About

Nikos Vasilakis is an Assistant Professor of Computer Science at Brown University and is also affiliated with the Brown Data Science Institute. Additionally, he serves as an Affiliated Researcher under Athena's Archimedes Research Unit on AI and Data Science. His research interests span software systems, programming languages, and computer security, with a focus on building new systems or enhancing existing ones by incorporating capabilities such as parallelism, distribution, isolation, and security. This work aims to facilitate a transition towards secure distributed environments that operate effectively at multiple scales. Vasilakis's research is highly collaborative and oriented towards serving everyday developers with real-world impact. He has developed systems targeting the JavaScript dependency ecosystem to automate the analysis, transformation, and synthesis of dependencies, addressing software supply-chain threats. Furthermore, he has worked on automating the acceleration and scale-out of software systems, particularly in programming environments like the shell, which are widely used due to their simplicity in combining components written in multiple languages. His projects, including PaSh and related extensions, provide automated acceleration and scale-out capabilities with strong correctness and compatibility guarantees. Vasilakis also focuses on automated transformation towards secure scalable computing paradigms such as confidential computing, microservices, serverless computing, and edge computing. His research develops systems that support decomposing conventional programs to leverage these paradigms, utilizing special hardware capabilities available in networks to improve performance and maintain program correctness.

Research topics

• Computer Science
• Computer Security
• Operating system
• World Wide Web
• Programming language
• Engineering

Selected publications

• hS: Speculative Script Reordering at Subprocess Granularity (Artifact)

  Zenodo (CERN European Organization for Nuclear Research) · 2026-04-27

  otherOpen accessSenior author

  `hS` is a research prototype for speculative, out-of-order execution of shell scripts. It traces script execution, detects dependency violations, and selectively re-executes affected commands to preserve correct behavior while exposing parallelism. This archive contains the source code, tests, documentation, and artifacts needed to run and evaluate the system.

  PublisherDOI

• hS: Speculative Script Reordering at Subprocess Granularity (Artifact)

  Zenodo (CERN European Organization for Nuclear Research) · 2026-04-27

  otherOpen accessSenior author

  `hS` is a research prototype for speculative, out-of-order execution of shell scripts. It traces script execution, detects dependency violations, and selectively re-executes affected commands to preserve correct behavior while exposing parallelism. This archive contains the source code, tests, documentation, and artifacts needed to run and evaluate the system.

  PublisherDOI

• Towards Practically-Secure Tools for AI Agents

  2026-04-27

  articleSenior author
  PublisherDOI

• Guarding LLM-aided Software Transformation Tasks via Component Exoskeletons

  2025-10-01

  articleOpen accessSenior author

  Large language models (LLMs) are achieving state-of-the-art results across a wide variety of software transformation tasks---including translating across languages and lifting opaque software components to high-level languages. Unfortunately, their results are often subtly incorrect, insecure, or underperformant---affecting the widespread deployment of these LLM-driven techniques in settings that go beyond the narrow scope of academic papers. This paper posits that such widespread deployment crucially depends on developing appropriate model guardrails for safeguarding the results of the transformation process. Such guardrails can be supported by component exoskeletons, tunable partial specifications extracted mostly automatically from the original, pre-transformed component. Exoskeletons serve as component projections that supplement, and often go through, the entire transformation process, confirming that the new, transformed component meets the original specifications. They show promise on several real-world scenarios and unearth exciting research directions.

  PublisherDOI

• Towards Hybrid Cooperative-Preemptive Scheduling

  2025-10-01

  articleOpen accessSenior author

  Cooperative scheduling avoids the many shared-state pitfalls of preemption, but risks fairness---in the limit resulting in denial of service and resource exhaustion. This paper argues that a careful hybrid between cooperation and preemption is both feasible and advantageous: by allowing only carefully controlled and developer-configurable preemption in an otherwise cooperative environment, the scheduler can maintain key invariants while restoring fairness. The paper presents a series of case-study workloads that motivate the need for preemption in real-world cooperative environments, sketches a hybrid design that introduces controlled preemption while maintaining cooperation benefits, and discusses the benefits by applying this hybrid design on the case-study workloads. A hybrid scheduling implementation, Cx, is in progress.

  PublisherDOI

• From Ahead-of- to Just-in-Time and Back Again: Static Analysis for Unix Shell Programs

  2025-05-14

  articleOpen accessSenior author

  Shell programming is as prevalent as ever. It is also quite complex, due to the structure of shell programs, their use of opaque software components, and their complex interactions with the broader environment. As a result, even when exercising an abundance of care, shell developers discover devastating bugs in their programs only at runtime: at best, shell programs going wrong crash the execution of a long-running task; at worst, they silently corrupt the broader environment in which they execute---affecting user data, modifying system files, and rendering entire systems unusable. Could the shell's users enjoy the benefits of semantics-driven static analysis before their programs' execution---as offered by most other production languages?

  PublisherDOI

• KLean: Extending Operating System Kernels with Lean

  2025-10-01

  articleOpen accessSenior author

  Safe kernel extension is an extremely successful feature in OS kernels with a plethora of interesting applications. It provides significant performance benefits by avoiding context switching and data copying, without compromising the kernel's integrity due to its verifiable safety. The most mature existing approach, namely BPF, verifies extension safety using sound abstract interpretation techniques with best effort precision. Such design not only increases the kernel maintenance burden due to its complexity, but also restricts extension expressiveness due to its approximations. The core of the problem, we argue, is the BPF verifier's dual mandate of precision and soundness in its safety analysis.

  PublisherDOI

• Executing Shell Scripts in the Wrong Order, Correctly

  2023-06-22 · 3 citations

  articleOpen accessSenior author

  Shell scripts are critical infrastructure for developers, administrators, and scientists; and ought to enjoy the performance benefits of the full suite of advances in compiler optimizations. But between the shell's inherent challenges and neglect from the community, shell tooling and performance lags far behind the state of the art. We propose executing scripts out-of-order to better use modern computational resources. Optimizing any part of an arbitrary shell script is very challenging: the shell language's complex, late-bound semantics makes extensive use of opaque external commands with arbitrary side effects.

  PublisherOA PDFDOI

• BinWrap: Hybrid Protection against Native Node.js Add-ons

  2023-07-05 · 8 citations

  articleOpen accessSenior author

  Modern applications, written in high-level programming languages, enjoy the security benefits of memory and type safety. Unfortunately, even a single memory-unsafe library can wreak havoc on the rest of an otherwise safe application, nullifying all the security guarantees offered by the high-level language and its managed runtime. We perform a study across the Node.js ecosystem to understand the use patterns of binary add-ons. Taking the identified trends into account, we propose a new hybrid permission model aimed at protecting both a binary add-on and its language-specific wrapper. The permission model is applied all around a native add-on and is enforced through a hybrid language-binary scheme that interposes on accesses to sensitive resources from all parts of the native library. We infer the add-on’s permission set automatically over both its binary and JavaScript sides, via a set of novel program analyses. Applied to a wide variety of native add-ons, we show that our framework, BinWrap, reduces access to sensitive resources, defends against real-world exploits, and imposes an overhead that ranges between 0.71%–10.4%.

  PublisherOA PDFDOI

• A systematic analysis of the event-stream incident

  2022-03-28 · 8 citations

  articleOpen accessSenior author

  On October 5, 2018, a GitHub user announced a critical security vulnerability in event-stream, a JavaScript package meant to simplify working with data-streams. The vulnerability, was introduced by a new maintainer, by including code designed to harvest account details from select Bitcoin wallets when executing as part of the Copay wallet. At the time of the incident, event-stream was used by hundreds of applications and averaged about two million downloads per week. This paper reports on the results of an independent analysis of the event-steam incident. A series of steps allowed the attacker to take control of important account functions, while the attack was designed to activate only on select few environments---only when part of a specific dependency tree, only on specific wallets, and only on the live Bitcoin network. Conventional program analysis techniques would have likely missed the attack, and manual vetting proved to be inadequate given the scale and complexity of dependencies typical of in modern applications. The event-stream incident provides an important case study of the risks associated with long and convoluted chains of third-party components, calling the research community to arms.

  PublisherDOI

Frequent coauthors

• Κωνσταντίνος Καλλάς

  California University of Pennsylvania

  16 shared

• Jonathan M. Smith

  California University of Pennsylvania

  11 shared

• André DeHon

  University of Pennsylvania

  9 shared

• Georgios Liargkovas

  Athens University of Economics and Business

  9 shared

• Michael Greenberg

  8 shared

• Martin Rinard

  Massachusetts Institute of Technology

  8 shared

• Grigoris Ntousakis

  Hellenic American University

  6 shared

• Ben Karel

  6 shared