I work at the intersection of embedded security, trusted execution, and compiler instrumentation. I build things that run close to the metal — firmware, secure enclaves, attestation systems — in environments where getting it wrong has real consequences.
Currently finishing my M.Tech in Cyber Security at IIT Delhi, where my thesis builds a hardware-rooted attestation system for UAV flight controllers using ARM TrustZone and OP-TEE. My research involves implementing and empirically comparing three control-flow attestation systems (C-FLAT, OAT, BLAST) on AArch64 using LLVM instrumentation — the first unified comparison of these systems on 64-bit ARM with OP-TEE. Before this, I spent two years deploying and securing mission-critical SCADA networks for a power grid operator, and interned with the Army Cyber Group (Ministry of Defence) doing security testing on hardened systems.
Security that's enforced — not assumed.
I've implemented and empirically compared three control-flow attestation (CFA) systems on AArch64 with ARM TrustZone / OP-TEE — the first known LLVM-based implementations of all three on 64-bit ARM:
| System | Paper | World Switches (syringe pump) | Verified Against Paper? |
|---|---|---|---|
| C-FLAT | CCS 2016 | ~7,516 | ✅ Exact iteration counts |
| OAT | IEEE S&P 2020 | ~1,946 TEE calls | ✅ Table III (488 branches, 1946 returns) |
| BLAST | CCS 2023 | ~4–8 | ✅ Table 3 within 0.001% (5 benchmarks) |
Key result: BLAST achieves a 1000–2000× reduction in TEE world switches vs C-FLAT on identical hardware and benchmarks.
All implementations use LLVM IR compile-time instrumentation and the OP-TEE TEEC Client API on Raspberry Pi 3 (Cortex-A53).
|
🔐 Trusted Execution & Attestation
⚙️ Embedded Systems & Firmware
|
🔧 Compiler & Instrumentation
🌐 Network & Security Engineering
|
Defense-in-depth attestation for UAV flight controllers: Pixhawk fmuv2 (Cortex-M4, ChibiOS/ArduPilot) as the untrusted edge node, NVIDIA Jetson running OP-TEE as the secure verifier. SHA-256 hash-attests mission commands; BLAST (CCS 2023) attests control-flow via Ball-Larus path profiling.
| Metric | Value |
|---|---|
| End-to-end attestation latency | ~104 ms |
| Jetson OP-TEE TA round-trip | 75.2 ms (72.3% of total) |
| CFA overhead on Cortex-M4 | 170 µs per mission emit |
| Flash footprint (instrumentation) | +2,940 B (0.30% of budget) |
| Net RAM increase | 0 |
First LLVM-based implementation of BLAST (CCS 2023) on AArch64 with OP-TEE. Register-based path accumulation using reserved AArch64 registers (x28/w20) with guard-page double buffering — reducing TEE world switches from ~7,516 (C-FLAT) to ~4–8 per operation.
| Metric | Value |
|---|---|
| World switches vs C-FLAT | ~1000–2000× reduction |
| Log count accuracy (5 Embench benchmarks) | < 0.001% error vs paper Table 3 |
| Optimization level required | -O0 (inlining breaks instrumentation) |
LLVM IR implementation of C-FLAT (CCS 2016) on Raspberry Pi 3 with OP-TEE — ported from ARMv7 binary hooks to AArch64 compile-time instrumentation. Includes shadow call stack, loop record tracking, and a syringe pump case study with exact iteration verification.
| Syringe Command | Expected Steps | Measured |
|---|---|---|
| 10 µL bolus | 68 | ✅ 68 |
| 20 µL bolus | 136 | ✅ 136 |
| 100 µL bolus | 682 | ✅ 682 |
LLVM IR implementation of OAT (IEEE S&P 2020) on Raspberry Pi 3 with OP-TEE. Includes shadow stack for ROP detection, SHA-256 hash chain over all control-flow events, and a Python verifier for offline attestation proof verification. Demonstrated live ROP attack detection on a drone controller test case.
| Metric | Value |
|---|---|
| Syringe pump branches | 488 ✅ matches paper Table III |
| Syringe pump returns | 1946 ✅ matches paper Table III |
| ROP detection | ✅ Shadow stack mismatch → TEE_ERROR_SECURITY |
SHA-256 inside OP-TEE Secure World on RPi3. Custom cycle-accurate benchmarking using inline ARM64 assembly (cntpct_el0) to isolate World Switch latency, memory copy cost, and algorithm time. Diagnosed and patched a TEE Core kernel panic (0xdeadbeef) by setting PMUSERENR_EL0 at S-EL1 to enable PMU access from S-EL0.
| Metric | Value |
|---|---|
| Throughput (Secure World) | ~11 MB/s |
| World Switch Latency | ~131 µs |
| Overhead vs native sha256sum | 1.4× (38%) |
65× speedup on sequence alignment using cache-aware tiling, wavefront parallelism, and AVX2 SIMD.
| Metric | Before | After |
|---|---|---|
| Throughput | 0.11 GCUPS | 7.10 GCUPS |
| L1 Cache Misses | baseline | −99.4% |
| Branch Mispredictions | baseline | −99.5% |
| 🎓 IIT Delhi | M.Tech Cyber Security · 2024–Present · GPA 8.06 |
| 🏛️ Army Cyber Group, MoD | Security Testing Intern · May–Jul 2025 |
| ⚡ TGTRANSCO | Sub Engineer (Network & SCADA Security) · 2022–2024 |
Open to roles in embedded security, TEE/firmware engineering, and systems security research.