Deian Stefan: 2016 Security Workshop


Monday, April 11, 2016
Location: McCaw Hall, Arrillaga Alumni Center

"Building Least Privileged Web Applications with Node.js"



Large-scale private user data theft has become a common occurrence. A huge factor in these privacy breaches we hear so much about is that developers specify and enforce data security policies by strewing checks throughout their application code. Overlooking a single check can lead to vulnerabilities. But even if developers mange to get all the checks in all the right places, web applications largely rely on third-party code which may introduce other vulnerabilities (or even be malicious).

In this talk I will describe the design and implementation of Intrinsic, a security runtime system for Node.js. Intrinsic employs software fault isolation and virtualization techniques to compartmentalize and mediate application code. This, in turn, allows developers to run unmodified web applications with least privileges. With Intrinsic, one only needs to specify high-level security policies at different levels of granularity. Intrinsic then enforces these policies on all code---including third-party libraries---to ensure security.


I am an Assistant Professor in the UCSD CSE Department, starting in Fall 2016. I am also the Chief Scientist at Intrinsic (formerly GitStar), a web security start-up I co-founded. My research interests are in building principled and practical secure systems. More broadly, I am interested in research that spans systems, security, and programming languages. I work on several systems, including COWL, a browser confinement system designed for modern web applications, Hails, a security-centric framework for building web platforms, LIO, a dynamic information flow control system, and ESpectro, a security architecture for Node.js. At Intrinsic, I am putting much of this research into practice by building systems, tools, and languages that ultimately make it easier for developers to build and deploy web applications with minimal trust. You can find more details about my vision, approach, and direction in my research statement.

I am also a member of the W3C WebAppSec Working Group, where I try to make the web a safer place primarily by serving as editor of the COWL spec.

I completed my Ph.D. in Computer Science at Stanford under "Prof." David Mazieres and Prof. John C. Mitchell and (informally) Prof. Alejandro Russo. Prior to Stanford, I obtained a B.E. and M.E. in Electrical Engineering at Cooper Union. At Cooper, I worked on GPU and FPGA crypto implementations. I am still generally interested in hardware architectures, especially in the context of security.