Homepage of Erik Poll I am associate professor in the Digital Security (DiS) research group of ICIS (Institute for Computing and Information Science) at the Faculty of Science of Radboud University in Nijmegen. Address and contact information

(photo by Sjoerd van der Hucht)

Research

• My papers, and also reachable via Google scholar and the Radboud university repository
• Slides of some of my talks and pointers to media attention.

My core research interest is software security: most cybersecurity problems originate in software and my research aims to address some of the root causes of these problems through the use of formal methods and, more generally, rigorous and systematic approaches in software engineering, such as formal specification and verification, type systems, model-based testing, protocol state fuzzing to analyse protocol and the LangSec approach to secure input handling.

Case studies in the use of formal methods for improve security include analysis of EMV and state machine inference (aka active learning) for various security protocols, incl. EMV bank cards, TLS, SSH and internet banking.

Earlier I worked on program specification and verification, in particular for Java and Java Card using the specification language JML. Research into Java Card in our group resulted in some smartcard software and RFID tools.

In more applied security research I have investigated security and privacy issues across many applications domains, such as smartcards, RFID tags, TEEs, e-passports, payment cards, internet banking, smart grids (incl. smart meters and charging of electric cars) and automotive systems.

Some outliers, topic-wise: with Tommy Koens I wrote a couple of papers analysing the (usually flawed) reasons for thinking that blockchain might be a sensible solution and my former PhD student Alex Serban looked at adversarial attacks.

My current PhD students are Seyed Benham Andarzian, Cristian Daniele, Job Doesburg and Patrick Lodeweegs.

Teaching

• Web Security (IPC026)
• Software Security (ISOFSE) - for this course I wrote lecture notes on Language-Based Security and Secure Input Handling and made some demo webpages to ilustrate to complexity of encoding (or sanitising) data in web applications.
• Security Protocol Project (IMC066), formerly part of Hardware Security (NWI-IMC001)
• Research internship (IMC047)
• Hacking in C (IPC025)

Master courses I teach are part of the Cyber Security specialisation in our Computing Science Master

Other teaching-related stuff:

• Join our local CTF student team, follow them on Discord or take part in the next edition HackNijmegen aka NYMACON
• Topics for research internships and thesis projects. Before handing in any draft versions of a thesis or internship report, check my writing checklist
• Onderwijsmateriaal over cybersecurity voor middelbare scholen (in Dutch)
• Introductory exercises using Uppaal: model checking for dummies
• Exercises using JML and ESC/Java2
• Security Course at Federal University of Rio de Janeiro (UFRJ), 2014
• Introduction to theorem proving with PVS for IPA, 2008

Organisations and projects

• I am confidential contact person for PhD students in the Software Science and Data Science groups of ICIS.
• NOLAI, Nationaal Onderwijslab AI
• ACCSS, the Dutch ACademic Cyber Security Society, for which we operate the ACCSS mailing list and where we started an ACCSS Working Group on Software Security.
• INTERSECT (Internet of Secure Things), funded by NWO as part of the NWA programme. For this project we collect information about IoT devices we investigated
• Secure Software Development (SSD) group of CIP-overheid
• Challenge the Cyber, the foundation that organises the national Dutch CTF as qualifier for the annual European Cyber Security Challenge
• OWASP Netherlands, the Dutch chapter of OWASP (Open Web Application Security Project)
• I'm co-author of Dutch National Cyber Security Research Agenda (NSCRA III)
• Thema center Security of Next Generation Infrastructure

Conferences, workshops and other events

• Workshop on Analysis of Network Protocols, Sept 2024
• Second Dutch AFFECT.NL workshop on Automated Finding, Fixing or Exploiting of seCuriTy vulnerabilities, June 2024
• LangSec 2025 will be held at IEEE Security & Privacy in San Francisco in May 2025
• Fuse5G, the Forum for Uniting Security Experts in 5G, at TNO in Utrecht, January 2024
• INTERSCT conference on Cyber Security of Internet-of-Things, Eindhoven, 2024
• I used to co-organise the FTfJP (Formal Techniques for Java-like Programs) workshop, until 2015. The workshop is still going strong, but I'm no longer involved.

Some older projects

• iCAVE (Integrated cooperative automated vehicles), 2017-2020, Perspectief project funded by NWO TTW
• Charge & Go, 2017-2020, funded by EFRO
• Betuwse Energie Samenwerking, 2017-2020, funded by EFRO
• C-DAX (Cyber-secure Data and Control Cloud for Power Grids), 2013-1016, funded by EU FP7
• DASDIP, 2010-2014, funded by NWO
• CHARTER, 2009-2012, funded by EU Artemis
• ESF COST Network 'Formal Verification of Object-Oriented Software', 2008-2012
• SOJOURN, Marie Curie fellowship for Aleksy Schubert
• ROBIN, 2006-2008, funded by EU Preparatory Action for Security Research
• MOBIUS, 2005-2009, funded by EU FP6
• PINPAS JC, 2005-2008, funded by STW
• SAMASC, 2002-2006, funded by NWO
• CardSpec, 2001-2004, funded by NWO
• VerifiCard, 2000-2003, funded by EU FP5