Protecting Persistent Data

Enforcing security policies at the storage layer to reduce the attack surface of existing solutions.

Secure, Efficient In-Process Memory Isolation

Providing isolation for sensitive data and state to increase the security and robustness of applications.

Shielding Applications in an untrusted Cloud

Lift and shift unmodified applications into Intel SGX enclaves to shield them in an untrusted cloud.

Selected Publications


The Endokernel: Fast, Secure, and Programmable Subprocess Virtualization. arXiv, 2021.


Swivel: Hardening WebAssembly against Spectre. USENIX Security, 2021.


Privacy-Preserving Machine Learning in Untrusted Clouds Made Simple. arXiv, 2020.


Automatically Securing Linux Application Containers in Untrusted Clouds. Linux Security Summit, 2020.

Slides Video

ERIM: Secure, Efficient In-Process Isolation with Memory Protection Keys. USENIX Security, Distinguished Paper Award and Internet Defense Prize, 2019.

PDF Code Slides Video

Pesos: Policy Enhanced Secure Object store. ACM EuroSys, 2018.


Light-Weight Contexts: An OS Abstraction for Safety and Performance. USENIX OSDI, 2016.

PDF Code

Thoth: Comprehensive Policy Compliance in Data Retrieval Systems. USENIX Security, 2016.


Guardat: Enforcing data policies at the storage layer. ACM EuroSys, 2015.

PDF Poster Slides Video Extended technical report


Program Committee

  • USENIX Security: 2021, 2022
  • Middleware Doctoral Workshop: 2020
  • Intel Software Professionals Conference - Security Track: 2020
  • EuroSys ShadowPC: 2020
  • SOCC Posters: 2020

Artifact Evaluation

External Reviewer

  • EuroSys: 2018
  • HotOS: 2017
  • OSDI: 2016


  • DTRAP External Reviewer: 2021



  • Intel High-5 Patent Award 2021
  • Intel Labs 2021 Gordy Award Honorable Mention in “Excellence in Risk Taking” for our continued work on the Graphene Library OS (in collaboration with Dmitrii Kuvaiskii, Mona Vij, Sudha Krishnakumar, Isaku Yamahata)
  • Facebook and USENIX Internet Defense Prize 2019
  • Distinguished Paper Award at USENIX Security 2019