Eric Pauley

CEO – Terrace Networks
Assistant Professor – Virginia Tech

Biography

I am co-founder and CEO of Terrace Networks, a startup that specializes in threat intelligence for public cloud control and data planes. I am also an incoming Assistant Professor in the Department of Computer Science at Virginia Tech.

I completed my Ph.D. in the Computer Sciences department at the University of Wisconsin–Madison, where I was advised by Professor Patrick McDaniel and was the lead graduate student in the McDaniel research group. Before coming to UW–Madison, I co-founded and sold an email marketing technology startup, Sendtric.

My research focuses on measuring and securing modern Internet service deployments, particularly in the context of cloud computing. Public clouds upend service deployment assumptions, leading to new risks. At the same time, attackers have adapted to this new reality by targeting cloud systems. However, through rigorous empirical study of these deployment models we can not only improve their security, but also provide practical insights towards securing the software supply chain. I have applied this same security measurement approach to other domains, such as software security (e.g., fuzzing), machine learning security, and Internet of Things.

Outside of work, I enjoy finding new ways to challenge myself. I am an instrument-rated private pilot and spend much of my free time flying/maintaining my aircraft, a Piper Arrow. I also enjoy ☕️ coffee, 🥾 backpacking, 🧗 rock climbing, 🦆 bird watching, 📷 photography, and combinations thereof.


Email (Terrace):	[email protected]
Email (VT):	[email protected]
Email (Personal):	[email protected]

Selected Publications

Eric Pauley, Kyle Domico, Blaine Hoak, Ryan Sheatsley, Quinn Burke, Yohan Beugin, Engin Kirda, Patrick McDaniel (2025).

Secure IP Address Allocation at Cloud Scale. Network and Distributed Systems Security Symposium (NDSS).

PDFCode

@inproceedings{pauley_secure_2025,
  address   = {San Diego, CA},
  title     = {Secure {IP} {Address} {Allocation} at {Cloud} {Scale}},
  booktitle = {2025 {Network} and {Distributed} {Systems} {Security} {Symposium} ({NDSS})},
  publisher = {Internet Society},
  author    = {Pauley, Eric and Domico, Kyle and Hoak, Blaine and Sheatsley, Ryan and Burke, Quinn and Beugin, Yohan and Kirda, Engin and McDaniel, Patrick},
  month     = feb,
  year      = {2025}
}

Eric Pauley, Paul Barford, Patrick McDaniel (2023).

The CVE Wayback Machine: Measuring Coordinated Disclosure from Exploits Against 2 Years of Zero-Days. 2023 ACM Internet Measurement Conference (IMC) (Best Paper Runner-Up).

PDFSlides DOI

@inproceedings{10.1145/3618257.3624810,
  author    = {Pauley, Eric and Barford, Paul and McDaniel, Patrick},
  title     = {The CVE Wayback Machine: Measuring Coordinated Disclosure from Exploits against Two Years of Zero-Days},
  year      = {2023},
  isbn      = {9798400703829},
  publisher = {Association for Computing Machinery},
  address   = {New York, NY, USA},
  url       = {https://doi.org/10.1145/3618257.3624810},
  doi       = {10.1145/3618257.3624810},
  booktitle = {Proceedings of the 2023 ACM on Internet Measurement Conference},
  pages     = {236–252},
  numpages  = {17},
  keywords  = {known exploited vulnerabilities, coordinated vulnerability disclosure, intrusion detection systems, honeypots, internet telescopes},
  location  = {Montreal QC, Canada},
  series    = {IMC '23}
}

Blaine Hoak, Ryan Sheatsley, Eric Pauley, Patrick McDaniel (2023).

The Space of Adversarial Strategies. 32nd USENIX Security Symposium.

PDFDOI

@inproceedings{shp+23,
  title     = {The Space of Adversarial Strategies},
  author    = {Ryan Sheatsley and Blaine Hoak and Eric Pauley and Patrick McDaniel},
  booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
  year      = {2023},
  month     = aug,
  publisher = {USENIX Association}
}

Eric Pauley, Paul Barford, Patrick McDaniel (2023).

DScope: A Cloud-Native Internet Telescope. 32nd USENIX Security Symposium (CSAW ARC Finalist).

PDF Project WebsiteSlides

@inproceedings{pauley_dscope_2023,
  address   = {Anaheim, CA},
  title     = {{DScope}: {A} {Cloud}-{Native} {Internet} {Telescope}},
  booktitle = {Proceedings of the 32nd {USENIX} {Security} {Symposium} ({USENIX} {Security} 2023, to appear)},
  publisher = {USENIX Association},
  author    = {Pauley, Eric and Barford, Paul and McDaniel, Patrick},
  month     = aug,
  year      = {2023}
}

Eric Pauley, Patrick McDaniel (2023).

Understanding the Ethical Frameworks of Internet Measurement Studies. 2nd International Workshop on Ethics in Computer Security (Best Paper).

PDFSlides DOI

@inproceedings{pauley_understanding_2023,
  address   = {San Diego, CA},
  title     = {Understanding the {Ethical} {Frameworks} of {Internet} {Measurement} {Studies}},
  booktitle = {The 2nd {International} {Workshop} on {Ethics} in {Computer} {Security} ({EthiCS} 2023)},
  author    = {Pauley, Eric and McDaniel, Patrick},
  month     = feb,
  year      = {2023},
  doi       = {10.14722/ethics.2023.239547}
}

Eric Pauley, Ryan Sheatsley, Blaine Hoak, Quinn Burke, Yohan Beugin, Patrick McDaniel (2022).

Measuring and Mitigating the Risk of IP Reuse on Public Clouds. Proceedings of the 43rd IEEE Symposium on Security and Privacy.

PDF FAQ Talk/SlidesDOI

@inproceedings{pauley_measuring_2022,
  title     = {Measuring and {Mitigating} the {Risk} of {IP} {Reuse} on {Public} {Clouds}},
  isbn      = {978-1-66541-316-9},
  url       = {https://www.computer.org/csdl/proceedings-article/sp/2022/131600b523/1CIO7rpcgSs},
  doi       = {10.1109/SP46214.2022.00094},
  abstract  = {Public clouds provide scalable and cost-efficient computing through resource sharing. However, moving from traditional on-premises service management to clouds introduces new challenges; failure to correctly provision, maintain, or decommission elastic services can lead to functional failure and vulnerability to attack. In this paper, we explore a broad class of attacks on clouds which we refer to as cloud squatting. In a cloud squatting attack, an adversary allocates resources in the cloud (e.g., IP addresses) and thereafter leverages latent configu- ration to exploit prior tenants. To measure and categorize cloud squatting we deployed a custom Internet telescope within the Amazon Web Services us-east-1 region. Using this apparatus, we deployed over 3 million servers receiving 1.5 million unique IP addresses (≈ 56\% of the available pool) over 101 days beginning in March of 2021. We identified 4 classes of cloud services, 7 classes of third-party services, and DNS as sources of exploitable latent configurations. We discovered that exploitable configurations were both common and in many cases extremely dangerous; we received over 5 million cloud messages, many containing sensitive data such as financial transactions, GPS location, and PII. Within the 7 classes of third-party services, we identified dozens of exploitable software systems spanning hundreds of servers (e.g., databases, caches, mobile applications, and web services). Lastly, we identified 5446 exploitable domains spanning 231 eTLDs—including 105 in the top 10 000 and 23 in the top 1000 popular domains. Through tenant disclosures we have identified several root causes, including (a) a lack of organizational controls, (b) poor service hygiene, and (c) failure to follow best practices. We conclude with a discussion of the space of possible mitigations and describe the mitigations to be deployed by Amazon in response to this study.},
  language  = {English},
  booktitle = {2022 {IEEE} {Symposium} on {Security} and {Privacy} ({SP})},
  publisher = {IEEE Computer Society},
  author    = {Pauley, Eric and Sheatsley, Ryan and Hoak, Blaine and Burke, Quinn and Beugin, Yohan and McDaniel, Patrick},
  month     = apr,
  year      = {2022},
  note      = {ISSN: 2375-1207},
  pages     = {1523--1523}
}

See all publications →

Eric Pauley

Biography

Selected Publications

Recent Posts

Farewell to the Era of Cheap EC2 Spot Instances

The Need for Standardized Secret Scanning

Leveraging Mispriced AWS Spot Instances for Fun and Savings