About me

Sr. Applied Scientist at Amazon Web Services (AWS), working with the AWS Automated Reasoning Group. At AWS I work on Amazon Verified Permissions and more specifically its Cedar policy language. More generally, I'm interested in making computers more secure by automatically finding, fixing, and preventing vulnerabilities through language-based tools and systems at scale, most recently using formal methods and automated reasoning.

I completed my PhD in computer security at UC San Diego, defending in April 2022. I was co-advised by Deian Stefan and Dean Tullsen, and as a PhD student I interned with Qualcomm, Mozilla, and Correct Computation.

Open Source

I am the author and maintainer of a few Rust crates (libraries), most notably:

  • the Haybale symbolic execution engine for LLVM IR
  • the llvm-ir high-level safe API for interacting with LLVM IR
  • the boolector crate, which provides safe high-level bindings for the Boolector SMT solver


SoK: Practical Foundations for Spectre Defenses

Sunjay Cauligi, Craig Disselkoen, Daniel Moghimi, Gilles Barthe, Deian Stefan

To appear at IEEE Symposium on Security and Privacy (S&P) 2022

[Full Text (arXiv preprint)]

Swivel: Hardening WebAssembly against Spectre

Shravan Narayan, Craig Disselkoen, Daniel Moghimi, Sunjay Cauligi, Evan Johnson, Zhao Gang, Anjo Vahldiek-Oberwagner, Ravi Sahita, Hovav Shacham, Dean Tullsen, Deian Stefan

USENIX Security Symposium 2021

[Full Text (pdf)]
[Full Talk (video)]
[Source Code]

Automatically Eliminating Speculative Leaks from Cryptographic Code with Blade

Marco Vassena, Craig Disselkoen, Klaus v. Gleissenthall, Sunjay Cauligi, Rami Gökhan Kıcı, Ranjit Jhala, Dean Tullsen, Deian Stefan

Principles of Programming Languages (POPL) 2021

Distinguished Paper Award winner!
[Full Text (pdf)]
[Full Talk (video)] - my portion begins at about 10:15
[Source Code]
[Blog post in PL Perspectives]

Finding and Eliminating Timing Side-Channels in Crypto Code with Pitchfork

Craig Disselkoen, Sunjay Cauligi, Dean Tullsen, Deian Stefan


[Full Text (pdf)]
[Source Code]

Constant-Time Foundations for the New Spectre Era

Sunjay Cauligi, Craig Disselkoen, Klaus v. Gleissenthall, Dean Tullsen, Deian Stefan, Tamara Rezk, Gilles Barthe

Programming Language Design and Implementation (PLDI) 2020

[Full Text (pdf)]
[Video Abstract]
[Full Talk (video)]
[Source Code]

Retrofitting Fine Grain Isolation in the Firefox Renderer

Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Sorin Lerner, Hovav Shacham, Deian Stefan

USENIX Security Symposium 2020

Distinguished Paper Award winner!
[Full Text (extended version) (pdf)]
[RLBox framework: Code Docs]
[Mozilla blog post on using RLBox in Firefox]
[Article in USENIX ;login: magazine]

Position Paper: Progressive Memory Safety for WebAssembly

Craig Disselkoen, John Renner, Conrad Watt, Tal Garfinkel, Amit Levy, Deian Stefan

Workshop on Hardware and Architectural Support for Security and Privacy (HASP) 2019

[Full Text (pdf)]

I gave a talk on an early version of this work at the Workshop on Principles of Secure Compilation (PriSC) in January 2019.

Code That Never Ran: Modeling Attacks on Speculative Evaluation

Craig Disselkoen, Radha Jagadeesan, Alan Jeffrey, James Riely

Authors listed alphabetically for this paper.

IEEE Symposium on Security and Privacy (S&P) 2019

[Full Text (pdf)]
[Talk (video)]
[Source Code]

Browser history re:visited

Michael Smith, Craig Disselkoen, Shravan Narayan, Fraser Brown, Deian Stefan

USENIX Workshop on Offensive Technologies (WOOT) 2018

[Full Text (pdf)]

Prime+Abort: A Timer-Free High-Precision L3 Cache Attack using Intel TSX

Craig Disselkoen, David Kohlbrenner, Leo Porter, Dean Tullsen

USENIX Security Symposium 2017

[Full Text (pdf)]
[Talk (video)]

Other Interests

I love making music; I play piano, drums, and concert percussion, and I also sing. I was in this parody music video produced by several UCSD CSE grad students for the 2019 department holiday party. During my time at UCSD I was also a part of the La Jolla Symphony Chorus.

I ride a Onewheel self-balancing electric skateboard, and I briefly blogged about my learning experience.

In January 2016 I was part of a trip to Nicaragua focused on computer science education in K-12 schools. We connected with a local group of Nicaraguan K-12 computer science teachers, introducing them to an affordable, low-maintenance, and low-power computer called the Raspberry Pi as a solution for school computer labs. I remain interested in ways to improve education (at all levels) and combat poverty around the world.

Contact / More Info

Find me on LinkedIn, Twitter, or by email.