I am a Professor of Computer Science and Engineering at UC Riverside. My main research interests are computer and network security, particularly improving the security of operating systems and software in general.
Professor Jaeger is an Associate Editor-in-Chief for IEEE Security & Privacy Magazine and an Associate Editor for Contributions for the Communications of the ACM. Please submit columns and articles!
And my students do great work which produced the news items and highlights below. I am always looking for motivated students interested in software and systems security.
A recent focus is memory safety validation. Researchers have speculated that a large fraction of memory accesses in C/C++ programs cannot violate memory safety, but we do not yet take advantage of this hypothesis to protect memory systematically. We have built analyses for heap memory safety validation (ACM CCS 2024) and stack memory safety validation (NDSS 2022), and we examine how memory safety validation can be a path to memory safety enforcement and improved security in a variety of ways in an IEEE S&P 2024 paper. We are applying this work in a variety of ways to make memory safety in C/C++ explicit, including our SoK paper on eBPF (SP 2025) and detecting threats to driver isolation (ACSAC 2025). Also, see our papers on improving the performance of memory safety enforcement in USENIX 2024 for spatial safety and type safety.
We apply access control policy analysis to complex Android systems to find and fix vulnerabilities. The Android system now has a rich, fine-grained access control enforcement, but it is difficult to determine whether part of the file system may be prone to attack. Our analysis tool, PolyScope (USENIX 2021), identifies the file system accesses that may be exploited to launch attacks to detect vulnerabilities. We have extended PolyScope (IEEE TDSC 2023) to reason about Android's recent Scoped Storage (IEEE S&P 2021) policies as well. We have recently shown how to connect access control policy analysis to program analysis to detect zero-day vulnerabilities through the constructing and analysis of host attack graphs (IEEE SecDev 2023), unique in building attack graphs within a host from its access control policies without known vulnerabilities to assess the potential for zero-day attacks.
We have three areas of recent research on operating systems security. First, we explore techniques for automating driver isolation. We have developed the first mostly-automated approach to generate IDL for driver isolation (OSDI 2022), examined kernel isolation mechanisms using Extended Page Tables (VEE 2020, Best Paper), identified threats caused by remaining data sharing (HotOS 2023). Second, we have identified new hardware side channels, including timer-less side channels on Apple M1 processors (USENIX Security 2023) and channels to recover instruction addresses systematically (ISCA 2023). Third, we investigate file system security, including characterizing risks from combining case-sensitive and case-insensitive file systems (FAST 2023), which is happening in Linux and Windows, and developing rollback-resistant file systems (OSDI 2023) that can utilize untrusted storage securely.
My book, Operating System Security, was published by Morgan & Claypool in 2008. This book examines the concepts and techniques applied in the construction of "secure operating systems." It has been taught in security courses around the world. Also, see Morrie Gasser's book Building a Secure Computer System from 1988 for more. Please let me know if you have comments.