Lujo Bauer
Assistant Research Professor
Collaborative Innovation Center, Room 2121
phone: +1-412-268-9745
Fall 2011: Intro to Computer & Network Security & Applied Cryptography (18-487)
Fall 2010: Secure Software Systems (18-732)
Fall 2009: Introduction to Security and Policy (18-630 / 19-631 / 95-830)
Fall 2008: Secure Software Systems (18-732)
Fall 2007: Introduction to Computer Security (18-730)
I do research on many aspects of computer security. I'm particularly interested in building usable access-control systems with sound theoretical underpinnings, and generally in narrowing the gap between a formal model and a usable system. Key terms: proof-carrying authorization, distributed access control, program monitors, security automata, languages for specifying security policies. Some of the projects I'm currently involved in include the following.
Grey: An experiment to create a universal and highly secure access-control device via software extensions to off-the-shelf "smart phones". Grey builds from formal techniques for proving authorization that assure sound access decisions and that permit virtually unlimited flexibility in the policies that can be implemented.
Passwords: Password-composition policies specify sets of restrictions that newly created passwords must meet. This project is a holistic investigation of how password-composition policies affect the security (e.g., guessability) and usability of passwords.
Secure Digital Home: This project explores an architecture, mechanisms, and interfaces for helping users manage access control in the digital home of the future.
Polymer: This project studies various facets of the theory, design, and implementation of software program monitors and monitor-specification languages. Past results included developing a language and system for specifying and enforcing composable run-time security policies on Java programs.
I enjoy advising (or working with) a number of talented PhD, master's, and undergraduate students; currently: Jassim Aljuraidan (CMU ECE PhD), Elli Fragkaki (CMU ECE PhD), Yuan Liang (CMU ECE PhD), Michelle Mazurek (CMU ECE PhD), Yannis Mallios (CMU ECE PhD), Divya Sharma (CMU ECE PhD), Kami Vaniea (CMU CSD PhD), Timothy Passaro (CMU ugrad).
Students I have supervised or worked with closely in the past: Scott Garriss (CMU ECE, PhD 2008), Rob Reeder (CMU CSD, PhD 2008), Tony Felice (CMU ECE ugrad/masters), Sudeep Modi (CMU INI masters), Brad Miller (CMU ECE ugrad).
If you're a PhD student interested in security and usability, you may want to take a look at the Carnegie Mellon Usable Privacy and Security Doctoral Training Program.
This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.
new! Tag, you can see it! Using tags for access control in photo sharing. [BibTeX]
Peter F. Klemperer, Yuan Liang, Michelle L. Mazurek, Manya Sleeper, Blase Ur, Lujo Bauer, Lorrie Faith Cranor, Nitin Gupta, and Michael K. Reiter.
In CHI 2012: Conference on Human Factors in Computing Systems, May 2012. To appear.
new! Discovering access-control misconfigurations: New approaches and evaluation methodologies. [BibTeX]
Lujo Bauer, Yuan Liang, Michael K. Reiter, and Chad Spensky.
In CODASPY'12: Proceedings of the Second ACM Conference on Data and Application Security and Privacy, February 2012. To appear.
new! Guess again (and again and again): measuring password strength by simulating password-cracking algorithms. [BibTeX]
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Rich Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez.
Technical Report CMU-CYLAB-11-008, CyLab, Carnegie Mellon University, August 2011.
new! Don't bump, shake on it: The exploitation of a popular accelerometer-based smart phone exchange and its secure replacement. [BibTeX]
Ahren Studer, Timothy Passaro, and Lujo Bauer.
In ACSAC '11: Proceedings of the 27th Annual Computer Security Applications Conference, December 2011. © ACM
More than skin deep: Measuring effects of the underlying model on access-control system usability. [BibTeX]
Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea.
In CHI 2011: Conference on Human Factors in Computing Systems, pages 2065–2074, May 2011. © ACM DOI: 10.1145/1978942.1979243
Exploring reactive access control. [BibTeX]
Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, and Lorrie Faith Cranor.
In CHI 2011: Conference on Human Factors in Computing Systems, pages 2085–2094, May 2011. © ACM DOI: 10.1145/1978942.1979245
Of passwords and people: Measuring the effect of password-composition policies. [BibTeX]
Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman.
In CHI 2011: Conference on Human Factors in Computing Systems, pages 2595–2604, May 2011. CHI 2011 Honorable Mention. © ACM DOI: 10.1145/1978942.1979321
Detecting and resolving policy misconfigurations in access-control systems. [BibTeX]
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
ACM Transactions on Information and System Security, 14(1), May 2011. © ACM DOI: 10.1145/1952982.1952984
Don't bump, shake on it: The exploitation of a popular accelerometer-based smart phone exchange and its secure replacement. [BibTeX]
Ahren Studer, Timothy Passaro, and Lujo Bauer.
Technical Report CMU-CYLAB-11-011, CyLab, Carnegie Mellon University, February 2011.
Access right assignment mechanisms for secure home networks. [BibTeX]
Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig, and Jesse Walker.
Journal of Communications and Networks, 13(2):175–186, 2011.
Challenges in access right assignment for secure home networks. [BibTeX]
Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig, and Jesse Walker.
In Proceedings of the 5th USENIX Workshop on Hot Topics in Security, August 2010.
Constraining credential usage in logic-based access control. [BibTeX]
Lujo Bauer, Limin Jia, and Divya Sharma.
In Proceedings of the 23rd IEEE Computer Security Foundations Symposium, pages 154–168, July 2010. © IEEE DOI: 10.1109/CSF.2010.18
Encountering stronger password requirements: User attitudes and behaviors. [BibTeX]
Richard Shay, Saranga Komanduri, Patrick Gage Kelley, Pedro Giovanni Leon, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In SOUPS '10: Proceedings of the 6th Symposium on Usable Privacy and Security, July 2010.
Access control for home data sharing: Attitudes, needs and practices. [BibTeX]
Michelle L. Mazurek, J.P. Arsenault, Joanna Breese, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter.
In CHI 2010: Conference on Human Factors in Computing Systems, pages 645–654, April 2010. © ACM DOI: 10.1145/1753326.1753421
Access control for home data sharing: Attitudes, needs and practices. [BibTeX]
Michelle L. Mazurek, J.P. Arsenault, Joanna Breese, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter.
Technical Report CMU-CyLab-09-013, CyLab, Carnegie Mellon University, October 2009.
Composing expressive runtime security policies. [BibTeX]
Lujo Bauer, Jay Ligatti, and David Walker.
ACM Transactions on Software Engineering and Methodology, 18(3), May 2009. © ACM DOI: 10.1145/1525880.1525882
xDomain: Cross-border proofs of access. [BibTeX]
Lujo Bauer, Limin Jia, Michael K. Reiter, and David Swasey.
In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, pages 43–52, June 2009. (Full version appears as technical report CMU-CyLab-09-005.) DOI: 10.1145/1542207.1542216
Real life challenges in access-control management. [BibTeX]
Lujo Bauer, Lorrie Cranor, Robert W. Reeder, Michael K. Reiter, and Kami Vaniea.
In CHI 2009: Conference on Human Factors in Computing Systems, pages 899–908, April 2009. © ACM DOI: 10.1145/1518701.1518838
Effects of access-control policy conflict-resolution methods on policy-authoring usability. [BibTeX]
Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea.
Technical Report CMU-CyLab-09-006, CyLab, Carnegie Mellon University, March 2009.
Run-time enforcement of nonsafety policies. [BibTeX]
Jay Ligatti, Lujo Bauer, and David Walker.
ACM Transactions on Information and System Security, 12(3), January 2009. © ACM DOI: 10.1145/1455526.1455532
Usable key agreement in home networks. [BibTeX]
Ramu Panayappan, Tom Palarz, Lujo Bauer, and Adrian Perrig.
In Proceedings of the 1st International Conference on COMmunication Systems and NETworkS (COMSNETS), pages 550–559, January 2009. © IEEE
Detecting and resolving policy misconfigurations in access-control systems. [BibTeX]
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pages 185–194, June 2008. © ACM DOI: 10.1145/1377836.1377866
A user study of policy creation in a flexible access-control system. [BibTeX]
Lujo Bauer, Lorrie Cranor, Robert W. Reeder, Michael K. Reiter, and Kami Vaniea.
In CHI 2008: Conference on Human Factors in Computing Systems, pages 543–552, April 2008. © ACM DOI: 10.1145/1357054.1357143
Expandable grids for visualizing and authoring computer security policies. [BibTeX]
Robert W. Reeder, Lujo Bauer, Lorrie Cranor, Michael K. Reiter, Kelli Bacon, Keisha How, and Heather Strong.
In CHI 2008: Conference on Human Factors in Computing Systems, pages 1473–1482, April 2008. © ACM DOI: 10.1145/1357054.1357285
Efficient proving for practical distributed access-control systems. [BibTeX]
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
In Computer Security—ESORICS 2007: 12th European Symposium on Research in Computer Security, volume 4734 of Lecture Notes in Computer Science, pages 19–37, September 2007. (Full version appears as technical report CMU-CyLab-06-015R.) © Springer-Verlag DOI: 10.1007/978-3-540-74835-9_3
Lessons learned from the deployment of a smartphone-based access-control system. [BibTeX]
Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea.
In SOUPS '07: Proceedings of the 3rd Symposium on Usable Privacy and Security, pages 64–75, July 2007. DOI: 10.1145/1280680.1280689
Consumable credentials in logic-based access-control systems. [BibTeX]
Kevin D. Bowers, Lujo Bauer, Deepak Garg, Frank Pfenning, and Michael K. Reiter.
In Proceedings of the 2007 Network & Distributed System Security Symposium, pages 143–157, February 2007. © Internet Society
Comparing access-control technologies: a study of keys and smartphones. [BibTeX]
Lujo Bauer, Lorrie Cranor, Robert W. Reeder, Michael K. Reiter, and Kami Vaniea.
Technical Report CMU-CYLAB-07-005, CyLab, Carnegie Mellon University, February 2007.
User-controllable security and privacy for pervasive computing. [BibTeX]
Jason Cornwell, Ian Fette, Gary Hsieh, Madhu Prabaker, Jinghai Rao, Karen Tang, Kami Vaniea, Lujo Bauer, Lorrie Cranor, Jason Hong, Bruce McLaren, Mike Reiter, and Norman Sadeh.
In Eighth IEEE Workshop on Mobile Computing Systems and Applications (HotMobile), pages 14–19, February 2007. DOI: 10.1109/WMCSA.2007.4389552
Efficient proving for distributed access-control systems. [BibTeX]
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
Technical Report CMU-CYLAB-06-015R, CyLab, Carnegie Mellon University, September 2006.
A linear logic of authorization and knowledge. [BibTeX]
Deepak Garg, Lujo Bauer, Kevin D. Bowers, Frank Pfenning, and Michael K. Reiter.
In Computer Security—ESORICS 2006: 11th European Symposium on Research in Computer Security, volume 4189 of Lecture Notes in Computer Science, pages 297–312, September 2006. Official, slightly abbreviated version. © Springer-Verlag DOI: 10.1007/11863908_19
Device-enabled authorization in the Grey system. [BibTeX]
Lujo Bauer, Scott Garriss, Jonathan M. McCune, Michael K. Reiter, Jason Rouse, and Peter Rutenbar.
In Information Security: 8th International Conference, ISC 2005, volume 3650 of Lecture Notes in Computer Science, pages 431–445, September 2005. An extended version of this paper appears as a tech report. © Springer-Verlag DOI: 10.1007/11556992_31
Enforcing non-safety security policies with program monitors. [BibTeX]
Jay Ligatti, Lujo Bauer, and David Walker.
In Computer Security—ESORICS 2005: 10th European Symposium on Research in Computer Security, volume 3679 of Lecture Notes in Computer Science, pages 355–373, September 2005. © Springer-Verlag DOI: 10.1007/11555827_21
Composing security policies with Polymer. [BibTeX]
Lujo Bauer, Jay Ligatti, and David Walker.
In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 305–314, June 2005. © ACM DOI: 10.1145/1065010.1065047
Distributed proving in access-control systems. [BibTeX]
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
In Proceedings of the 2005 IEEE Symposium on Security & Privacy, pages 81–95, May 2005. © IEEE DOI: 10.1109/SP.2005.9
Enforcing non-safety security policies with program monitors. [BibTeX]
Jay Ligatti, Lujo Bauer, and David Walker.
Technical Report TR-720-05, Princeton University, January 2005.
Edit automata: Enforcement mechanisms for run-time security policies. [BibTeX]
Jay Ligatti, Lujo Bauer, and David Walker.
International Journal of Information Security, 4(1–2):2–16, February 2005. (Published online 26 Oct 2004.) © Springer-Verlag DOI: 10.1007/s10207-004-0046-8
A language and system for composing security policies. [BibTeX]
Lujo Bauer, Jay Ligatti, and David Walker.
Technical Report TR-699-04, Princeton University, January 2004.
Access control for the Web via proof-carrying authorization. [BibTeX]
Lujo Bauer.
Ph.D. Thesis, Princeton University, November 2003.
Types and effects for non-interfering program monitors. [BibTeX]
Lujo Bauer, Jarred Ligatti, and David Walker.
In Software Security—Theories and Systems. Mext-NSF-JSPS International Symposium, ISSS 2002, Tokyo, Japan, November 8-10, 2002, Revised Papers, volume 2609 of Lecture Notes in Computer Science, pages 154–171, 2003. © Springer-Verlag
Mechanisms for secure modular programming in Java. [BibTeX]
Lujo Bauer, Andrew W. Appel, and Edward W. Felten.
Software—Practice and Experience, 33(5):461–480, 2003. DOI: 10.1002/spe.516
A general and flexible access-control system for the Web. [BibTeX]
Lujo Bauer, Michael A. Schneider, and Edward W. Felten.
In Proceedings of the 11th USENIX Security Symposium, pages 93–108, August 2002.
A calculus for composing security policies. [BibTeX]
Lujo Bauer, Jarred Ligatti, and David Walker.
Technical Report TR-655-02, Princeton University, August 2002.
More enforceable security policies. [BibTeX]
Lujo Bauer, Jarred Ligatti, and David Walker.
In Foundations of Computer Security, July 2002.
More enforceable security policies. [BibTeX]
Lujo Bauer, Jarred Ligatti, and David Walker.
Technical Report TR-649-02, Princeton University, June 2002.
A proof-carrying authorization system. [BibTeX]
Lujo Bauer, Michael A. Schneider, and Edward W. Felten.
Technical Report TR-638-01, Princeton University, April 2001.
Mechanisms for secure modular programming in Java. [BibTeX]
Lujo Bauer, Andrew W. Appel, and Edward W. Felten.
Technical Report TR-603-99, Princeton University, July 1999.
Updated 2011.12.05.
Copyright © Lujo Bauer