David Brumley

David Brumley is an Assistant Professor at Carnegie Mellon University. He is a well-known researcher in software security, network security, and applied cryptography. Prof. Brumley also worked for 5 years as a Computer Security Officer for Stanford University.

Some of his notable accomplishments include:

• In 2008, he showed the counter-intuitive principle that patches can help attackers. In particular, he showed that given a patch for a bug and the originally buggy program, a working exploit can be automatically generated in as little as a few seconds. This result shows that current patch distribution architectures that distribute patches on time-scales larger than a few seconds are potentially insecure.^[1] In particular, this work shows one of the first applications of constraint satisfaction to generating exploits.^[2]
• In 2007, he developed techniques for automatically inferring implementation bugs in protocol implementations. This work won the best paper award at the USENIX Security conference.
• His work on a Timing attack against RSA. The work was able to recover the factors of a 1024-bit RSA private key over a network in about 2 hours. This work also won the USENIX Security ^[3] Best Paper award. As a result of this work, OpenSSL, stunnel,^[4] and others now implement defenses such as RSA blinding.
• His work on Rootkit analysis.^[5]
• His work on distributed denial of service attacks. In particular, he worked towards tracking down the attackers who brought down Yahoo in 2002.^[6]
• He was a major contributor towards the arrest of Dennis Moran^[7]
• US Patent 7373451, which is related to virtual appliance distribution and migration. This patent serves as part of the basis for founding moka5 ^[8] by his co-authors.