I'm General Chair of CANS 2024. We are now open for registrations -- make sure you register before the early bird rate ends.


I am Professor of Computer Security and Head of the Department of Computer Science and Technology, often informally called The Computer Laboratory. I am also the Robin Walker Fellow in Computer Science at Queens' College, Cambridge.

My research work examines the security and privacy of large-scale distributed computer systems. Within this broad area, I am currently interested in the security and privacy of networked mobile devices, such as smartphones, tablets and laptops. I examine the security of the devices themselves as well as the security and privacy problems induced by the interaction between mobile devices and cloud-based Internet services. I approach this through the critical evaluation of existing products, by designing and building novel prototype technologies, and by measuring human behaviour.

Recent research paper highlights

  • Daniel Hugenroth and I co-supervised fourth-year undergraduate Jacky Kung in 2023-24. Jacky built a testbed to explore the new keystroke timing obfuscation technique in OpenSSH 9.5. We found that this new feature was ineffective and also broke a long-standing timing attack mitigation first deployed in OpenSSH 2.9.9. This resulted in CVE-2024-39894 which has been fixed in OpenSSH 9.8. Look out for the forthcoming paper.
  • We designed a new user discovery service for anonymity networks. Current networks require users to exchange long, unique identifiers with others in order to connect online. Examples include the .onion address on Tor, or a long user identifier on Nym. We know from previous work that manually exchanging identifiers makes using encryption challenging. Our protocol, Pudding, allows users to find friends on anonymity networks using friendly names such as email addresses while ensuring the network does not learn who is friends with who, nor allow users to determine whether any particular person is a member of the network. Our approach also means that a communication app can automate the lookup of friends on anonymity networks as friendly names (e.g. email) are often in contact address books. Our paper appeared in IEEE Security & Privacy (Oakland) 2024 and Ceren provides an excellent presentation.
  • We took a look at whether anonymity networks such as Tor and Nym can be used continuously on modern smartphones, or whether the power demands of these networks are too significant to be practical. We found Tor was surprisingly efficient, while the cover traffic requirements of systems such as Nym mean it is unusable continuously. Our paper is due to appear in Usenix Security 2023.
  • We worked with journalists and news organisations to design a more usable means of establishing initial contact between a potential whistleblower and a journalist. Our design looks like a messaging feature embedded in the news organisation's news app and is easy to use. However, behind the scenes, our solution provides strong guarantees against powerful adversaries who can monitor all network connections between smartphones and news organisation servers. More information can be found in the paper which appeared at PETS 2022 and won the Andreas Pfitzmann Best Student Paper Award.
  • We designed a novel key agreement scheme for decentralised group messaging which achieves forward secrecy and post-compromise security without central coordination. The paper appeared at CCS 2021.
  • We designed a new means of supporting efficient group-multicast in mix networks, reducing the delivery time of messages to a group of m members from O(m) to O(log m). This is particularly important for collaborative applications such as Google Docs where multiple participants update shared state concurrently and want to see the work of others in a timely fashion. The paper appeared at Usenix Security 2021.
  • We developed a new class of fingerprinting attacks against modern electronic sensors which contain calibration data, such as accelerometers, gyros and magnetometers. These devices are found in many places including modern smartphones. Our attack is able to extract the underlying calibration embedded in such devices and we demonstrated our approach was likely to produce a fixed, globally unique identifier in iOS devices as well as recent Google Pixel handsets. Our attack takes less than a second and can be conducted by an app installed on the handset or a website the user visits in the web browser without further intervention. Apple applied the fixes we proposed in iOS 12.2 (CVE-2019-8541) and watchOS 5.2 (CVE-2019-8541); Google made updates to Android 11. More details can be found in our conference paper at IEEE Security & Privacy (Oakland) 2019 as well as our follow-on paper in IEEE Transactions on Information Forensics and Security 2020.

Current research activities

I work closely with many colleagues across the department and beyond on large-scale, collaborative research activities.

Centre for Mobile, Wearable Systems and Augmented Intelligence

Prof Cecilia Mascolo and I are the directors of the Centre for Mobile, Wearable Systems and Augmented Intelligence. We focus on next-generation mobile and wearable technology and applications, including new system architectures, novel sensor and machine learning techniques, challenging security and privacy issues as well as wearable materials and devices and geographical data analytics. Application areas range from mobile health to novel methods of secure, anonymous communication.

Cambridge Cybercrime Centre

The Cambridge Cybercrime Centre is a multi-disciplinary initiative combining expertise from computer science, criminology and law. We take a data-driven approach to improve our understanding of criminal activity and develop robust identifiers and evidence of criminal behaviour. An important goal of the centre is to provide data to other academics and therefore drive a step change in the amount of research conducted into cybercrime. To date we have supported 278 researchers in 57 universities from 26 countries. Our data collection and sharing regime builds on prior work in the Device Analyzer project (see below).

Raspberry Pi Computing Education Research Centre

The Raspberry Pi Computing Education Research Centre is a joint initiative between the University of Cambridge and the Raspberry Pi Foundation. The primary aim of the Centre is to investigate how to engage all young people in computing, computer science, and associated subjects. Our focus is on collaborative work with schools and educators to ensure that research can readily inform practice.

Isaac Learning Platform

The Isaac Learning Platform uses recent developments in web technology and computer-based educational techniques to improve the teaching of maths, physics, computer science, chemistry and biology in secondary schools. We work in partnership with teachers and educators. We have supported over 500,000 users to make over 120 million question attempts on our platform since 2015. At peak times, we see over 800,000 question attempts a week. I am the technical director of platform development. We write the software and operate the infrastructure in-house and release our work as open source software. Our platform has two offerings: IsaacPhysics.org, in collaboration with the Department of Physics; and AdaComputerScience.org, in collaboration with the Raspberry Pi Foundation. The Isaac Learning Platform is also the core assessment technology used by the University of Cambridge to operate the STEM SMART programme, which offers free, complementary teaching and support to UK non-fee paying school pupils who have experienced educational disadvantage or belong to a group that is statistically less likely to progress to higher education.

Completed research activities

  • The Device Analyzer project collected statistical usage data from over 30,000 Android mobile devices across the world, pre-processing data on the mobile device to remove direct personal identifiers and reduce the privacy risk of sharing the data with the university. If our study participants agreed, we shared a subset of the data with over 200 partner research labs.
  • The Trve Data project developed better security fundamentals to support collaborative applications such as Google Docs, Evernote and Trello. Our approach did not require users to trust service providers with the contents of their shared documents, todo lists, calendar appointments or notes but offered the same easy-to-use paradigm.
  • Computing for the Future of the Planet explored how computers can help solve some of the world's most pressing problems arising from climate change and the need to build sustainable systems.
  • The TIME-EACM project explored how sensor networks and distributed systems can be used to improve traffic and transport in the 21st century.
  • The Cambridge Mobile Urban Sensing Project measured and monitored air quality, particularly urban pollution generated by motor vehicles.

I have published some of my research work in various conferences, journals and books. A complete list of my publications is available in my curriculum vitae.