I am the Firefox Security Infrastructure Engineering Manager at Mozilla with over a decade of
experience in Secure Systems Development. My work ranges from
designing secure systems with fail safe defaults to fighting cross site
scripting as well as preventing man-in-the-middle attacks.
I received my PhD in Computer Science from the University of California, Irvine where I based my research on information flow tracking techniques within web browsers.
Prior to being a graduate research scholar, I received a M.Sc. and B.Sc. in Computer Science from the Technical University Graz, Austria.
⇧ Publications
Peer Reviewed
HTTPS-Only: Upgrading all connections to https in Web Browsers;
Christoph Kerschbaumer, Julian Gaibler, Arthur Edelstein, Thyla van der Merwe; MadWeb - Measurements, Attacks, and Defenses for the Web; San Diego, California, February 2021
[Download PDF]
(Best Paper Award)
Hardening Firefox against Injection Attacks; Christoph Kerschbaumer, Tom Ritter, Frederik Braun; SecWeb - Designing Security for the Web; Genova, Italy, September 2020 [Download PDF]
Extending the Same Origin Policy with Origin Attributes; Tanvi Vyas, Andrea Marchesini, Christoph Kerschbaumer; International Conference on Information Systems Security and Privacy; Porto, Portugal, February 2017
Enforcing Content Security by Default within Web Browsers; Christoph Kerschbaumer; International Conference on Cybersecurity Development; Boston, Massachusetts, November 2016
Injecting CSP for Fun and Security; Christoph Kerschbaumer, Sid Stamm, Stefan Brunthaler; International Conference on Information Systems Security and Privacy; Rome, Italy, February 2016 (Best Paper Award)
Information Flow Tracking meets Just-In-Time Compilation; Christoph Kerschbaumer, Eric Hennigan, Per Larsen, Stefan Brunthaler, Michael Franz; ACM Transactions on Architecture and Code Optimization, Volume 10, Issue 4, December 2013. Invited to present at the International Conference on High-Performance and Embedded Architectures and Compilers; Vienna, Austria; January 2014
CrowdFlow: Efficient Information Flow Security; Christoph Kerschbaumer, Eric Hennigan, Per Larsen, Stefan Brunthaler, Michael Franz; Information Security Conference; Dallas, Texas; November 2013
Towards Precise and Efficient Information Flow Control in Web Browsers; Christoph Kerschbaumer, Eric Hennigan, Per Larsen, Stefan Brunthaler, Michael Franz; International Conference on Trust & Trustworthy Computing; London, United Kingdom; June 2013
First-Class Labels: Using Information Flow to Debug Security Holes; Eric Hennigan, Christoph Kerschbaumer, Per Larsen, Stefan Brunthaler, Michael Franz; International Conference on Trust & Trustworthy Computing; London, United Kingdom; June 2013
SlimVM: A Small Footprint Java Virtual Machine for Connected Embedded Systems; Christoph Kerschbaumer, Gregor Wagner, Christian Wimmer, Andreas Gal, Christian Steger, Michael Franz; Conference on the Principles and Practice of Programming in Java; Calgary, Alberta, Canada; August 2009
Hardening Firefox against Injection Attacks; Christoph Kerschbaumer, Tom Ritter, Frederik Braun; SecWeb - Designing Security for the Web; Genova, Italy, September 2020 [Download PDF]
Extending the Same Origin Policy with Origin Attributes; Tanvi Vyas, Andrea Marchesini, Christoph Kerschbaumer; International Conference on Information Systems Security and Privacy; Porto, Portugal, February 2017
Enforcing Content Security by Default within Web Browsers; Christoph Kerschbaumer; International Conference on Cybersecurity Development; Boston, Massachusetts, November 2016
Injecting CSP for Fun and Security; Christoph Kerschbaumer, Sid Stamm, Stefan Brunthaler; International Conference on Information Systems Security and Privacy; Rome, Italy, February 2016 (Best Paper Award)
Information Flow Tracking meets Just-In-Time Compilation; Christoph Kerschbaumer, Eric Hennigan, Per Larsen, Stefan Brunthaler, Michael Franz; ACM Transactions on Architecture and Code Optimization, Volume 10, Issue 4, December 2013. Invited to present at the International Conference on High-Performance and Embedded Architectures and Compilers; Vienna, Austria; January 2014
CrowdFlow: Efficient Information Flow Security; Christoph Kerschbaumer, Eric Hennigan, Per Larsen, Stefan Brunthaler, Michael Franz; Information Security Conference; Dallas, Texas; November 2013
Towards Precise and Efficient Information Flow Control in Web Browsers; Christoph Kerschbaumer, Eric Hennigan, Per Larsen, Stefan Brunthaler, Michael Franz; International Conference on Trust & Trustworthy Computing; London, United Kingdom; June 2013
First-Class Labels: Using Information Flow to Debug Security Holes; Eric Hennigan, Christoph Kerschbaumer, Per Larsen, Stefan Brunthaler, Michael Franz; International Conference on Trust & Trustworthy Computing; London, United Kingdom; June 2013
SlimVM: A Small Footprint Java Virtual Machine for Connected Embedded Systems; Christoph Kerschbaumer, Gregor Wagner, Christian Wimmer, Andreas Gal, Christian Steger, Michael Franz; Conference on the Principles and Practice of Programming in Java; Calgary, Alberta, Canada; August 2009
Magazines
Can we build a Privacy-Preserving Web Browser we all deserve?;
Christoph Kerschbaumer, Luke Crouch, Tom Ritter, Tanvi Vyas; ACM
XRDS Magazine, Summer 2018, Volume 24, No. 4
⇧ Theses
Probabilistic Information Flow Control in Modern Web Browsers;
PhD Thesis, Secure Systems and Software Laboratory, Donald Bren
School of Information & Computer Sciences, University of
Califorina, Irvine, 2014 (Advisor: Prof. Michael Franz)
SlimVM: A Small Footprint Java Virtual Machine for Connected Embedded Systems; Masters Thesis, Institute for Technical Informatics, Technical University Graz, Austria, 2009
SlimVM: A Small Footprint Java Virtual Machine for Connected Embedded Systems; Masters Thesis, Institute for Technical Informatics, Technical University Graz, Austria, 2009
⇧ Invited Talks, Workshops, Seminars
Hardening the Content Security Landscape of Firefox;
Keynote @ German OWASP Day; Karlsruhe, Germany; December 2019
Hardening the Content Security Landscape of Firefox; Mozilla Security Research Summit; Vienna, Austria; November 2019
Preventing Data Exfiltration in the Browser; Mozilla Security Research Summit; San Francisco, California; May 2019
Preventing Data Exfiltration Attempts in the Browser; Mozilla Security Research Summit; London, United Kingdom; November 2018
Enforcing Content Security by Default in Firefox; INRIA; Sophia Antipolis, France; October 2018
Could we use Information Flow Tracking to generate more sophisticated blacklists?; Web Application Security Seminar, Schloss Dagstuhl; Germany; August 2018
Enforcing Security in Firefox; SBA Research; Vienna, Austria; May 2017
Are We Secure Yet? Adversarial thinking to build Secure Systems; Linux Days Graz; Graz, Austria; April 2017
Probabilistic Information Flow Control in Modern Web Browsers; Microsoft Research; Redmond, Washington; January 2015
Information Flow Control in Modern Web Browsers; University of Stanford; California; December 2014
Information Flow in Web Browsers; The SoCal Programing Languages and Systems Workshop; University of California, Santa Barbara, May 2013
Information Flow in Web Browsers; The SoCal Programing Languages and Systems Workshop; University of California, San Diego, December 2011
Bytecode-Based Security for JavaScript; International Conference on Architectural Support for Programming Languages and Operating Systems; Newport Beach, California, March 2011
Bytecode-Based Security for JavaScript; The SoCal Programing Languages and Systems Workshop; University of California, Los Angeles, December 2010
Hardening the Content Security Landscape of Firefox; Mozilla Security Research Summit; Vienna, Austria; November 2019
Preventing Data Exfiltration in the Browser; Mozilla Security Research Summit; San Francisco, California; May 2019
Preventing Data Exfiltration Attempts in the Browser; Mozilla Security Research Summit; London, United Kingdom; November 2018
Enforcing Content Security by Default in Firefox; INRIA; Sophia Antipolis, France; October 2018
Could we use Information Flow Tracking to generate more sophisticated blacklists?; Web Application Security Seminar, Schloss Dagstuhl; Germany; August 2018
Enforcing Security in Firefox; SBA Research; Vienna, Austria; May 2017
Are We Secure Yet? Adversarial thinking to build Secure Systems; Linux Days Graz; Graz, Austria; April 2017
Probabilistic Information Flow Control in Modern Web Browsers; Microsoft Research; Redmond, Washington; January 2015
Information Flow Control in Modern Web Browsers; University of Stanford; California; December 2014
Information Flow in Web Browsers; The SoCal Programing Languages and Systems Workshop; University of California, Santa Barbara, May 2013
Information Flow in Web Browsers; The SoCal Programing Languages and Systems Workshop; University of California, San Diego, December 2011
Bytecode-Based Security for JavaScript; International Conference on Architectural Support for Programming Languages and Operating Systems; Newport Beach, California, March 2011
Bytecode-Based Security for JavaScript; The SoCal Programing Languages and Systems Workshop; University of California, Los Angeles, December 2010
⇧ Blogposts, Press and Media
- Firefox 87 trims HTTP Referrers by default to protect user privacy
- Insights into HTTPS-Only Mode
- Effectively Fuzzing the IPC Layer in Firefox
- Firefox 83 introduces HTTPS-Only Mode
- Understanding Web Security Checks in Firefox (Part 2)
- Hardening Firefox against Injection Attacks – The Technical Details
- Understanding Web Security Checks in Firefox (Part 1)
- Firefox 75 will respect ‘nosniff’ for Page Loads
- Hardening Firefox against Injection Attacks
- Supporting Referrer Policy for CSS in Firefox 64
- Blocking FTP subresource loads within non-FTP documents in Firefox 61
- Supporting Same-Site Cookies in Firefox 60
- Blocking Top-Level Navigations to data URLs for Firefox 58
- Treating data URLs as unique origins for Firefox 57
- Enforcing Content Security By Default within Firefox
- Mitigating MIME Confusion Attacks in Firefox
- A Faster Content Security Policy (CSP)
⇧ Professional
- Manager of the Firefox Security Infrastracture Team (Mozilla), since 2020
- Content Security Tech Lead (Mozilla), since 2017
- Security and Privacy Engineer (Mozilla), since 2013
- Graduate Program Firefox OS (Mozilla), 2012
- Graduate Research Program (Qualcomm), 2011
- Graduate Research Assistant (UC Irvine), 2010
- Software Engineer (Bravestone), 2009
- Software Engineer (TU Graz), 2005
⇧ Teaching
Guest Lecture (video) in the class of Language-Based Security at Chalmers University of Technology, Gothenburg, Sweden, March 2021
Guest Lecture (video) in the class of Language-Based Security at Chalmers University of Technology, Gothenburg, Sweden, May 2020
Guest Lecture in the class of Applied Programming at my former High School Commercial & Digitial Business Academy, Liezen, Austria, February 2020
Introduction to Computer Science II, Teaching Assistant, Donald Bren School of Information & Computer Sciences, University of California, Irvine, Winter 2012
Compilers and Interpreters, Teaching Assistant/Reader, Donald Bren School of Information & Computer Sciences, University of California, Irvine, Fall 2011
Compilers and Interpreters, Teaching Assistant/Reader, Donald Bren School of Information & Computer Sciences, University of California, Irvine, Spring 2011
Guest Lecture (video) in the class of Language-Based Security at Chalmers University of Technology, Gothenburg, Sweden, May 2020
Guest Lecture in the class of Applied Programming at my former High School Commercial & Digitial Business Academy, Liezen, Austria, February 2020
Introduction to Computer Science II, Teaching Assistant, Donald Bren School of Information & Computer Sciences, University of California, Irvine, Winter 2012
Compilers and Interpreters, Teaching Assistant/Reader, Donald Bren School of Information & Computer Sciences, University of California, Irvine, Fall 2011
Compilers and Interpreters, Teaching Assistant/Reader, Donald Bren School of Information & Computer Sciences, University of California, Irvine, Spring 2011
⇧ Awards and Honors
Best Paper Award:
MadWeb - Measurements, Attacks, and Defenses for the Web, 2021
Best Paper Award: International Conference on Information Systems Security and Privacy, 2016
Roberto Padovani Scholarship Award, Qualcomm, Inc. ($5.000), 2011
Graduate Student Fellowship, Donald Bren School of Information and Computer Science ($90,000+), 2010
Fellowship for Excellent Students Abroad, Rudolf Chaudoire Foundation ($5,000), 2008
Scholarship for Short Time Academic Research and Expert Courses Abroad, TU Graz ($1,000), 2008
Fellowship for Excellent Students, Julius Raab Foundation ($5,000), 2003
Study Grant, Austrian Federal Ministry of Education, Science and Research($50,000+), 2002-2009
Best Paper Award: International Conference on Information Systems Security and Privacy, 2016
Roberto Padovani Scholarship Award, Qualcomm, Inc. ($5.000), 2011
Graduate Student Fellowship, Donald Bren School of Information and Computer Science ($90,000+), 2010
Fellowship for Excellent Students Abroad, Rudolf Chaudoire Foundation ($5,000), 2008
Scholarship for Short Time Academic Research and Expert Courses Abroad, TU Graz ($1,000), 2008
Fellowship for Excellent Students, Julius Raab Foundation ($5,000), 2003
Study Grant, Austrian Federal Ministry of Education, Science and Research($50,000+), 2002-2009
⇧ Program Committees
SecWeb, Designing Security for the Web, 2020
Information Systems Security and Privacy 2021, 2020, 2019, 2018
Information Systems Security and Privacy 2021, 2020, 2019, 2018
⇧ Affiliations
⇧ Contact
contact (at) firstname lastname (dot) com