Lujo Bauer
[loo'yo]

Associate Research Professor
CyLab and ECE, Carnegie Mellon University


Teaching

Spring 2015: Secure Software Systems (18-732)
Fall 2014: Information Security and Privacy (08-731/15-421/08-761/45-885/45-985)
Spring 2014: Secure Software Systems (18-732)
Spring 2013: Secure Software Systems (18-732)
Fall 2011: Intro to Computer & Network Security & Applied Cryptography (18-487)

Fall 2010: Secure Software Systems (18-732)
Fall 2009: Introduction to Security and Policy (18-630 / 19-631 / 95-830)
Fall 2008: Secure Software Systems (18-732)
Fall 2007: Introduction to Computer Security (18-730)

Research Interests

I do research on many aspects of computer security. I'm particularly interested in building usable access-control systems with sound theoretical underpinnings, and generally in narrowing the gap between a formal model and a usable system. Key terms: proof-carrying authorization, distributed access control, program monitors, security automata, languages for specifying security policies. Some of the projects I'm currently involved in are the following.

Secure digital home / access control for non-security-experts: This project explores an architecture, mechanisms, and interfaces for helping users manage access control in the digital home of the future and on online social networks. Recent research includes investigating new ways of specifying access-control policies (e.g., reactively, and via metadata-based policy rules), and using machine learning to help with policy creation.

Publications

Toward strong, usable access control for shared distributed data.   [BibTeX, talk video]
Michelle L. Mazurek, Yuan Liang, William Melicher, Manya Sleeper, Lujo Bauer, Gregory R. Ganger, Nitin Gupta, and Michael K. Reiter.
In Proceedings of the 12th USENIX Conference on File and Storage Technologies (FAST '14), February 2014. USENIX.

Challenges faced in working with users to design access-control systems for domestic environments.   [BibTeX]
Manya Sleeper, Michelle L. Mazurek and Lujo Bauer.
In Designing with Users for Domestic Environments workshop at CSCW14 (the 17th ACM Conference on Computer Supported Cooperative Work and Social Computing), February 2014. Position paper.

The post anachronism: The temporal dimension of Facebook privacy.   [BibTeX]
Lujo Bauer, Lorrie Faith Cranor, Saranga Komanduri, Michelle L. Mazurek, Michael K. Reiter, Manya Sleeper, and Blase Ur.
In Proceedings of the 12th Annual Workshop on Privacy in the Electronic Society, November 2013. ACM. © authors  DOI:10.1145/2517840.2517859

What you want is not what you get: Predicting sharing policies for text-based content on Facebook.   [BibTeX]
Arunesh Sinha, Yan Li and Lujo Bauer.
In Proceedings of the 6th ACM Workshop on Security and Artificial Intelligence, November 2013. ACM. © authors  DOI:10.1145/2517312.2517317

What matters to users? Factors that affect users' willingness to share information with online advertisers.   [BibTeX]
Pedro G. Leon, Blase Ur, Yang Wang, Manya Sleeper, Rebecca Balebako, Richard Shay, Lujo Bauer, Mihai Christodorescu, and Lorrie Faith Cranor.
In SOUPS '13: Proceedings of the 9th Symposium on Usable Privacy and Security, July 2013. ACM. © authors  DOI:10.1145/2501604.2501611

Out of sight, out of mind: Effects of displaying access-control information near the item it controls.   [BibTeX]
Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, and Michael K. Reiter.
In Proceedings of the 2012 Tenth Annual International Conference on Privacy, Security and Trust (PST), pages 128–136, July 2012. IEEE. © IEEE  DOI:10.1109/PST.2012.6297929

Tag, you can see it! Using tags for access control in photo sharing.   [BibTeX]
Peter F. Klemperer, Yuan Liang, Michelle L. Mazurek, Manya Sleeper, Blase Ur, Lujo Bauer, Lorrie Faith Cranor, Nitin Gupta, and Michael K. Reiter.
In CHI 2012: Conference on Human Factors in Computing Systems, pages 377–386, May 2012. ACM. © ACM  DOI:10.1145/2207676.2207728

Exploring reactive access control.   [BibTeX]
Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, and Lorrie Faith Cranor.
In CHI '11: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 2085–2094, May 2011. ACM. © ACM  DOI:10.1145/1978942.1979245

Access control for home data sharing: Attitudes, needs and practices.   [BibTeX]
Michelle L. Mazurek, J.P. Arsenault, Joanna Breese, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter.
In CHI 2010: Conference on Human Factors in Computing Systems, pages 645–654, April 2010. ACM. © ACM  DOI:10.1145/1753326.1753421

Passwords: Although they are often insecure and inconvenient, passwords aren't quite about to disappear. This project's goal is to help users create passwords that are easy for them to remember, but hard for attackers to guess. We work towards this goal by trying to deeply understand the password-creation process and the security of the resulting passwords, including by investigating the effects of password-composition policies and password meters on the security and usability of passwords, and by studying metrics for quantifying password strength.

Publications

new!  Can long passwords be secure and usable?   [BibTeX, video teaser]
Richard Shay, Saranga Komanduri, Adam L. Durity, Philip (Seyoung) Huh, Michelle L. Mazurek, Sean M. Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In CHI 2014: Conference on Human Factors in Computing Systems, April 2014. ACM. © authors  DOI:10.1145/2556288.2557377

Measuring password guessability for an entire university.   [BibTeX]
Michelle L. Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, and Blase Ur.
In Proceedings of the 2013 ACM Conference on Computer and Communications Security, November 2013. ACM. © authors  DOI:10.1145/2508859.2516726

The impact of length and mathematical operators on the usability and security of system-assigned one-time PINs.   [BibTeX]
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In 2013 Workshop on Usable Security (USEC), volume 7862 of Lecture Notes in Computer Science, pages 34–51, April 2013. Springer. © Springer-Verlag  DOI:10.1007/978-3-642-41320-9_3

Helping users create better passwords.   [BibTeX]
Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, and Julio López.
USENIX ;login:, 37(6), December 2012. USENIX. © authors

How does your password measure up? The effect of strength meters on password creation.   [BibTeX, talk video]
Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In Proceedings of the 21st USENIX Security Symposium, August 2012. USENIX Association. © authors

Correct horse battery staple: Exploring the usability of system-assigned passphrases.   [BibTeX]
Richard Shay, Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Blase Ur, Tim Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In SOUPS '12: Proceedings of the 8th Symposium on Usable Privacy and Security, July 2012. ACM. © authors  DOI:10.1145/2335356.2335366

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms.   [BibTeX]
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez.
In Proceedings of the 2012 IEEE Symposium on Security and Privacy, pages 523–537, May 2012. IEEE. © IEEE  DOI:10.1109/SP.2012.38

Of passwords and people: Measuring the effect of password-composition policies.   [BibTeX]
Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman.
In CHI '11: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 2595–2604, May 2011. ACM. CHI 2011 Honorable Mention. © ACM  DOI:10.1145/1978942.1979321

Encountering stronger password requirements: User attitudes and behaviors.   [BibTeX]
Richard Shay, Saranga Komanduri, Patrick Gage Kelley, Pedro Giovanni Leon, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In SOUPS '10: Proceedings of the 6th Symposium on Usable Privacy and Security, July 2010. ACM. © authors  DOI:10.1145/1837110.1837113

Grey: An experiment to create a universal and highly secure access-control device via software extensions to off-the-shelf "smart phones". Grey builds from formal techniques for proving authorization that assure sound access decisions and that permit virtually unlimited flexibility in the policies that can be implemented.

Publications

Discovering access-control misconfigurations: New approaches and evaluation methodologies.   [BibTeX]
Lujo Bauer, Yuan Liang, Michael K. Reiter, and Chad Spensky.
In CODASPY'12: Proceedings of the Second ACM Conference on Data and Application Security and Privacy, February 2012. © ACM  DOI:10.1145/2133601.2133613

Detecting and resolving policy misconfigurations in access-control systems.   [BibTeX]
Lujo Bauer, Scott Garriss and Michael K. Reiter.
ACM Transactions on Information and System Security, 14(1), May 2011. ACM. © ACM  DOI:10.1145/1952982.1952984

Detecting and resolving policy misconfigurations in access-control systems.   [BibTeX]
Lujo Bauer, Scott Garriss and Michael K. Reiter.
In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pages 185–194, June 2008. ACM. © ACM  DOI:10.1145/1377836.1377866

Efficient proving for practical distributed access-control systems.   [BibTeX]
Lujo Bauer, Scott Garriss and Michael K. Reiter.
In Computer Security—ESORICS 2007: 12th European Symposium on Research in Computer Security, volume 4734 of Lecture Notes in Computer Science, pages 19–37, September 2007. Springer. (Full version appears as technical report CMU-CyLab-06-015R.) © Springer-Verlag  DOI:10.1007/978-3-540-74835-9_3

Lessons learned from the deployment of a smartphone-based access-control system.   [BibTeX]
Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea.
In SOUPS '07: Proceedings of the 3rd Symposium on Usable Privacy and Security, pages 64–75, July 2007. ACM. © authors  DOI:10.1145/1280680.1280689

Consumable credentials in logic-based access-control systems.   [BibTeX]
Kevin D. Bowers, Lujo Bauer, Deepak Garg, Frank Pfenning, and Michael K. Reiter.
In Proceedings of the 2007 Network & Distributed System Security Symposium, pages 143–157, February 2007. Internet Society. © Internet Society

User-controllable security and privacy for pervasive computing.   [BibTeX]
Jason Cornwell, Ian Fette, Gary Hsieh, Madhu Prabaker, Jinghai Rao, Karen Tang, Kami Vaniea, Lujo Bauer, Lorrie Cranor, Jason Hong, Bruce McLaren, Mike Reiter, and Norman Sadeh.
In Eighth IEEE Workshop on Mobile Computing Systems and Applications (HotMobile), pages 14–19, February 2007. IEEE. © IEEE  DOI:10.1109/WMCSA.2007.4389552

Efficient proving for distributed access-control systems.   [BibTeX]
Lujo Bauer, Scott Garriss and Michael K. Reiter.
Technical Report CMU-CYLAB-06-015R, CyLab, Carnegie Mellon University, September 2006.

A linear logic of authorization and knowledge.   [BibTeX]
Deepak Garg, Lujo Bauer, Kevin D. Bowers, Frank Pfenning, and Michael K. Reiter.
In Computer Security—ESORICS 2006: 11th European Symposium on Research in Computer Security, volume 4189 of Lecture Notes in Computer Science, pages 297–312, September 2006. Springer. Official, slightly abbreviated version. © Springer-Verlag  DOI:10.1007/11863908_19

Device-enabled authorization in the Grey system.   [BibTeX]
Lujo Bauer, Scott Garriss, Jonathan M. McCune, Michael K. Reiter, Jason Rouse, and Peter Rutenbar.
In Information Security: 8th International Conference, ISC 2005, volume 3650 of Lecture Notes in Computer Science, pages 431–445, September 2005. Springer. An extended version of this paper appears as a tech report. © Springer-Verlag  DOI:10.1007/11556992_31

Distributed proving in access-control systems.   [BibTeX]
Lujo Bauer, Scott Garriss and Michael K. Reiter.
In Proceedings of the 2005 IEEE Symposium on Security & Privacy, pages 81–95, May 2005. IEEE. © IEEE  DOI:10.1109/SP.2005.9

Run-time monitors: This project studies various facets of the theory, design, and implementation of software program monitors and monitor-specification languages. Past results included developing a language and system for specifying and enforcing composable run-time security policies on Java programs. Current research focuses on enforcing policies in distributed systems and with distributed monitors.

Publications

Probabilistic cost enforcement of security policies.   [BibTeX]
Yannis Mallios, Lujo Bauer, Dilsun Kaynar, Fabio Martinelli, and Charles Morisset.
In Security and Trust Management: 9th International Workshop, STM 2013, Proceedings, volume 8203 of Lecture Notes in Computer Science, pages 144–159, September 2013. Springer. © Springer-Verlag  DOI:10.1007/978-3-642-41098-7_10

Enforcing more with less: Formalizing target-aware run-time monitors.   [BibTeX]
Yannis Mallios, Lujo Bauer, Dilsun Kaynar, and Jay Ligatti.
In Security and Trust Management: 8th International Workshop, STM 2012, Pisa, Italy, September 13–14, 2012, Revised Selected Papers, volume 7783 of Lecture Notes in Computer Science, pages 17–32, 2013. © Springer-Verlag  DOI:10.1007/978-3-642-38004-4_2

Composing expressive runtime security policies.   [BibTeX]
Lujo Bauer, Jay Ligatti and David Walker.
ACM Transactions on Software Engineering and Methodology, 18(3), May 2009. ACM. © ACM  DOI:10.1145/1525880.1525882

Run-time enforcement of nonsafety policies.   [BibTeX]
Jay Ligatti, Lujo Bauer and David Walker.
ACM Transactions on Information and System Security, 12(3), January 2009. ACM. © ACM  DOI:10.1145/1455526.1455532

Students

I'm fortunate to advise and work with a number of talented PhD, masters, and undergraduate students, including: Jassim Aljuraidan (CMU ECE PhD), Yannis Mallios (CMU ECE PhD), Michelle Mazurek (CMU ECE PhD), Billy Melicher (CMU ECE PhD), Sean Segreti (CMU ECE PhD), Shaoying Cai (visiting PhD student from SMU, Singapore), Wataru Hasegawa (CMU INI masters), Seyoung Huh (CMU ECE masters), Timothy Passaro (CMU ugrad).

Students I have supervised or worked with closely in the past: Scott Garriss (CMU ECE, PhD 2008), Rob Reeder (CMU CSD, PhD 2008), Kami Vaniea (CMU CSD, PhD 2012), Tony Felice (CMU ECE ugrad/master's), Elli Fragkaki (CMU ECE, MS 2013), Joel Lee (CMU Heinz master's), Sudeep Modi (CMU INI master's), Brad Miller (CMU ECE ugrad).

If you're a PhD student interested in security and usability, you may want to take a look at the Carnegie Mellon Usable Privacy and Security Doctoral Training Program.

Recent publications (full list)

This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicit permission of the copyright holder.

new!  Analyzing the dangers posed by Chrome extensions.   [BibTeX]
L. Bauer, S. Cai, L. Jia, T. Passaro, and Y. Tian.
IEEE CNS 2014. To appear.

new!  Android taint flow analysis for app sets.   [BibTeX]
W. Klieber, L. Flynn, A. Bhosale, L. Jia, and L. Bauer.
SOAP 2014.

new!  Studying the effectiveness of security images in Internet banking.   [BibTeX]
J. Lee and L. Bauer.
W2SP 2014.

new!  Can long passwords be secure and usable?   [BibTeX, video teaser]
R. Shay, S. Komanduri, A. L. Durity, P. Huh, M. L. Mazurek, S. M. Segreti, B. Ur, L. Bauer, N. Christin, and L. F. Cranor.
CHI 2014.  DOI:10.1145/2556288.2557377

Toward strong, usable access control for shared distributed data.   [BibTeX, talk video]
M. L. Mazurek, Y. Liang, W. Melicher, M. Sleeper, L. Bauer, G. R. Ganger, N. Gupta, and M. K. Reiter.
FAST '14.

Challenges faced in working with users to design access-control systems for domestic environments.   [BibTeX]
M. Sleeper, M. L. Mazurek and L. Bauer.
Designing with Users for Domestic Environments 2014. Position paper.

A comparison of users' perceptions and willingness to use Google, Facebook, and Google+ single-sign-on functionality.   [BibTeX]
L. Bauer, C. Bravo-Lillo, E. Fragkaki, and W. Melicher.
DIM 2013.  DOI:10.1145/2517881.2517886

Measuring password guessability for an entire university.   [BibTeX]
M. L. Mazurek, S. Komanduri, T. Vidas, L. Bauer, N. Christin, L. F. Cranor, P. G. Kelley, R. Shay, and B. Ur.
CCS 2013.  DOI:10.1145/2508859.2516726

The post anachronism: The temporal dimension of Facebook privacy.   [BibTeX]
L. Bauer, L. F. Cranor, S. Komanduri, M. L. Mazurek, M. K. Reiter, M. Sleeper, and B. Ur.
WPES 2013.  DOI:10.1145/2517840.2517859

What you want is not what you get: Predicting sharing policies for text-based content on Facebook.   [BibTeX]
A. Sinha, Y. Li and L. Bauer.
AISec 2013.  DOI:10.1145/2517312.2517317

Probabilistic cost enforcement of security policies.   [BibTeX]
Y. Mallios, L. Bauer, D. Kaynar, F. Martinelli, and C. Morisset.
STM 2013.  DOI:10.1007/978-3-642-41098-7_10

Run-time enforcement of information-flow properties on Android (extended abstract).   [BibTeX, demo]
L. Jia, J. Aljuraidan, E. Fragkaki, L. Bauer, M. Stroucken, K. Fukushima, S. Kiyomoto, and Y. Miyake.
ESORICS 2013. (Full version appears as technical report CMU-CyLab-12-015.)  DOI:10.1007/978-3-642-40203-6_43

What matters to users? Factors that affect users' willingness to share information with online advertisers.   [BibTeX]
P. G. Leon, B. Ur, Y. Wang, M. Sleeper, R. Balebako, R. Shay, L. Bauer, M. Christodorescu, and L. F. Cranor.
SOUPS 2013.  DOI:10.1145/2501604.2501611

Updated 2014.05.12.
Copyright © Lujo Bauer