Contact info

  • Office: 04.144
  • Address:
    Dept. Computer Science
    Celestijnenlaan 200A
    B-3001 Heverlee
    BELGIUM
  • Tel: +3216326259
  • Fax: +3216327996
  • Email: Lieven Desmet
  • Personal homepage
Lieven Desmet

I'm the Research Manager on Secure Software in the iMinds-DistriNet Research Group at the Katholieke Universiteit Leuven (Belgium), where I outline and implement the research strategy, coach junior researchers in (web) application security, and participate in dissemination and valorisation activities.

I'm also involved in the Open Web Application Security Project (OWASP) as a board member of the Belgium OWASP Chapter, and part of the organization team of the upcoming OWASP AppSec EU 2015 conference in Amsterdam.

Moreover, as program director of SecAppDev.org, I'm responsible for putting together the widely acclaimed 'secure software development' training programme, to closely align this programme with trends and challenges in research and industry, and to attract top instructors from all over the world.

LinkedIn: my up-to-date CV can be found at https://www.linkedin.com/in/lievendesmet

PGP Key fingerprint: 9597 45EE 3E23 E79C 614B D7BB DC30 0E62 3D26 C255

Research collaborations

To implement and execute the research strategy of our group, I contribute to the inception, submission and execution of various research projects. For instance, I successfully contributed to multiple EU-FP7 projects (a.o. WebSand, NESSoS, STREWS), iMinds ICON projects (a.o. CUSTOMSS, PUMA, DREAMaaS) and the IWT-SBO project SEC SODA, and I have set up several direct research collaborations with industry partners (contract research).

As iMinds ICON coordinator, I coordinate and supervise the submission of ICON project proposals for the iMinds Security Department. ICON projects are demand-driven and interdisciplinary research projects, executed by a consortium of iMinds labs and local industry partners, funded by IBBT and IWT.

More information about the upcoming iMinds ICON call can be found here. Please feel free to contact me if you have an interesting idea to pursue, or if you want to discuss opportunities to join a project consortium!

Research interests

The most recent activities of my team of researchers drill down on the security of (web) applications in a multi-tenant, multiple domain context.

With CsFire, we propose a novel client-side mitigation technique against Cross-Site Request Forgery, based on the fine-grained identification of malicious cross-domain requests as well as the stripping of implicit credentials as proposed in RequestRodeo. With the most recent trusted delegation policy, presented at ESORICS 2011, our solution securely protects the user against CSRF, while preserving important scenarios such as third-party payment (e.g. PayPal) and third-party authentication (SSO). CsFire is available as an extension for Firefox 3.5 and higher, and we are working on a Chrome version as well.

In addition, we are exploring the security impact of client-side and server-side mashups. With WebJail (presented at ACSAC 2011), we securely integrate third-party JavaScript content according to a least-privilege security policy. This secure composition policy is inspired by a recent HTML5 security study our team conducted on 13 emerging W3C web specifications (HTML5 and friends), commissioned by the European Network and Information Security Agency (ENISA).

Finally, we have contributed to security middleware solutions. We have developed middleware to provide complex security services (such as non-repudiation) in multi-tier web environments, as well as a scalable authorization architecture to enable XACML authorization in SOA environments. To also support the dynamic reconfiguration of policy enforcement in such a distributed authorization system, we have proposed a runtime management tool (presented at Middleware 2011) to satisfy both security and performance needs.

Key publications:

  1. Pieter Agten, Steven Van Acker, Yoran Brondsema, Phu H. Phung, Lieven Desmet, Frank Piessens, JSand: Complete client-side sandboxing of third-party JavaScript without browser modifications, Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC 2012), pages 1-10, Orlando, Florida, USA, 3-7 December 2012
  2. Steven Van Acker, Nick Nikiforakis, Lieven Desmet, Wouter Joosen, Frank Piessens, FlashOver: Automated discovery of cross-site scripting vulnerabilities in rich internet applications, AsiaCCS, Seoul, 2-4 May 2012
  3. Philippe De Ryck, Lieven Desmet, Wouter Joosen, Frank Piessens, Automatic and precise client-side protection against CSRF attacks, European Symposium on Research in Computer Security (ESORICS 2011), Lecture Notes in Computer Science, volume 6879, pages 100-116, Leuven, Belgium, 12-14 September 2011
  4. Philippe De Ryck, Lieven Desmet, Pieter Philippaerts, Frank Piessens, A security analysis of next generation web standards, Technical Report, European Network and Information Security Agency (ENISA), 31 July 2011
  5. Philippe De Ryck, Lieven Desmet, Thomas Heyman, Frank Piessens, Wouter Joosen, CsFire: Transparent client-side mitigation of malicious cross-domain requests, Engineering Secure Software and Systems, Lecture Notes in Computer Science, volume 5965, pages 18-34, Pisa, Italy, 3-4 February 2010

Software verification

During my PhD, I worked on a broad variety of topics, including static software verification, run-time monitoring, dynamic software architectures and web service security. The main topic of my PhD dissertation is the combination of static and dynamic software verification to guarantee the absence of broken data dependencies in data-centered component-based applications. My most recent publication on this topic appeared in IEEE Transactions on Software Engineering: Provable Protection against Web Application Vulnerabilities Related to Session Data Dependencies.

In 2008, I went abroad to Aachen (Germany) for a six-month research visit at the European Microsoft Innovation Center (EMIC). At EMIC, I worked together with Microsoft Research and the Universität des Saarlandes on the formal verification of the Microsoft Viridian HyperVisor, which is part of Windows Server 2008. This research was done in the context of the Verisoft XT project.