I am pursuing a Ph.D. in the Department of Computer Science at the University of Illinois at Chicago with Professor Chris Kanich in the BITS Networked Systems Laboratory. I received my undergraduate degree from Lawrence University in political science, with a focus on economics. I then briefly attended Boston College Law School, then worked professionally doing web and iOS contract work.
My research focuses on the security and privacy of systems, and how the security guarantees of those systems can be improved through simplification, attack surface reduction, and by identifying seldom used features and code paths that pose more risk than benefit to their users.
Current projects include measuring the popularity, desirability and security costs of browser complexity, and investigating alternative web systems that prioritize client security and code predictability at minimal cost to web-author expressiveness.
I am also interested in better understanding and measuring the costs to users of security violations. My work in this area includes measuring the frequency and affects of doxxing, and the security risks of long term cloud storage.
Improved feature blocking in the Brave Browser
This patch improves the technique Brave was using to limit access to Web API features commonly used for tracking users online.
Previously, the project would replace tracking-related Web API methods (e.g.
This successfully prevented websites from accessing these problematic functions, but would cause issues when code tried to interact with
these now removed methods. For example, the if the
getShaderPrecisionFormat method had been replaced with
code expecting to call
getShaderPrecisionFormat and do something with the results, such as accessing the
on the returned format object, would crash.
My solution, described in our CCS,
Most Websites Don’t Need to Vibrate: A Cost–Benefit Approach to Improving Browser Security,
was to be more clever with what we replace these blocked / problematic methods with. Instead of replacing them with
we create a specially configured version of the ES6 Proxy object.
This specially configured Proxy object traps all ways that objects are interacted with in the Web API, such as being coerced into a string
String(x)), being indexed into like an array (
x[y]), being called as a function (
x()), etc. We
configured our proxy objects to return themselves on most language operations. We then replaced the problematic Web API functions with these
self-yielding proxy objects.
As a result, code like
would run in normal browsers as usual (harming users privacy). Before our patch, the Brave browser would prevent the above code from
executing, protecting users privacy, but at the cost crashing the program, and preventing later, benign parts of the program to continue running.
With our research and code, Brave users now have the best of both worlds: websites are prevented from accessing harmful functionality,
but without crashing other, benign parts of the site.
More details about our approach are available in our paper.