Search Publications by: D. Richard Kuhn (Assoc)

Displaying 126 - 150 of 196

Vetting Mobile Apps

July 22, 2011
Author(s)
Stephen Quirolgico, Jeffrey M. Voas, David R. Kuhn
Billions of copies of apps for mobile devices have been purchased in recent years. With this growth, however, comes an increase in the spread of potentially dangerous security vulnerabilities. Because of an app's low cost and high proliferation, the threat

A Combinatorial Approach to Detecting Buffer Overflow Vulnerabilities

June 14, 2011
Author(s)
Raghu N. Kacker, Yu Lei, David R. Kuhn, Wenhua Wang
Buffer overflow vulnerabilities are program defects that can cause a buffer overflow to occur at runtime. Many security attacks exploit buffer overflow vulnerabilities to compromise critical data structures. In this paper, we present a black-box testing

A Survey of Binary Covering Arrays

April 7, 2011
Author(s)
James F. Lawrence, Raghu N. Kacker, Yu Lei, David R. Kuhn, Michael Forbes
Two-valued covering arrays of strength t are 0-1 matrices having the property that for each t columns and each of the possible 2^t sequences of t 0's and 1's, there exists a row having that sequence in that set of t columns. Covering arrays are an

Model Checking for Verification of Mandatory Access Control Models and Properties

February 28, 2011
Author(s)
Chung Tong Hu, David R. Kuhn, Tao Xie, J Hwang
Mandatory access control (MAC) mechanisms control which users or processes have access to which resources in a system. MAC policies are increasingly specified to facilitate managing and maintaining access control. However, the correct specification of the

Managing Security: The Security Content Automation Protocol

February 4, 2011
Author(s)
Shirley M. Radack, D. Richard Kuhn
Managing information systems security is an expensive and challenging task. Many different and complex software components, including firmware, operating systems, and applications, must be configured securely, patched when needed, and continuously monitored

An Application of Combinatorial Methods to Conformance Testing for Document Object Model Events

November 1, 2010
Author(s)
Carmelo Montanez-Rivera, D. Richard Kuhn, Mary C. Brady, Richard M. Rivello, Jenise Reyes Rodriguez, Michael K. Powers
This report describes the use of combinatorial test methods to reduce the cost of testing for the Document Object Model Events standard while maintaining an equivalent level of assurance. More than 36,000 tests - all possible combinations of equivalence

Practical Combinatorial Testing

October 7, 2010
Author(s)
David R. Kuhn, Raghu N. Kacker, Yu Lei
Combinatorial testing can help detect problems like this early in the testing life cycle. The key insight underlying t-way combinatorial testing is that not every parameter contributes to every fault and most faults are caused by interactions between a

Introduction: Cybersecurity

August 31, 2010
Author(s)
David R. Kuhn
Enterprise security, often considered a burden for system administrators and users alike, is one of the most rapidly evolving areas of IT. The articles in this issue can help IT professionals who want to be intelligent providers or consumers of secure

Vulnerability Trends: Measuring Progress

July 19, 2010
Author(s)
David R. Kuhn, Christopher S. Johnson
What is the state of security engineering today? Are we as an industry making progress? What are prospects for the future? To address these questions we analyze data from the National Vulnerability Database (NVD).

Adding Attributes to Role Based Access Control

June 1, 2010
Author(s)
David R. Kuhn, Edward Coyne, Timothy Weil
Role based access control (RBAC) is a popular model for information security. It helps reduce the complexity of security administration and supports the review of permissions assigned to users, a feature critical to organizations that must determine their

Data Loss Prevention

March 29, 2010
Author(s)
Simon Liu, D. Richard Kuhn
In today's digital economy, data enters and leaves enterprises' cyberspace at record rates. For a typical enterprise, millions of emails are sent and received and thousands of files are downloaded, saved or transferred via various channels or devices on a

Practical Interdomain Routing Security

November 20, 2009
Author(s)
David R. Kuhn, Simon Liu, Hart Rossman
This article reviews risks and vulnerabilities in interdomain routing, and best practices that can have near-term benefits for routing security. It includes examples of routing failures and common attacks on routers, and countermeasures to reduce router

A Combinatorial Approach to Building Navigation Graphs for Dynamic Web Applications

September 20, 2009
Author(s)
Raghu N. Kacker, David R. Kuhn, James F. Lawrence, Wenhua Wang, Yu Lei, Sreedevi Sampath
Modeling the navigation structure of a dynamic web application is a challenging task because of the presence of dynamic pages. In particular, there are two problems to be dealt with: (1) the page explosion problem, i.e., the number of dynamic pages may be

Combinatorial Software Testing

August 7, 2009
Author(s)
David R. Kuhn, Raghu N. Kacker, Yu Lei, Justin Hunter
Developers of large data-intensive software often notice an interesting - though not surprising - phenomenon: when usage of an application jumps dramatically, components that have operated for months without trouble suddenly develop previously undetected

Understanding Insecure IT: Practical Risk Assessment

May 27, 2009
Author(s)
Simon Liu, D. Richard Kuhn, Hart Rossman
IT systems have long been at risk from vulnerable software, malicious actions, or inadvertent user errors, in addition to run-of-the-mill natural and human-made disasters. As we discussed in the last issue (Surviving Insecure IT: Effective Patch

Surviving Insecure IT: Effective Patch Management

March 21, 2009
Author(s)
Simon Liu, D. Richard Kuhn, Hart Rossman
The amount of time to protect enterprise systems against potential vulnerability continues to shrink. Enterprises need an effective patch management mechanism to survive the insecure IT environment. Effective patch management is a systematic and repeatable

Introducing "Insecure IT"

January 20, 2009
Author(s)
David R. Kuhn, Hart Rossman, Simon Liu
This article introduces a new department for IT Professional that will cover security in IT systems, ranging from desktops to global e-commerce networks. Our goal is to offer ideas to improve IT security, both by looking at ways it can go wrong as well as

Property Verification for Generic Access Control Models

December 20, 2008
Author(s)
Chung Tong Hu, David R. Kuhn, Tao Xie
To formally and precisely capture the security properties that access control should adhere to, access control models are usually written to bridge the rather wide gap in abstraction between policies and mechanisms. In this paper, we propose a new general

Refining the In-Parameter-Order Strategy for Constructing Covering Arrays

September 1, 2008
Author(s)
Michael Forbes, James F. Lawrence, Yu Lei, Raghu N. Kacker, D. Richard Kuhn
Covering arrays are structures for well-representing extremely large input spaces and are used to efficiently implement black-box testing for software and hardware. This paper proposes refinements over the In-Parameter-Order strategy (for arbitrary t)

Automated Combinatorial Test Methods: Beyond Pairwise Testing

June 2, 2008
Author(s)
David R. Kuhn, Raghu N. Kacker, Yu Lei
Pairwise testing has become a popular approach to software quality assurance because it often provides effective error detection at low cost. However, pairwise (2-way) coverage is not sufficient for assurance of mission-critical software. Combinatorial

Practical Combinatorial Testing: Beyond Pairwise

June 1, 2008
Author(s)
David R. Kuhn, Yu Lei, Raghu N. Kacker
With new algorithms and tools, developers can apply high-strength combinatorial testing to detect elusive failures that occur only when multiple components interact. In pairwise testing, all possible pairs of parameter values are covered by at least one

IPOG/IPOG-D: Efficient Test Generation for Multi-way Combinatorial Testing

November 29, 2007
Author(s)
Yu Lei, Raghu N. Kacker, D. Richard Kuhn, Vadim Okun, James F. Lawrence
We present two strategies for multi-way testing (i.e., t-way testing with t > 2). The first strategy generalizes an existing strategy, called In-Parameter-Order, from pairwise testing to multi-way testing. This strategy requires all t-way combinations to
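Checking and building covering arrays, as an added example written for this page in Python (it is not code from the papers listed here or from NIST's ACTS tool). It implements the definition given under "A Survey of Binary Covering Arrays" for an arbitrary number of values per parameter, so the pairwise (t=2) check of "Practical Combinatorial Testing: Beyond Pairwise" and the multi-way (t>2) case of the IPOG entry above are the same test. The generator is a simple seeded greedy that adds the candidate row covering the most still-uncovered tuples; it is not the In-Parameter-Order or IPOG strategy those papers describe. The sample arrays are constructed for illustration.

```python
"""t-way coverage checker and a greedy covering-array builder (added example)."""
from itertools import combinations, product
import random


def all_tuples(levels, t):
    """Yield every (column set, value tuple) a strength-t array over `levels` must cover.

    `levels[i]` is the number of values parameter i can take; binary covering
    arrays are the special case where every entry is 2, so each t columns must
    show all 2**t sequences of 0s and 1s.
    """
    for cols in combinations(range(len(levels)), t):
        for vals in product(*(range(levels[c]) for c in cols)):
            yield cols, vals


def uncovered(rows, levels, t):
    """Return the set of t-way (cols, vals) combinations that no row covers."""
    seen = set()
    for row in rows:
        for cols in combinations(range(len(levels)), t):
            seen.add((cols, tuple(row[c] for c in cols)))
    return {cv for cv in all_tuples(levels, t) if cv not in seen}


def is_covering_array(rows, levels, t):
    """True iff `rows` is a covering array of strength t for parameters with `levels`."""
    return not uncovered(rows, levels, t)


def greedy_covering_array(levels, t, candidates=50, seed=0):
    """Build a strength-t array by greedy row selection (not the IPOG algorithm).

    Each step picks one still-uncovered tuple, generates random candidate rows
    that are forced to contain it, and keeps the candidate covering the most
    uncovered tuples. Forcing the seed tuple guarantees every added row covers
    at least one new tuple, so the loop terminates; the result is small but
    not minimal.
    """
    rng = random.Random(seed)
    todo = set(all_tuples(levels, t))
    rows = []
    while todo:
        seed_cols, seed_vals = min(todo)
        best, best_gain = None, -1
        for _ in range(candidates):
            cand = [rng.randrange(n) for n in levels]
            for c, v in zip(seed_cols, seed_vals):
                cand[c] = v
            cand = tuple(cand)
            gain = sum(1 for cols, vals in todo if tuple(cand[c] for c in cols) == vals)
            if gain > best_gain:
                best, best_gain = cand, gain
        rows.append(best)
        todo = {(cols, vals) for cols, vals in todo if tuple(best[c] for c in cols) != vals}
    return rows


# Constructed sample: a strength-2 binary covering array for 3 parameters.
# Every pair of columns shows 00, 01, 10 and 11 in some row, using 4 rows
# instead of the 8 an exhaustive test set would need.
SAMPLE_BINARY_CA = [(0, 0, 0), (0, 1, 1), (1, 0, 1), (1, 1, 0)]


if __name__ == "__main__":
    print(is_covering_array(SAMPLE_BINARY_CA, [2, 2, 2], 2))      # True
    print(is_covering_array(SAMPLE_BINARY_CA, [2, 2, 2], 3))      # False: 4 rows cannot hold 8 triples
    print(sorted(uncovered(SAMPLE_BINARY_CA[:3], [2, 2, 2], 2)))  # dropping a row leaves 3 pairs uncovered
    rows = greedy_covering_array([2] * 10, 2)
    print(len(rows), "rows cover all pairs of 10 binary parameters (exhaustive: 1024)")
    rows3 = greedy_covering_array([3, 3, 2, 2], 3)
    print(len(rows3), "rows cover all 3-way tuples of a 3,3,2,2 mixed-level system (exhaustive: 36)")
```

The `uncovered` set is the useful output in practice: run it over an existing regression suite (each test case as a row of equivalence-class indices) to measure how much t-way coverage the suite already provides before generating new rows.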

Border Gateway Protocol Security

July 17, 2007
Author(s)
D. Richard Kuhn, Kotikalapudi Sriram, Douglas Montgomery
This document introduces the Border Gateway Protocol (BGP), explains its importance to the internet, and provides a set of best practices that can help in protecting BGP. Best practices described here are intended to be implementable on nearly all