Faculty Spotlight: Daniel Votipka
Daniel Votipka completed an MS in Information Security, Technology, and Management at Carnegie Mellon University and his PhD in Computer Science at the University of Maryland. His research focuses on computer security, with an emphasis on the human factors in security professional tasks, such as vulnerability discovery, network defense, and malware analysis.
Dan shared the following during an interview with Sandie Schulenburg from the CS front office:
What attracted you to Computer Science?
It’s a little hard for me to put my finger on exactly why I decided I wanted to get into CS. Growing up, I really had no idea what computer science or even programming really was. I didn't know anyone who knew how to program and a computer was basically just a fancy typewriter for all intents and purposes. That being said, I strongly remember knowing that I was going to be someone who wrote computer programs as early as middle school. By high school, I had decided I was going to work in computer security. I worked my whole sophomore summer mowing lawns to make enough money to pay tuition for an engineering camp the next year so I could learn the basics of programming (I wrote my first Java Hello World program and a few functions, but not much more). It wasn't really until I started my undergraduate degree that I really learned what programming was and how computers actually worked.
So, why did I decide, with no real evidence, that I wanted to work in computer science? One thing I do remember is that I was also interested in how things worked. I would find myself watching a piece of machinery operate and try to think through how the internals must work. Because of this, computer programs regularly caught my interest. First, unlike mechanical devices where you could see the parts moving and infer some of the process based on a basic understanding of physics, the underlying processes of computers were a black box to me, which piqued my curiosity. Also, because it's relatively low cost to write and run a new program, as opposed to fabricating a machine, programming felt immediately accessible (once I figured out the first steps). Therefore, I think I saw computer science as a field where I could jump in, tinker, and learn a lot, which I've found to be true throughout my career.
Tell us more about your research. Why did you choose that area and what are you hoping to learn?
Prior to starting my PhD, I worked as a reverse engineer at the NSA for three years. During that time, it became very clear that there wasn't much consideration of the people actually doing reverse engineering when RE tools were built. You basically needed to read a textbook on any particular tool before you could use it. Also, integrating any interesting security analysis into your pipeline was a significant challenge. When I started my PhD, I had some familiarity with the growing field of research into usability for end-users, but there wasn't much work considering these challenges faced by security professionals (who are still users, just of a generally more complex tool). So, I set out to better understand the needs of security professionals -- mostly in reverse engineering and vulnerability discovery -- but I also have done some work in network defense. This research has followed two directions. First, I've investigated how practitioners actually look for vulnerabilities and reverse engineer programs, using my findings to develop more usable tools for vulnerability discovery. I've also done work looking at how security is taught and thinking about ways we can improve the current model.
The research I've been doing in vulnerability discovery is still in its early phases, so I plan to continue this work. I'm looking for interesting ways we can apply lessons learned from how professionals find vulnerabilities to integrate advanced program analysis techniques into their workflow. For example, I'm currently working with Jeff Foster to develop more usable program analyses to better leverage human expertise in the analysis process. I'm also continuing to investigate the educational aspects of vulnerability discovery. This includes both developing and evaluating novel methods for education, but also investigating barriers to entry and retention for some students in the current ecosystem, with an eye toward improving diversity in the vulnerability discovery community. The high-level goal of my research is to democratize the vulnerability discovery process by building more usable tools that make the process more accessible, and improving education to bring more qualified people into the market.
Why did you choose to come to Tufts?
I chose Tufts because it just felt like a perfect fit for me. My research sits at the intersection of several fields--Security, Programming Languages, and human-computer interaction--so it was really great to know that I would have the opportunity to draw on the experiences of and work with outstanding researchers in each area.
Also, the close and supportive culture among the faculty was really admirable. This culture was evident from my interviews and all my discussions with people outside the department who had worked with the Tufts faculty. I was looking for a department where I knew any students I brought to Tufts would be well cared for; I know I have that at Tufts.
Tell us something about yourself that is unrelated to CS.
I'm the son of a U.S. Air Force pilot and I served four years in the Air Force (as a cyber-operation officer), so I've moved several times in my life (13 times). I call North Carolina home (I'm a die-hard Duke basketball fan), but the longest place I've ever lived in is Baltimore (during my PhD). I'm hoping Boston will move to the top of that list soon and I can finally settle down in one place for a long while.
The Department of Computer Science welcomes Dan to Boston and to Tufts!