Deian Stefan

About Me

I am an Ass Prof in the UCSD CSE Department, starting in Fall 2016.

I am a fifth (and final) year Ph.D. student in Computer Science at Stanford, working with "Prof." David Mazières as part of the Secure Computer Systems Lab, Prof. John C. Mitchell as part of the Security Lab, and Prof. Alejandro Russo. My research interests are in building principled and practical secure systems. More broadly, I am interested in research that spans Programming Languages, Security, and Systems. I work on several systems, including COWL, a browser confinement system designed for modern web applications, Hails, a security-centric framework for building web platforms, LIO, a dynamic information flow control system, and ESpectro, a security architecture for Node.js. You can find more details in my faculty materials.

Recently, I co-founded GitStar, a company that provides an extensible platform for deploying web apps with minimal trust using my research on confinement and information flow control.

Prior to Stanford, I obtained a B.E. and M.E. in Electrical Engineering at Cooper Union. At Cooper, I worked on GPU and FPGA optimizations for crypto.



Below are several projects I have been working on. There are lots of interesting directions to take these projects, so if you are a student interest in hacking systems or semantics: contact me!

ESpectro - security architecture for Node.js

Espectro is a security architecture for server-side JavaScript applications. Today's networked applications do not run with least privilege, making them likely to cause great damage when compromised. Unfortunately, even if developers tried to compartmentalize and secure their applications, existing techniques, such as syscall interposition and containers, are not sufficient: they require developers to specify complex, low-level policies, and, worse yet, operate at the process level. While useful for defense-in-depth, this makes them unsuitable for enforcing many application specific policies. ESpectro addresses these limitations for server-side JavaScript apps, by executing code in light-weight contexts which expose virtualized versions of the core Node.js libraries. Functions in these libraries are implemented as messages to a trusted (parent) context which can perform security checks before and after executing the real Node.js function (the result of which is sent back as a message). In fact, the trusted code can provide a completely different implementation for the virtualized interface to, for instance, implement caching, transparent encryption, SQL/HTML escaping, or a light-weight reverse proxy. The generality of the architecture makes it possible to implement—as a library—different security mechanisms (including mandatory access control), web-server architectures (e.g., Hails, Passe, OKWS), policy specification engines, etc. Amongst other, we are using the system to build a production web platform (similar to that described in the OSDI'12 paper) and the module system for the Breach browser. A research paper describing the system and use cases will be available soon.

[ code ]

COWL - confinement system for the Web

COWL (Confinement with Origin Web Labels) is confinement system for modern web browsers. Web applications running in the browser are conglomerations of JavaScript written by multiple authors: developers routinely incorporate code from third-party libraries, and mashups synthesize data and code hosted at different sites. In existing browsers, both developers and users must trust third-party code not to leak the user's sensitive information from within applications. Even worse, in the status quo, the only way to implement some mashups is for the user to give her login credentials for one site to the operator of another site. COWL addresses this limitation by introducing label-based mandatory access control (MAC) to browsing contexts (pages, iframes, etc.) in a way that is fully backward-compatible with legacy web content. With COWL, developers not only can restrict with whom they share data, but also can impose restrictions on how their data is disseminated once it is shared. COWL achieves flexibility by allowing code to fetch and share data as necessary; it also achieves privacy by ensuring that once code has read sensitive data, it cannot communicating with unauthorized parties that would compromise the data privacy. The COWL site has several examples (code and screenshots) showing this in detail.

There are many MAC systems out there (some of which I built), but the key behind COWL was to figure out a design point that is suitable for the browser. In particular, we wanted a system that confines JavaScript without having to reason about the quirky semantics of the language, without modifying the JavaScript engine, without breaking or slowing down the existing Web, and without imposing too many new concepts on developers. The OSDI'14 paper explains how we did this, while the HotOS XIV gives a flavor of what we can do if we modify browsers to add MAC as the underlying mechanism. The IFC inside tech report describes the formal semantics for a somewhat simplified model of COWL.

I am very excited & to be working on a COWL FPWD as part of the W3C WebAppSec group.

[ code | spec | web site ]

Hails - secure web platform framework

Hails is a Haskell web framework designed for building extensible web platforms. Today's web platforms (e.g., Facebook and Yammer) typically expose REST-like APIs for accessing user data to external apps which, when granted access, can provide new rich functionality. Unfortunately, once granted access, these apps can do as they please with the (often sensitive) data: a malicious or buggy app can easily leak and corrupt user data. This unfortunately forces the end-user to choose between using third-party apps or give up on that functionality to preserve their privacy. To addresses this problem, Hails ties security policies to data using mandatory access control (MAC) or information flow control (IFC) labels. The Hails trusted runtime then ensures that all apps (which now run on the Hails platform) abide by these labels. This allows the platform to treat all apps as untrusted; Hails ensures that these apps cannot leak or corrupt labeled user data. Indeed, core parts of a website can be implemented as untrusted apps, making it easy to build extensible platforms without trading off privacy.

While MAC and IFC systems have been around for a while, Hails stands out as a system that is usable by average developers, today. To this end, we implemented Hails as a library, as opposed to a new language runtime or OS. Moreover, we provide developers with a way of structuring applications in a simple way: Hails just extends the Model-View-Controller architecturewith Policy. Platform developers now only have the additional task of specifying policy. And, Hails makes this an approachable task by tying in the policy with the model definition and providing a declarative, simple policy language for expressing data policies. Expressing high-level concerns in a declarative, simple fashion has been an open challenge for MAC systems. We addressed this challenge and describe the system in the OSDI'12 paper, with a high-level motivation in the POST'14 invited talk. The simple, yet expressive label model used by Hails is described in the NordSec'11 paper.

LIO - practical and expressive language-based DIFC system

LIO is a dynamic, language-level decentralized information flow control (DIFC) system. The system explores a new design point in the DIFC space: a mixed-grained DIFC system. This means that LIO typically tracks and controls the flow of information at a coarse grained level (light-weight threads), while still allowing programmers to associate policies (labels) with individual data, when necessary. This has a number of benefits: it allows for the retrofitting of a language with the security mechanism without many changes to its runtime (in Haskell: none); the mechanism can be exposed as a simple API, without changing the language semantics; and, it has a minimal impact on performance. Interestingly, this mixed-grained approach has the expressivity of fine-grained systems in allowing programmers to associate labels with individual values, and the benefit of coarse-grained DIFC OSes in not forcing programmers to understand and reason about many parts of the system: they only need to reason about the data they associate a label with.

The sequential LIO calculus, Coq proofs, and Haskell implementation are described in the JFP paper (under revision) and Haskell'11 paper. In the ICFP'12 paper we addressed the open challenge of having an expressive concurrent DIFC system that does not leak information through timing covert channels, and showed how to encode flow-sensitive references (common to fine-grained systems) in these calculi in the CSF'14 paper. The demos at PLAS'14 and Haskell'14 show how to build real systems, like Hails, with LIO.

[ code | hackage ]

λP,S- using types to soundly compute on encrypted data

λP,Sis a core, but feature-rich language for programming on encrypted data. Secure multiparty computation (SMC) and fully homomorphic encryption (FHE) are promising building blocks for protecting data from untrusted servers; they allow servers to perform computations on encrypted data without access to decryption keys. Unfortunately, existing approaches to programming on encrypted data are restricting: they require compilation to boolean garbled circuits or using APIs in general-purpose languages. The former limits the kinds of programs that can be written, while the latter allows writing programs that cannot be securely executed. λP,Sis a new programming language and runtime that addresses these cncerns. The language supports many features common to functional languages such as ML, including conditionals, mutable state, and a form of general recursion. Interestingly, programs are developed and tested using conventional means, without encryption or expert-knowledge of crypto. Using an information-flow type system, our compiler ensures that code that can compile can also run on a secure platform that uses SMC and FHE to provide strong guarantees. The CSF'12 paper and FSTTCS'11 invited talk describe this language, Haskell implementation, and several use cases.


I was an instructor and teaching assistant for several courses at Stanford and Cooper.


Fall 2014:
CS242: Programming Languages
Fall 2013:
CS242: Programming Languages
Winter 2013:
CS240: Advanced Topics in Operating Systems (assistant)
Fall 2011:
CS242: Programming Languages (assistant)

Cooper Union

Summer 2010:
Advanced Programming in Java (retraining program instructor)
Spring 2010:
Programming in Java (retraining program instructor)
Spring 2009:
ECE403: Selected Topics in Probability and Stochastic Processes (assistant)
Spring 2007:
ECE150: Digital Logic Design (assistant)
Fall 2006:
ECE150: Digital Logic Design (assistant)

Selected Publications

Below you will find a select list of academic papers. Google Scholar has a slightly more complete list.


  • Stefan Heule, Devon Rifkin, Deian Stefan, and Alejandro Russo. The Most Dangerous Code in the Browser In Proceedings of Workshop on Hot Topics in Operating Systems (HotOS), USENIX. May, 2015.
    [ paper | bibtex | slides ]
  • Stefan Heule, Deian Stefan, Edward Z. Yang, John C. Mitchell, and Alejandro Russo. IFC Inside: Retrofitting Languages with Dynamic Information Flow Control. In Proceedings of Conference on Principles of Security and Trust (POST), Springer. April, 2015.
    [ paper | bibtex | extened ]
  • Deian Stefan, Edward Z. Yang, Petr Marchenko, Alejandro Russo, Dave Herman, Brad Karp, and David Mazières. Protecting Users by Confining JavaScript with COWL. In Proceedings of Symposium on Operating Systems Design and Implementation (OSDI), USENIX. October, 2014.
    [ paper | bibtex | slides | video ]
  • Pablo Buiras, Deian Stefan, and Alejandro Russo. On Dynamic Flow-sensitive Floating-Label Systems. In Proceedings of Computer Security Foundations Symposium (CSF), IEEE. July, 2014.
    [ paper | bibtex ]
  • Deian Stefan, Pablo Buiras, Edward Z. Yang, Amit Levy, David Terei, Alejandro Russo, and David Mazières. Eliminating Cache-based Timing Attacks with Instruction-based Scheduling. In Proceedings of European Symposium on Research in Computer Security (ESORICS), Springer. September, 2013.
    [ paper | bibtex | slides ]
  • Pablo Buiras, Amit Levy, Deian Stefan, Alejandro Russo, and David Mazières. A Library for Removing Cache-Based Attacks in Concurrent Information Flow Systems. In Proceedings of Trustworthy Global Computing (TGC), Springer. August, 2013.
  • Edward Yang, Deian Stefan, John Mitchell, David Mazières, Petr Marchenko, and Brad Karp. Toward Principled Browser Security. In Proceedings of Workshop on Hot Topics in Operating Systems (HotOS), USENIX. May, 2013.
    [ paper | bibtex | slides ]
  • Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, David Mazières, John Mitchell, and Alejandro Russo. Hails: Protecting Data Privacy in Untrusted Web Applications. In Proceedings of Symposium on Operating Systems Design and Implementation (OSDI), USENIX. October, 2012.
    [ paper | bibtex | slides | video ]
  • Deian Stefan, Alejandro Russo, Pablo Buiras, Amit Levy, John C. Mitchell, and David Mazières. Addressing Covert Termination and Timing Channels in Concurrent Information Flow Systems. In Proceedings of International Conference on Functional Programming (ICFP), ACM SIGPLAN. September, 2012.
    [ paper | bibtex | slides | video ]
  • John C. Mitchell, Rahul Sharma, Deian Stefan, and Joe Zimmerman. Information-flow control for programming on encrypted data. In Proceedings of Computer Security Foundations Symposium (CSF), IEEE. June, 2012.
    [ paper | bibtex ]
  • Deian Stefan, Alejandro Russo, David Mazières, and John C. Mitchell. Disjunction Category Labels. In Proceedings of Nordic Conference on Security IT Systems (NordSec), Springer. October, 2011.
    [ paper | bibtex | slides ]
  • Deian Stefan, Alejandro Russo, John C. Mitchell, and David Mazières. Flexible Dynamic Information Flow Control in Haskell. In Proceedings of Haskell Symposium, ACM SIGPLAN. September, 2011.
    [ paper | bibtex | slides ]
  • Deian Stefan and Danfeng Yao. Keystroke-dynamics authentication against synthetic forgeries. In Proceedings of Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), IEEE. October, 2010. Best Paper Award.
    [ paper | bibtex ]
  • Joppe W. Bos and Deian Stefan. Performance analysis of the SHA-3 candidates on exotic multi-core architectures. In Proceedings of Cryptographic Hardware and Embedded Systems (CHES), Springer. August, 2010.
    [ paper | bibtex ]
  • Shahram Khazaei, Simon Knellwolf, Willi Meier, and Deian Stefan. Improved Linear Differential Attacks on CubeHash. In Proceedings of International Conference on Cryptology (AFRICACRYPT), Springer. May, 2010. Awarded the 2010.01 Prize by DJB.
    [ paper | bibtex ]
  • Dag Arne Osvik, Joppe W. Bos, Deian Stefan, and David Canright. Fast software AES encryption. In Proceedings of International Workshop on Fast Software Encryption (FSE), Springer. February, 2010.
    [ paper | bibtex ]
  • Deian Stefan. Hardware Framework for the Rabbit Stream Cipher. In Proceedings of International Conference on Information Security and Cryptology (INSCRYPT), Springer. December, 2009.
    [ paper | bibtex ]
  • Jared Harwayne-Gidansky, Deian Stefan, and Ishaan L. Dalal. FPGA-based SoC for real-time network intrusion detection using counting bloom filters. In Proceedings of SoutheastCon, IEEE. March, 2009.
    [ paper | bibtex ]
  • Ishaan L. Dalal, Deian Stefan, and Jared Harwayne-Gidansky. Low discrepancy sequences for Monte Carlo simulations on reconfigurable platforms. In Proceedings of International Conference on Application-Specific Systems, Architectures and Processors (ASAP), IEEE. July, 2008.
    [ paper | bibtex ]
  • Deian Stefan, David B. Nummey, Jared Harwayne-Gidansky, and Ishaan L. Dalal. On Parallelizing the CryptMT Stream Cipher. In Proceedings of Vehicular Technology Conference (VTC Spring), IEEE. May, 2008.
    [ paper | bibtex ]
  • Ishaan L. Dalal and Deian Stefan. A hardware framework for the fast generation of multiple long-period random number streams. In Proceedings of International Symposium on Field Programmable Gate Arrays (FPGA), ACM. February, 2008.
    [ paper | bibtex ]
  • Deian Stefan and Christopher Mitchell. On the Parallelization of the MICKEY-128 2.0 Stream Cipher. In Proceedings of The State of the Art of Stream Ciphers (SASC), Springer. February, 2008.
    [ paper | bibtex ]


  • Deian Stefan, Alejandro Russo, David Mazières, and John C. Mitchell. Flexible Dynamic Information Flow Control in the Presence of Exceptions. Journal of Functional Programming, Cambridge University Press. 2012. Under revision.
    [ paper | bibtex | code ]
  • Deian Stefan, Xiaokui Shu, and Danfeng (Daphne) Yao. Robustness of keystroke-dynamics based biometrics against synthetic forgeries. Computers & Security, Elsevier. 31(1) 2012.
    [ paper | bibtex ]
  • Kui Xu, Huijun Xiong, Chehai Wu, Deian Stefan, and Danfeng Yao. Data-Provenance Verification For Secure Hosts. Transactions on Dependable and Secure Computing, IEEE. 2012.
    [ paper | bibtex ]


  • Deian Stefan, Amit Levy, Alejandro Russo, and David Mazières. Building Secure Systems with LIO. In Proceedings of Haskell Symposium, ACM SIGPLAN. September, 2014.
    [ paper | bibtex | slides | video | code ]
  • Amit Levy, David Terei, and David Mazières. Making Web Applications -XSafe. In Proceedings of Haskell Symposium, ACM SIGPLAN. September, 2014.
    [ paper | bibtex ]
  • Deian Stefan and David Mazières. Building Secure Systems with LIO. In Proceedings of Workshop on Programming Languages and Analysis for Security (PLAS), ACM SIGPLAN. July, 2014. Invited talk.
    [ paper | bibtex | slides | code ]


  • Stefan Heule, Devon Rifkin, Alejandro Russo, and Deian Stefan. The Most Dangerous Code in the Browser: Extensions. January, 2015.
    [ paper | bibtex ]
  • Daniel B. Giffin, Stefan Heule, Amit Levy , David Mazières, John Mitchell, Alejandro Russo, Amy Shen, Deian Stefan, David Terei, and Edward Z. Yang. Security and the average programmer. In Proceedings of Conference on Principles of Security and Trust (POST), Springer. April, 2014. Invited paper.
    [ paper | bibtex ]
  • Alex Bain, John Mitchell, Rahul Sharma, Deian Stefan, and Joe Zimmerman. A Domain-Specific Language for Computing on Encrypted Data. In Proceedings of Foundations of Software Technology and Theoretical Computer Science (FSTTCS), LIPIcs. December, 2011. Invited paper.
  • Deian Stefan and John C. Mitchell. Analysing Object-Capability Patterns With Murφ. April, 2011.
    [ paper | bibtex ]


  • Deian Stefan. Analysis and Implementation of eSTREAM and SHA-3 Cryptologic Algorithms. Master's thesis, Cooper Union. May, 2011.
    [ thesis | bibtex ]

The documents distributed by this server have been provided as a means to ensure timely dissemination of scholarly and technical work on a noncommercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that the works are offered here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be distributed without the explicit permission of the copyright holder.

Application Materials

Below you can find my curriculum vitae, research statement, and teaching statement. My curriculum vitae contains the contact information for my references.

The following three papers are representative: