LockBox — LockBox is a trusted platform built right. It provides the most important security benefits of a trusted platform without restricting a user's ability to control their own computer. Our system communicates directly with the end-user to determine which applications are trusted, establish human-readable identifiers and provide assurance directly to the user that their secrets are being safely provided to an application they trust. LockBox does not rely on an operating system or hypervisor to enforce its security properties, but instead enforces them at the lowest levels of the hardware.

Fived — Fived is an attempt to bring back the Session Layer to the modern Internet. This project provides a series of features that eliminates the need for, or changes the role of: VPNs, port numbers, firewalls, port knocking, SSL, vhosts, per-daemon authentication, SRV records, load balancing, etc... A proof-of-concept RFC 1078 complaint daemon has been created to demonstrate the vision for this project.

PAM Escalate — pam_escalate is a PAM for several posix-like systems which allows tools like su or sudo to authenticate against separate escalation accounts. This allows users to use a separate set of credentials to escalate to an administrative context than they do to login to the machine.

The Need for Resilience: Maintaining Security When Your Hypervisor Contains Bugs — I was invited to give this presentation at Intel's Virtualization Security Summit. I talked with Intel about the design goals of AppSheath and explained how the features our system provides can be used within a virtualized environment to protect operating systems against buggy hypervisors.

Building a Real Session Layer — This was a presentation on fived I gave at Defcon 16. The abstract for the presentation was as follows: "It's past time for a session layer. It's time to replace port knocking with a real authentication framework. It's time to do what DNS did with IP addresses to port numbers. It's time to run services over NATs, eliminate the need for vhosts in your webserver and provide optional transparent encryption for any client who wants it. In this talk, we'll do that and a couple other tricks... within the framework of a little-known RFC that was written almost 2 decades ago."

Extending and Abusing PAM — This was a brief talk I gave at San Diego's BarCamp. It just covers the basics of PAM and then dovetails into a small brainstorming session at the end. Unfortunately all I have are a portion of the slides for this talk, so the brainstorming session and the remainder of the talk live on only in people's minds.

Virtualization: Enough Holes to Work Vegas — This was a presentation I gave on virtualization security at Defcon 15. The abstract for the presentation was as follows: "Have you tried to firewall a machine from itself? Have you ever tried to protect a machine with a multi-personality disorder? These questions are brought to us by the wonderful technology of virtualization. Though the technology is clearly sexy, security has been an afterthought. While every product claims isolation, it seems that's only when you don't have an attacker involved. Despite what the press releases say, it's not free to put all your machines on the same hardware. We'll be brushing aside the dust and trying to figure out part of the cost."

CSE 240B Project — This was the final project for my CSE 240B course, which is UCSD's graduate level parallel architectures course. I wrote up a very sparse description of an ISA I designed with the sole purpose of doing something that hadn't been done before. It is extremely irritating to program in and is remarkably incomplete but contains what I think and hope are some really interesting and thought provoking ideas.

Neat Defense — As part of UCSD's CSE 125 course, myself and six friends developed a realtime, 3-d, multiplayer, networked game. We bucked tradition for this course in three main areas: 1) We opted to use OpenGL instead of DirectX 2) We targetted and developed on three different platforms: OSX, Windows and Linux 3) We chose a co-operative game model. My main role was helping with any low-level issues, including threading, concurrency, platform consistency and release engineering. I was also responsible for the game's networking code and wrote the server.

Blender — Blender is a full-featured 3-d animation, modelling and compositing application. The project contains ~1 million lines of code and supports Windows, Linux, OS X, Solaris and IRIX. From May 2005 to March 2008, I was the project's Linux Platform Manager. I was responsible for the build and release engineering processes for the Linux platform as well as dealing with any Linux-specific issues within the application. I personally ran the release process for Linux x86 and collaborated with the release engineers working on the Linux PPC and Linux x86_64 builds. I also worked to establish closer ties with downstream Linux distributions. In March 2008, I stepped down from my role as Linux Platform Manager to focus on research.

Shibboleth Mediawiki Extension —As part of the campus security team, I developed an authentication plugin for Mediawiki to allow it to integrate with the Shibboleth Single Sign-on infrastructure. This plugin is now maintained by the community and the code that comprised it spawned several other successful authentication plugins to integrate Mediawiki with other authentication systems. While building this extension, parts of the core mediawiki code ended up being insufficient for the needs of some authentication plugins and I submitted two patches to extend the core functionality of mediawiki to improve mediawiki's interfaces for these plugins. These features became a part of mediawiki in version 1.7.