Future Students

I am recruiting PhD students for Fall 2026. Before contacting me, please read the following.

Logistics

If you are not currently a student at NC State, you need to apply to the Department of Computer Science. Please see the graduate application instructions for more information. You are welcome to email me, but do not be discouraged if I do not respond. I prefer to consider applications as a whole, and I will do my best to look at all applications that specify me as the primary or secondary faculty of interest.

Note: I do not make admissions decisions. I provide a short, rank-ordered list of my preferences, and the department’s PhD admissions process takes it from there.

Gaining My Interest

I am looking for talented and motivated students with an interest in systems security research that has real-world impact. The most important quality is intellectual curiosity and the ability to be a self-starter. Evidence of research aptitude (projects, publications, or even just well-formed thoughts about your research interests) will strengthen your application substantially.

I’ve found the most success working with students who like to tinker with technology. This often manifests in Linux users, as the desire to tinker often leads one to Linux. My research often involves running and modifying real code on real systems. Getting code to work is hard. Understanding why it fails requires insights and experiences that often come from tinkering with technology.

Research Areas

I see the world of research as “application domains” and “tools and methodologies.” Always work from a place of strength while growing the other. For example, apply tools and methodologies you are familiar with to a new application domain, or learn new tools and methodologies while applying them to an application domain you know well. When you are starting a PhD, you may have to develop both, but having interests in at least one is a good start.

Here are my current interests:

• Application domains: My primary focus is securing the software supply chain (see S3C2). I’m particularly interested in dealing with risks in component dependencies (e.g., PyPI, npm) and the security of build systems (e.g., GitHub Actions, Reproducible Builds). I also consider problems related to general software and systems security.
• Tools and Methodologies: I primarily use program analysis and empirical studies (often combining the two) to study different application domains (e.g., software supply chain, cellular systems, mobile platforms and applications, and Linux) for vulnerability discovery, extraction of access control policy, and detection of malicious software. I use AI/ML techniques where warranted. I’m interested in developing more expertise in formal methods.

If you are primarily interested in learning how to apply AI/ML to security problems and currently do not already have strong AI/ML skills, I’m likely not the right advisor for you.

Current NC State Students

I primarily work with PhD students in the Department of Computer Science; however, I have advised a number of MS Computer Science students in the past. The best way to start working with me is to take CSC 574 (Computer and Network Security) and impress me on both the optional research project and exams. If I’m not teaching CSC 574 in a given semester, impress whoever is teaching it. We talk.

If you have not taken CSC 574, you may still reach out via email, but read the above carefully before we meet.