Advertisements — please consider submitting a paper or attending!
Spring 2013: Secure Software Systems (18-732)
Fall 2011: Intro to Computer & Network Security & Applied Cryptography (18-487)
Fall 2010: Secure Software Systems (18-732)
Fall 2009: Introduction to Security and Policy (18-630 / 19-631 / 95-830)
Fall 2008: Secure Software Systems (18-732)
Fall 2007: Introduction to Computer Security (18-730)
I do research on many aspects of computer security. I'm particularly interested in building usable access-control systems with sound theoretical underpinnings, and generally in narrowing the gap between a formal model and a usable system. Key terms: proof-carrying authorization, distributed access control, program monitors, security automata, languages for specifying security policies. Some of the projects I'm currently involved in are the following.
Passwords: Although they are often insecure and inconvenient, passwords aren't quite about to disappear. This project's goal is to help users create passwords that are easy for them to remember, but hard for attackers to guess. We work towards this goal by trying to deeply understand the password-creation process and the security of the resulting passwords, including by investigating the effects of password-composition policies and password meters on the security and usability of passwords, and by studying metrics for quantifying password strength.
Secure digital home: This project explores an architecture, mechanisms, and interfaces for helping users manage access control in the digital home of the future and on online social networks. Recent research includes investigating new ways of specifying access-control policies (e.g., reactively, and via metadata-based policy rules), and using machine learning to help with policy creation.
Grey: An experiment to create a universal and highly secure access-control device via software extensions to off-the-shelf "smart phones". Grey builds from formal techniques for proving authorization that assure sound access decisions and that permit virtually unlimited flexibility in the policies that can be implemented.
Run-time monitors: This project studies various facets of the theory, design, and implementation of software program monitors and monitor-specification languages. Past results included developing a language and system for specifying and enforcing composable run-time security policies on Java programs. Current research focuses on enforcing policies in distributed systems and with distributed monitors.
I enjoy advising and working with a number of talented PhD, masters, and undergraduate students; including: Jassim Aljuraidan (CMU ECE PhD), Shaoying Cai (visiting PhD student from SMU, Singapore), Wataru Hasegawa (CMU INI master's), Elli Fragkaki (CMU ECE PhD), Wataru Hasegawa (CMU INI master's), Joel Lee (CMU Heinz master's), Michelle Mazurek (CMU ECE PhD), Yannis Mallios (CMU ECE PhD), Timothy Passaro (CMU ugrad).
Students I have supervised or worked with closely in the past: Scott Garriss (CMU ECE, PhD 2008), Rob Reeder (CMU CSD, PhD 2008), Kami Vaniea (CMU CSD, PhD 2012), Tony Felice (CMU ECE ugrad/master's), Sudeep Modi (CMU INI master's), Brad Miller (CMU ECE ugrad).
If you're a PhD student interested in security and usability, you may want to take a look at the Carnegie Mellon Usable Privacy and Security Doctoral Training Program.
This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.
new! The impact of length and mathematical operators on the usability and security of system-assigned one-time PINs. [BibTeX]
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In 2013 Workshop on Usable Security (USEC), April 2013.
new! Helping users create better passwords. [BibTeX]
Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, and Julio López.
USENIX ;login:, 37(6), December 2012.
Enforcing more with less: Formalizing target-aware run-time monitors. [BibTeX]
Yannis Mallios, Lujo Bauer, Dilsun Kaynar, and Jay Ligatti.
In Security and Trust Management: 8th International Workshop, STM 2012, Pisa, Italy, September 13–14, 2012, Revised Selected Papers, volume 7783 of Lecture Notes in Computer Science, pages 17–32, 2013. © Springer-Verlag DOI: 10.1007/978-3-642-38004-4_2
Modeling and enhancing Android's permission system. [BibTeX]
Elli Fragkaki, Lujo Bauer, Limin Jia, and David Swasey.
In Computer Security—ESORICS 2012: 17th European Symposium on Research in Computer Security, volume 7459 of Lecture Notes in Computer Science, pages 1–18, September 2012. © Springer-Verlag DOI: 10.1007/978-3-642-33167-1_1
How does your password measure up? The effect of strength meters on password creation. [BibTeX]
Blase Ur, Patrick Gage Kelly, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In Proceedings of the 21st USENIX Security Symposium, August 2012.
Check points against privacy breaches in Android applications. [BibTeX]
Kazuhide Fukushima, Lujo Bauer, Limin Jia, Shinsaku Kiyomoto, and Yutaka Miyake.
IJCSNS, 12(8), August 2012.
Studying access control usability in the lab: Lessons learned from four studies. [BibTeX]
Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, and Michael K. Reiter.
In LASER 2012–Learning from Authoritative Security Experiment Results, July 2012.
Out of sight, out of mind: Effects of displaying access-control information near the item it controls. [BibTeX]
Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, and Michael K. Reiter.
In Proceedings of the Tenth Annual Conference on Privacy, Security and Trust, July 2012. DOI: 10.1109/PST.2012.6297929
Correct horse battery staple: Exploring the usability of system-assigned passphrases. [BibTeX]
Richard Shay, Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Blase Ur, Tim Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In SOUPS '12: Proceedings of the 8th Symposium on Usable Privacy and Security, July 2012. DOI: 10.1145/2335356.2335366
Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. [BibTeX]
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez.
In Proceedings of the 2012 IEEE Symposium on Security and Privacy, May 2012. © IEEE
Tag, you can see it! Using tags for access control in photo sharing. [BibTeX]
Peter F. Klemperer, Yuan Liang, Michelle L. Mazurek, Manya Sleeper, Blase Ur, Lujo Bauer, Lorrie Faith Cranor, Nitin Gupta, and Michael K. Reiter.
In CHI 2012: Conference on Human Factors in Computing Systems, May 2012. © ACM
Discovering access-control misconfigurations: New approaches and evaluation methodologies. [BibTeX]
Lujo Bauer, Yuan Liang, Michael K. Reiter, and Chad Spensky.
In CODASPY'12: Proceedings of the Second ACM Conference on Data and Application Security and Privacy, February 2012. © ACM
Guess again (and again and again: Measuring password strength by simulating password-cracking algorithms. [BibTeX]
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Rich Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez.
Technical Report CMU-CYLAB-11-008, CyLab, Carnegie Mellon University, August 2011.
Copyright © Lujo Bauer