Hi there

My name is Marco Squarcina, I'm a Senior Scientist in the Research Unit Security and Privacy at TU Wien. My research interests focus mainly on Web and mobile security, but I'm passionate about computer security and hacking in its broadest sense. I love teaching, and I strongly support the concept of learning by doing. I play and organise CTF competitions with w0y and mhackeroni with whom I competed 3 times at the finals of DEF CON CTF. I co-organized the Italian Cyber Challenge project, trained Team Europe for the International Cybersecurity Challenge (ICC 2022), and coordinated the largest Attack/Defense CTF in the history of the European Cybersecurity Challenge (ECSC 2022) by the European Union Agency for Cybersecurity (ENISA).

The best way to get in touch with me is by e-mail. Please use my PGP key if you need to send sensitive data. You can also reach me by phone at +43 (1) 58801-192607, or in my office at Favoritenstrasse 9-11, Stiege 2, 1. Stock, 1040 Wien.

Selected Publications

• Cookie Crumbles: Breaking and Fixing Web Session Integrity. USENIX Security. 2023 (to be presented).
  M. Squarcina, P. Adao, L. Veronese, M. Maffei.
• WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms. IEEE Symposium on Security and Privacy (S&P). 2023. preprint bibtex
  L. Veronese, B. Farinier, P. Bernardo, M. Tempesta, M. Squarcina, M. Maffei.
• The Bridge between Web Applications and Mobile Platforms is Still Broken. Workshops of the IEEE Symposium on Security and Privacy (SecWeb). 2022. pdf bibtex
  P. Beer, L. Veronese, M. Squarcina, M. Lindorfer.
• Can I Take Your Subdomain? Exploring Same-Site Attacks in the Modern Web. USENIX Security. 2021. pdf bibtex website
  M. Squarcina, M. Tempesta, L. Veronese, S. Calzavara, M. Maffei.
• The Remote on the Local: Exacerbating Web Attacks Via Service Workers Caches. 15th IEEE Workshop on Offensive Technologies (WOOT 21). 2021. pdf bibtex website
  M. Squarcina, S. Calzavara, M. Maffei.
• Postcards from the Post-HTTP World: Amplification of HTTPS Vulnerabilities in the Web Ecosystem. IEEE Symposium on Security and Privacy (S&P). 2019. pdf website
  S. Calzavara, R. Focardi, M. Nemec, A. Rabitti, M. Squarcina.
• WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring. USENIX Security. 2018. arXiv pdf slides
  S. Calzavara, R. Focardi, M. Maffei, C. Schneidewind, M. Squarcina, M. Tempesta.
• Mind Your Keys? A Security Evaluation of Java Keystores. Network and Distributed System Security Symposium (NDSS 2018). 2018. pdf slides video
  R. Focardi, F. Palmarini, G. Steel, M. Squarcina, M. Tempesta.
• Surviving the Web: A Journey into Web Session Security. ACM Computing Surveys (CSUR). 2017. Pre-print version: pdf
  S. Calzavara, R. Focardi, M. Squarcina, M. Tempesta.
• Run-time Attack Detection in Cryptographic APIs. 30th Computer Security Foundations Symposium (CSF 2017). 2017. pdf slides
  R. Focardi, M. Squarcina.
• Gran: model checking grsecurity RBAC policies. 25th Computer Security Foundations Symposium (CSF 2012). 2012. pdf
  M. Bugliesi, S. Calzavara, R. Focardi, M. Squarcina.

My scholar profile.

Recent Academic Service

• IEEE S&P 2024, IEEE Symposium on Security and Privacy. PC member
• ACSAC 2023, Annual Computer Security Applications Conference (ACSAC). PC member
• WOOT 2022-2023, IEEE Workshop on Offensive Technologies, co-located with IEEE S&P. PC member and Reproducibility chair (2023)
• SecWeb 20021-2023, Workshop on Web Security, co-located with IEEE S&P. PC member
• MADWeb 2023, Workshop on Measurements, Attacks, and Defenses for the Web, co-located with NDSS 2023. PC member
• EuroSec 2022-2023, European Workshop on System Security, co-located with EuroSys. PC member, Publicity Chair (2022)
• TheWebConf 2022, The Web Conference (formerly WWW conference). PC member
• USENIX Security 2022, AEC member
• STM 2021, Workshop on Security and Trust Management co-located with ESORICS 2021. PC member
• CSR DS4CS 2021, IEEE CSR Workshop on Data Science for Cyber Security. PC member
• Frontiers in Computer Science, Springer. Review Editor for Computer Security
• The Computer Journal, Oxford University Press. Reviewer
• Journal of Cybersecurity, Oxford University Press. Reviewer
• External reviewer for USENIX Security, IEEE S&P, NDSS, CCS.

Teaching

• 2020—now (WS): lecturer, Attacks and Defenses in Computer Security (UE) [192.111], TU Wien
• 2019—now (SS): lecturer, Introduction to Security (UE) [192.082], TU Wien
• 2019—now (SS): lecturer, Introduction to Security (VU) [184.783], TU Wien
• 2020/21 (WS): lecturer, Systems and Applications Security (VU) [192.112], TU Wien
• 2019 (WS): guest lecturer, Advanced Internet Security (VU) [192.091], TU Wien
• 2019 (WS): lecturer, Capture the Flag (SE) [192.092], TU Wien
• 2015/16, 2017/18: teaching assistant, Security 1 [CM0475], Security 2 [CM0494], Ca' Foscari University of Venice
• 2013/14, 2014/15: teaching assistant, Security of Computer Systems [CM0288], Ca' Foscari University of Venice

Selected Vulns

• Vulnerability in the third-party domain connection feature on Shopify, see the paper
• SAML2.0, Login CSRF on Google
• CVE-2018-2794, Oracle Java, CVSS 3.0 Base Score 7.7 (HIGH)
• CVE-2017-10356, Oracle Java, CVSS 3.0 Base Score 6.2 (MEDIUM)
• CVE-2017-10345, Oracle Java, CVSS 3.0 Base Score 3.1 (LOW)

Music

I'm a jungle/drum'n'bass DJ, still using turntables and carrying around a 30kg record bag. You can find a selection of my old dj sets on mixcloud. More recently I've started streaming on Twitch, follow me if you want to be notified when I go live.