Dongseok(Don) Jang   

PhD Candidate @ Programming Systems, CSE, UC San Diego
Advisor : Sorin Lerner
Email :

I have years of experience in compilers and web browser security as a PhD student at UC San Diego. During my PhD study, I have authored 4 papers in top computer science conferences. I also acquired hands-on experience in software development practice as an intern at Google and Mozilla. One of my research papers was influential and received a lot of press coverage from Forbes, The Wall Street Journal, Slashdot, and The Huffington Post.

I'm interested in using programming language techniques to secure web browsers. I worked on an enhanced JavaScript engine for better security, retrofitting a browser architecture with formal verification, and a C++ compiler extension to mitigate damages due to low-level memory bugs.

Projects

These are the research projects I worked on at UCSD except for the last one.

Safe Dispatch is an extended C++ compiler (based on Clang) that guarantees runtime type-safety of virtual function calls via code instrumentation, without sacrificing performance. This prevents vtable hijacking attacks in C++ programs, particularly in web browser implmentations.

Quark is a multi-process browser, structured similarly to Chrome or OP, but with a browser kernel formally verified with the Coq theorem prover to make sure the absence of security bugs.

This project is to do a big scale survey of websites with a sloopy crossdomain.xml file that allows a malicious site to steal private information from other sites via Flash. This was initiated as a course project taught by Hovav Shacham

I developed a JavaScript taint tracking engine based on Chrome's JavaScript engine, by which UCSD researchers found 46 real cases of JavaScript history sniffing on top websites. This finding received lots of press coverage from Forbes, The Wall Street Journal, Slashdot, The Huffington Post, and more.

I developed a static JavaScript pointer analysis based on Mozilla's Rhino JS engine. I applied the results to remove redundant property lookups in some JS benchmarks.

Internships

I interned under Charlie Reis at Google in Summer 2013. I designed and implemented the cross-site document policy, as part of Site Isolation led by Charlie. The project goal is to minimize HTML renderers' web access capabilities so that they can't attack users in case compromised, without hurting compatibility. This feature is included in Chrome, activated behind a command-line flag.

I interned at Mozilla in Summer 2011. I prototyped Flowmonkey, a fast hybrid JavaScript taint tracking engine based on the Jaegermonkey engine, which consists of a JavaScript bytecode interpreter and a JIT engine. Flowmonkey does slow, full-fledged taint tracking only on the JS interpreter, and the jitted code is only doing fast taint detection that turns off jitting in case a taint is detected.

Papers

These academic papers are about the projects mentioned above.

Language-based Security for Web Browsers (PhD Dissertation)
    Dongseok Jang

Automating Formal Proofs for Reactive Systems (PLDI '14 / to appear)
    Daniel Ricketts and Valentin Robert and Dongseok Jang and Zachary Tatlock and Sorin Lerner

SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks (NDSS '14 / acceptance rate: 18%)
    Dongseok Jang and Zachary Tatlock and Sorin Lerner

Establishing Browser Security Guarantees through Formal Shim Verification (USENIX Security '12 / acceptance rate: 19%)
    Dongseok Jang and Zachary Tatlock and Sorin Lerner

Analyzing the Cross-domain Policies of Flash Applications (W2SP '11)
    Dongseok Jang and Aishwarya Venkataraman and G. Michael Sawka and Hovav Shacham

An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications (CCS '10 / acceptance rate: 17%)
    Dongseok Jang and Ranjit Jhala and Sorin Lerner and Hovav Shacham

Points-to Analysis for JavaScript (SAC '09 / acceptance rate: 29%)
    Dongseok Jang and Kwang-Moo Choe