Sebastian Roth



I am a PhD student at Saarland University, working as a PhD Candidate at the CISPA Helmholtz Center for Information Security. My research interest is focused on client-side Web security as well as usable security for developers. In addition to that I have taught other students as a tutor and teaching assistant in several different lectures.
During leisure time, I regularly organize and participate in information security competitions called Capture the Flag (CTF) together with our team saarsec (saarsec|steg1) located at Saarland University. Moreover, I am also interested in sports, in particular Jugger. Currently I am playing for our university team Keulen Eulen.

Educational Curriculum Vitae

PhD Student @ CISPA / Saarland University

Thesis: <Work In Progress>
Supervised by: Dr.-Ing. Ben Stock
March 2019 - today

Master Computer Science @ Saarland University

Thesis: "Content Security Policy – A Shapeshifter’s Tale"
Supervised by: Dr.-Ing. Ben Stock
March 2017 – March 2019

Bachelor Cybersecurity @ Saarland University

Thesis: "A Platform to Recruit GitHub Users for Developer Studies"
Supervised by: Prof. Dr. Sascha Fahl
October 2013 – March 2017

High School

Intensive Courses: Computer Science, Electrical Engineering, English
Balthasar Neumann Technical College Trier
August 2010 – June 2013

Secondary School

Erich Kästner Realschule Hermeskeil
August 2004 – June 2010

Working Curriculum Vitae

Researcher @ CISPA Helmholtz Center for Information Security

Supervised by: Dr.-Ing. Ben Stock
March 2019 – today

Internship @ Hardenize Limited

Supervised by: Ivan Ristić
July 2021 – October 2021

Research Assistant @ CISPA Helmholtz Center for Information Security

Supervised by: Dr.-Ing. Ben Stock (Dec. 2017 – Mar. 2019)
Supervised by: Prof. Dr. Sascha Fahl (Oct. 2015 – Dec. 2017)
October 2015 – March 2019

Scientific Publications

The Security Lottery: Measuring Client-Side Web Security Inconsistencies

Sebastian Roth, Stefano Calzavara, Moritz Wilhelm, Alvise Rabitti, and Ben Stock
USENIX Security Symposium 2022 (USENIX '22)
TBD

To hash or not to hash: A security assessment of CSP's unsafe-hashes expression

Peter Stolz, Sebastian Roth, and Ben Stock
SecWeb Workshop co-located with IEEE S&P 2022 (SecWeb '22)
TBD

12 Angry Developers – A Qualitative Study on Developers’ Struggles with CSP

Sebastian Roth, Lea Gröber, Michael Backes, Katharina Krombholz, and Ben Stock
Conference on Computer and Communications Security (CCS '21)
[PDF]

A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web

Stefano Calzavara, Sebastian Roth, Alvise Rabitti, Michael Backes, and Ben Stock
USENIX Security Symposium (USENIX '20)
[PDF]

Assessing the Impact of Script Gadgets on CSP at Scale

Sebastian Roth, Michael Backes and Ben Stock
Asia Conference on Computer and Communications Security (AsiaCCS '20)
[PDF]

Complex Security Policy? – A Longitudinal Analysis of Deployed Content Security Policies

Sebastian Roth, Timothy Barron, Stefano Calzavara, Nick Nikiforakis, and Ben Stock
Network and Distributed System Security Symposium (NDSS '20)
[PDF]

ScriptProtect: Mitigating Unsafe Third-Party JavaScript Practices

Marius Musch, Marius Steffens, Sebastian Roth, Ben Stock, and Martin Johns
Asia Conference on Computer and Communications Security (AsiaCCS '19)
[PDF]

Talks

I wanna deploy you, but my senses tell me to stop! – CSP's past, present and future?

RuhrSec - IT Security Conference 2022 (RuhrSec '22)
TBD

A Tale of Two Headers: A Formal Analysis of Inconsistent Click-Jacking Protection on the Web

USENIX Security Symposium 2020 (USENIX '20)
[Slides] [Video]

Restricting The Scripts, You're To Blame, You Give CSP A Bad Name

RuhrSec - IT Security Conference 2020 (RuhrSec '20)
[Slides] [Video]

OWASP - Global AppSec 2019 (AppSec '19)
[Slides] [Video]

Complex Security Policy? – A Longitudinal Analysis of Deployed Content Security Policies

Network and Distributed System Security Symposium 2020 (NDSS '20)
[Slides] [Video]

Community Services

Program Committee

SecWeb Workshop co-located with IEEE S&P 2022 (SecWeb '22)
SecWeb Workshop co-located with IEEE Euro S&P 2021 (SecWeb '21)

Artifact Committee

Annual Computer Security Applications Conference 2020 (ACSAC '20)