CSD Rolodex

Rick Kuhn

Computer Scientist

National Institute of Standards and Technology
Computer Security Division
Phone: 301-975-3337
Fax: 301-948-0279
kuhn@nist.gov

Active Projects

Publications

Biographical information:

Rick Kuhn is a computer scientist in the Computer Security Division of the National  Institute of Standards and Technology. He has authored two books and more than 100 conference or journal publications on information security, empirical studies of software failure, and software assurance, and is a senior member of the Institute of Electrical and Electronics Engineers (IEEE).  He co-developed the role based access control model (RBAC) used throughout industry and led the effort that established RBAC as an ANSI standard. Previously he served as Program Manager for the Committee on Applications  and Technology of the President's  Information Infrastructure Task Force and as manager  of the Software Quality Group at NIST.  Before joining NIST in 1984, he worked as a systems analyst with NCR Corporation and the Johns  Hopkins University Applied Physics Laboratory. He received an MS in computer science from the University of Maryland College Park, and an MBA from William & Mary.

Significant papers (or at least ones that seem to get a lot of attention):

  • D.R. Kuhn, D.R. Wallace, A.J. Gallo, Jr., "Software Fault Interactions and Implications for Software Testing", IEEE Trans. on Software Engineering, vol. 30, no. 6, June, 2004) - investigates number of interactions required to trigger failures in various types of systems; basis for our combinatorial testing project.
  • D.R. Kuhn, "Fault Classes and Error Detection Capability of Specification Based Testing," ACM Transactions on Software Engineering and Methodology,Vol. 8, No. 4 (October,1999) - demonstrates existence of a hierarchy of fault classes that may be used to generate test more efficiently.  Others have extended the hierarchy based on more types of faults.
  • D. Ferraiolo and D.R. Kuhn, "Role Based Access Controls,'' PDF Proceedings, 15th Natl. Computer Security Conference, 1992, pp. 554–563. --- the early paper on role based access control; includes basic formal definition.  This was unified w/ Sandhu et. al (1996) to create the standard model for RBAC.

Professional activities:
  • Senior member of the Institute of Electrical and Electronics Engineers (IEEE) and IEEE Computer Society;
    member, Association for Computing Machinery (ACM).
  • Editorial board member and co-editor, Emerging Technologies & Standards Dept, IEEE Security & Privacy
  • Editorial board member, IEEE IT Professional; co-editor, IT Security column
  • Excellence in Technology Transfer Award, 2009, Federal Laboratory Consortium Mid-Atlantic Region. 
  • Best Standards Contribution, NIST/ITL, 2008
  • Best Journal Paper Award, NIST/ITL, 2007
  • Outstanding Authorship Award, NIST/ITL, 2003
  • Gold medal award for scientific/engineering achievement, U.S. Dept. of Commerce, 2002;
  • Excellence in Technology Transfer Award,1998, Federal Laboratory Consortium.
  • Bronze Medal, U.S. Dept. of Commerce, 1990;
  • Member, Beta Gamma Sigma honorary.
  • Patents: Implementation of Role Based Access Control in Multi-level Secure Systems. U.S. Patent #6,023,765.,
  • Past member of DARPA High Confidence Systems Working Group, IEEE Technical Committee on Operating Systems POSIX 1003.1, 1003.2 and 1201.2 working groups; and  President's National Security Telecommunications Advisory Committee/ Network Security Information Exchange
  • Past projects: development of software tools and conformance  test suites; methods for analyzing changes in formal specifications;  verification of cryptographic protocols; and the first formal definition of role based access control; IEEE POSIX working groups and developing parts of the POSIX Conformance Test Suite for IEEE 1003.1; and definition of software assurance requirements  for FIPS 140-1 (Security Requirements for Cryptographic Modules).

Combinatorial methods and software assurance

 L. S. Ghandehari, J. Czerwonka, Y. Lei, S. Shafiee, R. Kacker and R. Kuhn, An Empirical Comparison of Combinatorial and Random Testing". 3rd  Intl Workshop on Combinatorial Testing, Cleveland, OH, Mar. 2014. 

 R. Kuhn, R  Kacker and Y. Lei, "Estimating Fault Detection Effectiveness:,  (abstract/poster) 3rd  Intl Workshop on  Combinatorial Testing, Cleveland, OH, Mar. 2014.  

 J. Hagar, R. Kuhn, R. Kacker, T. Wissink, "Introducing Combinatorial Testing in a Large Organization: Pilot Project Experience  Report  (abstract/poster), 3rd  Intl Workshop on Combinatorial Testing, Cleveland, OH, Mar. 2014. 

 R.N. Kacker, D.R. Kuhn, J.F. Lawrence, Y. Lei. "Combinatorial testing for software: An adaptation of design of experiments",  Measurement, 46(9), 3745-3752.

 C. Price, R. Kuhn, R. Forquer, A. Lagoy, R. Kacker, “Evaluating the t-way Combinatorial Technique for Determining the  Thoroughness of a Test Suite”, NASA IV&V Workshop, 2013.

 D.R. Kuhn, I. Dominguez, R.N. Kacker and Y. Lei. "Combinatorial Coverage Measurement Concepts and Applications", 2nd Intl  Workshop on Combinatorial Testing, Luxembourg, IEEE, Mar. 2013.

 L. S. Ghandehari, M. N. Bourazjany, Yu Lei, R.N. Kacker and D.R. Kuhn, "Applying Combinatorial Testing  to the Siemens Suite", 2nd Intl Workshop on Combinatorial Testing, Luxembourg, IEEE, Mar. 2013.

 Mehra Nouroz Borazjany, Laleh Shikh Gholamhossein Ghandehari, Yu Lei, Raghu Kacker and Rick Kuhn. "An Input Space  Modeling Methodology for Combinatorial Testing", 2nd Intl Workshop on Combinatorial Testing, Luxembourg, IEEE, Mar. 2013.

 D.R. Kuhn, R.N. Kacker Measuring Combinatorial Coverage of System State-space for IV&V (extended abstract) NASA IV&V  Workshop, Sept 11-13, 2012 

 D.R. Kuhn, R.N. Kacker Measuring Combinatorial Coverage of System State-space for IV&V (extended abstract) NASA IV&V  Workshop, Sept 11-13, 2012

D.R. Kuhn, R.N. Kacker, Y. Lei. “Combinatorial Testing”.  Encyclopedia of Software Engineering, CRC Press, 2012
D.R. Kuhn, J.M. Higdon, J.F. Lawrence, R.N. Kacker, Y. Lei, “Efficient Methods for Interoperability Testing Using Event Sequences”, CrossTalk, The Journal of Defense Software Engineering -  July/Aug 2012
C. Montanez, D.R. Kuhn, M. Brady, R. Rivello, J. Reyes, M.K. Powers, “Evaluation of Fault Detection Effectiveness for Combinatorial and Exhaustive Selection of Discretized Test Inputs”,  Software Quality Professional  - June, 2012.
MN Borazjany, L Yu, Y Lei, R. Kacker and D.R. Kuhn. Combinatorial Testing of ACTS: A Case Study  FIrst Intl Workshop on Combinatorial Testing, April, 2012.
K Shakya, T Xie, N Li, Y Lei, R Kracker and D.R. Kuhn.  Isolating Failure-Inducing Combinations in Combinatorial Testing using Test Augmentation and Classification, FIrst Intl Workshop on Combinatorial Testing, April, 2012.
D.R. Kuhn, J. Higdon, J. Lawrence, R.N. Kacker and Y. Lei,  Combinatorial Methods for Event Sequence Testing, FIrst Intl Workshop on Combinatorial Testing, April, 2012.
V.C. Hu, D.R. Kuhn, T. Xie, J. Hwang, "Model Checking for Verification of Mandatory Access Control Models and Properties", Intl. J. of Software Eng. and Knowledge Eng., vol. 21, no. 1, 2011, pp. 103-127. - demonstrates use of combinatorial methods for testing access control rules.
Quantum cryptography Security and role based access control
  • R. Kuhn, "Cybersecurity", (guest editor intro), IEEE IT Professional, vol. 11, no. 4 (July/Aug 2010), pp. 18-19.
  • D.R. Kuhn, E.J. Coyne, T.R. Weil, "Adding Attributes to Role Based Access Control", IEEE Computer, June, 2010, pp. 79-81.
  • R. Kuhn, C. Johnson "Vulnerability Trends: Measuring Progress", IEEE IT Professional, vol. 11, no. 4 (July/Aug 2010), pp. 51-53.
  • S. Liu, R. Kuhn, "Data Loss Prevention", IEEE IT Professional, vol. 11, no. 2 (Mar/Apr  2010), pp. 10-13.
  • D.R. Kuhn, S. Liu,H. Rossman,  "Practical Interdomain Routing Security", IEEE IT Professional, vol. 11, no. 6 (Nov/Dec 2009), pp. 54-56.
  • S. Liu, D.R. Kuhn, H. Rossman,  "Understanding Insecure IT:  Practical Risk Assessment", IEEE IT Professional, vol. 11, no. 3 (May/Jun 2009), pp. 49-51. 
  • S. Liu, D.R. Kuhn, H. Rossman,  "Surviving Insecure IT:  Effective Patch Management", IEEE IT Professional, vol. 11, no. 2 (Mar/Apr 2009), pp. 49-51. 
  • D.R. Kuhn, H. Rossman, S. Liu, "Introducing Insecure IT", IEEE IT Professional, vol. 11, no. 1 (Jan/Feb 2009), pp. 24-26. - introductory column for the "Insecure IT" department in IT Pro. 

    V. Hu, D.R. Kuhn, T. Xie, "Property Verification for Generic Access Control Models",  IEEE/IFIP International Symposium on Trust, Security, and Privacy for Pervasive Applications, Shanghai, China, Dec. 17-20, 2008. - a method of using combinatorial testing with model checking to verify access control properties. 
  • D.F. Ferraiolo, R. Kuhn, R. Sandhu, "RBAC Standard Rationale:  comments on “A Critique of the ANSI Standard on Role Based Access Control'”, IEEE Security & Privacy,  vol. 5, no. 6 (Nov/Dec 2007).`
  • D.R. Kuhn. , “Feature Interactions and Data Privacy,” Workshop on Data Confidentiality, Sept 6-7, 2007, Arlington, VA.
  • V. Hu, D.R. Kuhn, D.F. Ferraiolo, “The Computational Complexity of Enforceability Validation for Generic Access Control Rules”, IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC2006)
  • K. Sriram, D. Montgomery, O. Kim, O. Borchert, D. R. Kuhn, "Autonomous System Isolation under BGP Session Attacks with RFD Exploitation", IEEE JSAC special issue on High-Speed Network Security. 2006
  • D.F. Ferraiolo, S. Gavrila, V. Hu, D.R. Kuhn, "Composing and Combining Policies Under the Policy Machine", Proc. SACMAT 2005, ACM.
  • D. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn,R. Chandramouli, " A Proposed Standard for Role Based Access Control ," ACM Transactions on Information and System Security , vol. 4, no. 3 (August, 2001) - draft of a consensus standard for RBAC.
  • D.F. Ferraiolo, J.F. Barkley, D.R. Kuhn, "A Role Based Access Control Model and Reference Implementation within a Corporate Intranet," ACM Transactions on Information and Systems Security, Vol.2, No. 1 (February, 1999). -- defines the NIST RBAC model, details theoretical results, and describes implementation concerns.
  • D.R. Kuhn, "Mutual Exclusion of Roles as a Means of Implementing Separation of Duty in Role Based Access Control Systems" Second ACM Workshop on Role Based Access Control, 1997. -- presents a number of results on separation of duty through mutual exclusion of roles, including theorems on necessary and sufficient conditions to ensure separation safety.
  • T. Phillips, T. Karygiannis, R. Kuhn, "Security Standards for the RFID Market",  IEEE Security & Privacy, vol. 3, no. 6, Nov/Dec, 2005.
  • T.J. Walsh, D.R. Kuhn, "Challenges in Securing Voice Over IP", IEEE Security & Privacy, vol. 3, no. 3, May/June, 2005.
  • R. Sandhu, D. Ferraiolo, R. Kuhn, "The NIST Model for  Role Based Access Control:  Towards a Unified Standard," (postscript)  (pdf )  Proceedings,  5th ACM Workshop on Role Based Access Control, July 26-27, 2000 - first public draft of proposal for an RBAC standard.
  • D.R. Kuhn, C. Dabrowski, T. Rhodes, "Software Standards," (invited) Encyclopedia of Electrical and Electronics Engineering, John Wiley & Sons, 1999. -- describes software standards and how to use them effectively in systems development.
  • S.A. Wakid, D.R. Kuhn, D.R. Wallace, "Toward Credible IT Testing and Certification "(pdf)  IEEE Software, Vol. 16, No. 4 (July, 1999) -- discusses cost-effective processes for software testing and certification by government and other certification organizations.
  • D.R. Kuhn, "Role Based Access Control on MLS Systems Without Kernel Changes," pdf   Third ACM Workshop on Role Based Access Control, October 22-23,1998. -- a novel combinatorial algorithm mapping hierarchical role structures to categories on MLS systems implementing mandatory access control, making it possible to implement RBAC structures without modifying OS kernel.
  • J.F. Barkley, D.R. Kuhn, L.S. Rosenthal, M.W. Skall, A.V. Cincotta, "Role Based Access Control for the Web," (HTML) CALS Expo International and 21st Century Commerce 1998: Global Business Solutions for the New Millenium. 
  • J.F. Barkley, A. Cincotta, D.F. Ferraiolo, S. Gavrilla, and D.R. Kuhn "Role Based Access Control for the World Wide Web", National Information Systems Security Conference, October, 1997.
  • D.F. Ferraiolo and D.R. Kuhn, "Future Directions in Role Based Access Control," (invited) Proceedings, First ACM Workshop on Role Based Access Control, ACM, 1996. -- discusses new roles for RBAC (pun intended)
  • D. Ferraiolo, J. Cugini, R. Kuhn, "Role Based Access Control: Features and Motivations," Proceedings, Annual Computer Security Applications Conference, IEEE Computer Society Press, 1995. -- elaborates the 1992 RBAC model to a level of detail suitable for building directly into an application
  • D.R. Wallace, D.R. Kuhn, L.M. Ippolito, and L. Beltracchi, "Standards for High Integrity Software ,'' Nuclear Safety, Vol. 35, No. 1, (Jan - June, 1994). --- compares assurance methods required by various standards for safety critical systems and secure systems.
  • D.R. Kuhn, P.N. Edfors, V. Howard, C. Caputo, T. Phillips, ``Improving Public Switched Network Security in an Open Environment,'' (invited) IEEE Computer, Vol. 26, No. 8 (August, 1993.) --- describes some government efforts to improve the security of the US public switched telephone network.
  • D. Ferraiolo and D.R. Kuhn, "Role Based Access Controls,'' PDF  Proceedings, 15th Natl. Computer Security Conference, 1992, pp. 554–563. --- the early paper on role based access control; includes basic formal definition.
  • D.R. Kuhn, "IEEE's POSIX "(pdf), IEEE Spectrum, Vol. 28, No. 12 (December, 1991.) --- explains the IEEE POSIX open system standards and how they can help make a component based software industry economically feasible.

  • Books and book chapters
  •  D.R. Kuhn, R.N. Kacker, Y. Lei, Introduction to Combinatorial Testing (book), CRC Press,  ISBN 1466552298, 2013.
  • R. Bryce, Y. Lei, D.R. Kuhn, R. Kacker, "Combinatorial Testing", Chap. 14, Handbook of Research on Software Engineering and Productivity Technologies: Implications of Globalization,  Ramachandran, ed. , IGI Global, 2009.
  • D.Ferraiolo, D.R. Kuhn, V. Hu, "Authentication, Authorization, Access Control, and Privilege Management", Wiley Handbook of Science and Technology for Homeland Security, 2008.
  • D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli, Role Based Access Control, 2nd edition (book), Artech House,  2007.
  • D.F. Ferraiolo, D.R. Kuhn, R. Chandramouli, Role Based Access Control (book), Artech House, 2003.
  • D.R. Kuhn,W.J. Majurski, W. McCoy, F. Schulz, "Open Systems Software Standards in Concurrent Engineering,'' (invited) in Control and Dynamic Systems - Concurrent Engineering Techniques and Applications, C.T. Leondes, ed., Academic Press, 1994. --- discusses open system standards and how they apply to concurrent engineering.
  • D.R. Kuhn, C. Dabrowski, T. Rhodes, "Software Standards"  Encyclopedia of Electrical and Electronics Engineering, John Wiley & Sons, 1999. -- describes software standards and how to use them effectively in systems development.

NIST Publications:

Various Presentations:

  • Software Fault Interactions
  • Quantum Cryptography Today and Tomorrow:  Or, How to Make and Break Quantum Cryptosystems
  • Security for Telecommuting and Broadband Communications
  • Toward Credible IT Testing and Certification
  • Education: