José Fragoso Santos

Assistant Professor, Dept. of Computer Science and Engineering
Instituto Superior Técnico, University of Lisbon
Researcher, INESC-ID · Automated Reasoning and Software Reliability Group

My research focuses on applying formal methods to improve the security and reliability of real-world software. I develop techniques grounded in symbolic execution, program analysis, and language semantics, with a particular focus on JavaScript and WebAssembly. Previously, I was a Research Associate at Imperial College London and a PhD student at INRIA Sophia Antipolis.

Google Scholar DBLP ORCID Email

Selected Publications

2025 – 2026

ESOP'26

Specification-Driven Generation of Summaries for Symbolic Execution

R. Gonçalves, F. Ramos, P. Adão, J. Fragoso Santos

European Symposium on Programming

PLDI'25

Automated Exploit Generation for Node.js Packages

F. Marques, M. Ferreira, A. Nascimento, M.E. Coimbra, N. Santos, L. Jia, J. Fragoso Santos

ACM SIGPLAN PLDIdoi

TACAS'25

Proxy Attribute Discovery in ML Datasets via Inductive Logic Programming

R. Gonçalves, F. Gouveia, I. Lynce, J. Fragoso Santos

Tools and Algorithms for the Construction and Analysis of Systems

2023 – 2024

PLDI'24

Efficient Static Vulnerability Analysis for JavaScript with Multiversion Dependency Graphs

M. Ferreira, M. Monteiro, T. Brito, M.E. Coimbra, N. Santos, L. Jia, J. Fragoso Santos

ACM SIGPLAN PLDIdoi

S&P'23

RuleKeeper: GDPR-Aware Personal Data Compliance for Web Frameworks

M. Ferreira, T. Brito, J. Fragoso Santos, N. Santos

IEEE Symposium on Security and Privacy

ECOOP'23

Toward Tool-Independent Summaries for Symbolic Execution

F. Ramos, N. Sabino, P. Adão, D.A. Naumann, J. Fragoso Santos

European Conference on Object-Oriented Programmingdoi

ToR'23

Study of JavaScript Static Analysis Tools for Vulnerability Detection in Node.js Packages

T. Brito, M. Ferreira, M. Monteiro, P. Lopes, M. Barros, J. Fragoso Santos, N. Santos

IEEE Transactions on Reliability (Q1)

2021 – 2022

ECOOP'22

Concolic Execution for WebAssembly

F. Marques, J. Fragoso Santos, N. Santos, P. Adão

European Conference on Object-Oriented Programmingdoi

C&S'22

Wasmati: An Efficient Static Vulnerability Scanner for WebAssembly

T. Brito, P. Lopes, N. Santos, J. Fragoso Santos

Computers & Security (Q1)

CAV'21

Gillian, Part II: Real-World Verification for JavaScript and C

P. Maksimović, S.-É. Ayoun, J. Fragoso Santos, P. Gardner

International Conference on Computer Aided Verification

2018 – 2020

PLDI'20

Gillian, Part I: A Multi-language Platform for Symbolic Execution

J. Fragoso Santos, P. Maksimović, S.-É. Ayoun, P. Gardner

ACM SIGPLAN PLDIdoi

ECOOP'20

A Trusted Infrastructure for Symbolic Analysis of Event-Driven Web Applications

G. Sampaio, J. Fragoso Santos, P. Maksimović, P. Gardner

European Conference on Object-Oriented Programmingdoi

POPL'19

JaVerT 2.0: Compositional Symbolic Execution for JavaScript

J. Fragoso Santos, P. Maksimović, G. Sampaio, P. Gardner

ACM SIGPLAN POPLdoi

POPL'18

JaVerT: JavaScript Verification Toolchain

J. Fragoso Santos, P. Maksimović, D. Nauždiūnienė, P. Gardner

ACM SIGPLAN POPLdoi

SEC'14

An Information Flow Monitor-Inlining Compiler for Securing a Core of JavaScript

J. Fragoso Santos, T. Rezk

IFIP International Conference

For a complete list of publications, see Google Scholar or DBLP.

Teaching

Análise e Síntese de Algoritmos BSc · LEIC-A · Main Lecturer

Algorithm design and analysis. Five editions (19/20 – 24/25), ~240 students/year.

★ Teaching Awards 20/21, 21/22, 22/23, 24/25

Especificação de Software MSc · MEIC · Main Lecturer

Formal specification and lightweight verification. Four editions (21/22 – 24/25).

Students

PhD Students

Gabriela Sampaio Symbolic Analysis of Event-based Web APIs (Imperial) completed

Tiago Brito Code Property Graphs for Web Languages completed

Mafalda Ferreira Graph-Based Analysis for JavaScript ongoing

Filipe Marques Automatic Exploit Generation for Node.js ongoing

Frederico Ramos Summaries for Symbolic Execution ongoing

Rafael Gonçalves Prototype Pollution Gadgets (CMU-Portugal) ongoing

André Nascimento Dynamic Analysis for JavaScript ongoing

João Pereira Automatic Repair of Vulnerabilities (CMU-Portugal) ongoing

José Afonso Vulnerabilities in Electron Applications ongoing

MSc Dissertations

32 completed and 6 ongoing MSc theses supervised, including the recipient of the Naoris Award for best MSc thesis in Cybersecurity and the Jerónimo Martins Award for best MSc thesis in Computer Science and Engineering at IST. View complete list →

Research Projects

WebCAP Automatic Program Synthesis for Web Data Collection PI · 125K€ · FCT

INFOCOS Intelligent Feedback for Students PI · 169K€ · FCT

DIVINA Injection Vulnerability Detection in Node.js Applications PI · 75K€ · CMU-PT

RIGA Reasoning over Indirect Discrimination Co-PI · 50K€ · FCT

SmartRetail PRR Agenda — Smart Retail Senior · 1M€ · IAPMEI

OptiGov AI for Public Administration Efficiency Senior · 125K€ · FCT

Service & Recognition

Leadership

Executive Coordinator of the Automated Reasoning and Software Reliability group at INESC-ID (since 2025). Executive Coordinator of the MTP Section at DEI, IST (since 2025).

Program Committees

FM '26 ECOOP '26 CSF '26 POPL '25 PLDI '24 CSF '23 PLDI '21 PLDI '20 IJCAI '20 OOPSLA '20