Willard Rafnsson

Associate Professor
IT University of Copenhagen

Research Interests

My goal is to enable developers to write, at scale, trustworthy software that satisfies high-level security requirements.

My research is on language-based security. I build foundations for computer security by advancing and applying techniques and tools from programming-language theory and formal methods, such as program analysis and program transformation.

Bio

I am an Associate Professor at the IT University of Copenhagen (ITU). I am a member of the Center for Information Security and Trust (CISAT) , as well as the Programming, Logic and Semantics (PLS) and Software Quality Research (SQUARE) groups.

I was a visiting researcher at Carnegie Mellon University (CMU) in the School of Computer Science in the summer of 2022, hosted by Stephanie Balzer.

I was a Postdoc at Max Planck Institute for Software Systems (MPI-SWS), hosted by Deepak Garg, and at Carnegie Mellon University (CMU) CyLab, hosted by Limin Jia and Lujo Bauer. I did my PhD at Chalmers in the security lab, supervised by Andrei Sabelfeld.

Projects

My projects, in reverse-chronological order:

Decentralised Transactions for Open Digital Markets
400.000 DKK, funded by Copenhagen Fintech.

My role: co-PI. Duration: 1. January 2024 - 31. December 2024.
GAMification and Education for Secure Software (GAMESS)
2.400.000 DKK, funded by Danish Ministry of Higher Education and Science.

My role: Contributor (Information-Flow Security). Duration: 1. April 2023 - 31 October 2024.
Practical Static Analysis for Information-Flow Control of JavaScript.
300.000 DKK, funded by Danish Hub for Cybersecurity (Cyber Hub, now Digital Lead).

My role: PI, coordinator. Duration: 1. July 2022 - 30. June 2023.
Assessing Reidentification Risk with Bayesian Probabilistic Programming
$ 1.000.000 NZ, funded by New Zealand MBIE Endeavor Fund - Smart Ideas.

My role: Key researcher. Duration: 1. October 2019 - 30. September 2022.

Publications

My publications, in reverse-chronological order:

Privacy with Good Taste: A Case Study in Quantifying Privacy Risks in Genetic Scores
Raúl Pardo, Willard Rafnsson, Gregor Steinhorn, Denis Lavrov, Thomas Lumley, Christian Probst, Ilze Ziedins, Andrzej Wasowski.

DPM 2022
"So I Sold My Soul": Effects of Dark Patterns in Cookie Notices on End-User Behavior and Perceptions
Ida Borberg, René Pedersen, Willard Rafnsson, Oksana Kulyk.

USEC 2022
How Attacker Knowledge Affects Privacy Risks: An Analysis Using Probabilistic Programming
Louise Halvorsen, Siv Steffensen, Willard Rafnsson, Oksana Kulyk, Raúl Pardo.

IWSPA 2022
Privug: Quantifying Leakage using Probabilistic Programming for Privacy Risk Analysis
Raúl Pardo, Willard Rafnsson, Christian Probst, Andrzej Wąsowski.

ESORICS 2021
Fixing Vulnerabilities Automatically with Linters
Willard Rafnsson, Rosario Giustolisi, Mark Kragerup, Mathias Høyrup.

NSS 2020
Timing-Sensitive Noninterference through Composition
Willard Rafnsson, Limin Jia, Lujo Bauer.

POST 2017 . (appendix)
Type Systems for Information-Flow Control: The Question of Granularity
Vineet Rajani, Iulia Bastys, Willard Rafnsson, Deepak Garg.

ACM SIGLOG News (vol. 4, nr. 1) 2017
Progress-Sensitive Security for SPARK
Willard Rafnsson, Deepak Garg, Andrei Sabelfeld.

ESSoS 2016 . (appendix )
Secure Multi-Execution: Fine-grained, Declassification-aware, and Transparent
Willard Rafnsson, Andrei Sabelfeld.

JCS (vol. 24, no. 1) 2016 (special issue of CSF 2012-2013)
Compositional Information-flow Security for Interactive Systems
Willard Rafnsson, Andrei Sabelfeld.

CSF 2014 .
Secure Multi-Execution: Fine-grained, Declassification-aware, and Transparent
Willard Rafnsson, Andrei Sabelfeld.

CSF 2013 .
Securing Class Initialization in Java-like Languages
Willard Rafnsson, Keiko Nakata, Andrei Sabelfeld.

TDSC (vol. 10, no. 1) 2013 . (appendix )
Securing Interactive Programs
Willard Rafnsson, Daniel Hedin, Andrei Sabelfeld.

CSF 2012 .
Limiting Information Leakage in Event-based Communication
Willard Rafnsson, Andrei Sabelfeld.

PLAS 2011 . (appendix)

Service

I serve on program committees. I have served on the following events.

IEEE Secure Development Conference (IEEE SecDev 2022) (PC member)
24th Nordic Conference on Secure IT Systems (NordSec 2019) (PC member, Poster chair)
39th International Conference on Formal Techniques for Distributed Objects, Components, and Systems (FORTE 2019) (PC member)

5th International Conference on Principles of Security and Trust (POST 2016) (PC member)
Workshop on Foundations of Computer Security (FCS 2015) (PC member)
19th Nordic Conference on Secure IT Systems (NordSec 2014), poster session (PC member)

I regularly peer-review research papers for CCS, S&P, CSF, NDSS, USENIX Security, ESORICS, POST, NordSec, FCS, MMM-ACNS, TOPLAS, and JLAMP.

Outreach

I appear in public media:

Hackers lure in victims with false Minecraft games
(Danish: Hackere lokker med falske Minecraft spil)
Interview for magazine article. Børneavisen, September 2022.
DIREC supports young researchers
(Danish: DIREC støtter unge forskere)
Interview for online news article. DIREC, 2021-09-29.
Cybercrime
(Danish: It-kriminalitet)
Interview for magazine article. Electra, November 2020.

WhatsApp hack
Interview for radio show (in Danish). Radio24syv, Datolinjen, 2019-05-14.
Securing Web Applications
Actor for educational video. Chalmers University of Technology, 2013-12-18.

I create material for a free online learning course on cybersecurity, SikkerCyber, aimed at employees in small- and medium-sized enterprises. (funded by Industriens Fond). I am the creator of the offensive security module.

Teaching

I teach at the IT University of Copenhagen. Samples: 1, 2, 3.

Current

Operating Systems and C in autumn
Program Verification in spring (automated theorem proving module)

Past

Applied Information Security in summer (course creator)
Advanced Security (Information Flow Control module)

I created courses on Introductory Programming , Information Theory , and Functional Programming, have been course manager of an Algorithms course, and been TA in Cryptography, Concurrent Programming, Testing & Verification, Computability & Complexity, Formal Languages & Automata, Discrete Mathematics, Computer Organization, and Object-Oriented Programming.

I am appointed external examiner ("censor"), by the Danish Ministry for Education and Research ("Uddannelses- og Forskningsministeriet"), in the following censor corps:

Computer Science Censor Corps ("Censorkorpset i Datalogi"). Here is my page.
Bachelor and Master of Engineering Censor Corps ("Diplomingeniøruddannelsernes Censorkorps" and "Civilingeniøruddannelsernes Censorkorps") within Mathematics, Physics, and Social Sciences.

Supervision

I supervise student research- and thesis-projects.

I only supervise projects which I am highly enthusiastic about, and which will likely lead to a research paper. Are you a student interested in writing a project with me? Make sure my research agenda overlaps with your interest, then set up a meet.

Current Supervision

Gianmarco Murru
Automating Server Hardening
Ryan Michael Williams
Formal Verification of Security Properties for CubeSat Satellites
Line Dejgaard
Binary Analysis for Detecting Buffer Overflow Vulnerabilities
Fabian Harlang and Rares-Ionut Mocanu
Finding and Automatically Fixing Vulnerable Uses of JavaScript Libraries
Andreas Just Petersen
GameBoy Emulator in WebAssembly

Past Supervision

Andreas Ørregaard Klingenbrunn
Privacy risk analysis in Excel
Jacob Buchholz Bech
Finding Vulnerabilities in the Linux Kernel with CodeQL.
Lasse Agersten , and Oliver Madsen
Fixing Vulnerabilities Automatically with ESLint.
Louise Christine Lykke Ma , and Bjørn Mikkelsen
Fixing Vulnerabilities Automatically in Infrastructure-as-Code.
Astrid Machholm , and Diba Sadat Afzali
Visualizing and Communicating Privacy Risk: An Evaluation of Privacy Mechanisms with Privugger.
Mads Lomholt Tvede , Kristoffer Claussen Boesen , and Johan Emil Hardon
The Security of MIFARE Classic 1K in Physical Access Control Systems.
Helene Burghoff , and Ibrahim Mohammad
Post-Quantum Cryptography for Web Servers.
Niclas Hedam
Mitigation of Timing Attacks on the Kernel Level. paper in progress
Dennis Riget Hansen
angrIFlow: Testing Information-Flow Properties with angr.
Kristoffer Astrup , and Sebastian Olsen
Finding Vulnerabilities in UNIX Binaries with angr.
Idem Lykkesfeldt
Program Synthesis for Information-Flow Security.
Louise Chiang Halvorsen and Siv Louise Steffensen
How Attacker Knowledge Affects Privacy Risks: An Analysis using Probabilistic Programming. published
Mark Kragerup and Mathias Høyrup
Fixing Vulnerabilities Automatically with Linters. published
Ida Marie Borberg and René Hougaard Pedersen
Dark Patterns in Cookie Disclaimers. published
Yonathan Volpin
Type System for Information-Flow Control of JavaScript.
Ashley Parsons-Trew
Modeling Dynamical Systems with Functional Reactive Programming.
Jonas Andersen and Hugo Brito
Domain-Specific Languages for Contracts.
Andreas Kløve Thystrup and Nicolai Dørfler
Remote Timing Attacks on Shared Platforms.
Ans Uddin
Information-Flow Secure Programming on Matrix.