Between 2020 and 2026, I developed hardware and software architectures to mitigate memory safety exploits and subsequent data exposure. Despite the availability of memory-safe languages, slow adoption leaves systems vulnerable to persistent software exploits. Furthermore, modern microarchitectural optimizations have extended these threats to speculative execution, such as speculative buffer overflows, which can bypass software-level protections. Addressing these vulnerabilities requires fundamental improvements across compilers, operating systems, and hardware abstractions.

While sandboxing is a vital defense, it remains imperfect. In-process fault isolation has gained traction for its low IPC and startup overhead, yet it remains susceptible to microarchitectural threats. In Swivel, we analyzed how Spectre vulnerabilities compromise WebAssembly (WASM) and developed compiler-level mitigations to prevent data leakage. However, as noted in our extensive study in SoK: Practical Foundations for Spectre Defenses, software-only solutions cannot realistically defend against the entire spectrum of speculative execution attacks. Consequently, in HFI, we proposed a hardware-centric design to eliminate these vulnerabilities while simultaneously improving the efficiency of in-process sandboxing.

At Google, I contributed to research efforts evaluating security instruction set architectures including ARM MTE (performance in practice), CHERI, and LFI to achieve memory safety and efficient sandboxing for real-world workloads. As part of these initiatives, I supported university collaborations and mentored PhD students.