By Josh Baxt
UC San Diego Computer Science and Engineering Assistant Professor Deian Stefan has been honored with an Alfred P. Sloan Research Fellowship. Stefan will receive $75,000 during the two-year fellowship to advance his work on browser security.
Stefan is the third UC San Diego Computer Science and Engineering professor to receive a Sloan award in recent years. Nadia Polikarpova was selected in 2020 and Daniel Kane was a recipient in 2017. The fellowship supports young scientists pursuing fundamental research with great potential to impact their fields.
“This is a true honor,” said Stefan. “The researchers in my field who have gotten a Sloan Fellowship are an impressive bunch, and just being part of this is really rewarding.”
Stefan is being recognized for his work on secure systems. Programmers can inadvertently introduce bugs that allow hackers to steal information or hold systems for ransom. He believes a new generation of compilers can help solve this problem.
The key is creating secure compilers that will give programmers end-to-end guarantees that the security of their source code is preserved down to the machine code level. Stefan plans to design these compilers by building on WebAssembly, a relatively new computer language designed to enhance safety.
“By building secure compilers from high-level languages to WebAssembly, and secure compilers of WebAssembly to different hardware, we can make it easier for developers to build secure systems that have formal security guarantees,” said Stefan. With his collaborators, Stefan has been applying these ideas to make browsers safer.
Web browsers use third-party libraries to implement different features, such as rendering images, spell-checking text and processing XML documents. These libraries are typically written in unsafe but fast languages, such as C, and often have unreported bugs that can be exploited by hackers to take control of computers.
To prevent attackers from exploiting these vulnerabilities, Stefan and others are modifying WebAssembly to sandbox these libraries into their own isolated worlds. This ensures the libraries cannot be used as vectors for attack.
“We’re trying to sandbox libraries so that users can browse the web safely without worrying about potentially compromised libraries harming their machines,” said Stefan. “We’re also starting to tackle this problem on the server side. We want to make it impossible for attackers to, say, upload an image and compromise servers and all the user data stored on those servers.”
Stefan has worked closely with Firefox, which has already incorporated some of his group's sandboxing work into its browser. He sees wide applications to other browsers, including Chrome and Brave, as well as serverless cloud platforms, machine-learning-as-a-service platforms and embedded systems.
The $75,000 award will give Stefan extra firepower from students and other researchers to accelerate this project and create these extra defenses. As always with computer security, it’s essential to get these new safeguards up and running quickly.
“There have been a bunch of recent, high-profile attacks on real people that could have been prevented if we had sandboxed libraries early,” said Stefan. “They have far more privileges than they need to perform their assigned tasks, and that is largely an artifact of how we build software. As we showed in Firefox, we can fundamentally shift system design towards security and eliminate this whole class of attacks.”