This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted without the explicity permission of the copyright holder.
new! The impact of length and mathematical operators on the usability and security of system-assigned one-time PINs. [BibTeX]
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In 2013 Workshop on Usable Security (USEC), April 2013.
new! Helping users create better passwords. [BibTeX]
Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, and Julio López.
USENIX ;login:, 37(6), December 2012.
Enforcing more with less: Formalizing target-aware run-time monitors. [BibTeX]
Yannis Mallios, Lujo Bauer, Dilsun Kaynar, and Jay Ligatti.
In Security and Trust Management: 8th International Workshop, STM 2012, Pisa, Italy, September 13–14, 2012, Revised Selected Papers, volume 7783 of Lecture Notes in Computer Science, pages 17–32, 2013. © Springer-Verlag DOI: 10.1007/978-3-642-38004-4_2
Modeling and enhancing Android's permission system. [BibTeX]
Elli Fragkaki, Lujo Bauer, Limin Jia, and David Swasey.
In Computer Security—ESORICS 2012: 17th European Symposium on Research in Computer Security, volume 7459 of Lecture Notes in Computer Science, pages 1–18, September 2012. © Springer-Verlag DOI: 10.1007/978-3-642-33167-1_1
How does your password measure up? The effect of strength meters on password creation. [BibTeX]
Blase Ur, Patrick Gage Kelly, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In Proceedings of the 21st USENIX Security Symposium, August 2012.
Check points against privacy breaches in Android applications. [BibTeX]
Kazuhide Fukushima, Lujo Bauer, Limin Jia, Shinsaku Kiyomoto, and Yutaka Miyake.
IJCSNS, 12(8), August 2012.
Studying access control usability in the lab: Lessons learned from four studies. [BibTeX]
Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, and Michael K. Reiter.
In LASER 2012–Learning from Authoritative Security Experiment Results, July 2012.
Out of sight, out of mind: Effects of displaying access-control information near the item it controls. [BibTeX]
Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, and Michael K. Reiter.
In Proceedings of the Tenth Annual Conference on Privacy, Security and Trust, July 2012. DOI: 10.1109/PST.2012.6297929
Correct horse battery staple: Exploring the usability of system-assigned passphrases. [BibTeX]
Richard Shay, Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Blase Ur, Tim Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In SOUPS '12: Proceedings of the 8th Symposium on Usable Privacy and Security, July 2012. DOI: 10.1145/2335356.2335366
Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms. [BibTeX]
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez.
In Proceedings of the 2012 IEEE Symposium on Security and Privacy, May 2012. © IEEE
Tag, you can see it! Using tags for access control in photo sharing. [BibTeX]
Peter F. Klemperer, Yuan Liang, Michelle L. Mazurek, Manya Sleeper, Blase Ur, Lujo Bauer, Lorrie Faith Cranor, Nitin Gupta, and Michael K. Reiter.
In CHI 2012: Conference on Human Factors in Computing Systems, May 2012. © ACM
Discovering access-control misconfigurations: New approaches and evaluation methodologies. [BibTeX]
Lujo Bauer, Yuan Liang, Michael K. Reiter, and Chad Spensky.
In CODASPY'12: Proceedings of the Second ACM Conference on Data and Application Security and Privacy, February 2012. © ACM
Guess again (and again and again: Measuring password strength by simulating password-cracking algorithms. [BibTeX]
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Rich Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez.
Technical Report CMU-CYLAB-11-008, CyLab, Carnegie Mellon University, August 2011.
Don't bump, shake on it: The exploitation of a popular accelerometer-based smart phone exchange and its secure replacement. [BibTeX]
Ahren Studer, Timothy Passaro, and Lujo Bauer.
In ACSAC '11: Proceedings of the 27th Annual Computer Security Applications Conference, December 2011. © ACM
More than skin deep: Measuring effects of the underlying model on access-control system usability. [BibTeX]
Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea.
In CHI 2011: Conference on Human Factors in Computing Systems, pages 2065–2074, May 2011. © ACM DOI: 10.1145/1978942.1979243
Exploring reactive access control. [BibTeX]
Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, and Lorrie Faith Cranor.
In CHI 2011: Conference on Human Factors in Computing Systems, pages 2085–2094, May 2011. © ACM DOI: 10.1145/1978942.1979245
Of passwords and people: Measuring the effect of password-composition policies. [BibTeX]
Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman.
In CHI 2011: Conference on Human Factors in Computing Systems, pages 2595–2604, May 2011. CHI 2011 Honorable Mention. © ACM DOI: 10.1145/1978942.1979321
Detecting and resolving policy misconfigurations in access-control systems. [BibTeX]
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
ACM Transactions on Information and System Security, 14(1), May 2011. © ACM DOI: 10.1145/1952982.1952984
Don't bump, shake on it: The exploitation of a popular accelerometer-based smart phone exchange and its secure replacement. [BibTeX]
Ahren Studer, Timothy Passaro, and Lujo Bauer.
Technical Report CMU-CYLAB-11-011, CyLab, Carnegie Mellon University, February 2011.
Access right assignment mechanisms for secure home networks. [BibTeX]
Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig, and Jesse Walker.
Journal of Communications and Networks, 13(2):175–186.
Challenges in access right assignment for secure home networks. [BibTeX]
Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig, and Jesse Walker.
In Proceedings of the 5th USENIX Workshop on Hot Topics in Security, August 2010.
Constraining credential usage in logic-based access control. [BibTeX]
Lujo Bauer, Limin Jia, and Divya Sharma.
In Proceedings of the 23rd IEEE Computer Security Foundations Symposium, pages 154–168, July 2010. © IEEE DOI: 10.1109/CSF.2010.18
Encountering stronger password requirements: User attitudes and behaviors. [BibTeX]
Richard Shay, Saranga Komanduri, Patrick Gage Kelley, Pedro Giovanni Leon, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In SOUPS '10: Proceedings of the 6th Symposium on Usable Privacy and Security, July 2010.
Access control for home data sharing: Attitudes, needs and practices. [BibTeX]
Michelle L. Mazurek, J.P. Arsenault, Joanna Breese, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter.
In CHI 2010: Conference on Human Factors in Computing Systems, pages 645–654, April 2010. © ACM DOI: 10.1145/1753326.1753421
Access control for home data sharing: Attitudes, needs and practices. [BibTeX]
Michelle L. Mazurek, J.P. Arsenault, Joanna Breese, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter.
Technical Report CMU-CyLab-09-013, CyLab, Carnegie Mellon University, October 2009.
Composing expressive runtime security policies. [BibTeX]
Lujo Bauer, Jay Ligatti, and David Walker.
ACM Transactions on Software Engineering and Methodology, 18(3), May 2009. © ACM DOI: 10.1145/1525880.1525882
xDomain: Cross-border proofs of access. [BibTeX]
Lujo Bauer, Limin Jia, Michael K. Reiter, and David Swasey.
In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, pages 43–52, June 2009. (Full version appears as technical report CMU-CyLab-09-005.) DOI: 10.1145/1542207.1542216
Real life challenges in access-control management. [BibTeX]
Lujo Bauer, Lorrie Cranor, Robert W. Reeder, Michael K. Reiter, and Kami Vaniea.
In CHI 2009: Conference on Human Factors in Computing Systems, pages 899–908, April 2009. © ACM DOI: 10.1145/1518701.1518838
Effects of access-control policy conflict-resolution methods on policy-authoring usability. [BibTeX]
Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea.
Technical Report CMU-CyLab-09-006, CyLab, Carnegie Mellon University, March 2009.
Run-time enforcement of nonsafety policies. [BibTeX]
Jay Ligatti, Lujo Bauer, and David Walker.
ACM Transactions on Information and System Security, 12(3), January 2009. © ACM DOI: 10.1145/1455526.1455532
Usable key agreement in home networks. [BibTeX]
Ramu Panayappan, Tom Palarz, Lujo Bauer, and Adrian Perrig.
In Proceedings of the 1st International Conference on COMmunication Systems and NETworkS (COMSNETS), pages 550–559, January 2009. © IEEE
Detecting and resolving policy misconfigurations in access-control systems. [BibTeX]
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pages 185–194, June 2008. © ACM DOI: 10.1145/1377836.1377866
A user study of policy creation in a flexible access-control system. [BibTeX]
Lujo Bauer, Lorrie Cranor, Robert W. Reeder, Michael K. Reiter, and Kami Vaniea.
In CHI 2008: Conference on Human Factors in Computing Systems, pages 543–552, April 2008. © ACM DOI: 10.1145/1357054.1357143
Expandable grids for visualizing and authoring computer security policies. [BibTeX]
Robert W. Reeder, Lujo Bauer, Lorrie Cranor, Michael K. Reiter, Kelli Bacon, Keisha How, and Heather Strong.
In CHI 2008: Conference on Human Factors in Computing Systems, pages 1473–1482, April 2008. © ACM DOI: 10.1145/1357054.1357285
Efficient proving for practical distributed access-control systems. [BibTeX]
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
In Computer Security—ESORICS 2007: 12th European Symposium on Research in Computer Security, volume 4734 of Lecture Notes in Computer Science, pages 19–37, September 2007. (Full version appears as technical report CMU-CyLab-06-015R.) © Springer-Verlag DOI: 10.1007/978-3-540-74835-9_3
Lessons learned from the deployment of a smartphone-based access-control system. [BibTeX]
Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea.
In SOUPS '07: Proceedings of the 3rd Symposium on Usable Privacy and Security, pages 64–75, July 2007. DOI: 10.1145/1280680.1280689
Consumable credentials in logic-based access-control systems. [BibTeX]
Kevin D. Bowers, Lujo Bauer, Deepak Garg, Frank Pfenning, and Michael K. Reiter.
In Proceedings of the 2007 Network & Distributed System Security Symposium, pages 143–157, February 2007. © Internet Society
Comparing access-control technologies: a study of keys and smartphones. [BibTeX]
Lujo Bauer, Lorrie Cranor, Robert W. Reeder, Michael K. Reiter, and Kami Vaniea.
Technical Report CMU-CYLAB-07-005, CyLab, Carnegie Mellon University, February 2007.
User-controllable security and privacy for pervasive computing. [BibTeX]
Jason Cornwell, Ian Fette, Gary Hsieh, Madhu Prabaker, Jinghai Rao, Karen Tang, Kami Vaniea, Lujo Bauer, Lorrie Cranor, Jason Hong, Bruce McLaren, Mike Reiter, and Norman Sadeh.
In Eighth IEEE Workshop on Mobile Computing Systems and Applications (HotMobile), pages 14–19, February 2007. DOI: 10.1109/WMCSA.2007.4389552
Efficient proving for distributed access-control systems. [BibTeX]
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
Technical Report CMU-CYLAB-06-015R, CyLab, Carnegie Mellon University, September 2006.
A linear logic of authorization and knowledge. [BibTeX]
Deepak Garg, Lujo Bauer, Kevin D. Bowers, Frank Pfenning, and Michael K. Reiter.
In Computer Security—ESORICS 2006: 11th European Symposium on Research in Computer Security, volume 4189 of Lecture Notes in Computer Science, pages 297–312, September 2006. Official, slightly abbreviated version. © Springer-Verlag DOI: 10.1007/11863908_19
Device-enabled authorization in the Grey system. [BibTeX]
Lujo Bauer, Scott Garriss, Jonathan M. McCune, Michael K. Reiter, Jason Rouse, and Peter Rutenbar.
In Information Security: 8th International Conference, ISC 2005, volume 3650 of Lecture Notes in Computer Science, pages 431–445, September 2005. An extended version of this paper appears as a tech report. © Springer-Verlag DOI: 10.1007/11556992_31
Enforcing non-safety security policies with program monitors. [BibTeX]
Jay Ligatti, Lujo Bauer, and David Walker.
In Computer Security—ESORICS 2005: 10th European Symposium on Research in Computer Security, volume 3679 of Lecture Notes in Computer Science, pages 355–373, September 2005. © Springer-Verlag DOI: 10.1007/11555827_21
Composing security policies with Polymer. [BibTeX]
Lujo Bauer, Jay Ligatti, and David Walker.
In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 305–314, June 2005. © ACM DOI: 10.1145/1065010.1065047
Distributed proving in access-control systems. [BibTeX]
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
In Proceedings of the 2005 IEEE Symposium on Security & Privacy, pages 81–95, May 2005. © IEEE DOI: 10.1109/SP.2005.9
Enforcing non-safety security policies with program monitors. [BibTeX]
Jay Ligatti, Lujo Bauer, and David Walker.
Technical Report TR-720-05, Princeton University, January 2005.
Edit automata: Enforcement mechanisms for run-time security policies. [BibTeX]
Jay Ligatti, Lujo Bauer, and David Walker.
International Journal of Information Security, 4(1–2):2–16, February 2005. (Published online 26 Oct 2004.) © Springer-Verlag DOI: 10.1007/s10207-004-0046-8
A language and system for composing security policies. [BibTeX]
Lujo Bauer, Jay Ligatti, and David Walker.
Technical Report TR-699-04, Princeton University, January 2004.
Access control for the Web via proof-carrying authorization. [BibTeX]
Lujo Bauer.
Ph.D. Thesis, Princeton University, November 2003.
Types and effects for non-interfering program monitors. [BibTeX]
Lujo Bauer, Jarred Ligatti, and David Walker.
In Software Security—Theories and Systems. Mext-NSF-JSPS International Symposium, ISSS 2002, Tokyo, Japan, November 8-10, 2002, Revised Papers, volume 2609 of Lecture Notes in Computer Science, pages 154–171, 2003. © Springer-Verlag
Mechanisms for secure modular programming in Java. [BibTeX]
Lujo Bauer, Andrew W. Appel, and Edward W. Felten.
Software—Practice and Experience, 33(5):461–480. DOI: 10.1002/spe.516
A general and flexible access-control system for the Web. [BibTeX]
Lujo Bauer, Michael A. Schneider, and Edward W. Felten.
In Proceedings of the 11th USENIX Security Symposium, pages 93–108, August 2002.
A calculus for composing security policies. [BibTeX]
Lujo Bauer, Jarred Ligatti, and David Walker.
Technical Report TR-655-02, Princeton University, August 2002.
More enforceable security policies. [BibTeX]
Lujo Bauer, Jarred Ligatti, and David Walker.
In Foundations of Computer Security, July 2002.
More enforceable security policies. [BibTeX]
Lujo Bauer, Jarred Ligatti, and David Walker.
Technical Report TR-649-02, Princeton University, June 2002.
A proof-carrying authorization system. [BibTeX]
Lujo Bauer, Michael A. Schneider, and Edward W. Felten.
Technical Report TR-638-01, Princeton University, April 2001.
Mechanisms for secure modular programming in Java. [BibTeX]
Lujo Bauer, Andrew W. Appel, and Edward W. Felten.
Technical Report TR-603-99, Princeton University, July 1999.