Transitioning from Academia to Unicorn Founder in Cybersecurity (Ronghui Gu of Certik)

Angela Li, Foothill Ventures

10 min read · Jun 4, 2021

Ronghui discusses blockchain security, breakthroughs in Formal Verification software and unconventional company structures

About

Welcome to the 21st installment of Foothill Ventures’ Lessons from Founders series. Every week, we publish an in-depth founder interview, ranging from early-stage entrepreneurs to successful businesses. Our conversations cover their personal journeys, the lessons that shaped them, their visions for the future, and their failures. We also learn more about their companies and about the challenges they try to solve. These insights and lessons are applicable to any entrepreneur — current or future.


CertiK is a pioneering blockchain cybersecurity start-up founded by Computer Science professors from Yale University and Columbia University. By applying the rigor of proprietary Formal Verification technology to smart contracts and blockchain protocols, CertiK has been able to provide end-to-end security to over 700 enterprise clients and more than $30B in asset value. The research efforts of the CertiK team have received grants from IBM and the Ethereum Foundation, and notable investors include Binance, IDG Lightspeed China, and Lenovo.

Dr. Ronghui Gu is a co-founder of CertiK and the inaugural Tang Family Assistant Professor of Computer Science at Columbia University. His thesis work on building certified OS kernels received the Yale Doctoral Dissertation Award and was nominated for the ACM Doctoral Dissertation Award. He is the primary designer and developer of CertiKOS, the first verified concurrent OS kernel, and SeKVM, the first verified commodity cloud hypervisor — major milestones toward building safe and secure systems software. For his work in systems verification, Gu received an Amazon Research Award, an SOSP Best Paper Award, and a CACM Research Highlight. He obtained his Ph.D. degree from Yale University in 2016 and a bachelor’s degree from Tsinghua University in 2011.

Why we invested in CertiK: until our investment in CertiK, we had never invested in cryptocurrency or blockchain. We are still not investing in crypto start-ups directly, but we do believe that security for blockchain will be an important market — hence our investment.

The CertiK team developed a highly effective way of proving the security of software systems, utilizing the founding team’s years of research in a branch of mathematics called Formal Verification. They have achieved product market fit in the fast-growing area of blockchain security. The same technology can be further applied to other hyper-secure systems, such as autonomous driving systems, cloud computing and 5G IoT systems. We believe that the market is huge and that the team is very strong in executing the product roadmap.

Ronghui introduces himself

I am a Computer Science professor at Columbia and a co-founder of CertiK. All of my research at Columbia and CertiK focuses on how to provide the highest level of security guarantees for system software.

His background: first prize in China’s national math Olympiad

I grew up in Jiangsu Province in China. In high school, I competed in the Olympiad math competition, where I won the national first prize and earned the opportunity to go to Tsinghua University. However, the interesting thing was that I didn’t actually want to become a math major — I wanted to do something more innovative and practical, so I pursued Computer Science. I didn’t learn programming prior to university, but I quickly fell in love with it.

In my last year of undergrad, when I was thinking about applying to PhD programs, Professor Shao of Yale University visited Tsinghua and gave a lecture on Formal Verification of systems software. For context, Formal Verification is a technique that provides the highest level of security guarantees for hardware and for software. In short, it attempts to mathematically prove that the implementation of the software satisfies your requirements and the specifications (i.e. the developer's intention or design). It aligned perfectly with my interests and expertise, so right after the lecture, I contacted Professor Shao, applied for the PhD program and was admitted.

On Formal Verification: proofs that convince computers

My interest in Formal Verification techniques arose during a time when machine learning was very hot (and of course, it still is very popular today). I didn’t find myself drawn to machine learning because I couldn’t really understand the underlying mathematical principles or foundation of the approach. Now, it definitely has a more solid theoretical foundation, but back then, it felt more like a black box — and a magical black box at that.

In contrast, formal verification techniques require logical explanation at every single step in order to truly demonstrate that the software is secure. Not only did you need rigorous proofs at each stage to convince humans, but you also had to have proofs that would convince computers. I found this very beautiful. I don’t always trust manual proofs because there can be loopholes. Formal Verification doesn’t require you to trust me or anyone else because it is machine verifiable and mathematically proven.

Formal Verification doesn’t require you to trust me or anyone else because it is machine verifiable and mathematically proven.

His research breakthrough: solving a problem with infinite possibilities

Verification software is especially complex and contract software is very difficult because we need to prove and enumerate all the possibilities and conditions. You can do simple brute force enumeration for very simple sequential software and hardware, but this cannot be applied to complex software, especially for those that have concurrency or run with multiprocessors. Most of our systems (our current phones, for example) are multi-core and run on multiple CPUs. The code on different CPUs needs to collaborate, and it may interleave because you don’t know which instruction will be executed next, and there are many potential possibilities. It is very difficult — or sometimes impossible — to enumerate all possibilities. It can be infinite. That was the research challenge we faced. During my five years working with Professor Shao, we solved it and made the breakthrough. We built the world’s first fully verified concurrent OS kernel.

We built the world’s first fully verified concurrent OS kernel.
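To make the interleaving problem above concrete, here is a small added example (not CertiK's code and not from the interview): it brute-force enumerates every schedule of n threads that each perform a non-atomic increment of a shared counter, shows that some schedules lose updates, and counts how quickly the number of schedules grows with the number of threads. The thread program and the counter are constructed for illustration.

```python
from math import factorial

# Each thread runs the same two-step, non-atomic increment of a shared counter:
#   step 0: tmp = x          (read)
#   step 1: x   = tmp + 1    (write)
# Steps stay in program order within a thread, but the scheduler may interleave
# threads arbitrarily. We enumerate every interleaving explicitly (brute force).

def interleavings(n_threads, steps_per_thread):
    """Yield every schedule (tuple of thread ids) that respects per-thread program order."""
    def rec(remaining, prefix):
        if all(r == 0 for r in remaining):
            yield tuple(prefix)
            return
        for t, r in enumerate(remaining):
            if r > 0:
                remaining[t] -= 1
                prefix.append(t)
                yield from rec(remaining, prefix)
                prefix.pop()
                remaining[t] += 1
    yield from rec([steps_per_thread] * n_threads, [])

def run(schedule, n_threads):
    """Execute one schedule and return the final value of the shared counter x."""
    x = 0
    tmp = [None] * n_threads   # per-thread register holding the value read
    pc = [0] * n_threads       # per-thread program counter (0 = read, 1 = write)
    for t in schedule:
        if pc[t] == 0:
            tmp[t] = x
        else:
            x = tmp[t] + 1
        pc[t] += 1
    return x

def final_values(n_threads):
    """All final counter values reachable by some schedule; n_threads is the correct answer."""
    return sorted({run(s, n_threads) for s in interleavings(n_threads, 2)})

def count_interleavings(n_threads, steps_per_thread):
    """Number of schedules: the multinomial coefficient (n*k)! / (k!)^n."""
    return factorial(n_threads * steps_per_thread) // factorial(steps_per_thread) ** n_threads

if __name__ == "__main__":
    for n in (2, 3, 4):
        print(n, "threads: reachable final values", final_values(n),
              "out of", count_interleavings(n, 2), "schedules")
    # 8 two-step threads already have ~8e10 schedules, too many to enumerate one by one.
    print("8 threads:", count_interleavings(8, 2), "schedules")
```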

When we published our findings in 2016, we quickly received attention from the blockchain field. It coincided with the very famous DAO attack where one hacker was able to steal $60 million worth of cryptocurrency after spotting a flaw in a single line of DAO’s code. It almost destroyed Ether.

The genesis of CertiK: the creation of a “powerful hammer”

Blockchain is an unusual field, especially when compared with traditional software. First of all, pure source code manages millions of dollars in assets. People may say “in code we trust,” but unfortunately, code is not trustworthy. One single bug in code can lead to millions of dollars of financial loss. To make things worse, hackers are particularly motivated to attack smart contracts because transactions are permanent and may be anonymous. By nature, smart contracts are especially vulnerable because most of the code is open source in order to establish transparency. As a result, hackers can simply read the source code to plan their attack. Additionally, the decentralized protocol sometimes requires every single change to be done with consensus, so once smart contracts get uploaded to the blockchain, it’s very hard to make any changes.

People may say “in code we trust,” but unfortunately, code is not trustworthy.

There’s not much you can do to stop an attack when it happens. Unlike with the traditional software industry, where you can monitor and shut down the system in the event of an attack, this “world computer” cannot be shut down. You can’t cut off the connection or even add a patch in real time. That’s why these traditional security techniques simply do not work. Blockchain companies require the highest level of security guarantee to the code itself before deploying it and uploading it to a blockchain. That’s why our breakthrough with Formal Verification techniques was so important to this field.

Both my advisor and I always wanted to start a business from this research because it created a very powerful hammer. Everyone wants their invention to be used, but many researchers wait for someone to pick it up and commercialize it. At the beginning, we were thinking like that as well, until we realized that we should be the ones taking the action. There were many companies that reached out to us to purchase the patent, but we thought that we should utilize it ourselves because we had the passion to make it come to life.

We thought that we should utilize it ourselves because we had the passion to make it come to life.

CertiK’s competitive advantage

Firstly, our view on blockchain is what differentiates us from the rest of the industry. We were the first provider of auditing reports for smart contracts. Originally, we sold certificates, but this began to be copied by many other companies. We then changed our strategy — we still sell certificates, but we post our certificates online and make them transparent because we feel like this is more valuable to the users of these blockchain applications, as opposed to just the exchanges. If you are a user and want to interact with a blockchain application, you can conduct the research needed to protect your own assets. We are not a pure B2B business — we are 2C2B.

We are not a pure B2B business — we are 2C2B.

Our technology is key. Blockchain is all about decentralization, so independent security verification is needed for true trustworthiness. Users or companies don’t need to trust any single party — just the results from any computer that checks the proof. We post all this information publicly for anyone to check online, and we have received very positive feedback.

On being a professor & a founder: similarities and differences

I think that academia and entrepreneurship are very similar in many ways; both involve uncertainty. In research, it’s uncertain how you can solve the problem you’re looking into and/or whether you can solve it at all. Additionally, as a professor you run research groups in a similar way to running a company from start to finish. The whole timeline includes idea generation, building a group to solve the problem, and then convincing some institute to provide you with a research grant.

There is certainly a noticeable difference in research, where you stop when you deliver the prototype, and then you redo the process all over again with a different idea. The teams in companies also tend to be bigger, compared to the research labs that I have worked at which hosted at most 10 students. Now at CertiK, we have 70 employees and are growing fast. They live all across the world, and I have yet to meet some of them, but we all are working together towards the same goals.

On building a strong team: employees as “students”

Prior to founding CertiK together, my co-founder (Prof Shao) and I had already been working together on hard problems for five years. As a result, we know each other well and are very used to collaborating. The other reason our co-founder relationship succeeds is that we have very complementary skills. He has very keen vision and the ability to understand what to prioritize for the future. On the other hand, I am someone who is more focused on execution.

The other reason our co-founder relationship succeeds is that we have very complementary skills.

As for the rest of our team, our employees always like to say that we treat them as students, rather than employees. We do a lot of internal training to help everyone grow, so that’s another way that my background as a professor influences the way I run CertiK.

Training is particularly important given the interdisciplinary nature of our company. We also do not emphasize titles and try to flatten any hierarchy as much as possible so that everyone communicates with each other. While we previously had departments in our company, we dissolved those and instead created “squads,” where each team has six people from all different backgrounds (product, design, software development, etc.). Since our team is global, we found that departments were inefficient because it was difficult to schedule calls around different time zones. Now with squads, execution and communication are more seamless.

We also do not emphasize titles and try to flatten any hierarchy as much as possible so that everyone communicates with each other.

On international collaboration: global by design and necessity

We have offices on the East Coast and West Coast of the United States, in Europe, in Asia and so on. Our clients are globally distributed, and we want as short a reaction time as possible if something were to occur. We prioritize immediate support to our clients. Additionally, the cryptocurrency market is 24 hours, so we have to cover all the time zones because that’s the nature of our business.

While we did have to figure out the transition to complete remote working as all other companies did, our international team was already used to this style of working. Since our team is headquartered in New York City, people used to spend a lot of time on transit, but the remote working situation has certainly improved productivity.

On CertiK’s future: a lot more than just blockchain

In the next few years, this market will rapidly grow. There’s a study by PwC which shows that in the next 10 years, the impact of blockchain on the global economy will increase by 25 times. We will continue to work in this space to serve more and more clients and to improve the cybersecurity of this domain. Additionally, because our technology is general and very scalable, it is not limited only to cryptocurrency or blockchain technology. It can be applied in many areas: memory, hardware, firmware, cloud computing, autonomous vehicles, and so on. We envision verified software as the bedrock for tomorrow’s computing base.

We envision verified software as the bedrock for tomorrow’s computing base.

Technology that he’s excited about

Outside of blockchain, I would say that Neuralink is an area of technology that I am interested in. It’s very innovative, and it could be very cool to see humans bridged with computers. However, with something like this, there will be significant concerns around cybersecurity and challenges with the software.

A book that he recommends

Principles by Ray Dalio

A question he would ask other founders

What do you think the world will look like in 10 years? Then the follow-up question might be what your company will look like in 10 years as well.


Foothill Ventures is a $150M seed-stage technology firm. We back technical founders across software, life sciences, and frontier technologies.
