I am a postdoctoral researcher at Boston University and the Massachusetts Institute of Technology, hosted by Prof. Sharon Goldberg and Prof. Nickolai Zeldovich. I am also an affiliated researcher with the cybersecurity research center at the Hebrew University of Jerusalem. I completed my Ph.D. at the CS department of Bar-Ilan University, where I was part of the network security research group led by Prof. Amir Herzberg. Following my studies I continued working on network and system security as a research staff member at IBM and as a postdoctoral researcher at the Hebrew University, hosted by Prof. Michael Schapira. I am truly fortunate to have had great mentors.
My Ph.D. studies included fun and educational experiences in academia and industry. I interned at Google Cambridge, MA, where I worked on SPDY. Prior to that, I worked at the IBM Research Zurich laboratory on improving password-based authentication. I also spent one semester as a research scholar at Boston University, where I worked with Prof. Ari Trachtenberg on the design and implementation of a secure platform for mobile device applications. Prior to all these travels, I was a software architect at Marvell's Switching Division. I enjoy teaching! I created and taught, together with Dr. Oded Margalit, the "Advanced Topics in Software Security" course, given at Ben-Gurion University in Spring 2015.
Research Interests. I am interested in security and privacy aspects of networks, operating systems, and applications. My research combines analysis, implementation, and extensive empirical and experimental evaluation to produce practical solutions for real-world problems.
Honors and Awards
Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two complementary mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec does not seem to be even on the horizon. This is due to inherent, possibly insurmountable, obstacles: the need to replace today's routing infrastructure, meagre security benefits under partial deployment, and the need for online cryptography in the routers.
Our work seeks to design deployable security protocols that do not require changes to today's routing hardware, yet provide significant security benefits even when partially deployed. We propose path-end validation, a modest extension to RPKI that provides security benefits comparable to BGPsec while circumventing its deployment challenges. Path-end validation was presented at HotNets'15 and SIGCOMM'16. We provide an open-source prototype implementation for Cisco routers.
We further measure the deployment of RPKI, identify the main obstacles on the road to deployment, and propose mechanisms to circumvent them.
Our study on the hurdles to enforcing RPKI-based policies was accepted to NDSS'17. See our presentation.
We argue that many problems with using the RPKI are rooted in incorrect use of the maxLength parameter in ROAs (a maxLength longer than the prefixes actually announced lets an attacker announce a more-specific prefix with a forged origin AS that still validates), and suggest an alternative. See the online report and our implementation.
Check out our RPKI alert and transparency system: ROAlert.
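To make the two points above concrete, here is an added example (my own illustration, not the project's router prototype or its record format) of RFC 6811 route origin validation next to a simplified model of path-end validation. The prefixes, ASNs, ROAs and path-end records are constructed from documentation address space (RFC 5737, RFC 5398). The example assumes a path-end record is simply the set of neighbor ASes an origin authorizes to appear next to it on the AS_PATH; the deployed record format is the paper's, not this one.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA is a Route Origin Authorization: ASN may originate any prefix covered by
// Prefix whose length is at most MaxLen (RFC 6482 semantics).
type ROA struct {
	Prefix netip.Prefix
	MaxLen int
	ASN    uint32
}

// ROVState is the RFC 6811 validation outcome for one announcement.
type ROVState int

const (
	NotFound ROVState = iota // no ROA covers the prefix
	Valid                    // a covering ROA matches origin AS and maxLength
	Invalid                  // covered, but no ROA matches
)

func (s ROVState) String() string { return [...]string{"NotFound", "Valid", "Invalid"}[s] }

// Announcement is a BGP route as seen by the validating router: the prefix and
// the AS_PATH in propagation order, origin AS last.
type Announcement struct {
	Prefix netip.Prefix
	Path   []uint32
}

func (a Announcement) Origin() uint32 { return a.Path[len(a.Path)-1] }

// OriginValidate implements RFC 6811 route origin validation.
func OriginValidate(a Announcement, roas []ROA) ROVState {
	state := NotFound
	for _, r := range roas {
		covered := r.Prefix.Contains(a.Prefix.Addr()) && a.Prefix.Bits() >= r.Prefix.Bits()
		if !covered {
			continue
		}
		state = Invalid // at least one ROA covers the prefix
		if r.ASN == a.Origin() && a.Prefix.Bits() <= r.MaxLen {
			return Valid
		}
	}
	return state
}

// PathEndRecords is the assumed, simplified path-end record: origin AS -> set of
// neighbor ASes allowed to appear directly before it on the AS_PATH.
type PathEndRecords map[uint32]map[uint32]bool

// PathEndValidate accepts the route if the AS adjacent to the origin is in the
// origin's record. If the route arrived directly from the origin, the adjacent
// AS is the validating AS itself. Origins without a record are unconstrained.
func PathEndValidate(localAS uint32, a Announcement, recs PathEndRecords) bool {
	neighbors, ok := recs[a.Origin()]
	if !ok {
		return true
	}
	adjacent := localAS
	if len(a.Path) > 1 {
		adjacent = a.Path[len(a.Path)-2]
	}
	return neighbors[adjacent]
}

// Constructed scenario (documentation prefixes and ASNs, not real routing data):
// AS64500 originates 198.51.100.0/24 via its provider AS64496; the validating
// router sits in AS64510; AS64501 is the attacker.
const LocalAS uint32 = 64510

var (
	Legit = Announcement{netip.MustParsePrefix("198.51.100.0/24"), []uint32{64496, 64500}}
	// The attacker announces a more-specific /25 with AS64500 forged as the origin.
	Hijack = Announcement{netip.MustParsePrefix("198.51.100.0/25"), []uint32{64501, 64500}}
	// A prefix no ROA covers at all.
	Uncovered = Announcement{netip.MustParsePrefix("192.0.2.0/24"), []uint32{64501}}
)

// LooseROAs authorizes AS64500 for the /24 and, via maxLength, any /25 below it.
func LooseROAs() []ROA { return []ROA{{netip.MustParsePrefix("198.51.100.0/24"), 25, 64500}} }

// StrictROAs sets maxLength equal to the prefix length actually announced.
func StrictROAs() []ROA { return []ROA{{netip.MustParsePrefix("198.51.100.0/24"), 24, 64500}} }

// Records: AS64500 has declared only AS64496 as a neighbor.
func Records() PathEndRecords { return PathEndRecords{64500: {64496: true}} }

func main() {
	for _, tc := range []struct {
		name string
		ann  Announcement
		roas []ROA
	}{
		{"legit, loose ROA", Legit, LooseROAs()},
		{"forged-origin /25, loose ROA", Hijack, LooseROAs()},
		{"forged-origin /25, strict ROA", Hijack, StrictROAs()},
	} {
		fmt.Printf("%-30s ROV=%-8v path-end=%v\n", tc.name,
			OriginValidate(tc.ann, tc.roas), PathEndValidate(LocalAS, tc.ann, Records()))
	}
}
```

With the loose ROA the forged-origin /25 is ROV-Valid and, being more specific, would win longest-prefix routing; setting maxLength to the announced length makes it Invalid, and path-end validation rejects it either way because AS64501 is not an authorized neighbor of AS64500.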
Private communication over the Internet continues to be a challenging problem. Even if messages are encrypted, it is hard to deliver them without revealing metadata about which pairs of users are communicating. Scalable communication systems, such as Tor, are susceptible to traffic analysis. In contrast, the largest-scale systems with metadata privacy require passing all messages through each server, capping their throughput and scalability. We design and build Stadium, the first system to provide metadata and data privacy while being able to scale its work efficiently across many servers.
Preliminary version available on eprint.
CDN-on-Demand is a software-based defense that administrators of small to medium websites install to resist powerful DDoS attacks, at a fraction of the cost of comparable commercial CDN services. Upon excessive load, CDN-on-Demand serves clients from a scalable set of proxies that it automatically deploys on multiple IaaS cloud providers. CDN-on-Demand can use less expensive, and less trusted, clouds to minimize costs. This is made possible by clientless secure-objects, a new mechanism that we present: the proxies are never trusted with private keys or user data, yet no new client programs need to be installed. CDN-on-Demand also introduces an origin-connectivity mechanism, which ensures that essential communication with the content origin remains possible even under severe DoS attacks.
A critical feature of CDN-on-Demand is in facilitating easy deployment. We introduce the origin-gateway module, which deploys CDN-on-Demand automatically and transparently, i.e., without introducing changes to web-server configuration or website content. We provide an open-source implementation of CDN-on-Demand, which we use to evaluate each component separately as well as the complete system.
CDN-on-Demand was presented at NDSS'16. We keep improving the system's open-source code base.
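As an added illustration of the trust property behind secure-objects (my own model, not the CDN-on-Demand code base or the exact mechanism in the NDSS'16 paper), the following example shows an origin that signs each object once, proxies that hold only signed objects and no key material, and a client-side check. It assumes the client already has the origin's public key (e.g. obtained from the origin over TLS) and binds each signature to the object's URL path so a proxy cannot pass off one validly signed object as another. The page contents and paths are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SecureObject is what an untrusted proxy stores and serves: the object body,
// the URL path it was published under, and the origin's signature over both.
type SecureObject struct {
	Path      string
	Body      []byte
	Signature []byte
}

// digest binds body to path. The path is length-prefixed so that "/a"+"b" and
// "/ab"+"" hash differently; without the binding a proxy could serve a validly
// signed object under another URL.
func digest(path string, body []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(path)))
	h.Write(n[:])
	h.Write([]byte(path))
	h.Write(body)
	return h.Sum(nil)
}

// Origin holds the only private key in the system.
type Origin struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewOrigin() (*Origin, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Origin{priv: priv, Pub: pub}, nil
}

// Publish signs an object once; proxies receive only the result.
func (o *Origin) Publish(path string, body []byte) SecureObject {
	return SecureObject{Path: path, Body: body, Signature: ed25519.Sign(o.priv, digest(path, body))}
}

// Proxy is a cloud-hosted cache with no key material at all.
type Proxy struct{ store map[string]SecureObject }

func NewProxy() *Proxy { return &Proxy{store: map[string]SecureObject{}} }

func (p *Proxy) Store(obj SecureObject) { p.store[obj.Path] = obj }

func (p *Proxy) Serve(path string) (SecureObject, bool) {
	obj, ok := p.store[path]
	return obj, ok
}

// Verify is the client-side check: the served path must be the one requested,
// and the signature must verify under the origin's public key.
func Verify(pub ed25519.PublicKey, requested string, obj SecureObject) bool {
	if obj.Path != requested {
		return false
	}
	return ed25519.Verify(pub, digest(obj.Path, obj.Body), obj.Signature)
}

// RunScenario reports whether the client accepts (1) an honest proxy's
// response, (2) a response whose body the proxy rewrote, and (3) a response
// where the proxy relabeled a different signed object with the requested path.
func RunScenario() (honestOK, tamperedOK, relabeledOK bool) {
	origin, err := NewOrigin()
	if err != nil {
		panic(err)
	}
	index := origin.Publish("/index.html", []byte("<h1>welcome</h1>"))     // constructed content
	admin := origin.Publish("/admin/panel.html", []byte("<h1>admin</h1>")) // constructed content
	proxy := NewProxy()
	proxy.Store(index)
	proxy.Store(admin)

	served, _ := proxy.Serve("/index.html")
	honestOK = Verify(origin.Pub, "/index.html", served)

	tampered := served // a malicious proxy injects a script
	tampered.Body = []byte("<script>exfiltrate()</script>")
	tamperedOK = Verify(origin.Pub, "/index.html", tampered)

	relabeled := admin // a malicious proxy reuses a valid signature under another path
	relabeled.Path = "/index.html"
	relabeledOK = Verify(origin.Pub, "/index.html", relabeled)
	return
}

func main() {
	h, t, r := RunScenario()
	fmt.Printf("honest=%v tampered=%v relabeled=%v\n", h, t, r)
}
```

The point to take from the scenario is that a compromised or dishonest cloud proxy can at worst refuse service; it cannot forge or substitute content, which is what lets the system draw on cheaper, less trusted providers.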