Dr. Christoph Kerschbaumer has over two decades of experience in software engineering and computer security.
His work ranges from designing secure systems with fail-safe defaults to fighting cross-site scripting to preventing man-in-the-middle attacks.
Currently he is managing the Firefox Security Engineering team at Mozilla and is mentoring software engineers around the world to reach their full potential.
He received his PhD in Computer Science from the University of California, Irvine, where he focused his research on information flow tracking techniques within web browsers.
Prior to being a graduate research scholar, he received an M.Sc. and B.Sc. in Computer Science from the Technical University Graz, Austria.
⇧ Books
Beyond the Code - Setting You up for Success as a Software Engineer; 234 pages; ISBN: 979-8875904974; Published February 2024; Available as paperback, hardcover and eBook.
For detailed information about the book visit:
➜ https://bytc.info
⇧ Publications
Peer Reviewed
SoK: All or Nothing - A Postmortem of Solutions to the Third-Party Script Inclusion Permission Model and a Path Forward; Steven Sprecher, Christoph Kerschbaumer, Engin Kirda; European Symposium on Security and Privacy; Genoa, Italy, June 2022
➜ Download PDF
HTTPS-Only: Upgrading all connections to https in Web Browsers; Christoph Kerschbaumer, Julian Gaibler, Arthur Edelstein, Thyla van der Merwe; MadWeb - Measurements, Attacks, and Defenses for the Web; San Diego, California, February 2021 (Best Paper Award)
➜ Download PDF
Hardening Firefox against Injection Attacks; Christoph Kerschbaumer, Tom Ritter, Frederik Braun; SecWeb - Designing Security for the Web; Genova, Italy, September 2020
➜ Download PDF
Extending the Same Origin Policy with Origin Attributes; Tanvi Vyas, Andrea Marchesini, Christoph Kerschbaumer; International Conference on Information Systems Security and Privacy; Porto, Portugal, February 2017
➜ Download PDF
Enforcing Content Security by Default within Web Browsers; Christoph Kerschbaumer; International Conference on Cybersecurity Development; Boston, Massachusetts, November 2016
➜ Download PDF
Injecting CSP for Fun and Security; Christoph Kerschbaumer, Sid Stamm, Stefan Brunthaler; International Conference on Information Systems Security and Privacy; Rome, Italy, February 2016 (Best Paper Award)
➜ Download PDF
Information Flow Tracking meets Just-In-Time Compilation; Christoph Kerschbaumer, Eric Hennigan, Per Larsen, Stefan Brunthaler, Michael Franz; ACM Transactions on Architecture and Code Optimization, Volume 10, Issue 4, December 2013. Invited to present at the International Conference on High-Performance and Embedded Architectures and Compilers; Vienna, Austria; January 2014
➜ Download PDF
CrowdFlow: Efficient Information Flow Security; Christoph Kerschbaumer, Eric Hennigan, Per Larsen, Stefan Brunthaler, Michael Franz; Information Security Conference; Dallas, Texas; November 2013
➜ Download PDF
Towards Precise and Efficient Information Flow Control in Web Browsers; Christoph Kerschbaumer, Eric Hennigan, Per Larsen, Stefan Brunthaler, Michael Franz; International Conference on Trust & Trustworthy Computing; London, United Kingdom; June 2013
➜ Download PDF
First-Class Labels: Using Information Flow to Debug Security Holes; Eric Hennigan, Christoph Kerschbaumer, Per Larsen, Stefan Brunthaler, Michael Franz; International Conference on Trust & Trustworthy Computing; London, United Kingdom; June 2013
➜ Download PDF
SlimVM: A Small Footprint Java Virtual Machine for Connected Embedded Systems; Christoph Kerschbaumer, Gregor Wagner, Christian Wimmer, Andreas Gal, Christian Steger, Michael Franz; Conference on the Principles and Practice of Programming in Java; Calgary, Alberta, Canada; August 2009
➜ Download PDF
Magazines
Can we build a Privacy-Preserving Web Browser we all deserve?; Christoph Kerschbaumer, Luke Crouch, Tom Ritter, Tanvi Vyas; ACM XRDS Magazine, Summer 2018, Volume 24, No. 4
⇧ Invited Talks, Workshops, Seminars
Towards a Secure and Privacy-Respecting Web; Rose-Hulman Institute of Technology; Terre Haute, Indiana; April 2024
Towards a Secure and Privacy-Respecting Web; Indiana University; Bloomington, Indiana; April 2024
Towards a Secure and Privacy-Respecting Web; Northeastern University; Boston, Massachusetts; April 2024
Hardening the Firefox Web Browser; NII Shonan Meeting on Web Application Security; Tokyo, Japan; March 2024
The Road to a secure Web; Keynote @ SecWeb - Designing Security for the Web; Virtual Event; September 2021
Hardening the Content Security Landscape of Firefox; Keynote @ German OWASP Day; Karlsruhe, Germany; December 2019
Hardening the Content Security Landscape of Firefox; Mozilla Security Research Summit; Vienna, Austria; November 2019
Preventing Data Exfiltration in the Browser; Mozilla Security Research Summit; San Francisco, California; May 2019
Preventing Data Exfiltration Attempts in the Browser; Mozilla Security Research Summit; London, United Kingdom; November 2018
Enforcing Content Security by Default in Firefox; INRIA; Sophia Antipolis, France; October 2018
Could we use Information Flow Tracking to generate more sophisticated blacklists?; Web Application Security Seminar, Schloss Dagstuhl; Germany; August 2018
Enforcing Security in Firefox; SBA Research; Vienna, Austria; May 2017
Are We Secure Yet? Adversarial thinking to build Secure Systems; Linux Days Graz; Graz, Austria; April 2017
Probabilistic Information Flow Control in Modern Web Browsers; Microsoft Research; Redmond, Washington; January 2015
Information Flow Control in Modern Web Browsers; University of Stanford; California; December 2014
Information Flow in Web Browsers; The SoCal Programming Languages and Systems Workshop; University of California, Santa Barbara, May 2013
Information Flow in Web Browsers; The SoCal Programming Languages and Systems Workshop; University of California, San Diego, December 2011
Bytecode-Based Security for JavaScript; International Conference on Architectural Support for Programming Languages and Operating Systems; Newport Beach, California, March 2011
Bytecode-Based Security for JavaScript; The SoCal Programming Languages and Systems Workshop; University of California, Los Angeles, December 2010
⇧ Blogposts, Press and Media
- Firefox will upgrade more Mixed Content in Version 127
- Firefox 93 protects against Insecure Downloads
- Firefox 91 introduces HTTPS by Default in Private Browsing
- Stopping FTP support in Firefox 90
- Firefox 90 supports Fetch Metadata Request Headers
- Firefox 87 trims HTTP Referrers by default to protect user privacy
- Insights into HTTPS-Only Mode
- Effectively Fuzzing the IPC Layer in Firefox
- Firefox 83 introduces HTTPS-Only Mode
- Understanding Web Security Checks in Firefox (Part 2)
- Hardening Firefox against Injection Attacks – The Technical Details
- Understanding Web Security Checks in Firefox (Part 1)
- Firefox 75 will respect ‘nosniff’ for Page Loads
- Hardening Firefox against Injection Attacks
- Supporting Referrer Policy for CSS in Firefox 64
- Blocking FTP subresource loads within non-FTP documents in Firefox 61
- Supporting Same-Site Cookies in Firefox 60
- Blocking Top-Level Navigations to data URLs for Firefox 58
- Treating data URLs as unique origins for Firefox 57
- Enforcing Content Security By Default within Firefox
- Mitigating MIME Confusion Attacks in Firefox
- Inspecting Security and Privacy Settings of a Website
- A Faster Content Security Policy (CSP)
⇧ Professional
- Manager, Firefox Security & (interim) Privacy Engineering (Mozilla), since 2022
- Manager, Firefox Security Engineering (Mozilla), since 2021
- Manager, Firefox Security Infrastructure Engineering (Mozilla), since 2020
- Content Security Tech Lead (Mozilla), since 2017
- Security and Privacy Engineer (Mozilla), since 2013
- Graduate Program Firefox OS (Mozilla), 2012
- Graduate Research Program (Qualcomm), 2011
- Graduate Research Assistant (UC Irvine), 2010
- Software Engineer (Bravestone), 2009
- Software Engineer (TU Graz), 2005
- Web Developer (Freelance), 2000
⇧ Teaching
Invited Lecture (video) in the class Browser Security (Prof. Limin Jia) at Carnegie Mellon University, Pittsburgh, Pennsylvania, October 2024
Invited Lecture at Technical High School Leoben (class of Dr. Christian Schindler), Austria, March 2024
Invited Lecture (video) in the class Introduction to Software Security (Prof. Engin Kirda) at Northeastern University, Boston, Massachusetts, November 2023
Invited Lecture (video) in the class Foundations of Computer Security & Privacy: Breakthroughs and Research at Northeastern University, Boston, Massachusetts, March 2023
Invited Lecture (video) in the class Cybersecurity Seminar (Prof. Sid Stamm) at Rose-Hulman Institute of Technology, Terre Haute, Indiana, March 2023
Invited Lecture (video) in the class Cybersecurity Seminar (Prof. Sid Stamm) at Rose-Hulman Institute of Technology, Terre Haute, Indiana, October 2022
Invited Lecture (video) in the class Language-Based Security (Prof. Andrei Sabelfeld) at Chalmers University of Technology, Gothenburg, Sweden, March 2022
Invited Lecture (video) in the class Software Vulnerabilities and Security (Prof. Engin Kirda) at Northeastern University, Boston, Massachusetts, November 2021
Invited Lecture (video) in the class Language-Based Security (Prof. Andrei Sabelfeld) at Chalmers University of Technology, Gothenburg, Sweden, March 2021
Invited Lecture (video) in the class Language-Based Security (Prof. Andrei Sabelfeld) at Chalmers University of Technology, Gothenburg, Sweden, May 2020
Invited Lecture in the class Applied Programming at my former High School Commercial & Digital Business Academy, Liezen, Austria, February 2020
Introduction to Computer Science II, Teaching Assistant, Donald Bren School of Information & Computer Sciences, University of California, Irvine, Winter 2012
Compilers and Interpreters, Teaching Assistant/Reader, Donald Bren School of Information & Computer Sciences, University of California, Irvine, Fall 2011
Compilers and Interpreters, Teaching Assistant/Reader, Donald Bren School of Information & Computer Sciences, University of California, Irvine, Spring 2011
⇧ Theses
Probabilistic Information Flow Control in Modern Web Browsers; PhD Thesis, Secure Systems and Software Laboratory, Donald Bren School of Information & Computer Sciences, University of California, Irvine, 2014 (Advisor: Prof. Michael Franz)
SlimVM: A Small Footprint Java Virtual Machine for Connected Embedded Systems; Masters Thesis, Institute for Technical Informatics, Technical University Graz, Austria, 2009
⇧ Awards and Honors
Best Paper Award: MadWeb - Measurements, Attacks, and Defenses for the Web, 2021
Best Paper Award: International Conference on Information Systems Security and Privacy, 2016
Roberto Padovani Scholarship Award, Qualcomm, Inc. ($5.000), 2011
Graduate Student Fellowship, Donald Bren School of Information and Computer Science ($90,000+), 2010
Fellowship for Excellent Students Abroad, Rudolf Chaudoire Foundation ($5,000), 2008
Scholarship for Short Time Academic Research and Expert Courses Abroad, TU Graz ($1,000), 2008
Fellowship for Excellent Students, Julius Raab Foundation ($5,000), 2003
Study Grant, Austrian Federal Ministry of Education, Science and Research ($50,000+), 2002-2009
⇧ Affiliations
⇧ Contact
contact (at) firstname lastname (dot) com