Experience

  1. Senior Staff Research Scientist

    Intel Labs

    My research has generated or influenced hardware and software security architectures deployed on a large proportion of computer systems in use today.

    I have contributed to shipping processor security technologies, including Control-Flow Enforcement Technology (CET) and VT-Redirect Protection (VT-rp).

    Principal Investigator for Intel’s project on Cryptographic Capability Computing (C3) in the DARPA HARDEN program.

    I designed and co-developed deterministic spatial safety support for MiraclePtr in the Chrome browser.

    My LLVM-based research on shielding stack memory from corruption helped lead to a 2022 paper in a top-tier programming languages conference covered by ZDNet.

    I also researched approaches for scalable isolation, e.g., using segmentation to accelerate WebAssembly (upstreamed in wasm2c).

Education

  1. M.S. & Ph.D. in Computer Science

    University of Illinois at Urbana-Champaign

    Ph.D. Dissertation: Compact Integrity-Aware Architectures

  2. B.S. in Computer Science

    University of Wisconsin-Eau Claire

    UWEC Outstanding CS Senior of the Year, 2005

    Karlgaard Scholarship

    Summa cum laude

    National Merit Scholarship Finalist

Skills
Technical Skills
C/C++

Application, kernel, and hypervisor development for Linux, Windows, and embedded systems; experience with Boost and generic programming

Rust
SMT-LIB / Z3

SAT/SMT solver (completed Coursera course)

x86 Assembly

Somewhat familiar with assembly language for other architectures as well

LLVM/Clang

Compiler framework

Bluespec SystemVerilog

High-Level Synthesis (HLS) language based on Term-Rewriting Systems

Maude

Model checker based on Term-Rewriting Systems and Linear Temporal Logic

Isabelle/HOL

Interactive theorem prover

Python
Verilog/VHDL

Experience using Intel Quartus and Xilinx Vivado FPGA toolchains. Experience using Synopsys VCS and Mentor Graphics ModelSim simulators. Experience extending and maintaining an in-house Verilog simulator during an internship with Cray, Inc.

Prolog

Logic programming language

Awards
Intel Hardware Security Academic Award Honorable Mention
Intel ∙ August 2024
For Hardware-assisted Fault Isolation (HFI)
IEEE MICRO Top Picks
Institute of Electrical and Electronics Engineers (IEEE) ∙ July 2024
For “Hardware-Assisted Fault Isolation: Going Beyond the Limits of Software-Based Sandboxing”
ASPLOS Distinguished Paper
28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems ∙ March 2023
For “Going beyond the Limits of SFI: Flexible and Secure Hardware-Assisted In-Process Isolation with HFI”
ACM Senior Member
Association for Computing Machinery (ACM) ∙ May 2022
Joined November 2011
IEEE Senior Member
Institute of Electrical and Electronics Engineers (IEEE) ∙ June 2022
Joined March 2013
HICSS Best Paper
41st Hawaii International Conference on System Sciences ∙ January 2008
For “An Integrated Architecture for Demand Response Communications and Control”
Issued Patents
  1. 12,093,182 (2024): Typed store buffers for hardening store forwarding
  2. 12,050,701 (2024): Cryptographic isolation of memory compartments in a computing environment
  3. 12,045,174 (2024): Tagless implicit integrity with multi-perspective pattern search
  4. 12,032,486 (2024): Transient side-channel aware architecture for cryptographic computing
  5. 12,019,733 (2024): Compartment isolation for load store forwarding
  6. 12,019,562 (2024): Cryptographic computing including enhanced cryptographic addresses
  7. 12,008,374 (2024): Cryptographic enforcement of borrow checking
  8. 11,972,126 (2024): Data relocation for inline metadata
  9. 11,960,375 (2024): Apparatus and method for pausing processor trace for efficient analysis
  10. 11,954,045 (2024): Object and cacheline granularity cryptographic memory integrity
  11. 11,940,927 (2024): Technologies for memory tagging
  12. 11,922,220 (2024): Function as a service (FaaS) system enhancements
  13. 11,841,939 (2023): Technologies for object-oriented memory management with extended segmentation
  14. 11,838,418 (2023): Protection of keys and sensitive data from attack within microprocessor architecture
  15. 11,836,094 (2023): Cryptographic data objects page conversion
  16. 11,829,488 (2023): Pointer based data encryption
  17. 11,829,299 (2023): Technologies for execute only transactional memory
  18. 11,822,644 (2023): Technologies for object-oriented memory management with extended segmentation
  19. 11,797,678 (2023): Memory scanning methods and apparatus
  20. 11,789,737 (2023): Capability-based stack protection for software fault isolation
  21. 11,784,786 (2023): Mitigating security vulnerabilities with memory allocation markers in cryptographic computing systems
  22. 11,782,826 (2023): Security check systems and methods for memory allocations
  23. 11,782,716 (2023): Hardware apparatuses, methods, and systems for individually revocable capabilities for enforcing temporal memory safety
  24. 11,768,931 (2023): Technologies for object-oriented memory management with extended segmentation
  25. 11,741,018 (2023): Apparatus and method for efficient process-based compartmentalization
  26. 11,734,199 (2023): Enforcing memory operand types using protection keys
  27. 11,711,201 (2023): Encoded stack pointers
  28. 11,704,297 (2023): Collision-free hashing for accessing cryptographic computing metadata and for cache expansion
  29. 11,681,793 (2023): Technologies for object-oriented memory management with extended segmentation
  30. 11,669,625 (2023): Data type based cryptographic computing
  31. 11,630,920 (2023): Memory tagging for side-channel defense, memory safety, and sandboxing
  32. 11,620,391 (2023): Data encryption based on immutable pointers
  33. 11,580,035 (2023): Fine-grained stack protection using cryptographic computing
  34. 11,575,504 (2023): Cryptographic computing engine for memory load and store units of a microarchitecture pipeline
  35. 11,562,063 (2023): Encoded inline capabilities
  36. 11,531,750 (2022): Installing and manipulating a secure virtual machine image through an untrusted hypervisor
  37. 11,436,161 (2022): System for address mapping and translation protection
  38. 11,429,580 (2022): Collision-free hashing for accessing cryptographic computing metadata and for cache expansion
  39. 11,416,624 (2022): Cryptographic computing using encrypted base addresses and used in multi-tenant environments
  40. 11,416,414 (2022): Technologies for execute only transactional memory
  41. 11,409,662 (2022): Apparatus and method for efficient process-based compartmentalization
  42. 11,403,234 (2022): Cryptographic computing using encrypted base addresses and used in multi-tenant environments
  43. 11,392,492 (2022): Memory management apparatus and method for compartmentalization using linear address metadata
  44. 11,360,876 (2022): Apparatus and method for pausing processor trace for efficient analysis
  45. 11,354,423 (2022): Cryptographic isolation of memory compartments in a computing environment
  46. 11,321,469 (2022): Microprocessor pipeline circuitry to support cryptographic computing
  47. 11,250,165 (2022): Binding of cryptographic operations to context or speculative execution restrictions
  48. 11,222,127 (2022): Processor hardware and instructions for SHA3 cryptographic operations
  49. 11,216,366 (2022): Security check systems and methods for memory allocations
  50. 11,188,639 (2021): System, method and apparatus for automatic program compartmentalization
  51. 11,171,983 (2021): Techniques to provide function-level isolation with capability-based security
  52. 11,163,569 (2021): Hardware apparatuses, methods, and systems for individually revocable capabilities for enforcing temporal memory safety
  53. 11,144,479 (2021): System for address mapping and translation protection
  54. 11,080,401 (2021): Memory scanning methods and apparatus
  55. 11,036,850 (2021): Technologies for object-oriented memory management with extended segmentation
  56. 11,030,113 (2021): Apparatus and method for efficient process-based compartmentalization
  57. 10,884,952 (2021): Enforcing memory operand types using protection keys
  58. 10,860,709 (2020): Encoded inline capabilities
  59. 10,795,997 (2020): Hardened safe stack for return oriented programming attack mitigation
  60. 10,785,028 (2020): Protection of keys and sensitive data from attack within microprocessor architecture
  61. 10,769,272 (2020): Technology to protect virtual machines from malicious virtual machine managers
  62. 10,706,164 (2020): Crypto-enforced capabilities for isolation
  63. 10,642,752 (2020): Auxiliary processor resources
  64. 10,558,582 (2020): Technologies for execute only transactional memory
  65. 10,515,023 (2019): System for address mapping and translation protection
  66. 10,503,664 (2019): Virtual machine manager for address mapping and translation protection
  67. 10,453,114 (2019): Selective sharing of user information based on contextual relationship information, such as to crowd-source gifts of interest to a recipient
  68. 10,452,848 (2019): Memory scanning methods and apparatus
  69. 10,324,863 (2019): Protected memory view for nested page table access by virtual machine guests
  70. 10,318,733 (2019): Techniques for detecting malware with minimal performance degradation
  71. 10,235,301 (2019): Dynamic page table edit control
  72. 10,216,522 (2019): Technologies for indirect branch target security
  73. 10,157,277 (2018): Technologies for object-oriented memory management with extended segmentation
  74. 10,152,612 (2018): Cryptographic operations for secure page mapping in a virtual machine environment
  75. 10,104,122 (2018): Verified sensor data processing
  76. 10,061,918 (2018): System, apparatus and method for filtering memory access logging in a processor
  77. 10,007,784 (2018): Technologies for control flow exploit mitigation using processor trace
  78. 9,954,950 (2018): Attestable information flow control in computer systems
  79. 9,858,411 (2018): Execution profiling mechanism
  80. 9,830,162 (2017): Technologies for indirect branch target security
  81. 9,817,976 (2017): Techniques for detecting malware with minimal performance degradation
  82. 9,805,194 (2017): Memory scanning methods and apparatus
  83. 9,792,222 (2017): Validating virtual address translation by virtual machine monitor utilizing address validation structure to validate tentative guest physical address and aborting based on flag in extended page table requiring an expected guest physical address in the address validation structure
  84. 9,710,393 (2017): Dynamic page table edit control
  85. 9,703,703 (2017): Control of entry into protected memory views
  86. 9,665,373 (2017): Protecting confidential data with transactional processing in execute-only memory
  87. 9,501,637 (2016): Hardware shadow stack support for legacy guests
  88. 9,335,943 (2016): Method and apparatus for fine grain memory protection
  89. 9,124,635 (2015): Verified sensor data processing
  90. 8,458,791 (2013): Hardware-implemented hypervisor for root-of-trust monitoring and control of computer system
  91. 7,774,411 (2010): Secure electronic message transport protocol
Published Patent Applications
  1. 18/478,882: MEMORY SAFETY USING TAG CHECKING INSTRUCTIONS AND ISLANDS OF TAGS IN LINE WITH BUCKETED DATA
  2. 18/194,553: MULTI-KEY MEMORY ENCRYPTION PROVIDING EFFICIENT ISOLATION FOR MULTITHREADED PROCESSES
  3. 18/129,822: EFFICIENT CACHING AND QUEUEING FOR PER-ALLOCATION NON-REDUNDANT METADATA
  4. 18/147,510: FAST KEY ID SWITCHING VIA EXTENDED PAGING FOR CRYPTOGRAPHIC INTRA-PROCESS ISOLATION
  5. 17/936,011: DETERMINISTIC ADJACENT OVERFLOW DETECTION FOR SLOTTED MEMORY POINTERS
  6. 17/953,186: TEMPORAL INFORMATION LEAKAGE PROTECTION MECHANISM FOR CRYPTOGRAPHIC COMPUTING
  7. 17/949,353: USER-LEVEL EXCEPTION-BASED INVOCATION OF SOFTWARE INSTRUMENTATION HANDLERS
  8. 18/499,133: POINTER BASED DATA ENCRYPTION
  9. 17/886,981: SPECULATING OBJECT-GRANULAR KEY IDENTIFIERS FOR MEMORY SAFETY
  10. 17/853,087: REDUCING INSTRUMENTATION CODE BLOAT AND PERFORMANCE OVERHEADS USING A RUNTIME CALL INSTRUCTION
  11. 17/849,351: CONTROL FLOW INTEGRITY TO PREVENT POTENTIAL LEAKAGE OF SENSITIVE DATA TO ADVERSARIES
  12. 17/957,814: MEMORY SAFETY WITH SINGLE MEMORY TAG PER ALLOCATION
  13. 17/848,142: IMPLICIT MEMORY CORRUPTION DETECTION FOR CONDITIONAL DATA TYPES
  14. 17/791,000: CRYPTOGRAPHIC COMPUTING IN MULTITENANT ENVIRONMENTS
  15. 17/947,072: UPDATING ENCRYPTED SECURITY CONTEXT IN STACK POINTERS FOR EXCEPTION HANDLING AND TIGHT BOUNDING OF ON-STACK ARGUMENTS
  16. 17/357,951: ZERO-REDUNDANCY TAG STORAGE FOR BUCKETED ALLOCATORS
  17. 17/855,261: STATELESS AND LOW-OVERHEAD DOMAIN ISOLATION USING CRYPTOGRAPHIC COMPUTING
  18. 17/854,814: CRYPTOGRAPHIC COMPUTING ISOLATION FOR MULTI-TENANCY AND SECURE SOFTWARE COMPONENTS
  19. 17/357,963: REGION-BASED DETERMINISTIC MEMORY SAFETY
  20. 17/696,330: RATCHET POINTERS TO ENFORCE BYTE-GRANULAR BOUNDS CHECKS ON MULTIPLE VIEWS OF AN OBJECT
  21. 17/699,593: CRYPTOGRAPHIC DATA OBJECTS PAGE CONVERSION
  22. 17/693,748: GENERATING ENCRYPTED CAPABILITIES WITHIN BOUNDS
  23. 17/682,997: COMPILER-DIRECTED SELECTION OF OBJECTS FOR CAPABILITY PROTECTION
  24. 17/561,828: PROCESS OBJECT RE-KEYING DURING PROCESS CREATION IN CRYPTOGRAPHIC COMPUTING
  25. 17/559,385: DATA OBLIVIOUS CRYPTOGRAPHIC COMPUTING
  26. 17/314,349: TECHNOLOGY TO CONTROL SYSTEM CALL INVOCATIONS WITHIN A SINGLE ADDRESS SPACE
  27. 16/862,022: MEMORY WRITE FOR OWNERSHIP ACCESS IN A CORE
  28. 15/721,553: Installing and manipulating a secure virtual machine image through an untrusted hypervisor
  29. 15/713,573: Methods and arrangements to determine physical resource assignments
  30. 16/040,193: System, method and apparatus for automatic program compartmentalization
  31. 15/273,286: Access control
  32. 15/201,018: Regulating control transfers for execute-only code execution