A Hardware Design Language for Timing-Sensitive Information-Flow Security
By building a secure MIPS processor and its caches, it is demonstrated that SecVerilog makes it possible to build complex hardware designs with verified security, yet with low overhead in time, space, and HW designer effort.
Ironclad Apps: End-to-End Security via Automated Full-System Verification
This work provides complete, low-level software verification of a full stack of verified software, which includes a verified kernel; verified drivers; verified system and crypto libraries including SHA, HMAC, and RSA; and four Ironclad Apps.
Predictive black-box mitigation of timing channels
A general class of timing mitigators is introduced that can achieve any given bound on timing channel leakage, with a tradeoff in system performance.
Language-based control and mitigation of timing channels
We propose a new language-based approach to mitigating timing channels. In this language, well-typed programs provably leak only a bounded amount of information over time through external timing
Detecting Violations of Differential Privacy
The problem of producing counterexamples for incorrect algorithms that make them violate their claimed privacy is considered, and an evaluation on a variety of incorrect published algorithms validates the usefulness of the approach.
CacheD: Identifying Cache-Based Timing Channels in Production Software
This work proposes a novel technique to help software developers identify potential vulnerabilities that can lead to cache-based timing attacks, implements the proposed technique as a practical tool named CacheD (Cache Difference), and evaluates it on multiple real-world cryptosystems.
Toward general diagnosis of static errors
This work presents a general way to locate programmer mistakes that are detected by static analyses such as type checking; the results show that the general technique identifies the location of programmer errors significantly more accurately.
LightDP: towards automating differential privacy proofs
LightDP introduces a novel relational type system that separates relational reasoning from privacy budget calculations and is powerful enough to verify sophisticated algorithms where the composition theorem falls short; it is shown that LightDP verifies such algorithms with little manual effort.
Predictive mitigation of timing channels in interactive systems
This paper generalizes predictive mitigation to a larger and important class of systems: systems that receive input requests from multiple clients and deliver responses, finding that timing predictions may be a function of any public information, rather than being a function simply of output events.
SecDCP: Secure dynamic cache partitioning for efficient timing channel protection
The proposed SecDCP scheme changes the size of cache partitions at run time for better performance while preventing insecure information leakage between processes, and improves performance by up to 43% and by an average of 12.5% over static cache partitioning.