Research themes

My Ph.D. work explored static and runtime analysis of Java applications for finding security vulnerabilities. Since then, the space of my research interests has expanded quite a bit.


Security is in the limelight a lot these days. One of my key interests is web application security as well as mobile security. Much of my research takes a language-based approach to enforcing desirable security properties via a combination of static analysis, runtime enforcement, and so forth. A lot of my work focuses on detecting malware, especially drive-by downloads that take advantage of browser vulnerabilities. Some of my efforts are more systems-y in nature, others are rooted in compilers and runtime systems, while yet others involve the use of type theory and cryptography such as zero-knowledge proofs.

[DSN 2016] [Usenix Security 2014] [PLDI 2014] [PLDI 2013] [POPL 2013] [POPL 2013] [Oakland Security 2012] [Usenix Security 2011] [Usenix Security 2011] [CCS 2011] [Oakland 2011] [Oakland 2010]


Privacy is increasingly important in today's connected society. Over the last several years one observes a shift to cloud-based services that entice the user to move their data into the cloud, where the issues of data governance are often not well understood. Much of my work in this space has focused on creating attractive browser-based and mobile mechanisms that give the user a more attractive level of privacy without compromising the functionality. In fact, in some cases, it is entirely possible to design services that are both more privacy-preserving and more capable in terms of functionality. I also study the impact of some of the privacy-enhancing technologies on end-users.

[Oakland 2015] [CHI 2014] [Usenix Security 2013] [Usenix Security 2013] [PETS 2012] [Oakland 2011]

Program Analysis

I have a broad interest in analyzing programs to discover bugs and propose fixes. The need for program analysis, as well as static and runtime reasoning, arises in a number of settings, such as checking apps that are submitted to an app store (e.g. Apple's App Store or Windows Marketplace). I have developed static analyzers for languages including C, C++, Java, C#, and, most recently, JavaScript. We have explored the tradeoffs between fully sound analysis and less sound, yet practical analysis, coining the term soundy. Most recently, I am interested in analyzing really large programs, making analysis probabilistic, taking advantage of statistical knowledge contained in Big Code, and studying how analysis tools interact with developers.

[CACM'15] [OOPSLA 2014] [POPL 2012] [FSE 2013] [APPROX'14] [WebApps 2010] [WebApps 2010] [SOCC 2010]


Given that we are no longer getting significantly faster hardware every year, optimizations are important again. Optimizing programs in a meaningful way is a difficult task. In some domains, such as browsers and their JavaScript runtimes, the competition for performance between runtime vendors is extremely keen. Over the years, we have studied where execution time goes, how to make representative performance benchmarks, how to make programs run faster, and even how to do effective code compression. We have applied optimization ideas and techniques to areas such as optimizing web sites, client-side JavaScript code, dataflow programs in the cloud, or programming large-scale surveys. I am interested in making web and mobile applications run faster, without consuming too much energy.

[POPL 2015] [OOPSLA 2014] [Usenix Security 2014] [SOCC 2010] [TWEB 2010]


Some tasks are better done by machines, while others are better relegated to humans. Today, one has access to a wide on-demand audience of workers through services such as Amazon's Mechanical Turk. I am interested in clever ways of combining human and machine computation to leverage the best features of both. We have used crowd-sourcing for creating large-scale surveys. We used crowds to automate the process of program synthesis -- creating programs automatically. I am interested in using crowd-sourcing for program testing and other software development tasks.

[POPL'15] [SNAPL'15] [HCOMP'14]

Augmented reality

Over the past several years we have explored how to build augmented reality platforms and applications. These include the first 3D web browser, languages for programming with gestures that interact with the Kinect sensor, and other topics. In the context of augmented reality, user privacy is an important issue, especially for always-on sensors such as Kinect or Amazon Echo. I am interested in defining programming models that balance functionality and privacy. This is especially important given the current explosion in the Internet of Things space.

[Oakland 2016] [Oakland 2015] [Usenix Security 2013] [HotOS 2013] [MSR-TR-2014-146]