Experienced Security Researcher and Software developer with a passion for digging into, understanding and solving problems in complex systems.
LinkedIn / GitHub / Google Scholar
Research Expert @ SAP SE (Feb 2019 - Present)
- Industrial research into novel techniques in the field of vulnerability detection, active defense and threat monitoring for web applications.
- Developed methods for the detection and prevention of cybersecurity vulnerabilities for interpreted languages (e.g. JavaScript, Java).
- Applied techniques to privacy use-cases such as automating GDPR compliance for legacy applications, and high-accuracy detection of browser fingerprinting.
- Publication of results in top security conferences and transfer of prototypes into SAP Lines of Business.
- Active involvement in publicly funded projects: Principal investigator @ ENCOPIA and researcher @ TESTABLE.
- Supervision of PhD and Master's students and international collaboration with external partners from industry and academia.
Senior Software Developer @ Intel (May 2014 - Feb 2019)
- Designed security software for next-generation automotive infotainment and software-defined cockpit platforms.
- Developed key storage solutions in trusted execution environments such as the Linux kernel and Intel SGX.
- Digital Rights Management solutions such as Widevine and HDCP.
- Security Champion for the Transportation Solutions Division.
- Scrum master for the Automotive Security team.
Software Developer @ Vector (Jan 2013 - Apr 2014)
- Automotive firmware developer with a focus on the XCP remote calibration protocol over Ethernet.
- Designed and implemented an automated continuous regression test system to provide continuous integration of new features.
Postdoctoral Researcher @ University of Freiburg (Nov 2010 - Dec 2012)
- Analysed the first particle collision data from the ATLAS experiment at CERN to search for new Supersymmetric particles beyond the current Standard Model.
- Engaged in Research and Development activities for the next generation of silicon-based particle detectors, including novel radiation detection systems.
- Lead developer and maintainer of Project Foxhound, an instrumented fork of the Firefox browser for security testing (Listen to the podcast!).
- Developer of Fontus, a bytecode rewriting engine for security and privacy policy enforcement.
- Lead developer of the Sanitizer Checker, a symbolic string analysis framework to evaluate the security of sanitization functions.
PhD Experimental Particle Physics @ University of Cambridge (2006-2010)
- Topic: New physics searches in the ZZ sector with the ATLAS experiment
- Wrote C++/Python algorithms to process and analyze data from the LHC @ CERN
- Development of embedded readout software for the Data Acquisition System of the ATLAS Semiconductor Tracker
MSc. Natural Sciences @ University of Cambridge (2001-2005)
- Subjects: Maths, Advanced Physics
- Result: First (Outstanding)
GCE A-Levels @ King Edward VI Grammar School (1994-2001)
- Maths, Physics, Chemistry, Music, General Studies
- Results: All grade A (Outstanding)
- Taint tracking via non-intrusive bytecode instrumentation: US11526600B2
- Security Vulnerability Detection: US20230177166A1
- String Sanitizer Modeling: US20230252159A1
A selected list of publications is shown below. A full list is available on Google Scholar.
- FP-tracer: Fine-grained Browser Fingerprinting Detection via Taint-tracking and Entropy-based Thresholds, Soumaya Boussaha et al. Proceedings on Privacy Enhancing Technologies, 2024 (PoPETS '24) (pdf)
- The Great Request Robbery: An Empirical Study of Client-side Request Hijacking Vulnerabilities on the Web, Soheil Khodayari, Thomas Barber and Giancarlo Pellegrino. Proceedings of 45th IEEE Symposium on Security and Privacy, 2024 (S&P '24) (pdf, video)
- General Data Protection Runtime: Enforcing Transparent GDPR Compliance for Existing Applications, David Klein, Benny Rolle, Thomas Barber, Manuel Karl, and Martin Johns. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS '23) (pdf)
- Hand Sanitizers in the Wild: A Large-scale Study of Custom JavaScript Sanitizer Functions, David Klein, Thomas Barber, Souphiane Bensalim, Ben Stock, Martin Johns, 7th IEEE European Symposium on Security and Privacy (EuroS&P 2022) (pdf)
- Programming Skills: C/C++, Python, Java, JavaScript, C#
- Environments: Linux, Windows, Docker, Git, Jenkins
- Languages: English (native), German (working proficiency), French (basic)
- Distinguished Paper Award @ IEEE S&P (2024) for our paper on Client-Side Request Hijacking
- Spot Awards @ SAP (2020, 2021, 2023) for outstanding performance.
- Divisional Recognition Awards @ Intel (2018) for designing and implementing a software solution to meet strict customer deadlines.
- Doncaster Prize @ University of Cambridge (2005) for exam results in Natural Sciences.
- Cormack Scholarship @ University of Edinburgh (2004) for best summer student project in astrophysics.
- Triathlon (Running, Cycling, Swimming)
- Music (Singer @ Bachchor, Piano)
An online version of this resume is available as HTML / PDF / Markdown