Research

My research area is computer security. Specifically, my interests include systems security, program analysis for security, virtualization, trusted computing, and access control. I have published over 150 peer-reviewed papers on these subjects. See DBLP and Google Scholar or "See My Publications" below.

My work has been funded by the National Science Foundation (CNS-0627551, CNS-0721579, CNS-0905343, CNS-0931914, CNS-1117692, CNS-1408880, CNS-1801534, and CNS-1816282), Defense Advanced Research Projects Agency, Air Force Research Lab, Army Research Lab, Office of Naval Research, Air Force Office of Scientific Research, and a number of industrial sponsors, including Google, Samsung, Cisco, and HP Labs. Their support is gratefully acknowledged.

See My Publications

Current Research Highlights

Software Security

Our NDSS 2022 paper proposes DataGuard, the first approach that efficiently and fully protects safe stack objects from attacks that exploit spatial, type, and temporal memory errors. DataGuard provides a more accurate memory safety validation analysis that extends stack protection to an average of 91.45% of all stack objects that can only be referenced safely. DataGuard reduces the overhead of using Clang’s Safe Stack defense for protection of the SPEC CPU2006 benchmarks from 11.3% to 4.3%, demonstrating that a comprehensive and accurate analysis can both increase the scope of stack data protection and reduce overheads. Also, see our other NDSS 2022 paper on incremental vulnerability detection and our 2021 ACM TOPS paper on data-oriented attacks.

Mobile Security

Our USENIX Security 2021 paper proposes PolyScope, the first tool for comprehensively triaging Android systems for the sources of possible filesystem access vulnerabilities using their combination of access control policies. PolyScope is a policy analysis tool that: (1) identifies the filesystem resources that subjects are authorized to use that may be modified by their adversaries and (2) determines the specific filesystem operations that require vulnerability testing. Using PolyScope, we detect two previously unknown vulnerabilities and derive vulnerability testing requirements for nine Android and OEM versions. Also, see our 2021 IEEE S&P paper on the Android Scoped Storage defense and our 2021 IEEE Surveys paper on sensor-based threats to IoT and mobile systems.

Systems Security

Our OSDI 2022 paper presents KSplit, a new framework for isolating unmodified device drivers in modern, full-featured Linux kernels. KSplit performs automated analyses on the unmodified source code of the kernel and the driver to: (1) identify the state shared between the kernel and driver and (2) compute the synchronization requirements for this shared state to enable correct and efficient operation. For complex kernel-driver interactions, including shared concurrency primitives, KSplit either generates the synchronization code automatically or provides concrete developer guidance, largely addressing a long-standing problem. Also, see our ACM AsiaCCS paper on Linux Security Module (LSM) performance and our Lightweight Virtual Domains paper, the "Best Paper" awardee for VEE 2020.