My research vision is to develop systems that automatically check the world's software for exploitable bugs. The two most important words to me are shown in red. My approach is based on using program analysis with security-specific properties, which I call software security.

Students

I am fortunate to advise Thanassis Avgerinos, Tiffany Bao, Jonathan Burket, Sang Kil Cha, Peter Chapman, and Matthew Maurer.

I have advised many students, of whom I am very proud. My former PhD students are Jiyong Jang (PhD ECE 2014, now at IBM Watson), Edward Schwartz (PhD ECE 2014, now at SEI), and Alex Rebert (on leave, co-founder of ForAllSecure). I have mentored postdoctoral students Maverick Woo (now CyLab Systems Scientist), JongHyup Lee (Assistant Professor at KNUP), and Manuel Egele (now an Assistant Professor at Boston University).

I am also the faculty advisor to the Plaid Parliament of Pwning, a competitive Capture the Flag team.

Teaching

I teach Introduction to Computer Security (18-487), Software Security (18-732), and Malware, Defense, and Vulnerability Analysis (18-739c).

I also run PicoCTF, an annual computer security contest for high school students.

Papers

[38]
Thanassis Avgerinos, Sang Kil Cha, Alexandre Rebert, Edward J. Schwartz, Maverick Woo, and David Brumley. Automatic Exploit Generation. Communications of the ACM, 57(2):74–84, 2014. (PDF) (doi:10.1145/2560217.2560219)
[37]
Thanassis Avgerinos, Alexandre Rebert, Sang Kil Cha, and David Brumley. Enhancing Symbolic Execution with Veritesting. In Proceedings of the International Conference on Software Engineering, pages 1083–1094, New York, New York, USA, 2014. ACM Press. (PDF) (doi:10.1145/2568225.2568293)
[36]
Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. An Empirical Study of Cryptographic Misuse in Android Applications. In Proceedings of the ACM Conference on Computer and Communications Security, pages 73–84, 2013. (PDF) (doi:10.1145/2508859.2516693)
[35]
Jiyong Jang, Maverick Woo, and David Brumley. Towards Automatic Software Lineage Inference. In Proceedings of the USENIX Security Symposium, 2013. (PDF)
[34]
Edward Schwartz, JongHyup Lee, Maverick Woo, and David Brumley. Native x86 Decompilation using Semantics-Preserving Structural Analysis and Iterative Control-Flow Structuring. In Proceedings of the USENIX Security Symposium, pages 353–368, 2013. (PDF)
[33]
Shobha Venkataraman, David Brumley, Subhabrata Sen, and Oliver Spatscheck. Automatically Inferring the Evolution of Malicious Activity on the Internet. In Proceedings of the Network and Distributed System Security Symposium, 2013. (PDF)
[32]
Maverick Woo, Sang Kil Cha, Samantha Gottlieb, and David Brumley. Scheduling Black-box Mutational Fuzzing. In Proceedings of the 2013 ACM Conference on Computer & Communications Security, pages 511–522, 2013. (PDF) (doi:10.1145/2508859.2516736)
[31]
Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert, and David Brumley. Unleashing Mayhem on Binary Code. In Proceedings of the IEEE Symposium on Security and Privacy, pages 380–394, Washington, DC, USA, 2012. IEEE Computer Society. (PDF) (doi:10.1109/SP.2012.31)
[30]
Jiyong Jang, Abeer Agrawal, and David Brumley. ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions. In Proceedings of the IEEE Symposium on Security and Privacy, pages 48–62, 2012. (PDF)
[29]
Matthew Maurer and David Brumley. Tachyon: Tandem Execution for Efficient Live Patch Testing. In Proceedings of the USENIX Security Symposium, 2012. (PDF)
[28]
Tyler Nighswander, Brent Ledvina, Jonathan Diamond, Robert Brumley, and David Brumley. GPS Software Attacks. In Proceedings of the ACM Conference on Computer and Communications Security, pages 450–461, 2012. (PDF) (doi:10.1145/2382196.2382245)
[27]
Thanassis Avgerinos, Sang Kil Cha, Brent Lim Tze Hao, and David Brumley. AEG: Automatic Exploit Generation. In Proceedings of the Network and Distributed System Security Symposium, 2011. (PDF)
[26]
David Brumley, Ivan Jager, Thanassis Avgerinos, and Edward J. Schwartz. BAP: A Binary Analysis Platform. In Proceedings of International Conference on Computer Aided Verification, pages 463–469, Berlin, Heidelberg, 2011. Springer-Verlag. (PDF) (doi:10.1007/978-3-642-22110-1_37)
[25]
Sang Kil Cha, Iulian Moraru, Jiyong Jang, John Truelove, David Brumley, and David G Andersen. SplitScreen: Enabling Efficient, Distributed Malware Detection. Journal of Communications and Networks, 13(2):187–200, 2011. (PDF) (doi:10.1109/JCN.2011.6157418)
[24]
Jiyong Jang, David Brumley, and Shobha Venkataraman. BitShred: Feature Hashing Malware for Scalable Triage and Semantic Analysis. In Proceedings of the ACM Conference on Computer and Communications Security, pages 309–320, New York, New York, USA, 2011. ACM Press. (PDF) (doi:10.1145/2046707.2046742)
[23]
JongHyup Lee, Thanassis Avgerinos, and David Brumley. TIE: Principled Reverse Engineering of Types in Binary Programs. In Proceedings of the 18th Network and Distributed System Security Symposium. The Internet Society, 2011. (PDF)
[22]
Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. Q: Exploit Hardening Made Easy. In Proceedings of the USENIX Security Symposium, pages 379–394, 2011. (PDF)
[21]
Sang Kil Cha, Iulian Moraru, Jiyong Jang, John Truelove, David Brumley, and David G Andersen. SplitScreen: Enabling Efficient, Distributed Malware Detection. In Proceedings of the USENIX Symposium on Networked Systems Design and Implementation, volume 2, 2010. (PDF)
[20]
Sang Kil Cha, Brian Pak, David Brumley, and Richard Jay Lipton. Platform-Independent Programs. In Proceedings of the ACM Conference on Computer and Communications Security, pages 547–558, New York, New York, USA, 2010. ACM Press. (PDF) (doi:10.1145/1866307.1866369)
[19]
Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask). In Proceedings of the IEEE Symposium on Security and Privacy, pages 317–331. IEEE, 2010. (PDF) (doi:10.1109/SP.2010.26)
[18]
Edward J Schwartz, David Brumley, and Jonathan M McCune. A Contractual Anonymity System. In Proceedings of the Network and Distributed System Security Symposium, 2010. (PDF)
[17]
David Brumley, Pongsin Poosankam, Dawn Song, and Jiang Zheng. Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications. In Proceedings of the IEEE Symposium on Security and Privacy, pages 143–157, 2008. (PDF) (doi:10.1109/SP.2008.17)
[16]
David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha. Theory and Techniques for Automatic Generation of Vulnerability-Based Signatures. IEEE Transactions on Dependable and Secure Computing, 5(4):224–241, October 2008. (PDF) (doi:10.1109/TDSC.2008.55)
[15]
Nikita Borisov, David J Brumley, Helen J Wang, John Dunagan, Pallavi Joshi, and Chuanxiong Guo. A Generic Application-Level Protocol Analyzer and its Language. In Proceedings of the Network and Distributed System Security Symposium, 2007. (PDF)
[14]
David Brumley, Tzi-cker Chiueh, Robert Johnson, Huijia Lin, and Dawn Song. RICH: Automatically Protecting Against Integer-Based Vulnerabilities. In Proceedings of the Network and Distributed System Security Symposium. The Internet Society, 2007. (PDF)
[13]
Joseph Tucek, James Newsome, Shan Lu, Chengdu Huang, Spiros Xanthos, David Brumley, Yuanyuan Zhou, and Dawn Song. Sweeper: A Lightweight End-to-End System for Defending Against Fast Worms. In Proceedings of the ACM European Conference on Computer Systems (EUROSYS), pages 115–128, New York, New York, USA, 2007. ACM Press. (PDF) (doi:10.1145/1272996.1273010)
[12]
David Brumley, Juan Caballero, Zhenkai Liang, James Newsome, and Dawn Song. Towards Automatic Discovery of Deviations In Binary Implementations With Applications To Error Detection and Fingerprint Generation. In Proceedings of the USENIX Security Symposium, pages 213–228, August 2007. (PDF)
[11]
David Brumley, Hao Wang, Somesh Jha, and Dawn Song. Creating Vulnerability Signatures Using Weakest Preconditions. In Proceedings of the IEEE Computer Security Foundations Symposium, pages 311–325. IEEE, July 2007. (PDF) (doi:10.1109/CSF.2007.17)
[10]
David Brumley and James Newsome. Alias Analysis for Assembly (Revised). Technical report, Carnegie Mellon University, 2006. (PDF)
[9]
David Brumley and Dawn Song. Towards Attack-Agnostic Defenses. In Proceedings of the USENIX Workshop on Hot Topics in Computer Security, 2006. (PDF)
[8]
David Brumley, Li-Hao Liu, Pongsin Poosankam, and Dawn Song. Design Space and Analysis of Worm Defense Strategies. In Proceedings of the ACM Symposium on Information, Computer and Communications Security, pages 125–137, New York, New York, USA, 2006. ACM Press. (PDF) (doi:10.1145/1128817.1128837)
[7]
David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha. Towards Automatic Generation of Vulnerability-Based Signatures. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 2006. (PDF) (doi:10.1109/SP.2006.41)
[6]
James Newsome, David Brumley, Jason Franklin, and Dawn Song. Replayer: Automatic Protocol Replay by Binary Analysis. In Proceedings of the ACM Conference on Computer and Communications Security, pages 311–321, New York, New York, USA, 2006. ACM Press. (PDF) (doi:10.1145/1180405.1180444)
[5]
James Newsome, David Brumley, and Dawn Song. Vulnerability-Specific Execution Filtering for Exploit Prevention on Commodity Software. In Proceedings of the Network and Distributed System Security Symposium, 2006. (PDF)
[4]
David Brumley and Dan Boneh. Remote Timing Attacks Are Practical. Computer Networks, 48(5):701–716, August 2005. (PDF) (doi:10.1016/j.comnet.2005.01.010)
[3]
David Brumley and Dawn Song. Privtrans: Automatically Partitioning Programs for Privilege Separation. In Proceedings of the USENIX Security Symposium, 2004. (PDF)
[2]
David Brumley and Dan Boneh. Remote Timing Attacks Are Practical. In Proceedings of the USENIX Security Symposium, volume 48, 2003. (PDF) (doi:10.1016/j.comnet.2005.01.010)
[1]
Constantine Sapuntzakis, David Brumley, Ramesh Chandra, Nickolai Zeldovich, Jim Chow, Monica S. Lam, and Mendel Rosenblum. Virtual Appliances for Deploying and Maintaining Software. In Proceedings of the USENIX Large Installation System Administration Conference, 2003. (PDF)