Welcome to Ethan Cecchetti, Assistant Professor focusing on language-based security

Ethan Cecchetti comes to Madison from a postdoctoral position at the University of Maryland. He has one word to describe his first visit to campus: “Cold.” It’s not his first time in a cold place, though, and he feels like he made the right choice in coming here. He says he was attracted to UW-Madison because of the people: “Professionally, the Computer Sciences department here is full of extremely smart and motivated people at every level—undergraduates, grad students, and faculty,” he says, and “the other faculty and grad students I met with before accepting the offer were universally wonderful people.” He hopes students will come away from his classes incorporating “security questions and concerns into their regular thinking.”

Hometown: Lexington, MA

Educational/professional background: I have a bachelor’s in Mathematics – Computer Science from Brown (2012) and both a master’s and PhD in Computer Science from Cornell (2019 and 2021, respectively). Before joining UW-Madison, I was a post-doc for two years (2021 – 2023) at the University of Maryland. I also spent three years (2012 – 2015) between undergrad and grad school as a software engineer at TripAdvisor.

How did you get into your field of research? It was half on purpose, half by accident. I spent a few years as a software engineer after undergrad, and after a little while, I realized I missed doing math, and I wanted to work on something I really cared about. Research seemed like a good way to do both, so I went back to grad school. I knew I was interested in something related to cybersecurity, but that’s where the intentional part ends.

When I first got to grad school, I thought I wanted to do cryptography, but I started working with Ari Juels, who is more interested in using cryptography to build secure systems than in developing new math underlying cryptography, and I got really excited about it. I also wanted to try working with a few different people before I settled on a topic (which I highly recommend to all new grad students!), and I ended up working with Andrew Myers, who uses programming languages ideas and techniques to solve problems in security and distributed systems. I loved it, and I’ve mostly kept working in that area.

What are your areas of focus? My primary area right now is Language-Based Security: using programming languages ideas and techniques to solve problems in computer security. Many security problems arise from the fact that it’s difficult to analyze and understand how programs behave, and, especially, how different pieces of a larger system interact with each other. Programming languages techniques are particularly good at addressing these exact concerns, but they often reveal mathematical imprecisions in how we even define security and struggle to combine with common security techniques like cryptography. That’s where my research comes in.

What main issue do you address or problem do you seek to solve in your work? I primarily develop tools and techniques that can provide precise mathematical definitions of certain kinds of security and prove that programs are secure according to those definitions. That might be something like “this program doesn’t leak secret data to unauthorized users.” The goal is to allow developers to build, modify, and extend applications in a way that we know is secure against a wide range of general attacks, even before deploying anything.

How would you explain your work to people who are not computer scientists? Almost everything these days is made of multiple different computer systems talking to each other. Securing these sorts of systems presents a uniquely difficult challenge. First, every piece of the system has different security concerns. I have different concerns from you, and we both have different concerns than a bank or a healthcare provider. Second, different pieces of the system interact in complicated and often unexpected ways, making it very difficult to understand exactly what will happen if a hacker tries to break in. Third, many different parts of the system are doing things at the same time. That makes it hard to know exactly what order things will happen in, and even harder to understand the whole system’s behavior.

One of my big projects right now is to build tools and ideas to better understand and control the security of these kinds of systems. The security, distributed systems, programming languages, and cryptography communities have all developed great techniques for solving pieces of the problem, but the fundamental challenge is that the whole of these systems is more complicated and less secure than its individual parts. Along with some collaborators, I’m trying to figure out how to combine those techniques into a more cohesive solution that can hopefully help developers build these systems more securely in the future.

What’s one thing you hope students who take a class with you will come away with? I want students to incorporate security questions and concerns into their regular thinking. Computer security is a very unusual field in that it focuses more on what problems we solve and less on how we solve them. That means that anyone who works in computer science, as a researcher, software engineer, or even product manager, is likely to run into cybersecurity questions. I hope my students become more aware of those issues and learn how to think about them in their day-to-day work.

What attracted you to UW-Madison? Mostly the people. Professionally, the Computer Sciences department here is full of extremely smart and motivated people at every level—undergraduates, grad students, and faculty. There’s a reason UW-Madison has one of the best departments in the country. Personally, the other faculty and grad students I met with before accepting the offer were universally wonderful people. It seemed like an environment and a group of people that tries really hard to set everyone up for success.

What was your first visit to campus like? Cold. I was here for an interview in mid-February. I had some time before my flight the next day, so I decided to explore Madison. Unfortunately, it was 15°F outside, cloudy, characteristically windy, and I’d forgotten my scarf at home. I made it for a couple hours (with some breaks ducking into shops), but I had to stop. I’m not worried, though. I’ve lived in cold places for most of my life. I just needed a scarf (and maybe some long underwear).

What are you looking forward to doing or experiencing in Madison? I’ve never lived in a city this size before, only much bigger (2+ million) and much smaller (50,000). So far it feels like the best of both worlds: lots of things to do and places to go, but it’s still quick and easy to get around town or leave town to find nature.

Do you feel your work relates in any way to the Wisconsin Idea? If so, please describe how. I think my work absolutely fits with the Wisconsin Idea. My research aims to better understand the security of complex computer systems and how we can more easily and effectively build new systems securely. My teaching aims to help students understand and think about security in an increasingly digital and connected world.

As more and more devices and tools become computerized and even internet-connected, computer security has quickly come to impact nearly everyone, whether they like it or not. By helping to make those systems more secure, both directly and indirectly, my work has the potential to impact everyone.

Hobbies/other interests: Ultimate Frisbee, cycling, hiking, and board games. So far it feels like I came to the right place.