Michael S. Kirkpatrick's research while affiliated with James Madison University and other places

Publications (40)

Article
Repeated ethical violations ends with membership revocation and ban.
Conference Paper
This special session will involve three related components. It will begin with a history of the ACM Code of Ethics and Professional Conduct (the Code), its evolving presence in the computing curriculum guidelines over time, and its documented use outside of academe. This will lead into an overview of the major changes to the Code that occurred in t...
Conference Paper
Full-text available
Introducing software testing has taken on a greater importance in undergraduate computer science curricula in the last several years, with many departments using JUnit or other testing frameworks in the programming sequence and software engineering courses. We have developed an automated framework for unit and integration testing and grading for ou...
Conference Paper
The ACM Code of Ethics provides a framework for ethical conduct within the computing industry. The Code describes ethical conduct for individuals and organizations, as well as the basic moral principles underlying these prescriptions. Principles defined in the Code include: Avoid harm; be fair and take action not to discriminate; respect privacy; e...
Conference Paper
The goal of the OpenCSF project is to develop an on- line, interactive textbook focused on the Computer Systems Fundamentals (CSF) Core Tier 1 teaching objectives of the ACM 2013 Computing Curriculum. This area includes material that would traditionally be taught in courses such as Computer Organization, Operating Systems, Computer Networks, and Pa...
Conference Paper
Team-Based Learning (TBL) is an active learning pedagogy that involves a substantial amount of preparation work by students. While previous work shows that objective measures of student learning outcomes improved after TBL adoption in CS, little work has been done to evaluate the students' perspectives rigorously. In this work, we present the quali...
Conference Paper
Before Fall 2013, our CS majors were required to take the same 4-credit introductory programming course as part of a two-semester CS1 designed to be welcoming to novices. As CS in K-12 has expanded, the diversity of incoming students' programming backgrounds has increased, raising concerns that the climate was becoming increasingly intimidating for...
Conference Paper
There is significant evidence that active learning techniques facilitate superior learning outcomes when compared to traditional lecture-based techniques. However, adopting an entirely new pedagogy is a time-consuming endeavor that requires considerable effort. In this work, we describe simple transitional steps that we used to increase the amount...
Article
This paper summarizes our experiences restructuring a core portion of our required courses for majors. Internal and external reviews of our program highlighted areas of concern in our "systems core," including inconsistent student outcomes, missing required material, and inadequate opportunities for programmatic assessment. To fix these problems, w...
Article
Code-reuse attacks, such as return-oriented programming (ROP), are a class of buffer overflow attacks that repurpose existing executable code towards malicious purposes. These attacks bypass defenses against code injection attacks by chaining together sequence of instructions, commonly known as gadgets, to execute the desired attack logic. A common...
Patent
Full-text available
A system and method for performing cryptographic functions in hardware using read-N keys comprising a cryptographic core, seed register, physically unclonable function (PUF), an error-correction core, a decryption register, and an encryption register. The PUF configured to receive a seed value as an input to generate a key as an output. The error-c...
Conference Paper
There is a growing body of evidence showing active learning pedagogies are effective for ensuring long-term student learning, reducing course failure rates, and retaining majors. While active learning pedagogies are more often employed in lower divisional CS courses, systems classes-such as OS, architecture, and networks-are just beginning to see a...
Article
To combat the threat of information leakage through pervasive access, researchers have proposed several extensions to the popular role-based access control (RBAC) model. Such extensions can incorporate contextual features, such as location, into the policy decision in an attempt to restrict access to trustworthy settings. In many cases, though, suc...
Conference Paper
With fast evolving attacks, using software patches for fixing software bugs is not enough as there are often considerable delays in their application to vulnerable systems and the attackers may find other vulnerabilities to exploit. A secure architecture design that provides robust protection against malware must be guided by strong security design...
Conference Paper
Code-reuse attacks, such as return-oriented programming (ROP), bypass defenses against code injection by repurposing existing executable code toward a malicious end. A common feature of these attacks is the reliance on the knowledge of the layout of the executable code. We propose a fine grained randomization based approach that modifies the layout...
Conference Paper
Code-reuse attacks, including return-oriented programming (ROP) and jump-oriented programming, bypass defenses against code injection by repurposing existing executable code in application binaries and shared libraries toward a malicious end. A common feature of these attacks is the reliance on the knowledge of the layout of the executable code. We...
Article
Full-text available
—Several models for incorporating spatial constraints into role-based access control (RBAC) have been proposed, and researchers are now focusing on the challenge of ensuring such policies are enforced correctly. However, existing approaches have a major shortcoming, as they assume the server is trustworthy and require complete disclosure of sensiti...
Article
Modern computer systems are built on a foundation of software components from a variety of vendors. While critical applications may undergo extensive testing and evaluation procedures, the heterogeneity of software sources threatens the integrity of the execution environment for these trusted programs. For instance, if an attacker can combine an ap...
Conference Paper
Full-text available
Many organizations require that sensitive information only be accessed on the organization premises or in secure locations. Access to certain information is thus allowed to authorized users, provided that these users are in specific locations when accessing the information. The GEO-RBAC model addresses such requirement. It is based on the notion of...
Conference Paper
Full-text available
As mobile computing devices are becoming increasingly dominant in enterprise and government organizations, the need for fine-grained access control in these environments continues to grow. Specifically, advanced forms of access control can be deployed to ensure authorized users can access sensitive resources only when in trusted locations. One tech...
Conference Paper
Full-text available
Cryptographers have proposed the notion of read-once keys (ROKs) as a beneficial tool for a number of applications, such as delegation of authority. The premise of ROKs is that the key is destroyed by the process of reading it, thus preventing subsequent accesses. While the idea and the applications are well-understood, the consensus among cryptogr...
Conference Paper
In a distributed computing environment, remote devices must often be granted access to sensitive information. In such settings, it is desirable to restrict access only to known, trusted devices. While approaches based on public key infrastructure and trusted hardware can be used in many cases, there are settings for which these solutions are not pr...
Conference Paper
Full-text available
As the use of peer-to-peer (P2P) services for distributed file sharing has grown, the need for fine-grained access control (FGAC) has emerged. Existing access control frameworks use an all-or-nothing approach that is inadequate for sensitive content that may be shared by multiple users. In this paper, we propose a FGAC mechanism based on selective...
Article
Full-text available
Cryptographers have proposed the notion of read-once keys (ROKs) as a beneficial tool for a number of applications, such as delegation of authority. The premise of ROKs is that the key is destroyed by the process of reading it, thus preventing subsequent accesses. While the idea and the ap-plications are well-understood, the consensus among cryp-to...
Conference Paper
Full-text available
As users have to manage an increasing number of accounts, they have to balance password security and password usability. As such, many users use insecure passwords resulting in their accounts and data being vulnerable to unauthorized accesses. In this paper, we present Physically Enhanced Authentication Ring, or PEAR, a system that alleviates this...
Article
Full-text available
Proposed models for spatially-aware extensions of role-based access control (RBAC) combine the administrative and security advantages of RBAC with the dynamic nature of mobile and pervasive computing systems. However, implementing systems that enforce these models poses a number of challenges. As a solution, we propose an architecture for designing...
Chapter
As mobile computing continues to rise, users are increasingly able to connect to remote services from a wide range of settings. To provide this flexibility, security policies must be adaptive to the user’s environment when the request is made. In our work, we define context to include the spatiotemporal aspects of the user request, in addition to q...
Conference Paper
Full-text available
The paper first discusses motivations why taking into account location information in authentication and access control is important. The paper then surveys current approaches to location-aware authentication, including the notion of context-based flexible authentication policies, and to location-aware access control, with focus on the GEO-RBAC mod...
Article
Full-text available
Modern computer systems permit users to access protected information from remote locations. In certain secure environments, it would be desirable to restrict this access to a particular computer or set of computers. Existing solutions of machine-level authentication are undesirable for two reasons. First, they do not allow fine-grained application...
Conference Paper
Full-text available
Recent advances in positioning and tracking technologies have led to the emergence of novel location-based applications that allow participants to access information relevant to their spatio-temporal context. Traditional access control models, such as role-based access control (RBAC), are not sufficient to address the new challenges introduced by t...
Article
Discretionary access control (DAC), while useful in many settings, does not solve every access control problem. Specifically it is not helpful when users wish to maintain secure file systems when physically lending their computer to an untrusted user without logging out. To solve this problem we designed a role-based access control (RBAC) policy fo...
Article
Full-text available
Cyber-physical systems (CPS) are characterized by the close linkage of computational resources and phys-ical devices. These systems can be deployed in a num-ber of critical infrastructure settings. As a result, the security requirements of CPS are different than tra-ditional computing architectures. For example, criti-cal functions must be identifi...
Article
The text-based ID/password scheme is the most widely used user authentication method in the real world, but its drawbacks and vulnerabilties have been continuously pointed out. Owing to the limitation of size of possible password space, it is not resistant to the dictionary attacks (even with the salt). In addition, it is not easy for uses to creat...
Article
Full-text available
Physically unclonable functions (PUFs) provide a mechanism for uniquely identifying a hardware device based on the intrinsic variations of physical components. Common applications for PUFs include generating or binding cryptographic keys in a secure manner. In recent work, though, we have examined the possibility of incorpo-rating PUFs directly int...
Article
Recent studies have shown that data theft and computer security breaches have translated into large financial losses. These studies have also demonstrated that malicious insiders are respon- sible for a large number of these attacks. The Heuristic Identification and Tracking of Insider Threats (HIT-IT) project attempts to counter- act this problem...
Article
Full-text available
Recent studies have shown there is a growing concern about the damage possible when trusted organization insiders behave maliciously. In particular, data exfiltration can lead to loss of revenue, damage to an organization's reputation, and disruption of service for critical infrastructure systems. In this work, we introduce the Contextually Adaptiv...
Article
Full-text available
Recent advances in positioning and tracking technologies have led to the emergence of novel location-based applica- tions that allow participants to access information relevant to their spatio-temporal context. Traditional access control models, such as role-based access control (RBAC), are not sufficient to address the new challenges introduced by...

Citations

... Consequently, they argue that tech ethics "could be part of every computing course" [13]. Recent work in undergraduate computing ethics include designs for standalone ethics courses [11,32]; integrated ethics across the curriculum [7,16]; and integrated ethics modules or lessons in courses such as machine learning [35], human-centered computing [37], and introductory CS [10,12]. Critical approaches to computing ethics challenge dominant narratives by centering computing's moral, ethical, and social values as well as its political power to reshape social structures and hierarchies [11,20,26,29,34,38,39,41]. Computing does not exist separate from the world; computation is designed by people to realize their political visions about how the world ought to work [20,41]. ...
... However, there is little specific guidance on what form this professional ethics training must take across the curriculum, with some programs focusing on standalone ethics courses and others integrating training across cornerstone, capstone, and other project-based coursework. From a professional organizational perspective, the Association for Computing Machinery (ACM) code of ethics has also incorporated language relevant to computing education curricula in a range of programs [12,59], with a trajectory towards socially responsible computing practices. While there have been debates about the power or role of such codes, studies have shown that the updated ACM code has had little impact on producing actual ethically-centered practices. ...
... However, both groups indicated that debugging was difficult but less frequently mentioned by both groups. Some studies (e.g., [60][61][62]) indicated the positive impact of prior coding/computing experience on students' performance in computer science courses. Alvarado et al. [60] observed this positive impact on student grades in introductory and advanced courses in computer science, revealing students with pre-college computing experience performed significantly better than their peers with less or without experience in these courses. ...
... There was no significant difference, and they concluded that iRAT could be done at home for more simplicity. Kirkpatrick (2017) also recommended using pre-class online quizzes for iRAT. In this study, we used the class time for team application exercises (tAPP), and we did not include tRAT due to the lack of time as tasks related to programming require more time (Lasserre, 2009), and the programme timetable could not fit additional time. ...
... • The IoT device micro-controller and the PUF are assumed to be a system on chip (SoC). Therefore, based on SoC security [33], [34], the communication between them is considered to be secure, in the sense that it will be difficult for an adversary to intercept the on-chip communication between the device and the PUF and break the SoC security within polynomial time. We now describe our PUF-based authentication scheme. ...
... In CS, in particular, it has been found that this student-centred instructional approach has many advantages, including a high level of engagement, better academic performance for weaker students, enhanced programming skills and confidence in the ability to program (Elnagar & Ali, 2013;Kirkpatrick & Prins, 2015;Lasserre & Szostak, 2011;Rankin et al., 2007). This study will examine whether some of these advantages are observed in a new postgraduate course we created: Programming and Systems Development (ProgSD). ...
... The automated testing tool that we present here is part of a larger departmental effort to redesign our systems curriculum [6]. Specifically, our aim has been to adopt a learner-centered philosophy that supports and encourages student autonomy within the constraints of a discipline with a rapidly growing and evolving body of knowledge. ...
... To defend against code reuse attacks, such as return-oriented programming (ROP), Gupta et al. [142] propose a fine-grained software diversity approach called Marlin. Marlin breaks a software binary into function blocks and randomly shuffles the order. ...
... It only takes the binary of the application and outputs a new binary with addresses determinable at load-time. Ref. [40] presented Marlin's randomization method that rearranges the code block in the text section of the program's binary whenever it is executed. It makes exploitation difficult for attacks like ROP because shuffling changes the sequence of gadgets that are not useful for attackers. ...
... For instance, Hamming codes are considered in [13], however, the Hamming codes can correct one-bit error. To improve error correction capability, other high-performance ECCs are used, such as Bose-Chaudhuri-Hocquenghem (BCH) codes [5], Reed-Solomon (RS) codes [14], and Reed-Muller (RM) codes [12]. To further improve the error performance and decrease the complexity of FEs, concatenated error correction codes [15,16] and soft-decision decoders [17,18] are considered. ...