Xavier de Carné de Carnavalet
Assistant Professor
Radboud University
I am an Assistant Professor at Radboud University in the Digital Security group of the Faculty of Science.
My research interests span across network security and privacy, web security, Internet measurement, passwords and authentication, software and firmware security, and applications of machine learning to security.
Not sure how to address me? Please check this tutorial on how to correctly parse my name!
📧
Current and past positions
- Since Dec. 2024 @ Radboud University: Assistant Professor, Digital Security group
- 2021–2024 @ HK PolyU: Visiting Lecturer at the Institute of Advanced Executive Education (IAEE) for the ECF Fintech training
- 2021–2024 @ HK PolyU: Research Assistant Professor and Lecturer in the Department of Computing
- 2019–2020 @ CarletonU: Postdoctoral fellow in the CCSL lab with Prof. Paul van Oorschot
- 2014–2019 @ ConcordiaU: Ph.D. at the Madiba Security Research Group with Prof. Mohammad Mannan
Office
Office 2.13, Mercator 1, Toernooiveld 212, 6525EC, Nijmegen, Netherlands
BSc/MSc/Research internship topics
For RU students looking for a thesis or internship, see if the following areas are of interest to you, and if so, send me a CV, transcript, and remind me if you attended one of my courses.
Note: I am currently full and cannot take more BSc/MSc/internship students for January 2026. New openings will be updated towards June for September 2026.
- Qualitative password collection and analysis
- Machine learning-based password guessing
- Password managers security evalution
- Privacy leakage in modern operating systems/browsers
- IoT firmware/x86 reverse-engineering
- Proprietary network protocol reverse-engineering
Cryptographic WASM/Javascript reverse-engineeringIPv6 handling in network equipment- Certificate Authorities trust stores analysis
- Bachelor thesis only:
- Automatic building environment for cryptographic software
Selected publications
See the full list of publications under the Research tab, and my profile on the following platforms:
Google Scholar
DBLP profile
ORCID
- Understanding Home Router Configuration Habits & Attitudes. J. Ye, X. de Carné de Carnavalet, L. Zhao, L. Wu, M. Zhang. ACM CHI Conference on Human Factors in Computing Systems (CHI'25), Yokohama, Japan, Apr. 26-May 1, 2025. [DOI]
- Towards Exploring Cross-Regional and Cross-Platform Differences in Login Throttling. M. Cai, X. de Carné de Carnavalet, S. Zhang, L. Zhao, M. Zhang. Nordic Conference on Secure IT systems (NordSec'24), Karlstad, Sweden, Nov. 6-7, 2024. [DOI]
- Exposed by Default: A Security Analysis of Home Router Default Settings. J. Ye, X. de Carné de Carnavalet, M. Zhang, L. Zhao, L. Wu, W. Zhang. ACM Symposium on Information, Computer and Communications Security (AsiaCCS'24), Singapore, July 1-5, 2024. [DOI]
- A survey and analysis of TLS interception mechanisms and motivations. (Pre-print version: Dec. 27, 2022). X. de Carné de Carnavalet and Paul C. van Oorschot. ACM Computing Surveys (ACM CSUR), 55(13s), 1-40, July 2023. [DOI]
- Killed by Proxy: Analyzing Client-end TLS Interception Software. X. de Carné de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS'16), San Diego, CA, USA, Dec. 21-24, 2016. [DOI]
- Challenges and Implications of Verifiable Builds for Security-Critical Open-Source Software. X. de Carné de Carnavalet and M. Mannan. Annual Computer Security Applications Conference (ACSAC'14), New Orleans, LA, USA, 2014, Dec. 8-12, 2014. [DOI]
- From Very Weak to Very Strong: Analyzing Password-Strength Meters. X. de Carné de Carnavalet and M. Mannan. Network and Distributed System Security Symposium (NDSS'14), San Diego, CA, USA, 2014, Feb. 23-26, 2014. [DOI]