David Brumley
Professor, Electrical and Computer Engineering
Courtesy Appointment, Computer Science Department
David Brumley is a professor in the Electrical and Computer Engineering Department at Carnegie Mellon University with an additional courtesy in the Computer Science Department. He was previously the director of CyLab, the CMU Security and Privacy Institute. His research focuses on software security.
Brumley received his Ph.D. in Computer Science from Carnegie Mellon University, an M.S. in Computer Science from Stanford University, and a B.A. in Mathematics from the University of Northern Colorado. He served as a computer security officer for Stanford University from 1998-2002 and handled thousands of computer security incidents in that capacity. He is the faculty mentor for the Carnegie Mellon Hacking Team Plaid Parliament of Pwning (PPP), which is ranked internationally as one of the top teams in the world according to ctftime.org. The team was ranked #1 in 2011, #2 in 2012, and #1 in 2013, and won DefCon 2013. Brumley received the USENIX Security Best Paper Award in 2003 and 2007, and an ICSE Distinguished Paper Award in 2014.<
Brumley’s honors include being selected for the 2010 DARPA CSSP program and 2013 DARPA Information Science and Technology Advisory Board, a 2010 NSF CAREER award, a 2010 United States Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama (the highest award in the US for early career scientists), and a 2013 Sloan Foundation Award.
Network Security: Protecting Today's Computers
Education
2008 Ph.D., Computer Science, Carnegie Mellon University
2003 MS, Computer Science, Stanford University
1998 BA, Mathematics, University of North Colorado
Affiliations
Research Interests
- AI and ML for security
- Applications of security and privacy
- autonomy
- cryptography
- cyber physical systems security and privacy
- cyberphysical systems (CPS)
- embedded systems security
- emerging applications security
- Formal methods
- formal methods for security
- hardware security
- Internet of Things (IoT)
- IoT security and privacy
- language-based security
- malware analysis and detection
- ML and AI
- network security
- secure systems
- security of AI and ML
- software security
- systems security
- verification
Media mentions
CMU Engineering
Student donates bug bounty to support picoCTF’s cybersecurity education efforts
Seunghyun Lee discovered a series of bugs in Google Chrome’s WebAssembly type system that earned him a bug bounty, which he generously donated to CMU's picoCTF cybersecurity education platform.
CyLab Security and Privacy Institute
Student bug bounty discovery supports picoCTF’s cybersecurity education efforts with $462,000 gift
Seunghyun Lee, a first-year Ph.D. student in Carnegie Mellon University’s Computer Science Department, recently discovered a series of bugs in Google Chrome's WebAssembly type system that earned him a bug bounty, which he generously donated to CMU's picoCTF cybersecurity education platform.
Time
Brumley discusses social security number breach and cybersecurity
ECE’s David Brumley spoke with Time about the hack in April that resulted in SSN data from the NPD being leaked. “We are not talking about a startup here,” Brumley said. “Looking forward, we have to have higher standards for the custodians of our data.”
CMU Engineering
CMU hacking team wins eighth DEF CON Capture-the-Flag title
The winningest team in DEF CON’s Capture-the-Flag (CTF) competition history, CMU’s Plaid Parliament of Pwning (PPP), won its third straight title, earning its record eighth win in the past 12 years.
CyLab Security and Privacy Institute
Carnegie Mellon’s hacking team wins third straight, record eighth overall DEF CON Capture-the-Flag title
The winningest team in DEF CON’s Capture-the-Flag (CTF) competition history, Carnegie Mellon University’s Plaid Parliament of Pwning (PPP), won its third consecutive title, earning its eighth victory in the past 12 years.
Axios
Brumley talks about Biden’s plan for ethical hacking
ECE’s David Brumley spoke with Axios about Biden’s plan for ethical hacking for AI safety. Brumley said that “companies and policymakers need to shift their attention to the algorithms and data sources at the heart of the models, rather than the outputs.”
CyberScoop
Brumley gives input on recent executive order addressing AI security risks
ECE’s David Brumley gives his input on the recent executive order from the White House that addresses AI security risks in CyberScoop. “They’re relying on very traditional government agencies like NIST that have no expertise in this,” he says.
The Washington Post
Brumley speaks about hardware “ingredients list”
CyLab/ECE’s David Brumley speaks to The Washington Post about the Cybersecurity and Infrastructure Security Agency’s hardware bill of materials framework that would allow organizations to evaluate supply chain risks. “I don’t see this having much impact, and I don’t know why people would comply with it,” he says.
Dark Reading
Brumley quoted by Dark Reading
ECE Professor David Brumley explains why he feels new cybersecurity mandates for medical devices fall short and shares suggestions for the path forward.
Decipher
Brumley shares thoughts on CISA’s outline to tackle open source software security
ECE/CyLab’s David Brumley shares his thoughts on CISA's outline to tackle open source software security.
AP News
Brumley discusses CMU’s victory in DEF CON competition
CyLab/ECE’s David Brumley discusses the CMU hacking team’s victory in the DEF CON Capture-the-Flag competition with AP News. “It’s hard to understate the impact our students have in cybersecurity.” he says.
The Washington Post
Brumley discusses cyber policy
CyLab/ECE’s David Brumley talks cyber policy with The Washington Post. “I can’t think of a cyber policy that encourages proactively improving security. Everything is focused around disclosure and knowing the ingredients, not if the ingredients are spoiled,” he says.