Tegan Brennan

University of California, Santa Barbara.

PhD Candidate

Tegan Brennan is a PhD candidate at the University of California, Santa Barbara, where she is a member of the Verification Lab advised by Tevfik Bultan. Her research interests lie at the intersection of program analysis and security. For the past few years, she has focused on side-channel analysis, developing tools and techniques for the detection and quantification of side-channel vulnerabilities. Most recently, she has been studying the interaction between just-in-time compilation and timing side channels.
Tegan received an IGERT Fellowship in Network Science and has previously collaborated very successfully with neuroscience researchers to develop analytic techniques for brain tractography. She is also an aerialist and competitive ballroom dancer.

Research Abstract:

Cyber-attacks stealing confidential information are becoming increasingly frequent and devastating as modern software systems store and manipulate greater amounts of sensitive data. Many software development practices, such as the encryption of packages sent over a network, aim to protect the confidentiality of private data by ensuring that an observer is unable to learn anything meaningful about a program’s secret input from its public output.
However, many software systems still contain serious security vulnerabilities. Through observing non-functional side effects of software systems, a class of information leaks, referred to as side-channels, can capture secret information. Potential side-channels include those in execution time, memory usage, size and timings of network packets that are sent, and power consumption.

My research has explored static analysis techniques for the detection and quantification of side-channel vulnerabilities in software. Recently, I have been exploring how dynamic, runtime behavior impacts side channels. I have demonstrated that just-in-time (JIT) compilation, crucial to the performance of modern programming languages such as Java and JavaScript, can introduce timing side channels into deceptively secure-looking code fragments when it attempts to optimize paths it deems “hot”. I have successfully induced JIT-based side channels in the Apache Shiro security framework and the GraphHopper route planning server that are large enough in magnitude to be observable over the public internet.