new! User perceptions vs. proxy LLM judges: Privacy and helpfulness in LLM responses to privacy-sensitive scenarios.
Xiaoyuan Wu, Roshni Kaushik, Wenkai Li, Lujo Bauer, and Koichi Onoue.
In Proceedings of the 64th Annual Meeting of the Association for Computational Linguistics, July 2026. To appear.
[BibTeX, ]

new! Incalmo: An autonomous LLM-assisted system for red teaming multi-host networks.
Brian Singer, Keane Lucas, Lakshmi Adiga, Meghna Jain, Lujo Bauer, and Vyas Sekar.
In Proceedings of the 47th IEEE Symposium on Security and Privacy, May 2026. To appear.
[BibTeX, ]

new! U.S. Southerners' attitudes towards AI analysis of voice data for high-stakes employment and education evaluations.
Andrea Gallardo, Lily Klucinec, Lujo Bauer, and Lorrie Faith Cranor.
In Proceedings of the 29th ACM Conference on Computer-Supported Cooperative Work and Social Computing, October 2026. To appear.
[BibTeX, ]

new! Passing down passwords: How older adults approach postmortem account access and digital estate planning.
Jenny Tang, Xiaoyuan Wu, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In CHI '26: Proceedings of the 2026 CHI Conference on Human Factors in Computing Systems, April 2026. ACM. © authors DOI: 10.1145/3772318.3791633
[PDF, BibTeX, ]

new! Location-enhanced information flow for home automations.
McKenna McCall, Benjamin Weinshel, Kunlin Cai, Ying Li, Eric Zeng, Devika Manohar, Lujo Bauer, Limin Jia, and Yuan Tian.
Proceedings on Privacy Enhancing Technologies, 2026 (1). 2026. © authors DOI: 10.56553/popets-2026-0018
[PDF, BibTeX, data and code, ]

DOM-XSS detection via webpage interaction fuzzing and URL component synthesis.
Nuno Sabino, Darion Cassel, Rui Abreu, Pedro Adão, Lujo Bauer, and Limin Jia.
In Proceedings of the 33rd Network and Distributed System Security Symposium, February 2026. Internet Society. © authors DOI: 10.14722/ndss.2026.231467
[PDF, BibTeX, code, ]

Estimating LLM consistency: A user baseline vs surrogate metrics.
Xiaoyuan Wu, Weiran Lin, Omer Akgul, and Lujo Bauer.
In Proceedings of the 2025 Conference on Empirical Methods in Natural Language Processing, November 2025. Association for Computational Linguistics. Senior Area Chair Highlight DOI: 10.18653/v1/2025.emnlp-main.1554
[PDF, BibTeX, talk video, data and code, ]

The impact of device type, data practices, and use case scenarios on privacy concerns about eye-tracked augmented reality in the United States and Germany.
Efe Bozkir, Babette Bühler, Xiaoyuan Wu, Enkelejda Kasneci, Lujo Bauer, and Lorrie Faith Cranor.
Journal of Cybersecurity, 11 (1). November 2025. Oxford University Press. © authors DOI: 10.1093/cybsec/tyaf036
[PDF, BibTeX, ]

Perry: A high-level framework for accelerating cyber deception experimentation.
Brian Singer, Yusuf Saquib, Lujo Bauer, and Vyas Sekar.
In Proceedings of the 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2025), October 2025. DOI: 10.1109/RAID67961.2025.00049
[PDF, BibTeX, code, ]

Misuse, misreporting, misinterpretation of statistical methods in usable privacy and security papers.
Jenny Tang, Lujo Bauer, and Nicolas Christin.
In SOUPS '25: Proceedings of the 21st Symposium on Usable Privacy and Security, August 2025. USENIX. © authors
[PDF, BibTeX, slides, video, supplemental data, ]

Adopting AI to protect industrial control systems: Assessing challenges and opportunities from the operators’ perspective.
Clement Fung, Eric Zeng, and Lujo Bauer.
In SOUPS '25: Proceedings of the 21st Symposium on Usable Privacy and Security, August 2025. USENIX. © authors
[PDF, BibTeX, slides, video, ]

“I would still use it but I wouldn't trust it”: Evaluating mechanisms for transparency and control for smart-home sensors.
Benjamin Weinshel, Yuvraj Agarwal, and Lujo Bauer.
Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, 9 (2). June 2025. ACM. © authors DOI: 10.1145/372948
[PDF, BibTeX, dataset, ]

LLM whisperer: an inconspicuous attack to bias LLM responses.
Weiran Lin, Anna Gerchanovsky, Omer Akgul, Lujo Bauer, Matt Fredrikson, and Zifan Wang.
In CHI '25: Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems, April 2025. ACM. © authors DOI: 10.1145/3706598.3714025
[PDF, BibTeX, code, talk video, ]

Measuring risks to users' health privacy posed by third-party web tracking and targeted advertising.
Eric Zeng, Xiaoyuan Wu, Emily Ertmann, Lily Huang, Danielle Johnson, Anusha Mehendale, Brandon Tang, Karolina Zhukoff, Michael Adjei-Poku, Lujo Bauer, Ari Friedman, and Matthew McCoy.
In CHI '25: Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems, April 2025. ACM. © authors DOI: 10.1145/3706598.3714318
[PDF, BibTeX, dataset, ]

Transparency or information overload? Evaluating users’ comprehension and perceptions of the iOS App Privacy Report.
Xiaoyuan Wu, Lydia Hu, Eric Zeng, Hana Habib, and Lujo Bauer.
In Proceedings of the 32nd Network and Distributed System Security Symposium, February 2025. Internet Society. © authors DOI: 10.14722/ndss.2025.230081
[PDF, BibTeX, ]

Training robust ML-based raw-binary malware detectors in hours, not months.
Keane Lucas, Weiran Lin, Lujo Bauer, Michael K. Reiter, and Mahmood Sharif.
In Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security, October 2024. © authors DOI: 10.1145/3658644.3690208
[PDF, BibTeX, ]

The impact of exposed passwords on honeyword efficacy.
Zonghao Huang, Lujo Bauer, and Michael K. Reiter.
In Proceedings of the 33rd USENIX Security Symposium, August 2024. USENIX. © authors
[PDF, BibTeX, talk slides, ]

Approach for the optimization of machine learning models for calculating binary function similarity.
Suguru Horimoto, Keane Lucas, and Lujo Bauer.
In Proceedings of the 21st Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '24), July 2024. DOI: 10.1007/978-3-031-64171-8_16
[PDF, BibTeX, code and data, ]

CoCoT: Collaborative contact tracing.
Trevor Kann, Lujo Bauer, and Robert K. Cunningham.
In Proceedings of the 14th ACM Conference on Data and Application Security and Privacy (CODASPY), June 2024. ACM. © authors DOI: 10.1145/3626232.3653254
[PDF, BibTeX, talk video, ]

Interdisciplinary approaches to cybervulnerability impact assessment for energy critical infrastructure.
Andrea Gallardo, Robert Erbes, Katya Le Blanc, Lujo Bauer, and Lorrie Faith Cranor.
In CHI '24: Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, May 2024. ACM. CHI 2024 Honorable Mention © authors DOI: 10.1145/3613904.3642493
[PDF, BibTeX, talk video, ]

Group-based robustness: A general framework for customized robustness in the real world.
Weiran Lin, Keane Lucas, Neo Eyal, Lujo Bauer, Michael K. Reiter, and Mahmood Sharif.
In Proceedings of the 31st Network and Distributed System Security Symposium, February 2024. Internet Society. © authors DOI: 10.14722/ndss.2024.24084
[PDF, BibTeX, talk video, ]

Attributions for ML-based ICS anomaly detection: From theory to practice.
Clement Fung, Eric Zeng, and Lujo Bauer.
In Proceedings of the 31st Network and Distributed System Security Symposium, February 2024. Internet Society. © authors DOI: 10.14722/ndss.2024.23216
[PDF, BibTeX, talk video, code, ]

RS-Del: Edit distance robustness certificates for sequence classifiers via randomized deletion.
Zhuoqun Huang, Neil G. Marchant, Keane Lucas, Lujo Bauer, Olga Ohrimenko, and Benjamin I. P. Rubinstein.
In Advances in Neural Information Processing Systems 36 (NeurIPS 2023), 2023.
[PDF, BibTeX, ]

Adversarial training for raw-binary malware classifiers.
Keane Lucas, Samruddhi Pai, Weiran Lin, Lujo Bauer, Michael K. Reiter, and Mahmood Sharif.
In Proceedings of the 32nd USENIX Security Symposium, August 2023. USENIX.
[PDF, BibTeX, talk video and slides, ]

Towards usable security analysis tools for trigger-action programming.
McKenna McCall, Eric Zeng, Faysal Hossain Shezan, Mitchell Yang, Lujo Bauer, Abhishek Bichhawat, Camille Cobb, Limin Jia, and Yuan Tian.
In SOUPS '23: Proceedings of the 19th Symposium on Usable Privacy and Security, August 2023. USENIX. © authors
[PDF, BibTeX, talk video and slides, ]

Speculative privacy attitudes and concerns about AR glasses data collection.
Andrea Gallardo, Christopher Choy, Jaideep Juneja, Efe Bozkir, Camille Cobb, Lujo Bauer, and Lorrie Faith Cranor.
Proceedings on Privacy Enhancing Technologies, 2023 (4). July 2023. © authors DOI: 10.56553/popets-2023-0117
[PDF, BibTeX, ]

Shedding light on inconcistencies in grid cybersecurity: Disconnects and recommendations.
Brian Singer, Amritanshu Pandey, Shimiao Li, Lujo Bauer, Craig Miller, Lawrence Pileggi, and Vyas Sekar.
In Proceedings of the 2023 IEEE Symposium on Security and Privacy, May 2023. DOI: 10.1109/SP46215.2023.10179343
[PDF, BibTeX, YouTube, talk video, ]

Widespread third-party tracking on hospital websites poses privacy risks for patients and legal liability for hospitals.
Ari B. Friedman, Raina M. Merchant, Amey Maley, Karim Farhat, Kristen Smith, Jackson Felkins, Rachel E. Gonzales, Lujo Bauer, and Matthew S. McCoy.
Health Affairs, 42 (4) 508-515. 2023. DOI: 10.1377/hlthaff.2022.01205
[PDF, BibTeX, ]

Prevalence of third-party tracking on abortion clinic web pages.
Ari B. Friedman, Lujo Bauer, Rachel Gonzales, and Matthew S. McCoy.
JAMA Internal Medicine. 2022. DOI: 10.1001/jamainternmed.2022.4208
[PDF, BibTeX, ]

“Adulthood is trying each of the same six passwords that you use for everything”: The Scarcity and Ambiguity of Security Advice on Social Media.
Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia.
In Proceedings of the 25th ACM Conference on Computer-Supported Cooperative Work and Social Computing, November 2022. © authors DOI: 10.1145/3555154
[PDF, BibTeX, ]

Perspectives from a comprehensive evaluation of reconstruction-based anomaly detection in industrial control systems.
Clement Fung, Shreya Srinarasi, Keane Lucas, Hay Bryan Phee, and Lujo Bauer.
In ESORICS 2022: 27th European Symposium on Research in Computer Security, September 2022. © authors DOI: 10.1007/978-3-031-17143-7_24
[PDF, BibTeX, talk video, code, ]

Detecting iPhone security compromise in simulated stalking scenarios: Strategies and obstacles.
Andrea Gallardo, Hanseul Kim, Tianying Li, Lorrie Faith Cranor, and Lujo Bauer.
In SOUPS '22: Proceedings of the 18th Symposium on Usable Privacy and Security, August 2022. © authors
[PDF, BibTeX, ]

Constrained Gradient Descent: a powerful and principled evasion attack against neural networks.
Weiran Lin, Keane Lucas, Lujo Bauer, Michael K. Reiter, and Mahmood Sharif.
In Proceedings of the 39th International Conference on Machine Learning, ICML 2022, July 2022.
[PDF, BibTeX, talk video, talk slides, ]

Investigating advertisers' domain-changing behaviors and their impacts on ad-blocker filter lists.
Su-Chin Lin, Kai-Hsiang Chou, Yen Chen, Hsu-Chun Hsiao, Darion Cassel, Lujo Bauer, and Limin Jia.
In Proceedings of The Web Conference, April 2022. © ACM DOI: 10.1145/3485447.3512218
[PDF, BibTeX, talk video, ]

OmniCrawl: Comprehensive measurement of Web tracking with real desktop and mobile browsers.
Darion Cassel, Su-Chin Lin, Alessio Buraggina, William Wang, Andrew Zhang, Lujo Bauer, Hsu-Chun Hsiao, Limin Jia, and Timothy Libert.
Proceedings on Privacy Enhancing Technologies, 2022 (1). January 2022. De Gruyter Open. PETS 2022 Artifact Award. © authors DOI: 10.2478/popets-2022-0012
[PDF, BibTeX, code, talk video, slides, ]

(How) Do people change their passwords after a breach?
Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia.
USENIX ;login:. December 2021. USENIX. © authors
[PDF, BibTeX, ]

What breach? Measuring online awareness of security incidents by studying real-world browsing behavior.
Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia.
In 2021 European Symposium on Usable Security, October 2021. ACM. © authors DOI: 10.1145/3481357.3481517
[PDF, BibTeX, ]

“I would have to evaluate their objections”: Privacy tensions between smart home device owners and incidental users.
Camille Cobb, Sruti Bhagavatula, Kalil Anderson Garrett, Alison Hoffman, Varun Rao, and Lujo Bauer.
Proceedings on Privacy Enhancing Technologies, 2021 (4). October 2021. De Gruyter Open. © authors DOI: 10.2478/popets-2021-0060
[PDF, BibTeX, talk video, ]

What breach? Measuring online awareness of security incidents by studying real-world browsing behavior.
Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia.
In Workshop on Technology and Consumer Protection, May 2021. Extended abstract. © authors
[PDF, BibTeX, ]

What makes people install a COVID-19 contact-tracing app? Understanding the influence of app design and individual difference on contact-tracing app adoption intention.
Tianshi Li, Camille Cobb, Jackie (Junrui) Yang, Sagar Baviskar, Yuvraj Agarwal, Beibei Li, Lujo Bauer, and Jason I. Hong.
Pervasive and Mobile Computing, 75. August 2021. Elsevier. Pervasive and Mobile Computing Best research papers 2019-2021 Award. © Elsevier; CC BY 4.0 DOI: 10.1016/j.pmcj.2021.101439
[PDF, BibTeX, ]

Malware makeover: breaking ML-based static analysis by modifying executable bytes.
Keane Lucas, Mahmood Sharif, Lujo Bauer, Michael K. Reiter, and Saurabh Shintre.
In Proceedings of the ACM Asia Conference on Computer and Communications Security, June 2021. © authors DOI: 10.1145/3433210.3453086
[PDF, BibTeX, slides, talk video, code, ]

Towards a lightweight, hybrid approach for detecting DOM XSS vulnerabilities with machine learning.
William Melicher, Clement Fung, Lujo Bauer, and Limin Jia.
In Proceedings of The Web Conference, April 2021. © International World Wide Web Conference Committee DOI: 10.1145/3442381.3450062
[PDF, BibTeX, ]

“Did you know this camera tracks your mood?”: Understanding privacy expectations and preferences in the age of video analytics.
Shikun Zhang, Yuanyuan Feng, Lujo Bauer, Lorrie Cranor, Anupam Das, and Norman Sadeh.
Proceedings on Privacy Enhancing Technologies, 2021 (2). April 2021. De Gruyter Open. 2022 Privacy Papers for Policymakers Award. © authors DOI: 10.2478/popets-2021-0028
[PDF, BibTeX, ]

Practical recommendations for stronger, more usable passwords combining minimum-strength, minimum-length, and blocklist requirements.
Joshua Tan, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In Proceedings of the 27th ACM SIGSAC Conference on Computer and Communications Security, November 2020. ACM. © authors DOI: 10.1145/3372297.3417882
[PDF, BibTeX, talk video, ]

(How) Do people change their passwords after a breach?
Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia.
arXiv preprint 2010.09853, October 2020.
[PDF, BibTeX, ]

What breach? Measuring online awareness of security incidents by studying real-world browsing behavior.
Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia.
arXiv preprint 2010.09843, October 2020.
[PDF, BibTeX, ]

How risky are real users' IFTTT applets?
Camille Cobb, Milijana Surbatovich, Anna Kawakami, Mahmood Sharif, Lujo Bauer, Anupam Das, and Limin Jia.
In SOUPS '20: Proceedings of the 16th Symposium on Usable Privacy and Security, August 2020. © authors
[PDF, BibTeX, 5-min talk (+ slides), 14-min talk, ]

Metering graphical data leakage with Snowman.
Qiuyu Xiao, Brittany Subialdea, Lujo Bauer, and Michael K. Reiter.
In 25th ACM Symposium on Access Control Models and Technologies, June 2020. © authors DOI: 10.1145/3381991.3395598
[PDF, BibTeX, ]

(How) Do people change their passwords after a breach?
Sruti Bhagavatula, Lujo Bauer, and Apu Kapadia.
In Workshop on Technology and Consumer Protection, May 2020. © authors
[PDF, BibTeX, talk video, ]

Cybersecurity and privacy.
Lujo Bauer.
In An Introduction to Privacy for Technology Professionals, 2020. International Association of Privacy Professionals.
[PDF, BibTeX, ]

n-ML: Mitigating adversarial examples via ensembles of topologically manipulated classifiers.
Mahmood Sharif, Lujo Bauer, and Michael K. Reiter.
arXiv preprint 1912.09059, December 2019.
[PDF, BibTeX, project page, ]

Optimization-guided binary diversification to mislead neural networks for malware detection.
Mahmood Sharif, Keane Lucas, Lujo Bauer, Michael K. Reiter, and Saurabh Shintre.
arXiv preprint 1912.09064, December 2019.
[PDF, BibTeX, project page, ]

Why people (don't) use password managers effectively.
Sarah Pearman, Aerin Shikun Zhang, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In SOUPS '19: Proceedings of the 15th Symposium on Usable Privacy and Security, July 2019. © authors
[PDF, BibTeX, ]

A general framework for adversarial examples with objectives.
Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter.
ACM Transactions on Privacy and Security, 22 (3). June 2019. (Revised version of arXiv preprint 1801.00349.) © authors DOI: 10.1145/3317611
[PDF, BibTeX, project page, ]

A field study of computer-security perceptions using anti-virus customer-support chats.
Mahmood Sharif, Kevin A. Roundy, Matteo Dell'Amico, Christopher Gates, Daniel Kats, Lujo Bauer, and Nicolas Christin.
In CHI'19: 37th Annual ACM Conference on Human Factors in Computing Systems, May 2019. © authors DOI: 10.1145/3290605.3300308
[PDF, BibTeX, ]

The influence of friends and experts on privacy decision making in IoT scenarios.
Pardis Emami Naeini, Martin Degeling, Lujo Bauer, Richard Chow, Lorrie Cranor, Mohammad Reza Haghighat, and Heather Patterson.
In Proceedings of the 21st ACM Conference on Computer-Supported Cooperative Work and Social Computing, November 2018. © authors DOI: 10.1145/3274317
[PDF, BibTeX, ]

Comparing hypothetical and realistic privacy valuations.
Joshua Tan, Mahmood Sharif, Sruti Bhagavatula, Matthias Beckerle, Michelle L. Mazurek, and Lujo Bauer.
In Proceedings of the 2018 Workshop on Privacy in the Electronic Society, October 2018. © authors DOI: 10.1145/3267323.3268961
[PDF, BibTeX, ]

User behaviors and attitudes under password expiration policies.
Hana Habib, Pardis Emami-Naeini, Maggie Oates, Chelse Swoopes, Lujo Bauer, Lorrie Faith Cranor, and Nicolas Christin.
In SOUPS '18: Proceedings of the 14th Symposium on Usable Privacy and Security, August 2018. © authors
[PDF, BibTeX, slides, ]

On the suitability of L_p-norms for creating and preventing adversarial examples.
Mahmood Sharif, Lujo Bauer, and Michael K. Reiter.
In Proceedings of The Bright and Dark Sides of Computer Vision: Challenges and Opportunities for Privacy and Security (in conjunction with the 2018 IEEE Conference on Computer Vision and Pattern Recognition), June 2018. © IEEE
[PDF, BibTeX, project page, ]

“It's not actually that horrible”: Exploring adoption of two-factor authentication at a university.
Jessica Colnago, Summer Devlin, Maggie Oates, Chelse Swoopes, Lujo Bauer, Lorrie Faith Cranor, and Nicolas Christin.
In CHI'18: 36th Annual ACM Conference on Human Factors in Computing Systems, April 2018. ACM. © authors DOI: 10.1145/3173574.3174030
[PDF, BibTeX, teaser video, ]

Riding out DOMsday: Toward detecting and preventing DOM cross-site scripting.
William Melicher, Anupam Das, Mahmood Sharif, Lujo Bauer, and Limin Jia.
In Proceedings of the 25th Network and Distributed System Security Symposium, February 2018. Internet Society. © authors DOI: 10.14722/ndss.2018.23309
[PDF, BibTeX, slides, talk video, code, ]

Adversarial Generative Nets: Neural network attacks on state-of-the-art face recognition.
Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter.
arXiv preprint 1801.00349, December 2017.
[PDF, BibTeX, project page, ]

Better passwords through science (and neural networks).
William Melicher, Blase Ur, Sean Segreti, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
USENIX ;login:, 42 (4). December 2017. USENIX. © authors
[PDF, BibTeX, official version, ]

Let's go in for a closer look: Observing passwords in their natural habitat.
Sarah Pearman, Jeremy Thomas, Pardis Emami Naeini, Hana Habib, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, and Alain Forget.
In Proceedings of the 24th ACM SIGSAC Conference on Computer and Communications Security, October 2017. ACM. © authors DOI: 10.1145/3133956.3133973
[PDF, BibTeX, ]

Self-driving cars and data collection: Privacy perceptions of networked autonomous vehicles.
Cara Bloom, Joshua Tan, Javed Ramjon, and Lujo Bauer.
In SOUPS '17: Proceedings of the 13th Symposium on Usable Privacy and Security, July 2017. USENIX. © authors
[PDF, BibTeX, slides, audio, ]

Privacy expectations and preferences in an IoT world.
Pardis Emami-Naeini, Sruti Bhagavatula, Hana Habib, Martin Degeling, Lujo Bauer, Lorrie Cranor, and Norman Sadeh.
In SOUPS '17: Proceedings of the 13th Symposium on Usable Privacy and Security, July 2017. USENIX. © authors
[PDF, BibTeX, slides, audio, ]

Diversify to survive: Making passwords stronger with adaptive policies.
Sean Segreti, William Melicher, Saranga Komanduri, Darya Melicher, Richard Shay, Blase Ur, Lujo Bauer, Nicolas Christin, Lorrie Cranor, and Michelle L. Mazurek.
In SOUPS '17: Proceedings of the 13th Symposium on Usable Privacy and Security, July 2017. USENIX. © authors
[PDF, BibTeX, slides, audio, ]

Towards privacy-aware smart buildings: Capturing, communicating, and enforcing privacy policies and preferences.
Primal Pappachan, Martin Degeling, Roberto Yus, Anupam Das, Sruti Bhagavatula, William Melicher, Pardis Emami Naeini, Shikun Zhang, Lujo Bauer, Alfred Kobsa, Sharad Mehrotra, Norman Sadeh, and Nalini Venkatasubramanian.
In International Workshop on the Internet of Things Computing and Applications, June 2017. In conjunction with ICDCS2017.
[BibTeX, ]

Can unicorns help users compare crypto key fingerprints?
Joshua Tan, Lujo Bauer, Joe Bonneau, Lorrie Cranor, Jeremy Thomas, and Blase Ur.
In CHI'17: 35th Annual ACM Conference on Human Factors in Computing Systems, May 2017. ACM. © authors DOI: 10.1145/3025453.3025733
[PDF, BibTeX, video teaser, ]

Design and evaluation of a data-driven password meter.
Blase Ur, Felicia Alfieri, Maung Aung, Lujo Bauer, Nicolas Christin, Jessica Colnago, Lorrie Cranor, Harold Dixon, Pardis Emami Naeini, Hana Habib, Noah Johnson, and William Melicher.
In CHI'17: 35th Annual ACM Conference on Human Factors in Computing Systems, May 2017. ACM. CHI Best Paper. © authors DOI: 10.1145/3025453.3026050
[PDF, BibTeX, video teaser, code, online demo, ]

Timing-sensitive noninterference through composition.
Willard Rafnsson, Limin Jia, and Lujo Bauer.
In Proceedings of the 6th International Conference on the Principles of Security and Trust, April 2017. Springer. © Springer-Verlag DOI: 10.1007/978-3-662-54455-6_1
[PDF, BibTeX, ]

Some recipes can do more than spoil your appetite: Analyzing the security and privacy risks of IFTTT recipes.
Milijana Surbatovich, Jassim Aljuraidan, Lujo Bauer, Anupam Das, and Limin Jia.
In Proceedings of the 26th International World Wide Web Conference, April 2017. © IW3C2, CC BY 4.0 DOI: 10.1145/3038912.3052709
[PDF, BibTeX, video from PrivacyCon, ]

Password creation in the presence of blacklists.
Hana Habib, Jessica Colnago, William Melicher, Blase Ur, Sean Segreti, Lujo Bauer, Nicolas Christin, and Lorrie Cranor.
In Proceedings of Usable Security (USEC) 2017, February 2017. Internet Society. © Internet Society DOI: 10.14722/usec.2017.23043
[PDF, BibTeX, slides, ]

Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition.
Mahmood Sharif, Sruti Bhagavatula, Lujo Bauer, and Michael K. Reiter.
In Proceedings of the 23rd ACM SIGSAC Conference on Computer and Communications Security, October 2016. DOI: 10.1145/2976749.2978392
[PDF, BibTeX, talk video, project page, ]

Fast, lean, and accurate: Modeling password guessability using neural networks.
William Melicher, Blase Ur, Sean M. Segreti, Saranga Komanduri, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In Proceedings of the 25th USENIX Security Symposium, August 2016. USENIX Security Best Paper.
[PDF, BibTeX, video teaser, slides, talk video, code, ]

Designing Password Policies for Strength and Usability.
Richard Shay, Saranga Komanduri, Adam L. Durity, Philip (Seyoung) Huh, Michelle L. Mazurek, Sean M. Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
ACM Transactions on Information and System Security, 18 (4). May 2016. ACM. Notable Article, ACM 21st Annual Best of Computing © authors DOI: 10.1145/2891411
[PDF, BibTeX, ]

Usability and Security of Text Passwords on Mobile Devices.
William Melicher, Darya Kurilova, Sean Segreti, Pranshu Kalvani, Richard Shay, Blase Ur, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Michelle L. Mazurek.
In CHI'16: 34th Annual ACM Conference on Human Factors in Computing Systems, May 2016. ACM. © authors DOI: 10.1145/2858036.2858384
[PDF, BibTeX, ]

Do Users' Perceptions of Password Security Match Reality?
Blase Ur, Jonathan Bees, Sean Segreti, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In CHI'16: 34th Annual ACM Conference on Human Factors in Computing Systems, May 2016. ACM. CHI 2016 Honorable Mention. © authors DOI: 10.1145/2858036.2858546
[PDF, BibTeX, video teaser, online game, ]

Sharing personal content online: exploring channel choice and multi-channel behaviors.
Manya Sleeper, William Melicher, Hana Habib, Lujo Bauer, Lorrie Faith Cranor, and Michelle L. Mazurek.
In CHI'16: 34th Annual ACM Conference on Human Factors in Computing Systems, May 2016. ACM. © authors DOI: 10.1145/2858036.2858170
[PDF, BibTeX, video teaser, ]

(Do not) Track me sometimes: Users' contextual preferences for web tracking.
William Melicher, Mahmood Sharif, Joshua Tan, Lujo Bauer, Mihai Christodorescu, and Pedro Giovanni Leon.
Proceedings on Privacy Enhancing Technologies (2). April 2016. De Gruyter Open. © authors DOI: 10.1515/popets-2016-0009
[PDF, BibTeX, slides, talk video, ]

Introducing reputation systems to the economics of outsourcing computations to rational workers.
Jassim Aljuraidan, Lujo Bauer, Michael K. Reiter, and Matthias Beckerle.
In Financial Cryptography and Data Security, February 2016. Springer-Verlag. © International Financial Cryptography Association
[PDF, BibTeX, ]

Introducing reputation systems to the economics of outsourcing computations to rational workers.
Jassim Aljuraidan, Lujo Bauer, Michael K. Reiter, and Matthias Beckerle.
Technical Report CMU-CyLab-16-001, CyLab, Carnegie Mellon University, February 2016.
[PDF, BibTeX, ]

Probabilistic Cost Enforcement of Security Policies.
Yannis Mallios, Lujo Bauer, Dilsun Kaynar, Fabio Martinelli, and Charles Morisset.
Journal of Computer Security, 23 (6) 759--787. 2015. IOS Press. DOI: 10.3233/JCS-150538
[PDF, BibTeX, ]

Measuring Real-World Accuracies and Biases in Modeling Password Guessability.
Blase Ur, Sean M. Segreti, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Saranga Komanduri, Darya Kurilova, Michelle L. Mazurek, William Melicher, and Richard Shay.
In Proceedings of the 24th USENIX Security Symposium, August 2015. USENIX. © authors
[PDF, BibTeX, talk video, video teaser, ]

"I added '!' at the end to make it secure": Observing password creation in the lab.
Blase Ur, Fumiko Noma, Jonathan Bees, Sean M. Segreti, Richard Shay, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In SOUPS '15: Proceedings of the 11th Symposium on Usable Privacy and Security, July 2015. USENIX. © authors
[PDF, BibTeX, ]

A spoonful of sugar? The impact of guidance and feedback on password-creation behavior.
Richard Shay, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Alain Forget, Saranga Komanduri, Michelle L. Mazurek, William Melicher, Sean M. Segreti, and Blase Ur.
In CHI'15: 33rd Annual ACM Conference on Human Factors in Computing Systems, April 2015. ACM. © authors DOI: 10.1145/2702123.2702586
[PDF, BibTeX, video teaser, ]

Run-time monitoring and formal analysis of information flows in Chromium.
Lujo Bauer, Shaoying Cai, Limin Jia, Timothy Passaro, Michael Stroucken, and Yuan Tian.
In Proceedings of the 22nd Annual Network & Distributed System Security Symposium, February 2015. Internet Society. © Internet Society DOI: 10.14722/ndss.2015.23295
[PDF, BibTeX, ]

Studying the effectiveness of security images in Internet banking.
Joel Lee, Lujo Bauer, and Michelle L. Mazurek.
IEEE Internet Computing, 13 (1). 2015. IEEE. © IEEE DOI: 10.1109/MIC.2014.108
[BibTeX, ]

Analyzing the dangers posed by Chrome extensions.
Lujo Bauer, Shaoying Cai, Limin Jia, Timothy Passaro, and Yuan Tian.
In Proceedings of the IEEE Conference on Communications and Network Security, pages 184-192, October 2014. IEEE. © IEEE DOI: 10.1109/CNS.2014.6997485
[PDF, BibTeX, ]

Android taint flow analysis for app sets.
William Klieber, Lori Flynn, Amar Bhosale, Limin Jia, and Lujo Bauer.
In Proceedings of the 3rd ACM SIGPLAN International Workshop on the State of the Art in Java Program Analysis (SOAP 2014), June 2014. ACM. © ACM DOI: 10.1145/2614628.2614633
[BibTeX, ]

Studying the effectiveness of security images in Internet banking.
Joel Lee and Lujo Bauer.
In Web 2.0 Security and Privacy (W2SP) Workshop, May 2014.
[PDF, BibTeX, ]

Can long passwords be secure and usable?
Richard Shay, Saranga Komanduri, Adam L. Durity, Philip (Seyoung) Huh, Michelle L. Mazurek, Sean M. Segreti, Blase Ur, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In CHI'14: Conference on Human Factors in Computing Systems, April 2014. ACM. © authors DOI: 10.1145/2556288.2557377
[PDF, BibTeX, video teaser, ]

Toward strong, usable access control for shared distributed data.
Michelle L. Mazurek, Yuan Liang, William Melicher, Manya Sleeper, Lujo Bauer, Gregory R. Ganger, Nitin Gupta, and Michael K. Reiter.
In Proceedings of the 12th USENIX Conference on File and Storage Technologies (FAST '14), February 2014. USENIX.
[PDF, BibTeX, talk video, ]

Challenges faced in working with users to design access-control systems for domestic environments.
Manya Sleeper, Michelle L. Mazurek, and Lujo Bauer.
In Designing with Users for Domestic Environments workshop at CSCW14 (the 17th ACM Conference on Computer Supported Cooperative Work and Social Computing), February 2014. Position paper.
[PDF, BibTeX, ]

A comparison of users' perceptions and willingness to use Google, Facebook, and Google+ single-sign-on functionality.
Lujo Bauer, Cristian Bravo-Lillo, Elli Fragkaki, and William Melicher.
In Proceedings of the ACM Digital Identity Management Workshop, November 2013. ACM. © authors DOI: 10.1145/2517881.2517886
[PDF, BibTeX, ]

Measuring Password Guessability for an Entire University.
Michelle L. Mazurek, Saranga Komanduri, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Patrick Gage Kelley, Richard Shay, and Blase Ur.
In Proceedings of the 2013 ACM Conference on Computer and Communications Security, November 2013. ACM. © authors DOI: 10.1145/2508859.2516726
[PDF, BibTeX, ]

The post anachronism: The temporal dimension of Facebook privacy.
Lujo Bauer, Lorrie Faith Cranor, Saranga Komanduri, Michelle L. Mazurek, Michael K. Reiter, Manya Sleeper, and Blase Ur.
In Proceedings of the 12th Annual Workshop on Privacy in the Electronic Society, November 2013. ACM. © authors DOI: 10.1145/2517840.2517859
[PDF, BibTeX, ]

What you want is not what you get: Predicting sharing policies for text-based content on Facebook.
Arunesh Sinha, Yan Li, and Lujo Bauer.
In Proceedings of the 6th ACM Workshop on Security and Artificial Intelligence, November 2013. ACM. © authors DOI: 10.1145/2517312.2517317
[PDF, BibTeX, ]

Probabilistic Cost Enforcement of Security Policies.
Yannis Mallios, Lujo Bauer, Dilsun Kaynar, Fabio Martinelli, and Charles Morisset.
In Security and Trust Management: 9th International Workshop, STM 2013, Proceedings, volume 8203 of Lecture Notes in Computer Science, pages 144--159, September 2013. Springer. © Springer-Verlag DOI: 10.1007/978-3-642-41098-7_10
[PDF, BibTeX, ]

Run-time enforcement of information-flow properties on Android (extended abstract).
Limin Jia, Jassim Aljuraidan, Elli Fragkaki, Lujo Bauer, Michael Stroucken, Kazuhide Fukushima, Shinsaku Kiyomoto, and Yutaka Miyake.
In Computer Security---ESORICS 2013: 18th European Symposium on Research in Computer Security, pages 775--792, September 2013. Springer. (Full version appears as technical report CMU-CyLab-12-015.) © Springer-Verlag DOI: 10.1007/978-3-642-40203-6_43
[PDF, BibTeX, demo, ]

What matters to users? Factors that affect users' willingness to share information with online advertisers.
Pedro G. Leon, Blase Ur, Yang Wang, Manya Sleeper, Rebecca Balebako, Richard Shay, Lujo Bauer, Mihai Christodorescu, and Lorrie Faith Cranor.
In SOUPS '13: Proceedings of the 9th Symposium on Usable Privacy and Security, July 2013. ACM. © authors DOI: 10.1145/2501604.2501611
[PDF, BibTeX, ]

The impact of length and mathematical operators on the usability and security of system-assigned one-time PINs.
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In 2013 Workshop on Usable Security (USEC), volume 7862 of Lecture Notes in Computer Science, pages 34--51, April 2013. Springer. © Springer-Verlag DOI: 10.1007/978-3-642-41320-9_3
[PDF, BibTeX, ]

Warning Design Guidelines.
Lujo Bauer, Cristian Bravo-Lillo, Lorrie Cranor, and Elli Fragkaki.
Technical Report CMU-CyLab-13-002, CyLab, Carnegie Mellon University, February 2013.
[PDF, BibTeX, ]

Helping users create better passwords.
Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle L. Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, and Julio López.
USENIX ;login:, 37 (6). December 2012. USENIX. © authors
[PDF, BibTeX, ]

Enforcing more with less: Formalizing target-aware run-time monitors.
Yannis Mallios, Lujo Bauer, Dilsun Kaynar, and Jay Ligatti.
In Security and Trust Management: 8th International Workshop, STM 2012, Pisa, Italy, September 13--14, 2012, Revised Selected Papers, volume 7783 of Lecture Notes in Computer Science, pages 17--32, 2013. © Springer-Verlag DOI: 10.1007/978-3-642-38004-4_2
[PDF, BibTeX, ]

Modeling and enhancing Android's permission system.
Elli Fragkaki, Lujo Bauer, Limin Jia, and David Swasey.
In Computer Security---ESORICS 2012: 17th European Symposium on Research in Computer Security, volume 7459 of Lecture Notes in Computer Science, pages 1--18, September 2012. (Full version appears as Technical report CMU-CyLab-11-020.) © Springer-Verlag DOI: 10.1007/978-3-642-33167-1_1
[PDF, BibTeX, ]

Run-time enforcement of information-flow properties on Android.
Jassim Aljuraidan, Elli Fragkaki, Lujo Bauer, Limin Jia, Kazuhide Fukushima, Shinsaku Kiyomoto, and Yutaka Miyake.
Technical Report CMY-CyLab-12-015, CyLab, Carnegie Mellon University, July 2012.
[PDF, BibTeX, ]

How does your password measure up? The effect of strength meters on password creation.
Blase Ur, Patrick Gage Kelley, Saranga Komanduri, Joel Lee, Michael Maass, Michelle Mazurek, Timothy Passaro, Richard Shay, Timothy Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In Proceedings of the 21st USENIX Security Symposium, August 2012. USENIX Association. © authors
[PDF, BibTeX, talk video, ]

Check points against privacy breaches in Android applications.
Kazuhide Fukushima, Lujo Bauer, Limin Jia, Shinsaku Kiyomoto, and Yutaka Miyake.
IJCSNS, 12 (8). August 2012.
[BibTeX, ]

Studying access control usability in the lab: Lessons learned from four studies.
Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, and Michael K. Reiter.
In LASER '12: Proceedings of the 2012 Workshop on Learning from Authoritative Security Experiment Results, pages 31--40, July 2012. ACM. © ACM DOI: 10.1145/2379616.2379621
[PDF, BibTeX, ]

Out of sight, out of mind: Effects of displaying access-control information near the item it controls.
Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, and Michael K. Reiter.
In Proceedings of the 2012 Tenth Annual International Conference on Privacy, Security and Trust (PST), pages 128--136, July 2012. IEEE. © IEEE DOI: 10.1109/PST.2012.6297929
[PDF, BibTeX, ]

Correct horse battery staple: Exploring the usability of system-assigned passphrases.
Richard Shay, Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Blase Ur, Tim Vidas, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In SOUPS '12: Proceedings of the 8th Symposium on Usable Privacy and Security, July 2012. ACM. © authors DOI: 10.1145/2335356.2335366
[PDF, BibTeX, ]

Guess again (and again and again): Measuring password strength by simulating password-cracking algorithms.
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Richard Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez.
In Proceedings of the 2012 IEEE Symposium on Security and Privacy, pages 523--537, May 2012. IEEE. IEEE Test of Time award, 2023 © IEEE DOI: 10.1109/SP.2012.38
[PDF, BibTeX, ]

Tag, you can see it! Using tags for access control in photo sharing.
Peter F. Klemperer, Yuan Liang, Michelle L. Mazurek, Manya Sleeper, Blase Ur, Lujo Bauer, Lorrie Faith Cranor, Nitin Gupta, and Michael K. Reiter.
In CHI 2012: Conference on Human Factors in Computing Systems, pages 377--386, May 2012. ACM. © ACM DOI: 10.1145/2207676.2207728
[PDF, BibTeX, ]

Discovering access-control misconfigurations: New approaches and evaluation methodologies.
Lujo Bauer, Yuan Liang, Michael K. Reiter, and Chad Spensky.
In CODASPY'12: Proceedings of the Second ACM Conference on Data and Application Security and Privacy, February 2012. © ACM DOI: 10.1145/2133601.2133613
[PDF, BibTeX, ]

Guess again (and again and again: Measuring password strength by simulating password-cracking algorithms.
Patrick Gage Kelley, Saranga Komanduri, Michelle L. Mazurek, Rich Shay, Tim Vidas, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Julio Lopez.
Technical Report CMU-CYLAB-11-008, CyLab, Carnegie Mellon University, August 2011.
[PDF, BibTeX, ]

Don't bump, shake on it: The exploitation of a popular accelerometer-based smart phone exchange and its secure replacement.
Ahren Studer, Timothy Passaro, and Lujo Bauer.
In ACSAC '11: Proceedings of the 27th Annual Computer Security Applications Conference, pages 333--342, December 2011. ACM. © ACM DOI: 10.1145/2076732.2076780
[PDF, BibTeX, ]

More than skin deep: Measuring effects of the underlying model on access-control system usability.
Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea.
In CHI '11: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 2065--2074, May 2011. ACM. © ACM DOI: 10.1145/1978942.1979243
[PDF, BibTeX, ]

Exploring Reactive Access Control.
Michelle L. Mazurek, Peter F. Klemperer, Richard Shay, Hassan Takabi, Lujo Bauer, and Lorrie Faith Cranor.
In CHI '11: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 2085--2094, May 2011. ACM. © ACM DOI: 10.1145/1978942.1979245
[PDF, BibTeX, ]

Of passwords and people: Measuring the effect of password-composition policies.
Saranga Komanduri, Richard Shay, Patrick Gage Kelley, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, Lorrie Faith Cranor, and Serge Egelman.
In CHI '11: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 2595--2604, May 2011. ACM. CHI 2011 Honorable Mention. © ACM DOI: 10.1145/1978942.1979321
[PDF, BibTeX, ]

Detecting and resolving policy misconfigurations in access-control systems.
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
ACM Transactions on Information and System Security, 14 (1). May 2011. ACM. © ACM DOI: 10.1145/1952982.1952984
[PDF, BibTeX, ]

Don't bump, shake on it: The exploitation of a popular accelerometer-based smart phone exchange and its secure replacement.
Ahren Studer, Timothy Passaro, and Lujo Bauer.
Technical Report CMU-CYLAB-11-011, CyLab, Carnegie Mellon University, February 2011.
[PDF, BibTeX, ]

Access Right Assignment Mechanisms for Secure Home Networks.
Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig, and Jesse Walker.
Journal of Communications and Networks, 13 (2) 175--186. 2011. Korean Institute of Communication Sciences.
[BibTeX, ]

Challenges in Access Right Assignment for Secure Home Networks.
Tiffany Hyun-Jin Kim, Lujo Bauer, James Newsome, Adrian Perrig, and Jesse Walker.
In Proceedings of the 5th USENIX Workshop on Hot Topics in Security, August 2010.
[BibTeX, ]

Constraining credential usage in logic-based access control.
Lujo Bauer, Limin Jia, and Divya Sharma.
In Proceedings of the 23rd IEEE Computer Security Foundations Symposium, pages 154--168, July 2010. IEEE. © IEEE DOI: 10.1109/CSF.2010.18
[PDF, BibTeX, ]

Encountering stronger password requirements: User attitudes and behaviors.
Richard Shay, Saranga Komanduri, Patrick Gage Kelley, Pedro Giovanni Leon, Michelle L. Mazurek, Lujo Bauer, Nicolas Christin, and Lorrie Faith Cranor.
In SOUPS '10: Proceedings of the 6th Symposium on Usable Privacy and Security, July 2010. ACM. © authors DOI: 10.1145/1837110.1837113
[PDF, BibTeX, ]

Access control for home data sharing: Attitudes, needs and practices.
Michelle L. Mazurek, J.P. Arsenault, Joanna Breese, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter.
In CHI 2010: Conference on Human Factors in Computing Systems, pages 645--654, April 2010. ACM. © ACM DOI: 10.1145/1753326.1753421
[PDF, BibTeX, ]

Access control for home data sharing: Attitudes, needs and practices.
Michelle L. Mazurek, J.P. Arsenault, Joanna Breese, Nitin Gupta, Iulia Ion, Christina Johns, Daniel Lee, Yuan Liang, Jenny Olsen, Brandon Salmon, Richard Shay, Kami Vaniea, Lujo Bauer, Lorrie Faith Cranor, Gregory R. Ganger, and Michael K. Reiter.
Technical Report CMU-CyLab-09-013, CyLab, Carnegie Mellon University, October 2009.
[PDF, BibTeX, ]

Composing Expressive Runtime Security Policies.
Lujo Bauer, Jay Ligatti, and David Walker.
ACM Transactions on Software Engineering and Methodology, 18 (3). May 2009. ACM. © ACM DOI: 10.1145/1525880.1525882
[PDF, BibTeX, ]

xDomain: Cross-border proofs of access.
Lujo Bauer, Limin Jia, Michael K. Reiter, and David Swasey.
In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, pages 43--52, June 2009. ACM. (Full version appears as technical report CMU-CyLab-09-005.) © ACM DOI: 10.1145/1542207.1542216
[PDF, BibTeX, ]

Real life challenges in access-control management.
Lujo Bauer, Lorrie Cranor, Robert W. Reeder, Michael K. Reiter, and Kami Vaniea.
In CHI 2009: Conference on Human Factors in Computing Systems, pages 899--908, April 2009. ACM. © ACM DOI: 10.1145/1518701.1518838
[PDF, BibTeX, ]

Effects of access-control policy conflict-resolution methods on policy-authoring usability.
Robert W. Reeder, Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea.
Technical Report CMU-CyLab-09-006, CyLab, Carnegie Mellon University, March 2009.
[PDF, BibTeX, ]

Run-time enforcement of nonsafety policies.
Jay Ligatti, Lujo Bauer, and David Walker.
ACM Transactions on Information and System Security, 12 (3). January 2009. ACM. © ACM DOI: 10.1145/1455526.1455532
[PDF, BibTeX, ]

Usable key agreement in home networks.
Ramu Panayappan, Tom Palarz, Lujo Bauer, and Adrian Perrig.
In Proceedings of the 1st International Conference on COMmunication Systems and NETworkS (COMSNETS), pages 550--559, January 2009. IEEE Press. © IEEE DOI: 10.1109/COMSNETS.2009.4808898
[BibTeX, ]

Detecting and resolving policy misconfigurations in access-control systems.
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
In Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pages 185--194, June 2008. ACM. © ACM DOI: 10.1145/1377836.1377866
[PDF, BibTeX, ]

A user study of policy creation in a flexible access-control system.
Lujo Bauer, Lorrie Cranor, Robert W. Reeder, Michael K. Reiter, and Kami Vaniea.
In CHI 2008: Conference on Human Factors in Computing Systems, pages 543--552, April 2008. ACM. © ACM DOI: 10.1145/1357054.1357143
[PDF, BibTeX, ]

Expandable grids for visualizing and authoring computer security policies.
Robert W. Reeder, Lujo Bauer, Lorrie Cranor, Michael K. Reiter, Kelli Bacon, Keisha How, and Heather Strong.
In CHI 2008: Conference on Human Factors in Computing Systems, pages 1473--1482, April 2008. ACM. © ACM DOI: 10.1145/1357054.1357285
[PDF, BibTeX, ]

Efficient proving for practical distributed access-control systems.
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
In Computer Security---ESORICS 2007: 12th European Symposium on Research in Computer Security, volume 4734 of Lecture Notes in Computer Science, pages 19--37, September 2007. Springer. (Full version appears as technical report CMU-CyLab-06-015R.) © Springer-Verlag DOI: 10.1007/978-3-540-74835-9_3
[PDF, BibTeX, ]

Lessons learned from the deployment of a smartphone-based access-control system.
Lujo Bauer, Lorrie Faith Cranor, Michael K. Reiter, and Kami Vaniea.
In SOUPS '07: Proceedings of the 3rd Symposium on Usable Privacy and Security, pages 64--75, July 2007. ACM. © authors DOI: 10.1145/1280680.1280689
[PDF, BibTeX, ]

Consumable credentials in logic-based access-control systems.
Kevin D. Bowers, Lujo Bauer, Deepak Garg, Frank Pfenning, and Michael K. Reiter.
In Proceedings of the 2007 Network & Distributed System Security Symposium, pages 143--157, February 2007. Internet Society. © Internet Society
[PDF, BibTeX, ]

Comparing access-control technologies: A study of keys and smartphones.
Lujo Bauer, Lorrie Cranor, Robert W. Reeder, Michael K. Reiter, and Kami Vaniea.
Technical Report CMU-CYLAB-07-005, CyLab, Carnegie Mellon University, February 2007.
[PDF, BibTeX, ]

User-controllable security and privacy for pervasive computing.
Jason Cornwell, Ian Fette, Gary Hsieh, Madhu Prabaker, Jinghai Rao, Karen Tang, Kami Vaniea, Lujo Bauer, Lorrie Cranor, Jason Hong, Bruce McLaren, Mike Reiter, and Norman Sadeh.
In Eighth IEEE Workshop on Mobile Computing Systems and Applications (HotMobile), pages 14--19, February 2007. IEEE. © IEEE DOI: 10.1109/WMCSA.2007.4389552
[PDF, BibTeX, ]

Efficient proving for distributed access-control systems.
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
Technical Report CMU-CYLAB-06-015R, CyLab, Carnegie Mellon University, September 2006.
[PDF, BibTeX, ]

A linear logic of authorization and knowledge.
Deepak Garg, Lujo Bauer, Kevin D. Bowers, Frank Pfenning, and Michael K. Reiter.
In Computer Security---ESORICS 2006: 11th European Symposium on Research in Computer Security, volume 4189 of Lecture Notes in Computer Science, pages 297--312, September 2006. Springer. Official, slightly abbreviated version. © Springer-Verlag DOI: 10.1007/11863908_19
[PDF, BibTeX, ]

Device-enabled authorization in the Grey system.
Lujo Bauer, Scott Garriss, Jonathan M. McCune, Michael K. Reiter, Jason Rouse, and Peter Rutenbar.
In Information Security: 8th International Conference, ISC 2005, volume 3650 of Lecture Notes in Computer Science, pages 431--445, September 2005. Springer. An extended version of this paper appears as a © Springer-Verlag DOI: 10.1007/11556992_31
[PDF, BibTeX, ]

Enforcing non-safety security policies with program monitors.
Jay Ligatti, Lujo Bauer, and David Walker.
In Computer Security---ESORICS 2005: 10th European Symposium on Research in Computer Security, volume 3679 of Lecture Notes in Computer Science, pages 355--373, September 2005. Springer. © Springer-Verlag DOI: 10.1007/11555827_21
[PDF, BibTeX, ]

Composing security policies with Polymer.
Lujo Bauer, Jay Ligatti, and David Walker.
In Proceedings of the 2005 ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), pages 305--314, June 2005. ACM. © ACM DOI: 10.1145/1065010.1065047
[PDF, BibTeX, ]

Distributed proving in access-control systems.
Lujo Bauer, Scott Garriss, and Michael K. Reiter.
In Proceedings of the 2005 IEEE Symposium on Security & Privacy, pages 81--95, May 2005. IEEE. © IEEE DOI: 10.1109/SP.2005.9
[PDF, BibTeX, ]

Enforcing non-safety security policies with program monitors.
Jay Ligatti, Lujo Bauer, and David Walker.
Technical Report TR-720-05, Princeton University, January 2005.
[PDF, BibTeX, ]

Edit automata: Enforcement mechanisms for run-time security policies.
Jay Ligatti, Lujo Bauer, and David Walker.
International Journal of Information Security, 4 (1--2) 2--16. February 2005. Springer. (Published online 26 Oct 2004.) © Springer-Verlag DOI: 10.1007/s10207-004-0046-8
[PDF, BibTeX, ]

A Language and System for Composing Security Policies.
Lujo Bauer, Jay Ligatti, and David Walker.
Technical Report TR-699-04, Princeton University, January 2004.
[PDF, BibTeX, ]

Access control for the Web via proof-carrying authorization.
Lujo Bauer.
Ph.D. Thesis, Princeton University, November 2003.
[PDF, BibTeX, ]

Types and Effects for Non-interfering Program Monitors.
Lujo Bauer, Jarred Ligatti, and David Walker.
In Software Security---Theories and Systems. Mext-NSF-JSPS International Symposium, ISSS 2002, Tokyo, Japan, November 8-10, 2002, Revised Papers, volume 2609 of Lecture Notes in Computer Science, pages 154--171, 2003. Springer. © Springer-Verlag DOI: 10.1007/3-540-36532-X_10
[PDF, BibTeX, ]

Mechanisms for secure modular programming in Java.
Lujo Bauer, Andrew W. Appel, and Edward W. Felten.
Software—Practice and Experience, 33 (5) 461--480. 2003. Wiley. © Wiley DOI: 10.1002/spe.516
[PDF, BibTeX, ]

A general and flexible access-control system for the Web.
Lujo Bauer, Michael A. Schneider, and Edward W. Felten.
In Proceedings of the 11th USENIX Security Symposium, pages 93--108, August 2002. USENIX. © authors
[PDF, BibTeX, ]

A Calculus for Composing Security Policies.
Lujo Bauer, Jarred Ligatti, and David Walker.
Technical Report TR-655-02, Princeton University, August 2002.
[PDF, BibTeX, ]

More Enforceable Security Policies.
Lujo Bauer, Jarred Ligatti, and David Walker.
In Foundations of Computer Security, July 2002.
[PDF, BibTeX, ]

More Enforceable Security Policies.
Lujo Bauer, Jarred Ligatti, and David Walker.
Technical Report TR-649-02, Princeton University, June 2002.
[PDF, BibTeX, ]

A Proof-Carrying Authorization System.
Lujo Bauer, Michael A. Schneider, and Edward W. Felten.
Technical Report TR-638-01, Princeton University, April 2001.
[PDF, BibTeX, ]

Mechanisms for secure modular programming in Java.
Lujo Bauer, Andrew W. Appel, and Edward W. Felten.
Technical Report TR-603-99, Princeton University, July 1999.
[PDF, BibTeX, ]