I am an Associate Professor, Teaching Stream in the Department of Computer and Mathematical Sciences at University of Toronto Scarborough. I teach courses in computer security, web development and entrepreneurship. My research interest focuses on computer security including web security and language-based security.

Prior to joining to the University of Toronto in 2017, I was 9 years at Carnegie Mellon University Qatar as a Postdoc at first and then as an Assistant Teaching Professor.

Fall'23 Courses

Undergraduate - University of Toronto Scarborough

F : Fall
W : Winter/Spring
S : Summer
CSCD90 The Startup Sandbox
W17, W18, W19, W20
F16, F17, F18, F19, F20, F21, F23
S20, W21, S21, W22
W17, W18, W19, W20, W21, W22, F23
CSCA08 Introduction to Computer Science I

Undergraduate - Carnegie Mellon University Qatar

15-437 Web Application Development
S11*, F11, F13, F14, W16
*U11 was taught at Carnegie Mellon Pittsburgh (main campus)
15-349 Introduction to Computer and Network Security
F08, F10, F12, F14
co-taught with Iliano Cervesato and Khaled Harras
15-312 Foundations of Programming Languages
W08, W09
co-taught with Iliano Cervesato
15-295 Competition Programming and Problem Solving
F14, F15
co-taught with Christos Kapoutsis
15-214 Principles of Software Construction
W13, W15, F15
15-212 Principles of Programming
W08, W09, W10, W11, W12
co-taught with Iliano Cervesato
15-150 Principles of Functional Programming
co-taught with Iliano Cervesato
15-121 Introduction to Data Structure
W13, W14
15-112 Fundamentals of Programming and Computer Science
W12, W15

Executive Education - Carnegie Mellon University Qatar

Introduction to Web Security and Web Penetration Testing

Postgraduate - Telecom-Bretagne, France

Digital Rights Management (DRM)
F05, F06
Trusted Computing
F05, F06
Linux Security
W04, W05, W06
Deployment and Administration of Network Security Policies
W04, W05, W06
Database Security
W04, W05, W06

Research Interests

  • Web security
  • Language-based security
  • Access control, usage control and information flow in distributed systems
  • Data-mining for security

Research Project

[completed] XSSCatcher: Automatic Detection of Cross-Site Scripting Vulnerabilities in Web Applications

This research project is in collaboration with the Qatar Computing Research Institute (QCRI)

[completed] A type-safe programming language to build safe and secure web applications (YSREP 1-033-1-006)

This research project is supported by the Qatar National Research Fund (QNRF)

Selected Publications

See the complete list of publications on Google Scholar.
A Decentralized Mnemonic Backup System for Non-Custodial Cryptocurrency Wallets
Thierry Sans, Ziming Liu, Kevin Oh
15th International Symposium on Foundations & Practice of Security (FPS'22).
December 2022
Substructural Meta-Theory of a Type-Safe Language for Web Programming
Iliano Cervesato, Thierry Sans
Fundamenta Informaticae
January 2014
Controlling Data Flow with a Policy-Based Programming Language for the Web
Thierry Sans, Iliano Cervesato
Nordic Conference on Secure IT Systems (NordSec'13)
Ilulissat, Greenland
October 2013
QWeSST for Type-Safe Web Programming
Thierry Sans, Iliano Cervesato
Workshop on Logics, Agents, and Mobility (LAM'10)
Edinburgh, Scotland
July 2010

Conference Organization

  • Carnegie Mellon Qatar Hackathon (CarnegieApps 2013 and 2014)
  • Publication Chair for IFIP International Information Security and Privacy (SEC'14)
  • Local Arrangement Chair for the International Conference on Logic for Programming, Artificial Intelligence and Reasoning (LPAR'08)
  • Local Arrangement Chair for the Asian Computing Science Conference (ASIAN'07)

Program Committees

  • Modeling and Analysis of Information Security (MAIS’2014)
  • Advanced Intrusion Detection and Prevention Workshop (AIDP'14)
  • IFIP International Information Security and Privacy (SEC'16, SEC'15, SEC'14)
  • IEEE Annual Conference on Privacy, Security and Trust (PST'13, 12)
  • IEEE Conference on Risks and Security of Internet and Systems (CRISIS'13, 12, 11, 10)
  • Workshop on Autonomous and Spontaneous Security (SETOP'13, 12, 11, 10, 09)
  • Workshop on Data Privacy Management (DPM'10, 09)

Invited Speaker

  • Open Web Application Security Project (OWASP) Qatar chapter meeting in Doha, June 2012
  • 6th INTERPOL’s Group meeting – MENA Region conference in Doha, March 2012
  • Hackathon for the Social Good in the Arab World in Abu Dhabi, UAE, October 2011


  • Gulf Programming Competition (GPC) member of the Steering Committee (2012-2016)
  • Open Web Application Security Project (OWASP) Qatar chapter member (2007-2016)


Post-Doctoral Research Associate
Ph.D Fellowship
  • See the "Ph.D Overview" and "Previous Teaching" sections for more details.
Master's Internship
  • Cooperative Intrusion Detection Framework.
Operations Assistant in the Research and Development Department
Summer 1999, 2000, 2001, 2002
ACTIA, Toulouse, France
  • Management of the technical documentation
  • Development of the information system


Ph.D in Computer Science
2003 - 2007
  • See "Ph.D" section for more details
M.S. in Computer Science
2002 - 2003
Languages and Computer Theory
Cooperative Intrusion Detection Framework
  • DEA PS (Diplôme d'Etude Approfondie en Programmation et Systèmes)
B.S. in Mathematics and Computer Science
1998 - 2002
Université Paul Sabatier, Toulouse, France
  • Maitrise d'Informatique
  • License d'Informatique
  • DEUG MIAS (Diplôme D'Etude Universitaire Général en Mathématiques, Informatique et Applications aux Sciences)
Lycée Déodat de Séverac, Toulouse, France
  • Baccalauréat Série S (Scientifique)

Ph.D Thesis


Beyond Access Control - Specifying and Deploying Security Policies in Information Systems [pdf]
Defended on May 25th, 2007

Related Topics

  • Access Control Models and Architectures
  • Usage control, Provisional Authorizations and Obligations
  • Digital Rights Management, Rights Expression Languages and Trusted Computing
  • Specific Access Control Models for XML documents


An Information System (IS) is an interconnection of resources including users, data and methods organized to collect, process, and transmit these data. The evolution of IS brings new security requirements that existing access control languages and models fail to support. In this thesis, we introduce new concepts that go beyond access control and we propose a security framework able to deal with these concepts. In the first part of this work, we introduce the concepts of contextual access control, usage control and obligations. In the second part of the work, we study security requirements when IS interacts with others. In this perspective, Digital Rights Management systems (DRM) bring interesting concepts. We propose two new models called FORM and OPA that open the scope of DRM. The Federated Rights Expression Model (FORM) provides adequate mechanisms to control any kind of content such as user identities, methods and data. The Onion Policy Administration Model (OPA) is a super-distribution model that aims at controlling the distribution of a content. In the last part of the work, we study XML rights expression models. Since information is more structured with XML, it is necessary to restrict the access to some confidential information. We propose a fine-grained access control model for XML documents that focuses on preventing from non-disclosure of information carried by meta-data themselves and from the relationship between these data. This thesis opens new perspectives on the security management of digital contents in heterogeneous and highly distributed information systems.

Doctoral School

L' Ecole Nationale Supérieure des Télécommunications de Bretagne (ENST-Bretagne) in the Network, Security and Multimedia Department (RSM) and member of the Security Group (SERES).


Frédéric Cuppens, professor at ENST-Bretagne in the RSM Departement. Frédéric Cuppens is the coordinator of the SERES Security Group.


This Ph.D is supported by funding from the French Ministry for Research under “ACI Sécurité Informatique: CASC Project”.


Système de Gestion Numérique Des Droits
Thierry Sans, Frédéric Cuppens, Nora Cuppens-Boulahia
Institut National de la Propriété Industrielle (INPI)
December 2006
Système de Gestion Numérique Des Droits selon un modèle de Super-Distribution
Thierry Sans, Frédéric Cuppens, Nora Cuppens-Boulahia
Institut National de la Propriété Industrielle (INPI)
December 2006