Senior Researcher Stefan Saroiu
“Growing up, my mom was a programmer with a computer science degree at a time when there was no computer science department in Romania,” remembers Microsoft senior researcher Stefan Saroiu (opens in new tab) with a smile that is palpable over the telephone. As a child in late 1970s – early 1980s Bucharest, accompanying his mother to her job gave him hands-on access to an assortment of what at the time were cutting-edge minicomputers. “She inspired me and I just fell in love with computers early on,” he said. This led to him getting admitted to Bucharest’s prestigious Computer Science High School (opens in new tab) (the alma mater of more than a few well-known Romanian-born computer scientists) and the path that eventually would lead him to Redmond, Washington and directing his life’s passion toward innovating security systems and building technology with novel aspects for Microsoft Research.
Following high school years imbued with happy memories of the advent of home computers like the Sinclair ZX81 and the Commodore 64, as well as quality time on the school’s DEC PDP-11 minicomputer, Saroiu’s family moved to Canada where he was accepted into the highly respected computer science program at the University of Waterloo (opens in new tab). It was also a school that was on the radar of a certain software company, one that would offer him his first internship: Microsoft.
Microsoft research podcast
Abstracts: August 15, 2024
Advanced AI may make it easier for bad actors to deceive others online. A multidisciplinary research team is exploring one solution: a credential that allows people to show they’re not bots without sharing identifying information. Shrey Jain and Zoë Hitzig explain.
“Many kids don’t know what they should become when they grow up. That dilemma never crossed my mind.” – Stefan Saroiu
Today, Saroiu is living his dream, doing what he loves, not only advancing groundbreaking research on secure systems but innovating new ways of using existing research to solve practical problems that cover everything from data security to online privacy. Saroiu strives to go beyond the research experience and to take the results of his research to product innovation across multiple areas of impact, not only from a technological and user experience aspect but involving legal, business and public perception realms as well. This makes him a deeply valuable researcher at Microsoft Research, one who works closely with other teams to make sure that all success factors are diligently considered. It’s a part of his job that he enjoys.
The projects Saroiu has embraced over the years, from his time as a doctoral student at the University of Washington (opens in new tab), through a professorship stint at the University of Toronto (opens in new tab) and finally to the lightspeed world of industry within mobility and networking research at Microsoft (he considers it a true homecoming), are permeated with parallel themes of systems and security, protection and empowerment of the mobile user. Indeed, Saroiu attributes his passion for secure systems to his early work at the University of Washington in finding innovative ways to non-intrusively monitor network traffic; for Saroiu, the research encompassed all the aspects of technology he found fascinating – designing practical systems that delivered information but that also protected people – their privacy, their business models (ISPs in particular), as well as reducing security and legal vulnerabilities.
While at the University of Toronto, he and his students envisioned a network monitoring and reporting system (opens in new tab) able to discern the shape, size and general nature of traffic on a robust and dynamic university network while still preserving users’ anonymity even in the face of subpoenas or accidental disclosures made by the ISP. The key to this strong level of protection stemmed from a simple property: any system reboot of the locked-down system would make the system forget everything previously seen. Such a system reduced the liability of an ISP while still allowing it to measure and learn from its traffic. The solution had not so much relied on invention as on innovation and Saroiu’s first foray into system security was a eureka experience for him. He had always been interested in playing with technology; now he realized he was just as interested in how technology played in the world.
In the middle of the action
“I’m a systems researcher, and I always felt that you have to be in the middle of the action to do systems research,” said Saroiu. After joining Microsoft Research, he immediately embraced projects that improve the security of mobile systems. One, trusted sensors, was devoted to protecting the integrity and authenticity of sensor-based data, such as cloud-based photos or GPS data relied on by mobile users. Trusted Sensors (opens in new tab) made altering of images and much of other mobile device sensor-based data extremely difficult (malicious photo altering comes immediately to mind.) This dovetailed into work (opens in new tab) that enabled the distribution of data in cloud systems according to a pre-defined policy, relying on a combination of modern cryptography techniques and distributed system design.
“Microsoft is a company that cares about security deeply; in that sense, I feel that my work is appreciated.”
But Saroiu realized that stopping at research prototypes is not enough; to be practical, any secure system (not just Trusted Sensors) requires a hardware root of trust, a secure chip often present on servers and desktops, but absent on smartphones and tablets. Together with his colleagues, Saroiu envisioned building the chip in software as part of the firmware running on mobile devices. This early vision led to the firmware Trusted Platform Module (fTPM) (opens in new tab) project that involved over 40 people across three different divisions at Microsoft. Ultimately, fTPM shipped in Windows 8 and became the reference implementation of a software TPM chip used on tens of millions of mobile devices.
With fTPM successfully shipped, Saroiu went on to design several research extensions of the fTPM. One had the fTPM work in a scenario in which people carry more than one mobile device, for example a smartphone and a tablet. Such a cross-device fTPM (opens in new tab) can make security seamless and fluid protecting the data on all devices a user owns. Another extension (opens in new tab) made the fTPM protect its secrets from cold boot attacks where the phone memory can be read even when the device is powered down. Indeed, Saroiu appreciates the flexibility of starting with a research idea and then going beyond the research experience to ship a product while further innovating new research directions based on the shipped product.
Saroiu published much of this work at various top systems and security academic conferences and he currently is serving as the technical program committee co-chair of MobiSys 2018 (opens in new tab) taking place in Munich, Germany in June.
Bringing Microsoft Research ideas to 20 million people
Saroiu set the next bar even higher – he wanted to see Microsoft Research single-handedly build, ship, and operate a product used by millions of people. He didn’t have to wait long for such an opportunity to reveal itself – another aspect he likes about working at Microsoft Research. They decided to call it Embedded Social.
Mobile app developers had been facing a dilemma. On one hand, they wanted to increase app engagement by letting their users like, comment, reply, and follow others. For example, users of a wine app may want to share impressions of wines they have tasted within the app. Such conversations would not be relevant to most of their Facebook friends; that kind of conversation makes total sense in the wine app, among fellow wine enthusiasts. On the other hand, app developers find it very difficult to adopt and incorporate a social networking platform into their apps. Building one from scratch is a difficult and expensive engineering task, whereas pre-built external social platforms (think Facebook, Twitter) steal the app users by making them leave the app.
Sensing opportunity, Saroiu and his colleagues at Microsoft Research embarked on building Microsoft Embedded Social, an open source platform offering that helps mobile application developers substantially increase user engagement within their applications. Adding Embedded Social to an existing application is trivial – in less than an hour an app developer can add a full-featured social experience to an existing mobile application. To date, Embedded Social has served over 20 million users, with Windows 10’s Remix 3D (opens in new tab) as its main customer and it’s enjoyed by several Android and iOS mobile apps including OneBusAway (opens in new tab) and the Microsoft Academic (opens in new tab) website. In OneBusAway, for example, in the event of a bus having mechanical issues, interested riders who also happened to be work colleagues or classmates could communicate and find alternative plans of transportation. Even better, Embedded Social brings Cortana’s integrated bots to offer ridesharing alternatives to stranded passengers without leaving the OneBusAway app at all!
Across all these projects, the theme that resonates is the philosophy of going beyond the research experience. That ferries Saroiu through the creative space and inspires him to pursue his work. His thoughtful appreciation of the dynamics of technology and its impact is encouraging to all who work with him, from colleagues at Microsoft Research to his research collaborators across the world.
Where does Saroiu see all this technological innovation and research taking us – or perhaps, where would he like to see it taking us? “Today’s technology is the dawn of tomorrow’s civilization. Look, the 20th century brought us the second industrial revolution. It brought us automobiles, plastics, radio, TV, electronics. These are the cornerstones of our society today; we take them all for granted. They are everywhere around us. In the same way, today’s technology is the cornerstone of tomorrow’s society. I bet the next generations will look at cloud computing and datacenters the same way we look at automobiles and highways. They will look at mobile and wearable computing the same way we look at plastics. It is thus our responsibility or, should I say our duty, to make these technologies trustworthy and secure. This is what makes me excited about my job every single day.”
Microsoft wasn’t the only company to extend an internship offer to Saroiu when he was an undergrad at University of Waterloo; in addition to Microsoft, he’d received a second offer from a company in the Cayman Islands and he laughed, remembering he’d briefly pictured Caribbean beaches before accepting the offer from Microsoft.
“Microsoft Research is the place that I always belonged,” said Saroiu, again with that smile that can be heard over the phone.
Systems and networking