I'm a PhD student at Stanford University advised by Dawson Engler (and working with Deian Stefan at UCSD). I'm interested in using techniques from programming languages to make systems more secure. Lately, I've been focusing on web browsers, trying to (1) verify existing parts of browser JITs with minimal developer interaction and (2) find bugs using symbolic execution. I graduated from Stanford in 2016 with a BA in English Literature, advised by Elaine Treharne.

Publications

Unifying compilers for SNARKs, SMT, and more.
Alex Ozdemir, Fraser Brown, Riad S. Wahby.
In submission. [pdf]

High-level, high-speed, high-assurance crypto.
Jonathan Cogan, Fraser Brown, Alex Ozdemir, Riad S. Wahby.
To appear, PriSC 2021.

Trust but verify: SFI safety for native-compiled Wasm.
Evan Johnson, David Thien, Youssef Alessi, Shravan Narayan, Fraser Brown, Stefan Savage, Deian Stefan.
To appear, NDSS 2021.

Sys: a static/symbolic tool for finding good bugs in good (browser) code.
Fraser Brown, Deian Stefan, Dawson Engler.
Usenix Sec 2020. [pdf]

Towards a verified range analysis for JavaScript JITs.
Fraser Brown, John Renner, Andres Nötzli, Sorin Lerner, Hovav Shacham, Deian Stefan.
PLDI 2020. [pdf]

FaCT: a DSL for timing-sensitive computation.
Sunjay Cauligi, Gary Soeller, Brian Johannesmeyer, Fraser Brown, Riad S. Wahby, John Renner, Benjamin Grégoire, Gilles Barthe, Ranjit Jhala, Deian Stefan.
PLDI 2019. [pdf]

Browser history re:visited.
Michael Smith, Craig Disselkoen, Shravan Narayan, Fraser Brown, Deian Stefan.
WOOT 2018. [pdf]

Towards verified, constant-time floating-point operations.
Marc Andrysco, Andres Nötzli, Fraser Brown, Ranjit Jhala, Deian Stefan.
CCS 2018. [pdf]

FaCT: A flexible, constant-time programming language.
Sunjay Cauligi, Gary Soeller, Fraser Brown, Brian Johannesmeyer, Yunlu Huang, Ranjit Jhala, Deian Stefan.
SecDev 2017. [pdf].

Finding and preventing bugs in JavaScript bindings.
Fraser Brown, Shravan Narayan, Riad S. Wahby, Dawson Engler, Ranjit Jhala, Deian Stefan.
Oakland 2017. [pdf]

Superhacks: Exploring and preventing vulnerabilities in browser binding code.
Fraser Brown.
PLAS 2016. [pdf]

Lifejacket: Verifying precise floating-point optimizations in LLVM.
Andres Nötzli, Fraser Brown.
SOAP 2016. [pdf]

How to find bugs using orders of magnitude less code.
Fraser Brown, Andres Nötzli, Dawson Engler.
ASPLOS 2016. [pdf]
(Conference version available here.)

Talks

Towards a verified range analysis for JavaScript JITs. Full talk, lightning talk.

Finding and preventing bugs in JavaScript bindings. Full talk.

Browser Bugs

Some of these bugs may be blocked for security reasons. They will unblock over time!

My current favorite bug: logic error in the Firefox JIT's range analysis

Browser CVEs:

• 2020-26960 (use-after-free)
• 2020-12417 (assertion failure)
• 2020-6822 (out-of-bounds access)
• 2020-6444 (uninit memory)
• 2019-5827 (out-of-bounds access)
• 2019-9805 (uninit memory)
• 2018-6137 (history sniffing)

Browser bounties:

• use-after-free in Firefox
• assertion failure in Firefox
• uninit memory in Firefox's Prio (set of 3)
• out-of-bounds access in SQLite as exposed by Chrome (set of 13)
• out-of-bounds access in Chrome audio codec
• history sniffing in Chrome
• use-after-free in Chrome's PDFium
• use-after-free in Chrome's PDFium