CIS Seminar: “Realizing the Promise of Language-level Security in Real Systems”

February 27 at 3:30 PM - 4:30 PM

Promises are cheap. Software vendors routinely describe their offerings as “secure”, but few are based on designs that can guarantee even the most basic security properties. To address this problem, services like Cloudflare, Android, and Firefox are increasingly relying on languages like Rust and WebAssembly to provide safety by design. But these promises too can fall short: any vulnerability in the execution stack—compiler, runtime, OS, or hardware—can undermine language-level security.

 

In this talk, I present my research towards delivering on the promise of language-level security by building an execution stack that guarantees that these security properties are preserved. In particular, I will describe how three of my systems, VeriWasm, WaVe, and VTock, guarantee safety of the compiler, language runtime, and OS respectively. I will focus on how the designs of these systems provide formal guarantees while still adhering to production constraints that allow them to be deployed in real systems used by millions of users. I will conclude by discussing some future directions for this work, such as retrofitting formal safety guarantees to safety-critical embedded systems and clean-slate OS design using language-level isolation.

Evan Johnson

Computer Science and Engineering, University of California San Diego

Evan Johnson is a PhD candidate at UC San Diego, advised by Deian Stefan and Stefan Savage. His research sits at the intersection of security, systems, and programming languages. In particular, his research goal is to design systems that provide strong formal safety guarantees for foundational code like compilers and operating systems—while still being practical enough to deploy in production. Evan and his colleagues have won the Distinguished Paper Award at IEEE S&P ’23 and ASPLOS ’25, been featured in IEEE Micro Top Picks, and won runner-up for the Intel Hardware Security Academic Award. His work is deployed in production on real systems, including the Firefox browser.

Details

Date:
February 27
Time:
3:30 PM - 4:30 PM
Website:
https://www.cis.upenn.edu/events/

Organizer

Computer and Information Science
Phone
215-898-8560
Email
cherylh@cis.upenn.edu

Venue

Levine 307
3330 Walnut Street
Philadelphia, PA 19104 United States