Stacey Son

3725 Turtlecreek Blvd

Apt D

Dallas, TX 75225

I am a former Senior Security Engineer for Apple, a FreeBSD and TrustedBSD contributer, and a co-founder of a successful cloud/hosting computing company. I like to void warranties.

I studied at Brigham Young University and received my Bachelor’s degree in Electrical Engineering in 1992. I continued on to work on my PhD while working fulltime as the manager of the College of Engineering’s computer labs (CAEDM). While completing my graduate coursework I created a lightweight virtualization environment in the BSD operating system (BSD/OS) that would group and isolate a set of processes and resources (memory, CPU, disk, etc.) into a seperate secure compartment. In short, I had created an early form of OS-level virtualization which became the foundation technology for the company iServer.com. I left my PhD program to persue the startup full time. iServer merged with the internet backbone provider Verio to become its internet server division. Verio went public on NASDAQ, trading under the symbol VRIO, with a market value exceeding $1 billion. Shortly after going public Verio was sold to Nippon Telegraph and Telephone Corpation (NTT) in a cash tender offer of $73/share or more than $5 billion, making it one of the highest grossing deals of the dotcom era.

After NTT/Verio I went into consulting. I did some consulting contracts with Apple working on getting its products certified for governement use by adding Mandatory access control (MAC) and secure event auditing in Mac OS. I also implemented a kernel module containing all Apple’s Corecrypto code as part of FIPS 140-2. This allowed Apple to achieve Common Criteria certification for their products so they could be sold to government agencies that required that level of certification.

After consulting for Apple I started consulting for SRI International and Cambridge University, working on the DARPA Clean-slate design of Resilient, Adaptive, Secure, Hosts or CRASH funded Capability Hardware Enhanced RISC Instructions or CHERI project. After the CRASH funding ended in 2015. I returned to Apple but as a fulltime employee to continue working on CHERI and other hardware and software security projects. I left Apple at the end of 2020 and I am currently semi retired.

latest posts

Apr 14, 2024	a post with pseudo code
Jan 27, 2024	a post with code diff
Jan 27, 2024	a post with advanced image components

selected publications

IEEE_SP15
CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization

Robert N.M. Watson , Jonathan Woodruff , Peter G. Neumann , and 12 more authors

In 2015 IEEE Symposium on Security and Privacy , 2015

Abs Bib PDF

CHERI extends a conventional RISC Instruction-Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA soft-core processor, Free BSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.
@inproceedings{2015cheri, author = {Watson, Robert N.M. and Woodruff, Jonathan and Neumann, Peter G. and Moore, Simon W. and Anderson, Jonathan and Chisnall, David and Dave, Nirav and Davis, Brooks and Gudka, Khilan and Laurie, Ben and Murdoch, Steven J. and Norton, Robert and Roe, Michael and Son, Stacey and Vadera, Munraj}, booktitle = {2015 IEEE Symposium on Security and Privacy}, title = {CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization}, year = {2015}, volume = {}, number = {}, pages = {20-37}, keywords = {Registers;Security;Kernel;Reduced instruction set computing;Libraries;Hardware;CHERI processor;capability system;software compartmentalization;computer architecture;memory protection;object capabilities}, doi = {10.1109/SP.2015.9}, dimensions = {true}, }