Ashish Gehani

Senior Principal Computer Scientist, Computer Science Laboratory

Over two decades at SRI, Dr. Gehani created an open-source infrastructure that has become widely used for data provenance collection and management research. With NSF’s 2007-2021 support, SPADE-v2 introduced a novel provenance kernel that decouples collection, storage, and querying of lineage metadata. The system runs on multiple operating systems, collects provenance from diverse sources, and enables storage in a range of formats and database types. It won ACM Middleware’s 2022 Test-of-Time Award.

As provenance graphs grew to billions of vertices and edges, Dr. Gehani developed novel techniques for handling the “big provenance” in domains such as operating systems and blockchains. These innovations included provenance sketches for accelerating distributed queries, compression techniques that reduce storage cost and time by an order of magnitude, and efficient querying during graph ingestion of terabyte-scale provenance repositories.

Building on SPADE’s foundation, Dr. Gehani architected the TRACE system in DARPA’s 2015-2020 Transparent Computing program (that tackled Advanced Persistent Threat detection). It increased the precision of data provenance graphs to enable tracking of sophisticated multi-stage attacks that evaded earlier security tools. Dr. Gehani then led the adaptation of SPADE to micro-service environments, where containerization can lead to false and missing dependencies. The extensions developed ensure sound and complete provenance tracking. A variant of SPADE was licensed to AccuKnox, a cloud venture.

Dr. Gehani has conducted a decade-long research program in software specialization, creating tools for security practitioners to reduce the attack surface of deployed applications. Because the modern software stack offers much functionality that is never used in a specific deployment, his 2013-2021 ONR-sponsored OCCAM-v2 and Trimmer projects reduced the space of possible runtime behavior in targeted applications. Experimental dynamic profiling allows OCCAM-v2 to address limitations of static analysis. DeepOCCAM, an extension, uses reinforcement learning to construct a specialization policy (instead of requiring a developer to manually create one). Trimmer was extended to make context-specific choices when pruning code, thereby improving the partial evaluation.

The security architecture and cryptographic framework of the ENCODERS peer-to-peer publish-subscribe service were designed by Dr. Gehani. Developed in DARPA’s 2011-2014 Content-Based Mobile Edge Networking program, the system ensures resilient group communication even when disconnected from the Internet. He designed protocols to enable decentralized secure content routing with dynamic provisioning of cryptographic attributes. This is essential for operations where centralized services may be compromised or unavailable. Dr. Gehani created a framework for privacy-preserving scoped content sharing that lets untrusted brokers match encrypted interests against encrypted access policies without learning sensitive information. This allows any user’s device to serve as a content relay, increasing network resilience.

Prior to joining SRI, Dr. Gehani studied super-resolution video, DNA computing, and risk-based intrusion prevention at Duke University, and decentralized authentication and authorization at the University of Notre Dame. He holds a Ph.D. in Computer Science from Duke University and a B.S. (Honors) in Mathematics from the University of Chicago. In 2025, Dr. Gehani became an SRI Fellow.