Willard Rafnsson

My goal is to enable developers to write, at scale, trustworthy software that satisfies high-level security requirements.

My research is on language-based security. I build foundations for computer security by advancing and applying techniques and tools from programming-language theory and formal methods, such as program analysis and program transformation.

I am an Assistant Professor at the IT University of Copenhagen (ITU). I am a member of the Center for Information Security and Trust (CISAT) , as well as the Programming, Logic and Semantics (PLS) and Software Quality Research (SQUARE) groups.

I was a visiting researcher at Carnegie Mellon University (CMU) in the School of Computer Science in the summer of 2022, hosted by Stephanie Balzer.

I was a Postdoc at Max Planck Institute for Software Systems (MPI-SWS), hosted by Deepak Garg, and at Carnegie Mellon University (CMU) CyLab, hosted by Limin Jia and Lujo Bauer. I did my PhD at Chalmers in the security lab, supervised by Andrei Sabelfeld.

My publications, in reverse-chronological order:

• Privacy with Good Taste: A Case Study in Quantifying Privacy Risks in Genetic Scores
  Raúl Pardo, Willard Rafnsson, Gregor Steinhorn, Denis Lavrov, Thomas Lumley, Christian Probst, Ilze Ziedins, Andrzej Wasowski.
  DPM 2022 (to appear)
• "So I Sold My Soul": Effects of Dark Patterns in Cookie Notices on End-User Behavior and Perceptions
  Ida Borberg, René Pedersen, Willard Rafnsson, Oksana Kulyk.
  USEC 2022
• How Attacker Knowledge Affects Privacy Risks: An Analysis Using Probabilistic Programming
  Louise Halvorsen, Siv Steffensen, Willard Rafnsson, Oksana Kulyk, Raúl Pardo.
  IWSPA 2022
• Privug: Quantifying Leakage using Probabilistic Programming for Privacy Risk Analysis
  Raúl Pardo, Willard Rafnsson, Christian Probst, Andrzej Wąsowski.
  ESORICS 2021
• Fixing Vulnerabilities Automatically with Linters
  Willard Rafnsson, Rosario Giustolisi, Mark Kragerup, Mathias Høyrup.
  NSS 2020
• Timing-Sensitive Noninterference through Composition
  Willard Rafnsson, Limin Jia, Lujo Bauer.
  POST 2017 . (appendix)
• Type Systems for Information-Flow Control: The Question of Granularity
  Vineet Rajani, Iulia Bastys, Willard Rafnsson, Deepak Garg.
  ACM SIGLOG News (vol. 4, nr. 1) 2017
• Progress-Sensitive Security for SPARK
  Willard Rafnsson, Deepak Garg, Andrei Sabelfeld.
  ESSoS 2016 . (appendix )
• Secure Multi-Execution: Fine-grained, Declassification-aware, and Transparent
  Willard Rafnsson, Andrei Sabelfeld.
  JCS (vol. 24, no. 1) 2016 (special issue of CSF 2012-2013)
• Compositional Information-flow Security for Interactive Systems
  Willard Rafnsson, Andrei Sabelfeld.
  CSF 2014 .
• Secure Multi-Execution: Fine-grained, Declassification-aware, and Transparent
  Willard Rafnsson, Andrei Sabelfeld.
  CSF 2013 .
• Securing Class Initialization in Java-like Languages
  Willard Rafnsson, Keiko Nakata, Andrei Sabelfeld.
  TDSC (vol. 10, no. 1) 2013 . (appendix )
• Securing Interactive Programs
  Willard Rafnsson, Daniel Hedin, Andrei Sabelfeld.
  CSF 2012 .
• Limiting Information Leakage in Event-based Communication
  Willard Rafnsson, Andrei Sabelfeld.
  PLAS 2011 . (appendix)

I serve on the program committees of the following events.

• IEEE Secure Development Conference (IEEE SecDev 2022) (PC member)
• 24th Nordic Conference on Secure IT Systems (NordSec 2019) (PC member, Poster chair)
• 39th International Conference on Formal Techniques for Distributed Objects, Components, and Systems (FORTE 2019) (PC member)
• 5th International Conference on Principles of Security and Trust (POST 2016) (PC member)
• Workshop on Foundations of Computer Security (FCS 2015) (PC member)
• 19th Nordic Conference on Secure IT Systems (NordSec 2014), poster session (PC member)

I regularly peer-review research papers for CCS, S&P, CSF, NDSS, USENIX Security, ESORICS, POST, NordSec, FCS, MMM-ACNS, TOPLAS, and JLAMP.

I appear in public media:

• Hackere lokker med falske Minecraft spil
  (in English: Hackers lure in victims with false Minecraft games)
  Interview for magazine article.
  Børneavisen, September 2022.
• DIREC støtter unge forskere
  (in English: DIREC supports young researchers)
  Interview for online news article.
  DIREC, 2021-09-29.
• It-kriminalitet
  (in English: Cybercrime)
  Interview for magazine article.
  Electra, November 2020.
• WhatsApp hack
  Interview for radio show (in Danish).
  Radio24syv, Datolinjen, 2019-05-14.
• Securing Web Applications
  Actor for educational video.
  Chalmers University of Technology, 2013-12-18.

I create course material for SikkerCyber, a free online learning course on cybersecurity, aimed at employees in small- and medium-sized enterprises. (funded by Industriens Fond).

I teach at the IT University of Copenhagen. Demonstration: 1, 2.

Current

• Operating Systems and C in autumn
• Applied Information Security in summer (course creator, examiner)
• Program Verification in spring (the SPARK Ada module)

Past

I created an Information Flow module in Advanced Security , created courses on Security , Introductory Programming , Information Theory , and Functional Programming, been course manager of an Algorithms course, and been TA in Cryptography, Concurrent Programming, Testing & Verification, Computability & Complexity, Formal Languages & Automata, Discrete Mathematics, Computer Organization, and Object-Oriented Programming.

I am appointed external examiner ("censor") for the Computer Science Censor Core ("Censorkorpset i Datalogi"), by the Danish Ministry for Education and Research ("Uddannelses- og Forskningsministeriet"). Here is my page.

I supervise student research- and thesis-projects.

I only supervise projects which I am highly enthusiastic about, and which will likely lead to a research paper. Are you a student interested in writing a project with me? Make sure my research agenda overlaps with your interest, then set up a meet.

Current

• Katrine Christensen
  TBA (Information-Flow Control)
• Andreas Ørregaard Klingenbrunn
  Privacy risk analysis in Excel
• Selim Yetkin
  TBA (Access Control Systems)
• Fabian August Clement Harlang and Rares-Ionut Mocanu
  TBA (Vulnerabilities in JavaScript)
• Babavaraprasad Reddy Pingili
  TBA (Vulnerabilities in JavaScript)

Past

• Jacob Buchholz Bech
  Finding Vulnerabilities in the Linux Kernel with CodeQL.
• Lasse Agersten , and Oliver Madsen
  Fixing Vulnerabilities Automatically with ESLint.
• Louise Christine Lykke Ma , and Bjørn Mikkelsen
  Fixing Vulnerabilities Automatically in Infrastructure-as-Code.
• Astrid Machholm , and Diba Sadat Afzali
  Visualizing and Communicating Privacy Risk: An Evaluation of Privacy Mechanisms with Privugger.
• Mads Lomholt Tvede , Kristoffer Claussen Boesen , and Johan Emil Hardon
  The Security of MIFARE Classic 1K in Physical Access Control Systems.
• Helene Burghoff , and Ibrahim Mohammad
  Post-Quantum Cryptography for Web Servers.
• Niclas Hedam
  Mitigation of Timing Attacks on the Kernel Level. paper in progress
• Dennis Riget Hansen
  angrIFlow: Testing Information-Flow Properties with angr.
• Kristoffer Astrup , and Sebastian Olsen
  Finding Vulnerabilities in UNIX Binaries with angr.
• Idem Lykkesfeldt
  Program Synthesis for Information-Flow Security.
• Louise Chiang Halvorsen and Siv Louise Steffensen
  How Attacker Knowledge Affects Privacy Risks: An Analysis using Probabilistic Programming. published
• Mark Kragerup and Mathias Høyrup
  Fixing Vulnerabilities Automatically with Linters. published
• Ida Marie Borberg and René Hougaard Pedersen
  Dark Patterns in Cookie Disclaimers. published
• Yonathan Volpin
  Type System for Information-Flow Control of JavaScript.
• Ashley Parsons-Trew
  Modeling Dynamical Systems with Functional Reactive Programming.
• Jonas Andersen and Hugo Brito
  Domain-Specific Languages for Contracts.
• Andreas Kløve Thystrup and Nicolai Dørfler
  Remote Timing Attacks on Shared Platforms.
• Ans Uddin
  Information-Flow Secure Programming on Matrix.