We have been working hard on research involving the use of implicit learning of motor tasks for authentication purposes. This work was extensively featured in the media in the summer of 2012.
USENIX Security 2012 paper on designing security primitives resistant to user coercion (a.k.a. "rubber hose cryptanalysis").
I have been increasingly interested in user behaviors at the intersection of security, wireless computing, and the web. In particular, Android has been an excellent, open platform for experimentation.
Android Open 2011 slides about 3LM's end-to-end Enterprise Android solution
USENIX 2011 paper about an Android web server designed with security in mind; a continuation of our earlier embedded web interface security project
WISEC 2011 paper about Address Space Layout Randomization (ASLR) for mobile devices which requires no kernel changes in the system; in addition, we discuss Crash Stack Analysis: a novel technique for centrally identifying ASLR brute-forcing attacks
HOTMOBILE 2011 paper and slides about MagKey and MicKey: experimental hardware authentication tokens using a smartphone's compass and microphone as receivers; the main advantages of the design are low cost (less than $1 per token) and low power consumption, as well as broad applicability to existing smartphones
CSET 2010 paper about Webseclab, a web security education tool I helped create
ESORICS 2010 paper about designing loss-resistant password managers; the high-order bit: it is hard to make security work around irrational human beings; the original publication will appear in the conference proceedings, at www.springerlink.com
Web servers are getting embedded in electronic appliances of all kinds: from home routers, to picture frames and IP phones. Usually the goal is to provide a familiar management interface for the devices; security is typically an afterthought. In recent work we have evaluated the security of web interfaces exposed by a broad range of consumer and enterprise hardware.
CCS 2009 paper and slides about XCS vulnerabilities and SiteFirewall, a Firefox extension that prevents XCS attacks from running to completion (this work was also featured in "Communications of the ACM", August 2010, Vol.53, No.8)
BlackHat USA 2009 briefing on Embedded Management Interfaces
Article about our embedded web interface work, on The Register
With the rapid growth of Internet use for privacy-sensitive applications (banking, healthcare, travel), it is becoming clear that securing people's online presence is an area of high potential: for academic contribution as well as business ventures. The technical problems that need a solution are never-ending, yet the main hurdle is human nature: people only want computer security if it comes for free and doesn't cause any inconvenience.
Stanford Applied Crypto Group's website
We are now in the second stage of standardization in data-at-rest encryption: key management. IEEE P1619.3 is the standard which will define common functionality and a protocol for communication between encrypting endpoints and key managers from multiple vendors. Vendors perceive key management to be the next level of value-add for storage encryption, and are clamoring to offer products that embody that value.
Network Appliance completed the acquisition of Decru in August. This adds further credibility to our claim that securing data at rest is a market about to grow explosively. Your terabytes of confidential data are most vulnerable where they spend most of the time (at rest: on disk, or backup media), and encryption is the obvious solution to this problem.
Storage security appliances are hot. Twenty years ago people started connecting their machines to the Internet. Ten years ago they started installing firewalls in order to guard the perimeter of their networks. Now, they are realizing that perimeter defense is inadequate. The solution is to encrypt your data in storage and render it unattractive to intruders and malicious insiders.
Modular, reconfigurable robots are an interesting topic, and an active field of research. There is a lot of published work on control algorithms now, so the main problem at this point seems to be the physical implementation. It is important to make the modules very small. What seems to be rather hard is fitting a good power supply in a small package, and at the same time keeping the weight down so that the actuators can be quick and efficient. Insects seem to be a great example of being light and efficient, however they don't exactly do the things we want them to do (like finding lost people in forests, guiding rescue teams into a collapsed building, etc.). So maybe it is possible to grow insects with a modified "brain" that will do stuff that we want them to do.
ICMAS 2000 paper: "Multi-agent Control of Emergent Behaviors"
ICRA 2000 paper: "Emergent Structures in Modular Self-reconfigurable Robots"
©1992-2012 Hristo Bojinov. Contact: hristo-at-bojinov-dot-org. This address is subject to change.