2024
WRIT: Web Request Integrity and Attestation Against Malicious Browser Extensions.
IEEE Trans. Dependable Secur. Comput., 2024
4.5 Million (Suspected) Fake Stars in GitHub: A Growing Spiral of Popularity Contests, Scams, and Malware.
CoRR, 2024
S3C2 Summit 2023-11: Industry Secure Supply Chain Summit.
CoRR, 2024
S3C2 Summit 2024-03: Industry Secure Supply Chain Summit.
CoRR, 2024
Manifest V3 Unveiled: Navigating the New Era of Browser Extensions.
CoRR, 2024
FV8: A Forced Execution JavaScript Engine for Detecting Evasive Techniques.
Proceedings of the 33rd USENIX Security Symposium, 2024
On SMS Phishing Tactics and Infrastructure.
Proceedings of the IEEE Symposium on Security and Privacy, 2024
UntrustIDE: Exploiting Weaknesses in VS Code Extensions.
Proceedings of the 31st Annual Network and Distributed System Security Symposium, 2024
JSHint: Revealing API Usage to Improve Detection of Malicious JavaScript.
Proceedings of the Information Security - 27th International Conference, 2024
Automated Generation of Behavioral Signatures for Malicious Web Campaigns.
Proceedings of the Information Security - 27th International Conference, 2024
2023
S3C2 Summit 2023-06: Government Secure Supply Chain Summit.
CoRR, 2023
S3C2 Summit 2023-02: Industry Secure Supply Chain Summit.
CoRR, 2023
S3C2 Summit 2202-09: Industry Secure Suppy Chain Summit.
CoRR, 2023
Automatic Discovery of Emerging Browser Fingerprinting Techniques.
Proceedings of the ACM Web Conference 2023, 2023
ARGUS: A Framework for Staged Static Taint Analysis of GitHub Workflows and Actions.
Proceedings of the 32nd USENIX Security Symposium, 2023
2022
CrawlPhish: Large-Scale Analysis of Client-Side Cloaking Techniques in Phishing.
IEEE Secur. Priv., 2022
Measuring the Privacy vs. Compatibility Trade-off in Preventing Third-Party Stateful Tracking.
Proceedings of the WWW '22: The ACM Web Conference 2022, Virtual Event, Lyon, France, April 25, 2022
Characterizing the Security of Github CI Workflows.
Proceedings of the 31st USENIX Security Symposium, 2022
yoU aRe a Liar: //A Unified Framework for Cross-Testing URL Parsers.
Proceedings of the 43rd IEEE Security and Privacy, 2022
SoK: Workerounds - Categorizing Service Worker Attacks and Mitigations.
Proceedings of the 7th IEEE European Symposium on Security and Privacy, 2022
2021
Introduction to the ACSAC'19 Special Issue - Vol. 2.
DTRAP, 2021
Categorizing Service Worker Attacks and Mitigations.
CoRR, 2021
Towards Realistic and Reproducible Web Crawl Measurements.
Proceedings of the WWW '21: The Web Conference 2021, 2021
Cookie Swap Party: Abusing First-Party Cookies for Web Tracking.
Proceedings of the WWW '21: The Web Conference 2021, 2021
Fingerprinting in Style: Detecting Browser Extensions via Injected Style Sheets.
Proceedings of the 30th USENIX Security Symposium, 2021
Detecting Filter List Evasion with Event-Loop-Turn Granularity JavaScript Signatures.
Proceedings of the 42nd IEEE Symposium on Security and Privacy, 2021
Favocado: Fuzzing the Binding Code of JavaScript Engines Using Semantically Correct Test Cases.
Proceedings of the 28th Annual Network and Distributed System Security Symposium, 2021
Browserprint: an Analysis of the Impact of Browser Features on Fingerprintability and Web Privacy.
Proceedings of the Information Security - 24th International Conference, 2021
2020
Introduction to the ACSAC'19 Special Issue - Part 1.
DTRAP, 2020
There's No Trick, Its Just a Simple Trick: A Web-Compat and Privacy Improving Approach to Third-party Web Storage.
CoRR, 2020
Improving Web Content Blocking With Event-Loop-Turn Granularity JavaScript Signatures.
CoRR, 2020
Mininode: Reducing the Attack Surface of Node.js Applications.
Proceedings of the 23rd International Symposium on Research in Attacks, 2020
Hiding in Plain Site: Detecting JavaScript Obfuscation through Concealed Browser API Usage.
Proceedings of the IMC '20: ACM Internet Measurement Conference, 2020
You've Changed: Detecting Malicious Browser Extensions through their Update Deltas.
Proceedings of the CCS '20: 2020 ACM SIGSAC Conference on Computer and Communications Security, 2020
2019
The Blind Men and the Internet: Multi-Vantage Point Web Measurements.
CoRR, 2019
Unnecessarily Identifiable: Quantifying the fingerprintability of browser extensions due to bloat.
Proceedings of the World Wide Web Conference, 2019
Everyone is Different: Client-side Diversification for Defending Against Extension Fingerprinting.
Proceedings of the 28th USENIX Security Symposium, 2019
VisibleV8: In-browser Monitoring of JavaScript in the Wild.
Proceedings of the Internet Measurement Conference, 2019
Wild Extensions: Discovering and Analyzing Unlisted Chrome Extensions.
Proceedings of the Detection of Intrusions and Malware, and Vulnerability Assessment, 2019
2018
Mystique: Uncovering Information Leakage from Browser Extensions.
Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018
2016
Cloak of Visibility: Detecting When Machines Browse a Different Web.
Proceedings of the IEEE Symposium on Security and Privacy, 2016
2015
Analyzing and Defending Against Evolving Web Threats.
PhD thesis, 2015
Ad Injection at Scale: Assessing Deceptive Advertisement Modifications.
Proceedings of the 2015 IEEE Symposium on Security and Privacy, 2015
2014
On the Workings and Current Practices of Web-Based Device Fingerprinting.
IEEE Secur. Priv., 2014
Hulk: Eliciting Malicious Behavior in Browser Extensions.
Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, USA, August 20-22, 2014., 2014
The Dark Alleys of Madison Avenue: Understanding Malicious Advertisements.
Proceedings of the 2014 Internet Measurement Conference, 2014
PExy: The Other Side of Exploit Kits.
Proceedings of the Detection of Intrusions and Malware, and Vulnerability Assessment, 2014
2013
Revolver: An Automated Approach to the Detection of Evasive Web-based Malware.
Proceedings of the 22th USENIX Security Symposium, Washington, DC, USA, August 14-16, 2013, 2013
Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting.
Proceedings of the 2013 IEEE Symposium on Security and Privacy, 2013
2012
You are what you include: large-scale evaluation of remote javascript inclusions.
Proceedings of the ACM Conference on Computer and Communications Security, 2012
2011
Escape from Monkey Island: Evading High-Interaction Honeyclients.
Proceedings of the Detection of Intrusions and Malware, and Vulnerability Assessment, 2011
2010
D(e|i)aling with VoIP: Robust Prevention of DIAL Attacks.
Proceedings of the Computer Security, 2010
2009
FleXConf: A Flexible Conference Assistant Using Context-Aware Notification Services.
Proceedings of the On the Move to Meaningful Internet Systems: OTM 2009 Workshops, 2009
Realistic Passive Packet Loss Measurement for High-Speed Networks.
Proceedings of the Traffic Monitoring and Analysis, First International Workshop, 2009