cv

my course of life...

Basics

Name Stacey D. Son
Label Computer Security Engineer
Email stacey@son.org
Url https://stacey.son.org/
Summary A Computer Engineer (BSci/MSci) who has been building secure computing environments for over 35 years.

Work

  • 2015 - 2020

    Cupertino, CA

    Senior Security Engineer
    Apple, Inc.
    Worked on both hardware and software relating to iPhone and Macintosh security.
    • Added system call and Mach IPC filtering in the kernel application sandbox (aka, 'Seatbelt')
    • Created CHERI-Qemu to support CHERI research and development on the ARMv8 architecture (AARCH64)
    • Created a CHERI ARMv8 test suite.
    • Modified QEMU to support iOS development.
    • Modified internal emulator to support CHERI.
    • Evaluation of ARM pointer authentication (PAC).
    • Evaluation of Memory Tagging Extension (MTE) and other proposed ARM hardware extensions.
  • 2013 - 2015

    Cambridge, UK

    Engineering Consultant and Researcher
    University of Cambridge
    Worked on the DARPA C.R.A.S.H. (Clean-slate design of Resilient, Adaptive, Secure, Hosts) funded CHERI (Capability Hardware Enhanced RISC Instructions) project.
    • New PMAP implementation for FreeBSD/mips64 including reference bit emulation, large pages for kernel thread stack, and Superpages.
    • Performance counters support and general feature evaluation.
    • Thread Local Storage (TLS) register support for FreeBSD/mips.
  • 2011 - 2013

    Menlo Park, CA

    Engineering Consultant and Researcher
    SRI International
    Worked on the DARPA C.R.A.S.H. (Clean-slate design of Resilient, Adaptive, Secure, Hosts) funded CHERI (Capability Hardware Enhanced RISC Instructions) project.
    • Created CHERI-QEMU, an adaptation of the popular QEMU ISA emulator to implement the CHERI-MIPS instruction set.
    • General FreeBSD/mips64 OS bring-up and kernel feature support on CHERI prototype target (FPGA based tablet implemented using Bluespec SystemVerilog).
    • Added FreeBSD user-mode support to Qemu for cross building and cross development code with machine dependent support for ARM, ARM64, Mips and Mips64.
    • Created miscellaneous binaries image activator kernel module for FreeBSD for transparent execution of target binaries on x86 host.
  • 2007 - 2011

    Cupertino, CA

    Core OS Security Engineering Consultant
    Apple, Inc.
    Worked on experimental VM subsystem in MacOS/iOS, kernel and system code for government FIPS 140-2 and Common Criteria certification, and Apple's 'Seatbelt' (Application sandboxing subsystem).
    • Created VM subsystem unit tests. Code signing code testing and evaluation.
    • Added common criteria auditing to Apple’s Gatekeeper policy updates.
    • Developed an OpenSSL compatible API shim for Apple’s CommonCrypto.
    • Worked on application sandboxing for Mac OS X, added debugger support for sandbox exceptions, and sandboxed iChat/Messages app.
    • Created sandbox and privilege separation example apps for WWDC.
    • Created the CommonCrypto kernel extension (“KEXT”) for MacOS/iOS.
    • Created validation suites for FIPS 140-2 certification for the CommonCrypto KEXT.
    • Updated Core OS security auditing subsystem to meet the Common Criteria for Information Technology Security Evaluation version 3.1 (CC v3.1), evaluation assurance level 3 (EAL3).
    • Added performance enhancements so minimal security auditing can be enabled by default without any measurable overhead.
    • Incorporated OpenBSM v1.1 into Mac OS X 10.6 (Snow Leopard).
    • Added Launchd integration for user level security auditing support.
    • Developed Core OS security audit session tracking for securityd and launchd including kevent(2) notifications and capability-based security.
    • Developed Abstract Machine Testing (AMT) software.
    • Added flexible storage and management features for audit record storage including aggregation of records from multiple systems, log rotation, and record expiration and deletion.
    • Developed a Python extension and framework for unit testing the audit subsystem.
    • Identified fixes and developed resolutions for Radars (Apple’s bug reports) associated with the project. Communicated with Apple engineering contacts as necessary. Worked and communicated with ADC developers.
  • 2000 - 2008

    Dallas, TX

    Cloud/Hosting Chief Architect
    NTT/Verio
    Managed R&D group that prototyped new server cloud architectures and products.
    • Developed Linux VPS/Cloud prototype
    • Helped design and implement system call, disk I/O, and network rate limiting in FreeBSD.
    • Architected SAN storage system for hosting server clusters.
    • Created TCP/IP stack state “hand-off” for network load balancing between servers for FreeBSD.
  • 1998 - 2000

    Englewood, CO

    VP, Hosting Technology
    Verio, Inc.
    After the successful merger, managed hosting technology development.
    • Managed the hosting technology software development group.
    • Added intrusion detection to the hosting systems by adding a setuid registration FreeBSD extension.
    • Modified the GCC compiler to detect and prevent stack buffer overruns.
    • Helped architect and implement virtlinks to increase code segment sharing between VPS’s.
    • Helped port VPS software to Solaris 2.6.
  • 1994 - 1998

    Orem, UT

    Co-Founder and CTO
    iServer and Secure.net
    Started a successful cloud computing/hosting company based on process container technology.
    • Technical founder, innovator of core technology, manager of R&D group.
    • Created OS-level virtualization (VPS) using BSD/OS for web hosting (including process containers, network isolation, and resource limits).
    • Implemented a “super” inetd that started network services for each VPS on demand and allowed code segment sharing to save memory resources.
    • Helped develop X.509 management kernel module so wild card certificates can be securely shared between VPS’s.
    • Helped design and develop server power and console management hardware; helped port embedded FreeBSD to embedded controller.
    • Added multi-layer quotas so quotas can be used within VPS.
    • Successfully merged iServer, Inc. with Verio, Inc. in a stock swap deal. Helped take Verio, Inc public. All the outstanding stock was then sold to NTT Communications.
  • 1990 - 1994

    Orem, UT

    Developer/Technical Consultant
    AccessData, Inc
    Part-time developer and consultant
    • Created password recovery software for WordPerfect, Norton’s Discreet, and other popular desktop/server applications with encryption features.
    • Built hardware DES encryption/decryption engine for FBI using FPGAs.
    • Was a consultant to government agencies including FBI/DoJ, Treasury Department/IRS and other law enforcement departments.
  • 1989 - 1994

    Provo, UT

    Systems Programmer, Researcher, CAEDM Lab Manager
    Brigham Young University, College of Engineering
    Part-time and full-time jobs while studying at BYU, College of Engineering.
    • Managed college’s network, computer systems & supercomputers.
    • Supervised full-time and part-time IT staff for all computer systems in college.
    • Implemented disk cache prefetching algorithm on BSD Unix System.
    • Measured overhead of Mach 3.0 syscall redirection on cache performance.
    • Developed distributed batch queuing and process checkpointing software. Published Paper: 'Efficient Utilization of Distributed Workstation Resources' in Proceedings of The Ninth Annual Conference on University Programs in Computer-Aided Engineering, Design and Manufacturing (UPCADEM '91), May 16-18, 1991

Volunteer

  • 2004 - Present
    Kernel/System Developer
    FreeBSD and TrustedBSD Contributor
    Contributed code development for FreeBSD kernel and TrustedBSD projects.
    • Added user-mode support to Qemu for FreeBSD and kernel module for transparent binary execution to support cross building of packages for tier 2 architectures including ARM, ARM64, MIPS and MIPS64. Now being used in production on package build cluster.
    • Grand Central Dispatch (GCD) port: kevent(2) EVFILT_USER filter and thread workqueues.
    • /dev/ksyms: pseudo device for obtaining a kernel and module symbol table snapshot.
    • OpenBSM: Open implementation of Sun’s Basic Security Module (BSM) security audit API.
    • Mandatory Access Control (MAC).
    • AoE (ATA over Ethernet) driver.

Education

  • 1992 - 1994

    Provo, Utah

    Master of Science
    Brigham Young University
    Computer Engineering
    • Left PhD program to work at my startup. Settled for MS.
  • 1986 - 1992

    Provo, Utah

    Bachelor of Science
    Brigham Young University
    Electrical Engineering
    • Notable Math Courses: Number Theory, Abstract Algebra, Numerical Methods
    • Notable CS Courses: Operating Systems, Compilers, Computer Security

Awards

Publications

Skills

Computer Science
C/C++ Programming
Computer Security
Operating Systems
Computer Architecture
Computer Hardware
Computer Networking
Scripting Languages: Python, Perl, etc.
Cryptology

Interests

Hobbies
Scuba Diving
3D Printing and CNC
Virtual Pinball

References

Michael R. Anderson
I have worked with Stacey on several high profile projects. One involved the breaking of encryption used in a criminal enterprise under investigation by the federal government. Another involved a critical technology risk analysis for an international Fortune 500 corporation. Stacey has also been there as a friend when Internet-based help was needed at NTI. He always seems to be able to step up to the plate and knock the ball out of the park. The quality of Stacey's work is always over the top and he is great to work with. From a technology standpoint he has always been one of the top people in the world that government agencies and corporations could turn to when complex mission critical work was involved. Stacey is also a wonderful person with a big heart. It is my pleasure to make this recommendation concerning Stacey Son.
Lane Livingston
Stacey was the consummate professional. At a difficult time, he quickly helped us to solve our problems and get us back on track. I wholeheartedly recommend Stacey.