Carnegie Mellon University

Lujo Bauer

Dr. Lujo Bauer


5000 Forbes Avenue
Pittsburgh, PA 15213


Lujo Bauer is an Professor in the Electrical and Computer Engineering Department and in the Software and Societal Systems Department at Carnegie Mellon University. He received his B.S. in Computer Science from Yale University in 1997 and his Ph.D., also in Computer Science, from Princeton University in 2003.

Dr. Bauer's research interests span many areas of computer security and privacy, and include building usable access-control systems with sound theoretical underpinnings, developing languages and systems for run-time enforcement of security policies on programs, and generally narrowing the gap between a formal model and a practical, usable system. His recent work focuses on developing tools and guidance to help users stay safer online and in examining how advances in machine learning can lead to a more secure future.

Dr. Bauer served as the program chair for the flagship computer security conferences of the IEEE (S&P 2015) and the Internet Society (NDSS 2014) and is an associate editor of ACM Transactions on Information and System Security.


I do research on many aspects of computer security. I'm particularly interested in building usable access-control systems with sound theoretical underpinnings, and generally in narrowing the gap between a formal model and a usable system. Key terms: proof-carrying authorization, distributed access control, program monitors, security automata, languages for specifying security policies, usable security.


Adversarial Machine Learning: Machine learning (ML) algorithms are becoming ubiquitous; they're used in applications from playing chess and predicting the weather to cancer diagnosis and self-driving cars. In this project we first try to understand how robust ML algorithms are in the face of an adversary. Specifically, we study whether an adversary can fool ML classifiers in practical settings without arousing the suspicion of a human

Information-flow control in modern app ecosystems: Modern app platforms (e.g., mobile OSes, web browsers, desktop OSes with app markets) control apps through sandboxing and permission systems, but this often fails to stop information leaks, privilege escalation, and other undesired behavior. This project aims to secure such platforms via information-flow control mechanisms; research ranges from developing new theory to implementing running prototypes on Android and Chromium.

Secure digital home / access control for non-security-experts: This collection of projects explores architectures, mechanisms, and interfaces for helping users manage access control in the digital home of the future and on online social networks. Recent research includes investigating new ways of specifying access-control policies (e.g., reactively, and via metadata-based policy rules), and using machine learning to help users specify security policies and privacy preferences.

PasswordsAlthough they are often insecure and inconvenient, passwords aren't quite about to disappear. This project's goal is to help users create passwords that are easy for them to remember, but hard for attackers to guess. We work towards this goal by trying to deeply understand the password-creation process and the security of the resulting passwords, including by investigating the effects of password-composition policies and password meters on the security and usability of passwords, and by studying metrics for quantifying password strength.

Grey: An experiment to create a universal and highly secure access-control device via software extensions to off-the-shelf "smart phones". Grey builds from formal techniques for proving authorization that assure sound access decisions and that permit virtually unlimited flexibility in the policies that can be implemented.