- D.R. Kuhn, H. Rossman, S. Liu, "Introducing Insecure IT", IEEE IT Professional, vol. 11, no. 1 (Jan/Feb 2009), pp. 24-26. - introductory column for the "Insecure IT" department in IT Pro.
- S. Liu, D.R. Kuhn, H. Rossman, "Surviving Insecure IT: Effective Patch Management", IEEE IT Professional, vol. 11, no. 2 (Mar/Apr 2009), pp. 49-51.
- S. Liu, D.R. Kuhn, H. Rossman, "Understanding Insecure IT: Practical Risk Assessment", IEEE IT Professional, vol. 11, no. 3 (May/Jun 2009), pp. 49-51.
- V. Hu, D.R. Kuhn, T. Xie, "Property Verification for Generic Access Control Models", IEEE/IFIP International Symposium on Trust, Security, and Privacy for Pervasive Applications, Shanghai, China, Dec. 17-20, 2008. - a method of using combinatorial testing with model checking to verify access control properties.
- D.R. Kuhn, Y. Lei, R. Kacker, "Practical Combinatorial Testing - Beyond Pairwise", IEEE IT Professional, June 2008. An overview and introduction to combinatorial testing.
- D.Ferraiolo, D.R. Kuhn, V. Hu, "Authentication, Authorization, Access Control, and Privilege Management", Wiley Handbook of Science and Technology for Homeland Security, 2008.
- D.R. Kuhn, R. Kacker, Y. Lei, "Automated Combinatorial Test Methods", Crosstalk, Journal of Defense Software Engineering, June 2008 - a tutorial on integrating combinatorial testing with model checking to automate test case generation.
- M. Forbes, J. Lawrence, Y. Lei, R.N. Kacker, and D.R. Kuhn "Refining the In-Parameter-Order Strategy for Constructing Covering Arrays", NIST Journal of Research, Vol. 113, No. 5 (Sept/Oct 2008), pp. 287 - 297.
- D.F. Ferraiolo, R. Kuhn, R. Sandhu, "RBAC Standard Rationale: Comments on 'A Critique of the ANSI Standard on Role Based Access Control'", IEEE Security & Privacy, vol. 5, no. 6 (Nov/Dec 2007).
- D.R. Kuhn, "Feature Interactions and Data Privacy," Workshop on Data Confidentiality, Sept 6-7, 2007, Arlington, VA.
- Y. Lei, R. Kacker, D.R. Kuhn, V. Okun, J. Lawrence, "IPOG - a General Strategy for t-way Testing," IEEE Engineering of Computer Based Systems Conference, 2007.
- Y. Lei, R. Kacker, D. Kuhn, V. Okun, J. Lawrence, "IPOG/IPOD: Efficient Test Generation for Multi-Way Software Testing," accepted for publication in Journal of Software Testing, Verification, and Reliability, vol. 18, pp. 125-148, DOI: 10.1002/stvr.381.
- D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli, Role Based Access Control, 2nd edition (book), Artech House, January 2007.
- V. Hu, D.R. Kuhn, D.F. Ferraiolo, "The Computational Complexity of Enforceability Validation for Generic Access Control Rules", IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC2006).
- K. Sriram, D. Montgomery, O. Kim, O. Borchert, D. R. Kuhn, "Autonomous System Isolation under BGP Session Attacks with RFD Exploitation", IEEE JSAC special issue on High-Speed Network Security, 2006.
- D. R. Kuhn, V. Okun, "Pseudo-exhaustive Testing For Software", 30th NASA/IEEE Software Engineering Workshop, April 25-27, 2006. Describes a proof of concept study of generating combinatorial tests (through 6-way) using model checking.
- D.R. Kuhn, "A Quantum Cryptographic Protocol with Detection of Compromised Server", Journal of Quantum Information and Computing, vol. 5, no. 7, 2005 (revised and extended version of quant-ph/0311085).
- D.F. Ferraiolo, S. Gavrila, V. Hu, D.R. Kuhn, "Composing and Combining Policies Under the Policy Machine", Proc. SACMAT 2005, ACM.
- D.R. Kuhn, "A Quantum Cryptographic Protocol with Detection of Compromised Server", quant-ph/0311085, Nov. 14, 2003.
- D.R. Kuhn, "Vulnerabilities in Quantum Key Distribution Protocols" - cryptanalysis of some recently proposed quantum cryptographic protocols. quant-ph/0305076, May 14, 2003.
- D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli, Role Based Access Control (book), Artech House, 2003.
- D.R. Kuhn, "A Hybrid Authentication Protocol Using Quantum Entanglement and Symmetric Cryptography" - a hybrid cryptographic protocol, using quantum and classical resources, for authentication and authorization in a network. quant-ph/0301150, January 28, 2003.
- P.E. Black, D.R. Kuhn, C.J. Williams, "Quantum Computing and Communication", Advances in Computers, Vol. 56, 2002 - an introduction to applications of quantum mechanics in computing, cryptography, and communications.
- D. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn, R. Chandramouli, "A Proposed Standard for Role Based Access Control," ACM Transactions on Information and System Security, vol. 4, no. 3 (August 2001) - draft of a consensus standard for RBAC.
- D.F. Ferraiolo, J.F. Barkley, D.R. Kuhn, "A Role Based Access Control Model and Reference Implementation within a Corporate Intranet," ACM Transactions on Information and System Security, Vol. 2, No. 1 (February 1999) - defines the NIST RBAC model, details theoretical results, and describes implementation concerns.
- D.R. Kuhn, "Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role Based Access Control Systems," Second ACM Workshop on Role Based Access Control, 1997 - presents a number of results on separation of duty through mutual exclusion of roles, including theorems on necessary and sufficient conditions to ensure separation safety.
- T. Phillips, T. Karygiannis, R. Kuhn, "Security Standards for the RFID Market", IEEE Security & Privacy, vol. 3, no. 6, Nov/Dec, 2005.
- T.J. Walsh, D.R. Kuhn, "Challenges in Securing Voice Over IP", IEEE Security & Privacy, vol. 3, no. 3, May/June, 2005.
- D.R. Kuhn, D.R. Wallace, A.J. Gallo, Jr., "Software Fault Interactions and Implications for Software Testing", IEEE Trans. on Software Engineering, vol. 30, no. 6, June 2004 - empirical study of failures in a variety of domains showing that all failures found were triggered by 2- through 6-way interactions.
- D.R. Kuhn, D. Craigen, M. Saaltink, "Practical Application of Formal Methods in Modeling and Simulation" (invited), Summer Simulation Conference '03, July 20-24, 2003.
- D.R. Kuhn, M.J. Reilly, "An Investigation of the Applicability of Design of Experiments to Software Testing", 27th NASA/IEEE Software Engineering Workshop, NASA Goddard Space Flight Center, 4-6 December 2002 - looks at the suitability of combinatorial testing for browser and server applications.
- D.R. Kuhn, R. Chandramouli, R.W. Butler, "Cost Effective Uses of Formal Methods in V&V" (invited), Foundations '02 Workshop, US Dept of Defense, Laurel MD, October 22-23, 2002.
- D.R. Wallace, D.R. Kuhn, "Failure Modes in Medical Device Software: an Analysis of 15 Years of Recall Data," International Journal of Reliability, Quality, and Safety Engineering, Vol. 8, No. 4, 2001 - categorizes the failures by their symptoms and faults, and discusses methods of preventing and detecting faults in each category.
- R. Sandhu, D. Ferraiolo, R. Kuhn, "The NIST Model for Role Based Access Control: Towards a Unified Standard," Proceedings, 5th ACM Workshop on Role Based Access Control, July 26-27, 2000 - first public draft of a proposal for an RBAC standard.
- D.R. Kuhn, "Fault Classes and Error Detection Capability of Specification Based Testing," ACM Transactions on Software Engineering and Methodology, Vol. 8, No. 4 (October 1999) - demonstrates the existence of a hierarchy of fault classes that may be used to generate tests more efficiently.
- D.R. Kuhn, C. Dabrowski, T. Rhodes, "Software Standards," (invited) Encyclopedia of Electrical and Electronics Engineering, John Wiley & Sons, 1999 - describes software standards and how to use them effectively in systems development.
- S.A. Wakid, D.R. Kuhn, D.R. Wallace, "Toward Credible IT Testing and Certification", IEEE Software, Vol. 16, No. 4 (July 1999) - discusses cost-effective processes for software testing and certification by government and other certification organizations.
- D.R. Kuhn, "Role Based Access Control on MLS Systems Without Kernel Changes," Third ACM Workshop on Role Based Access Control, October 22-23, 1998 - a novel combinatorial algorithm mapping hierarchical role structures to categories on MLS systems implementing mandatory access control, making it possible to implement RBAC structures without modifying the OS kernel.
- J.F. Barkley, D.R. Kuhn, L.S. Rosenthal, M.W. Skall, A.V. Cincotta, "Role Based Access Control for the Web," CALS Expo International and 21st Century Commerce 1998: Global Business Solutions for the New Millennium.
- D.R. Kuhn, "Sources of Failure in the Public Switched Telephone Network," IEEE Computer, Vol. 30, No. 4 (April 1997) - examines causes of failure in the US public switched telephone network, providing quantitative measures of the effect of each failure source on system dependability.
- D.R. Kuhn, "Evolving Directions in Formal Methods" (invited), Proceedings, COMPASS '97, IEEE Computer Society Press, 1997.
- J.F. Barkley, A. Cincotta, D.F. Ferraiolo, S. Gavrila, and D.R. Kuhn, "Role Based Access Control for the World Wide Web", National Information Systems Security Conference, October 1997.
- D.F. Ferraiolo and D.R. Kuhn, "Future Directions in Role Based Access Control," (invited) Proceedings, First ACM Workshop on Role Based Access Control, ACM, 1996 - discusses new roles for RBAC (pun intended).
- D. Ferraiolo, J. Cugini, R. Kuhn, "Role Based Access Control: Features and Motivations," Proceedings, Annual Computer Security Applications Conference, IEEE Computer Society Press, 1995 - elaborates the 1992 RBAC model to a level of detail suitable for building directly into an application.
- D.R. Kuhn, W.J. Majurski, W. McCoy, F. Schulz, "Open Systems Software Standards in Concurrent Engineering," (invited) in Control and Dynamic Systems - Concurrent Engineering Techniques and Applications, C.T. Leondes, ed., Academic Press, 1994 - discusses open system standards and how they apply to concurrent engineering.
- D.R. Wallace, D.R. Kuhn, L.M. Ippolito, and L. Beltracchi, "Standards for High Integrity Software," Nuclear Safety, Vol. 35, No. 1 (Jan-June 1994) - compares assurance methods required by various standards for safety critical systems and secure systems.
- D.R. Kuhn, P.N. Edfors, V. Howard, C. Caputo, T. Phillips, "Improving Public Switched Network Security in an Open Environment," (invited) IEEE Computer, Vol. 26, No. 8 (August 1993) - describes some government efforts to improve the security of the US public switched telephone network.
- D.R. Kuhn, "A Technique for Analyzing the Effects of Changes in Formal Specifications," British Computer Society Computer Journal, Vol. 35, No. 6 (December 1992) - a mathematical technique (extending the Boolean difference method) to determine the conditions under which a change to a variable in a predicate calculus expression will change the value of the expression; includes a theorem on the relationship between Boolean difference and predicate difference.
- D. Ferraiolo and D.R. Kuhn, "Role Based Access Controls," Proceedings, 15th Natl. Computer Security Conference, 1992, pp. 554-563 - the early paper on role based access control; includes basic formal definition.
- D.R. Kuhn, "Predicate Differences and the Analysis of Dependencies in Formal Specifications," Proceedings, 14th Natl. Computer Security Conference, 1991 - describes predicate differences, an extension of Boolean differences, and shows how they can be used to determine dependencies among parts of a specification, with application to security.
- D.R. Kuhn, "IEEE's POSIX", IEEE Spectrum, Vol. 28, No. 12 (December 1991) - explains the IEEE POSIX open system standards and how they can help make a component based software industry economically feasible.
- D.R. Kuhn and J.F. Dray, "Formal Specification and Verification of Control Software for Cryptographic Equipment," Proceedings, Annual Computer Security Applications Conference, IEEE Computer Society Press, 1990 - design verification of software and a cryptographic protocol in a smart-card system.
- D.R. Kuhn, "On the Effective Use of Software Standards in Systems Integration", Proceedings, First Intl. Conference on Systems Integration, IEEE Computer Society Press, 1990 - explains open system standards and how they can be effectively applied to the problem of systems integration.
- D.R. Kuhn, "Generating Extended State Transitions from Structured Specifications for Process Control Systems," IEE/BCS Software Engineering Journal, Vol. 4, No. 5 (September 1989) - describes a translation tool that converts specifications written in an imperative language to a state machine representation for use with a robotic control system.
- D.R. Kuhn, "Static Analysis Tools for Software Security Certification," Proceedings, 11th National Computer Security Conference, NSA/NBS, 1988.
Presentations (Powerpoint - .ppt):
Rick Kuhn is a computer scientist in the Computer Security Division of the National Institute of Standards and Technology. His primary technical interests are in information security, empirical studies of software failure, and software assurance, currently focusing on combinatorial testing. He co-developed (with David Ferraiolo) the role based access control model (RBAC) used throughout industry and led the effort to establish RBAC as an ANSI standard. From 1994 to 1995, he served as Program Manager for the Committee on Applications and Technology of the President's Information Infrastructure Task Force and from 1996 to 1999 as manager of the Software Quality Group at NIST. Before joining NIST in 1984, he worked as a systems analyst with NCR Corporation and the Johns Hopkins University Applied Physics Laboratory. He received an MS in computer science from the University of Maryland College Park, and a BA and MBA from William and Mary.
Project Leader, Computer Scientist
Computer Security Division
Systems and Emerging Technologies Security Research Group
- MS, Computer Science, University of Maryland, College Park.
- BA and MBA, William and Mary