Chris Novakovic

Security Engineer

Email: chris@chrisn.me.uk (PGP public key: 92B16A1E)
GitHub: chrisnovakovic
LinkedIn: chrisnovakovic
Bibliographies: Google Scholar, DBLP, ORCID

I am a Senior Security Engineer at Thought Machine, an Honorary Research Fellow in the Department of Computing at Imperial College London, and an Honorary Research Fellow in the School of Computer Science at the University of Birmingham. My research interests include quantitative information flow control, web security, and programming language security.


Background

I was awarded a BSc in Computer Science from the University of Birmingham in 2009, followed by an MSc in Advanced Computer Science in 2010.

I was awarded a PhD by the University of Birmingham in 2014, under the supervision of Tom Chothia. During my time as a PhD student, I was also a Senior Teaching Associate. My PhD was funded for four years, rather than three: 25% of my time was spent teaching.

Following my PhD, I was a Research Associate in the Department of Computing at Imperial College London from October 2014 until May 2017, working with Sergio Maffeis on the Certified Verification of Client-Side Web Programs project. I then returned to the School of Computer Science at the University of Birmingham as a Research Fellow, working with David Parker on the PRINCESS project (part of the DARPA-funded BRASS programme) from May 2017 until April 2020.

In May 2020, I moved from academia to industry. I am currently a Senior Security Engineer at Thought Machine.


Research

My research focuses on computer security, although I'm also interested in distributed systems and security-centric aspects of usability.

Web security & privacy

I've previously investigated the web's security and privacy models, particularly with regard to the implementation of standardised security policies in major web browsers. With Charlie Hothersall-Thomas and Sergio Maffeis, I've developed BrowserAudit, a web application allowing casual users, web developers and browser developers alike to assess how well their browsers implement today's main browser security policies, such as the same-origin policy, the Content Security Policy, and Cross-Origin Resource Sharing.

  • Charlie Hothersall-Thomas, Sergio Maffeis and Chris Novakovic. "BrowserAudit: Automated Testing of Browser Security Features". In Proceedings of the 2015 International Symposium on Software Testing and Analysis (ISSTA 2015), Baltimore, Maryland, USA, July 2015.
    • How secure is your web browser? Find out with BrowserAudit!
    • BrowserAudit on GitHub (includes source code and suite of over 400 tests)
    • ISSTA 2015 Evaluated Artifact
    • Invited talk in formal demo session at ISSTA 2015

Information flow control

The majority of my research focuses on quantifying information leakage in complex, real-world software and systems, using both formal approaches to precisely compute information leakage and empirical approaches to accurately estimate information leakage. Along with Tom Chothia, Yusuke Kawamoto, David Parker and Rajiv Ranjan Singh, I've developed a number of automated information leakage analysis tools and their underlying theory.

  • Tom Chothia, Chris Novakovic and Rajiv Ranjan Singh. "Calculating Quantitative Integrity and Secrecy for Imperative Programs". International Journal of Secure Software Engineering (IJSSE) 6(2), April–June 2015.
  • Chris Novakovic. "Computing and Estimating Information Leakage with a Quantitative Point-to-Point Information Flow Model". PhD thesis, School of Computer Science, College of Engineering and Physical Sciences, University of Birmingham, October 2014.
  • Tom Chothia, Chris Novakovic and Rajiv Ranjan Singh. "Automatically Calculating Quantitative Integrity Measures for Imperative Programs". In Proceedings of the 3rd International Workshop on Quantitative Aspects in Security Assurance (QASA 2014), Wrocław, Poland, September 2014.
    • CH-IMP-IQ tool (including source code and example CH-IMP-IQ programs)
  • Tom Chothia, Yusuke Kawamoto and Chris Novakovic. "LeakWatch: Estimating Information Leakage from Java Programs". In Proceedings of the 19th European Symposium on Research in Computer Security (ESORICS 2014), Wrocław, Poland, September 2014.
    • LeakWatch tool (including source code and example Java programs)
  • Tom Chothia, Yusuke Kawamoto and Chris Novakovic. "A Tool for Estimating Information Leakage". In Proceedings of the 25th International Conference on Computer Aided Verification (CAV 2013), St Petersburg, Russia, July 2013.
    • leakiEst tool and Java library (including source code and example datasets)
  • Tom Chothia, Yusuke Kawamoto, Chris Novakovic and David Parker. "Probabilistic Point-to-Point Information Leakage". In Proceedings of the IEEE 26th Computer Security Foundations Symposium (CSF 2013), New Orleans, Louisiana, USA, June 2013.
    • CH-IMP tool (including source code and example CH-IMP programs)

Side-channel analysis

My most recent research focused on side-channel analysis of probabilistic systems. David Parker and I have developed both a formal approach for quantifying the vulnerability of probabilistic models to side-channel attacks, and an implementation of this approach based on the PRISM model checker.

  • Chris Novakovic and David Parker. "Automated Formal Analysis of Side-Channel Attacks on Probabilistic Systems". In Proceedings of the 24th European Symposium on Research in Computer Security (ESORICS 2019), Luxembourg, September 2019.
  • Avi Pfeffer, Curt Wu, Gerald Fry, Kenny Lu, Steve Marotta, Mike Reposa, Yuan Shi, T. K. Satish Kumar, Craig A. Knoblock, David Parker, Irfan Muhammad and Chris Novakovic. "Software Adaptation for an Unmanned Undersea Vehicle". IEEE Software 36(2), March 2019.

Monitoring of peer-to-peer file-sharing networks

I've also conducted research into the monitoring of peer-to-peer networks — specifically, BitTorrent — by third parties. From 2009 to 2011, Tom Chothia, Marco Cova, Camilo González Toro and I studied the behaviour of BitTorrent peers in swarms for torrents indexed by The Pirate Bay, a famous (and copyright-infringing) file-sharing web site. We found that file-sharers are being monitored on an enormous scale by a range of organisations, including copyright enforcement agencies and market research companies. This work received a large amount of coverage in both the technical and general press.

  • Tom Chothia, Marco Cova, Chris Novakovic and Camilo González Toro. "The Unbearable Lightness of Monitoring: Direct Monitoring in BitTorrent". In Proceedings of the 8th International Conference on Security and Privacy in Communication Networks (SecureComm 2012), Padua, Italy, September 2012.
  • Chris Novakovic. "The Use of Monitoring in Distributed Peer-to-Peer Networks". Master's thesis, School of Computer Science, University of Birmingham, September 2010.

Academic service

I am a member of the Programme Committee for SEC@SAC25.

I was previously:

  • a member of the Programme Committee for SEC@SAC16, SEC@SAC17, SEC@SAC18, SEC@SAC19, SEC@SAC20, SEC@SAC21, SEC@SAC22, SEC@SAC23, and SEC@SAC24;
  • a member of the Artifact Evaluation Committee for TACAS 2018, TACAS 2019, and TACAS 2020;
  • an external reviewer for TCS-QAPL 2014, HotSpot 2015, POST 2015, PPREW-4, SSPREW-6, S&P 2017, ASE '17, JOT 17(1), and S&P 2019.

Teaching

I was a lab demonstrator as an MSc student at Birmingham during the 2009/10 academic session. While I was a PhD student between 2010 and 2014, I spent around a quarter of my time teaching undergraduate and taught-postgraduate students as a Teaching Assistant (and later as a Senior Teaching Associate); during this time, Tom Chothia and I developed a virtual machine for use in the practical coursework component of the Computer Security and Introduction to Computer Security modules. The VM now features a storyline that interweaves with the taught content of the module; we found the storyline to have a positive impact on student attainment for those who engaged with it.

After moving to Imperial, I created the Network and Web Security course from scratch with Sergio Maffeis, combining the teaching of abstract network and web security concepts with practical tutorials using specially-designed virtual machines. This culminated in a practical exam which tested students' abstract knowledge as well as their ability to break into a range of tailor-made vulnerable web services. I also created Answerbook, an online assessment system for the Network and Web Security course, which was eventually used to deliver coursework and exam-based assessments for several other courses at Imperial.

  • Tom Chothia, Chris Novakovic, Andreea-Ina Radu and Richard J. Thomas. "Choose Your Pwn Adventure: Adding Competition and Storytelling to an Introductory Cybersecurity Course". Transactions on Edutainment XV, May 2019.
  • Tom Chothia and Chris Novakovic. "An Offline Capture The Flag-Style Virtual Machine and an Assessment of its Value for Cybersecurity Education". In Proceedings of the 2015 USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE '15), Washington, DC, USA, August 2015.
    • Interested in using this virtual machine in your own security course? Download the VM and some sample exercise sheets.

Teaching record

Department of Computing, Imperial College London
  • 2019/20: CO331 (Network and Web Security), external consultant
  • 2018/19: CO331 (Network and Web Security), external consultant
  • 2017/18: CO331 (Network and Web Security), external consultant
  • 2016/17: CO331 (Network and Web Security), Course Support Leader
  • 2015/16: CO331 (Network and Web Security), Course Support Leader
  • 2014/15: CO331 (Network and Web Security), Course Support Leader
School of Computer Science, University of Birmingham
  • 2013/14:
    • Computer Security, teaching assistant
    • Introduction to Computer Security, teaching assistant
    • Software System Components, teaching assistant
  • 2012/13:
    • Computer Security, teaching assistant
    • Network Security, teaching assistant
    • Software System Components A, lab demonstrator
    • Software System Components B, lab demonstrator
  • 2011/12:
    • Computer Security, teaching assistant
    • Software Workshop 1, group tutor
    • Software System Components 2, lab demonstrator
  • 2010/11:
    • Internet Computing Workshop: Sem1, teaching assistant
    • Software Workshop Team Java, team supervisor
    • Software System Components 2, lab demonstrator
  • 2009/10:
    • Software System Components 1, lab demonstrator
    • Software System Components 2, lab demonstrator

Software

I maintain Net-SSLeay, the Perl bindings for OpenSSL and LibreSSL. Please report any bugs, feature requests or patches via RT or GitHub.


Other activities

Together with Tom Chothia and Marco Cova, I founded the University of Birmingham Hacking Club in 2009. We regularly competed in ethical computer hacking competitions under the team name A Finite Number of Monkeys — I participated under the pseudonym csn.


Contact

Email: chris@chrisn.me.uk

If your email is confidential, you might want to encrypt it before sending it to me. My PGP public key is available on all popular key servers.