Protecting Persistent Data

Enforcing security policies at the storage layer to reduce attack surface of existing solutions.

Secure, Efficient In-Process Memory Isolation

Providing isolation for sensitive data and state to increase the security and robustness of applications.


Automatically Securing Linux Application Containers in Untrusted Clouds Linux Security Summit 2020, 2020.

Slides Video

ERIM: Secure, Efficient In-Process Isolation with Memory Protection Keys USENIX Security,
Distinguished Paper Award and Internet Defense Prize, 2019.

PDF Code Slides Video

Pesos: Policy Enhanced Secure Object store ACM EuroSys, 2018.


Light-Weight Contexts: An OS Abstraction for Safety and Performance USENIX OSDI, 2016.

PDF Code

Thoth : Comprehensive Policy Compliance in Data Retrieval Systems Usenix Security, 2016.


Guardat: Enforcing data policies at the storage layer ACM EuroSys, 2015.

PDF Poster Slides Video Extended technical report

Protecting Data Integrity with Storage Leases MPI-SWS Technical Report & Patent, 2011.

PDF Patent

A verifiedwireless safety critical hard real-time design IEEE WoWMoM, 2011.



Program Committee

  • Middleware’20 Doctoral Workshop
  • EuroSys’20 ShadowPC
  • SOCC’19 Posters

Artifact Evaluation

  • OSDI’20 Artifact Evaluation Co-Chair
  • USENIX Security’20
  • SOSP’19

External Reviewer

  • EuroSys’18
  • HotOS’17
  • OSDI’16
  • Organization
  • Registration for EuroSys’21