His research has been funded by the NASA Ames Research Center, by Trident Data Systems and the Air Force, by Lawrence Livermore National Laboratories, and by the National Security Agency. In 1992, he won a Dartmouth College Fellowship to enable him to pursue research into some aspects of the Take-Grant Protection Model.
His areas of research include formal modelling of access controls. His thesis demonstrated the flexibility of the Take-Grant Protection Model, in which not only can access control questions be answered quickly, but also issues of information flow and theft of information can be answered. He presented some results in this area at the first Foundations of Computer Security Workshop, and subsequently chaired the session on access controls at the second workshop.
Another of his interests is network security; as a member of the Privacy and Security Research Group (under the auspices of the Internet Activities Board), he helped develop the protocols to provide confidentiality, authentication, and integrity to electronic mail, and is an active participant in the development of the Internet Security Architecture.
His work in auditing explores the theoretical conditions under which, given a log, the state of the system can be reconstructed, and he has studied the ability of existing systems to meet these criteria. He is also working on a methodology to enable a designer to determine what information should be logged, since one of the major problems with auditing is that there is too much information recorded and at too low a level to enable simple analysis. Part of this work includes relating these low-level events to higher-level application programs. As part of this work, he has devised a standard log format to facilitate interchange of logs among hosts of different types, and which facilitates the analysis of logs set up for disparate goals (such as integrating a financial log with a system security log).
He is also interested in vulnerabilities in systems, at all the layers of abstraction, and has worked extensively in this area. His current work is to develop tools, techniques, and methodologies to detect, prevent, or limit these vulnerabilities. Some of his work has resulted in a scanner for potential race conditions in UNIX system file accesses; the theory he developed generalizes readily to other systems.
While at Purdue, he wrote a widely-circulated paper describing flaws in the UNIX operating system, and since then has been associated with UNIX system security in a variety of ways. In 1988, he chaired the first USENIX UNIX Security Workshop; it was so successful that in 1990 he chaired the second. He has been on the program committees of the Third (1992) and Fourth (1993) UNIX Security Symposia. He has also written widely on different aspects of UNIX security and secure programming, as well as giving frequent tutorials at USENIX, SANS, the World Conference on Security and Systems Administration, FedUNIX, the Sun Users' Group conferences, and the FIRST Incident Response Workshop held in 1993. He has also spoken at SHARE 84.0 on UNIX security.
His thesis discussed the practical implications of the Take-Grant Protection Model; his advisor was Dr. Dorothy Denning.