Peter Chapman

Carnegie Mellon University

About

I am Peter Chapman, a PhD student in the Computer Science Department at Carnegie Mellon University working with David Brumley in the Software Security Research Group. I am available via email at peter@cmu.edu. My resume is available.

I graduated from Thomas Jefferson High School for Science and Technology in 2008 and from the University of Virginia in May of 2012 with a Bachelor of Arts majoring in Computer Science and Cognitive Science.

From 2009 to 2012 I was an active member of the Security Research Group in the UVa Computer Science Department working under my advisor David Evans.

In the summer of 2011 I had the pleasure of participating in a Microsoft Research internship in Redmond, Washington under the mentorship of Jinlin Yang working with the Windows Azure System Monitoring and Diagnostics group.

In February of 2012 I began working at Udacity as an assistant instructor for CS 101: Building a Search Engine and CS 262: Building a Web Browser. I also developed a prototype Android application for consuming course content and improved internal community management tools in collaboration with the engineering team. To correct a common misconception, I am not secretly evil. David Evans wrote a nice blog post on launching Udacity's first course. I also did an interview with a blog on MOOCs on my experiences at Udacity.

In the fall of 2012 I began attending the PhD program at Carnegie Mellon University.

In the spring of 2013 I was the technical lead for a nation-wide high school hacking competition, picoCTF. We had nearly 10,000 students compete across 2,000 teams for $25,000 in prizes.

In January of 2014 I worked as a contractor for the Pittsburgh startup ForAllSecure to host an in-person computer security competition for the United States service academies, called IOCTF.

Awards

ARCS Scholar

I have been awarded an ARCS (Achievement Rewards for College Scientists) award for 2012-2015.

National Science Foundation Graduate Research Fellowship

I was awarded an NSF Graduate Research Fellowship in 2012.

2012 Computer Research Association Outstanding Undergraduate Researcher Award Runner-Up

I was named the 2012 CRA Outstanding Undergraduate Research Award Runner-Up. This is the premier national award for undergraduate researchers in computer science.

Distinguished Major with Highest Distinction

I graduated from the University of Virginia with a Bachelor of Arts with a Distinguished Major in Computer Science with Highest Distinction.

Projects

picoCTF High School Hacking Competition

I was the technical lead for picoCTF 2013, a computer security competition for high school students. Unlike existing competitions, picoCTF focuses primarily on offensive hacking skills presented in the form of a web-based video game to better excite students about computer science and computer security. Over the 10-day competition nearly 10,000 middle and high school students participated across almost 2,000 teams vying for $25,000 in prizes, making picoCTF, to the best of our knowledge, the largest hacking competition ever held. The competition introduced thousands of high school students to advanced topics such as the command-line interface, cryptographic ciphers, the client-server paradigm of the web, file system forensics, command injection, data representation, and program representation. We presented a paper on the success of the competition at 3GSE 2014.

Log-Based Architectures

The Log-Based Architecture is a proposed set of hardware additions that leverages spare cores in a multiprocessor system to decrease the cost of dynamic execution monitoring. The decreased overhead is achieved by assigning one processor core the role of monitoring the execution of an application on a separate core with instruction granularity. I am leading the effort to modernize the development system to facilitate continuing security research.

Additionally, I worked with Stefan Muller and Deby Katz to add vulnerability-specific execution filtering (only applying taint-tracking to instructions relevant to a specific, known exploit) to the Log-Based Architecture as a course project.

Side-Channel Leaks in Web Applications

As described by Chen et al., an adversary monitoring network traffic, even over an encrypted channel, can infer a user's browser state by examining the size and control flow of network transfers. In our CCS 2011 publication we detail an automated black-box approach to measuring and quantifying such leaks in real-world web applications. We additionally demonstrate an evaluation of proposed mitigations using our framework. The source code is available from the project page.

Secure Computation on Mobile Devices

In mid-2011 we ported the Secure Computation Framework from the desktop to the Android operating system to show the feasibility and applicability of secure computation on mobile devices. We discussed our experiences and thoughts on future research in our HotSec 2011 paper, which I presented. Our demonstration applications are available on Google Play.

Secure Computation Using Third-Party Randomness

For my distinguished major, we developed a general secure-computation protocol dependent on a trusted third party to generate correlated random numbers. The scheme is an order of magnitude more efficient than garbled circuit approaches because it does not use encryption or oblivious transfer.

Access Control Policies based on User Actions

In the winter of 2009 I assisted Jeffrey Shirley on a project to develop accurate access control policies based on the state of the user interface and preceding user actions.

Publications

Manuel Egele, Maverick Woo, Peter Chapman, and David Brumley. Blanket Execution: Dynamic Similarity Testing for Program Binaries and Components. In 23rd USENIX Security Symposium (USENIX 2014), San Diego, CA. 20-22 August 2014. [PDF, 15 pages]

Peter Chapman, Jonathan Burket, and David Brumley. picoCTF: A Game-Based Computer Security Competition for High School Students. In 2014 USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE '14), San Diego, CA. 18 August 2014. [PDF, 10 pages]

Peter Chapman and David Evans. Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications. In 18th ACM Conference on Computer and Communications Security (CCS 2011), Chicago, IL. 17-21 October 2011. [PDF, 12 pages]

Yan Huang, Peter Chapman, and David Evans. Privacy-Preserving Applications on Smartphones. 6th USENIX Workshop on Hot Topics in Security (HotSec 2011), San Francisco. 9 August 2011. [PDF, 6 pages]

Presentations and Posters

Peter Chapman, Jonathan Burket, and David Brumley. picoCTF: A Game-Based Computer Security Competition for High School Students. In 2014 USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE '14), San Diego, CA. 18 August 2014. [Slides, 23 slides] [Presentation Video, 22 min] [Post-Session Panel, 85 min]

Peter Chapman. picoCTF: Teaching 10,000 High School Students to Hack. For Spectroscopy Society of Pittsburgh, Pittsburgh, PA. 15 January 2014. [PPTX]

Peter Chapman. What is a Hacker?. For ARCS Pittsburgh, Pittsburgh, PA. 12 November 2013. [PPTX]

Peter Chapman. picoCTF: Teaching 10,000 High School Students to Hack. For V-Unit, Pittsburgh, PA. 23 May 2013. [PPTX, Report PDF]

Peter Chapman. Secure Computation on Mobile Devices. For CS 1120 - Computing: Language, Logic, Machines, Charlottesville, VA. 2 December 2011. [PPTX, PDF]

Peter Chapman and David Evans. Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications. In 18th ACM Conference on Computer and Communications Security (CCS 2011), Chicago, IL. 19 October 2011. [PPTX, PDF]

Yan Huang, Peter Chapman, and David Evans. Privacy-Preserving Applications on Smartphones. 6th USENIX Workshop on Hot Topics in Security (HotSec 2011), San Francisco. 9 August 2011. [Slides, 29 slides] [Presentation Video, 15 min] [Post-Session Panel, 43 min]

Yan Huang, Peter Chapman, and David Evans. Secure Computation on Mobile Devices. Poster at IEEE Symposium on Security and Privacy, Berkeley, CA. 22-25 May 2011. [Poster] [Poster Abstract]

Peter Chapman and David Evans. Automated Black-box Detection of Side-Channel Vulnerabilities. Poster at 19th USENIX Security Symposium, Washington, DC. 11-13 August 2010. [Poster] [Poster Abstract]

Peter Chapman, Jeffrey Shirley, and David Evans. Monitoring User Actions for Better Malware Specifications. Poster at IEEE Symposium on Security and Privacy, Berkeley, CA. 16-19 May 2010. [Poster] [Poster Abstract]

Press

Secret Weapon Against Hacking: College Students - PBS NewsHour. 26 October 2013.

Project Lead the Way - Engineering Health. 11 September 2013.

Meet the Pioneers: An Interview with Peter Chapman - The Good MOOC. 24 June 2013.

Hacking Competition to Teach Students about Computer Science - Center for Digital Education. 24 April 2013.

Local Students Try to Crack the Code in Competition [MP4 Video] - Pittsburgh WPXI News. 15 April 2013.

Tools

CTF Platform

The picoCTF infrastructure is maintained as an open source project. The platform is built on Flask and MongoDB.

Man Fuzzer

To serve as a simple baseline measurement in a research project I wrote this script to create fuzz testing inputs using the manual pages and help options for command-line applications. The code is available on GitHub under an Apache License, Version 2.0.

Email Textifier

Working at Udacity I regularly sent emails to thousands of our active students. To facilitate this role I created an online tool to convert a well-formatted HTML email to something friendly to text-only email clients. It is also really handy for converting anything formatted into Markdown; you can paste right from your web browser, Word, etc.