Some of my papers, in reverse chronological order:
- More is Less: Extra Features in Contactless Payments Break Security George Pavlides, Anna Clee, Ioana Boureanu and Tom Chothia, (USENIX Security 2025). We look at non-spec, proprietorial, ad-hoc extra features that companies have been adding to the EMV payment protocol and find that they are the cause of many vulnerabilities.
- Who Pays Whom? Anonymous EMV-Compliant Contactless Payments Charles Olivier-Anclin, Ioana Boureanu, Liqun Chen, Chris Newton, Tom Chothia, Anna Clee, Andreas Kokkinis, Pascal Lafourcade (USENIX Security 2025). A design of a privacy-protecting, backward-compatible, regulation-compliant EMV card payment system.
- Anti-Cheat: Attacks and the Effectiveness of Client-Side Defences Sam Collins, Alex Poulopoulos, Marius Muench and Tom Chothia, Research on Offensive and Defensive Techniques in the Context of Man At The End Attacks, 2024 (CheckMATE). A look at how game anti-cheats and cheats work and how cheats are sold online.
- Teaching Adversarial Thinking by Having Students Circumvent Exam Rules Matthew Bowden, Tom Chothia, Anna Clee, Sam Collins, Jacqueline Henes, and David Oswald, Advances in Teaching and Learning for Cyber Security Education. CSE 2024.
- Symbolic modelling of remote attestation protocols for device and app integrity on Android Abdulla Aldoseri, Tom Chothia, Jose Moreira and David Oswald, The ACM ASIA Conference on Computer and Communications Security (AsiaCCS 2023). Attacks against Samsung Knox2 and Google SafetyNet found via Tamarin modelling; models and PoC code can be found here.
- The Closer You Look, The More You Learn: A Grey-box Approach to Protocol State Machine Learning Chris McMahon Stone, Sam L. Thomas, Mathy Vanhoef, James Henderson, Nicolas Bailluet and Tom Chothia, The ACM Conference on Computer and Communications Security (CCS 2022). CVE-2020-17497 CVE-2021-44718. Source code and all artifacts can be found here.
- Cyber Security in the Rail Sector-An Integrated Approach Richard J Thomas, Tom Chothia, Mihai Ordean, World Congress on Rail Research 2022 (WCRR).
- Practical EMV Relay Protection Andreea-Ina Radu, Tom Chothia, Christopher J.P. Newton, Ioana Boureanu and Liqun Chen, IEEE Symposium on Security and Privacy (S&P 2022).
- Catch Me If You Can: An In-Depth Study of CVE Discovery Time and Inconsistencies for Managing Risks in Critical Infrastructures Richard J. Thomas, Joseph Gardiner, Tom Chothia, Awais Rashid, Emmanouil Samanis and Joshua Perrett. Workshop on CPS & IoT Security and Privacy (CPSIoTSec 2020).
- Security Analysis and Implementation of Relay-Resistant Contactless Payments Ioana Boureanu, Tom Chothia, Alexandre Debant and Stéphanie Delaune. The ACM Conference on Computer and Communications Security (CCS 2020).
- Modelling of 802.11 4-Way Handshake Attacks and Analysis of Security Properties Rajiv Ranjan Singh, José Moreira, Tom Chothia and Mark D. Ryan. The International Workshop on Security and Trust Management (STM 2020)
- Learning From Vulnerabilities - Categorising, Understanding and Detecting Weaknesses in Industrial Control Systems Richard J. Thomas and Tom Chothia. Workshop On The Security of Industrial Control Systems & of Cyber-Physical Systems (CyberICPS 2020), Dataset, CVE-2020-12524, CVE-2020-7592, CVE-2020-24686
- Time Protection: The Missing OS Abstraction Qian Ge, Yuval Yarom, Tom Chothia, and Gernot Heiser. 2019, European Conference on Computer Systems (EuroSys).
- Making Contactless EMV Robust Against Rogue Readers Colluding With Relay Attackers Tom Chothia, Ioana Boureanu, and Liqun Chen. 2019, Financial Cryptography and Data Security (FC).
- Choose your pwn adventure: Adding competition and storytelling to an introductory cybersecurity course Tom Chothia, Chris Novakovic, Andreea-Ina Radu, Richard J Thomas. 2019, Financial Cryptography and Data Security (Transactions on Edutainment XV).
- Modelling and Analysis of a Hierarchy of Distance Bounding Attacks Tom Chothia, Joeri de Ruiter and Ben Smyth. Usenix Security 2018. More information about this work can be found here.
- Extending Automated Protocol State Learning for the 802.11 4-Way Handshake Chris McMahon Stone, Tom Chothia and Joeri de Ruiter. European Symposium on Research in Computer Security (ESORICS) 2018. Software is available here.
- Breaking all the Things — A Systematic Survey of Firmware Extraction Techniques for IoT Devices Sebastian Vasile, David Oswald, and Tom Chothia. 2018, Smart Card Research and Advanced Application Conference (CARDIS).
- Phishing Attacks: Learning by Doing Tom Chothia, Stefan-Ioan Paiu and Michael Oultram. 2018 USENIX Workshop on Advances in Security Education (ASE 2018). Resources, demos and more information are available here.
- TRAKS: A Universal Key Management Scheme for ERTMS Richard J. Thomas, Mihai Ordean, Tom Chothia and Joeri de Ruiter. Annual Computer Security Applications Conference (ACSAC 2017).
- Spinner: Semi-Automatic Detection of Pinning without Hostname Verification Chris McMahon Stone, Tom Chothia and Flavio D. Garcia. Annual Computer Security Applications Conference (ACSAC 2017).
- Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and Undocumented Functionality Sam Thomas, Tom Chothia and Flavio D. Garcia. European Symposium on Research in Computer Security (ESORICS 2017). Code and sample data can be found here.
- Jail, Hero or Drug Lord? Turning a Cyber Security Course Into an 11 Week Choose Your Own Adventure Story Tom Chothia, Sam Holdcroft, Andreea-Ina Radu and Richard J. Thomas. USENIX Workshop on Advances in Security Education (ASE 2017)
- Types for Location and Data Security in Cloud Environments Ivan Gazeau, Tom Chothia and Dominic Duggan. Computer Security Foundations Symposium (CSF 2017).
- HumIDIFy: A Tool for Hidden Functionality Detection in Firmware Sam Thomas, Flavio D. Garcia, Tom Chothia, 14th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) 2017. Code and sample data can be found here.
- An Attack Against Message Authentication in the ERTMS Train to Trackside Communication Protocols, Tom Chothia, Mihai Ordean, Joeri de Ruiter and Richard Thomas, ACM Asia Conference on Computer and Communications Security (ASIACCS) 2017.
- Why banker Bob (still) can't get TLS right: Security Analysis of TLS in Leading UK Banking Apps, Tom Chothia, Flavio D. Garcia, Chris Heppel and Chris McMahon Stone, 21st International Conference on Financial Cryptography and Data Security 2017.
- Towards an understanding of the Misclassification Rates of Machine Learning-Based Malware Detection Systems, Nada Alruhaily, Behzad Bordbar and Tom Chothia, 3rd International Conference on Information Systems Security and Privacy (ICISSP) 2017.
- A Formal Security Analysis of ERTMS Train to Trackside Protocols, Joeri de Ruiter, Richard Thomas and Tom Chothia. International Conference on Reliability, Safety and Security of Railway Systems 2016.
- On the (in)security of the Latest Generation Implantable Cardiac Defibrillators and How to Secure Them, Eduard Marin, Dave Singelée, Flavio D. Garcia, Tom Chothia, Rik Willems and Bart Preneel, Annual Computer Security Applications Conference (ACSAC) 2016 CVE-2019-6538, CVE-2019-6540
- Learning From Others' Mistakes: Penetration Testing IoT Devices in the Classroom, Tom Chothia, Joeri de Ruiter, USENIX Workshop on Advances in Security Education (ASE 2016)
- An Offline Capture The Flag-Style Virtual Machine and an Assessment of its Value for Cybersecurity Education, with Chris Novakovic. 2015 USENIX Summit on Gaming, Games, and Gamification in Security Education (3GSE '15). More information about this work is available here.
- Relay Cost Bounding for Contactless EMV Payments, with Flavio D. Garcia, Joeri de Ruiter, Jordi van den Breekel and Matthew Thompson. Financial Cryptography and Data Security (FC 2015). More information about this work is available here.
- Calculating Quantitative Integrity and Secrecy for Imperative Programs, with Chris Novakovic and Rajiv Ranjan Singh. International Journal of Secure Software Engineering (IJSSE 2015).
- Automatically Checking Commitment Protocols in ProVerif without False Attacks, with Ben Smyth and Chris Staite. Conference on Principles of Security and Trust (POST 2015). The models from this paper are available here.
- LeakWatch: Estimating information leakage from Java programs, with Chris Novakovic and Yusuke Kawamoto. European Symposium on Research in Computer Security (ESORICS 2014).
- Automatically Calculating Quantitative Integrity Measures for Imperative Programs, with Chris Novakovic and Rajiv Ranjan Singh. Workshop on Quantitative Aspects in Security Assurance (QASA 2014).
- Probabilistic Point-to-Point Information Leakage, with Yusuke Kawamoto, Chris Novakovic and David Parker. Computer Security Foundations Symposium (CSF 2013).
- A Tool for Estimating Information Leakage, with Yusuke Kawamoto and Chris Novakovic. Computer Aided Verification (CAV 2013).
- SCAIL: An integrated Starcraft AI System Jay Young, Fran Smith, Christopher Atkinson, Ken Poyner and Tom Chothia (CIG2012).
- The Unbearable Lightness of Monitoring: Direct Monitoring in BitTorrent with Marco Cova, Chris Novakovic, and Camilo Gonzalez Toro (SecureComm 2012).
- A Statistical Test for Information Leaks Using Continuous Mutual Information, with Apratim Guha. Computer Security Foundations Symposium (CSF 2011).
- Statistical Measurement of Information Leakage with Konstantinos Chatzikokolakis and Apratim Guha (TACAS 2010). There is a video of me giving a talk about this work at the 5th CREST workshop here. Slides from a presentation on this work at PLID 09 are here. The full proofs for this paper are contained in Calculation of Probabilistic Anonymity from sampled Data with Konstantinos Chatzikokolakis and Apratim Guha (University of Birmingham Technical Report, 2009, CSR-09-10).
- Analysing Unlinkability and Anonymity Using the Applied Pi Calculus with Myrto Arapinis, Eike Ritter and Mark Ryan. Computer Security Foundations Symposium (CSF 2010).
- A Traceability Attack Against e-Passports, Tom Chothia and Vitaliy Smirnov, 14th International Conference on Financial Cryptography and Data Security 2010.
- Untraceability in the Applied Pi-calculus with Myrto Arapinis, Eike Ritter and Mark Ryan. RISC09
- Securing Pseudo Identities in an Anonymous Peer-to-Peer File-Sharing Network Securecomm 07. This paper improves the design of an anonymous file sharing system.
- A Framework for Automatically Checking Anonymity with mCRL with Simona Orzan, Jun Pang, and Muhammad Torabi Dashti. Trustworthy Global Computing 2006, TGC06
- A Survey of Anonymous Peer-to-Peer File-Sharing with Kostas Chatzikokolakis. 2005 International Conference on Embedded and Ubiquitous Computing EUC'05.
- Analysing the MUTE Anonymous File-Sharing System Using the Pi-calculus, Slides. FORTE 06. Best Paper Award winner. This paper analysed an anonymous peer-to-peer file-sharing system using the pi-calculus and found a flaw in the design.
- Typed-based Access Control vs. Untyped Attackers with Dominic Duggan (FAST 05).
- Type-Based Distributed Access Control with Dominic Duggan and Jan Vitek, Computer Security Foundations Symposium (CSF 04) Slides.