I am a Research Associate Professor at the Computer Science Department
at Dartmouth College. I am interested in all aspects of Unix security,
in particular in Linux kernel security, detection and reverse
engineering of malware (primarily kernel mode, Linux and Windows),
wireless networking, and visualizations of security-related
information. In a word, I believe that state-of-the-art hacking is
already a distinct discipline of computer science, even though not
formally recognized as such; this is where my main interest is.
My other interests are in applications of Natural Language Processing
for better indexing, search and navigation of natural language documents.
Before coming to Dartmouth, I worked on NLP systems at BBN Technologies.
- CS 258, Advanced OS
- CS 60, Computer Networks
- CS 59, Programming Languages
- CS 38, Computer Security
I also teach a variety of low-level networking and systems security
reading courses; ask if interested.
In May 2009 I provided an expert witness report for the
Franklin Pierce Law Center's legal team
led by Prof. Ashlyn Lembree
defending Mavis Roy
in UMG Recordings et al. v. Roy civil action lawsuit. This led
to a research paper with Prof. Lembree
on the general issues and challenges of trust in
computer-generated evidence, presented
at TRUST 2010 (see also the discussion on Bruce Schneier's blog).
More information about the case can be found on
Beckerman's blog and
- Language-theoretic approach to security,
invented by Len Sassaman and Meredith L. Patterson.
- DemystiPHY, hacking 802.15.4/ZigBee digital radio PHY using our
APImote utility, with Travis Goodspeed and
River Loop Security;
BabylonPHY, exploring digital radio polyglots and cross-PHY injection,
with Travis Goodspeed & Debanjum S. Solanky (WOOT'16)
- BinderFilter, an Android Binder firewall & instrumentation framework, with
David X. Wu.
- USB Facedancer and FreeBSD firewall, with Travis Goodspeed & Peter C. Johnson.
- Packet-in-packet attacks on digital radio protocols
(follow the link to read about it in Travis Goodspeed's blog).
- "Weird machines", unexpected and unusual (and mostly even Turing-complete)
programming models via inputs ordinarily thought to be "metadata", "tables", or "descriptors".
So far found in the ELF and DWARF formats, x86 MMU descriptors, and other unlikely places.
Exploits are programs that run on weird machines made of bugs and features in their targets,
and serve as proofs by construction of the weird machine's existence. Many weird machines
are emergent, brought into being within the target by careful memory allocations ("heap feng-shui"),
resource starvation, thread manipulation, etc.
- Battleaxe shows a new vector for introducing
attack logic into modern GCC toolchain's exception handling
mechanism based on DWARF. This is not a weakness of GCC, nor
do we mean to criticize GCC, but rather a call to developers
to more deeply understand the ELF and DWARF formats we all
- Baffle -- active
(behavioral) fingerprinting of 802.11 devices.
- A side project tested the reliability of timestamp clock skew in
802.11 beacon frames for AP fingerprinting.
- Kerf --
data organization and machine learning techniques for smarter
log and packet capture browsing, analysis and sharing.
- An offshoot of this work was the
log and packet trace visualization technique based on
graphically representing the amounts of information and
conditional information in log cross-sections.
- While working on Kerf, I developed several tools as side projects,
among them a tool for visualizing and browsing Linux Snare and
Solaris BSM system call traces (freely available upon request).
- LZfuzz --
a simple fuzzer for plain text proprietary protocols, such as
those still found in SCADA systems.
- Windsock --
network monitoring sensors based on streaming estimation
of information-theoretic measures.
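The information-theoretic view behind the Kerf log cross-section visualization and the Windsock streaming sensors can be made concrete with a small script. The following is an added example written for this page, not code from either project: it computes the entropy of each log field, the conditional entropy of one field given another (how much uncertainty remains once a cross-section is fixed), the per-slice entropies that a cross-section plot would render, and a streaming counter that yields a per-record "surprise" score as records arrive. The three-field record format and the log lines are constructed for the example.

```python
"""Entropy and conditional entropy over log cross-sections (added example).

Not code from Kerf or Windsock; it only illustrates the idea of measuring
how much information each log field carries, overall and within a
cross-section, and of maintaining the same counts on a stream.
"""
from collections import Counter, defaultdict
from math import log2

# Constructed sample: simplified syslog-like records, "host program event".
SAMPLE_LOG = [
    "web1 sshd accepted",
    "web1 sshd accepted",
    "web1 sshd failed",
    "web2 sshd accepted",
    "web2 cron started",
    "db1 cron started",
    "db1 cron started",
    "db1 sshd failed",
]


def parse(line):
    """Split a constructed 'host program event' record into a dict."""
    host, program, event = line.split()
    return {"host": host, "program": program, "event": event}


RECORDS = [parse(line) for line in SAMPLE_LOG]


def entropy(counts):
    """Shannon entropy in bits of a Counter mapping category -> count."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values() if c)


def field_entropy(records, field):
    """H(field): how unpredictable a single field is across the whole log."""
    return entropy(Counter(r[field] for r in records))


def conditional_entropy(records, target, given):
    """H(target | given): uncertainty left in target once given is known."""
    by_given = defaultdict(Counter)
    for r in records:
        by_given[r[given]][r[target]] += 1
    n = len(records)
    return sum(sum(c.values()) / n * entropy(c) for c in by_given.values())


def mutual_information(records, a, b):
    """I(a; b) = H(a) - H(a | b): how much one field tells about the other."""
    return field_entropy(records, a) - conditional_entropy(records, a, b)


def cross_section(records, given):
    """Slice the log by one field and report each other field's entropy
    inside every slice; a visualization would draw these as bar heights."""
    slices = defaultdict(list)
    for r in records:
        slices[r[given]].append(r)
    fields = [f for f in records[0] if f != given]
    return {v: {f: field_entropy(rs, f) for f in fields} for v, rs in slices.items()}


class StreamingEntropy:
    """Counts one field's values as records arrive instead of over a stored
    capture. update() returns the surprise of the new value, -log2 of its
    add-one-smoothed probability under the counts seen so far, so a value
    never seen before scores high; entropy() is the current estimate."""

    def __init__(self):
        self.counts = Counter()
        self.n = 0

    def update(self, value):
        # Add-one smoothing over the categories seen plus one unseen bucket.
        p = (self.counts[value] + 1) / (self.n + len(self.counts) + 1)
        self.counts[value] += 1
        self.n += 1
        return -log2(p)

    def entropy(self):
        return entropy(self.counts) if self.n else 0.0


if __name__ == "__main__":
    for f in ("host", "program", "event"):
        print(f"H({f}) = {field_entropy(RECORDS, f):.3f} bits")
    print(f"H(event | program) = {conditional_entropy(RECORDS, 'event', 'program'):.3f}")
    for host, ent in cross_section(RECORDS, "host").items():
        print(host, {k: round(v, 3) for k, v in ent.items()})
    stream = StreamingEntropy()
    for r in RECORDS:
        print(r["event"], f"surprise={stream.update(r['event']):.2f}")
```

Fields whose conditional entropy given a slice drops to zero are fully explained by that slice (here, the event name determines the program), which is exactly the kind of redundancy a cross-section plot makes visible; on a stream, a spike in the surprise score marks a record whose value has not been seen in that field before.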
Being much indebted to the hacker community for many things I learned
from its amazingly rich sources, I tried to describe some trends in
the hacker learning experience (the so-called
"hacker curriculum") that distinguish it from the typical
experiences of traditionally trained developers and CS students.
We use some (implicit) principles of this "hidden curriculum"
and related experiences in our teaching of Computer Security at Dartmouth.
Some of my "random" patches to standard tools
(Etherape, dsniff, fragrouter, tcpflow, tcpreplay, etc., see
I received my undergraduate education at the
Moscow Institute of Physics and Technology (aka Moscow Phystech),
and my Ph.D. at Northeastern University (1999).
Before coming to Dartmouth I worked at BBN Technologies on
statistical learning methods in Natural Language Processing (NLP) for
information extraction from natural English text, "text understanding",
and similar topics.
My old homepage is at
My GPG public key.