Chris Novakovic Chris Novakovic School of Computer Science, University of Birmingham Edgbaston, Birmingham B15 2TT, United Kingdom Office: 234, Computer Science building Tel: +44 (0)121 414 4777 Email: c.novakovic@cs.bham.ac.uk (PGP public key) I am a Research Fellow in the School of Computer Science at the University of Birmingham — working on the PRINCESS project (part of the DARPA-funded BRASS programme) with David Parker — and an Honorary Research Fellow in the Department of Computing at Imperial College London. My research interests are generally computer security-related, and include quantitative information flow control, web security, and programming language security. I also teach. Background I obtained a BSc in Computer Science from the University of Birmingham in 2009, followed by an MSc in Advanced Computer Science in 2010. I obtained my PhD from the University of Birmingham in 2014, under the supervision of Tom Chothia. During my time as a PhD student, I was also a Senior Teaching Associate. My PhD was funded for four years, rather than three: 25% of my time was spent teaching. Following my PhD, I was a Research Associate in the Department of Computing at Imperial College London from October 2014 until May 2017, working with Sergio Maffeis. Research My research focuses on computer security, although I'm also interested in distributed systems and security-centric aspects of usability. I'm a member of the Centre for Cyber Security and Privacy at the University of Birmingham. During my time at Imperial College London, I was a member of the Research Institute in Automated Program Analysis and Verification, as part of the Certified Verification of Client-Side Web Programs project. I was also a member of the CryptoForma network and its successor, CryptoForma 2. Side-channel analysis My research currently focuses on side-channel analysis of probabilistic systems. David Parker and I have developed both a formal approach for quantifying the vulnerability of probabilistic models to side-channel attacks, and an implementation of this approach based on the PRISM model checker. In the context of the PRINCESS project that funds this work, verifying how likely it is that a proposed mission plan for an unmanned underwater vehicle will succeed given a specific time and power budget can be framed as a side-channel analysis problem. Chris Novakovic and David Parker. "Automated Formal Analysis of Side-Channel Attacks on Probabilistic Systems". In Proceedings of the 24th European Symposium on Research in Computer Security (ESORICS 2019), Luxembourg, September 2019. Avi Pfeffer, Curt Wu, Gerald Fry, Kenny Lu, Steve Marotta, Mike Reposa, Yuan Shi, T. K. Satish Kumar, Craig A. Knoblock, David Parker, Irfan Muhammad and Chris Novakovic. "Software Adaptation for an Unmanned Undersea Vehicle". IEEE Software 36(2), March 2019. Web security & privacy I've previously investigated the web's security and privacy models, particularly with regard to the implementation of standardised security policies in major web browsers. With Charlie Hothersall-Thomas and Sergio Maffeis, I've developed BrowserAudit, a web application allowing casual users, web developers and browser developers alike to assess how well their browsers implement today's main browser security policies, such as the the same-origin policy, the Content Security Policy, and Cross-Origin Resource Sharing. Charlie Hothersall-Thomas, Sergio Maffeis and Chris Novakovic. "BrowserAudit: Automated Testing of Browser Security Features". In Proceedings of the 2015 International Symposium on Software Testing and Analysis (ISSTA 2015), Baltimore, Maryland, USA, July 2015. How secure is your web browser? Find out with BrowserAudit! BrowserAudit on GitHub (includes source code and suite of over 400 tests) ISSTA 2015 Evaluated Artifact Invited talk in formal demo session at ISSTA 2015 Information flow control The majority of my research focuses on quantifying information leakage in complex, real-world software and systems, using both formal approaches to precisely compute information leakage and empirical approaches to accurately estimate information leakage. Along with Tom Chothia, Yusuke Kawamoto, David Parker and Rajiv Ranjan Singh, I've developed a number of automated information leakage analysis tools and their underlying theory. Tom Chothia, Chris Novakovic and Rajiv Ranjan Singh. "Calculating Quantitative Integrity and Secrecy for Imperative Programs". International Journal of Secure Software Engineering (IJSSE) 6(2), April–June 2015. Chris Novakovic. "Computing and Estimating Information Leakage with a Quantitative Point-to-Point Information Flow Model". PhD thesis, School of Computer Science, College of Engineering and Physical Sciences, University of Birmingham, October 2014. Tom Chothia, Chris Novakovic and Rajiv Ranjan Singh. "Automatically Calculating Quantitative Integrity Measures for Imperative Programs". In Proceedings of the 3rd International Workshop on Quantitative Aspects in Security Assurance (QASA 2014), Wrocław, Poland, September 2014. CH-IMP-IQ tool (including source code and example CH-IMP-IQ programs) Tom Chothia, Yusuke Kawamoto and Chris Novakovic. "LeakWatch: Estimating Information Leakage from Java Programs". In Proceedings of the 19th European Symposium on Research in Computer Security (ESORICS 2014), Wrocław, Poland, September 2014. LeakWatch tool (including source code and example Java programs) Tom Chothia, Yusuke Kawamoto and Chris Novakovic. "A Tool for Estimating Information Leakage". In Proceedings of the 25th International Conference on Computer Aided Verification (CAV 2013), St Petersburg, Russia, July 2013. leakiEst tool and Java library (including source code and example datasets) Tom Chothia, Yusuke Kawamoto, Chris Novakovic and David Parker. "Probabilistic Point-to-Point Information Leakage". In Proceedings of the IEEE 26th Computer Security Foundations Symposium (CSF 2013), New Orleans, Louisiana, USA, June 2013. CH-IMP tool (including source code and example CH-IMP programs) Monitoring of peer-to-peer file-sharing networks I've also conducted research into the monitoring of peer-to-peer networks — specifically, BitTorrent — by third parties. From 2009 to 2011, Tom Chothia, Marco Cova, Camilo González Toro and I studied the behaviour of BitTorrent peers in swarms for torrents indexed by The Pirate Bay, a famous (and copyright-infringing) file-sharing web site. We found that file-sharers are being monitored on an enormous scale by a range of organisations, including copyright enforcement agencies and market research companies. This work received a large amount of coverage in both the technical and general press. Tom Chothia, Marco Cova, Chris Novakovic and Camilo González Toro. "The Unbearable Lightness of Monitoring: Direct Monitoring in BitTorrent". In Proceedings of the 8th International Conference on Security and Privacy in Communication Networks (SecureComm 2012), Padua, Italy, September 2012. Chris Novakovic. "The Use of Monitoring in Distributed Peer-to-Peer Networks". Master's thesis, School of Computer Science, University of Birmingham, September 2010. Academic service I'm a member of the Programme Committee for SEC@SAC20, and a member of the Artifact Evaluation Committee for TACAS 2020. I was previously: a member of the Programme Committee for SEC@SAC16, SEC@SAC17, SEC@SAC18, and SEC@SAC19; a member of the Artifact Evaluation Committee for TACAS 2018 and TACAS 2019; an external reviewer for TCS-QAPL 2014, HotSpot 2015, POST 2015, PPREW-4, SSPREW-6, S&P 2017, ASE '17, JOT 17(1), and S&P 2019. Teaching I was a lab demonstrator as an MSc student at Birmingham during the 2009/10 academic session. While I was a PhD student between 2010 and 2014, I spent around a quarter of my time teaching undergraduate and taught-postgraduate students as a Teaching Assistant (and later as a Senior Teaching Associate); during this time, Tom Chothia and I developed a virtual machine for use in the practical coursework component of the Computer Security and Introduction to Computer Security modules. The VM now features a storyline that interweaves with the taught content of the module; we found the storyline to have a positive impact on student attainment for those who engaged with it. After moving to Imperial, I created the Network and Web Security course from scratch with Sergio Maffeis, combining the teaching of abstract network and web security concepts with practical tutorials using specially-designed virtual machines. This culminated in a practical exam which tested students' abstract knowledge as well as their ability to break in to a range of tailor-made vulnerable web services. Since returning to Birmingham, I have continued to support and develop the online assessment system I created for the Network and Web Security course. This system now delivers coursework and exam-based assessments for two additional courses at Imperial, with plans for further expansion. I also continue to set the practical component of the Network and Web Security exam. Tom Chothia, Chris Novakovic, Andreea-Ina Radu and Richard J. Thomas. "Choose Your Pwn Adventure: Adding Competition and Storytelling to an Introductory Cybersecurity Course". Transactions on Edutainment XV, May 2019. Tom Chothia and Chris Novakovic. "An Offline Capture The Flag-Style Virtual Machine and an Assessment of its Value for Cybersecurity Education". In Proceedings of the 2015 USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE '15), Washington, DC, USA, August 2015. Interested in using this virtual machine in your own security course? Download the VM and some sample exercise sheets. Teaching record Department of Computing, Imperial College London 2018/19: CO331 (Network and Web Security), external consultant 2017/18: CO331 (Network and Web Security), external consultant 2016/17: CO331 (Network and Web Security), Course Support Leader 2015/16: CO331 (Network and Web Security), Course Support Leader 2014/15: CO331 (Network and Web Security), Course Support Leader School of Computer Science, University of Birmingham 2013/14: Computer Security, teaching assistant Introduction to Computer Security, teaching assistant Software System Components, teaching assistant 2012/13: Computer Security, teaching assistant Network Security, teaching assistant Software System Components A, lab demonstrator Software System Components B, lab demonstrator 2011/12: Computer Security, teaching assistant Software Workshop 1, group tutor Software System Components 2, lab demonstrator 2010/11: Internet Computing Workshop: Sem1, teaching assistant Software Workshop Team Java, team supervisor Software System Components 2, lab demonstrator 2009/10: Software System Components 1, lab demonstrator Software System Components 2, lab demonstrator Software I maintain Net-SSLeay, the Perl bindings for OpenSSL and LibreSSL. Please report any bugs, feature requests or patches via RT or GitHub. Other activities Together with Tom Chothia and Marco Cova, I founded the University of Birmingham Hacking Club in 2009. We regularly compete in ethical computer hacking competitions under the team name A Finite Number of Monkeys — I participate under the pseudonym csn. From its inception, I was involved in the running of the Computer Science Society — the official student society of the School of Computer Science at the University of Birmingham — for several years, including serving as General Secretary from 2009–11. Contact Email: c.novakovic@cs.bham.ac.uk If your email is confidential, you might want to encrypt it before sending it to me. My PGP public key is available on all popular key servers. If you'd like to encrypt your email using PGP but aren't sure how, the Enigmail extension for Mozilla Thunderbird offers a quick-start guide.
