols, Strands, and Logic: Essays Dedicated to Joshua Guttman on the Occasion of his 66.66th Birthday, 2021. Available: PDF

• SandTrap: Securing JavaScript-driven Trigger-Action Platforms with Mohammad M. Ahmadpanah, Daniel Hedin, Lars Eric Olsson, and Andrei Sabelfeld. In 30th USENIX Security Symposium (USENIX Security'21 ), August 2021. Available: PDF, Code

• Language Support for Secure Software Development with Enclaves with Aditya Oak, Amir M. Ahmadian, and Guido Salvaneschi. In Proceedings of the IEEE Computer Security Foundations Symposium (CSF'21), June 2021. Available: PDF, Code

• SerialDetector: Principled and Practical Exploration of Object Injection Vulnerabilities for the Web with Mikhail Shcherbakov. In Network and Distributed System Security Symposium (NDSS’21), 21-24 February 2021. Available: PDF, Code

• Friendly Fire: Cross-App Interactions in IoT Platforms with Massimo Merro, Michele Pasqua and Mikhail Shcherbakov. ACM Transactions on Privacy and Security (TOPS), December 2020. Available: PDF, Code

• InSpectre: Breaking and Fixing Microarchitectural Vulnerabilities by Formal Analysis with Roberto Guanciale and Mads Dam. ACM Conference on Computer and Communication Security (CCS’20), Orlando, USA, November 2020. Available: PDF

• Clockwork: Tracking Remote Timing Attacks with Iulia Bastys, Tamara Rezk and Andrei Sabelfeld. In Proceedings of the IEEE Computer Security Foundations Symposium (CSF’20), Boston, MA, USA, June 2020. Available: PDF, Full Version

• An Empirical Study of Information Flows in Real-World JavaScript with Cristian-Alexandru Staicu, Daniel Schoepe, Michael Pradel and Andrei Sabelfeld. In Proceedings of the Workshop on Programming Languages and Analysis for Security (PLAS’19), London, UK, November 2019. Available: PDF

• Securing IoT Apps with Iulia Bastys and Andrei Sabelfeld. In IEEE Security & Privacy Magazine, September 2019. Available: Early access, PDF

• Securing Cross-App Interactions in IoT Platforms with Massimo Merro and Michele Pasqua. In Proceedings of the IEEE Computer Security Foundations Symposium (CSF’19), Hoboken, NJ, USA, June 2019. Available: PDF

• Information-Flow Control for Database-backed Applications with Marco Guarnieri, Daniel Schoepe, David Basin and Andrei Sabelfeld. In Proceedings of the IEEE European Symposium on Security and Privacy, (EuroS&P’19), Stockholm, Sweden, June 2019. Available: PDF

• Special issue on Web Application Security at Security & Communication Networks with Stefano Calzzavara, Martin Johns, and Gabriele Tolomei.

• Putting Constructive Alignment to Work: A Hands-on Experience with a First-Year Programming Course. KTH Scholarship of Teaching and Learning, (SoTL’19), Stockholm, Sweden, March 2019. Available: PDF, Full Version

• Flaws in Flows: Unveiling Design Flaws via Information Flow Analysis, with Katja Tuma and Riccardo Scandariato. In Proceedings of the International Conference on Software Architecture, (ICSA’19), Hamburg, Germany, March 2019. Available: PDF, Tool + Full Version

• If This Then What? Controlling Flows in IoT Apps, with Iulia Bastys and Andrei Sabelfeld. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’18), Toronto, Canada, October 2018. Available: PDF, Tool + Dataset

• We are Family: Relating Information-Flow Trackers, with Daniel Schoepe and Andrei Sabelfeld. In Proceedings of the European Symposium on Research in Computer Security (ESORICS’17), Oslo, Norway, September 2017. Available: PDF, Tool + Full Version

• Formalising Privacy Policies in Social Networks, with Raúl Pardo and Gerardo Schneider. In Journal of Logical and Algebraic Methods in Programming (JLAMP). Available: PDF

• Let’s Face It: Faceted Values for Taint Tracking, with Daniel Schoepe, Frank Piessens and Andrei Sabelfeld. In Proceedings of the European Symposium on Research in Computer Security (ESORICS’16), Heraklion, Crete, Greece, September 2016. Available: PDF, Full, DroidFace tool

• JSLINQ: Building Secure Applications across Tiers, with Benjamin Liebe, Daniel Schoepe and Andrei Sabelfeld. In Proceedings of the ACM Conference on Data and Applications Security and Privacy (CODASPY’16), New Orleans, LA, March 2016. Available: PDF, Full, JSLINQ website

• Explicit Secrecy: A Policy for Taint Tracking, with Daniel Schoepe, Benjamin C. Pierce and Andrei Sabelfeld. In Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P’16), Saarbrücken, Germany, March 2016. Available: PDF, Full

• Logics for Information Flow Security: From Specification to Verification. PhD Thesis, October 2014. Available: PDF

• Automating Information Flow Analysis of Low Level Code, with Mads Dam and Roberto Guanciale. In Proceedings of the 21st ACM Conference on Computer and Communication Security (CCS’14) , Scottsdale, Arizona, USA, November 2014. Available: PDF

• A Logic for Information Flow Analysis of Distributed Programs. 18th Nordic Conference on Secure IT Systems, NordSec 2013, Ilulissat, Greenland, October 18-21, 2013. Available: PDF, Full Version

• ENCOVER: Symbolic Exploration for Information Flow Security, with Mads Dam and Gurvan Le Guernic. In Proceedings of the IEEE Computer Security Foundations Symposium (CSF ‘12 ). Harvard University, Cambridge MA. June 25-27, 2012. Available: PDF, EnCoVer website

• Epistemic Temporal Logic for Information Flow Security, with Mads Dam and Gurvan Le Guernic. In the Proc.of ACM SIGPLAN Programming Languages and Analysis for Security (PLAS ‘11 ). San Jose, CA, USA. June 5, 2011. Available: PDF

• A Weakest Precondition Approach to Robustness, with Isabella Mastroeni. Special issue of LNCS Transactions on Computational Science X on Security in Computing. PDF

• A weakest precondition approach to active attacks analysis, with Isabella Mastroeni. In the Proc.of ACM SIGPLAN Programming Languages and Analysis for Security (PLAS ‘09 ). Dublin, Ireland. June 15, 2009. Available: PDF