D. Richard Kuhn (Fed)

Computer Scientist

Biographical Information

Rick Kuhn is a computer scientist in the Computer Security Division at NIST, and is a Fellow of the Institute of Electrical and Electronics Engineers (IEEE). His research focuses on combinatorial methods in software verification and testing (csrc.nist.gov/acts), and extending these methods for assurance and explainability in AI and machine learning. He has authored three books and more than 150 conference or journal publications on information security, empirical studies of software failure, and software assurance. He co-developed the role based access control model (RBAC) used worldwide and led the effort that established RBAC as an ANSI standard. Before joining NIST, he worked as a software developer with NCR Corporation and the Johns Hopkins University Applied Physics Laboratory. He received an MS in computer science from the University of Maryland College Park.

All publications (Google Scholar)

Current professional activities and awards

  • Fellow of the Institute of Electrical and Electronics Engineers (IEEE)
  • Member Association for Computing Machinery (ACM)
  • Associate editor, IEEE Computer and IEEE Transactions on Reliability
  • Past editorial board member and department editor, IEEE Security & Privacy, IEEE IT Professional
  • IEEE Reliability Society lifetime achievement award, for combinatorial test methods
  • IEEE Innovation in Societal Infrastructure Award, for role based access control
  • ACSAC 'Test of Time' paper award for 'Role Based Access Control: Features and Motivations' (with D. Ferraiolo and J. Cugini), Annual Computer Security Applications Conference, 2019
  • Best poster, Hot Topics in Science of Security, 2018, "What Proportion of Vulnerabilities can be Attributed to Ordinary Coding Errors?" (with Mohammad Raunak and Raghu Kacker)
  • Silver medal award for scientific/engineering achievement, U.S. Dept. of Commerce, 2014, for contributions to combinatorial test methods
  • Excellence in Technology Transfer Award, 2009, Federal Laboratory Consortium Mid-Atlantic Region, for methods and tools for combinatorial testing
  • Best Standards Contribution, NIST/ITL, 2008
  • Best Journal Paper Award, NIST/ITL, 2007
  • Outstanding Authorship Award, NIST/ITL, 2003
  • Gold medal award for scientific/engineering achievement, U.S. Dept. of Commerce, 2002, for co-development of role based access control (RBAC)
  • Excellence in Technology Transfer Award, 1998, Federal Laboratory Consortium, for co-development of role based access control (RBAC)
  • Bronze Medal, NIST/U.S. Dept. of Commerce, 1990, for contributions to IEEE POSIX standard and conformance test suite co-development
  • Member, Eta Kappa Nu honor society
  • Member, Beta Gamma Sigma honor society

PROJECTS

Automated Combinatorial Testing for Software 

Combinatorial or t-way testing is a proven method for more effective testing at lower cost, and one of the few practical approaches for assurance in AI and machine learning, especially for autonomous systems, where many conventional methods cannot be used.  

Enhanced Distributed Ledger Technology 

Although blockchain has found many applications outside of cryptocurrency, many of its features are not well suited to common data management applications. This project has developed an alternative approach to providing the integrity protection of blockchains, with the ability to modify or delete blocks, making it possible to meet the requirements of privacy regulations such as GDPR. 

Patents

  • "Implementation of Role Based Access Control in Multi-level Secure Systems", U.S. Patent #6,023,765.
  • "Oracle-free Match Testing of a Program Using Covering Arrays and Equivalence Classes", U.S. Patent #10,552,300. 
  • U.S. Provisional Patent Application #62/842,616 “Data Block Matrix” (blockchain/DLT allowing block edits, to enable privacy requirements such as GDPR)

Past Professional Activities

  • Past member of DARPA High Confidence Systems Working Group, IEEE Technical Committee on Operating Systems POSIX 1003.1, 1003.2 and 1201.2 working groups;
  • Past projects: development of software tools and conformance test suites; methods for analyzing changes in formal specifications; verification of cryptographic protocols; and the first formal definition of role based access control; IEEE POSIX working groups and developing parts of the POSIX Conformance Test Suite for IEEE 1003.1; and definition of software assurance requirements for FIPS 140-1 (Security Requirements for Cryptographic Modules).

Significant papers (or at least ones that seem to get a lot of attention):

  • D.R. Kuhn, D.R. Wallace, A.M. Gallo, Jr., "Software Fault Interactions and Implications for Software Testing", IEEE Transactions on Software Engineering, vol. 30, no. 6, June 2004, pp. 418-421.
    DOI: 10.1109/TSE.2004.24 - investigates the number of interactions required to trigger failures in various types of systems; basis for our combinatorial testing project.
  • D.R. Kuhn, "Fault Classes and Error Detection Capability of Specification Based Testing", ACM Transactions on Software Engineering and Methodology, Vol. 8, No. 4 (October, 1999) - demonstrates the existence of a hierarchy of fault classes that may be used to generate tests more efficiently. Others have extended the hierarchy based on more types of faults.
  • D. Ferraiolo and D.R. Kuhn, "Role Based Access Controls", Proceedings, 15th Natl. Computer Security Conference, 1992, pp. 554–563 - the early paper on role based access control; includes basic formal definition. This was unified with Sandhu et al. (1996) to create the standard model for RBAC (more on RBAC project site).

    Publications

    Combinatorial Testing Metrics for Machine Learning

    Author(s)
    Erin Lanus, Laura Freeman, D. Richard Kuhn, Raghu N. Kacker
    This short paper defines a combinatorial coverage metric for comparing machine learning (ML) data sets and proposes the differences between data sets as a

    Combinatorial Methods for Explainable AI

    Author(s)
    David R. Kuhn, Raghu N. Kacker, Yu Lei, Dimitris Simos
    This paper introduces an approach to producing explanations or justifications of decisions made by artificial intelligence and machine learning (AI/ML) systems

    Patents

    Data Block Matrix

    NIST Inventors
    D. Richard Kuhn
    Publication Description: This invention is a data structure, which can be referred to as a block matrix, that supports the ongoing addition of hash-linked records while also allowing the deletion of arbitrary records, preserving hash-based integrity assurance that other blocks are unchanged. The

    Oracle-Free Match Testing of a Program Using Covering Arrays and Equivalence Classes

    NIST Inventors
    D. Richard Kuhn and Raghu N Kacker
    Patent Description: This is a method and software for testing computer software. The method applies to a broad range of software but is particularly applicable to software with complex conditions and decisions, e.g., process control, avionics, and other areas. This method also verifies equivalence
    Created October 9, 2019, Updated August 16, 2021