[TYPES/announce] 9 PhD positions at Chalmers for web security and secure programming of IoT devices

Alejandro Russo russo at chalmers.se
Mon Apr 9 21:20:13 EDT 2018


Dear all,

We are starting two big projects on security at Chalmers. Both of them 
leverage programming languages technology to solve security problems. 
Details below.

Best,
/Alejandro

** Apologies for multiple copies **

The Computer Science and Engineering Department, Chalmers University of
Technology is hiring:

4 PhD students in web application security

5 PhD students in secure programming of IoT devices

* Important dates:

   April 27- Deadline for first round of selection (we encourage all
              candidates to apply early, especially those who need visa
              for visiting Sweden)
   May 21 - Deadline for second round of selection
   June 1, 4 or 5 - Tentative dates for interviews

* Expected starting date: preferably around September 2018.

For details, including employment conditions and how to apply, see:
<http://www.chalmers.se/en/about-chalmers/Working-at-Chalmers/Vacancies/Pages/default.aspx?rmpage=job&rmjob=6134>
<http://www.chalmers.se/en/about-chalmers/Working-at-Chalmers/Vacancies/Pages/default.aspx?rmpage=job&rmjob=p6138>

4 PhD students in web application security
------------------------------------------

The PhD students will join an ambitious framework project: WebSec:
Securing Web-driven Systems, conducted jointly with Uppsala
University. WebSec sets out to develop a principled security platform
for the web. WebSec will break away from temporary patches and
short-term mitigations and tackle the challenge of web security at
scale. WebSec will result in:

- Comprehensive framework for detection, mitigation, and prevention of
  cross-site scripting (XSS) attacks, encompassing (i) Crawling 2.0 and
  advanced string constraint solving for XSS detection, (ii) flexible
  Content Security Policy (CSP) for XSS mitigation, and (iii) a server-side
  template framework separating data from code for XSS prevention.

- JavaScript program analysis platform for monitoring and symbolically
  executing JavaScript, the web's main programming language.

- Principled framework for system-wide security, enabling confinement,
  tainting, and information-flow control mechanisms across web component
  boundaries, building on our work on JSFlow http://www.jsflow.net/

- Mechanisms for confinement and compartmentalization on the web, including
  extensions to the recently proposed COWL W3C standard
  (https://www.w3.org/TR/COWL/) and the multi-app web framework Hails
  (https://hackage.haskell.org/package/hails).

- Framework for privacy on the web, addressing user tracking while enabling
  privacy-preserving web analytics.
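The first WebSec item pairs two defences, a CSP for mitigation and a template layer that keeps untrusted data from being interpreted as code for prevention. The following is an added illustration of that combination in plain Python; it is not WebSec's code, and the page templates, escaper names and the constructed sample inputs are assumptions made for the example. Each data slot in the template is escaped for the context it lands in (HTML text, URL attribute, or a script block), and every response carries a nonce-based CSP so that only the server-emitted script tag is allowed to run.

```python
import html
import json
import secrets

# Constructed sample inputs for the demo (not taken from any real site):
# a user-supplied display name and profile link carrying script payloads.
UNTRUSTED_NAME = '<img src=x onerror="alert(1)">'
UNTRUSTED_LINK = "javascript:alert(1)"


def escape_html_text(value: str) -> str:
    """Escape for an HTML text node or a double-quoted attribute value."""
    return html.escape(value, quote=True)


def escape_url_attr(value: str) -> str:
    """Escape for an href attribute: only http(s) URLs are accepted,
    anything else (javascript:, data:, ...) is replaced by a harmless '#'."""
    lower = value.strip().lower()
    if not (lower.startswith("http://") or lower.startswith("https://")):
        return "#"
    return html.escape(value, quote=True)


def embed_in_script(value) -> str:
    """JSON-encode data for inclusion in a <script> block; '<', '>' and '&'
    are unicode-escaped so a value like '</script>' cannot close the tag."""
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def csp_header(nonce: str) -> str:
    """Nonce-based CSP: scripts run only if they carry this response's nonce.
    Injected inline scripts and event handlers have no nonce and are blocked."""
    return (
        f"default-src 'self'; script-src 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'none'"
    )


def render_page(name: str, link: str, nonce: str) -> str:
    """Hypothetical template: data enters only through context-specific escapers,
    and the one legitimate inline script is tagged with the CSP nonce."""
    return (
        "<!doctype html><html><body>\n"
        f"<h1>Hello, {escape_html_text(name)}</h1>\n"
        f'<a href="{escape_url_attr(link)}">profile</a>\n'
        f'<script nonce="{nonce}">\n'
        f"  var profile = {embed_in_script({'name': name, 'link': link})};\n"
        "</script>\n"
        "</body></html>\n"
    )


def build_response(name: str, link: str) -> tuple[dict, str]:
    """Return (headers, body) for one request; the nonce is fresh per response."""
    nonce = secrets.token_urlsafe(16)
    headers = {"Content-Security-Policy": csp_header(nonce)}
    return headers, render_page(name, link, nonce)


if __name__ == "__main__":
    hdrs, body = build_response(UNTRUSTED_NAME, UNTRUSTED_LINK)
    print(hdrs["Content-Security-Policy"])
    print(body)
```

Running the script shows the payload rendered inertly as text, the `javascript:` link neutralised, and the JSON copy of the data unable to break out of the script block, while the CSP header ties script execution to the per-response nonce.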

The PhD students will join a high-profile group of researchers on software
security. Software is often the root cause of vulnerabilities in modern
computing systems. By focusing on securing the software, we target
principled security mechanisms that provide robust protection against
large classes of attacks.

We have a track record of successful projects with top international
partners in academia and industry, including a European project
WebSand on web application sandboxing: https://www.websand.eu/

Promotional video of Chalmers research on securing web applications:
https://vimeo.com/82206652

5 PhD students in secure programming of IoT devices
---------------------------------------------------

The PhD positions are within the recently granted project Octopi: Secure
Programming for the Internet of Things (IoT). Octopi is dedicated to
contributing to and furthering research on (i) utilizing high-level
languages to program constrained devices, (ii) finding suitable programming
models for IoT, and (iii) developing security mechanisms to obtain
system-wide guarantees. The programming language of the project is Haskell
(https://www.haskell.org/). Applicants' work is expected to range from
establishing new theoretical foundations to building mature prototypes.
Octopi presents many research tracks dedicated to tackling ambitious
challenges:

- Programming model

   This track focuses on developing programming models which capture the
   common coding patterns (and architecture) of IoT applications.

- Compilation and runtime

   Programs written in high-level languages often run in tandem with a large
   runtime responsible for providing valuable services (e.g., safe memory
   management). Having such a runtime on constrained IoT devices is simply
   not possible. This task explores mechanisms to predict the resource
   consumption behavior of programs so that certain runtime services are not
   needed, thus reducing their size.

- Locality of data

   In data-driven IoT systems, users must be able to express and easily
   control the choice of whether to migrate data to functions or functions
   to data. This task focuses on finding ways to provide such control
   without giving up the benefits of programming in a high-level language.

- Hardware support

   This task is aimed at the end points of IoT systems. It plans on
   creating a processor aimed specifically at executing functional
   languages directly and efficiently. This entails both creating an
   efficient graph reduction engine as well as built-in support for
   garbage collection.

- Penetration testing

   High-level languages prevent developers from introducing a wide class of
   security-related bugs that plague low-level ones. Nevertheless, programs
   written in a high-level language interact, via bindings, with the
   underlying OS. The binding code is responsible for bridging the semantic
   gap between both languages, which makes it a door for security bugs.
   This task plans to provide a smart fuzzing tool to test such binding
   code for vulnerabilities.

PhD students will join high-profile groups of researchers on security and
functional programming with a rich network of collaborators and visibility
across several research communities. Octopi's faculty members have a strong
tradition of successfully applying the functional programming language
Haskell to different domains: protection of data privacy
(https://hackage.haskell.org/package/lio), testing
(https://hackage.haskell.org/package/QuickCheck), SAT-solving and theorem
proving (https://github.com/nick8325/equinox), and digital signal processing
(https://hackage.haskell.org/package/feldspar-language).
