Meet Our Team: 10 questions for Jon Stephens

Veridise
May 13, 2024

“Meet Our Team” is a blog series where we introduce you to the people behind Veridise. Today, we sit down with our CEO & Co-founder, Jon Stephens.

Jon is a PhD candidate at UT Austin and co-founded Veridise in 2022. To date, Jon has published papers related to Smart Contract security, ZK security, malware analysis and obfuscation.

1. Tell us a bit about yourself. Who is Jon Stephens?

I’m just a person who is paranoid about computer security and has been fortunate enough to learn about tools that can be used to make software more resilient. Growing up, my parents had a certain way of doing things because they were worried that if they didn’t, their private information would be stolen. While some of their practices are still ridiculous, they also instilled a certain amount of paranoia in myself and my brothers. Ultimately, my goal is to help progress towards a world where end-users like my parents don’t feel like they have to take security into their own hands.

2. Before co-founding Veridise, you participated in several academic projects. Can you tell us about your experience in academia and what led you to researching blockchain security?

Before joining the Utopia group at UT, I conducted security research at the University of Arizona under Saumya Debray. There, my research focused on malware analysis as well as obfuscation and deobfuscation techniques. While I enjoyed this line of work, much of it had to rely on heuristics that worked well in practice due to the complexity of the system. I found myself becoming concerned about the guarantees of our systems and how our heuristics could be broken. This led me to formal methods and Isil at UT Austin.

At UT Austin, I worked together with Isil and Kostas Ferles on projects related to formal verification. Our attention eventually fell on smart contracts because they have some interesting properties that can be leveraged to make the verification process more scalable. This observation led to the creation of SmartPulse, a tool to verify liveness properties in smart contracts. While working on SmartPulse we observed how useful it was at evaluating the security of a project even in cases where verification failed. This is because it was capable of generating counterexamples that corresponded to realistic attacks such as integer overflow, access control and reentrancy attacks.

3. What is your personal approach in auditing?

It varies by project, but usually I prefer to manually audit top-down. By this I mean the following:

I first take a quick pass over the project to understand the high-level behavior and design of the protocol. This is very helpful because you get an idea of how individual behaviors are composed to implement the protocol as a whole. From this, I can speculate on invariants that should hold in the protocol and potential methods of attacking the protocol. These can be unique to the project, but frequently we find similar issues in projects that implement similar behaviors. Therefore, this list is informed both by the observed behaviors and my previous experience with projects that make use of similar behaviors.

After creating this list, I perform a deeper pass over the protocol where I carefully review the source code. During this pass, I modify the list that I created previously in two ways. First, I add additional properties and methods of attack discovered while inspecting the implementation. Second, I cross out properties that I know hold or attacks that are infeasible. Using this method, the goal of the audit is therefore to be able to cross out every property and attack on my list.

The other benefit of using this approach is that it lends itself quite well to a hybrid audit. When taking my first pass I also typically run automated tools like static analyzers to help inform my initial list. Additionally, as I record invariants I can determine whether they are more suitable for manual inspection or automated tools like fuzzers. These tools can be configured and run in parallel with my deeper pass over the codebase.

4. Which of the Veridise team’s achievements are you most proud of?

I am pretty proud of the Secureum ZK tooling workshop from last year. It was impressive seeing several teams come together to connect a bunch of things we had been working on developing for some time. They required very little help from me so I got to sit back and watch as they prepared the materials, the platform and ran the workshop. When it started, we had some concerns but it went quite smoothly. As an example, we hadn’t tested the platform with such a large group (i.e. the Secureum participants and our own auditors) who would be running tools in parallel but we still encountered very few problems.

5. What areas of blockchain are you personally interested in?

I think current efforts to move computation off-chain (through ZK, MPC, TCBs, etc) are very interesting. Not all computation is suitable for execution on-chain because it requires sensitive data or is simply too expensive. While there is no perfect solution, these techniques can alleviate some of the pain-points and are opening the door to new applications.

6. You’ve worked for a long time with your co-founder Isil Dillig in academia before founding Veridise. Can you tell me more about how you work together?

Isil is great to work with. She works extremely hard and has the ability to quickly understand problems, brainstorm solutions and present information in a very approachable way. It’s rare to find someone who is able to do all of those three things and is part of the reason why she’s so successful. While Isil is still a professor at UT, she somehow still finds time to work at Veridise and we’re very fortunate to have her.

7. What’s one book you’ll never stop recommending to people?

It really depends on the person. One book that I enjoyed recently is called Strong Female Character by Fern Brady. It’s both tragic and funny, I love it.

8. We heard through the grapevine that you like to play pranks on people. What is your favorite prank to date?

I do occasionally play pranks on people that I know well. I’m not sure about my favorite one, but one that I enjoyed recently occurred at Isil’s wedding. Myself and several people from Veridise and Utopia were attending the wedding so we decided to play a prank on her. We printed out ridiculous pictures of ourselves and hid them all over Isil’s house so that hopefully over the next few months she should open a drawer or something and see a picture of someone doing something weird. I’m pretty sure she still hasn’t found them all and it has been about 6 months.

9. What might people not know about you? When you’re not working, what might people find you doing?

I have a fairly large collection of board games that I enjoy playing. Unfortunately, they have mostly been gathering dust for the past two years but I occasionally find time to play them. I also enjoy cooking, woodworking and hiking.

10. Pineapple on pizza: yes or no?

Sure, why not? Fruit can be quite good on pizza and while pineapple isn’t my favorite thing on pizza, it does taste good. Recently I’ve been enjoying putting thinly sliced pears on pizza with some balsamic vinegar.

Hardening blockchain security with formal methods. We write about blockchain & zero-knowledge proof security. Contact us for industry-leading security audits.