Protecting Persistent Data

Enforcing security policies at the storage layer to reduce attack surface of existing solutions.

Secure, Efficient In-Process Memory Isolation

Providing isolation for sensitive data and state to increase the security and robustness of applications.

Shielding Applications in an untrusted Cloud

Lift and shift unmodified applications into Intel SGX enclaves to shield them in an untrusted cloud.

Selected Publications

More Publications

Privacy-Preserving Machine Learning in Untrusted Clouds Made Simple arXiv, 2020.


Automatically Securing Linux Application Containers in Untrusted Clouds Linux Security Summit, 2020.

Slides Video

ERIM: Secure, Efficient In-Process Isolation with Memory Protection Keys USENIX Security,
Distinguished Paper Award and Internet Defense Prize, 2019.

PDF Code Slides Video

Pesos: Policy Enhanced Secure Object store ACM EuroSys, 2018.


Light-Weight Contexts: An OS Abstraction for Safety and Performance USENIX OSDI, 2016.

PDF Code

Thoth : Comprehensive Policy Compliance in Data Retrieval Systems Usenix Security, 2016.


Guardat: Enforcing data policies at the storage layer ACM EuroSys, 2015.

PDF Poster Slides Video Extended technical report


Program Committee

Artifact Evaluation

External Reviewer

  • EuroSys’18
  • HotOS’17
  • OSDI’16