Hi there,

Welcome to my research page. I am Cristian, a tenure-track faculty at CISPA – Helmholtz Center for Information Security in Saarbrücken, Germany. I completed my PhD in the Software Lab group at TU Darmstadt, Germany under the supervision of Michael Pradel. Prior to that, I obtained my Master's from EIT Digital, a European double degree Master's program. Concretely, I studied one year at the University of Twente, Netherlands and one year at University of Trento, Italy. I obtained my Bachelor's degree in Computer Engineering from Politehnica University of Timișoara, Romania. You can check my complete CV here.

My core research interest is in system security, at the intersection of software/web security, software engineering and programming languages. One of the central goals of my research group is to directly contribute to the open-source ecosystem: either by building tools that can be used by practitioners or by uncovering security vulnerabilities in real systems/projects. Below are the most important themes of my research:

  1. Server-side JavaScript security: in USESEC2019 we analyze in detail the threats in the npm ecosystem, in NDSS2018 we study injection vulnerabilities in the ecosystem and propose a way to defend against them, in USESEC2018 we show that vulnerabilities in npm libraries affect real websites, and in ICSE2020 we propose automatically extracting taint specifications for npm packages.
  2. Client-side (web) security: in USESEC2019 we show how authenticated cross-origin image requests enable targeted tracking, and in TheWebConf2019 we study the prevalence of minified and obfuscated JavaScript code on the web and discuss.
  3. Lightweight program analysis for vulnerability detection: in PLAS@CCS 2019 we study the impact of considering implicit flows in information flow analysis for vulnerability detection, in NDSS2018 we use intra-procedural data flow analysis for detecting injection vulnerabilities in npm packages, in ICSE2020 we employ taint analysis for specification extraction, and in CSUR2017 we survey the main challenges for JavaScript dynamic program analysis.
  4. Novel software engineering use cases for existing unit tests: in ASE 2017 we propose using constants in existing unit tests for boosting the performance of automatic test generation, and in ICSE2020 we advocate using existing unit tests for extracting taint specifications.
  5. Applied machine learning: in TheWebConf2019 we use unsupervised machine learning for automatic source code classification, and in ASE 2017 we use more lightweight, statistical techniques for augmenting state-of-the-art automatic test generation.

Below are some worth-mentioning vulnerabilities I found during my research:
  1. vm2 issue 285, CVE-2021-21413 - sandbox breakout vulnerabilities.
  2. HackerOne report 329957 - a privacy vulnerability in Twitter that allows targeted user-tracking through cross-origin image requests.
  3. CVE-2017-16042 - a command injection vulnerability in growl, an npm package.
  4. CVE-2017-16119 - a ReDoS vulnerability in fresh, an npm package that ships with the express framework.
  5. CVE-2017-15010 - a ReDoS vulnerability in tough-cookie, a popular npm package.
  6. Several vulnerabilities in npm packages, identified during an internship at Semmle, now GitHub UK.
  7. node-sqlite issue 1450 - hard crash of the Node.js process.