Deian Stefan

Assistant Professor
Department of Computer Science and Engineering
University of California, San Diego
Office: CSE 3126
Email: first-name@cs.ucsd.edu
Research interests: security & privacy, programming languages, systems.
[ Twitter | Keybase.io | GitHub | CryptoSec | ProgSys | SysNet | CONIX ]

About Me

I am an Assistant Professor in the UCSD CSE Department. I am also the Chief Scientist at Intrinsic (formerly GitStar), a web security start-up I co-founded. My research interests are in building principled and practical secure systems. More broadly, I am interested in research that spans systems, security, and programming languages. My students and I work on secure systems (from Web frameworks, to new browser designs, and runtime systems), language-based security (constant-time programming, memory safety, and information flow control), verification for security, and (static and symbolic) bug finding tools. At Intrinsic, I am putting research into practice by similarly building systems, tools, and languages that ultimately make it easier for developers to build and deploy web applications with minimal trust.

I am also a member of the W3C WebAppSec Working Group and Node.js Security Working Group.

I completed my Ph.D. in Computer Science at Stanford under David Mazières and John C. Mitchell and (informally) Alejandro Russo. Prior to Stanford, I obtained a B.E. and M.E. in Electrical Engineering at Cooper Union. At Cooper, I worked on GPU and FPGA crypto implementations. I am still generally interested in hardware architectures, especially in the context of security.

Professional Activities

I have served, or am serving, on the program committees for:

2020:
PriSC (PC co-chair), Security, S&P
2019:
SOSP, Security, S&P, PriSC, TheWebConf
2018:
S&P, PLDI, SecDev, CSF, FCS
2017:
CCS, Security, Euro S&P, SEC@SAC, WWW, SecDev (Tutorial track)
2016:
SEC@SAC, POST, Security, PLAS (PC co-chair), SecDev
2015:
FCS, HiW

Teaching

Fall 2019:
CSE 127: Computer Security
Spring 2019:
CSE 227: Graduate Computer Security (largely for PhD students)
Winter 2019:
CSE 127: Computer Security
Fall 2018:
CSE 227: Graduate Computer Security
Winter 2018:
CSE 130: Programming Languages: Principles and Paradigms
CSE 291: Language-based Security
Winter 2017:
CSE 130: Programming Languages: Principles and Paradigms
Fall 2016:
CSE 291: Building Secure Systems using Programming Languages and Analysis
CSE 290: Early Papers in Computer Security (co-taught with Hovav Shacham)

Prior to UCSD, I was also an instructor and teaching assistant for several courses at Stanford and Cooper.

Stanford

Fall 2014:
CS242: Programming Languages (co-taught with Edward Z. Yang)
Fall 2013:
CS242: Programming Languages (co-taught with Edward Z. Yang)
Winter 2013:
CS240: Advanced Topics in Operating Systems (assistant)
Fall 2011:
CS242: Programming Languages (assistant)

Cooper Union

Summer 2010:
Advanced Programming in Java (retraining program instructor)
Spring 2010:
Programming in Java (retraining program instructor)
Spring 2009:
ECE403: Selected Topics in Probability and Stochastic Processes (assistant)
Spring 2007:
ECE150: Digital Logic Design (assistant)
Fall 2006:
ECE150: Digital Logic Design (assistant)

Selected Publications

Below you will find a select list of papers. DBLP has a slightly more complete list.

Conferences/Workshops

  • Klaus von Gleissenthall, Rami Gökhan Kıcı, Deian Stefan, and Ranjit Jhala. IODINE: Verifying Constant-Time Execution of Hardware. In Proceedings of USENIX Security Symposium. August, 2019.
    [ paper | bibtex ]
  • Sunjay Cauligi, Gary Soeller, Brian Johannesmeyer, Fraser Brown, Riad S. Wahby, John Renner, Benjamin Gregoire, Gilles Barthe, Ranjit Jhala, and Deian Stefan. FaCT: A DSL for timing-sensitive computation. In Proceedings of Conference on Programming Language Design and Implementation (PLDI), ACM SIGPLAN. June, 2019.
    [ paper | bibtex ]
  • Craig Disselkoen, John Renner, Conrad Watt, Tal Garfinkel, Amit Levy, and Deian Stefan. Position Paper: Bringing Memory Safety to WebAssembly. In Proceedings of Hardware and Architectural Support for Security and Privacy (HASP). June, 2019.
    [ paper | bibtex ]
  • Marco Vassena, Gary Soeller, Peter Amidon, Matthew Chan, John Renner, and Deian Stefan. Foundations for parallel information flow control runtime systems. In Proceedings of Conference on Principles of Security and Trust (POST), Springer. April, 2019.
    [ paper | bibtex ]
  • Conrad Watt, John Renner, Natalie Popescu, Sunjay Cauligi, and Deian Stefan. CT-Wasm: Type-Driven Secure Cryptography for the Web Ecosystem. In Proceedings of ACM SIGPLAN Symposium on Principles of Programming Languages (POPL). January, 2019.
    [ paper | bibtex ]
  • Klaus von Gleissenthall, Rami Gökhan Kıcı, Alexander Bakst, Deian Stefan, and Ranjit Jhala. Pretend Synchrony: Synchronous Verification of Asynchronous Distributed Programs. In Proceedings of ACM SIGPLAN Symposium on Principles of Programming Languages (POPL). January, 2019.
    [ paper | bibtex ]
  • Marco Vassena, Alejandro Russo, Deepak Garg, Vineet Rajani, and Deian Stefan. From Fine- to Coarse-Grained Dynamic Information Flow Control and Back. In Proceedings of ACM SIGPLAN Symposium on Principles of Programming Languages (POPL). January, 2019. Distinguished paper award.
    [ paper | bibtex ]
  • Craig Disselkoen, Tal Garfinkel, Deian Stefan, and Conrad Watt. Trestle: Bridging the Performance and Safety Divide in WebAssembly. In Workshop on Principles of Secure Compilation (PriSC). January, 2019.
  • Marc Andrysco, Andres Nöetzli, Fraser Brown, Ranjit Jhala, and Deian Stefan. Towards Verified, Constant-time Floating Point Operations. In Proceedings of ACM Conference on Computer and Communications Security (CCS). October, 2018.
    [ paper | bibtex ]
  • Michael Smith, Craig Disselkoen, Shravan Narayan, Fraser Brown, and Deian Stefan. Browser history re:visited. In Proceedings of USENIX Workshop on Offensive Technologies (WOOT). August, 2018.
    [ paper | bibtex ]
  • John Renner, Sunjay Cauligi, and Deian Stefan. Constant-Time WebAssembly. In Workshop on Principles of Secure Compilation (PriSC). January, 2018.
    [ paper | bibtex ]
  • Sunjay Cauligi, Gary Soeller, Fraser Brown, Brian Johannesmeyer, Yunlu Huang, Ranjit Jhala, and Deian Stefan. FaCT: A Flexible, Constant-Time Programming Language. In Proceedings of Cybersecurity Development (SecDev), IEEE. September, 2017.
    [ paper | bibtex ]
  • Gary Soeller and Deian Stefan. Multi-core IFC: Securing the space-time continuum. In Workshop on Foundations of Computer Security (FCS). August, 2017.
    [ paper | bibtex ]
  • Fraser Brown, Shravan Narayan, Riad S. Wahby, Dawson Engler, Ranjit Jhala, and Deian Stefan. Finding and Preventing Bugs in JavaScript Bindings. In Proceedings of Symposium on Security and Privacy, IEEE. May, 2017.
    [ paper | bibtex ]
  • Stefan Heule, Devon Rifkin, Deian Stefan, and Alejandro Russo. The Most Dangerous Code in the Browser. In Proceedings of Workshop on Hot Topics in Operating Systems (HotOS), USENIX. May, 2015.
    [ paper | bibtex | slides ]
  • Stefan Heule, Deian Stefan, Edward Z. Yang, John C. Mitchell, and Alejandro Russo. IFC Inside: Retrofitting Languages with Dynamic Information Flow Control. In Proceedings of Conference on Principles of Security and Trust (POST), Springer. April, 2015.
  • Deian Stefan, Edward Z. Yang, Petr Marchenko, Alejandro Russo, Dave Herman, Brad Karp, and David Mazières. Protecting Users by Confining JavaScript with COWL. In Proceedings of Symposium on Operating Systems Design and Implementation (OSDI), USENIX. October, 2014.
    [ paper | bibtex | slides | video ]
  • Pablo Buiras, Deian Stefan, and Alejandro Russo. On Dynamic Flow-sensitive Floating-Label Systems. In Proceedings of Computer Security Foundations Symposium (CSF), IEEE. July, 2014.
    [ paper | bibtex ]
  • Deian Stefan, Pablo Buiras, Edward Z. Yang, Amit Levy, David Terei, Alejandro Russo, and David Mazières. Eliminating Cache-based Timing Attacks with Instruction-based Scheduling. In Proceedings of European Symposium on Research in Computer Security (ESORICS), Springer. September, 2013.
    [ paper | bibtex | slides ]
  • Pablo Buiras, Amit Levy, Deian Stefan, Alejandro Russo, and David Mazières. A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems. In Proceedings of Trustworthy Global Computing (TGC), Springer. August, 2013.
  • Edward Yang, Deian Stefan, John Mitchell, David Mazières, Petr Marchenko, and Brad Karp. Toward Principled Browser Security. In Proceedings of Workshop on Hot Topics in Operating Systems (HotOS), USENIX. May, 2013.
    [ paper | bibtex | slides ]
  • Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, David Mazières, John Mitchell, and Alejandro Russo. Hails: Protecting Data Privacy in Untrusted Web Applications. In Proceedings of Symposium on Operating Systems Design and Implementation (OSDI), USENIX. October, 2012.
    [ paper | bibtex | slides | video ]
  • Deian Stefan, Alejandro Russo, Pablo Buiras, Amit Levy, John C. Mitchell, and David Mazières. Addressing Covert Termination and Timing Channels in Concurrent Information Flow Systems. In Proceedings of International Conference on Functional Programming (ICFP), ACM SIGPLAN. September, 2012.
    [ paper | bibtex | slides | video ]
  • John C. Mitchell, Rahul Sharma, Deian Stefan, and Joe Zimmerman. Information-flow control for programming on encrypted data. In Proceedings of Computer Security Foundations Symposium (CSF), IEEE. June, 2012.
    [ paper | bibtex ]
  • Deian Stefan, Alejandro Russo, David Mazières, and John C. Mitchell. Disjunction Category Labels. In Proceedings of Nordic Conference on Security IT Systems (NordSec), Springer. October, 2011.
    [ paper | bibtex | slides ]
  • Deian Stefan, Alejandro Russo, John C. Mitchell, and David Mazières. Flexible Dynamic Information Flow Control in Haskell. In Proceedings of Haskell Symposium, ACM SIGPLAN. September, 2011.
    [ paper | bibtex | slides ]
  • Deian Stefan and Danfeng Yao. Keystroke-dynamics authentication against synthetic forgeries. In Proceedings of Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), IEEE. October, 2010. Best Paper Award.
    [ paper | bibtex ]
  • Joppe W. Bos and Deian Stefan. Performance analysis of the SHA-3 candidates on exotic multi-core architectures. In Proceedings of Cryptographic Hardware and Embedded Systems (CHES), Springer. August, 2010.
    [ paper | bibtex ]
  • Shahram Khazaei, Simon Knellwolf, Willi Meier, and Deian Stefan. Improved Linear Differential Attacks on CubeHash. In Proceedings of International Conference on Cryptology (AFRICACRYPT), Springer. May, 2010. Awarded the 2010.01 Prize by DJB.
    [ paper | bibtex ]
  • Dag Arne Osvik, Joppe W. Bos, Deian Stefan, and David Canright. Fast software AES encryption. In Proceedings of International Workshop on Fast Software Encryption (FSE), Springer. February, 2010.
    [ paper | bibtex ]
  • Deian Stefan. Hardware Framework for the Rabbit Stream Cipher. In Proceedings of International Conference on Information Security and Cryptology (INSCRYPT), Springer. December, 2009.
    [ paper | bibtex ]
  • Jared Harwayne-Gidansky, Deian Stefan, and Ishaan L. Dalal. FPGA-based SoC for real-time network intrusion detection using counting bloom filters. In Proceedings of SoutheastCon, IEEE. March, 2009.
    [ paper | bibtex ]
  • Ishaan L. Dalal, Deian Stefan, and Jared Harwayne-Gidansky. Low discrepancy sequences for Monte Carlo simulations on reconfigurable platforms. In Proceedings of International Conference on Application-Specific Systems, Architectures and Processors (ASAP), IEEE. July, 2008.
    [ paper | bibtex ]
  • Deian Stefan, David B. Nummey, Jared Harwayne-Gidansky, and Ishaan L. Dalal. On Parallelizing the CryptMT Stream Cipher. In Proceedings of Vehicular Technology Conference (VTC Spring), IEEE. May, 2008.
    [ paper | bibtex ]
  • Ishaan L. Dalal and Deian Stefan. A hardware framework for the fast generation of multiple long-period random number streams. In Proceedings of International Symposium on Field Programmable Gate Arrays (FPGA), ACM. February, 2008.
    [ paper | bibtex ]
  • Deian Stefan and Christopher Mitchell. On the Parallelization of the MICKEY-128 2.0 Stream Cipher. In Proceedings of The State of the Art of Stream Ciphers (SASC), Springer. February, 2008.
    [ paper | bibtex ]

Journals

  • Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, David Mazières, John Mitchell, and Alejandro Russo. Hails: Protecting Data Privacy in Untrusted Web Applications. Journal of Computer Security, IOS Press. Volume 25, Issue 4-5, 2017.
  • Deian Stefan, Alejandro Russo, David Mazières, and John C. Mitchell. Flexible Dynamic Information Flow Control in the Presence of Exceptions. Journal of Functional Programming, Cambridge University Press. Volume 27, 2017.
  • Deian Stefan, Xiaokui Shu, and Danfeng (Daphne) Yao. Robustness of keystroke-dynamics based biometrics against synthetic forgeries. Computers & Security, Elsevier. 31(1) 2012.
    [ paper | bibtex ]
  • Kui Xu, Huijun Xiong, Chehai Wu, Deian Stefan, and Danfeng Yao. Data-Provenance Verification For Secure Hosts. Transactions on Dependable and Secure Computing, IEEE. 2012.
    [ paper | bibtex ]

Specifications

  • Deian Stefan. Confinement with Origin Web Labels. World Wide Web Consortium, First Public Working Draft WD-COWL-20151015. October, 2015.
    [ spec | bibtex ]

Demos

  • Deian Stefan, Amit Levy, Alejandro Russo, and David Mazières. Building Secure Systems with LIO. In Proceedings of Haskell Symposium, ACM SIGPLAN. September, 2014.
    [ paper | bibtex | slides | video | code ]
  • Amit Levy, David Terei, and David Mazières. Making Web Applications -XSafe. In Proceedings of Haskell Symposium, ACM SIGPLAN. September, 2014.
    [ paper | bibtex ]
  • Deian Stefan and David Mazières. Building Secure Systems with LIO. In Proceedings of Workshop on Programming Languages and Analysis for Security (PLAS), ACM SIGPLAN. July, 2014. Invited talk.
    [ paper | bibtex | slides | code ]

Non-refereed/Unpublished

  • Jean Pierre Talpin, Jean Joseph Marty, Shravan Narayan, Deian Stefan, and Rajesh Gupta. Towards verified programming of embedded devices. In Proceedings of IEEE Design, Automation and Test in Europe (DATE). March, 2019. Invited paper.
    [ paper | bibtex ]
  • Fraser Brown, Ariana Mirian, Atyansh Jaiswal, Andres Nöetzli, and Deian Stefan. SPAM: a Secure Package Manager. April, 2017.
    [ paper | bibtex ]
  • Daniel B. Giffin, Stefan Heule, Amit Levy, David Mazières, John Mitchell, Alejandro Russo, Amy Shen, Deian Stefan, David Terei, and Edward Z. Yang. Security and the average programmer. In Proceedings of Conference on Principles of Security and Trust (POST), Springer. April, 2014. Invited paper.
    [ paper | bibtex ]
  • Alex Bain, John Mitchell, Rahul Sharma, Deian Stefan, and Joe Zimmerman. A Domain-Specific Language for Computing on Encrypted Data. In Proceedings of Foundations of Software Technology and Theoretical Computer Science (FSTTCS), LIPIcs. December, 2011. Invited paper.
  • Deian Stefan and John C. Mitchell. Analysing Object-Capability Patterns With Murφ. April, 2011.
    [ paper | bibtex ]

Theses

  • Deian Stefan. Principled and Practical Web Application Security. Ph.D. Thesis, Stanford University. December, 2015.
    [ thesis | bibtex ]
  • Deian Stefan. Analysis and Implementation of eSTREAM and SHA-3 Cryptologic Algorithms. M.Eng. Thesis, Cooper Union. May, 2011.
    [ thesis | bibtex ]


The documents distributed by this server have been provided as a means to ensure timely dissemination of scholarly and technical work on a noncommercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that the works are offered here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be distributed without the explicit permission of the copyright holder.

Application Materials

Below you can find my curriculum vitae, research statement, and teaching statement. My curriculum vitae contains the contact information for my references.

The following three papers are representative: