Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Publications by: Peter Mell (Fed)

Search Title, Abstract, Conference, Citation, Keyword or Author
Displaying 1 - 25 of 66

Measuring the Exploitation of Weaknesses in the Wild

June 26, 2024
Author(s)
Peter Mell, Irena Bojanova, Carlos Eduardo Cardoso Galhardo
Identifying the software weaknesses exploited by attacks supports efforts to reduce developer introduction of vulnerabilities and to guide security code review efforts. A weakness is a bug or fault type that can be exploited through an operation that

Non-Fungible Token Security

March 1, 2024
Author(s)
Peter Mell, Dylan Yaga
Non-fungible token (NFT) technology provides a mechanism to enable real assets (both virtual and physical) to be sold and exchanged on a blockchain. While NFTs are most often used for autographing digital assets (associating one's name with a digital

Understanding Stablecoin Technology and Related Security Considerations

September 5, 2023
Author(s)
Peter Mell, Dylan Yaga
Stablecoins are cryptocurrencies whose price is pegged to that of another asset (typically one with low price volatility). The market for stablecoins has grown tremendously – up to almost $200 billion USD in 2022. These coins are being used extensively in

Recommendations for Federal Vulnerability Disclosure Guidelines

May 24, 2023
Author(s)
Kim B. Schaffer, Peter Mell, Hung Trinh, Isabel Van Wyk
Receiving reports on suspected security vulnerabilities in information systems is one of the best ways for developers and services to become aware of issues. Formalizing actions to accept, assess, and manage vulnerability disclosure reports can help reduce

Empirical Validation of Automated Vulnerability Curation and Characterization

February 23, 2023
Author(s)
Ahmet Okutan, Peter Mell, Medhi Mirakhorli, Igor Khokhlov, Joanna Santos, Danielle Gonzalez, Steven Simmons
Prior research has shown that public vulnerability systems such as US National Vulnerability Database (NVD) rely on a manual, time-consuming, and error-prone process which has led to inconsistencies and delays in releasing final vulnerability results. This

Measuring the Common Vulnerability Scoring System Base Score Equation

November 15, 2022
Author(s)
Peter Mell, Jonathan Spring, Dave Dugal, Srividya Ananthakrishna, Francesco Casotto, Troy Fridley, Christopher Ganas, Arkadeep Kundu, Phillip Nordwall, Vijayamurugan Pushpanathan, Daniel Sommerfeld, Matt Tesauro, Christopher Turner
This work evaluates the validity of the Common Vulnerability Scoring System (CVSS) Version 3 ''base score'' equation in capturing the expert opinion of its maintainers. CVSS is a widely used industry standard for rating the severity of information

A Decade of Reoccurring Software Weaknesses

June 24, 2021
Author(s)
Assane Gueye, Carlos Galhardo, Irena Bojanova, Peter Mell
The Common Weakness Enumeration (CWE) community publishes an aggregate metric to calculate the 'Most Dangerous Software Errors.' However, the used equation highly biases frequency and almost ignores exploitability and impact. We provide a metric to

A Historical and Statistical Study of the Software Vulnerability Landscape

April 18, 2021
Author(s)
Assane Gueye, Peter Mell
Understanding the landscape of software vulnerabilities is key for developing effective security solutions. Fortunately, the evaluation of vulnerability databases that use a framework for communicating vulnerability attributes and their severity scores

Measurements of the Most Significant Software Security Weaknesses

December 6, 2020
Author(s)
Carlos E. Cardoso Galhardo, Peter Mell, Irena Bojanova, Assane Gueye
In this work, we provide a metric to calculate the most significant software security weaknesses as defined by an aggregate metric of the frequency, exploitability, and impact of related vulnerabilities. The Common Weakness Enumeration (CWE) is a well

A Taxonomic Approach to Understanding Emerging Blockchain Identity Management Systems

January 14, 2020
Author(s)
Loic D. Lesavre, Priam C. Varin, Peter M. Mell, Michael S. Davidson, James Shook
Identity management systems (IDMSs) are widely used to provision user identities while managing authentication, authorization, and data sharing within organizations and on the web. Traditional identity systems typically suffer from single points of failure

Augmenting Fiat Currency with an Integrated Managed Cryptocurrency

November 24, 2019
Author(s)
Peter M. Mell
In this work, we investigate how the governance features of a managed currency (e.g., a fiat currency) can be built into a cryptocurrency in order to leverage potential benefits found in the use of blockchain technology and smart contracts. The resulting

Implementing a Protocol Native Managed Cryptocurrency

November 24, 2019
Author(s)
Peter M. Mell, Aurelien M. Delaitre, Frederic J. de Vaulx, Philippe J. Dessauw
Previous work presented a theoretical model based on the implicit Bitcoin specification for how an entity might issue a cryptocurrency that mimics features of fiat currencies. Novel to this work were mechanisms by which the issuing entity could manage the

Blockchain Technology Overview

October 3, 2018
Author(s)
Dylan J. Yaga, Peter M. Mell, Nik Roby, Karen Scarfone
Blockchains are tamper evident and tamper resistant digital ledgers implemented in a distributed fashion (i.e., without a central repository) and usually without a central authority (i.e., a bank, company, or government). At their basic level, they enable

Quantifying Information Exposure in Internet Routing

September 6, 2018
Author(s)
Peter M. Mell, Assane Gueye, Christopher A. Schanzle
Data sent over the Internet can be monitored and manipulated by intermediate entities in the data path from the source to the destination. For unencrypted communications (and some encrypted communications with known weaknesses), eavesdropping and man-in

Cryptocurrency Smart Contracts for Distributed Consensus of Public Randomness

October 7, 2017
Author(s)
Peter M. Mell, John M. Kelsey, James Shook
Most modern electronic devices can produce a random number. However, it is dicult to see how a group of mutually distrusting entities can have con dence in any such hardware-produced stream of random numbers, since the producer could control the output to

Measuring and Improving the Effectiveness of Defense-in-Depth Postures

January 26, 2017
Author(s)
Peter M. Mell, James Shook, Richard Harang
Defense-in-depth is an important security architecture principle that has significant application to industrial control systems (ICS), cloud services, storehouses of sensitive data, and many other areas. We claim that an ideal defense-in-depth posture is