R E S U M E
`
`RICHARD ALLEN KEMMERER
`
`PERSONAL INFORMATION
`
`Residence:
`
`Date of Birth:
`Place of Birth:
`Marital Status:
`
`EDUCATION
`
`5452 Parejo Drive
`Santa Barbara, CA 93111
`November 17, 1943
`Allentown, Pennsylvania
`Married, two children
`
`Ph.D. Computer Science, University of California, Los Angeles, California, 1979
`
`M.S.
`
`Computer Science, University of California, Los Angeles, California, 1976
`
`B.S. Mathematics, Pennsylvania State University University Park, Pennsylvania, 1966
`
`RESEARCH INTERESTS
`
`Specification and verification of systems
`Computer system security and reliability
`Programming and specification language design
`Software engineering
`Secure Mobile Computing
`
`PROFESSIONAL EXPERIENCE
`
`7/06 - Present:
`
`Leadership Professor Endowed Chair, Department of Computer Science, University
`of California, Santa Barbara
`
`7/93 - 6/97:
`
`Chair, Department of Computer Science, University of California, Santa Barbara
`
`7/89 - Present:
`
`Professor, Department of Computer Science, University of California, Santa Barbara
`
`7/85 - 6/89:
`
`9/85 - 5/86:
`
`7/79 - 6/85:
`
`Associate Professor, Department of Computer Science, University of California,
`Santa Barbara
`
`Visiting Scientist, Laboratory for Computer Science, Massachusetts Institute of
`Technology, Cambridge, Massachusetts
`
`Assistant Professor, Department of Computer Science, University of California,
`Santa Barbara
`
`7/79 - Present:
`
`System security specification and verification consultant.
`
`Consulting on enhancements to formal verification tools and the specification and
`verification of secure systems.
`
`2/77 - 6/79:
`
`Computer Science Department, UCLA
`
`Research Assistant sponsored by the Advanced Research Projects Agency of the
`Department of Defense, with the Computer Science Department. This research was
`concerned with the formal verification of the UCLA Secure Unix Operating System
`and formed the basis of my dissertation.
`
`11/74 - 1/77:
`
`Computer Science Department, UCLA
`
`Programmer for the Department of Computer Science at UCLA. Responsibilities
`included the design, implementation, checkout, and documentation of computer net-
`work simulators to test various network topologies and queuing systems.
`
`-1-
`
`

`
`Resum ´e
`
`R.A. Kemmerer
`
`1/70 - 9/72:
`
`Institute of Transportation and Traffic Engineering, UCLA
`
`Computer Services Manager for ITTE at UCLA. Supervised the programming staff
`of approximately twenty people. Responsibilities were outlining the general nature
`of tasks to be performed by the programming staff, planning of programming sys-
`tems, and assisting in proposal preparations in the areas of computer use and pro-
`gramming requirements.
`
`1/67 - 1/70:
`
`Autonetics, Division of Rockwell International, Anaheim,
`
`California
`
`Lead Engineer for Minuteman II and Minuteman III inertial navigation computer
`programs. Responsibilities were generating computer program requirements, and
`designing, implementing, and documenting computer routines. Additional software
`experience included using machine and assembly level languages for real-time,
`online, and scientific applications.
`
`MEMBERSHIPS
`
`ACM Association for Computing Machinery
`IEEE Institute of Electrical and Electronics Engineers
`IEEE/CS Computer Society of IEEE
`IEEE Technical Committee on Security and Privacy, Vice Chairman, 1983-84
`IEEE Technical Committee on Security and Privacy, Chairman, 1985-87
`IACR International Association of Cryptologic Research
`IFIP Working Group 11.3 on Database Security
`
`HONORARIES AND FELLOWSHIPS
`
`Alpha Phi Omega: National Honorary Mathematics Society
`Upsilon Pi Epsilon: Computer Science National Honor Society
`IBM Predoctoral Fellowship
`Outstanding Professor, Department of Computer Science 1981-1982
`Outstanding Professor, University of California, Santa Barbara 1983-1984
`Speaker, Naval Postgraduate School Distinguished Speaker Series 1990
`Speaker, University of California, San Diego Distinguished Lecture Series 1991
`Fellow, IEEE Institute of Electrical and Electronics Engineers 1995
`Fellow, Association for Computing Machinery 1997
`Ke ynote speaker, First IEEE International Conference on Formal Engineering Methods 1997
`Speaker, FAA Software Engineering Distinguished Lecture Series 1998
`Ke ynote speaker, Fourth International Conference on Achieving Quality in Software 1998
`Ke ynote speaker, System Design and Management (SD&M) Internet Conference 1999
`IEEE/CS Meritorious Service Award 2001
`Speaker, University of Massachusetts Amherst, Distinguished Lecture Series 2002
`Speaker, Georgia Tech Information Security Center, Distinguished Lecture Series 2002
`IEEE Golden Core Award 2002
`Speaker, Michigan State University Computer Science and Engineering, Distinguished Lecture Series 2003
`Speaker, University of California, Irvine, Institute for Software Research, Distinguished Lecture Series 2003
`Ke ynote speaker, International Conference on Information Technology 2004
`Ke ynote speaker, NAT O Symposium on Adaptive Defence in Unclassified Networks 2004
`Speaker, University of Illinois at Urbana-Champaign Information Trust Institute Distinguished Seminar Series 2005
`Speaker, University of California, Irvine, Bren School of ICS, Ted and Janice Smith Distinguished Lecture Series 2005
`Ke ynote speaker, Fifth Brazilian Symposium on Information and Computer System Security, Florianopolis, Brazil, 2005
`Ke ynote speaker, 20th IEEE/ACM International Conference on Automated Software Engineering, Long Beach, CA, 2005
`Ke ynote speaker, International Conference on Emerging Trends in Information and Communication Security,
`Freiburg, Germany, 2006
`Distinguished Lecture Series speaker (four lectures), University of Lugano, Lugano, Switzerland, 2006
`Distinguished Practitioner Award, 23rd Annual Computer Security Applications Conference, Miami, FL, 2007
`Ke ynote speaker, Fourth Annual Cyber Security and Information Intelligence Research Workshop, Oak Ridge, TN, 2008
`Ke ynote speaker, Sixth Conference on Detection of Intrusions and Malware & Vulnerability Assessment, Como, Italy, 2009
`
`-2-
`
`

`
`Ke ynote speaker, International Symposium on Software Testing and Analysis, Chicago, IL, 2009
`Ke ynote speaker, 11th International Conference on Information and Communication Security, Beijing, China, 2009
`Speaker, University of Calgary, Calgary, Canada, ISPIA Distinguished Lecture Series, 2010
`Speaker, Kansas State University, Computer and Information Science Department, Distinguished Lecture Series 2011
`Ke ynote speaker, 27th IEEE International Conference on Software Maintenance, Williamsburg, VA, 2011
`Ke ynote speaker, 7th Future Security Conference, Bonn, Germany, 2012
`Ke ynote speaker, 20th Network and Distributed Systems Security Symposium, San Diego, CA, 2013
`
`RESEARCH GRANTS
`
`NSF Grant ECS81-06688, "Research Initiation: A Specification Language for Reliable Software,"
`July 1, 1981 through December 31, 1983 ($48,000.00).
`
`University of California Instructional Improvement Grant, "A Symbolic Executer for Pascal," 1981
`($2,600.00).
`
`Italy Cooperative Science Program Travel Grant, (with Dino Mandrioli, Isti-
`-
`CNR United States
`tuto di Elettrotecnica ed Elettronica, Milano, Italy) "Formal Tools for Evaluating Real-time System
`Performance", 1982 ($5,000.00).
`
`Digital Equipment Corporation External Research Grant, "Security Kernel Verification Project",
`October 17, 1982 through June 30, 1984 ($252,000.00).
`
`University of California Opportunity Funds Grant (with Paul Eggert), "Establishing a Research Pro-
`gram in Formal Verification of Secure Systems," November 22, 1982 through June 30, 1983
`($6,000.00).
`
`University of California Instructional Improvement Grant, "Enhancements to Unisex - A Unix
`Symbolic Executer," 1983 ($2,183.00).
`
`Digital Equipment Corporation External Research Grant, "Formal Verification Program," July 1,
`1983 through December 31, 1983 ($14,436.00).
`
`Microelectronics Innovation and Computer Research Opportunities/System Development Corpora-
`tion, "A Formal Specification Testing System," September 1, 1983 through August 31, 1984
`($48,451.00).
`
`University of California Instructional Improvement Grant, "Adding Pointers to Unisex - A Unix
`Symbolic Executor," 1984 ($2,530.00).
`
`Digital Equipment Corporation External Research Grant, "Security Kernel Verification," July 1, 1984
`through June 30, 1985 ($200,000.00).
`
`U.S. Army MDA904-84-C-6030 "Verification Assessment," August 27, 1984 through June 30, 1986
`($296,285.00).
`
`Microelectronics Innovation and Computer Research Opportunities/System Development Corpora-
`tion, "A Formal Specification Testing System," September 1, 1984 through August 31, 1985
`($49,480.00).
`
`National Security Agency OCREAE grant MDA904-87-H-2005, "A Specification Language and
`Proof Methodology for Formally Verifying Real-Time Systems," January 28, 1987 through January
`27, 1989 ($101,592.00).
`
`Microelectronics Innovation and Computer Research Opportunities/UNISYS, "Formal Verification
`Techniques for Analyzing Encryption Protocols," September 1, 1987 through August 31, 1989
`($38,503.00).
`
`National Computer Security Center grant MDA904-88-C-6006, "Software Security Risk Analysis,"
`July 1, 1988 through June 30, 1992 ($279,165.00).
`
`-3-
`
`

`
`Microelectronics Innovation and Computer Research Opportunities/Ford Aerospace, "Using Non-
`monotonic Logics as a Basis for Modeling Security," July 1, 1989 through June 30, 1990
`($59,528.00).
`
`NSF grant CCR-9204249, "An ASTRAL-based Support Environment for Formal Software Develop-
`ment of Realtime Systems," July 1, 1992 through June 30,1995 ($189,091.00).
`
`Information Security University Research Program grant
`National Security Agency
`MDA904-92-C-5149, "Testing Formal Specifications," July 27,1992 through July 26, 1994
`($119,944.00).
`
`NSF/ARPA/NASA grant IRI94-11330, "The Alexandria Project: Tow ards a Distributed Digital
`Library with Comprehensive Services for Images and Spatially Referenced Information," Investigator
`on a multi-PI award, September 1, 1994 through August 31, 1998 ($4,000,000.00).
`
`NSF Software Capitalization Supplement to grant CCR-9204249, for tool distribution, June 16, 1995
`($20,953.00).
`
`Microelectronics Innovation and Computer Research Opportunities/Digital Sound Corporation,
`"Security in Distributed Environments," July 1, 1995 through June 30, 1996 ($42,860.00).
`
`SUN Microsystems Laboratories, Inc., "Network Intrusion Detection Tool," January 1, 1996 through
`December 31, 1996 ($35,000.00).
`
`Microelectronics Innovation and Computer Research Opportunities/Digital Sound Corporation,
`"Security in Distributed Environments," July 1, 1996 through December 31, 1997 ($37,704.00).
`
`DARPA grant F30602-97-1-0207, "A Model-based Real-time Intrusion Detection System for Large
`Scale Heterogeneous Networks," July 1, 1997 through June 30, 2000 ($498,356.00).
`
`Microelectronics Innovation and Computer Research Opportunities/Digital Sound Corporation,
`"Secure Web Browsers," July 1, 1997 through December 31, 1998 ($39,796.00).
`
`Data General Corporation Grant, "Research in Operating Systems Security," 1997 ($25,000.00).
`
`Argonne National Laboratories, "Research on Reverse Engineering," April 1, 1998 through March
`31, 1999 ($25,469.00).
`
`DARPA grant addition to F30602-97-1-0207, "NetSTAT : A Network-based State Transition Analysis
`Tool for Analyzing Large Scale Heterogeneous Networks," July 1, 1998 through December 31, 1999
`($276,640.00).
`
`Microelectronics Innovation and Computer Research Opportunities/PulsePoint Communications,
`"Using Safe Areas of Computation to Improve Internet Security," July 1, 1998 through December 31,
`1999 ($41,065.00).
`
`Department of Defense University Research Program grant MDA904-98-C-A891, "A Formal Lan-
`guage for State Transition Representation of Scenarios in Intrusion Detection Systems," August 1998
`through August 2000 ($152,919.00).
`
`NSF grant, "The Alexandria Digital Earth Prototype," Investigator on a multi-PI award, April 1999
`through March 2004 ($5,400,000.00).
`
`Microelectronics Innovation and Computer Research Opportunities/PulsePoint Communications,
`"Using Safe Areas of Computation to Improve Internet Security," July 1, 1999 through December 31,
`2000 ($54,000.00).
`
`Xerox Corporation Grant, "Security Solutions for External Access of Firewall Protected Data," 1999
`($20,000.00).
`
`Microelectronics Innovation and Computer Research Opportunities/PulsePoint Communications and
`Xerox Corporation, "Using Safe Areas of Computation to Improve Internet Security," July 1, 2000
`
`-4-
`
`

`
`through December 31, 2001 ($85,438.00).
`
`Army Research Laboratory grant DAAD19-01-1-0484, "Hi-DRA: High-speed, Wide-area Network
`Detection, Response, and Analysis," May 1, 2001 through June 30, 2006 ($4,283,526.00).
`
`DARPA grant addition to F30602-97-1-0207, "NetSTAT : A Network-based State Transition Analysis
`Tool for Analyzing Large Scale Heterogeneous Networks," May 1, 2001 through March 31, 2002
`($250,000.00).
`
`DARPA grant addition to F30602-97-1-0207, "NetSTAT : A Network-based State Transition Analysis
`Tool for Analyzing Large Scale Heterogeneous Networks," March 1, 2002 through December 31,
`2002 ($60,000.00).
`
`NSA, "Graphical Compiler for State Transition Analysis Technique," September 1, 2002 through
`August 31, 2004 ($46,437.00).
`
`NSF, "Using Structural and Behavioral Models to Detect Malware," October 2006 through Septem-
`ber 2008 ($235,000.00).
`
`California SoS, "Accessibility and Usability Testing of Voting Systems," June 2007 through July
`2007 ($100,300.00).
`
`NSF, "Modeling and Analyzing Trust in Service-Oriented Architectures," September 2007 through
`August 2010 ($850,002.00).
`
`NSF, "Understanding the Underground Economy," October 2008 through September 2011
`($199,994.00).
`
`"Analyzing
`NSF,
`($1,197,306.00).
`
`the Underground Economy," September 2009
`
`through August 2012
`
`Army Research Office MURI grant W911NF-09-1-0553, "A Cyber Awareness Framework for Attack
`Analysis, Prediction, and Visualization," October 2009 through September 2014 ($6,250,000.00).
`
`NATIONAL AND INTERNATIONAL SERVICE
`
`Organization Committee, IEEE Workshop on Communications Security, sponsored by the Data and
`Communications Committees of the IEEE Communications Society, Santa Barbara, California,
`August 1981.
`
`Western Area Committee of IEEE Computer Society, 1981-86, Vice Chairman Technical Activities,
`1983/84.
`
`Program Committee, Workshop on Effectiveness of Testing and Proving Methods, sponsored by the
`IEEE Computer Society, Avalon, California, May 1982.
`
`Organization Committee, Workshop on the Theory and Application of Cryptographic Techniques,
`sponsored by the IEEE Information Theory Group and the IEEE Communications Society, Santa
`Barbara, California, August 1982.
`
`Invited full-time participant at the National Academy of Science Air Force Studies Board Summer
`Study Session on Multi-Level Secure Database Management Systems, 1982 (final report "Multilevel
`Data Management Security," National Academy Press, 1983).
`
`Program Committee, Seventh International Conference on Software Engineering, sponsored by Sig-
`soft ACM, National Bureau of Standards and IEEE Computer Society, Orlando, Florida, March 1984.
`
`Organization Committee, CRYPTO 84, Workshop on Cryptographic Techniques, sponsored by the
`International Association for Cryptologic Research, Santa Barbara, California, August 1984.
`
`-5-
`
`

`
`DoD Task Force on Secure Ada, 1984.
`
`Organization Committee, Third Workshop on Formal Verification, February 1985.
`
`Advisory Board for the ACM’s Special Interest Group on Security, Audit, and Control, September
`1985 through January, 1992.
`
`National Computer Security Center Formal Verification Working Group (formerly the Formal Verifi-
`cation Panel), since February 1986.
`
`Invited participant at the Office of Technology Assessment workshop on SDI Software, January
`1987.
`
`Member of the National Academy of Science National Research Council Committee on Computer
`Security in the DOE, January 1987 through June 1988 (final report "Computer Security in the
`Department of Energy’s Classified Environment," National Academy Press, 1988).
`
`Invited Participant in the Computer Security Curricula Workshop sponsored by the National Com-
`puter Security Center, June 1987.
`
`Member National Institute of Standards and Technology (formerly NBS) Computer and Telecommu-
`nications Council since December 1987.
`
`Program Committee, 1988 IEEE Symposium on Security and Privacy, Oakland, California, April
`1988.
`
`Member of the DOE/Los Alamos National Laboratory Integrated Computing Network Study Team
`June 1988 through July 1989.
`
`Invited Participant in the SDI Software Testing and Evaluation Workshop sponsored by the Institute
`for Defense Analysis, September 1988.
`
`Program Committee, Eleventh National Computer Security Conference, Baltimore, Maryland, Octo-
`ber 1988.
`
`Program Committee, Eleventh International Conference on Software Engineering, Pittsburgh, Penn-
`sylvania, March 1989.
`
`Program Committee, 1989 IEEE Symposium on Security and Privacy, Oakland, California, May
`1989.
`
`Member of the Editorial Board of the IEEE Transactions on Software Engineering, February 1989
`through December 1999.
`
`Member of the National Academy of Science Computer Science and Technology Board’s System
`Security Study Committee, from February 1989 through June 1991 (final report "Computers at Risk:
`Safe Computing in the Information Age," National Academy Press 1991).
`
`Invited Participant in the Formal Methods Workshop, FM89, sponsored by the U.S., Canadian, and
`United Kingdom governments, Halifax, Nova Scotia, July 1989.
`
`Invited Participant in the Workshop on Directions in Software Analysis and Testing sponsored by the
`Office of Naval Research, August 1989.
`
`Invited participant in the Formal Methods and Software Engineering Workshop sponsored by the
`National Computer Security Center, Linthicum, Maryland, October 1989.
`
`Program Chair, TAV3/SIGSOFT89 -- Testing, Analysis, and Verification Symposium, Key West,
`Florida, December 1989.
`
`Invited Participant in the DARPA Formal Methods Transition Workshop sponsored by the Defense
`Advanced Research Projects Agency, Arlington, Virginia, February 1990.
`
`-6-
`
`

`
`Program Committee, Twelfth International Conference on Software Engineering, Nice, France,
`March 1990.
`
`Invited Participant at the Mathematical Concepts of Dependable Systems meeting sponsored by the
`Mathematisches Forschunginstitut Oberwolfach, Oberwolfach, Germany, April 1990.
`
`NSF Formal Methods in Software Engineering Review Panel, Reston, Virginia, May 1990.
`
`Program Committee, European Symposium on Research in Computer Security, ESORICS 90,
`Toulouse, France, October 1990.
`
`Member of review panel for the Department of Interior’s Natural Resources Damage Assessment
`Model, Washington, D.C., February 1991.
`
`Member of the External Core Review Panel for the Naval Research Laboratory’s Basic Research Pro-
`gram, Washington, D.C., February 1991.
`
`Program Committee, Thirteenth International Conference on Software Engineering, Austin, Texas,
`May 1991.
`
`Program Committee, 1991 IEEE Symposium on Research in Security and Privacy, Oakland, Califor-
`nia, May 1991.
`
`Program Committee, Fifth International Conference on the Technology of Object-Oriented Lan-
`guages and Systems, Santa Barbara, California, August 1991.
`
`Invited Participant in the Formal Methods Workshop, FM91, sponsored by the U.S., Canadian, and
`United Kingdom governments, Drymen, Scotland, September 1991.
`
`Member of the National Academy of Science Aeronautical and Space Engineering Board’s Commit-
`tee for Review of Oversight Mechanisms for Space Shuttle Flight Software Processes, January 1992
`through October 1993 (final report "An Assessment of Space Shuttle Flight Software Development
`Process," National Academy Press 1993).
`
`Program Co-Chair, 1992 IEEE Symposium on Research in Security and Privacy, Oakland, California,
`May 1992.
`
`Program Committee, Fourteenth International Conference on Software Engineering, Melbourne,
`Australia, May 1992.
`
`Member of the Editorial Board of ACM Computing Surveys, July 1992 through April 1996.
`
`Program Committee, Third IFIP Working Conference on Dependable Computing for Critical Appli-
`cations, Mondello, Sicily, Italy, September 1992.
`
`Program Committee, 15th National Computer Security Conference, Baltimore, Maryland, October
`1992.
`
`Program Committee, Eighth Annual Computer Security Applications Conference, San Antonio,
`Te xas, December 1992.
`
`Expert Consultant for the Nuclear Regulatory Commission’s Advisory Committee on Nuclear Reac-
`tor Safety February 1993 through February 1995.
`
`NSF National Young Investigator Review Panel, Washington, DC, April 1993.
`
`Program Co-Chair, 1993 IEEE Symposium on Research in Security and Privacy, Oakland, California,
`May 1993.
`
`Member of the BMD Trusted Software Methodology Peer Review Panel, Vero Beach, Florida, Octo-
`ber 1993.
`
`-7-
`
`

`
`Invited Participant, Security Architecture and Separation Kernels Workshop, sponsored by the
`National Security Agency, Fort Meade, Maryland, March 1994.
`
`Program Committee, Sixteenth International Conference on Software Engineering, Sorrento, Italy,
`May 1994.
`
`Program Committee, Features Interaction Workshop, Amsterdam, the Netherlands, May 1994.
`
`Program Committee, International Symposium on Software Testing and Analysis, Seattle, Washing-
`ton, August 1994.
`
`Program Committee, Fifth European Software Engineering Conference, Barcelona Spain, September
`1995.
`
`Program Committee, Third International Workshop on Feature Interactions in Telecommunications
`Software Systems, Kyoto, Japan, October 1995.
`
`Member of the National Academy of Science Computer Science Telecommunications Board’s Com-
`mittee on Maintaining Privacy and Security in Health Care Applications of the National Information
`Infrastructure, September 1995 through December 1996 (final report "For the Record: Protecting
`Electronic Health Information," National Academy Press, 1997).
`
`Editor-in-Chief, IEEE Transactions on Software Engineering, January 1996 through December 1999.
`
`Invited Participant, Isaac Newton Institute Research Program on Computer Security, Cryptology and
`Coding Theory, Cambridge University, Cambridge, England, April through May 1996.
`
`Program Committee, ICSE 97 International Conference on Software Engineering, Boston, Mas-
`sachusetts, May 1997.
`
`Member of the National Academy of Science Computer Science Telecommunications Board’s Com-
`mittee on the Review of Programs for Command, Control, Communication, Computers, and Intelli-
`gence (C4I) in the Department of Defense, June 1997 through February 2000 (final report "Realizing
`the Potential of C4I: Fundamental Challenges," National Academy Press, 1999).
`
`Program Committee, Sixth European Software Engineering Conference, Zurich, Switzerland,
`September 1997.
`
`Program Co-chair, ICSE 98 International Conference on Software Engineering, Kyoto, Japan, April
`1998.
`
`Member, IEEE/CS Fellow Evaluation Committee, 1999.
`
`Program Committee, ICSE 00 International Conference on Software Engineering, Limerick, Ireland,
`June 2000.
`
`Member, IEEE/CS Fellow Evaluation Committee, 2000.
`
`Program Committee, ICSE 01 International Conference on Software Engineering, Toronto, Ontario,
`Canada, May 2001.
`
`Member, IEEE Computer Society Board of Governors, 2001-2003.
`
`Member, IEEE Computer Society Audit Committee, 2001.
`
`Member, IEEE/CS Fellow Evaluation Committee, 2001.
`
`Program Committee, International Symposium on Recent Advances in Intrusion Detection (RAID
`2001), Davis, California, September 2001.
`
`Member, NSF/CISE Advisory Board, 2002-2004.
`
`Vice Chair, IEEE Computer Society Publications Board, 2002.
`
`-8-
`
`

`
`Program Committee, International Symposium on Recent Advances in Intrusion Detection (RAID
`2002), Zurich, Switzerland, September 2002.
`
`Program Committee, 9th ACM Conference on Computer and Communications Security (CCS02),
`November 2002.
`
`Member, Microsoft Trustworthy Computing Academic Advisory Board, 2002-2010.
`
`Member, DARPA Independent Assessment Team for DARPA Dem/Val project, September 2002
`through December 2004.
`
`Program Committee, Twenty Fifth International Conference on Software Engineering (ICSE03),
`Portland, Oregon, May 2003.
`
`Program Committee, 2003 IEEE Symposium on Research in Security and Privacy, Oakland, Califor-
`nia, May 2003.
`
`Member, IEEE/CS Fellow Evaluation Committee, 2003.
`
`Program Committee, 2003 USENIX Security Symposium, August 2003.
`
`Program Committee, International Symposium on Recent Advances in Intrusion Detection (RAID
`2003), Pittsburgh, Pennsylvania, September 2003.
`
`Vice President, IEEE Computer Society, 2004.
`
`Chair, IEEE Computer Society Chapter Activity Board, 2004.
`
`Program Committee, 2004 IEEE Symposium on Research in Security and Privacy, Oakland, Califor-
`nia, May 2004.
`
`Program Committee, AusCERT2004 Asia Pacific Information Technology Security Conference,
`Gold Coast, Australia, May 2004.
`
`Member, IEEE Computer Society Board of Governors, 2005-2007.
`
`Member, IEEE/CS Nominations Committee, 2005.
`
`Program Committee, Twenty Seventh International Conference on Software Engineering (ICSE05),
`Saint Louis, Missouri, May 2005.
`
`Program Committee, Software Engineering for Secure Systems (SESS05), Saint Louis, Missouri,
`May 2005.
`
`Program Committee, AusCERT2005 Asia Pacific Information Technology Security Conference,
`Gold Coast, Australia, May 2005.
`
`Program Committee, Twenty Eighth International Conference on Software Engineering (ICSE06),
`Shanghai, China, May 2006.
`
`Program Committee, AusCERT2006 Asia Pacific Information Technology Security Conference,
`Gold Coast, Australia, May 2006.
`
`Program Committee, 2006 IEEE Symposium on Research in Security and Privacy, Oakland, Califor-
`nia, May 2006.
`
`Program Committee, Fourteenth Annual Network & Distributed System Security Symposium, San
`Diego, California, February 2007.
`
`Invited Participant, Second Workshop of the EU/US Summit Series on Cyber Trust: System Depend-
`ability Security, Monticello, IL, April 2007 (sponsored by the EU and the DoD).
`
`Program Committee, AusCERT2007 Asia Pacific Information Technology Security Conference,
`Gold Coast, Australia, May 2007.
`
`-9-
`
`

`
`Program Committee, Twenty Ninth International Conference on Software Engineering (ICSE07),
`Minneapolis, Minnesota, May 2007.
`
`External Review Committee, Computer Science Department at the Naval Post Graduate School,
`September 2007.
`
`Program Committee, International Symposium on Recent Advances in Intrusion Detection (RAID
`2007), Gold Coast, Australia, September 2007.
`
`Organizer, Dagstuhl Network Attack Detection and Defense Workshop, Dagstuhl, Germany, Febru-
`ary 2008.
`
`Invited Participant, Cyber Security Research Roadmap Workshop, Menlo Park, CA, March 2008
`(sponsored by the Department of Homeland Security).
`
`Program Committee, ACM Symposium on Information, Computer and Communications Security
`(ASIACCS’08), Tokyo, Japan, March 2008.
`
`Member, IEEE/CS Fellow Evaluation Committee, 2009.
`
`Program Committee, 6th International Workshop on Visualization for Cyber Security (VizSec09),
`Atlantic City, NJ, October 2009.
`
`Program Committee, The 14th Nordic Conference on Secure IT Systems (NordSec09), Oslo, Norway
`, October 2009.
`
`Invited Participant, ISAT Black Cloud Workshop, Berkeley, CA, January 2010 (sponsored by
`DARPA).
`
`Member, IEEE/CS Fellow Evaluation Committee, 2010.
`
`"Covert Channels: Detection, Analysis, and Characterization," invited talk and panelist, IEEE Inter-
`national Conference on Technologies for Homeland Security, Waltham, MA, November 2010.
`
`Member, IEEE/CS Fellow Evaluation Committee, 2011.
`
`"Designed-in Security: Some Major Challenges," invited panelist at the NITRD: Federal Cyber-Secu-
`rity R&D Strategic Plan Conference, Oakland, CA, May 2011
`
`Program Committee, 6th USENIX Workshop on Hot Topics in Security (HotSec’11), San Francisco,
`CA, August 2011.
`
`PUBLICATIONS
`
`"Assignments and Predicates in KalKan," Fourth International Conference on the Implementation of
`Algorithmic Languages, Courant Institute of New York University, New York, N.Y., June 1976 (with
`P. Eggert, M. Hall and R. Uzgalis).
`
`"A SIMULA 67 Debugging System," Fourth International Conference on the Implementation of
`Algorithmic Languages, Courant Institute of New York University, New York, N.Y., June 1976.
`
`"An Experience in Group Structured and Modular Programming: Conclusions and Recommenda-
`tions," International Symposium on Methodologies for the Design and Construction of Software and
`Hardware Systems, Pontifica Universidade Catolica do Rio de Janeiro, Rio de Janeiro, Brazil, July
`1976 (with D.M. Berry, I.M. Campos, R.P. Hooper, M.A. Kampe and M.L. Rhodes).
`
`"The Need for a Dynamic MIL," Tenth Annual Hawaii International Conference on System Sciences,
`Honolulu, Hawaii, January 1977.
`
`"Formal Verification of the UCLA Security Kernel: Abstract Model, Mapping Functions, Theorem
`Generation, and Proofs," Ph.D. Dissertation, UCLA, Los Angeles, California, June 1979.
`
`-10-
`
`

`
`"Tow ards Modular Verifiable Exception Handling," Journal of Computer Languages, Vol. 5, pp.
`77-101, Pergamon Press, Ltd., 1980 (with D.M. Berry, A. von Staa and S. Yemini).
`
`"Specification and Verification of the UCLA Security Kernel," Presented at the 7th Symposium on
`Operating Systems Principles, December 1979; Communications of the ACM, Vol. 23, No. 2, Febru-
`ary 1980 (with B. Walker and G.J. Popek).
`
`"Retrospective: Verification Experiences with the UCLA Operating System Kernel," position paper
`at the Workshop on Formal Verification, SRI, Menlo Park, California, April 1980 (with B.J. Walker
`and G.J. Popek). Also appeared in Software Engineering Notes, Vol. 5, No. 3, July 1980.
`
`"Applications of SDC’s Formal Development Methodology," position paper at the Workshop on For-
`mal Verification, SRI, Menlo Park, California, April 1980 (with M. Schaefer). Also appeared in Soft-
`ware Engineering Notes, Vol. 5, No. 3, July 1980.
`
`"FDM - A Specification and Verification Methodology," Third Seminar on the Department of
`Defense Security Initiative, National Bureau of Standards, Gaithersburg, Maryland, November 1980.
`
`"Status Report on SDC’s Formal Development Methodology," position paper at the Second Work-
`shop on Formal Verification, National Bureau of Standards, Gaithersburg, Maryland, April 1981.
`Also appeared in Software Engineering Notes, Vol. 6, No. 3, July 1981.
`
`"A Practical Approach to Identifying Storage and Timing Channels," IEEE Symposium on Security
`and Privacy, Oakland, California, April 1982.
`
`"Finding Errors Using Formal Specification and Verification," Workshop on the Effectiveness of
`Testing and Proving Methods, Avalon, California, May 1982.
`
`"Testing Formal Specifications", Fourth Convention on Quality Assurance, Herzlia, Israel, October
`1982.
`
`"SDC Secure Release Terminal Project," IEEE Symposium on Security and Privacy, Oakland, Cali-
`fornia, April 1983 (with T. Hinke and J. Althouse).
`
`"Shared Resource Matrix Methodology: An Approach to Identifying Storage and Timing Channels",
`ACM Transactions on Computer Systems, Vol. 1, No. 3, August 1983.
`
`"Testing Formal Specifications to Detect Design Errors," IEEE Transactions on Software Engineer-
`ing, Vol. SE-11, No. 1, January 1985.
`
`"INATEST: an Interactive Environment for Testing Formal Specifications," Third Workshop on For-
`mal Verification, Pajaro Dunes, California, February 1985 (with S. Eckmann). Also appeared in Soft-
`ware Engineering Notes, Vol. 10, No. 4, August 1985.
`
`"UNISEX: A UNIx-based Symbolic EXecutor for Pascal," Software Practice and Experience, Vol.
`15, No. 5, May 1985 (with S. Eckmann).
`
`"Complexity Measures for Assembly Language Programs," The Journal of Systems and Software,
`Vol. 5, No. 3, August 1985 (with D. Blaine).
`
`"Procedural and Nonprocedural Semantics of the ASLAN Formal Specification Language," Nine-
`teenth Annual Hawaii International Conference on System Sciences, Honolulu, Hawaii, January 1986
`(with B. Auernheimer).
`
`"Analyzing Encryption Protocols Using Formal Verification Techniques," Eurocrypt 86, Linkoping,
`Sweden, May 1986.
`
`"Testing Formal Specifications and the Inatest System," Software Testing Systems Workshop, Uni-
`versity of Bremen, Bremen Germany, also appeared in Softwaretechnik Trends, June 1986.
`
`"RT-ASLAN: A Specification Language for Real-Time Systems," IEEE Transactions on Software
`Engineering, Vol. SE-12, No. 9, September 1986 (with B. Auernheimer).
`
`-11-
`
`

`
`"A Brief Summary of a Verification Assessment Study," Ninth National Computer Security Confer-
`ence, Gaithersburg, Maryland, September 1986.
`
`"An Overview of Computer Security," invited paper at IMA Conference on Cryptography and Cod-
`ing, Cirencester, England, December 1986, also included in Cryptography and Coding, edited by
`Henry J. Beker and F.C. Piper, Oxford University Press, 1989.
`
`"An Experience Using Two Covert Channel Analysis Techniques on a Real System Design," Pro-
`ceedings of the IEEE Symposium on Security and Privacy, Oakland, California, April 1986, also
`appeared in IEEE Transactions on Software Engineering,