
D. Richard Kuhn

Computer Scientist

Biographical Information

Rick Kuhn is a computer scientist in the Computer Security Division at NIST, and is a Fellow of the Institute of Electrical and Electronics Engineers (IEEE). He has authored three books and more than 150 conference or journal publications on information security, empirical studies of software failure, and software assurance. He co-developed the role based access control (RBAC) model used throughout industry and led the effort that established RBAC as an ANSI standard. Previously he served as Program Manager for the Committee on Applications and Technology of the President's Information Infrastructure Task Force (1994-1995) and as manager of the Software Quality Group (1996-1999) at NIST. Before joining NIST in 1984, he worked as a software developer with NCR Corporation and the Johns Hopkins University Applied Physics Laboratory. He received an MS in computer science from the University of Maryland College Park, and an MBA from William & Mary.

All publications (at Google Scholar)

Significant papers (or at least ones that seem to get a lot of attention):
  • D.R. Kuhn, D.R. Wallace, A.M. Gallo, Jr., "Software Fault Interactions and Implications for Software Testing", IEEE Transactions on Software Engineering, vol. 30, no. 6, June 2004, pp. 418-421. DOI: 10.1109/TSE.2004.24 - investigates the number of interacting factors required to trigger failures in various types of systems; basis for our combinatorial testing project.
  • D.R. Kuhn, "Fault Classes and Error Detection Capability of Specification Based Testing", ACM Transactions on Software Engineering and Methodology, vol. 8, no. 4, October 1999 - demonstrates the existence of a hierarchy of fault classes that may be used to generate tests more efficiently. Others have extended the hierarchy to cover more types of faults.
  • D. Ferraiolo and D.R. Kuhn, "Role Based Access Controls", Proceedings, 15th National Computer Security Conference, 1992, pp. 554-563 - the early paper on role based access control; includes a basic formal definition. This was unified with Sandhu et al. (1996) to create the standard model for RBAC (more on the RBAC project site).

Professional activities

  • Fellow, Institute of Electrical and Electronics Engineers (IEEE)
  • Member, Association for Computing Machinery (ACM)
  • Co-editor, Resilient Security department, IEEE Security & Privacy
  • Co-editor, Securing IT department, IEEE IT Professional
  • Patents: "Implementation of Role Based Access Control in Multi-level Secure Systems", U.S. Patent #6,023,765;
    "Oracle-free Match Testing of a Program Using Covering Arrays and Equivalence Classes" (pending);
    U.S. Provisional Patent Application #62/842,616, "Data Block Matrix" (blockchain/DLT allowing block edits, to enable privacy requirements such as GDPR)
  • Past member of the DARPA High Confidence Systems Working Group and of the IEEE Technical Committee on Operating Systems POSIX 1003.1, 1003.2 and 1201.2 working groups
  • Past projects: development of software tools and conformance test suites; methods for analyzing changes in formal specifications; verification of cryptographic protocols; the first formal definition of role based access control; IEEE POSIX working groups and development of parts of the POSIX Conformance Test Suite for IEEE 1003.1; and definition of software assurance requirements for FIPS 140-1 (Security Requirements for Cryptographic Modules).

Awards

  • IEEE Innovation in Societal Infrastructure Award, Institute of Electrical and Electronics Engineers, 2018 (for role based access control)
  • Best poster, Hot Topics in Science of Security, 2018, "What Proportion of Vulnerabilities can be Attributed to Ordinary Coding Errors?" (with Mohammad Raunak and Raghu Kacker)
  • IEEE Fellow (for contributions to access control and combinatorial test methods)
  • Silver Medal Award for scientific/engineering achievement, U.S. Dept. of Commerce, 2014
  • Excellence in Technology Transfer Award, Federal Laboratory Consortium Mid-Atlantic, 2009
  • Best Standards Contribution, NIST/ITL, 2008
  • Best Journal Paper Award, NIST/ITL, 2007
  • Outstanding Authorship Award, NIST/ITL, 2003
  • Gold Medal Award for scientific/engineering achievement, U.S. Dept. of Commerce, 2002
  • Excellence in Technology Transfer Award, Federal Laboratory Consortium, 1998
  • Bronze Medal, U.S. Dept. of Commerce, 1990
  • Member, Beta Gamma Sigma honorary

Publications

Attribute Considerations for Access Control Systems

Author(s)
Chung Tong Hu, David F. Ferraiolo, David R. Kuhn
Attribute-based access control systems rely upon attributes to not only define access control policy rules but also enforce the access control. Attributes need

Browser Fingerprinting using Combinatorial Sequence Testing

Author(s)
Bernhard Garn, Dimitris Simos, Stefan Zimmer, David R. Kuhn, Raghu N. Kacker
In this paper, we propose an approach for browser fingerprinting using their behavior during the TLS 1.2 handshake with a server. Using combinatorial methods,

Rethinking Distributed Ledger Technology

Author(s)
David R. Kuhn, Dylan J. Yaga, Jeffrey M. Voas
Blockchains were designed to solve the problem of double-spending in cryptocurrencies, and the success of the Bitcoin design has generated vastly more interest
Created October 9, 2019