Peter Chapman

Carnegie Mellon University

About

Peter Chapman Profile

I am Peter Chapman, a PhD student in the Computer Science Department at Carnegie Mellon University working with David Brumley in the Software Security Research Group. My email address is peter@cmu.edu. My curriculum vitae is available.

This year, I am honored to serve on the program committee for the new 2016 USENIX Workshop on Advances in Security Education (ASE 16).

I graduated from Thomas Jefferson High School for Science and Technology in 2008 and from the University of Virginia in May of 2012 with a Bachelor of Arts majoring in Computer Science and Cognitive Science. I received a Master of Science from the Carnegie Mellon University Computer Science Department in 2015.

From 2009 to 2012 I was an active member of the Security Research Group in the UVa Computer Science Department working under my advisor David Evans.

In the summer of 2011 I had the pleasure of participating in a Microsoft Research internship in Redmond, Washington under the mentorship of Jinlin Yang working with the Windows Azure System Monitoring and Diagnostics group.

In February of 2012 I began working at Udacity as an assistant instructor for CS 101: Building a Search Engine and CS 262: Building a Web Browser. I also developed a prototype Android application for consuming course content and improved internal community management tools in collaboration with the engineering team. To correct a common misconception, I am not secretly evil. David Evans wrote a nice blog post on launching Udacity's first course. I also did an interview with a blog on MOOCs on my experiences at Udacity.

In the fall of 2012 I began attending the PhD program at Carnegie Mellon University.

In the spring of 2013 I was the technical lead for a nation-wide high school hacking competition, picoCTF. We had nearly 10,000 students compete across 2,000 teams for $25,000 in prizes.

In January of 2014 I worked as a contractor for the Pittsburgh startup ForAllSecure to host an in-person computer security competition for the United States service academies, called IOCTF.

Over the summer of 2015, I interned with Shuo Chen at Microsoft Research. I was also honored to serve on the program committee for the 2015 USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE).

Awards

ARCS Scholar

I have been awarded an ARCS (Achievement Rewards for College Scientists) award for 2012-2015.

National Science Foundation Graduate Research Fellowship

I was awarded a NSF Graduate Research Fellowship in 2012.

2012 Computer Research Association Outstanding Undergraduate Researcher Award Runner-Up

I was named the 2012 CRA Outstanding Undergraduate Research Award Runner-Up. This is the premier national award for undergraduate researchers in computer science.

Distinguished Major with Highest Distinction

I graduated from the University of Virginia with a Bachelor of Arts with a Distinguished Major in Computer Science with Highest Distinction.

Projects

Python Symbolic Execution

I am working on a symbolic execution engine for Python with robust symbolic string support through a cooperation with the SMT solver on a native string interface. The project builds off PyExZ3, developed at Microsoft Research by Thomas Ball, and can be found on GitHub.

picoCTF High School Hacking Competition

I was the technical lead for picoCTF 2013, a computer security competition for high school students. Unlike existing competitions, picoCTF focuses primarily on offensive hacking skills presented in the form of a web-based video game to better excite students about computer science and computer security. Over the 10-day competition nearly 2,000 teams of middle and high school students participated, vying for $25,000 in prizes, making picoCTF, to the best of our knowledge, the largest hacking competition ever held. The competition introduced thousands of high school students to advanced topics such as the command-line interface, cryptographic ciphers, the client-server paradigm of the web, file system forensics, command injection, data representation, and program representation. We presented a paper on the success of the competition at 3GSE 2014.

Log-Based Architectures

The Log-Based Architecture is a proposed set of hardware additions that leverages spare cores in a multiprocessor system to decrease the cost of dynamic execution monitoring. The decreased overhead is achieved by assigning one processor core the role of monitoring the execution of an application on a separate core with instruction granularity. I am leading the effort to modernize the development system to facilitate continuing security research.

Additionally, I worked with Stefan Muller and Deby Katz to add vulnerability-specific execution filtering (only applying taint-tracking to instructions relevant to a specific, known exploit) to the Log-Based Architecture as a course project.

Side-Channel Leaks in Web Applications

As described by Chen, et al. an adversary monitoring network traffic, even over an encrypted channel, can infer a user's browser state by examining the size and control flow of network transfers. In our CCS 2011 publication we detail an automated black-box approach to measuring and quantifying such leaks in real world web applications. We additionally demonstrate an evaluation of proposed mitigations using our framework. The source code is available from the project page.
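To make the measurement concrete, here is a small added example (my own illustration for this page, not the released framework's code): a constructed three-state web application whose responses differ only in length, an observer that records total bytes per state transition, a Fisher-criterion distinguishability score for each pair of states (the metric is this example's choice), and a padding mitigation evaluated with the same score. The response sizes and jitter are made up.

```python
import random
import statistics

# Constructed model of a web application, not data from the paper: each
# user-visible state (say, a condition picked in a health form) produces a
# fixed set of responses whose plaintext sizes differ. TLS hides the bytes,
# not their lengths, so these sizes are exactly what a passive observer sees.
STATE_RESPONSES = {
    "allergy":  [412, 1210, 88],
    "asthma":   [412, 1240, 88],
    "diabetes": [412, 2970, 88],
}


def pad_to(size, block):
    """Mitigation under test: round every response up to a multiple of `block`."""
    return -(-size // block) * block


def observe(state, rng, samples=20, block=1):
    """Observer-side measurement: total bytes on the wire when the application
    enters `state`, repeated `samples` times. A few bytes of jitter per response
    stand in for dynamic content such as timestamps and anti-CSRF tokens."""
    totals = []
    for _ in range(samples):
        totals.append(sum(pad_to(size + rng.randint(-3, 3), block)
                          for size in STATE_RESPONSES[state]))
    return totals


def fisher(a, b):
    """Fisher-criterion distinguishability of two sample sets: squared gap
    between the means over the summed variances. 0 means the observations are
    identical; the larger the score, the more easily an observer separates them."""
    gap = (statistics.mean(a) - statistics.mean(b)) ** 2
    spread = statistics.variance(a) + statistics.variance(b)
    if spread == 0:
        return 0.0 if gap == 0 else float("inf")
    return gap / spread


def leak_report(block=1, seed=1):
    """Pairwise distinguishability of every state pair, with optional padding."""
    rng = random.Random(seed)
    obs = {s: observe(s, rng, block=block) for s in STATE_RESPONSES}
    names = sorted(obs)
    return {(x, y): fisher(obs[x], obs[y])
            for i, x in enumerate(names) for y in names[i + 1:]}


if __name__ == "__main__":
    for block in (1, 1024):
        print(f"padding block {block}:")
        for pair, score in leak_report(block).items():
            print(f"  {pair[0]:>8} vs {pair[1]:<8} {score:10.1f}")
```

Without padding, the 30-byte difference between "allergy" and "asthma" dwarfs the jitter, so the pair scores high; padding to 1 KiB blocks drives that pair to 0, but "diabetes" still lands in a different block and stays perfectly distinguishable, which is the kind of partial mitigation the black-box approach is meant to expose.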

Secure Computation on Mobile Devices

In mid-2011 we ported the Secure Computation Framework from the desktop to the Android operating system to show the feasibility and applicability of secure computation on mobile devices. We discussed our experiences and thoughts on future research in our HotSec 2011 paper, which I presented. Our demonstration applications are available on Google Play.

Secure Computation Using Third-Party Randomness

For my distinguished major, we developed a general secure-computation protocol dependent on a trusted third party to generate correlated random numbers. The scheme is an order of magnitude more efficient than garbled circuit approaches because it does not use encryption or oblivious transfer.
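The page does not spell out the protocol, so the following is an added illustration of the general idea rather than the thesis's own scheme: two parties hold additive shares of their inputs, a trusted dealer hands out shares of a correlated random triple (a, b, c = a*b) ahead of time, and a multiplication then costs one round of opening two masked values and a little field arithmetic, with no encryption or oblivious transfer. The prime field and the two-party setting are this example's choices.

```python
import secrets

# Field for the arithmetic shares (a Mersenne prime; this example's choice).
P = 2**61 - 1


def share(value):
    """Additive 2-party sharing over Z_P: each share alone is uniform, so it
    reveals nothing about `value`."""
    s0 = secrets.randbelow(P)
    return s0, (value - s0) % P


def reconstruct(s0, s1):
    return (s0 + s1) % P


def dealer_triple():
    """Trusted third party: it never sees the parties' inputs, it only hands out
    shares of correlated randomness (a, b, c) with c = a*b. This can run offline."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a), share(b), share((a * b) % P)


def mul_share(party, x_i, y_i, a_i, b_i, c_i, d, e):
    """Party `party`'s share of x*y from its own shares and the opened values
    d = x - a and e = y - b. Only party 0 adds the public term d*e, so the
    shares sum to c + d*b + e*a + d*e = x*y."""
    z = c_i + d * b_i + e * a_i
    if party == 0:
        z += d * e
    return z % P


def multiply_shares(x, y):
    """Runs both parties in one process for illustration; in deployment each
    party holds only its own shares and the two values it receives."""
    (x0, x1), (y0, y1) = share(x), share(y)
    (a0, a1), (b0, b1), (c0, c1) = dealer_triple()
    # Each party masks its input shares with the triple and sends the result.
    d0, e0 = (x0 - a0) % P, (y0 - b0) % P
    d1, e1 = (x1 - a1) % P, (y1 - b1) % P
    # d = x - a and e = y - b are opened. a and b are uniform one-time pads,
    # so d and e leak nothing about x and y.
    d, e = (d0 + d1) % P, (e0 + e1) % P
    return (mul_share(0, x0, y0, a0, b0, c0, d, e),
            mul_share(1, x1, y1, a1, b1, c1, d, e))


def secure_multiply(x, y):
    return reconstruct(*multiply_shares(x, y))


def secure_dot(xs, ys):
    """Additions are local on shares, so a dot product costs one opened (d, e)
    pair per multiplication and never reconstructs the individual products."""
    z0 = z1 = 0
    for x, y in zip(xs, ys):
        p0, p1 = multiply_shares(x, y)
        z0, z1 = (z0 + p0) % P, (z1 + p1) % P
    return reconstruct(z0, z1)


if __name__ == "__main__":
    print(secure_multiply(123456789, 987654321) == (123456789 * 987654321) % P)
    print(secure_dot([1, 2, 3], [4, 5, 6]))
```

The efficiency argument is visible in the code: per multiplication each party does three field multiplications and sends two field elements, and the only trust assumption is that the dealer generates the triples honestly and never colludes with a party.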

Access Control Policies based on User Actions

In the winter of 2009 I assisted Jeffrey Shirley on a project to develop accurate access control policies based on the state of the user interface and preceding user actions.

Publications

Jonathan Burket, Peter Chapman, Tim Becker, Christopher Ganas, David Brumley. Automatically Creating Problem Instances for CTF Competitions. 2015 USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE ’15), Washington, D.C. 11 August 2015. [PDF, 8 pages]

Manuel Egele, Maverick Woo, Peter Chapman, and David Brumley. Blanket Execution: Dynamic Similarity Testing for Program Binaries and Components. 23rd USENIX Security Symposium (USENIX 2014), San Diego, CA. 20-22 August 2014. [PDF, 15 pages]

Peter Chapman, Jonathan Burket, and David Brumley. picoCTF: A Game-Based Computer Security Competition for High School Students. 2014 USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE '14), San Diego, CA. 18 August 2014. [PDF, 10 pages]

Peter Chapman and David Evans. Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications. 18th ACM Conference on Computer and Communications Security (CCS 2011), Chicago, IL. 17-21 October 2011. [PDF, 12 pages]

Yan Huang, Peter Chapman, and David Evans. Privacy-Preserving Applications on Smartphones. 6th USENIX Workshop on Hot Topics in Security (HotSec 2011), San Francisco, CA. 9 August 2011. [PDF, 6 pages]

Presentations and Posters

Peter Chapman, Jonathan Burket, and David Brumley. picoCTF: A Game-Based Computer Security Competition for High School Students. In 2014 USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE '14), San Diego, CA. 18 August 2014. [Slides, 23 slides] [Presentation Video, 22 min] [Post-Session Panel, 85 min]

Peter Chapman. picoCTF: Teaching 10,000 High School Students to Hack. For Spectroscopy Society of Pittsburgh, Pittsburgh, PA. 15 January 2014. [PPTX]

Peter Chapman. What is a Hacker?. For ARCS Pittsburgh, Pittsburgh, PA. 12 November 2013. [PPTX]

Peter Chapman. picoCTF: Teaching 10,000 High School Students to Hack. For V-Unit, Pittsburgh, PA. 23 May 2013. [PPTX, Report PDF]

Peter Chapman. Secure Computation on Mobile Devices. For CS 1120 - Computing: Language, Logic, Machines, Charlottesville, VA. 2 December 2011. [PPTX, PDF]

Peter Chapman and David Evans. Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications. In 18th ACM Conference on Computer and Communications Security (CCS 2011), Chicago, IL. 19 October 2011. [PPTX, PDF]

Yan Huang, Peter Chapman, and David Evans. Privacy-Preserving Applications on Smartphones. 6th USENIX Workshop on Hot Topics in Security (HotSec 2011), San Francisco, CA. 9 August 2011. [Slides, 29 slides] [Presentation Video, 15 min] [Post-Session Panel, 43 min]

Yan Huang, Peter Chapman, and David Evans. Secure Computation on Mobile Devices. Poster at IEEE Symposium on Security and Privacy, Berkeley, CA. 22-25 May 2011. [Poster] [Poster Abstract]

Peter Chapman and David Evans. Automated Black-box Detection of Side-Channel Vulnerabilities. Poster at 19th USENIX Security Symposium, Washington, DC. 11-13 August 2010. [Poster] [Poster Abstract]

Peter Chapman, Jeffrey Shirley, and David Evans. Monitoring User Actions for Better Malware Specifications. Poster at IEEE Symposium on Security and Privacy, Berkeley, CA. 16-19 May 2010. [Poster] [Poster Abstract]

Patents

Yang, Jinlin, Haibin Xie, and Peter Chapman. Mining for Statistical Enumerated Type. Microsoft Corporation. Patent US9213743 B2. 14 Dec. 2012.

Yang, Jinlin, Jiakang Lu, and Peter Chapman. Hierarchical String Clustering on Diagnostic Logs. Microsoft Corporation. Pending Patent US20140164376 A1. 6 Dec. 2012.

Press

Capturing Capture the Flag: Further Discussions - ;login:. December 2014.

Secret Weapon Against Hacking: College Students - PBS NewsHour. 26 October 2013.

Project Lead the Way - Engineering Health. 11 September 2013.

Meet the Pioneers: An Interview with Peter Chapman - The Good MOOC. 24 June 2013.

Hacking Competition to Teach Students about Computer Science - Center for Digital Education. 24 April 2013.

Local Students Try to Crack the Code in Competition [MP4 Video] - Pittsburgh WPXI News. 15 April 2013.

Tools

Python Symbolic Executor

I have forked the PyExZ3 symbolic executor to build a tool for Python developers to automatically generate test inputs. My enhancements include full support for symbolic strings intermixed with integers. Generated queries are sent to a portfolio of solver instances with dynamically set timeouts as execution continues asynchronously. Queries can be encoded in different theories (bit-vector, integer, and string) for different solvers (CVC4, Z3, Z3str2) simultaneously. The developer can opt to create annotations for functions to test or use support for automatically instrumenting command-line scripts and argument parsing libraries.
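The Python Symbolic Execution project description above and this tool summary both describe the same loop: run the program on concrete inputs, record the branch conditions along the path, negate one, ask a solver for inputs that reach the other side, and repeat until no new path appears. The block below is an added example that shows that loop in miniature; it is my own illustration for this page, not code from the PyExZ3 fork. It tracks symbolic integers only, and a brute-force search over a small integer range stands in for the SMT solver (real symbolic strings are exactly what needs a string-capable solver such as the ones named above).

```python
import itertools
import operator

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}


class SymInt:
    """An integer input carried as (symbolic name, concrete value).

    Every comparison is evaluated concretely so the program takes a real
    branch, but the predicate and the outcome are appended to the shared
    path so the driver can later negate that branch and solve for inputs.
    """

    def __init__(self, name, value, path):
        self.name, self.value, self.path = name, value, path

    def _cmp(self, op, other):
        fn = OPS[op]
        rhs_name = other.name if isinstance(other, SymInt) else None
        rhs_val = other.value if isinstance(other, SymInt) else other
        outcome = fn(self.value, rhs_val)

        def pred(env):  # re-evaluates this comparison under a candidate assignment
            rhs = env[rhs_name] if rhs_name is not None else rhs_val
            return fn(env[self.name], rhs)

        self.path.append((pred, outcome, f"{self.name} {op} {rhs_name or rhs_val}"))
        return outcome

    def __lt__(self, o): return self._cmp("<", o)
    def __le__(self, o): return self._cmp("<=", o)
    def __gt__(self, o): return self._cmp(">", o)
    def __ge__(self, o): return self._cmp(">=", o)
    def __eq__(self, o): return self._cmp("==", o)
    def __ne__(self, o): return self._cmp("!=", o)


def solve(constraints, names, domain):
    """Stand-in for the SMT solver: exhaustive search over a small integer
    domain for an assignment meeting every (predicate, required outcome)."""
    for values in itertools.product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if all(pred(env) == want for pred, want in constraints):
            return env
    return None


def concolic_explore(fn, names, domain, seed, max_runs=64):
    """Generational concolic search: run, negate each branch on the path,
    solve, re-run. Returns {input tuple: return value}, one entry per path."""
    worklist, seen_paths, results = [dict(seed)], set(), {}
    while worklist and len(results) < max_runs:
        env = worklist.pop(0)
        path = []
        out = fn(*[SymInt(n, env[n], path) for n in names])
        key = tuple(taken for _, taken, _ in path)
        if key in seen_paths:
            continue
        seen_paths.add(key)
        results[tuple(env[n] for n in names)] = out
        for i in range(len(path)):
            # Keep the prefix of the path as taken, flip branch i, solve.
            prefix = [(p, t) for p, t, _ in path[:i]]
            prefix.append((path[i][0], not path[i][1]))
            new_env = solve(prefix, names, domain)
            if new_env is not None:
                worklist.append(new_env)
    return results


def classify(x, y):
    """Constructed function under test: four paths, two of which need x > 10."""
    if x > 10:
        if y == x:
            return "equal-high"
        return "high"
    if x < 0:
        return "negative"
    return "low"


def demo():
    return concolic_explore(classify, ["x", "y"], range(-20, 21), {"x": 0, "y": 0})


if __name__ == "__main__":
    for inputs, result in demo().items():
        print(inputs, "->", result)
```

Starting from (0, 0) the driver reaches all four return values in four runs, including the `y == x` branch that random testing over the same range would hit with probability 1/41 per high-x trial; the path-key check is what keeps the search from re-exploring a path already covered.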

picoCTF Platform 1

The picoCTF 2013 infrastructure is maintained as an open source project. The platform is built on Flask and MongoDB.

Man Fuzzer

To serve as a simple baseline measurement for a research project I wrote this script to create fuzz testing inputs using the manual pages and help options of command-line applications. The code is available on GitHub under an Apache License, Version 2.0. The team behind VDiscover uses this tool as a means to generate seed files for mutational fuzzing campaigns.
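As an added illustration of the idea (my own sketch for this page, not the Man Fuzzer code), the block below parses a constructed GNU-style `--help` text into its options, notes which ones take an argument, and emits command lines that combine random options with edge-case argument values. The help text, the regular expression and the value list are all assumptions of the example.

```python
import random
import re

# Constructed --help output in GNU style (not from any real tool's manual).
SAMPLE_HELP = """\
Usage: sizer [OPTION]... FILE...
Report the size of each FILE.

  -b, --block-size=SIZE   scale sizes by SIZE before printing
  -d, --depth=N           limit recursion to N levels
  -h, --human-readable    print sizes in human readable format
  -L, --dereference       follow all symbolic links
      --exclude=PATTERN   skip files matching PATTERN
      --help              display this help and exit
"""

# One option per line: optional "-x, " short form, a long form, and an
# optional UPPERCASE placeholder meaning the option takes an argument.
OPTION_RE = re.compile(
    r"^\s*(?:(-[A-Za-z]),\s+)?(--[A-Za-z][\w-]*)(?:[= ]([A-Z][A-Z_]*))?",
    re.MULTILINE)

# Argument values chosen to poke at parsers: boundaries, sign, length, format
# strings and path traversal.
ARG_VALUES = ["0", "-1", "4294967296", "9" * 40, "A" * 4096,
              "%s%n%x", "../../../etc/passwd", ""]


def parse_help(text):
    """Returns [(short_flag_or_None, long_flag, takes_argument)] per option line."""
    options = []
    for m in OPTION_RE.finditer(text):
        short, long_, arg = m.groups()
        if long_ == "--help":
            continue  # exits immediately; never a useful fuzz input
        options.append((short, long_, arg is not None))
    return options


def gen_argv(options, rng, max_options=3):
    """One fuzz input: a random subset of options, each in short or long form,
    an edge-case value for those that take an argument, plus a positional path."""
    argv = []
    k = rng.randint(1, min(max_options, len(options)))
    for short, long_, takes_arg in rng.sample(options, k):
        flag = short if short and rng.random() < 0.5 else long_
        if takes_arg:
            value = rng.choice(ARG_VALUES)
            # GNU getopt accepts both "--opt=VAL" and "--opt VAL"; exercise both.
            if flag.startswith("--") and rng.random() < 0.5:
                argv.append(f"{flag}={value}")
            else:
                argv.extend([flag, value])
        else:
            argv.append(flag)
    argv.append("/tmp/fuzz-target")  # positional FILE operand
    return argv


def fuzz_corpus(text, count=5, seed=0):
    """Seed corpus of argument vectors derived from a tool's own help text."""
    rng = random.Random(seed)
    options = parse_help(text)
    return [gen_argv(options, rng) for _ in range(count)]


if __name__ == "__main__":
    for argv in fuzz_corpus(SAMPLE_HELP):
        print(argv)
```

Inputs built this way are structurally valid for the target's option parser, which is why they work as seeds for a mutational fuzzer: mutations start from command lines that get past argument parsing and into the code that actually handles the values.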

Email Textifier

Working at Udacity I regularly sent emails to thousands of our active students. To facilitate this role I created an online tool to convert a well-formatted HTML email to something friendly to text-only email clients. It is also really handy for converting anything formatted into Markdown; you can paste right from your web browser, Word, etc.