At a coffee shop in Chiang Mai, Thailand

I’m a terminal year Computer Science PhD student at Stanford University. I work with David Mazières in the Secure Computer Systems group and Phil Levis in the Stanford Information Networks Group.

My partner-in-crime, Kaitlin Morrison, is doing a fellowship at the National Resource Defense Council in New York. So, while I’m still a student at Stanford, I live and sometimes work in New York.

I’m currently working on a new secure operating system for embedded devices called TockOS. I also work on Hails, a framework for building secure web platforms and Beetle, a network architecture for Bluetooth Low Energy.

I’m generally interested in distributed systems, operating systems, security, privacy, programming languages and good will towards people.

In another life, I work on MemCachier - memcache-as-a-service for web applications hosted on platforms like Heroku, cloudControl or directly on EC2. I do not generally recommended starting a business while in grad school, but if you have to – and sometimes you have to – I highly recommend doing it with someone pleasant, like my co-conspirator David Terei.

If you want a job that involves interacting with human begins, programming in Go and Haskell, running a distributed storage system and relatively little work, please contact me.


In December 2010 I graduated from the University of Washington with an MSc in Computer Science and a BSc in Computer Science and Economics.

On the computer science side of things, I worked with Roxana Geambasu, Hank Levy, Tadayoshi Kohno and Arvind Krishnamurthy on web privacy and distributed systems. On the economics side of things I worked on writing exams with as little preparation as possible. In hind sight I should have taken classes in something useful, like history, instead.

Between UW and Stanford I sat at StartPad, a co-working space in Seattle, where I worked on projects with my friend Courty Stanton for fun and profit.

I’ve interned at Google (a popular surveillance system and search engine), once developing distributed testing tools and again building tools to help developers schedule their cluster jobs. Before that I worked at the Grameen Foundation as an intern on the MIFOS (Micros Finance Open Source) project. Before that, I spent my summers as a day-camp counselor at a performing arts camp.

Once, I met Eben Moglen and he asked me if I worked for Mossad, which seems like a silly question to ask someone you think works for Mossad.

Current Projects

Tock OS

Embedded operating systems have traditionally been limited to libraries that abstract hardware and implement common utilities. These systems provide only limited mechanisms, if any, to ensure the safety of drivers or isolate applications. Instead, developers must assume that all code is equally trustworthy and bug free. As embedded systems strive to provide additional features, developers draw on third-party source code for libraries, drivers and applications. Incorporating this external code safely is difficult in memory constrained, low power embedded microcontrollers that lack virtual memory. Processes, for example, require per-component stacks. On a 16-64 kB microcontroller, this can be prohibitive.

Tock is a safe, multitasking operating system for memory constrained devices. Tock is written in Rust, a type-safe systems language with no runtime or garbage collector. Tock uses the Rust type system to enforce safety of components, called capsules, in a single-threaded event-driven kernel. In addition, Tock uses remaining memory to support processes written in any language. To support safe event-driven code that responds to requests from processes, Tock introduces two new abstractions: memory containers and memory grants.


The next generation of computing peripherals will be low-power ubiquitous computing devices such as door locks, smart watches, and heart rate monitors. Bluetooth Low Energy is a primary protocol for connecting such peripherals to mobile and gateway devices. Current operating system support for Bluetooth Low Energy forces peripherals into vertical application silos. As a result, simple, intuitive applications such as opening a door with a smart watch or simultaneously logging and viewing heart rate data are impossible. Beetle is a new hardware interface that virtualizes peripherals at the application layer, allowing safe access by multiple programs without requiring the operating system to understand hardware functionality, fine-grained access control to peripheral device resources, and transparent access to peripherals connected over the network.


Hails is a web platform framework that obviates the traditional trade-off in extensible web applications between privacy/confidentiality and extensibility. Hails leverages language-level information flow control in Haskell to enable feature rich applications to share data while ensuring that security policies are carried over and enforced along with the data. Traditionally, web applications allow extensibility by exposing an API. “Blessed” third-party apps that granted access to the API (or a subset of the API) are entrusted with (often sensitive) user data to do what they please. This is problematic not only because third-party app developers may be malicious, but more practically because it reduces the trustworthiness of a platform to the least trustworthy third-party developers (who is often incentivized to prioritize features over security). Hails addresses this problem by tying security policies to data using information-flow-control labels. In Hails, a common, trusted, platform ensures that apps that have seen sensitive data may communicate with users, files, database etc, that are not privileged to see that data. Moreover, as opposed to traditional platforms where there is a host application that has more access to data than third-party apps, in Hails all apps have the same access to data. This enables developers to build complete alternatives to applications without requiring users to migrate their data or give up network effects.

Previous Projects


Comet extended the distributed key-value storage abstraction to facilitate the sharing of a single storage system by applications with diverse needs, allowing them to reap the consolidation benefits inherent in today’s massive clouds. Distributed key-value storage systems are widely used in corporations and across the Internet. We wanted to greatly expand the application space for these systems through application-specific customization. We designed and implemented Comet, an extensible, distributed key-value store. Each Comet node stores a collection of active storage objects (ASOs) that consist of a key, a value, and a set of handlers. Comet handlers run as a result of timers or storage operations, such as get or put, allowing an ASO to take dynamic, application-specific actions to customize its behavior. Handlers are written in a simple sandboxed extension language, providing safety and isolation properties. We implemented a Comet prototype for the Vuze distributed hash table, deployed Comet nodes on Vuze from PlanetLab, and built and evaluated over a dozen Comet applications.


Today’s technical and legal landscape presents formidable challenges to personal data privacy. First, our increasing reliance on Web services causes personal data to be cached, copied, and archived by third parties, often without our knowledge or control. Second, the disclosure of private data has become commonplace due to carelessness, theft, or legal actions. In Vanish our goal was to protect the privacy of past, archived data - such as copies of e-mails maintained by an email provider - against accidental, malicious, and legal attacks. Specifically, we wanted to ensure that all copies of data become unreadable after a user-specified time, without any specific action on the part of a user, and even if an attacker obtains both a cached copy of that data and the user’s cryptographic keys and passwords. Vanish achieved this by integrating cryptographic techniques with global-scale, peer-to-peer, distributed hash tables.

Workload Characterization

During summer 2010, I worked with Joseph L. Hellerstein at Google. We targeted a set of key questions that developers scheduling jobs on a cluster care about, but are hard or impossible to answer with existing tools: Will a job schedule? What changes to a job would make it more likely to schedule? Which resources can a job consume more of without impacting the ability to schedule it? Our challenge was to define metrics that accurately and predictively describe a job given the cluster it was scheduled on, and to compute those metrics efficiently enough to allow for interactive exploration of job configuration. We chose to estimate the number of scheduling slots available to a job over the past two weeks. However, computing the actual count is too expensive to do interactively. Our approach was to perform continuous statistical characterization of machine loads, and to compute an estimate of the number of slots based on that characterization. As a result we were able to build tools that give developers a meaningful way to compare different job configurations.






Graduate Coursework


Functional Systems in Haskell (CS 240H): Autumn 2011, instructor David Mazières Project: FriendStar: Extensible Web Applications with Information Flow Control. Paper [PDF], Code [GitHub]

University of Washington

Implementation of Programming Languages (CSE 501): Autumn 2010, instructor Michael Ernst
Project: Faster Real-Time Classification Using Compilation. Materials forthcoming.

Molecular Programming (CSE 505): Spring 2010, instructor Georg Seeling

Human Computer Interaction (CSE 510): Spring 2010, instructor James Fogarty
Project: Community detection in Social Networks. Presentation [PPTX, PDF], Paper [PDF]

Operating Systems and the Web (CSE 599W): Winter 2010, instructor Steve Gribble

Design and Analysis of Algorithms (CSE 521): Winter 2010, instructor Paul Beame

Computer Systems Research (CSE 551): Autumn 2009, instructor Tom Anderson.
Project: Distribued Queue. Presentation [PDF], Paper [PDF]

Selected Undergraduate Coursework

Design & Implementation of Large Scale Clusters (CSE 490H):
Autumn 2009, instructor Ed Lazowska.
Project: Distributed Hash Table. Website (contains paper and presentation links)


I have been a teaching assistant for three courses over seven quarters

  • CSE 143 (Intro II) - Spring, Summer, Fall 07, Winter 08
  • CSE 190M (Web Programming) - Spring 08
  • CSE 341 (Programming Languages) - Fall 08, Winter 09



  • Safely and Efficiently Multiprogramming a 64kB Computer. Secure Internet of Things Project Retreat 2017. Slides: [PDF]


  • Beetle: Sharing, flexibility and access control for Bluetooth Low Energy. Mobisys 2016
    Slides: [PDF]

  • Tock: A Safe Multi-tasking Operating System for Microcontrollers. Intel, Google.
    Slides: [PDF]

  • Tock: A Secure OS for Embedded Platforms. Analog Devices Inc.
    Slides: [PDF]


  • Ownership is Theft: Experiences Building an Embedded OS in Rust..
    Programming Languages and Operating Systems (PLOS).
    Slides: [PDF]

  • Microcontrollers Deserve Protection Too. Stanford Security Forum.
    Slides: [PDF]

  • Are Security and Low Energy Incompatible? Stanford Security Lunch.
    Slides: [PDF]

  • Beetle: Many-to-Many Bluetooth Communication. Stanford Secure Internet of Things Project Seminar.
    Slides: [PDF] Video: [YouTube]


  • Making Web Applications -XSafe. Haskell Symposium.
    Video: [YouTube]

  • CDNs Considered Harmful. Stanford Security Lunch.
    Slides: [PDF]


  • Bridging the Security Gap with Decentralized Information Flow Control. UW CSE Systems Seminar.
    Slides: [PDF]

  • Reigning in the Memory Manager. San Francisco Go Meetup.
    Slides: [HTML]

  • Simple. A functional web framework in Haskell. Heroku.
    Slides: [HTML]


  • Bridging the Security Gap with Decentralized Information Flow Control. CRASH PI Meeting.
    Slides: [PDF]

  • Hails: Protecting Data Privacy in Untrusted Web Apps. Stanford Security Forum.
    Slides: [PDF]

  • Scaling Web Applications with MemCachier. PivotalLabs.
    Video: [Vimeo]


  • Experiences Leveraging DHTs for a Security Applications. Stanford Security Lunch.
    Slides: [PDF]


Source: GitHub Package: Hackage Website:

Simple is “framework-less” web framework for Haskell web applications. Unlike many other frameworks, Simple does not enforce a particular structure or paradigm for web applications. Rather, Simple provides enough infrastructure to help you create your own patterns (or re-create existing ones). Simple is minimalist, providing a lightweight base. Everything else (e.g. sessions, controllers, persistence, caching) is provided in composable units, so you can include only the ones you need in your app, and easily replace with your own components.


Source: GitHub Package: Hackage

An ORM (Object Relational Mapping) and migrations DSL for PostgreSQL. See Database.PostgreSQL.ORM for documentation.


Source: GitHub Packge: npm Documentation: WWW

MemJS is a pure Node.js client library for accessing the MemCachier service and other memcache servers. It uses the binary protocol and support SASL authentication. It is currently my most popular project, with nearly 2000 downloads a day from npm (it is used extensively by Heroku app-developers, and Heroku recompiles app dependencies once a day, so this probably accounts for most of the downloads).


Source: GitHub

A simple tool that uses the great powers of daemon tools to give a simple way to manage a long-lived process on a remote server. Think of it like a cheap and cheerful Heroku interface to your server for running and deploying simple applications.


Source: GitHub Gem: RubyGems

Coypond is a semantic grep-like tool for Ruby. You can use coypond to search through ruby code for class, module, or method definitions. It indexes the class, module and method names in a Ruby code base, noting the files they were found in and the locations within those files. It can search through specific files, source code directory trees, or through locally installed gems.

Coypond uses ripper (a built in library as of Ruby 1.9) to generate parse trees from Ruby source files. These parse trees are then use to create an inverted index of the code, annotated with semantic information like whether the definition is a class, module or method.

Jsss - JavaScript Secret Sharing

Source: GitHub

A Shamir Secret Sharing library in JavaScript. Shamir Secret Sharing splits data into n shares, such that only k (<=n) are needed to reconstruct the original data. Possession of any fewer than k shares discloses nothing about the original data. The algorithm generates shares by evaluating a k-1 polynomial, based on the data, at n arbitrary points. We get the data back by performing polynomial interpolation over k of the shares.

Javascript uses variable length numbers natively but breaks arbitrarily when computing large numbers. To mitigate this, the library uses Matthew Crumley‘s BigInteger library and a rational number class that uses fractions under the hood to compute arbitrarily complex numbers accurately. This reduces the speed of generating and recombining shares, but it computation is not feasible and pretty low values of k otherwise.

Source: GitHub

I built the first version of this when I was in Central America in Winter 2011, used it to put up a bunch of content for that trip and my visits to grad schools - it was great. Later, I rebuilt it to use Rails 3.1, lost all of my data and started using the new version for my trip to Berlin with Courty.

The only real benefit over any other CMS is that checking into a location (like a city somewhere in Nicaragua) is a built in feature and pretty easy. It means that I can update my blog without writing anything, and have to checkin with my family a little less often. Checkins are strung together into trips, and posts can be tied to those trips, or even specific checkins. This means that getting an overview of where/how someone has traveled and what they did along the way is easy. Unfortunately, it is highly feature incomplete…

Some Friends’ Websites:

Books That Have Stayed with Me


  • The Giver
  • 1984
  • The Jungle
  • Kindred
  • The Bell Jar
  • Jesus’ Son


  • A Brief History of Time (Stephen Hawking)
  • Feminism is for everyone (bell hooks)
  • Normal Life (Dean Spade)
  • Fermat’s Last Theorm (Amir Azcel)
  • No Logo (Naomi Klein)
  • In the Garden of Beasts (Erik Larson)
  • On Writing Well (William Zinser)

A Partial List of Awesome Movies…

  • Do the right thing
  • Y tu mamá también
  • The Diving Bell & The Butterfly
  • Eternal Sunshine of the Spotless Mind
  • Volver
  • Slackers
  • I Heart Huckabees
  • The Life Aquatic, The Royal Tenenbaums, Fantastic Mr. Fox, and everything else Wes Anderson…
  • The Bubble
  • Le Placard

Special Category: The Room

Places I’ve Traveled

I try to travel as much as possible - usually alone, but sometimes with friends. I don’t normally take pictures or keep a journal or anything, so this is mostly for me to remember where I’ve been. Alphabetically by region, then country, I’ve been to:

  • Americas:
    • Brazil: Manaus
    • Canada: Gabriola Island, Nanaimo, Vancouver, Victoria, Montreal, Jasper, Lake Louise
    • Costa Rica: San Jose, Alajuale, Monteverde, Tamarindo, Samara
    • El Salvador: San Salvador, Los Cobanos, Morazan
    • Guatemala: Antigua
    • Honduras: San Pedro Sula, Utila
    • Mexico: Cancun, Chichen Itza, Mexico City, Tulum, Valladolid, Playa del Carmen, Cozumel
    • Nicaragua: Leon, San Juan Del Sur
    • Peru: Lima
  • Asia:
    • India: Mumbai, Udaipur
    • Japan: Tokyo, Kyoto, Nara, Mount Koya
    • Thailand: Bangkok, Chiang Mai, Ko Tao
    • Singapore
  • Europe:
    • Belgium: Bruges
    • Denmark: Copenhagen
    • France: Chamonix, La Plagne, Paris, La Plagne
    • Germany: Berlin, Cologn, Frankfurt, Lübeck
    • Hungary: Budapest
    • Italy: Rome, Florence, Bologna, Milan, Venice, Padua, Treviso, Trieste, Ischia
    • Netherlands: Amsterdam
    • Spain: Barcelona, Granada, Seville
    • Switzerland: Geneva, Zurich, Gimmelwald
    • Sweden: Gothenburg
    • UK: London, Edinburgh
  • Middle East:
    • Jordan: Petra
    • Palestine: Bethlehem