
Carnegie Mellon CyLab is a bold and visionary effort, which establishes public-private partnerships to develop new technologies for measurable, secure, available, trustworthy and sustainable computing and communications systems. CyLab is a world leader in both technological research and the education of professionals in information assurance, security technology, business and policy, as well as security awareness among cyber-citizens of all ages. Building on more than two decades of Carnegie Mellon leadership in Information Technology, CyLab is a university-wide initiative that involves over fifty faculty and one hundred graduate students from more than six different departments and schools. As a vital resource in the effort to address cyber vulnerabilities that threaten national and economic security, CyLab is closely affiliated with CERT® Coordination Center, a leading, internationally recognized center of internet security expertise.
Submissions from 2013
Warning Design Guidelines (CMU-CyLab-13-002), Lujo Bauer, Cristian Bravo-Lillo, Lorrie Faith Cranor, and Elli Fragkaki
Audit Games (CMU-CyLab-13-004), Jeremiah Blocki, Nicolas Christin, Anupam Datta, Ariel D. Procaccia, and Arunesh Sinha
Privacy as Part of the App Decision-Making Process (CMU-CyLab-13-003), Patrick Gage Kelley, Lorrie Faith Cranor, and Norman Sadeh
Submissions from 2012
Run-Time Enforcement of Information-Flow Properties on Android (CMU-CyLab-12-015), Jassim Aljuraidan, Elli Fragkaki, Lujo Bauer, Limin Jia, Yutaka Miyake, Kazuhide Fukushima, and Shinsaku Kiyomoto
Towards Scalable Evaluation of Mobile Applications through Crowdsourcing and Automation (CMU-CyLab-12-006), Shahriyar Amini, Jialiu Lin, Jason Hong, Janne Lindqvist, and Joy Zhang
Auditing Rational Adversaries to Provably Manage Risks (CMU-CyLab-12-011), Jeremiah Blocki, Nicolas Christin, Anupam Datta, and Arunesh Sinha
Audit Mechanisms for Provable Risk Management and Accountable Data Governance (CMU-CyLab-12-020), Jeremiah Blocki, Nicolas Christin, Anupam Datta, and Arunesh Sinha
Design, Development and Automated Verification of an Integrity-Protected Hypervisor (CMU-CyLab-12-017), Sagar Chaki, Amit Vasudevan, Limin Jia, Jonathan M. McCune, and Anupam Datta
Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace (CMU-CyLab-12-018), Nicolas Christin
Parametric Verification of Address Space Separation (CMU-CyLab-12-001), Jason Franklin, Sagar Chaki, Anupam Datta, Jonathan M. McCune, and Amit Vasudevan
Sanctuary Trail: Refuge from Internet DDoS Entrapment (CMU-CyLab-12-013), Hsu-Chun Hsiao, Tiffany Kim, Sangjae Yoo, Xin Zhang, Soo Bum Lee, Virgil D. Gligor, and Adrian Perrig
Transparent Key Integrity (TKI): A Proposal for a Public-Key Validation Infrastructure (CMU-CyLab-12-016), Tiffany Hyun-Jin Kim, Lin-Shung Huang, Adrian Perrig, Collin Jackson, and Virgil D. Gligor
What Do Online Behavioral Advertising Disclosures Communicate to Users? (CMU-CyLab-12-008), Pedro Giovanni Leon, Justin Cranshaw, Lorrie Faith Cranor, Jim Graves, Manoj Hastak, and Guzi Xu
A Comparative Study of Location-sharing Privacy Preferences in the U.S. and China (CMU-CyLab-12-003), Jialiu Lin, Norman Sadeh, Michael Benisch, Jianwei Niu, Jason Hong, Banghui Lu, and Shaohui Guo
Enforcing More with Less: Formalizing Target-aware Run-time Monitors (CMU-CyLab-12-009), Yannis Mallios, Lujo Bauer, Dilsun Kaynar, and Jay Ligatti
Smart, Useful, Scary, Creepy: Perceptions of Online Behavioral Advertising (CMU-CyLab-12-007), Blase Ur, Pedro Giovanni Leon, Lorrie Faith Cranor, Richard Shay, and Yang Wang
"It’s an app. It’s a hypervisor. It’s a hypapp.": Design and Implementation of an eXtensible and Modular Hypervisor Framework (CMU-CyLab-12-014), Amit Vasudevan, Jonathan M. McCune, and James Newsome
QRishing: The Susceptibility of Smartphone Users to QR Code Phishing Attacks (CMU-CyLab-12-022), Tim Vidas, Emmanuel Owusu, Shuai Wang, Cheng Zen, and Lorrie Faith Cranor
Exploiting Privacy Policy Conflicts in Online Social Networks (CMU-CyLab-12-005), Akira Yamada, Tiffany Hyun-Jin Kim, and Adrian Perrig
Submissions from 2011
Regret Minimizing Audits: A Learning-theoretic Basis for Privacy Protection (CMU-CyLab-11-003), Jeremiah Blocki, Nicolas Christin, Anupam Datta, and Arunesh Sinha
SafeSlinger: An Easy-to-use and Secure Approach for Human Trust Establishment (CMU-CyLab-11-021), Michael W. Farb, Manish Burman, Gurtej Singh Chandok, Jonathan M. McCune, and Adrian Perrig
Modeling and Enhancing Android’s Permission System (CMU-CyLab-11-020), Elli Fragkaki, Lujo Bauer, Limin Jia, and David Swasey
A Logical Method for Policy Enforcement over Evolving Audit Logs (CMU-CyLab-11-002), Deepak Garg, Limin Jia, and Anupam Datta
Towards a Theory of Trust in Networks of Humans and Computers (CMU-CyLab-11-016), Virgil D. Gligor and Jeannette M. Wing
Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms (CMU-CyLab-11-008), Patrick Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez
RelationGrams: Tie-Strength Visualization for User-Controlled Online Identity Authentication (CMU-CyLab-11-014), Tiffany Hyun-Jin Kim, Akira Yamada, Jason Hong, Virgil D. Gligor, and Adrian Perrig
AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements (CMU-CyLab-11-005), Saranga Komanduri, Richard Shay, Greg Norcie, Blase Ur, and Lorrie Faith Cranor
FLoc: Dependable Link Access for Legitimate Traffic in Flooding Attacks (CMU-CyLab-11-019), Soo Bum Lee and Virgil D. Gligor
DefAT: Dependable Connection Setup for Network Capabilities (CMU-CyLab-11-018), Soo Bum Lee, Virgil D. Gligor, and Adrian Perrig
Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioral Advertising (CMU-CyLab-11-017), Pedro Giovanni Leon, Blase Ur, Rebecca Balebako, Lorrie Cranor, Richard Shay, and Yang Wang
A Survey of the Use of Adobe Flash Local Shared Objects to Respawn HTTP Cookies (CMU-CyLab-11-001), Aleecia M. McDonald and Lorrie Faith Cranor
I Know Where You Live: Analyzing Privacy Protection in Public Databases (CMU-CyLab-11-015), Manya Sleeper, Divya Sharma, and Lorrie Faith Cranor
Don’t Bump, Shake on It: The Exploitation of a Popular Accelerometer-Based Smart Phone Exchange and Its Secure Replacement (CMU-CyLab-11-011), Ahren Studer, Timothy Passaro, and Lujo Bauer
Trustworthy Execution on Mobile Devices: What security properties can my mobile platform give me? (CMU-CyLab-11-023), Amit Vasudevan, Emmanuel Owusu, Zongwei Zhou, James Newsome, and Jonathan M. McCune
Who, when, where: Obfuscation preferences in location-sharing applications (CMU-CyLab-11-013), Jayant Venkatanathan, Jialiu Lin, Michael Benisch, Denzil Ferreira, Evangelos Karapanos, Vassilis Kostakos, Eran Toch, and Norman Sadeh
Sweetening Android Lemon Markets: Measuring and Curbing Malware in Application Marketplaces (CMU-CyLab-11-012), Tim Vidas and Nicolas Christin
ShortMAC: Efficient Data-Plane Fault Localization (CMU-CyLab-11-007), Xin Zhang, Zongwei Zhou, Hsu-Chun Hsiao, Tiffany Kim, Patrick Tague, and Adrian Perrig
Submissions from 2010
Caché: Caching Location-Enhanced Content to Improve User Privacy (CMU-CyLab-10-019), Shahriyar Amini, Janne Lindqvist, Jason Hong, Jialiu Lin, Eran Toch, and Norman Sadeh
Efficient Directionless Weakest Preconditions (CMU-CyLab-10-002), David Brumley and Ivan Jager
Dissecting One Click Frauds (CMU-CyLab-10-011), Nicolas Christin, Sally S. Yanagihara, and Keisuke Kamataki
Privacy Policy Specification and Audit in a Fixed-Point Logic - How to enforce HIPAA, GLBA and all that (CMU-CyLab-10-008), Henry DeYoung, Deepak Garg, Limin Jia, Dilsun Kaynar, and Anupam Datta
Logical Specification of the GLBA and HIPAA Privacy Laws (CMU-CyLab-10-007), Henry DeYoung, Deepak Garg, Dilsun Kaynar, and Anupam Datta
Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size (CMU-CyLab-10-005), Jason Franklin, Sagar Chaki, Anupam Datta, and Arvind Seshadri
Compositional System Security in the Presence of Interface-Confined Adversaries (CMU-CyLab-10-004), Deepak Garg, Jason Franklin, Dilsun Kaynar, and Anupam Datta
A Diary Study of Password Usage in Daily Life (CMU-CyLab-10-016), Eiji Hayashi and Jason Hong
SCION: Scalability, Control, and Isolation On Next-Generation Networks (CMU-CyLab-10-020), Hsu-Chun Hsiao, Xin Zhang, Geoff Hasker, Haowen Chan, Adrian Perrig, and David G. Andersen
Are Security Experts Useful? Bayesian Nash Equilibria for Network Security Games with Limited Information (CMU-CyLab-10-010), Benjamin Johnson, Jens Grossklags, Nicolas Christin, and John Chuang
When Are Users Comfortable Sharing Locations with Advertisers? (CMU-CyLab-10-017), Patrick Gage Kelley, Michael Benisch, Lorrie Faith Cranor, and Norman Sadeh
Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach (CMU-CyLab-09-014), Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor
Impact Analysis of BGP Sessions for Prioritization of Maintenance Operations (CMU-CyLab-10-018), Sihyung Lee, Kyriaki Levanti, and Hyong S. Kim
Token Attempt: The Misrepresentation of Website Privacy Policies through the Misuse of P3P Compact Policy Tokens (CMU-CyLab-10-014), Pedro Giovanni Leon, Lorrie Faith Cranor, Aleecia M. McDonald, and Robert McGuire
Ho-Po Key: Leveraging Physical Constraints on Human Motion to Authentically Exchange Information in a Group (CMU-CyLab-11-004), Ghita Mezzour, Ahren Studer, Michael W. Farb, Jason Lee, Jonathan M. McCune, Hsu-Chun Hsiao, and Adrian Perrig
Submissions from 2009
TwitterJacket: An Automated Activity and Health Monitoring Solution for the Elderly (CMU-CyLab-10-003), Shahriyar Amini and Priya Narasimhan
xDomain: Cross-border Proofs of Access (CMU-CyLab-09-005), Lujo Bauer, Limin Jia, Michael K. Reiter, and David Swasey
A Logic of Secure Systems and its Application to Trusted Computing (CMU-CyLab-09-001), Anupam Datta, Jason Franklin, Deepak Garg, and Dilsun Kaynar
When Information Improves Information Security (CMU-CyLab-09-004), Jens Grossklags, Benjamin Johnson, and Nicolas Christin
BitShred: Fast, Scalable Code Reuse Detection in Binary Code (CMU-CyLab-10-006), Jiyong Jang and David Brumley
School of Phish: A Real-World Evaluation of Anti-Phishing Training (CMU-CyLab-09-002), Ponnurangam Kumaraguru, Justin Cranshaw, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, Mary Ann Blair, and Theodore Pham
Understanding People’s Place Naming Preferences in Location Sharing (CMU-CyLab-09-010), Jialiu Lin, Jason Hong, and Norman Sadeh
Access Control for Home Data Sharing: Attitudes, Needs and Practices (CMU-CyLab-09-013, CMU-PDL-09-110), Michelle L. Mazurek, J. P. Arsenault, Joanna Bresee, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter
Efficient TCB Reduction and Attestation (CMU-CyLab-09-003), Jonathan M. McCune, Ning Qu, Yanlin Li, Anupam Datta, Virgil D. Gligor, and Adrian Perrig
An Empirical Study of How People Perceive Online Behavioral Advertising (CMU-CyLab-09-015), Aleecia M. McDonald and Lorrie Faith Cranor
Don’t Talk to Zombies: Mitigating DDoS Attacks via Attestation (CMU-CyLab-09-009), Bryan Parno, Zongwei Zhou, and Adrian Perrig
Help Me Help You: Using Trustworthy Host-Based Information in the Network (CMU-CyLab-09-016), Bryan Parno, Zongwei Zhou, and Adrian Perrig
Effects of Access-Control Policy Conflict-Resolution Methods on Policy-Authoring Usability (CMU-CyLab-09-006), Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea
Lockdown: A Safe and Practical Environment for Security Applications (CMU-CyLab-09-011), Amit Vasudevan, Bryan Parno, Ning Qu, Virgil D. Gligor, and Adrian Perrig
Submissions from 2008
Detecting and Resolving Policy Misconfigurations in Access-Control Systems (CMU-CyLab-08-004), Lujo Bauer, Scott Garriss, and Michael K. Reiter
Would Diversity Really Increase the Robustness of the Routing Infrastructure Against Software Defects?, Juan Caballero, Theocharis Kampouris, Dawn Song, and Jia Wang
Towards Generating High Coverage Vulnerability-based Signatures with Protocol-level Constraint-guided Exploration (CMU-CyLab-08-009), Juan Caballero, Zhenkai Liang, Pongsin Poosankam, and Dawn Song
Automated Verification of Security Protocol Implementations (CMU-CyLab-08-002), Sagar Chaki and Anupam Datta
GAnGS: Gather, Authenticate ’n Group Securely (CMU-CyLab-08-007), Chia-Hsin Chen, Chung-Wei Chen, Cynthia Kuo, Yan-Hao Lai, Jonathan M. McCune, Ahren Studer, Adrian Perrig, Bo-Yin Yang, and Tzong-Chen Wu
Anomaly Detection Amidst Constant Anomalies: Training IDS On Constantly Attacked Data (CMU-CyLab-08-006), M. Patrick Collins and Michael K. Reiter
A Framework for Reasoning About the Human in the Loop, Lorrie F. Cranor
Attacking, Repairing, and Verifying SecVisor: A Retrospective on the Security of a Hypervisor (CMU-CyLab-08-008), Jason Franklin, Arvind Seshadri, Ning Qu, Sagar Chaki, and Anupam Datta
Towards a Theory of Secure Systems (CMU-CyLab-08-003), Deepak Garg, Jason Franklin, Dilsun Kaynar, and Anupam Datta
Influence: A Quantitative Approach for Data Integrity (CMU-CyLab-08-005), James Newsome and Dawn Song
Flexible, Extensible, and Efficient VANET Authentication (CMU-CyLab-08-010), Ahren Studer, Fan Bai, Bhargav Bellur, and Adrian Perrig
TACKing Together Efficient Authentication, Revocation, and Privacy in VANETs (CMU-CyLab-08-011), Ahren Studer, Elaine Shi, Fan Bai, and Adrian Perrig
Submissions from 2007
Countermeasures against Government-Scale Monetary Forgery, Alessandro Acquisti, Nicolas Christin, Bryan Parno, and Adrian Perrig
Comparing Access-Control Technologies: A Study of Keys and Smartphones, Lujo Bauer, Lorrie Faith Cranor, Robert W. Reeder, Michael K. Reiter, and Kami Vaniea
Lessons Learned from the Deployment of a Smartphone-Based Access-Control System, Lujo Bauer, Lorrie F. Cranor, Michael K. Reiter, and Kami Vaniea
Rosetta: Extracting Protocol Semantics using Binary Analysis with Applications to Protocol Replay and NAT Rewriting, Juan Caballero and Dawn Song
MetaMorphMagi: From Offline to Online Software Upgrades in Large-Scale IT Infrastructures, Tudor Dumitras, Jiaqi Tan, and Priya Narasimhan
Remote Detection of Virtual Machine Monitors with Fuzzy Benchmarking, Jason Franklin, Mark Luk, Jonathan M. McCune, Arvind Seshadri, Adrian Perrig, and Leendert van Doorn
PRISM: Enabling Personal Verification of Code Integrity, Untampered Execution, and Trusted I/O on Legacy Systems or Human-Verifiable Code Execution, Jason Franklin, Mark Luk, Arvind Seshadri, and Adrian Perrig
Mental Trapdoors for User Authentication on Small Mobile Devices, Eiji Hayashi, Nicolas Christin, Rachna Dhamija, and Adrian Perrig
Distributed Evasive Scan Techniques and Countermeasures, Min G. Kang, Juan Caballero, and Dawn Song
Castor: Secure Code Updates using Symmetric Cryptosystems, Donnie H. Kim, Rajeev Gandhi, and Priya Narasimhan
Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System, Ponnurangam Kumaraguru, Yong Rhee, Alessandro Acquisti, Lorrie Faith Cranor, Jason Hong, and Elizabeth Nunge
Teaching Johnny Not to Fall for Phish, Ponnurangam Kumaraguru, Steve Sheng, Alessandro Acquisti, Lorrie Faith Cranor, and Jason Hong
Tradeoffs in Configuring Secure Data Dissemination in Sensor Networks: An Empirical Outlook, Patrick E. Lanigan, Priya Narasimhan, and Rajeev Gandhi
NetPiler: Reducing Network Configuration Complexity through Policy Classification, Sihyung Lee, Tina Wong, and Hyong S. Kim
An Execution Infrastructure for TCB Minimization, Jonathan M. McCune, Bryan Parno, Adrian Perrig, Michael K. Reiter, and Hiroshi Isozaki
SNAPP: Stateless Network-Authenticated Path Pinning, Bryan Parno, Adrian Perrig, and David G. Andersen
Traffic Aggregation for Malware Detection, Michael K. Reiter and Ting-Fang Yen
HookFinder: Identifying and Understanding Malware Hooking Behaviors, Heng Yin, Zhenkai Liang, and Dawn Song
Bounding Packet Dropping and Injection Attacks in Sensor Networks, Xin Zhang, Haowen Chan, Abhishek Jain, and Adrian Perrig
Availability-Oriented Path Selection in Multi-Path Routing, Xin Zhang, Adrian Perrig, and Hui Zhang
Submissions from 2006
Consumable Credentials in Logic-Based Access Control, Lujo Bauer, Kevin D. Bowers, Frank Pfenning, and Michael K. Reiter
Efficient Proving for Distributed Access-Control Systems, Lujo Bauer, Scott Garriss, and Michael K. Reiter
