I am a Senior Security Engineer at Thought Machine, an Honorary Research Fellow in the Department of Computing at Imperial College London, and an Honorary Research Fellow in the School of Computer Science at the University of Birmingham. My research interests include quantitative information flow control, web security, and programming language security.
I was awarded a BSc in Computer Science from the University of Birmingham in 2009, followed by an MSc in Advanced Computer Science in 2010.
I was awarded a PhD by the University of Birmingham in 2014, under the supervision of Tom Chothia. During my time as a PhD student, I was also a Senior Teaching Associate. My PhD was funded for four years, rather than three: 25% of my time was spent teaching.
Following my PhD, I was a Research Associate in the Department of Computing at Imperial College London from October 2014 until May 2017, working with Sergio Maffeis on the Certified Verification of Client-Side Web Programs project. I then returned to the School of Computer Science at the University of Birmingham as a Research Fellow, working with David Parker on the PRINCESS project (part of the DARPA-funded BRASS programme) from May 2017 until April 2020.
In May 2020, I moved from academia to industry. I am currently a Senior Security Engineer at Thought Machine.
My research focuses on computer security, although I'm also interested in distributed systems and security-centric aspects of usability.
I've previously investigated the web's security and privacy models, particularly with regard to the implementation of standardised security policies in major web browsers. With Charlie Hothersall-Thomas and Sergio Maffeis, I've developed BrowserAudit, a web application allowing casual users, web developers and browser developers alike to assess how well their browsers implement today's main browser security policies, such as the the same-origin policy, the Content Security Policy, and Cross-Origin Resource Sharing.
The majority of my research focuses on quantifying information leakage in complex, real-world software and systems, using both formal approaches to precisely compute information leakage and empirical approaches to accurately estimate information leakage. Along with Tom Chothia, Yusuke Kawamoto, David Parker and Rajiv Ranjan Singh, I've developed a number of automated information leakage analysis tools and their underlying theory.
My most recent research focused on side-channel analysis of probabilistic systems. David Parker and I have developed both a formal approach for quantifying the vulnerability of probabilistic models to side-channel attacks, and an implementation of this approach based on the PRISM model checker.
I've also conducted research into the monitoring of peer-to-peer networks — specifically, BitTorrent — by third parties. From 2009 to 2011, Tom Chothia, Marco Cova, Camilo González Toro and I studied the behaviour of BitTorrent peers in swarms for torrents indexed by The Pirate Bay, a famous (and copyright-infringing) file-sharing web site. We found that file-sharers are being monitored on an enormous scale by a range of organisations, including copyright enforcement agencies and market research companies. This work received a large amount of coverage in both the technical and general press.
I am a member of the Programme Committee for SEC@SAC24.
I was previously:
I was a lab demonstrator as an MSc student at Birmingham during the 2009/10 academic session. While I was a PhD student between 2010 and 2014, I spent around a quarter of my time teaching undergraduate and taught-postgraduate students as a Teaching Assistant (and later as a Senior Teaching Associate); during this time, Tom Chothia and I developed a virtual machine for use in the practical coursework component of the Computer Security and Introduction to Computer Security modules. The VM now features a storyline that interweaves with the taught content of the module; we found the storyline to have a positive impact on student attainment for those who engaged with it.
After moving to Imperial, I created the Network and Web Security course from scratch with Sergio Maffeis, combining the teaching of abstract network and web security concepts with practical tutorials using specially-designed virtual machines. This culminated in a practical exam which tested students' abstract knowledge as well as their ability to break in to a range of tailor-made vulnerable web services. I also created Answerbook, an online assessment system for the Network and Web Security course, which was eventually used to deliver coursework and exam-based assessments for several other courses at Imperial.
Together with Tom Chothia and Marco Cova, I founded the University of Birmingham Hacking Club in 2009. We regularly competed in ethical computer hacking competitions under the team name A Finite Number of Monkeys — I participated under the pseudonym csn.
If your email is confidential, you might want to encrypt it before sending it to me. My PGP public key is available on all popular key servers.