Working With Me

I work at the intersection of computer security and public policy. My core group tackles problems where technical advances can reshape a policy debate, or where the policy environment demands new technical approaches. I expect my students to be cognizant of the “full stack” of a problem, ranging from technical details to the broader policy context. I also expect my students to communicate effectively with both technical and non-technical audiences.

Public Policy and Computer Science

This typically does not mean addressing a policy need by building a straightforward technical system—that is too close to engineering rather than research for my group.

Rather, the problems I’m interested in tend to fall into one of a few categories:

I also have some theme areas that I am particularly interested in:

Impact-Driven Research

A core feature of my research philosophy is that I want my research to have real-world impact. This means that I want my students to think about how their research can be used in practice, and to take steps to ensure that it does. This might include:

Automated Software Testing (Fuzzing) and Vulnerability Discovery

This is my secondary area of interest, and I am open to taking on students here.

Van Thuan Pham and Toby Murray at the University of Melbourne and I jointly run a research group addressing this topic.

Our theme has been “testing what is hard to test” — we have built a number of tools (EDEFuzz, TrailBlazer, and others) that are designed to test software systems that are difficult to test with traditional fuzzing techniques.

In the past, we have targeted IoT devices and web applications, but we are open to exploring other areas as well.

If you are interested in working with me on this topic, you should have a strong background in systems and programming, as well as some experience with web technologies (JavaScript, HTML, etc.). Advising on this topic is co-supervised with Thuan or Toby, and we advise as a group (e.g., meetings are scheduled with all of us, though more often than not one of us will not be present for a given meeting).

The co-advising arrangement allows us to take on more students, to benefit from our different perspectives, and also allows us to handle workloads and time zones. Each of us frequently travels or has outside commitments, so this arrangement allows us to be more flexible.

Other Research Areas

I occasionally take on students working in other areas of security/privacy research, particularly if they are tangentially related to my core interests. I have worked with students on topics including:

Methodologies

I am open to a broad variety of research methodologies, but my most significant personal expertise has been in reverse engineering, measurement, and human-subjects research. While I am not a lawyer, I also bring a legal perspective to my research, and have co-authored work with lawyers and law professors.

If you are my student, you should expect to bring to the table a mix of technical and non-technical skills, though depending on what stage you’re at, you will likely learn how to think about the “other side” of problems as you go (e.g., technical for my less technical students or non-technical for my more technically oriented students). You should also not expect that I will be able to help you with all aspects of your research—I hire students hoping that they will teach me something new as well!

My students have used a variety of research methodologies, including:

Which scientific community would you join?

Academia functions as a set of overlapping communities, where researchers who publish in and attend similar venues tend to know each other and work together. Becoming a known member of a community is critically important for your career as it will be a major factor in securing jobs, collaborations, service opportunities, and eventually maybe tenure. It is not uncommon for works on similar topics to be unknown to each other if they are published in venues that belong to different communities.

Each community also has its own culture, norms, and expectations. These often determine how a paper needs to be written to be accepted, what kind of contributions are valued, and how research is evaluated.

I am primarily a computer security researcher, and my students typically publish in top-tier security conferences (e.g., IEEE S&P, USENIX Security, ACM CCS, NDSS, PETS, Financial Cryptography). I am open to other venues as well, particularly if they are more policy-oriented (e.g., SOUPS, CHI, WWW, etc.). This constitutes a community unto itself, but as the field has grown large, there are now many, many sub-communities within it.

This means that the network of researchers you would join is primarily in the computer security community, but with strong ties to the broader computer science and public policy communities as well.

There is also a nascent community of researchers working on public policy issues, law, trust and safety, who have largely emerged from the security community, but are now starting to form their own identity. I expect this community to grow significantly in the coming years, and I would hope for my students to be at the forefront of this growth.

What career paths are viable after working with you?

I have prepared students for a variety of career paths, including:

Students earlier in their careers often have a hard time envisioning what they want to do after graduation. I encourage my students to think broadly about their career options, and to consider a variety of paths. I work with my students to build a portfolio that can be used to pursue a variety of career paths, but depending on your interests, some paths may be more viable than others and we will work to optimize for those.

Towards the end of your program, we will work together to identify specific career paths and opportunities that align with your interests and goals.

How PhD Funding Works

Research students are expensive. How expensive varies by country, but in Australia/the US you should expect costs of between 40k (Australia) and 100k (US) per year to fund a PhD student. This includes tuition, stipend, healthcare (US), and other costs. This is in addition to the cost of time for supervision (which is on the order of a few hundred hours a year).

What this means is that for a Professor to take on a PhD student, they have to see a clear path to funding that student and to see value in taking them on. Therefore, when you approach a potential supervisor, consider it in the way you would approach a potential employer. You are asking them to make a significant investment in you, and you need to demonstrate that you are worth that investment.

For a professor, ROI looks like a few things:

This does not mean that you will be valued only for your ROI, but it is a useful framing to think about during the application process.

What is the difference between joining a more junior vs. more senior faculty member’s lab?

Professors’ actions are shaped by incentives, just like anyone else’s. For more junior faculty, a significant portion of their career advancement is based on research output. Therefore, their stress levels are often tied to how well their students are doing. For more senior faculty, the incentives may be more varied, but research output is still a significant factor. Senior faculty often also have more “service” obligations (e.g., serving on university committees, running degree programs) that take up more of their time.

This means that more junior faculty are often more hands-on, more involved in the day-to-day work of their students, but may also apply greater pressure to individual students. Research is also more often genuinely collaborative, with the professor working closely with students on research projects.

More senior faculty may be more hands-off, but may have a broader range of interests and skills. They can at times be less involved in the day-to-day work of their students, may be harder to reach, and may have less time to devote to individual students. However, they may also have a broader network of contacts and collaborators that can be beneficial for students.

Are you a more junior or a more senior faculty member?

I am a mid-career faculty member. I have tenure, but I am more “junior” with respect to my time in the field. Simultaneously, I currently hold a major administrative role (Deputy Head of School) that takes up a significant portion of my time, meaning that I have less time for day-to-day supervision than a typical faculty member at my career stage.

What is your advising style?

Much to my chagrin, I find I function better with fewer pre-scheduled meetings but frequent ad hoc check-ins. Where I work with Toby and Thuan, this is facilitated by our arrangement: we have a regular meeting, supplemented by ad hoc meetings as needed, with scheduling flexibility for all of us.

I am “very online” and typically respond to emails and messages within a few hours or a day or two at most. I am also happy to meet outside of scheduled meetings, and encourage my students to reach out as needed.

I am also a more “managerial” advisor, meaning that I expect my students to be responsible for acquiring the skills they need to do their own research, even where those have not been explicitly taught. That said, I also enjoy getting down in the weeds sometimes, both with writing and technical details. I quite enjoy systems administration and debugging, so you might find me helping you with that sort of thing.

I expect my students to come to meetings prepared, with a short agenda including what they worked on since the last meeting, why it is important to their overall PhD, what current challenges they are facing, and what they plan to work on next. I also expect my students to be proactive in seeking help when they need it, and to be honest about their progress and challenges.

I believe in work-life balance, but generally expect my students to be reachable given the nature of research—some aspects of research are inherently unpredictable and may require bursts of work at less convenient times. I do not expect my students to be working 24/7, but I do expect them to be responsive and engaged.

What traits do you look for in a student?

I look for students with:

How do I join your lab?

First, read all of the above and make sure that our interests align. If you email me because you wish to join my institution, but our interests are not aligned and you have not read the above, I will likely not respond to your inquiry.

Otherwise, email me with a brief description of your background, your research interests, and why you think you would be a good fit for my lab. Include the word banana. This should include an explicit reference to my past work, with arguments outlining how your interests match. Noting that you enjoyed prior work and referencing it by title would not be sufficient to demonstrate that you have read my work or understand it.

If you have a CV or resume, include that as well.

Using AI to help draft your email

I am generally a proponent of using AI tools to help with writing and learning. However, in this case, I expect you to draft your own email. This is partially a warning, as I receive a number of emails that are clearly AI-generated, and I do not respond to those—this includes those that have been translated from another language. Writing your own email helps me understand your communication skills, and typically comes across better.

Undergraduate Research Resources

If you’re interested in undergraduate research, the following resources may help:

Should I do a JD/PhD?

Jonathan Mayer drafted some advice that I contributed to on this topic, which you can find here. This is where I would start in answering this question.

I personally obtained a Master in Law during my PhD, which contributed a significant amount to my research. I did also apply to JD programs during my PhD, but ultimately decided against it. I have also advised a student who did a JD prior to their PhD, where their legal background significantly contributed to their research. That said, a JD is a significant investment in time and money, and you should carefully consider whether it is the right path for you.

Other Advice Pages I Recommend