Mike Hicks on

Automatically Synthesizing Structured Input Generators

Thu, 29 Jan 2026 16:20:06 -0500

Overview

The goal of this project is to build PL/formal methods-based technology, in combination with GenAI, that can automate the synthesis of test input generators. Such generators are useful property-based testing, model-based testing, differential testing, fuzz testing, and other automated testing setups. Generators for complex inputs formats, such as those used for testing compilers, are quite labor intensive to write by hand, and they are easy to get wrong. Our goal is to bring proof-based technology in the Lean programming language together with the power of GenAI to produce efficient, effective, and proved correct generators.

Publications

Wed, 01 Oct 2025 00:00:00 +0000

Redirecting to publications page…

Fuzz Testing & Property-Based Testing

Fri, 02 Jan 2026 10:01:26 -0500

Overview

Fuzz testing (fuzzing) and property-based testing are powerful techniques for automatically finding bugs and security vulnerabilities in software. My research focuses on making these techniques more effective, easier to use, and applicable to a wider range of software systems. A key area of current interest is how GenAI-driven coding can improve, and be improved by, these testing techniques.

Measuring Cybersecurity

Fri, 02 Jan 2026 10:01:26 -0500

Overview

A fundamental challenge in cybersecurity is connecting innovations to their real-world impact. How do we know if a new security tool, technique, or policy actually makes people safer? How do we assess the effectiveness of secure development practices? My research aims to apply empirical measurements to better understand and improve cybersecurity outcomes.

Cedar & Authorization

Fri, 02 Jan 2026 10:01:26 -0500

Overview

Cedar is a domain-specific language for writing and enforcing authorization policies. You write Cedar policies to say who can do what in your application, which invokes the Cedar authorization engine to allow/deny each user request. Cedar is designed to be:

Expressive: Rich enough to encode complex authorization requirements
Fast: Efficient authorization decisions even at cloud scale
Safe: Type system prevents common policy errors
Analyzable: Automated reasoning can verify policy properties

Cedar demonstrates how programming language techniques — type systems, formal semantics, verification — can underpin practical, high-assurance security tools. I co-led Cedar’s development (with Emina Torlak) during 2022-2024 while full-time at Amazon Web Services, and I’m still involved today as a Cedar user and maintainer.

Research Group

Fri, 02 Jan 2026 10:01:26 -0500

Hiring

I am currently looking for talented PhD students to work on projects in computer security and software quality! See my research summary for an overview, including in-flight projects, and my publications for specific past work.

Current and former group

Since I’ve been at Penn, I am pleased to be working with Noopur Bhatt (advised by Sebastian Angel) and Thia Richey and Joe Cutler (both advised by Benjamin Pierce).

Talks

Fri, 21 Nov 2025 08:04:13 -0500

Professional Activities

Fri, 02 Jan 2026 10:01:26 -0500

I was the Chair (2015-2018) and Past Chair (2018-2021) of ACM SIGPLAN; I was the Steering Committee Chair for POPL (2018-2021); Founder and Editor of PL Perspectives, the SIGPLAN blog (2019-2021); an Associate Editor for TOPLAS (2012-2016); and I have served (or am serving) on the following committees:

2026	OOPSLA, S&P
2025	CSF
2024	POPL
2023	PLDI (Area Chair), PACMPL (Editor in Chief, until Nov 2028)
2022	S&P
2021	PLDI, OOPSLA, ASPLOS (ERC)
2020	PLanQC (co-organizer), PLDI (ERC)
2019	POPL SRC, ASPLOS (ERC), SNAPL, CCS (Area Chair), SecDev
2018	POST, S&P (Area Chair), SecDev
2017	S&P, ESSoS, CCS, USENIX ASE, SecDev
2016	PLDI, CSF (PC co-chair), USENIX ASE, SecDev (PC chair), CSAW (judge)
2015	S&P, CSF (PC co-chair), SNAPL
2014	OBT, CSF, OOPSLA/SPLASH
2013	POPL (ERC), PLDI
2012	POPL (PC chair), HotSWUp
2011	TLDI, HotSWUp (co-organizer), OOPSLA
2010	ESOP, PLDI (ERC and tutorials chair), ICFP (PC and local arrangements), PASTE
2009	POPL, S&P, PLDI SRC
2008	CCS, CATARS, COORDINATION, ISMM (ERC)
2007	PLAS (general and PC chair), OOPSLA, COORDINATION, PLDI
2006	FTfJP, PLAS, SPACE, OOPS (part of SAC 2006) (part of SAC 2006)
2005	SCOOL, VEE
2004	IWAN, ICPP, FUSE
2003	IWAN, USE
2002	IWAN, USE
2001	IWAN

Hello, World: A New Blog

Thu, 12 Mar 2026 00:00:00 +0000

Welcome to my blog. After years of inactivity on the blogging front, I feel I have the time and energy to start writing again. The PL Enthusiast will remain where it is, and new thoughts will show up here.

What to expect

I plan to write about topics I think about in my research and teaching.

Secure System Engineering and Management: A Data-Driven Approach

Thu, 01 Jan 2026 00:00:00 +0000

About

In this course, students learn techniques for building, deploying, and maintaining secure systems. As computer security is a constantly evolving field, the course places particular emphasis on means to empirically evaluate security technology, processes, and operational practices. As security is always in support of a primary activity and resources are limited, the course also places emphasis on strong communications, using evidence and empathy to explain and collaborate on security needs. Course activities include reading and discussing technical papers and other communications; carrying out five homework projects, on technical and non-technical topics; and taking a midterm and final exam.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamic Inference of Static Types for Ruby. Jong hoon (David) An, Avik Chaudhuri, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), pages 459–472, January 2011.

There have been several efforts to bring static type inference to object-oriented dynamic languages such as Ruby, Python, and Perl. In our experience, however, such type inference systems are extremely difficult to develop, because dynamic languages are typically complex, poorly specified, and include features, such as eval and reflection, that are hard to analyze.

In this paper, we introduce constraint-based dynamic type inference, a technique that infers static types based on dynamic program executions. In our approach, we wrap each run-time value to associate it with a type variable, and the wrapper generates constraints on this type variable when the wrapped value is used. This technique avoids many of the often overly conservative approximations of static tools, as constraints are generated based on how values are used during actual program runs. Using wrappers is also easy to implement, since we need only write a constraint resolution algorithm and a transformation to introduce the wrappers. The best part is that we can eat our cake, too: our algorithm will infer sound types as long as it observes every path through each method body—note that the number of such paths may be dramatically smaller than the number of paths through the program as a whole.

We have developed Rubydust, an implementation of our algorithm for Ruby. Rubydust takes advantage of Ruby’s dynamic features to implement wrappers as a language library. We applied Rubydust to a number of small programs and found it to be both easy to use and useful: Rubydust discovered 1 real type error, and all other inferred types were correct and readable.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Scalable Resource Control in Active Networks. Kostas G. Anagnostakis, Michael W. Hicks, Sotiris Ioannidis, Angelos D. Keromytis, and Jonathan M. Smith. In Hiroshi Yashuda, editor, Proceedings of the Second International Working Conference on Active Networks (IWAN), volume 1942 of Lecture Notes in Computer Science, pages 343–358. Springer-Verlag, October 2000.

The increased complexity of the service model relative to store-and-forward routers, has made resource management one of the paramount concerns in active networking research and engineering. Previous work investigated methods for controlling access to resources by restricting namespaces or providing limited functionality in a domain-specific language. Combinations of these methods and scheduling technologies have also been used to demonstrate a resource-managed node architecture. In this paper, we address Two major challenges in scaling resource management to many-node active networks. The first is the use of market mechanisms and trading amongst nodes and programs with varying degrees of competition and cooperation to provide a scalable approach to managing active network resources. The second is the use of a trust-management architecture to ensure that the participants in the resource management marketplace have a policy-driven “rule of law” in which marketplace decisions can be made and relied upon. We have used lottery scheduling and the Keynote trust-management system for our implementation, for which we provide some initial performance indications.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Decomposition Instead of Self-Composition for Proving the Absence of Timing Channels. Timos Antonopoulos, Paul Gazzillo, Michael Hicks, Eric Koskinen, Tachio Terauchi, and Shiyi Wei. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), June 2017.

We present a novel approach to proving the absence of timing channels. The idea is to partition the program’s execution traces in such a way that each partition component is checked for timing attack resilience by a time complexity analysis and that per-component resilience implies the resilience of the whole program. We construct a partition by splitting the program traces at secret-independent branches. This ensures that any pair of traces with the same public input has a component containing both traces. Crucially, the per-component checks can be normal safety properties expressed in terms of a single execution. Our approach is thus in contrast to prior approaches, such as self-composition, that aim to reason about multiple (k>=2) executions at once.

We formalize the above as an approach called quotient partitioning, generalized to any k-safety property, and prove it to be sound. A key feature of our approach is a demand-driven partitioning strategy that uses a regex-like notion called trails to identify sets of execution traces, particularly those influenced by tainted (or secret) data. We have applied our technique in a prototype implementation tool called Blazer, based on WALA, PPL, and the brics automaton library. We have proved timing-channel freedom of (or synthesized an attack specification for) 24 programs written in Java bytecode, including 6 classic examples from the literature and 6 examples extracted from the DARPA STAC challenge problems.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

BullFrog: Online Schema Evolution via Lazy Evaluation. Souvik Bhattacherjee, Gang Liao, Michael Hicks, and Daniel J. Abadi. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), June 2021.

BullFrog is a relational DBMS that supports single-step schema migrations—even those that are backwards incompatible—without downtime, and without need for advanced warning. When a schema migration is submitted, BullFrog initiates a logical switch to the new schema, but physically migrates affected data lazily, as it is accessed by incoming transactions. BullFrog’s internal concurrency control algorithms and data structures enable concurrent processing of schema migration operations with post-migration transactions, while ensuring exactly-once migration of all old data into the physical layout required by the new schema. BullFrog is implemented as an open source extension to PostgreSQL. Experiments using this prototype over a TPC-C based workload (supplemented to include schema migrations) show that BullFrog can achieve zero-downtime migration to non-trivial new schemas with near-invisible impact on transaction throughput and latency.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Formalizing Dynamic Software Updating. Gavin Bierman, Michael Hicks, Peter Sewell, and Gareth Stoyle. In On-line Proceedings of the Second International Workshop on Unanticipated Software Evolution (USE), April 2003.

http://www.informatik.uni-bonn.de/~gk/use/2003/Papers/papers.html.

Dynamic software updating (DSU) enables running programs to be updated with new code and data without interrupting their execution. A number of DSU systems have been designed, but there is still little rigorous understanding of how to use DSU technology so that updates are safe. As a first step in this direction, we introduce a small update calculus with a precise mathematical semantics. The calculus is formulated as an extension of a typed lambda calculus, and supports updating technology similar to that of the programming language Erlang. Our goal is to provide a simple yet expressive foundation for reasoning about dynamically updateable software. In this paper, we present the details of the calculus, give some examples of its expressive power, and discuss how it might be used or extended to guarantee safety properties.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamic Rebinding for Marshalling and Update with Destruct-time λ. Gavin Bierman, Michael Hicks, Peter Sewell, Gareth Stoyle, and Keith Wansbrough. In Proceedings of the ACM International Conference on Functional Programming (ICFP), pages 99–110, August 2003.

Most programming languages adopt static binding, but for distributed programming an exclusive reliance on static binding is too restrictive: dynamic binding is required in various guises. Typically it is provided only by ad-hoc mechanisms that lack clean semantics. In this paper we adopt a more foundational approach, showing how core dynamic rebinding mechanisms can be added to a CBV λ-calculus. To do so we first develop two refinements of the CBV reduction strategy with delayed instantiation, the redex-time and destruct-time semantics. Delayed instantiation ensures we obtain the most recent version of a definition following a rebinding. The destruct-time semantics gives the basis for a λ_marsh calculus that supports dynamic rebinding, with primitives to package values and marks to control which identifiers are dynamically rebound when they are unpackaged. We extend λ_marsh with concurrency and communication, giving examples showing how wrappers for encapsulating untrusted code can be expressed, and discuss the extent to which it can be statically typed. Finally, we use the destruct-time semantics also as a basis for a λ_update calculus with simple primitives to provide type-safe, dynamic updating of code. We thereby put a variety of real-world mechanisms on a common semantic foundation.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

A Multimodal Study of Challenges Using Rust. Michael Coblenz, April Porter, Varun Das, Teja Nallagorla, and Michael Hicks. In Proceedings of the Workshop on the Evaluation and Usability of Programming Languages and Tools (PLATEAU), February 2023.

Rust is a programming language that provides strong safety properties, but does so at a usability cost. We conducted an observational study of Rust learners and a thematic analysis of StackOverflow posts about Rust to identify opportunities for improvement in Rust’s usability. Key challenges that we observed included syntactic challenges posed by the ? operator, block-terminal statements, and automatic dereferencing; late delivery of error messages; and the opacity of Rust errors resulting in programmers being unable to identify whether their partial fixes represented progress. We describe a collection of opportunities for improvement that leverage the compiler and the IDE.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Combining Provenance and Security Policies in a Web-based Document Management System. Brian Corcoran, Nikhil Swamy, and Michael Hicks. In On-line Proceedings of the Workshop on Principles of Provenance (PrOPr), November 2007. http://homepages.inf.ed.ac.uk/jcheney/propr/.

Provenance and security are intimately related. Cheney et al. show that the dependencies underlying provenance information also underly information flow security policies. Provenance information can also play a role in history-based access control policies. Many real applications have the need to combine a variety of security policies with provenance tracking. For instance, an online stock trading website might restrict access to certain premium features it offers using an access control policy, while at the same time using an information flow policy to ensure that a user’s sensitive trading information is not leaked to other users. Similarly, the application might need to track the provenance of transaction information to support an annual financial audit while also using provenance to attest to the reliability of stock analyses that it presents to its users.

We have been exploring the interaction between provenance and security policies while developing a document management system we call the Collaborative Planning Application (CPA). The CPA is written in SELinks, our language for supporting user-defined, label-based security policies. SELinks is an extension of the Links web-programming language with means to express label-based security policies. Labels are associated with the data they protect by using dependent types which, along with some syntactic restrictions, suffice to ensure that user-defined policies enjoy complete mediation and cannot be circumvented. Our interest in provenance and security policies is thus part of a broader exploration of how security policies can be encoded, composed, and reasoned about within SELinks. In this paper, we describe the architecture of the CPA and its approach to label-based provenance and security policies and we sketch directions for further exploration on the interaction between the two.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Cross-tier, Label-based Security Enforcement for Web Applications. Brian J. Corcoran, Nikhil Swamy, and Michael Hicks. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 269–282, June 2009.

This paper presents SELinks, a programming language focused on building secure multi-tier web applications. SELinks provides a uniform programming model, in the style of LINQ and Ruby on Rails, with language syntax for accessing objects residing either in the database or at the server. Object-level security policies are expressed as fully-customizable, first-class labels which may themselves be subject to security policies. Access to labeled data is mediated via trusted, user-provided policy enforcement functions.

SELinks has two novel features that ensure security policies are enforced correctly and efficiently. First, SELinks implements a type system called Fable that allows a protected object’s type to refer to its protecting label. The type system can check that labeled data is never accessed directly by the program without first consulting the appropriate policy enforcement function. Second, SELinks compiles policy enforcement code to database-resident user-defined functions that can be called directly during query processing. Database-side checking avoids transferring data to the server needlessly, while still allowing policies to be expressed in a customizable and portable manner.

Our experience with two sizable web applications, a model health-care database and a secure wiki with fine-grained security policies, indicates that cross-tier policy enforcement in SELinks is flexible, relatively easy to use, and, when compared to a single-tier approach, improves throughput by nearly an order of magnitude. SELinks is freely available.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Safe and Flexible Dynamic Linking of Native Code. Michael Hicks, Stephanie Weirich, and Karl Crary. In Robert Harper, editor, Proceedings of the ACM SIGPLAN Workshop on Types in Compilation (TIC), volume 2071 of Lecture Notes in Computer Science. Springer-Verlag, September 2000.

We present the design and implementation of the first complete framework for flexible and safe dynamic linking of native code. Our approach extends Typed Assembly Language with a primitive for loading and typechecking code, which is flexible enough to support a variety of linking strategies, but simple enough that it does not significantly expand the trusted computing base. Using this primitive, along with the ability to compute with types, we show that we can program many existing dynamic linking approaches. As a concrete demonstration, we have used our framework to implement dynamic linking for a type-safe dialect of C, closely modeled after the standard linking facility for Unix C programs. Aside from the unavoidable cost of verification, our implementation performs comparably with the standard, untyped approach.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Symphony: A Concise Language Model for MPC. Ian Sweet, David Darais, David Heath, Ryan Estes, William Harris, and Michael Hicks. In Informal Proceedings of the Workshop on Foundations on Computer Secuirty (FCS), June 2021.

Secure multi-party computation (MPC) allows mutually distrusting parties to cooperatively compute, using a cryptographic protocol, a function over their private data. This short paper presents Symphony, an expressive yet concise domain-specific language for expressing MPCs. Symphony starts with the standard, simply-typed λ calculus extended with integers, sums, products, recursive types, and references. It layers on two additional elements: (1) A datatype representing secret shares, which are the basis of multiparty computation, and (2) a simple mechanism called par blocks to express which scopes are to be executed by which parties, and which determine to whom various data values are visible at any given time. The meaning of a Symphony program can be expressed using a single-threaded semantics even though in actuality the program will be run by multiple communicating parties in parallel. Our distributed semantics is expressed naturally as piecewise, single-threaded steps of slices of the program among its parties. We prove that these two semantic interpretations of a program coincide, and we prove a standard type soundness result. To demonstrate Symphony’s expressiveness, we have built an interpreter for it (with some extensions) and used it to implement a number of realistic MPC applications, including sorting, statistical and numeric computations, and private information retrieval.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Automating NISQ Application Design with Meta Quantum Circuits with Constraints (MQCC). Haowei Deng, Yuxiang Peng, Michael Hicks, and Xiaodi Wu. ACM Transactions on Quantum Computing (TQC), 4(3), April 2023.

Near-term intermediate scale quantum (NISQ) computers are likely to have very restricted hardware resources, where precisely controllable qubits are expensive, error-prone, and scarce. Programmers of such computers must therefore balance trade-offs among a large number of (potentially heterogeneous) factors specific to the targeted application and quantum hardware. To assist them, we propose Meta Quantum Circuits with Constraints (MQCC), a meta-programming framework for quantum programs. Programmers express their application as a succinct collection of normal quantum circuits stitched together by a set of (manually or automatically) added meta-level choice variables, whose values are constrained according to a programmable set of quantitative optimization criteria. MQCC’s compiler generates the appropriate constraints and solves them via an SMT solver, producing an optimized, runnable program. We showcase a few MQCC’s applications for its generality including an automatic generation of efficient error syndrome extraction schemes for fault-tolerant quantum error correction with heterogeneous qubits and an approach to writing approximate quantum Fourier transformation and quantum phase estimation that smoothly trades off accuracy and resource use. We also illustrate that MQCC can easily encode prior one-off NISQ application designs —multi-programming (MP), crosstalk mitigation (CM)— as well as a combination of their optimization goals (i.e., a combined MP-CM).

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Toward On-line Schema Evolution for Non-stop Systems. Amol Deshpande and Michael Hicks. Presented at the 11th High Performance Transaction Systems Workshop, September 2005.

Considers how to perform handle database schema evolution for on-line systems that are actively using the database whose schema is to be changed.

[ .pdf ]

@misc{despande05dbupdate,
 author = {Amol Deshpande and Michael Hicks},
 title = {Toward On-line Schema Evolution for Non-stop Systems},
 howpublished = {Presented at the 11th High Performance Transaction Systems Workshop},
 month = {September},
 location = {Pacific Grove, CA},
 year = 2005
}

This file was generated by bibtex2html 1.99.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Checked C: Making C Safe by Extension. Archibald Samuel Elliott, Andrew Ruef, Michael Hicks, and David Tarditi. In Proceedings of the IEEE Conference on Secure Development (SecDev), September 2018.

This paper presents Checked C, an extension to C designed to support spatial safety, implemented in Clang and LLVM. Checked C’s design is distinguished by its focus on backward-compatibility, incremental conversion, developer control, and enabling highly performant code. Like past approaches to a safer C, Checked C employs a form of checked pointer whose accesses can be statically or dynamically verified. Performance evaluation on a set of standard benchmark programs shows overheads to be relatively low. More interestingly, Checked C introduces the notions of a checked region and bounds-safe interfaces.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Improving Software Quality with Static Analysis. Jeffrey S. Foster, Michael W. Hicks, and William Pugh. In Proceedings of the ACM Workshop on Program Analysis for Software Tools and Engineering (PASTE), pages 83–84, June 2007.

At the University of Maryland, we have been working to improve the reliability and security of software by developing new, effective static analysis tools. These tools scan software for bug patterns or show that the software is free from a particular class of defects. There are two themes common to our different projects:

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Benefits and Drawbacks of Adopting a Secure Programming Language: Rust as a Case Study. Kelsey Fulton, Anna Chan, Dan Votipka, Michael Hicks, and Michelle Mazurek. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS), August 2021.

Programming languages such as Rust and Go were developed to combat common and potentially devastating memory-safety-related vulnerabilities. Adoption of new, more secure languages is often seen as fraught and complex. We use Rust as a case study to better understand the benefits and challenges associated with this adoption. To this end, we conducted semi-structured interviews with professional, primarily senior software developers who have worked to introduce or worked with Rust on their teams (n = 16) and deployed a survey to the Rust development community (n = 178). We asked participants about their personal experiences using Rust, as well as experiences using Rust at their companies. We find a range of positive features, including good tooling and documentation, benefits for the development lifecycle, and improvement of overall secure coding skills, as well as drawbacks including a steep learning curve, limited library support, and concerns about the ability to hire additional Rust developers in the future. Our results have implications for promoting the adoption of Rust specifically and secure programming languages and tools more generally.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Understanding the how and the why: Exploring secure development practices through a course competition. Kelsey R. Fulton, Daniel Votipka, Desiree Abrokwa, Michelle L. Mazurek, Michael Hicks, and James Parker. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), October 2022.

This paper presents the results of in-depth study of 14 teams’ development processes during a three-week undergraduate course organized around a secure coding competition. Contest participants were expected to first build code to a specification—emphasizing correctness, performance, and security—and then to find vulnerabilities in other teams’ code while fixing discovered vulnerabilities in their own code. Our study aimed to understand why developers introduce different vulnerabilities, the ways they evaluate programs for vulnerabilities, and why different vulnerabilities are (not) found and (not) fixed. We used iterative open coding to systematically analyze contest data including code, commit messages, and team design documents. Our results point to the importance of existing best practices for secure development, the use of security tools, and development team organization.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Static Type Inference for Ruby. Michael Furr, Jong hoon (David) An, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the ACM Symposium on Applied Computing, Object-oriented Programming Languages and Systems Track (OOPS), pages 1859–1866, March 2009.

Many general-purpose, object-oriented scripting languages are dynamically typed, which provides flexibility but leaves the programmer without the benefits of static typing, including early error detection and the documentation provided by type annotations. This paper describes Diamondback Ruby (DRuby), a tool that blends Ruby’s dynamic type system with a static typing discipline. DRuby provides a type language that is rich enough to precisely type Ruby code we have encountered, without unneeded complexity. When possible, DRuby infers static types to discover type errors in Ruby programs. When necessary, the programmer can provide DRuby with annotations that assign static types to dynamic code. These annotations are checked at run time, isolating type errors to unverified code. We applied DRuby to a suite of benchmarks and found several bugs that would cause run-time type errors. DRuby also reported a number of warnings that reveal questionable programming practices in the benchmarks. We believe that DRuby takes a major step toward bringing the benefits of combined static and dynamic typing to Ruby and other object-oriented languages.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

The Ruby Intermediate Language. Michael Furr, Jong hoon (David) An, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the ACM SIGPLAN Dynamic Languages Symposium (DLS), pages 89–98, October 2009.

Ruby is a popular, dynamic scripting language that aims to “feel natural to programmers” and give users the “freedom to choose” among many different ways of doing the same thing. While this arguably makes programming in Ruby easier, it makes it hard to build analysis and transformation tools that operate on Ruby source code. In this paper, we present the Ruby Intermediate Language (RIL), a Ruby front-end and intermediate representation that addresses these challenges. Our system includes an extensible GLR parser for Ruby, and an automatic translation into RIL, an easy-to-analyze intermediate form. This translation eliminates redundant language constructs, unravels the often subtle ordering among side effecting operations, and makes implicit interpreter operations explicit in its representation.

We demonstrate the usefulness of RIL by presenting a simple static analysis and source code transformation to eliminate null pointer errors in Ruby programs. We also describe several additional useful features of RIL, including a pretty printer that outputs RIL as syntactically valid Ruby code, a dataflow analysis engine, and a dynamic instrumentation library for profiling source code. We hope that RIL’s features will enable others to more easily build analysis tools for Ruby, and that our design will inspire the creation of similar frameworks for other dynamic languages.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Tests to the Left of Me, Types to the Right: How Not to Get Stuck in the Middle of a Ruby Execution (A Demo of Diamondback Ruby). Michael Furr, Jong hoon (David) An, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the Workshop on Scripts to Programs (STOP), July 2009.

Ruby is a popular dynamic scripting language that permits terse, expressive code, but provides no static checks to detect errors before running the program. To address this, we have developed Diamondback Ruby (DRuby), a tool that blends the beneﬁts of static and dynamic typing. This paper brieﬂy describes the main features of DRuby, which we will present in a tool demonstration. The presentation will concentrate on the development of a small, statically typed Ruby program, illustrating how DRuby might be used in practice. The audience will learn about some of the practical design decisions that went into DRuby, and how to use it to develop a type-safe Ruby program.

[ .pdf ]

@inproceedings{furr09stop,
title = {Tests to the Left of Me, Types to the Right: How Not to Get Stuck in the Middle of a {Ruby} Execution (A Demo of Diamondback Ruby)},
author = {Michael Furr and Jong-hoon (David) An and Jeffrey S. Foster and Michael Hicks},
booktitle = {Proceedings of the Workshop on Scripts to Programs (STOP)},
year = 2009,
month = jul
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Cyclone: a Type-safe Dialect of C. Dan Grossman, Michael Hicks, Trevor Jim, and Greg Morrisett. C/C++ Users Journal, 23(1), January 2005.

Cyclone is an effort to bring safety to C. This article briefly introduces Cyclone.

[ http | .pdf ]

@article{grossman04cuj,
 author = {Dan Grossman and Michael Hicks and Trevor Jim and Greg Morrisett},
 title = {Cyclone: a Type-safe Dialect of {C}},
 journal = {{C/C++} Users Journal},
 volume = 23,
 number = 1,
 month = {January},
 year = 2005,
 http = {http://cyclone.thelanguage.org}
}

This file was generated by bibtex2html 1.99.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Formal Type Soundness for Cyclone’s Region System. Dan Grossman, Greg Morrisett, Trevor Jim, Michael Hicks, Yanling Wang, and James Cheney. Technical Report CS 2001-1856, Cornell University, November 2001.

[ .pdf ]

@techreport{GrossmanMJHWC02tr,
author = {Dan Grossman and Greg Morrisett and Trevor Jim and Michael Hicks and Yanling Wang and James Cheney},
title = {Formal Type Soundness for {Cyclone}’s Region System},
number = {CS 2001-1856},
month = nov,
year = 2001,
institution = {Cornell University}
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

A demo of Coco: a compiler for monadic coercions in ML. Nataliya Guts, Michael Hicks, Nikhil Swamy, and Daan Leijen. In Informal proceedings of the ML Workshop, September 2011.

Combining monadic computations may induce a significant syntactic overhead. To allow monadic programming in direct style, we have developed Coco, a type-based tool that automatically rewrites ML code inserting necessary binds, unit, and morphisms between monads. This tool demonstration will show how to take advantage of Coco to facilitate using monadic libraries in practice, and will discuss possible future development of Coco to fit the actual needs of programmers.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Adapton: Composable, Demand-Driven Incremental Computation. Matthew Hammer, Yit Phang Khoo, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), June 2014.

Many researchers have proposed programming languages that support incremental computation (IC), which allows programs to be efficiently re-executed after a small change to the input. However, existing implementations of such languages have two important drawbacks. First, recomputation is oblivious to specific demands on the program output; that is, if a program input changes, all dependencies will be recomputed, even if an observer no longer requires certain outputs. Second, programs are made incremental as a unit, with little or no support for reusing results outside of their original context, e.g., when reordered.

To address these problems, we present λ^CDD_IC, a core calculus that applies a demand-driven semantics to incremental computation, tracking changes in a hierarchical fashion in a novel demanded computation graph. λ^CDD_IC also formalizes an explicit separation between inner, incremental computations and outer observers. This combination ensures λ^CDD_IC programs only recompute computations as demanded by observers, and allows inner computations to be reused more liberally. We present Adapton, an OCaml library implementing λ^CDD_IC. We evaluated Adapton on a range of benchmarks, and found that it provides reliable speedups, and in many cases dramatically outperforms state-of-the-art IC approaches.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Incremental Computation with Names. Matthew Hammer, Kyle Headley, Nicholas Labich, Jeffrey S. Foster, Michael Hicks, David Van Horn, and Jana Dunfield. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), October 2015.

Over the past thirty years, there has been significant progress in developing general-purpose, language-based approaches to incremental computation, which aims to efficiently update the result of a computation when an input is changed. A key design challenge in such approaches is how to provide efficient incremental support for a broad range of programs. In this paper, we argue that first-class names are a critical linguistic feature for efficient incremental computation. Names identify computations to be reused across differing runs of a program, and making them first class gives programmers a high level of control over reuse. We demonstrate the benefits of names by presenting Nominal Adapton, an ML-like language for incremental computation with names. We describe how to use Nominal Adapton to efficiently incrementalize several standard programming patterns—including maps, folds, and unfolds—and show how to build efficient, incremental probabilistic trees and tries. Since Nominal Adapton’s implementation is subtle, we formalize it as a core calculus and prove it is from-scratch consistent, meaning it always produces the same answer as simply re-running the computation. Finally, we demonstrate that Nominal Adapton can provide large speedups over both from-scratch computation and Adapton, a previous state-of-the-art incremental system.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Efficient Systematic Testing for Dynamically Updatable Software. Christopher M. Hayden, Eric A. Hardisty, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the Workshop on Hot Topics in Software Upgrades (HotSWUp), October 2009. Invited article.

Recent years have seen significant advances in dynamic software updating (DSU) systems, which allow programs to be patched on the fly. However, a significant challenge remains: How can we ensure the act of applying a patch does not itself introduce errors? In this paper, we address this problem by presenting a new systematic testing methodology for updatable programs. Our idea is to transform standard system tests into update tests that execute as before, but each transformed test applies a patch at a different update point during execution. To mitigate the increase in the number of tests, we developed an algorithm for test suite minimization that finds a subset of update points that, if fully tested, yields the equivalent to full update point coverage. We implemented our approach and evaluated it on OpenSSH and Vsftpd, two widely used server applications. We found that minimization is highly effective, reducing the number of update tests required for full coverage by 93%.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

A Testing Based Empirical Study of Dynamic Software Update Safety Restrictions. Christopher M. Hayden, Eric A. Hardisty, Michael Hicks, and Jeffrey S. Foster. Technical Report CS-TR-4949, University of Maryland, Department of Computer Science, November 2009.

Recent years have seen significant advances in dynamic software updating (DSU) systems, which allow programs to be patched on the fly. Most DSU systems employ automatic safety checks to avoid applying a patch if doing so may lead to incorrect behavior. This paper presents what we believe is the first comprehensive empirical evaluation of the two most significant DSU safety checks: activeness safety (AS), which disallows patches that modify functions on the stack, and con-freeness safety (CFS), which allows modifications to active functions, but only when doing so will be type safe.

To measure the checks’ effectiveness, we tested them against three years of updates to OpenSSH and vsftpd. We performed this testing using a novel DSU testing methodology that systematically applies updates throughout the execution of a test suite. After testing updates to both applications in this way, we tracked how often the safety checks allow updates and which updates result in test failures. We found that updating without safety checks produced many failures, and that both AS and CFS dramatically reduced, but did not fully eliminate, these failures. CFS yielded more failures than AS, but AS was more restrictive than CFS, disallowing far more successful updates. Our results suggest that neither AS nor CFS is likely suitable for general-purpose DSU on its own. Indeed, we found that selecting update points manually could avoid all failures while still permitting sufficient updates. Our results present a challenge and important insights for future work: to discover safe and sufficient update points fully automatically.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Specifying and Verifying the Correctness of Dynamic Software Updates. Christopher M. Hayden, Stephen Magill, Michael Hicks, Nate Foster, and Jeffrey S. Foster. Technical Report CS-TR-4997, University of Maryland Department of Computer Science, November 2011. Extended version of VSTTE'12 paper with proofs of theorems and additional discussion.

Dynamic software updating (DSU) systems allow running programs to be patched on-the-fly to add features or fix bugs. While dynamic updates can be tricky to write, techniques for establishing their correctness have received little attention. In this paper, we present the first methodology for automatically verifying the correctness of dynamic updates. Programmers express the desired properties of an updated execution using client-oriented specifications (CO-specs), which can describe a wide range of client-visible behaviors. We verify CO-specs automatically by using off-the-shelf tools to analyze a merged program, which is a combination of the old and new versions of a program. We formalize the merging transformation and prove it correct. We have implemented a program merger for C, and applied it to updates for the Redis key-value store and several synthetic programs. Using Thor, a verification tool, we could verify many of the synthetic programs; using Otter, a symbolic executor, we could analyze every program, often in less than a minute. Both tools were able to detect faulty patches and incurred only a factor-of-four slowdown, on average, compared to single version programs.

[ .pdf ]

@techreport{hayden11dsucorrectTR,
title = {Specifying and Verifying the Correctness of Dynamic Software Updates},
author = {Christopher M. Hayden and Stephen Magill and Michael Hicks and Nate Foster and Jeffrey S. Foster},
institution = {University of Maryland Department of Computer Science},
number = {CS-TR-4997},
year = 2011,
month = nov,
note = {Extended version of VSTTE'12 paper with proofs of theorems and additional discussion}
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Kitsune: Efficient, General-purpose Dynamic Software Updating for C. Christopher M. Hayden, Edward K. Smith, Michail Denchev, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), October 2012.

Dynamic software updating (DSU) systems allow programs to be updated while running, thereby permitting developers to add features and fix bugs without downtime. This paper introduces Kitsune, a new DSU system for C whose design has three notable features. First, Kitsune’s updating mechanism updates the whole program, not individual functions. This mechanism is more flexible than most prior approaches and places no restrictions on data representations or allowed compiler optimizations. Second, Kitsune makes the important aspects of updating explicit in the program text, making the program’s semantics easy to understand while minimizing programmer effort. Finally, the programmer can write simple specifications to direct Kitsune to generate code that traverses and transforms old-version state for use by new code; such state transformation is often necessary, and is significantly more difficult in prior DSU systems. We have used Kitsune to update five popular, open-source, single- and multi-threaded programs, and find that few program changes are required to use Kitsune, and that it incurs essentially no performance overhead.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

A Study of Dynamic Software Update Quiescence for Multithreaded Programs. Christopher M. Hayden, Karla Saur, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the Workshop on Hot Topics in Software Upgrades (HotSWUp), pages 6–10, June 2012.

Dynamic software updating (DSU) techniques show great promise in allowing vital software services to be upgraded without downtime, avoiding dropped connections and the loss of critical program state. For multithreaded programs, DSU systems must balance correctness and timeliness. To simplify reasoning that an update is correct, we could limit updates to take place only when all threads have blocked at well-defined update points. However, several researchers have pointed out that this approach poses the risk of delaying an update for too long, even indefinitely, and therefore have developed fairly complicated mechanisms to mitigate the risk. This paper argues that such mechanisms are unnecessary by demonstrating empirically that many multithreaded programs can be updated with minimal delay using only a small number of manually annotated update points. Our study of the time taken for all of the threads in six real-world, event-driven programs to reach their update points ranged from 0.155 to 107.558 ms, and most were below 1 ms.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Evaluating Dynamic Software Update Safety Using Efficient Systematic Testing. Christopher M. Hayden, Edward K. Smith, Eric A. Hardisty, Michael Hicks, and Jeffrey S. Foster. IEEE Transactions on Software Engineering, 38(6):1340–1354, December 2012. Accepted September 2011.

Dynamic software updating (DSU) systems patch programs on the fly without incurring downtime. To avoid failures due to the updating process itself, many DSU systems employ timing restrictions. However, timing restrictions are theoretically imperfect, and their practical effectiveness is an open question.

This paper presents the first significant empirical evaluation of three popular timing restrictions: activeness safety (AS), which prevents updates to active functions; con-freeness safety (CFS), which only allows modifications to active functions when doing so is provably type-safe; and manual identification of the event-handling loops during which an update may occur.

We evaluated these timing restrictions using a series of DSU patches to three programs: OpenSSH, vsftpd, and ngIRCd. We systematically applied updates at each distinct update point reached during execution of a suite of system tests for these programs to determine which updates pass and which fail. We found that all three timing restrictions prevented most failures, but only manual identification allowed none. Further, although CFS and AS allowed many more update points, manual identification still supported updates with minimal delay. Finally, we found that manual identification required the least developer effort. Overall, we conclude that manual identification is most effective.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Efficient, General-purpose Dynamic Software Updating for C. Christopher M. Hayden, Karla Saur, Edward K. Smith, Michael Hicks, and Jeffrey S. Foster. ACM Transactions on Programming Languages and Systems (TOPLAS), 36(4):13, October 2014.

Dynamic software updating (DSU) systems facilitate software updates to running programs, thereby permitting developers to add features and fix bugs without downtime. This paper introduces Kitsune, a DSU system for C. Kitsune’s design has three notable features. First, Kitsune updates the whole program, rather than individual functions, using a mechanism that places no restrictions on data representations or allowed compiler optimizations. Second, Kitsune makes the important aspects of updating explicit in the program text, making the program’s semantics easy to understand while minimizing programmer effort. Finally, the programmer can write simple specifications to direct Kitsune to generate code that traverses and transforms old-version state for use by new code; such state transformation is often necessary and is significantly more difficult in prior DSU systems. We have used Kitsune to update six popular, open-source, single- and multi-threaded programs, and find that few program changes are required to use Kitsune, that it incurs essentially no performance overhead, and that update times are fast.

[ .pdf ]

@article{hayden14kitsune-journal,
title = {Efficient, General-purpose Dynamic Software Updating for C},
author = {Christopher M. Hayden and Karla Saur and Edward K. Smith and Michael Hicks and Jeffrey S. Foster},
journal = {{ACM} Transactions on Programming Languages and Systems (TOPLAS)},
month = oct,
year = 2014,
volume = 36,
number = 4,
pages = 13
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

State Transfer for Clear and Efficient Runtime Upgrades. Christopher M. Hayden, Edward K. Smith, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the Workshop on Hot Topics in Software Upgrades (HotSWUp), pages 179–184, April 2011.

Dynamic software updating (DSU), the practice of updating software while it executes, is a lively area of research. The DSU approach most prominent in both commercial and research systems is in-place updating, in which patches containing program modifications are loaded into a running process. However, in-place updating suffers from several problems: it requires complex tool support, it may adversely affect the performance of normal execution, it requires challenging reasoning to understand the behavior of an updated program, and it requires extra effort to modify program state to be compatible with an update.

This paper presents preliminary work investigating the potential for state transfer updating to address these problems. State transfer updates work by launching a new process running the updated program version and transferring program state from the running process to the updated version. In this paper, we describe the use and implementation of Ekiden, a new state transfer updating library for C/C++ programs. Ekiden seeks to redress the difficulties of in-place updating, and we report on our experience updating vsftpd using Ekiden. This initial experience suggests that state transfer provides the availability benefits of in-place DSU approaches while addressing many of their shortcomings.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamic Software Updating. Michael Hicks. PhD thesis, Department of Computer and Information Science, University of Pennsylvania, August 2001. Winner of the 2002 ACM SIGPLAN Doctoral Dissertation award.

[ .pdf ]

@phdthesis{Hicks01,
author = {Michael Hicks},
title = {Dynamic Software Updating},
year = 2001,
month = {August},
school = {Department of Computer and Information Science, University of Pennsylvania},
note = {Winner of the 2002 {ACM SIGPLAN Doctoral Dissertation} award}
}

This file was generated by bibtex2html 1.99.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

User-specified Adaptive Scheduling in a Streaming Media Network. Michael Hicks, Adithya Nagarajan, and Robbert van Renesse. Technical Report CS-TR-4430, University of Maryland Department of Computer Science, March 2003.

In disaster and combat situations, mobile cameras and other sensors transmit real-time data, used by many operators and/or analysis tools. Unfortunately, in the face of limited, unreliable resources, and varying demands, not all users may be able to get the
fidelity they require. This paper describes MediaNet, a distributed multi-media processing system designed with the above scenarios in mind. Unlike past
approaches, MediaNet’s users can intuitively specify how the system should adapt based on their individual needs. MediaNet uses both local and on-line global resource scheduling to improve user performance and network utilization, and adapts without requiring underlying support for resource reservations. Performance experiments show that our scheduling algorithm is reasonably fast, and that user performance and network utilization are both significantly improved.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Safe and Flexible Memory Management in Cyclone. Michael Hicks, Greg Morrisett, Dan Grossman, and Trevor Jim. Technical Report CS-TR-4514, University of Maryland Department of Computer Science, July 2003.

Cyclone is a type-safe programming language intended for applications requiring control over memory management. Our previous work on Cyclone included support for stack allocation, lexical region allocation, and a garbage-collected heap. We achieved safety (i.e., prevented dangling pointers) through a region-based type-and-effects system. This paper describes some new memory-management mechanisms that we have integrated into Cyclone: dynamic regions, unique pointers, and reference-counted objects. Our experience shows that these new mechanisms are well suited for the timely recovery of objects in situations where it is awkward to use lexical regions. Crucially, programmers can write reusable functions without unnecessarily restricting callers’ choices among the variety of memory-management options. To achieve this goal, Cyclone employs a combination of polymorphism and scoped constructs that temporarily let us treat objects as if they were allocated in a lexical region. In our experience, our new constructs can significantly improve application performance, while adding a modest programming overhead.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Experience with Safe Manual Memory Management in Cyclone. Michael Hicks, Greg Morrisett, Dan Grossman, and Trevor Jim. In Proceedings of the ACM International Symposium on Memory Management (ISMM), pages 73–84, October 2004. An abstract of this paper appeared in SPACE `04, http://www.diku.dk/topps/space2004/space_final/hicks-grossman-jim.pdf.

The goal of the Cyclone project is to investigate type safety for low-level languages such as C . Our hardest challenge has been providing programmers control over memory management while retaining type safety. This paper reports on our experience trying to integrate and effectively use two previously proposed, type-safe memory management mechanisms: statically-scoped regions and unique pointers. We found that these typing mechanisms can be combined to build alternative memory-management abstractions, such as reference counted objects and arenas with dynamic lifetimes, and thus provide a flexible basis. Our experience—porting C code and building new applications for resource-constrained systems—confirms that experts can use these features to improve memory footprint and sometimes to improve throughput when used instead of, or in combination with, a conservative garbage collector.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamic Updating of Information-Flow Policies. Michael Hicks, Stephen Tse, Boniface Hicks, and Steve Zdancewic. In Proceedings of the International Workshop on Foundations of Computer Security (FCS), pages 7–18, June 2005.

Applications that manipulate sensitive information should ensure end-to-end security by satisfying two properties: sound execution and some form of noninterference. By the former, we mean the program should always perform actions in keeping with its current policy, and by the latter we mean that these actions should never cause high-security information to be visible to a low-security observer. Over the last decade, security-typed languages have been developed that exhibit these properties, increasingly improving so as to model important features of real programs. No current security-typed language, however, permits general changes to security policies in use by running programs. This paper presents a simple information flow type system that allows for dynamic security policy updates while ensuring sound execution and a relaxed form of noninterference we term noninterference between updates. We see this work as an important step toward using language-based techniques to ensure end-to-end security for realistic applications.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Inferring Locking for Atomic Sections. Michael Hicks, Jeffrey S. Foster, and Polyvios Pratikakis. In On-line Proceedings of the ACM SIGPLAN Workshop on Languages, Compilers, and Hardware Support for Transactional Computing (TRANSACT), June 2006.

http://www.cs.purdue.edu/homes/jv/events/TRANSACT/transact-06.tgz.

Software transactions allow the programmer to specify sections of code that should be serializable, without the programmer needing to worry about exactly how atomicity is enforced. Recent research proposes using optimistic concurrency to implement transactions. In this short paper, we propose a pessimistic lock-based technique that uses the results of static whole-program analysis to enforce atomicity. The input to our analysis is a program that contains programmer-specified atomic sections and calls to fork. We present a sharing inference algorithm that uses the results of points-to analysis to determine which memory locations are shared. Our analysis uses continuation effects to track the locations accessed after a point in the program. This allows data to be thread-local before a fork and thread-shared afterward. We then present a mutex inference algorithm that determines a sufficient set of locks to guard accesses to shared locations. After mutex inference, a compiler adds the appropriate lock acquires and releases to the beginning and end of atomic sections. Our algorithm is efficient, and provides parallelism according to precision of the alias analysis while minimizing the number of required locks.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Trusted Declassification: high-level policy for a security-typed language. Boniface Hicks, Dave King, Patrick McDaniel, and Michael Hicks. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), pages 65–74, June 2006.

Security-typed languages promise to be a powerful tool with which provably secure software applications may be developed. Programs written in these languages enforce a strong, global policy of noninterference which ensures that high-security data will not be observable on low-security channels. Because noninterference is typically too strong a property, most programs use some form of declassification to selectively leak high security information, e.g. when performing a password check or data encryption. Unfortunately, such a declassification is often expressed as an operation within a given program, rather than as part of a global policy, making reasoning about the security implications of a policy more difficult.

In this paper, we propose a simple idea we call trusted declassification in which special declassifier functions are specified as part of the global policy. In particular, individual principals declaratively specify which declassifiers they trust so that all information flows implied by the policy can be reasoned about in absence of a particular program. We formalize our approach for a Java-like language and prove a modified form of noninterference which we call noninterference modulo trusted methods. We have implemented our approach as an extension to Jif and provide some of our experience using it to build a secure e-mail client.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Trusted Declassification: high-level policy for a security-typed language (Extended version). Boniface Hicks, Dave King, Patrick McDaniel, and Michael Hicks. Technical Report NAS-TR-033-2006, Department of Computer Science and Engineering, the Pennsylvania State University, June 2006. Extended version of the PLAS 2006 paper with full formal development.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Toward Specifying and Validating Cross-Domain Policies. Michael Hicks, Nikhil Swamy, and Simon Tsang. Technical Report CS-TR-4870, Department of Computer Science, University of Maryland, April 2007.

Formal security policies are extremely useful for two related reasons. First, they allow a policy to be considered in isolation, separate from programs under the purview of the policy and separate from the implementation of the policy’s enforcement. Second, policies can be checked for compliance against higher-level security goals by using automated analyses. By contrast, ad hoc enforcement mechanisms (for which no separate policies are specified) enjoy neither benefit, and non-formal policies enjoy the first but not the second.

We would like to understand how best to define (and enforce) multi-level security policies when information must be shared across domains that have varying levels of trust (the so-called “cross domain” problem). Because we wish to show such policies meet higher-level security goals with high assurance, we are interested in specifying cross domain policies formally, and then reasoning about them using automated tools. In this report, we briefly survey work that presents formal security policies with cross-domain concerns, in particular with respect to the problem of downgrading. We also describe correctness properties for such policies, all based on noninterference. Finally, we briefly discuss recently-developed tools for analyzing formal security policies; though no existing tools focus on the analysis of downgrading-oriented policies, existing research points the way to providing such support.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Adapting Scrum to Managing a Research Group. Michael Hicks and Jeffrey S. Foster. Technical Report CS-TR-4966, University of Maryland, Department of Computer Science, September 2010.

Score is an adaptation of the Scrum agile software development methodology to the task of managing Ph.D. students in an academic research group. This paper describes Score, conceived in October 2006, and our experience using it. We have found that Score enables us—faculty and students—to be more efficient and thereby more productive, and enhances the cohesion of our research group.

[ .pdf ]

@techreport{hicks10score,
title = {Adapting {Scrum} to Managing a Research Group},
author = {Michael Hicks and Jeffrey S. Foster},
institution = {University of Maryland, Department of Computer Science},
number = {CS-TR-4966},
month = sep,
year = 2010
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Score: Agile Research Group Management. Michael Hicks and Jeffrey S. Foster. Communications of the ACM, 53(10):30–31, October 2010.

[ .pdf ]

@article{hicks10scoreshort,
title = {Score: Agile Research Group Management},
author = {Michael Hicks and Jeffrey S. Foster},
journal = {Communications of the {ACM}},
month = oct,
volume = {53},
number = {10},
pages = {30–31},
year = 2010
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Polymonads. Nataliya Guts, Michael Hicks, Nikhil Swamy, Daan Leijen, and Gavin Bierman. Technical Report XXX, University of Maryland Department of Computer Science, July 2012. Extended version of POPL'13 submission.

From their semantic origins to their use in structuring effectful computations, monads are now also used as a programming pattern to structure code in a number of important scenarios, including functional reactivity, information flow tracking and probabilistic computation. However, whilst these examples are inspired by monads they are not strictly speaking monadic but rather something more general. The first contribution of this paper is the definition of a new structure, the polymonad, which subsumes monads and encompasses the monad-like programming patterns that we have observed. A concern is that given such a general setting, a program would quickly become polluted with polymonadic coercions, making it hard to read and maintain. The second contribution of this paper is to build on previous work to define a polymorphic type inference algorithm that supports programming with polymonads using a direct style, e.g., as if computations of type M τ were expressions of type τ. During type inference the program is rewritten to insert the necessary polymonadic coercions, a process that we prove is coherent—all sound rewritings produce programs with the same semantics. The resulting programming style is powerful and lightweight.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

POPL'12 Program Chair’s Report (or, how to run a medium-sized conference). Michael Hicks. SIGPLAN Notices, 47(4), April 2012.

It was a pleasure and a privilege to serve as the program committee (PC) chair of the 39th Symposium on the Principles of Programming Languages (POPL). This paper describes the review process we used, why we used it, and an assessment of how it worked out.

We made some substantial changes to the review process this year, most notably by incorporating a form of double-blind reviewing. These and other changes were made in an attempt to improve accepted paper quality, as well as to improve review quality and fairness (both of which ultimately support paper quality).

Much of this paper argues in favor of these changes based on principle, i.e., why one might think the process should increase quality. Ideally we could also evaluate the process directly, i.e., by showing that this year’s program was better than it would have been under a different review process. Unfortunately, I think it would be very difficult to efficiently evaluate a review process directly (e.g., by having two committees and two review processes on the same papers). As such, I exercised a more tractable alternative: I polled the authors and reviewers to report on their experience, and to see whether that experience convinces them that the process has merit. In most cases, the answer was “yes.”

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Languages for Oblivious Computation. Michael Hicks. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), October 2017.

This is a 1-page abstract of my keynote talk at Workshop on Programming Languages and Security, colocated with the ACM Symposium on Computer and Communications Security. It discusses the role of programming languages in ensuring oblivious (side channel-free) computation.

[ .pdf ]

@inproceedings{hicks17plas,
 author = {Michael Hicks},
 title = {Languages for Oblivious Computation},
 booktitle = {Proceedings of the {ACM SIGPLAN} Workshop on Programming Languages and Analysis for Security (PLAS)},
 year = {2017},
 month = oct
}

This file was generated by bibtex2html 1.99.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Types and Intermediate Representations. Michael Hicks. Technical Report MS-CIS-98-05, Department of Computer and Information Science, University of Pennsylvania, April 1998.

The design objectives and the mechanisms for achieving those objectives are considered for each of three systems, Java, Erlang, and TIL. In particular, I examine the use of types and intermediate representations in the system implementation. In addition, the systems are compared to examine how one system’s mechanisms may (or may not) be applied to another.

[ .ps ]

@techreport{Hicks98A,
author = {Michael Hicks},
title = {{Types and Intermediate Representations}},
institution = {Department of Computer and Information Science, University of Pennsylvania},
type = {Technical Report},
number = {MS-CIS-98-05},
month = {April},
year = {1998}
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Transparent Communication for Distributed Objects in Java. Michael Hicks, Suresh Jagannathan, Richard Kelsey, Jonathan T. Moore, and Cristian Ungureanu. In Proceedings of the ACM SIGPLAN Java Grande Conference, pages 160–170. ACM, June 1999.

We describe a native-code implementation of Java that supports distributed objects. In order to foster the correctness of distributed programs, remote access is syntactically and semantically indistinguishable from local access. This transparency is provided by the runtime system through the implicit generation of remote references to an object when it is passed as an argument or returned from a remote method call. Consistency is achieved through the use of a distributed (and thus scalable) global addressing scheme. Experiments show that application performance is a function of data layout, access algorithm, and local workload. For distributed applications, such as distributed databases, these factors may not be known statically, suggesting the importance of runtime support.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

PLAN: A Packet Language for Active Networks (Extended version). Michael W. Hicks, Pankaj Kakkar, Jonathan T. Moore, Carl A. Gunter, and Scott M. Nettles. Unpublished manuscript. Consolidates ICFP 98, IPL 98, Allterton 99 papers, May 2006.

The Internet protocols were designed to emphasize simple rout- ing elements and intelligent hosts. However, there are applications that benefit from allowing hosts to customize or program routers, a concept known as active networking. Since routers are shared, this raises challenges with delivering sufficient flexibility while preserving or improving performance, security, and safety. PLAN (Packet Lan- guage for Active Networks) is a language designed for the SwitchWare active network architecture. This architecture comprises active pack- ets containing PLAN programs that invoke service routines over an active OS. PLAN is based on the polymorphic lambda calculus and provides a restricted set of primitives and datatypes that enables rea- soning about its impact on network resources based on features of the language design. This paper focuses on the PLAN language with the aim of consolidating a variety of studies that were carried out in the years after its introduction in 1998. These studies include the require- ments for PLAN, its design, programming in PLAN, the specification and theory of PLAN, and its use in networking applications.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

A Secure PLAN. Michael Hicks, Angelos D. Keromytis, and Jonathan M. Smith. IEEE Transactions on Systems, Man, and Cybernetics, Part C, 33(3):413–426, August 2003. Special Issue on Technologies Promoting Computational Intelligence, Openness and Programmability in Networks and Internet Services, Part I.

Active Networks, being programmable, promise greater flexibility than current networks. Programmability, however, may introduce safety and security risks. This paper describes the design and implementation of a security architecture for the active network PLANet. Security is obtained with a two-level architecture that combines a functionally restricted packet language, PLAN, with an environment of general-purpose service routines governed by trust management. In particular, a technique is used which expands or contracts a packet’s service environment based on its level of privilege, termed namespace-based security. The design and implementation of an active-network firewall and virtual private network is used as an application of the security architecture. Measurements of the system show that the addition of the firewall imposes an approximately 34% latency overhead and as little as a 6.7% space overhead to incoming packets.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamic Software Updating. Michael Hicks, Jonathan T. Moore, and Scott Nettles. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), pages 13–23. ACM, June 2001.

Many important applications must run continuously and without interruption, yet must be changed to fix bugs or upgrade functionality. No prior general-purpose methodology for dynamic updating achieves a practical balance between flexibility, robustness, low overhead, and ease of use.

We present a new approach for C-like languages that provides type-safe dynamic updating of native code in an extremely flexible manner (code, data, and types may be updated, at programmer-determined times) and permits the use of automated tools to aid the programmer in the updating process. Our system is based on dynamic patches that both contain the updated code and the code needed to transition from the old version to the new. A novel aspect of our patches is that they consist of verifiable native code (e.g. Proof-Carrying Code or Typed Assembly Language, which is native code accompanied by annotations that allow on-line verification of the code’s safety. We discuss how patches are generated mostly automatically, how they are applied using dynamic-linking technology, and how code is compiled to make it updateable.

To concretely illustrate our system, we have implemented a dynamically-updateable web server, FlashEd. We discuss our experience building and maintaining FlashEd. Performance experiments show that for FlashEd, the overhead due to updating is typically less than 1 percent.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Compiling PLAN to SNAP. Michael Hicks, Jonathan T. Moore, and Scott Nettles. In Ian W. Marshall, Scott Nettles, and Naoki Wakamiya, editors, Proceedings of the Third International Working Conference on Active Networks (IWAN), volume 2207 of Lecture Notes in Computer Science, pages 134–151. Springer-Verlag, October 2001.

PLAN (Packet Language for Active Networks) is a highly flexible and usable active packet language, whereas SNAP (Safe and Nimble Active Packets) offers significant resource usage safety and achieves much higher performance compared to PLAN, but at the cost of flexibility and usability. Ideally, we would like to combine the good properties of PLAN with those of SNAP. We have achieved this end by developing a compiler that translates PLAN into SNAP. The compiler allows us to achieve the flexibility and usability of PLAN, but with the safety and efficiency of SNAP. In this paper, we describe both languages, highlighting the features that require special compilation techniques. We then present the details of our compiler and experimental results to evaluate our compiler with respect to code size.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Experiences with Capsule-based Active Networking. Michael Hicks, Jonathan T. Moore, David Wetherall, and Scott Nettles. In Proceedings of the DARPA Active Networks Conference and Exposition (DANCE), pages 16–24. IEEE, May 2002.

Active Networking adds programmability to the elements of the network, most aggressively by using programmable packets, or capsules. ANTS and PLANet are the most mature examples of capsule-based systems, both having been publicly available for several years. This paper presents our experience with these systems and the lessons they hold for the future of capsule-based Active Networking.

The paper focuses on four key issues: flexibility, performance, security, and usability. We consider how ANTS and PLANet address these issues, noting that despite substantial surface differences, both systems identify similar key problems and use closely related solutions. Based on our experience with these systems we conclude that capsule-based systems can achieve useful levels of flexibility, performance, and usability. Many aspects of security can also be adequately addressed, but some important problems related to denial of service remain as open problems.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Active Networking means Evolution (or Enhanced Extensibility Required). Michael Hicks and Scott Nettles. In Hiroshi Yashuda, editor, Proceedings of the Second International Working Conference on Active Networks (IWAN), volume 1942 of Lecture Notes in Computer Science, pages 16–32. Springer-Verlag, October 2000.

The primary goal of active networking is to increase the pace of network evolution. The approach to achieving this goal, as well as the goal of enhancing customizability, is to allow network nodes to be extended by dynamically loaded code. Most active network implementations employ plug-in extensibility, a technique for loading code characterized by a concrete, pre-defined abstraction of future change. After giving examples of plug-in extensibility, we argue that while it is flexible and convenient, it is not sufficient to facilitate true evolution of the network. To remedy this problem, we propose the use of dynamic software updating. Dynamic software updating reduces the a priori assumptions of plug-in extensibility, improving flexibility and eliminating the need to pre-plan extensions. However, this additional flexibility results in additional complexity and creates issues involving validity and security. We discuss these issues, and describe the state-of-the-art in systems that support dynamic software updating, thus framing the problem for researchers developing next-generation active networks.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

User-Specified Adaptive Scheduling in a Streaming Media Network. Michael Hicks, Adithya Nagarajan, and Robbert van Renesse. In Proceedings of the IEEE Conference on Open Architectures (OPENARCH), pages 87–96, April 2003.

In disaster and combat situations, mobile cameras and other sensors transmit real-time data, used by many operators or analysis tools. Unfortunately, in the face of limited, unreliable resources, and varying demands, not all users may be able to get the fidelity they require. This paper describes MediaNet, a distributed stream processing system designed with the above scenarios in mind. Unlike past approaches, MediaNet’s users can intuitively specify how the system should adapt based on their individual needs. MediaNet uses both local and on-line global resource scheduling to improve user performance and network utilization, and adapts without requiring underlying support for resource reservations. Performance experiments show that our scheduling algorithm is reasonably fast, and that user performance and network utilization are both significantly improved.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

A Calculus for Dynamic Loading. Michael Hicks and Stephanie Weirich. Technical Report MS-CIS-00-07, University of Pennsylvania, April 2000.

[ .pdf ]

@techreport{HicksW00type-loading-tr,
author = {Michael Hicks and Stephanie Weirich},
title = {A Calculus for Dynamic Loading},
institution = {University of Pennsylvania},
year = {2000},
number = {MS-CIS-00-07},
month = {April}
}

This file was generated by bibtex2html 1.99.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Applying and Expanding the VOQC Toolkit. Kesha Hietala, Liyi Li, Akshaj Gaur, Aaron Green, Robert Rand, Xiaodi Wu, and Michael Hicks. In Informal Proceedings of the Workshop on Programming Languages and Quantum Computing (PLanQC), June 2021.

This abstract presents recent extensions to VOQC, a verified optimizer for quantum circuits. All code described in this abstract is freely available online at https://github.com/inQWIRE/SQIR/.

[ .pdf ]

@inproceedings{hietala21expvoqc,
 title = {Applying and Expanding the {VOQC} Toolkit},
 booktitle = {Informal Proceedings of the Workshop on Programming Languages and Quantum Computing (PLanQC)},
 author = {Kesha Hietala and Liyi Li and Akshaj Gaur and Aaron Green and Robert Rand and Xiaodi Wu and Michael Hicks},
 year = 2021,
 month = jun
}

This file was generated by bibtex2html 1.99.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

A Verified Optimizer for Quantum Circuits. Kesha Hietala, Robert Rand, Shih-Han Hung, Xiaodi Wu, and Michael Hicks. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), January 2021. Distinguished Paper.

We present VOQC, the first fully verified optimizer for quantum circuits, written using the Coq proof assistant. Quantum circuits are expressed as programs in a simple, low-level language called SQIR, a simple quantum intermediate representation, which is deeply embedded in Coq. Optimizations and other transformations are expressed as Coq functions, which are proved correct with respect to a semantics of SQIR programs. SQIR uses a semantics of matrices of complex numbers, which is the standard for quantum computation, but treats matrices symbolically in order to reason about programs that use an arbitrary number of quantum bits. SQIR’s careful design and our provided automation make it possible to write and verify a broad range of optimizations in VOQC, including full-circuit transformations from cutting-edge optimizers.

[ .pdf ]

@inproceedings{hietala21voqc,
author = {Kesha Hietala and Robert Rand and Shih-Han Hung and Xiaodi Wu and Michael Hicks},
title = {A Verified Optimizer for Quantum Circuits},
booktitle = {Proceedings of the {ACM} Conference on Principles of Programming Languages (POPL)},
month = jan,
note = {\textbf{Distinguished Paper}},
year = {2021}
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

A Verified Optimizer for Quantum Circuits. Kesha Hietala, Robert Rand, Liyi Li, Shih-Han Hung, Xiaodi Wu, and Michael Hicks. ACM Transactions on Programming Languages and Systems (TOPLAS), 45(3), September 2023. Extends POPL'21 paper.

We present VOQC, the first fully verified optimizer for quantum circuits, written using the Coq proof assistant. Quantum circuits are expressed as programs in a simple, low-level language called SQIR, a small quantum intermediate representation, which is deeply embedded in Coq. Optimizations and other transformations are expressed as Coq functions, which are proved correct with respect to a semantics of SQIR programs. SQIR programs denote complex-valued matrices, as is standard in quantum computation, but we treat matrices symbolically in order to reason about programs that use an arbitrary number of quantum bits. SQIR’s careful design and our provided automation make it possible to write and verify a broad range of optimizations in VOQC, including full-circuit transformations from cutting-edge optimizers.

[ .pdf ]

@article{hietala22voqc-journal,
author = {Kesha Hietala and Robert Rand and Liyi Li and Shih-Han Hung and Xiaodi Wu and Michael Hicks},
title = {A Verified Optimizer for Quantum Circuits},
journal = {{ACM} Transactions on Programming Languages and Systems (TOPLAS)},
month = sep,
volume = 45,
number = 3,
note = {Extends POPL'21 paper},
year = {2023}
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Quantitative Robustness Analysis of Quantum Programs. Shih-Han Hung, Kesha Hietala, Shaopeng Zhu, Mingsheng Ying, Michael Hicks, and Xiaodi Wu. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), January 2019.

Quantum computation is a topic of significant recent interest, with practical advances coming from both research and industry. A major challenge in quantum programming is dealing with errors (quantum noise) during execution. Because quantum resources (e.g., qubits) are scarce, classical error correction techniques applied at the level of the architecture are currently cost-prohibitive. But while this reality means that quantum programs are almost certain to have errors, there as yet exists no principled means to reason about erroneous behavior. This paper attempts to fill this gap by developing a semantics for erroneous quantum while-programs, as well as a logic for reasoning about them. This logic permits proving a property we have identified, called ε-robustness, which characterizes possible “distance” between an ideal program and an erroneous one. We have proved the logic sound, and showed its utility on several case studies, notably: (1) analyzing the robustness of noisy versions of the quantum Bernoulli factory (QBF) and quantum walk (QW); (2) demonstrating the (in)effectiveness of different error correction schemes on single-qubit errors; and (3) analyzing the robustness of a fault-tolerant version of QBF.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Defeating Scripting Attacks with Browser-Enforced Embedded Policies. Trevor Jim, Nikhil Swamy, and Michael Hicks. In Proceedings of the International World Wide Web Conference (WWW), pages 601–610, May 2007.

Web sites that accept and display content such as wiki articles or comments typically filter the content to prevent injected script code from running in browsers that view the site. The diversity of browser rendering algorithms and the desire to allow rich content make filtering quite difficult, however, and attacks such as the Samy and Yamanner worms have exploited filtering weaknesses. This paper proposes a simple alternative mechanism for preventing script injection called Browser-Enforced Embedded Policies (BEEP). The idea is that a web site can embed a policy in its pages that specifies which scripts are allowed to run. The browser, which knows exactly when it will run a script, can enforce this policy perfectly. We have added BEEP support to several browsers, and built tools to simplify adding policies to web applications. We found that supporting BEEP in browsers requires only small and localized modifications, modifying web applications requires minimal effort, and enforcing policies is generally lightweight.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Path Projection for User-Centered Static Analysis Tools. Yit Phang Khoo, Jeffrey S. Foster, Michael Hicks, and Vibha Sazawal. In Proceedings of the ACM Workshop on Program Analysis for Software Tools and Engineering (PASTE), pages 57–63, November 2008.

The research and industrial communities have made great strides in developing sophisticated defect detection tools based on static analysis. To date most of the work in this area has focused on developing novel static analysis algorithms, but has neglected study of other aspects of static analysis tools, particularly user interfaces. In this work, we present a novel user interface toolkit called Path Projection that helps users visualize, navigate, and understand program paths, a common component of many tools’ error reports. We performed a controlled user study to measure the benefit of Path Projection in triaging error reports from Locksmith, a data race detection tool for C . We found that Path Projection improved participants’ time to complete this task without affecting accuracy, while participants felt Path Projection was useful and strongly preferred it to a more standard viewer.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Directing JavaScript with Arrows. Yit Phang Khoo, Michael Hicks, Jeffrey S. Foster, and Vibha Sazawal. In Proceedings of the ACM SIGPLAN Dynamic Languages Symposium (DLS), pages 49–58, October 2009.

JavaScript programmers make extensive use of event-driven programming to help build responsive web applications. However, standard approaches to sequencing events are messy, and often lead to code that is difficult to understand and maintain. We have found that arrows, a generalization of monads, are an elegant solution to this problem. Arrows allow us to easily write asynchronous programs in small, modular units of code, and flexibly compose them in many different ways, while nicely abstracting the details of asynchronous program composition. In this paper, we present Arrowlets, a new JavaScript library that offers arrows to the everyday JavaScript programmer. We show how to use Arrowlets to construct a variety of state machines, including state machines that branch and loop. We also demonstrate how Arrowlets separate computation from composition with examples such as a drag-and-drop handler and a bubblesort animation.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Triaging Checklists: a Substitute for a PhD in Static Analysis. Yit Phang Khoo, Jeffrey S. Foster, Michael Hicks, and Vibha Sazawal. In Proceedings of the Workshop on the Evaluation and Usability of Programming Languages and Tools (PLATEAU), October 2009.

Static analysis tools have achieved great success in recent years in automating the process of detecting defects in software. However, these sophisticated tools have yet to gain widespread adoption, since many of these tools remain too difficult to understand and use. In previous work, we discovered that even with an effective code visualization tool, users still found it hard to determine if warnings reported by these tools were true errors or false warnings. The fundamental problem users face is to understand enough of the underlying algorithm to determine if a warning is caused by imprecision in the algorithm. In our current work, we propose to use triaging checklists to provide users with systematic guidance to identify false warnings by taking into account specific sources of imprecision in the particular tool. Additionally, we plan to provide checklist assistants, which is a library of simple analyses designed to aid users in answering checklist questions.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Expositor: Scriptable Time-Travel Debugging with First Class Traces (Full version). Yit Phang Khoo, Jeffrey S. Foster, and Michael Hicks, December 2013. Extended version of ICSE'13 paper.

We present Expositor, a new debugging environment that combines scripting and time-travel debugging to allow programmers to automate complex debugging tasks. The fundamental abstraction provided by Expositor is the execution trace, which is a time-indexed sequence of program state snapshots or projections thereof. Programmers can manipulate traces as if they were simple lists with operations such as map and filter. Under the hood, Expositor efficiently implements traces as lazy, sparse interval trees whose contents are materialized on demand. Expositor also provides a novel data structure, the edit hash array mapped trie, which is a lazy implementation of sets, maps, multisets, and multimaps that enables programmers to maximize the efficiency of their debugging scripts. In our micro-benchmarks, Expositor scripts are faster than the equivalent non-lazy scripts for common debugging scenarios. We have also used Expositor to debug a stack overflow, and to unravel a subtle data race in Firefox. We believe that Expositor represents an important step forward in improving the technology for diagnosing complex, hard-to-understand bugs.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Expositor: Scriptable Time-Travel Debugging with First Class Traces. Yit Phang Khoo, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the International Conference on Software Engineering (ICSE), May 2013.

We present Expositor, a new debugging environment that combines scripting and time-travel debugging to allow programmers to automate complex debugging tasks. The fundamental abstraction provided by Expositor is the execution trace, which is a time-indexed sequence of program state snapshots. Programmers can manipulate traces as if they were simple lists with operations such as map and filter. Under the hood, Expositor efficiently implements traces as lazy, sparse interval trees whose contents are materialized on demand. Expositor also provides a novel data structure, the edit hash array mapped trie, which is a lazy implementation of sets, maps, multisets, and multimaps that enables programmers to maximize the efficiency of their debugging scripts. We have used Expositor to debug a stack overflow and to unravel a subtle data race in Firefox. We believe that Expositor represents an important step forward in improving the technology for diagnosing complex, hard-to-understand bugs.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Implicit Flows: Can’t live with ’em, can’t live without ’em. Dave King, Boniface Hicks, Michael Hicks, and Trent Jaeger. In R. Sekar and Arun K. Pujari, editors, Proceedings of the International Conference on Information Systems Security (ICISS), volume 5352 of Lecture Notes in Computer Science, pages 56–70. Springer, December 2008.

Verifying that programs trusted to enforce security actually do so is a practical concern for programmers and administrators. However, there is a disconnect between the kinds of tools that have been successfully applied to real software systems (such as taint mode in Perl and Ruby), and information-flow compilers that enforce a variant of the stronger security property of noninterference. Tools that have been successfully used to find security violations have focused on explicit flows of information, where high-security information is directly leaked to output. Analysis tools that enforce noninterference also prevent implicit flows of information, where high-security information can be inferred from a program’s flow of control. However, these tools have seen little use in practice, despite the stronger guarantees that they provide.

To better understand why, this paper experimentally investigates the explicit and implicit flows identified by the standard algorithm for establishing noninterference. When applied to implementations of authentication and cryptographic functions, the standard algorithm discovers many real implicit flows of information, but also reports an extremely high number of false alarms, most of which are due to conservative handling of unchecked exceptions (e.g., null pointer exceptions). After a careful analysis of all sources of true and false alarms, due to both implicit and explicit flows, the paper concludes with some ideas to improve the false alarm rate, toward making stronger security analysis more practical.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Coverage Guided, Property Based Testing. Leonidas Lampropoulos, Michael Hicks, and Benjamin C. Pierce. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), October 2019.

Property-based random testing, exemplified by frameworks such as Haskell’s QuickCheck, works by testing an executable predicate (a property) on a stream of randomly generated inputs. Property testing works very well in many cases, but not always. Some properties are conditioned on the input satisfying demanding semantic invariants that are not consequences of its syntactic structure—e.g., that an input list must be sorted or have no duplicates. Most randomly generated inputs fail to satisfy properties with such sparse preconditions, and so are simply discarded. As a result, much of the target system may go untested.

We address this issue with a novel technique called coverage guided, property based testing (CGPT). Our approach is inspired by the related area of coverage guided fuzzing, exemplified by tools like AFL . Rather than just generating a fresh random input at each iteration, CGPT can also produce new inputs by mutating previous ones using type-aware, generic mutation operators. The target program is instrumented to track which control flow branches are executed during a run and inputs whose runs expand control-flow coverage are retained for future mutations. This means that, when sparse conditions in the target are satisfied and new coverage is observed, the input that triggered them will be retained and used as a springboard to go further.

We have implemented CGPT as an extension to the QuickChick property testing tool for Coq programs; we call our implementation FuzzChick. We evaluate FuzzChick on two Coq developments for abstract machines that aim to enforce flavors of noninterference, which has a (very) sparse precondition. We systematically inject bugs in the machines’ checking rules and use FuzzChick to look for counterexamples to the claim that they satisfy a standard noninterference property. We find that vanilla QuickChick almost always fails to find any bugs after a long period of time, as does an earlier proposal for combining property testing and fuzzing. In contrast, FuzzChick often finds them within seconds to minutes. Moreover, FuzzChick is almost fully automatic; although highly tuned, hand-written generators can find the bugs faster than FuzzChick, they require substantial amounts of insight and manual effort.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Memory Trace Oblivious Program Execution. Chang Liu, Michael Hicks, and Elaine Shi. In Proceedings of the Computer Security Foundations Symposium (CSF), June 2013. Winner of the 2nd NSA Best Scientific Cybersecurity Paper competition.

Cloud computing allows users to delegate data and computation to cloud service providers, at the cost of giving up physical control of their computing infrastructure. An attacker (e.g., insider) with physical access to the computing platform can perform various physical attacks, including probing memory buses and cold-boot style attacks. Previous work on secure (co-)processors provides hardware support for memory encryption and prevents direct leakage of sensitive data over the memory bus. However, an adversary snooping on the bus can still infer sensitive information from the memory access traces. Existing work on Oblivious RAM (ORAM) provides a solution for users to put all data in an ORAM; and accesses to an ORAM are obfuscated such that no information leaks through memory access traces. This method, however, incurs significant memory access overhead.

In this work, we are among the first to leverage programming language techniques to offer efficient memory-trace oblivious program execution, while providing formal security guarantees. We formally define the notion of memory-trace obliviousness, and provide a type system for verifying that a program satisfies this property. We also describe a compiler that transforms a program into a structurally similar one that satisfies memory trace obliviousness. To achieve optimal efficiency, our compiler partitions variables into several small ORAM banks rather than one large one, without risking security. We use several example programs to demonstrate the efficiency gains our compiler achieves in comparison with the naive method of placing all variables in the same ORAM.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Automating Efficient RAM-Model Secure Computation. Chang Liu, Yan Huang, Elaine Shi, Jonathan Katz, and Michael Hicks. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland), May 2014.

RAM-model secure computation addresses the inherent limitations of circuit-model secure computation considered in almost all previous work. Here, we describe the first automated approach for RAM-model secure computation in the semi-honest model. We define an intermediate representation called SCVM and a corresponding type system suited for RAM-model secure computation. Leveraging compile-time optimizations, our approach achieves order-of-magnitude speedups compared to both circuit-model secure computation and the state-of-art RAM-model secure computation.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

GhostRider: A Hardware-Software System for Memory Trace Oblivious Computation. Chang Liu, Austin Harris, Martin Maas, Michael Hicks, Mohit Tiwari, and Elaine Shi. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), March 2015. Winner of Best Paper Award.

This paper presents a new, co-designed compiler and architecture called GhostRider for supporting privacy preserving computation in the cloud. GhostRider ensures all programs satisfy a property called memory-trace obliviousness (MTO): Even an adversary that observes memory, bus traffic, and access times while the program executes can learn nothing about the program’s sensitive inputs and outputs. One way to achieve MTO is employ Oblivious RAM (ORAM), allocating all code and data in a single ORAM bank, and to also disable caches or fix the rate of memory traffic. This baseline approach can be inefficient, and so GhostRider’s compiler uses a program analysis to do better, allocating data to non-oblivious, encrypted RAM (ERAM) and employing a scratchpad when doing so will not compromise MTO . The compiler can also allocate to multiple ORAM banks, which sometimes significantly reduces access times. We have formalized our approach and proved it enjoys MTO . Our FPGA-based hardware prototype and simulation results show that GhostRider significantly outperforms the baseline strategy.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Verifying Replicated Data Types with Typeclass Refinements in Liquid Haskell. Yiyun Liu, James Parker, Patrick Redmond, Lindsey Kuper, Michael Hicks, and Niki Vazou. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), October 2020.

This paper presents an extension to Liquid Haskell that facilitates stating and semi-automatically proving properties of typeclasses. Liquid Haskell augments Haskell with refinement types—our work allows such types to be attached to typeclass method declarations, and ensures that instance implementations respect these types. The engineering of this extension is a modular interaction between GHC, the Glasgow Haskell Compiler, and Liquid Haskell’s core proof infrastructure. The design sheds light on the interplay between modular proofs and typeclass resolution, which in Haskell is coherent by default, but in other dependently typed languages is not.

We demonstrate the utility of our extension by using Liquid Haskell to modularly verify that 34 instances satisfy the laws of five standard typeclasses. More substantially, we implement a framework for programming distributed applications based on conflict-free replicated data types (CRDTs). We define a typeclass whose Liquid Haskell type captures the mathematical properties CRDTs should satisfy; prove in Liquid Haskell that these properties are sufficient to ensure that replicas’ states converge despite out-of-order update delivery; implement (and prove correct) several instances of our CRDT typeclass; and use them to build two realistic applications, a multi-user calendar event planner and a collaborative text editor.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Directed Symbolic Execution. Kin-Keung Ma, Yit Phang Khoo, Jeffrey S. Foster, and Michael Hicks. In Eran Yahav, editor, Proceedings of the Static Analysis Symposium (SAS), volume 6887 of Lecture Notes in Computer Science, pages 95–111. Springer, September 2011.

In this paper, we study the problem of automatically finding program executions that reach a particular target line. This problem arises in many debugging scenarios; for example, a developer may want to confirm that a bug reported by a static analysis tool on a particular line is a true positive. We propose two new directed symbolic execution strategies that aim to solve this problem: shortest-distance symbolic execution (SDSE) uses a distance metric in an interprocedural control flow graph to guide symbolic execution toward a particular target; and call-chain-backward symbolic execution (CCBSE) iteratively runs forward symbolic execution, starting in the function containing the target line, and then jumping backward up the call chain until it finds a feasible path from the start of the program. We also propose a hybrid strategy, Mix-CCBSE, which alternates CCBSE with another (forward) search strategy. We compare these three with several existing strategies from the literature on a suite of six GNU coreutils programs. We find that SDSE performs extremely well in many cases but may fail badly. CCBSE also performs quite well, but imposes additional overhead that sometimes makes it slower than SDSE. Considering all our benchmarks together, Mix-CCBSE performed best on average, combining to good effect the features of its constituent components.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Directed Symbolic Execution. Kin-Keung Ma, Yit Phang Khoo, Jeffrey S. Foster, and Michael Hicks. Technical Report CS-TR-4979, University of Maryland Department of Computer Science, April 2011. Extended version contains refinements and further experimental analysis.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Automating Object Transformations for Dynamic Software Updating. Stephen Magill, Michael Hicks, Suriya Subramanian, and Kathryn S. McKinley. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), October 2012.

Dynamic software updating (DSU) systems eliminate costly downtime by dynamically fixing bugs and adding features to executing programs. Given a static code patch, most DSU systems construct runtime code changes automatically. However, a dynamic update must also specify how to change the running program’s execution state, e.g., the stack and heap, to make it compatible with the new code. Constructing such state transformations correctly and automatically remains an open problem. This paper presents a solution called Targeted Object Synthesis (TOS). TOS first executes the same tests on the old and new program versions separately, observing the program heap state at a few corresponding points. Given two corresponding heap states, TOS matches objects in the two versions using key fields that uniquely identify objects and correlate old and new-version objects. Given example object pairs, TOS then synthesizes the simplest-possible function that transforms an old-version object to its new-version counterpart. We show that TOS is effective on updates to four open-source server programs for which it generates non-trivial transformation functions that use conditionals, operate on collections, and fix memory leaks. These transformations help programmers understand their changes and apply dynamic software updates.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Secure sharing in distributed information management applications: problems and directions. Piotr Mardziel, Adam Bender, Michael Hicks, Dave Levin, Mudhakar Srivatsa, and Jonathan Katz. In Proceedings of the Annual Conference of the International Technology Alliance (ACITA), September 2010.

Interaction between entities who may not trust each other is now commonplace on the Internet. This paper focuses on the specific problem of sharing information between distrusting parties. Previous work in this area shows that privacy and utility can co-exist, but often do not provide strong assurances of one or the other. In this paper, we sketch a research agenda with several directions for attacking these problems, considering several alternative systems that examine the privacy vs. utility problem from different angles. We consider new mechanisms such as economic incentives to share data or discourage data leakage and a hybrid of code-splitting and secure multi-party computation to provide various assurances of secrecy. We discuss how to incorporate these mechanisms into practical applications, including online social networks, a recommendation system based on users' qualifications rather than identities, and a personal information broker that monitors data leakage over time.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamic Enforcement of Knowledge-based Security Policies. Piotr Mardziel, Stephen Magill, Michael Hicks, and Mudhakar Srivatsa. In Proceedings of the Computer Security Foundations Symposium (CSF), pages 114–128, June 2011.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamic Enforcement of Knowledge-based Security Policies. Piotr Mardziel, Stephen Magill, Michael Hicks, and Mudhakar Srivatsa. Technical Report CS-TR-4978, University of Maryland Department of Computer Science, July 2011. Extended version with proofs and additional benchmarks.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Knowledge-Oriented Secure Multiparty Computation. Piotr Mardziel, Michael Hicks, Jonathan Katz, and Mudhakar Srivatsa. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), June 2012.

Protocols for secure multiparty computation (SMC) allow a set of mutually distrusting parties to compute a function f of their private inputs while revealing nothing about their inputs beyond what is implied by the result. Depending on f, however, the result itself may reveal more information than parties are comfortable with. Almost all previous work on SMC treats f as given. Left unanswered is the question of how parties should decide whether it is “safe” for them to compute f in the first place.

We propose here a way to apply belief tracking to SMC in order to address exactly this question. In our approach, each participating party is able to reason about the increase in knowledge that other parties could gain as a result of computing f, and may choose not to participate (or participate only partially) so as to restrict that gain in knowledge. We develop two techniques—the belief set method and the SMC belief tracking method—prove them sound, and discuss their precision/performance tradeoffs using a series of experiments.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Knowledge inference for optimizing and enforcing secure computations. Piotr Mardziel, Michael Hicks, Jonathan Katz, Matthew Hammer, Aseem Rastogi, and Mudhakar Srivatsa. In Proceedings of the Annual Meeting of the US/UK International Technology Alliance, September 2013. This short paper consists of coherent excerpts from several prior papers.

We present several techniques that aim to compute the belief or knowledge a party might have about the values of hidden variables involved in the computation. These techniques can be used for enforcing knowledge-based security policies and for optimizing secure multiparty computations.

[ .pdf ]

@inproceedings{mardziel13belief,
author = {Piotr Mardziel and Michael Hicks and Jonathan Katz and Matthew Hammer and Aseem Rastogi and Mudhakar Srivatsa},
title = {Knowledge inference for optimizing and enforcing secure computations},
booktitle = {Proceedings of the Annual Meeting of the US/UK International Technology Alliance},
note = {This short paper consists of coherent excerpts from several prior papers},
year = 2013,
month = sep
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamic Enforcement of Knowledge-based Security Policies using Probabilistic Abstract Interpretation. Piotr Mardziel, Stephen Magill, Michael Hicks, and Mudhakar Srivatsa. Journal of Computer Security, 21:463–532, October 2013.

This paper explores the idea of knowledge-based security policies, which are used to decide whether to answer queries over secret data based on an estimation of the querier’s (possibly increased) knowledge given the results. Limiting knowledge is the goal of existing information release policies that employ mechanisms such as noising, anonymization, and redaction. Knowledge-based policies are more general: they increase flexibility by not fixing the means to restrict information flow. We enforce a knowledge-based policy by explicitly tracking a model of a querier’s belief about secret data, represented as a probability distribution, and denying any query that could increase knowledge above a given threshold. We implement query analysis and belief tracking via abstract interpretation, which allows us to trade off precision and performance through the use of abstraction. We have developed an approach to augment standard abstract domains to include probabilities, and thus define distributions. We focus on developing probabilistic polyhedra in particular, to support numeric programs. While probabilistic abstract interpretation has been considered before, our domain is the first whose design supports sound conditioning, which is required to ensure that estimates of a querier’s knowledge are accurate. Experiments with our implementation show that several useful queries can be handled efficiently, particularly compared to exact (i.e., sound) inference involving sampling. We also show that, for our benchmarks, restricting constraints to octagons or intervals, rather than full polyhedra, can dramatically improve performance while incurring little to no loss in precision.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Adversary Gain vs. Defender Loss in Quantified Information Flow. Piotr Mardziel, Mário S. Alvim, and Michael Hicks. In (Unofficial) Proceedings of the International Workshop on Foundations of Computer Security (FCS), July 2014.

Metrics for quantifying information leakage assume that an adversary’s gain is the defender’s loss. We demonstrate that this assumption does not always hold via a class of scenarios. We describe how to extend quantification to account for a defender with goals distinct from adversary failure. We implement the extension and experimentally explore the impact on the measured information leakage of the motivating scenario.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Quantifying Information Flow for Dynamic Secrets. Piotr Mardziel, Mario Alvim, Michael Hicks, and Michael Clarkson. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland), May 2014.

A metric is proposed for quantifying leakage of information about secrets and about how secrets change over time. The metric is used with a model of information flow for probabilistic, interactive systems with adaptive adversaries. The model and metric are implemented in a probabilistic programming language and used to analyze several examples. The analysis demonstrates that adaptivity increases the amount of information that adversaries learn.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Quantifying Information Flow for Dynamic Secrets (extended version). Piotr Mardziel, Mario Alvim, Michael Hicks, and Michael Clarkson. Technical Report CS-TR-5035, Department of Computer Science, the University of Maryland, College Park, May 2014.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamically Checking Ownership Policies in Concurrent C/C++ Programs. Jean-Philippe Martin, Michael Hicks, Manuel Costa, Periklis Akritidis, and Miguel Castro. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), pages 457–470, January 2010. Full version.

Concurrent programming errors arise when threads share data incorrectly. Programmers often avoid these errors by using synchronization to enforce a simple ownership policy: data is either owned exclusively by a thread that can read or write the data, or it is read owned by a set of threads that can read but not write the data. Unfortunately, incorrect synchronization often fails to enforce these policies and memory errors in languages like C and C++ can violate these policies even when synchronization is correct.

In this paper, we present a dynamic analysis for checking ownership policies in concurrent C and C++ programs despite memory errors. The analysis can be used to find errors in commodity multi-threaded programs and to prevent attacks that exploit these errors. We require programmers to write ownership assertions that describe the sharing policies used by different parts of the program. These policies may change over time, as may the policies’ means of enforcement, whether it be locks, barriers, thread joins, etc. Our compiler inserts checks in the program that signal an error if these policies are violated at runtime. We evaluated our tool on several benchmark programs. The run-time overhead was reasonable: between 0 and 49% with an average of 26%. We also found the tool easy to use: the total number of ownership assertions is small, and the asserted specification and implementation can be debugged together by running the instrumented program and addressing the errors that arise. Our approach enjoys a pleasing modular soundness property: if a thread executes a sequence of statements on variables it owns, the statements are serializable within a valid execution, and thus their effects can be reasoned about in isolation from other threads in the program.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Serializing C intermediate representations for efficient and portable parsing. Jeffrey A. Meister, Jeffrey S. Foster, and Michael Hicks. Software, Practice, and Experience, 40(3):225–238, February 2010.

C static analysis tools often use intermediate representations (IRs) that organize program data in a simple, well-structured manner. However, the C parsers that create IRs are slow, and because they are difficult to write, only a few implementations exist, limiting the languages in which a C static analysis can be written. To solve these problems, we investigate two language-independent, on-disk representations of C IRs: one using XML, and the other using an Internet standard binary encoding called XDR. We benchmark the parsing speeds of both options, finding the XML to be about a factor of two slower than parsing C and the XDR over six times faster. Furthermore, we show that the XML files are far too large at 19 times the size of C source code, while XDR is only 2.2 times the C size. We also demonstrate the portability of our XDR system by presenting a C source code querying tool in Ruby. Our solution and the insights we gained from building it will be useful to analysis authors and other clients of C IRs. We have made our software freely available for download at http://www.cs.umd.edu/projects/PL/scil/.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Authenticated Data Structures, Generically. Andrew Miller, Michael Hicks, Jonathan Katz, and Elaine Shi. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), January 2014.

An authenticated data structure (ADS) is a data structure whose operations can be carried out by an untrusted prover, the results of which a verifier can efficiently check as authentic. This is done by having the prover produce a compact proof that the verifier can check along with each operation’s result. ADSs thus support outsourcing data maintenance and processing tasks to untrusted servers without loss of integrity. Past work on ADSs has focused on particular data structures (or limited classes of data structures), one at a time, often with support only for particular operations.

This paper presents a generic method, using a simple extension to a ML-like functional programming language we call LambdaAuth, with which one can program authenticated operations over any data structure defined by standard type constructors, including recursive types, sums, and products. The programmer writes the data structure largely as usual and it is compiled to code to be run by the prover and verifier. Using a formalization of LambdaAuth we prove that all well-typed LambdaAuth programs result in code that is secure under the standard cryptographic assumption of collision-resistant hash functions. We have implemented LambdaAuth as an extension to the OCaml compiler, and have used it to produce authenticated versions of many interesting data structures including binary search trees, red-black+ trees, skip lists, and more. Performance experiments show that our approach is efficient, giving up little compared to the hand-optimized data structures developed previously.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

General-Purpose Persistence Using Flash Memory. Jonathan T. Moore, Michael Hicks, and Scott Nettles. Unpublished manuscript, April 1997.

Flash memory is a semiconductor memory technology that has interesting price, performance, and semantic tradeoffs. We have developed Gordon, a general-purpose persistence system for Standard ML that uses Flash mapped into the virtual address space as its stable storage medium.

Flash supports a write-once/bulk-erase interface that makes it difficult to support update-in-place semantics. In addition, Flash chips are only guaranteed to survive a limited number of erase cycles. Gordon has been designed to overcome these difficulties, and our performance analysis demonstrates good performance and reasonable lifetimes for appropriate application domains.

[ .ps ]

@unpublished{MooreHN98,
author = {Jonathan T. Moore and Michael Hicks and Scott Nettles},
title = {General-Purpose Persistence Using Flash Memory},
year = 1997,
month = {April},
note = {Unpublished manuscript}
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Contextual Effects for Version-Consistent Dynamic Software Updating and Safe Concurrent Programming (extended version). Iulian Neamtiu, Michael Hicks, Jeffrey S. Foster, and Polyvios Pratikakis. Technical Report CS-TR-4875, University of Maryland, Department of Computer Science, July 2007.

This paper presents a generalization of standard effect systems that we call contextual effects. A traditional effect system computes the effect of an expression e. Our system additionally computes the effects of the computational context in which e occurs: both the effect of the computation that has already occurred (prior effects) and the effect of the computation yet to take place (future effects).

Contextual effects can be used in any application in which the past or future computation of the program is relevant at various program points. We present two substantial examples. First, we show how prior and future effects can be used to enforce transactional version consistency (TVC), a novel correctness property for dynamic software updates. TVC ensures that programmer-designated transactional code blocks appear to execute entirely at the same code version, even if a dynamic update occurs in the middle of the block. Second, we show how future effects can be used in the analysis of multi-threaded programs to find thread-shared locations. This is an essential step in applications such as data race detection.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Understanding Source Code Evolution Using Abstract Syntax Tree Matching. Iulian Neamtiu, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the International Workshop on Mining Software Repositories (MSR), pages 1–5, May 2005.

Mining software repositories at the source code level can provide a greater understanding of how software evolves. We present a tool for quickly comparing the source code of different versions of a C program. The approach is based on partial abstract syntax tree matching, and can track simple changes to global variables, types and functions. These changes can characterize aspects of software evolution useful for answering higher level questions. In particular, we consider how they could be used to inform the design of a dynamic software updating system. We report results based on measurements of various versions of popular open source programs, including BIND, OpenSSH, Apache, Vsftpd and the Linux kernel.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Practical Dynamic Software Updating for C. Iulian Neamtiu, Michael Hicks, Gareth Stoyle, and Manuel Oriol. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), pages 72–83, June 2006.

Software updates typically require stopping and restarting an application, but many systems cannot afford to halt service, or would prefer not to. Dynamic software updating (DSU) addresses this difficulty by permitting programs to be updated while they run. DSU is appealing compared to other approaches for on-line upgrades because it is quite general and requires no redundant hardware. The challenge is in making DSU practical: it should be flexible, and yet safe, efficient, and easy to use.

In this paper, we present Ginseng, a DSU implementation for C that aims to meet this challenge. We compile programs specially so that they can be dynamically patched, and generate most of a dynamic patch automatically. Ginseng performs a series of analyses that when combined with some simple runtime support ensure that an update will not violate type-safety while guaranteeing that data is kept up-to-date. We have used Ginseng to construct and dynamically apply patches to three substantial open-source server programs—Very Secure FTP daemon, OpenSSH sshd daemon, and GNU Zebra. In total, we dynamically patched each program with three years’ worth of releases. Though the programs changed substantially, the majority of updates were easy to generate. Performance experiments show that all patches could be applied in less than 5 ms, and that the overhead on application throughput due to updating support ranged from 0 to at most 32%.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Contextual Effects for Version-Consistent Dynamic Software Updating and Safe Concurrent Programming. Iulian Neamtiu, Michael Hicks, Jeffrey S. Foster, and Polyvios Pratikakis. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), pages 37–50, January 2008.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Safe and Timely Dynamic Updates for Multi-threaded Programs. Iulian Neamtiu and Michael Hicks. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), pages 13–24, June 2009.

Many dynamic updating systems have been developed that enable a program to be patched while it runs, to fix bugs or add new features. This paper explores techniques for supporting dynamic updates to multi-threaded programs, focusing on the problem of applying an update in a timely fashion while still producing correct behavior. Past work has shown that this tension of safety versus timeliness can be balanced for single-threaded programs. For multi-threaded programs, the task is more difficult because myriad thread interactions complicate understanding the possible program states to which a patch could be applied. Our approach allows the programmer to specify a few program points (e.g., one per thread) at which a patch may be applied, which simplifies reasoning about safety. To improve timeliness, a combination of static analysis and run-time support automatically expands these few points to many more that produce behavior equivalent to the originals. Experiments with thirteen realistic updates to three multi-threaded servers show that we can safely perform a dynamic update within milliseconds when more straightforward alternatives would delay some updates indefinitely.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

A Counterexample-guided Approach to Finding Numerical Invariants. ThanhVu Nguyen, Timos Antopoulos, Andrew Ruef, and Michael Hicks. In Proceedings of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE), September 2017.

Numerical invariants, e.g., relationships among numerical variables in a program, represent a useful class of properties to analyze programs. General polynomial invariants represent more complex numerical relations, but they are often required in many scientific and engineering applications. We present NumInv, a tool that implements a counterexample-guided invariant generation (CEGIR) to automatically discover numerical invariants, which are polynomial equality and inequality relations among numerical variables. This CEGIR technique infers candidate invariants from program traces and then checks them against the program source code using the KLEE test-input generation tool. If the invariants are incorrect KLEE returns counterexample traces, which help the dynamic inference obtain better results. Existing CEGIR approaches often require sound invariants, however NumInv sacrifices soundness and produces results that KLEE cannot refute within certain time bound. This design and the use of KLEE as a verifier allow NumInv to discover useful and important numerical invariants for many challenging programs.

Preliminary results show that NumInv generates required invariants for understanding and verifying correctness of programs involving complex arithmetic. We also show that NumInv discovers polynomial invariants that capture precise complexity bounds of programs used to benchmark existing static complexity analysis techniques. Finally, we show that NumInv performs competitively comparing to state of the art numerical invariant analysis tools

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Tagged Sets: a Secure and Transparent Coordination Medium. Manuel Oriol and Michael Hicks. In Jean-Marie Jacquet and Gian Pietro Picco, editors, Proceedings of the International Conference on Coordination Models and Languages (COORDINATION), volume 3454 of Lecture Notes in Computer Science, pages 252–267. Springer-Verlag, April 2005.

A simple and effective way of coordinating distributed, mobile, and parallel applications is to use a virtual shared memory (VSM), such as a Linda tuple-space. In this paper, we propose a new kind of VSM, called a tagged set. Each element in the VSM is a value with an associated tag, and values are read or removed from the VSM by matching the tag. Tagged sets exhibit three properties useful for VSMs:

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Merging Network Measurement with Data Transport (Extended Abstract). Pavlos Papageorgiou and Michael Hicks. In Proceedings of the IEEE Passive/Active Measurement Workshop (PAM), volume 3431, pages 368–371. Springer-Verlag, March 2005.

The tasks of measurement and data transport are often treated independently, but we believe there are benefits to bringing them together. This paper proposes the simple idea of a transport agent to encapsulate useful data within probe packets in place of useless padding.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Passive Aggressive Measurement with MGRP. Pavlos Papageorge, Justin McCann, and Michael Hicks. In Proceedings of the ACM SIGCOMM Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM), pages 279–290, August 2009.

We present the Measurement Manager Protocol (MGRP), an in-kernel service that schedules and transmits probes on behalf of active measurement tools. Unlike prior measurement services, MGRP transparently piggybacks application packets inside the often significant amounts of empty padding contained in typical probes. Using MGRP thus combines the modularity, flexibility, and accuracy of standalone active measurement tools with the lower overhead of passive measurement techniques. Microbenchmark experiments show that the resulting bandwidth savings makes it possible to measure the network accurately, but faster and more aggressively than without piggybacking, and with few ill effects to piggybacked application or competing traffic. When using MGRP to schedule measurements on behalf of MediaNet, an overlay service that adaptively schedules media streams, we show MediaNet can achieve significantly higher streaming rates under the same network conditions.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Build It, Break It, Fix It: Contesting Secure Development. James Parker, Michael Hicks, Andrew Ruef, Michelle L. Mazurek, Dave Levin, Daniel Votipka, Piotr Mardziel, and Kelsey R. Fulton. ACM Transactions on Privacy and Security (TOPS), 23(2), April 2020.

Typical security contests focus on breaking or mitigating the impact of buggy systems. We present the Build-it, Break-it, Fix-it (BIBIFI) contest, which aims to assess the ability to securely build software, not just break it. In BIBIFI, teams build specified software with the goal of maximizing correctness, performance, and security. The latter is tested when teams attempt to break other teams’ submissions. Winners are chosen from among the best builders and the best breakers. BIBIFI was designed to be open-ended—teams can use any language, tool, process, etc. that they like. As such, contest outcomes shed light on factors that correlate with successfully building secure software and breaking insecure software. We ran three contests involving a total of 156 teams and three different programming problems. Quantitative analysis from these contests found that the most efficient build-it submissions used C/C++, but submissions coded in a statically-type safe language were 11× less likely to have a security flaw than C/C++ submissions. Break-it teams that were also successful build-it teams were significantly better at finding security bugs.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Automated Detection of Persistent Kernel Control-Flow Attacks. Nick L. Petroni, Jr. and Michael Hicks. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), pages 103–115, October 2007.

This paper presents a new approach to dynamically monitoring operating system kernel integrity, based on a property called state-based control-flow integrity (SBCFI). Violations of SBCFI signal a persistent, unexpected modification of the kernel’s control-flow graph. We performed a thorough analysis of 25 Linux rootkits and found that 24 (96%) employ persistent control-flow modifications; an informal study of Windows rootkits yielded similar results. We have implemented SBCFI enforcement as part of the Xen and VMware virtual machine monitors. Our implementation detected all the control-flow modifying rootkits we could install, while imposing unnoticeable overhead for both a typical web server workload and CPU-intensive workloads when operating at 10 second intervals.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Automated Detection of Persistent Kernel Control-Flow Attacks. Nick L. Petroni, Jr. and Michael Hicks. Technical Report CS-TR-4880, Department of Computer Science, University of Maryland, October 2007. Extends the CCS 2007 paper with more thorough performance results.

This paper presents a new approach to dynamically monitoring operating system kernel integrity, based on a property called state-based control-flow integrity (SBCFI). Violations of SBCFI signal a persistent, unexpected modification of the kernel’s control-flow graph. We performed a thorough analysis of 25 Linux rootkits and found that 24 (96%) employ persistent control-flow modifications; an informal study of Windows rootkits yielded similar results. We have implemented SBCFI enforcement as part of the Xen and VMware virtual machine monitors. Our implementation detected all the control-flow modifying rootkits we could install, while imposing negligible overhead for both a typical web server workload and CPU-intensive workloads when operating at 1 second intervals on a multi-core machine.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Rubah: Efficient, General-purpose Dynamic Software Updating for Java. Luis Pina and Michael Hicks. In Proceedings of the Workshop on Hot Topics in Software Upgrades (HotSWUp), June 2013.

This paper presents Rubah, a new dynamic software updating (DSU) system for Java programs that works on stock VMs. Rubah supports a large range of program changes (e.g., changes to the class hierarchy and updates to running methods), does not restrict important programming idioms (e.g., reflection), and, as shown by performance experiments using an updatable version of the H2 database management system, imposes low overhead on normal execution.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Rubah: DSU for Java on a stock JVM. Luís Pina, Luís Veiga, and Michael Hicks. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), October 2014.

This paper presents Rubah, the first dynamic software updating system for Java that: is portable, implemented via libraries and bytecode rewriting on top of a standard JVM; is efficient, imposing essentially no overhead on normal, steady-state execution; is flexible, allowing nearly arbitrary changes to classes between updates; and is non-disruptive, employing either a novel eager algorithm that transforms the program state with multiple threads, or a novel lazy algorithm that transforms objects as they are demanded, post-update. Requiring little programmer effort, Rubah has been used to dynamically update five long-running applications: the H2 database, the Voldemort key-value store, the Jake2 implementation of the Quake 2 shooter game, the CrossFTP server, and the JavaEmailServer.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Tedsuto: A General Framework for Testing Dynamic Software Updates. Luis Pina and Michael Hicks. In Proceedings of the International Conference on Software Testing (ICST), April 2016.

Dynamic software updating (DSU) is a technique for patching running programs, to fix bugs or add new features. DSU avoids the downtime of stop-and-restart updates, but creates new risks—an incorrect or ill-timed dynamic update could result in a crash or misbehavior, defeating the whole purpose of DSU . To reduce such risks, dynamic updates should be carefully tested before they are deployed. This paper presents Tedsuto, a general testing framework for DSU, along with a concrete implementation of it for Rubah, a state-of-the-art Java-based DSU system. Tedsuto uses system-level tests developed for the old and new versions of the updateable software, and systematically tests whether a dynamic update might result in a test failure. Very often this process is fully automated, while in some cases (e.g., to test new-version functionality) some manual annotations are required. To evaluate Tedsuto’s efficacy, we applied it to dynamic updates previously developed (and tested in an ad hoc manner) for the H2 SQL database server and the CrossFTP server— two real-world, multithreaded systems. We used three large test suites, totalling 446 tests, and we found a variety of update-related bugs in short order, and at low cost.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

MVEDSUa: Higher Availability Dynamic Software Updates via Multi-Version Execution. Luis Pina, Anastasios Andronidis, Michael Hicks, and Cristian Cadar. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), April 2019.

Dynamic Software Updating (DSU) is a general-purpose technique for patching stateful software without shutting it down, which enables both timely updates and non-stop service. However, applying an update could induce a long delay in service, and bugs in the update—both in the changed code and in the specification for effecting that change dynamically—may cause the updated software to crash or misbehave.

This paper proposes MVEDSUa, a system that solves these problems by augmenting a DSU system with support for Multi-Version Execution (MVE). To start, MVEDSUa performs an update in parallel with the original system, thereby avoiding any service delay. Then, it monitors that the updated and original systems’ responses agree when given the same inputs. Expected differences are specified by the programmer, so remaining differences signal likely errors. If the new version shows no problems, it can be installed permanently.

We implemented MVEDSUa on top of Kitsune and Varan, state-of-the-art DSU and MVE systems respectively, and used it to update several high-performance servers: redis, memcached, and vsftpd. Our results show that MVEDSUa significantly reduces the update-time delay, imposes little overhead in steady state, and easily recovers from a variety of update-related errors.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Transparent Proxies for Java Futures. Polyvios Pratikakis, Jaime Spacco, and Michael Hicks. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), pages 206–223, October 2004.

A proxy object is a surrogate or placeholder that controls access to another target object. Proxies can be used to support distributed programming, lazy or parallel evaluation, access control, and other simple forms of behavioral reflection. However, wrapper proxies (like futures or suspensions for yet-to-be-computed results) can require significant code changes to be used in statically-typed languages, while proxies more generally can inadvertently violate assumptions of transparency, resulting in subtle bugs.

To solve these problems, we have designed and implemented a simple framework for proxy programming that employs a static analysis based on qualifier inference, but with additional novelties. Code for using wrapper proxies is automatically introduced via a classfile-to-classfile transformation, and potential violations of transparency are signaled to the programmer. We have formalized our analysis and proven it sound. Our framework has a variety of applications, including support for asynchronous method calls returning futures. Experimental results demonstrate the benefits of our framework: programmers are relieved of managing and/or checking proxy usage, analysis times are reasonably fast, overheads introduced by added dynamic checks are negligible, and performance improvements can be significant. For example, changing two lines in a simple RMI-based peer-to-peer application and then using our framework resulted in a large performance gain.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Transparent Proxies for Java Futures (Extended version). Polyvios Pratikakis, Jaime Spacco, and Michael Hicks. Technical Report CS-TR-4574, University of Maryland, Department of Computer Science, October 2004.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Existential Label Flow Inference via CFL Reachability (Extended Version). Polyvios Pratikakis, Michael Hicks, and Jeffrey S. Foster. Technical Report CS-TR-4700, Department of Computer Science, University of Maryland, July 2005.

Label flow analysis is a fundamental static analysis problem with a wide variety of applications. Previous work by Mossin developed a polynomial time subtyping-based label flow inference that supports Hindley-Milner style polymorphism with polymorphic recursion. Rehof et al have developed an efficient O(n³) inference algorithm for Mossin’s system based on context-free language (CFL) reachability. In this paper, we extend these results to a system that also supports existential polymorphism, which is important for precisely describing correlations among members of a structured type, even when values of that type are part of dynamic data structures. We first develop a provably sound checking system based on polymorphically-constrained types. As usual, we restrict universal quantification to the top level of a type, but existential quantification is first class, with subtyping allowed between existentials with the same binding structure. We then develop a CFL-based inference system. Programmers specify which positions in a type are existentially quantified, and the algorithm infers the constraints bound in the type, or rejects a program if the annotations are inconsistent.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Existential Label Flow Inference via CFL Reachability. Polyvios Pratikakis, Jeffrey S. Foster, and Michael Hicks. In Kwangkeun Yi, editor, Proceedings of the Static Analysis Symposium (SAS), volume 4134 of Lecture Notes in Computer Science, pages 88–106. Springer-Verlag, August 2006.

In programming languages, existential quantification is useful for describing relationships among members of a structured type. For example, we may have a list in which there exists some mutual exclusion lock l in each list element such that l protects the data stored in that element. With this information, a static analysis can reason about the relationship between locks and locations in the list even when the precise identity of the lock and/or location is unknown. To facilitate the construction of such static analyses, this paper presents a context-sensitive label flow analysis algorithm with support for existential quantification. Label flow analysis is a core part of many static analysis systems. Following Rehof et al, we use context-free language (CFL) reachability to develop an efficient O(n³) label flow inference algorithm. We prove the algorithm sound by reducing its derivations to those in a system based on polymorphically-constrained types, in the style of Mossin. We have implemented a variant of our analysis as part of a data race detection tool for C programs.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Context-sensitive Correlation Analysis for Detecting Races. Polyvios Pratikakis, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), pages 320–331, June 2006.

One common technique for preventing data races in multi-threaded programs is to ensure that all accesses to shared locations are consistently protected by a lock. We present a tool called Locksmith for detecting data races in C programs by looking for violations of this pattern. We call the relationship between locks and the locations they protect consistent correlation, and the core of our technique is a novel constraint-based analysis that infers consistent correlation context-sensitively, using the results to check that locations are properly guarded by locks. We present the core of our algorithm for a simple formal language lambda-corr which we have proven sound, and discuss how we scale it up to an algorithm that aims to be sound for all of C. We develop several techniques to improve the precision and performance of the analysis, including a sharing analysis for inferring thread locality; existential quantification for modeling locks in data structures; and heuristics for modeling unsafe features of C such as type casts. When applied to several benchmarks, including multi-threaded servers and Linux device drivers, Locksmith found several races while producing a modest number of false alarms.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Context-sensitive Correlation Analysis for Detecting Races (Extended version). Polyvios Pratikakis, Jeffrey S. Foster, and Michael Hicks. Technical Report CS-TR-4789, Department of Computer Science, University of Maryland, June 2006. Extends PLDI 2006 paper with full formal development.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Formalizing Soundness of Contextual Effects. Polyvios Pratikakis, Jeffrey S. Foster, Michael Hicks, and Iulian Neamtiu. In Otmane Aït Mohamed, César Mun̄oz, and Sofiène Tahar, editors, Proceedings of the International Conference on Theorem Proving in Higher Order Logics (TPHOLs), volume 5170 of Lecture Notes in Computer Science, pages 262–277. Springer, August 2008.

A contextual effects system generalizes standard type and effect systems: where a standard effects system computes the effect of an expression e, a contextual effects system additionally computes the prior and future effect of e, which characterize the behavior of computation prior to, and following, respectively, the evaluation of e. This paper describes the formalization and proof of soundness of contextual effects, which we mechanized using the Coq proof assistant. Contextual effect soundness is an unusual property because the prior and future effect of a term e depends not on e itself (or its evaluation), but rather on the evaluation of the context in which e appears. Therefore, to state and prove soundness we must “match up” a subterm in the original typing derivation with the possibly-many evaluations of that subterm during the evaluation of the program, in a way that is robust under substitution. We do this using a novel typed operational semantics. We conjecture that our approach could prove useful for approaching other properties of derivations that rely on the context in which that derivation appears.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Locksmith: Practical Static Race Detection for C. Polyvios Pratikakis, Jeffrey S. Foster, and Michael Hicks. ACM Transactions on Programming Languages and Systems (TOPLAS), 33(1):Article 3, January 2011.

Locksmith is a static analysis tool for automatically detecting data races in C programs. In this paper, we describe each of Locksmith’s component analyses precisely, and present systematic measurements that isolate interesting tradeoffs between precision and efficiency in each analysis. Using a benchmark suite comprising standalone applications and Linux device drivers totaling more than 200,000 lines of code, we found that a simple no-worklist strategy yielded the most efficient interprocedural dataflow analysis; that our sharing analysis was able to determine that most locations are thread-local, and therefore need not be protected by locks; that modeling C structs and void pointers precisely is key to both precision and efficiency; and that context-sensitivity yields a much more precise analysis, though with decreased scalability. Put together, our results illuminate some of the key engineering challenges in building Locksmith and data race detection analyses in particular, and constraint-based program analyses in general.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Knowledge Inference for Optimizing Secure Multi-party Computation. Aseem Rastogi, Piotr Mardziel, Matthew Hammer, and Michael Hicks. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), June 2013.

In secure multi-party computation, mutually distrusting parties cooperatively compute functions of their private data; in the process, they only learn certain results as per the protocol (e.g., the final output). The realization of these protocols uses cryptographic techniques to avoid leaking information between the parties. A protocol for a secure computation can sometimes be optimized without changing its security guarantee: when the parties can use their private data and the revealed output to infer the values of other data, then this other data need not be concealed from them via cryptography.

In the context of automatically optimizing secure multi-party computation, we define two related problems, knowledge inference and constructive knowledge inference. In both problems, we attempt to automatically discover when and if intermediate variables used in a protocol will (eventually) be known to the parties involved in the computation. Provably-known variables offer optimization opportunities.

We formally state the problem of knowledge inference (and its constructive variant); we describe our solutions, which are built atop existing, standard technology such as SMT solvers. We show that our approach is sound, and further, we characterize the completeness properties enjoyed by our approach. We have implemented our approach, and present a preliminary experimental evaluation.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations. Aseem Rastogi, Matthew A. Hammer, and Michael Hicks. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland), May 2014.

In a Secure Multiparty Computation (SMC), mutually distrusting parties use cryptographic techniques to cooperatively compute over their private data; in the process each party learns only explicitly revealed outputs. In this paper, we present Wysteria, a high-level programming language for writing SMCs. As with past languages, like Fairplay, Wysteria compiles secure computations to circuits that are executed by an underlying engine. Unlike past work, Wysteria provides support for mixed-mode programs, which combine local, private computations with synchronous SMCs. Wysteria complements a standard feature set with built-in support for secret shares and with wire bundles, a new abstraction that supports generic n-party computations. We have formalized Wysteria, its refinement type system, and its operational semantics. We show that Wysteria programs have an easy-to-understand single-threaded interpretation and prove that this view corresponds to the actual multi-threaded semantics. We also prove type soundness, a property we show has security ramifications, namely that information about one party’s data can only be revealed to another via (agreed upon) secure computations. We have implemented Wysteria, and used it to program a variety of interesting SMC protocols from the literature, as well as several new ones. We find that Wysteria’s performance is competitive with prior approaches while making programming far easier, and more trustworthy.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations (extended version). Aseem Rastogi, Matthew A. Hammer, and Michael Hicks. Technical Report CS-TR-5034, Department of Computer Science, the University of Maryland, College Park, May 2014.

In a Secure Multiparty Computation (SMC), mutually distrusting parties use cryptographic techniques to cooperatively compute over their private data; in the process each party learns only explicitly revealed outputs. In this paper, we present Wysteria, a high-level programming language for writing SMCs. As with past languages, like Fairplay, Wysteria compiles secure computations to circuits that are executed by an underlying engine. Unlike past work, Wysteria provides support for mixed-mode programs, which combine local, private computations with synchronous SMCs. Wysteria complements a standard feature set with built-in support for secret shares and with wire bundles, a new abstraction that supports generic n-party computations. We have formalized Wysteria, its refinement type system, and its operational semantics. We show that Wysteria programs have an easy-to-understand single-threaded interpretation and prove that this view corresponds to the actual multi-threaded semantics. We also prove type soundness, a property we show has security ramifications, namely that information about one party’s data can only be revealed to another via (agreed upon) secure computations. We have implemented Wysteria, and used it to program a variety of interesting SMC protocols from the literature, as well as several new ones. We find that Wysteria’s performance is competitive with prior approaches while making programming far easier, and more trustworthy.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamic Inference of Polymorphic Lock Types. James Rose, Nikhil Swamy, and Michael Hicks. In Proceedings of the ACM Conference on Principles of Distributed Computing (PODC) Workshop on Concurrency and Synchronization in Java Programs (CSJP), pages 18–25, July 2004.

We present an approach for automatically proving the absence of race conditions in multi-threaded Java programs, using a combination of dynamic and static analysis. The program in question is instrumented so that when executed it will gather information about locking relationships. This information is then fed to our tool, FindLocks, that generates annotations needed to type check the program using the Race-Free Java type system. Our approach extends existing inference algorithms by being fully context-sensitive. We describe the design and implementation of our approach, and our experience applying the tool to a variety of Java programs. In general, we have found the approach works well, but has trouble scaling to large programs, which require extensive testing for full coverage.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamic Inference of Polymorphic Lock Types. James Rose, Nikhil Swamy, and Michael Hicks. Science of Computer Programming (SCP), 58(3):366–383, December 2005. Special Issue on Concurrency and Synchronization in Java programs. Supercedes 2004 CSJP paper of the same name.

[ .pdf ]

@article{rose05scp,
author = {James Rose and Nikhil Swamy and Michael Hicks},
title = {Dynamic Inference of Polymorphic Lock Types},
journal = {Science of Computer Programming (SCP)},
volume = 58,
number = 3,
pages = {366–383},
month = {December},
year = 2005,
note = {Special Issue on Concurrency and Synchronization in Java programs. Supercedes 2004 CSJP paper of the same name.},
publisher = {Elsevier}
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Build It Break It: Measuring and Comparing Development Security. Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Atif Memon, Jandelyn Plane, and Piotr Mardziel. In Proceedings of the USENIX Workshop on Cyber Security Instrumentation and Test (CSET), August 2015.

There is currently little evidence about what tools, methods, processes, and languages lead to secure software. We present the experimental design of the Build it Break it secure programming contest as an aim to provide such evidence. The contest also provides education value to participants where they gain experience developing programs in an adversarial settings. We show preliminary results from previous runs of the contest that demonstrate the contest works as designed, and provides the data desired. We are in the process of scaling the contest to collect larger data sets with the goal of making statistically significant correlations between various factors of development and software security.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Achieving Safety Incrementally with Checked C. Andrew Ruef, Leonidas Lampropoulos, Ian Sweet, David Tarditi, and Michael Hicks. In Proceedings of the Symposium on Principles of Security and Trust (POST), April 2019.

Checked C is a new effort working toward a memory-safe C. Its design is distinguished from that of prior efforts by truly being an extension of C: Every C program is also a Checked C program. Thus, one may make incremental safety improvements to existing codebases while retaining backward compatibility. This paper makes two contributions. First, to help developers convert existing C code to use so-called checked (i.e., safe) pointers, we have developed a preliminary, automated porting tool. Notably, this tool takes advantage of the flexibility of Checked C’s design: The tool need not perfectly classify every pointer, as required of prior all-or-nothing efforts. Rather, it can make a best effort to convert more pointers accurately, without letting inaccuracies inhibit compilation. However, such partial conversion raises the question: If safety violations can still occur, what sort of advantage does using Checked C provide? We draw inspiration from research on migratory typing to make our second contribution: We prove a blame property that renders so-called checked regions blameless of any run-time failure. We formalize this property for a core calculus and mechanize the proof in Coq.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Safe and Flexible Controller Upgrades for SDNs. Karla Saur, Joseph Collard, Nate Foster, Arjun Guha, Laurent Vanbever, and Michael Hicks. In Proceedings of the Symposium on SDN Research (SOSR), March 2016.

SDN controllers must be periodically upgraded to add features, improve performance, and fix bugs, but current techniques for implementing dynamic updates—i.e., without disrupting ongoing network functions—are inadequate. Simply halting the old controller and bringing up the new one can cause state to be lost, leading to incorrect behavior. For example, if the state represents flows blacklisted by a firewall, then traffic that should be blocked may be allowed to pass through. Techniques based on record and replay can reconstruct controller state automatically, but they are expensive to deploy and do not work in all scenarios.

This paper presents a new approach to implementing dynamic updates for SDN controllers. We present the design and implementation of a new controller platform called Morpheus that uses explicit state transfer to implement dynamic updates. Morpheus enables programmers to directly initialize the upgraded controller’s state as a function of its existing state, using a domain-specific language that is designed to be easy to use. Morpheus also offers a distributed protocol for safely deploying updates across multiple nodes. Experiments confirm that Morpheus provides correct behavior and good performance.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

C-Strider: Type-Aware Heap Traversal for C. Karla Saur, Michael Hicks, and Jeffrey S. Foster. Software, Practice, and Experience, May 2015.

Researchers have proposed many tools and techniques that work by traversing the heap, including checkpointing systems, heap profilers, heap assertion checkers, and dynamic software updating systems. Yet building a heap traversal for C remains difficult, and to our knowledge extant services have used their own application-specific traversals. This paper presents C-strider, a framework for writing C heap traversals and transformations. Writing a basic C-strider service requires implementing only four callbacks; C-strider then generates a program-specific traversal that invokes the callbacks as each heap location is visited. Critically, C-strider is type aware—it tracks types as it walks the heap, so every callback is supplied with the exact type of the associated location. We used C-strider to implement heap serialization, dynamic software updating, heap checking, and profiling, and then applied the resulting traversals to several programs. We found C-strider requires little programmer effort, and the resulting services are efficient and effective.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Evolving NoSQL Databases Without Downtime. Karla Saur, Tudor Dumitraş, and Michael Hicks. In Proceedings of the International Conference on Software Maintenance and Evolution (ICSME), October 2016.

NoSQL databases like Redis, Cassandra, and MongoDB are increasingly popular because they are flexible, lightweight, and easy to work with. Applications that use these databases will evolve over time, sometimes necessitating (or preferring) a change to the format or organization of the data. The problem we address in this paper is: How can we support the evolution of high-availability applications and their NoSQL data online, without excessive delays or interruptions, even in the presence of backward-incompatible data format changes?

We present KVolve, an extension to the popular Redis NoSQL database, as a solution to this problem. KVolve permits a developer to submit an upgrade specification that defines how to transform existing data to the newest version. This transformation is applied lazily as applications interact with the database, thus avoiding long pause times. We demonstrate that KVolve is expressive enough to support substantial practical updates, including format changes to RedisFS, a Redis-backed file system, while imposing essentially no overhead in general use and minimal pause times during updates.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamic Rebinding for Marshalling and Update, via Redex-time and Destruct-time Reduction. Peter Sewell, Gareth Stoyle, Michael Hicks, Gavin Bierman, and Keith Wansbrough. Journal of Functional Programming (JFP), 18(4):437–502, July 2008. Appeared on-line October, 2007. Supercedes ICFP 2003 and USE 2003 papers.

Most programming languages adopt static binding, but for distributed programming an exclusive reliance on static binding is too restrictive: dynamic binding is required in various guises, for example when a marshalled value is received from the network, containing identifiers that must be rebound to local resources. Typically it is provided only by ad-hoc mechanisms that lack clean semantics.

In this paper we adopt a foundational approach, developing core dynamic rebinding mechanisms as extensions to the simply-typed call-by-value lambda-calculus. To do so we must first explore refinements of the call-by-value reduction strategy that delay instantiation, to ensure computations make use of the most recent versions of rebound definitions. We introduce redex-time and destruct-time strategies. The latter forms the basis for a lambda-marsh calculus that supports dynamic rebinding of marshalled values, while remaining as far as possible statically-typed. We sketch an extension of lambda-marsh with concurrency and communication, giving examples showing how wrappers for encapsulating untrusted code can be expressed. Finally, we show that a high-level semantics for dynamic updating can also be based on the destruct-time strategy, defining a lambda-update calculus with simple primitives to provide type-safe updating of running code. We show how the ideas of this simple calculus extend to more real-world, module-level dynamic updating in the style of Erlang. We thereby establish primitives and a common semantic foundation for a variety of real-world dynamic rebinding requirements.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Towards Standardized Benchmarks for Dynamic Software Updating Systems. Edward K. Smith, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the Workshop on Hot Topics in Software Upgrades (HotSWUp), pages 11–15, June 2012.

Dynamic Software Updating (DSU) has been an active topic of research for at least the last 30 years. However, despite many recent advances, DSU has yet to see widespread adoption and deployment in practice. In this paper, we review a slice of the history of DSU research to study how DSU for C has evolved over the last two decades. We examine the ways DSU systems are evaluated in the research literature. We identify several shortcomings of the evaluation criteria that have been used, and propose key improvements. We believe that using better evaluation criteria can guide DSU research to produce systems that will be more practical, flexible, and usable.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Evolution in Action: Using Active Networking to Evolve Network Support for Mobility. Seo-Kyu Song, Stephen Shannon, Michael Hicks, and Scott Nettles. In James Sterbenz, Osamu Takada, Christian Tschudin, and Bernhard Plattner, editors, Proceedings of the Fourth International Working Conference on Active Networks (IWAN), volume 2546 of Lecture Notes in Computer Science, pages 146–161. Springer-Verlag, December 2002.

A key early objective of Active Networking (AN) was to support on-the-fly network evolution. Although AN has been used relatively extensively to build application-customized protocols and even whole networking systems, demonstrations of evolution have been limited. This paper examines three AN mechanisms and how they enable evolution: active packets and plug-in extensions, well-known to the AN community, and update extensions, which are novel to AN. We devote our presentation to a series of demonstrations of how each type of evolution can be applied to the problem of adding support for mobility to a network. This represents the most large-scale demonstration of AN evolution to date. These demonstrations show what previous AN research has not: that AN technology can, in fact, support very significant changes to the network, even while the network is operational.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Defining and Enforcing C’s Module System. Saurabh Srivastava, Michael Hicks, Jeffrey S. Foster, and Bhargav Kanagal. Technical Report CS-4816, Department of Computer Science, University of Maryland, July 2006.

Programming language module systems are an important tool for managing the complexity of large software systems. The C programming language is used to build many such systems, yet it lacks a proper module system. Instead, C programmers typically follow a convention that treats .h header files as interfaces and .c source files as modules. This convention can be effective, but there are many subtleties in using it correctly, and the compiler and linker provide no enforcement mechanism. As a result, misuse of the convention can lead to hard-to-find bugs, can make reasoning about code in isolation more difficult, and can complicate future code maintenance.

This paper presents CMod, a module system for C that ensures abstraction via information hiding and type-safe separate compilation. Our approach is to identify and enforce the circumstances under which C’s current modular programming convention is sound. The result is four rules that, using an operational semantics for an idealized preprocessor, we have proven are sufficient to guarantee the desired modularity properties. We have implemented CMod for the full C language and applied it to a number of benchmarks. We found that most of the time legacy programs obey CMod’s rules, or can be made to with minimal effort, and rule violations often result in type errors or brittle code. Thus CMod brings the benefits of modular programming to C while still supporting legacy systems.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Modular Information Hiding and Type Safety for C. Saurabh Srivastava, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the ACM Workshop on Types in Language Design and Implementation (TLDI), pages 3–14, January 2007.

This paper presents CMod, a novel tool that provides a sound module system for C . CMod works by enforcing a set of four rules that are based on principles of modular reasoning and on current programming practice. CMod’s rules flesh out the convention that .h header files are module interfaces and .c source files are module implementations. Although this convention is well-known, developing CMod’s rules revealed there are many subtleties in applying the basic pattern correctly. We have proven formally that CMod’s rules enforce both information hiding and type-safe linking. We evaluated CMod on a number of benchmarks, and found that most programs obey CMod’s rules, or can be made to with minimal effort, while rule violations reveal brittle coding practices including numerous information hiding violations and occasional type errors.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Appendix to CMod: Modular Information Hiding and Type-Safe Linking for C. Saurabh Srivastava, Michael Hicks, and Jeffrey S. Foster. Technical Report CS-TR-4874, Department of Computer Science, University of Maryland, June 2007.

This brief note is an appendix to CMod: Modular Information Hiding and Type-Safe Linking for C (Srivastava et al., June 2007). It consists of the proof of soundness for the formal language presented in that paper.

[ .pdf ]

@techreport{srivastava07cmodjournaltr,
 author = {Saurabh Srivastava and Michael Hicks and Jeffrey S. Foster},
 title = {Appendix to {CMod}: Modular Information Hiding and Type-Safe Linking for {C}},
 institution = {Department of Computer Science, University of Maryland},
 month = jun,
 year = 2007,
 number = {CS-TR-4874}
}

This file was generated by bibtex2html 1.99.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Modular Information Hiding and Type Safe Linking for C. Saurabh Srivastava, Michael Hicks, Jeffrey S. Foster, and Patrick Jenkins. IEEE Transactions on Software Engineering, 34(3):1–20, May 2008. Full version of TLDI 07 paper.

To use CMod, the programmer develops and builds their software as usual, redirecting the compiler and linker to CMod’s wrappers. We evaluated CMod by applying it to 30 open source programs, totaling more than one million lines of code. Violations to CMod’s rules revealed more than a thousand information hiding errors, dozens of typing errors, and hundreds of cases that, although not currently bugs, make programming mistakes more likely as the code evolves. At the same time, programs generally adhere to the assumptions underlying CMod’s rules, and so we could fix rule violations with a modest effort. We conclude that CMod can effectively support modular programming in C: it soundly enforces type-safe linking and information hiding while being largely compatible with existing practice.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Deanonymizing Mobility Traces: Using a Social Network as a Side-Channel. Mudhakar Srivatsa and Michael Hicks. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), October 2012.

Location-based services, which employ data from smartphones, vehicles, etc., are growing in popularity.
To reduce the threat that shared location data poses to a user’s privacy, some services anonymize or obfuscate this data. In this paper, we show these methods can be effectively defeated: a set of location traces can be deanonymized given an easily obtained social network graph. The key idea of our approach is that a user may be identified by those she meets: a contact graph identifying meetings between anonymized users in a set of traces can be structurally correlated with a social network graph, thereby identifying anonymized users. We demonstrate the effectiveness of our approach using three real world datasets: University of St Andrews mobility trace and social network (27 nodes each), SmallBlue contact trace and Facebook social network (125 nodes), and Infocom 2006 bluetooth contact traces and conference attendees’ DBLP social network (78 nodes). Our experiments show that 80% of users are identified precisely, while only 8% are identified incorrectly, with the remainder mapped to a small set of users.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Mutatis Mutandis: Safe and Flexible Dynamic Software Updating. Gareth Stoyle, Michael Hicks, Gavin Bierman, Peter Sewell, and Iulian Neamtiu. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), pages 183–194, January 2005.

Dynamic software updates can be used to fix bugs or add features to a running program without downtime. Essential for some applications and convenient for others, low-level dynamic updating support has been used for many years. However, there is little high-level understanding that would support programmers in writing dynamic updates effectively.

In an effort to bridge this gap, we present a formal calculus called Proteus for modeling dynamic software updating in C-like languages that is flexible, safe, and predictable. Proteus supports dynamic updates to functions (even those that are active) and types, allowing on-line evolution to match source-code evolution as we have observed it in practice. All updates are provably type-safe and representation-consistent, meaning that only one version of a given type may exist in the program at any time, simplifying reasoning and avoiding unintuitive copy-based semantics. Finally, Proteus’s novel and efficient static updateability analysis allows a programmer to automatically prove that an update is independent of the on-line program state, and thus predict it will not fail dynamically. Proteus admits a straightforward implementation, and we sketch how it could be extended to more advanced language features including threads.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Mutatis Mutandis: Safe and Flexible Dynamic Software Updating (full version). Gareth Stoyle, Michael Hicks, Gavin Bierman, Peter Sewell, and Iulian Neamtiu. ACM Transactions on Programming Languages and Systems (TOPLAS), 29(4), August 2007. Full version of POPL 05 paper.

This paper presents Proteus, a core calculus that models dynamic software updating, a service for fixing bugs and adding features to a running program. Proteus permits a program’s type structure to change dynamically but guarantees the updated program remains type-correct by ensuring a property we call “con-freeness.” We show how con-freeness can be enforced dynamically, and how it can be approximated via a novel static analysis. This analysis can be used to assess the implications of a program’s structure on future updates, to make update success more predictable. We have implemented Proteus for C, and briefly discuss our implementation, which we have tested on several well-known programs.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Dynamic Software Updates: A VM-Centric Approach. Suriya Subramanian, Michael Hicks, and Kathryn S. McKinley. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), pages 1–12, June 2009.

Software evolves to fix bugs and add features. Stopping and restarting programs to apply changes is inconvenient and often costly. Dynamic software updating (DSU) addresses this problem by updating programs while they execute, but existing DSU systems for managed languages do not support many updates that occur in practice and are inefficient. This paper presents the design and implementation of Jvolve, a DSU-enhanced Java VM. Updated programs may add, delete, and replace fields and methods anywhere within the class hierarchy. Jvolve implements these updates by adding to and coordinating VM classloading, just-in-time compilation, scheduling, return barriers, on-stack replacement, and garbage collection. Jvolve is safe: its use of bytecode verification and VM thread synchronization ensures that an update will always produce type-correct executions. Jvolve is flexible: it can support 20 of 22 updates to three open-source programs—Jetty web server, JavaEmailServer, and CrossFTP server—based on actual releases occurring over 1 to 2 years. Jvolve is efficient: performance experiments show that incurs no overhead during steady-state execution. These results demonstrate that this work is a significant step towards practical support for dynamic updates in virtual machines for managed languages.

[ .pdf ]

@inproceedings{subramanian09jvolve,
author = {Suriya Subramanian and Michael Hicks and Kathryn S. McKinley},
title = {Dynamic Software Updates: A {VM}-Centric Approach},
booktitle = {Proceedings of the {ACM} Conference on Programming Language Design and Implementation (PLDI)},
month = jun,
year = 2009,
pages = {1–12}
}

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Safe Manual Memory Management in Cyclone. Nikhil Swamy, Michael Hicks, Greg Morrisett, Dan Grossman, and Trevor Jim. Science of Computer Programming (SCP), 62(2):122–144, October 2006. Special issue on memory management. Expands ISMM conference paper of the same name.

The goal of the Cyclone project is to investigate how to make a low-level C-like language safe. Our most difficult challenge has been providing programmers control over memory management while retaining safety. This paper describes our experience trying to integrate and use effectively two previously-proposed, safe memory-management mechanisms: statically-scoped regions and tracked pointers. We found that these typing mechanisms can be combined to build alternative memory-management abstractions, such as reference counted objects and arenas with dynamic lifetimes, and thus provide a flexible basis. Our experience—porting C programs and device drivers, and building new applications for resource-constrained systems—confirms that experts can use these features to improve memory footprint and sometimes to improve throughput when used instead of, or in combination with, conservative garbage collection.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Managing Policy Updates in Security-Typed Languages. Nikhil Swamy, Michael Hicks, Stephen Tse, and Steve Zdancewic. In Proceedings of the Computer Security Foundations Workshop (CSFW), pages 202–216, July 2006.

This paper presents RX, a new security-typed programming language with features intended to make the management of information-flow policies more practical. Security labels in RX, in contrast to prior approaches, are defined in terms of owned roles, as found in the RT role-based trust-management framework. Role-based security policies allows flexible delegation, and our language RX provides constructs through which programs can robustly update policies and react to policy updates dynamically. Our dynamic semantics use statically verified transactions to eliminate illegal information flows across updates, which we call transitive flow. Because policy updates can be observed through dynamic queries, policy updates can potentially reveal sensitive information. As such, RX considers policy statements themselves to be potentially confidential information and subject to information-flow metapolicies.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Managing Policy Updates in Security-Typed Languages (Extended version). Nikhil Swamy, Michael Hicks, Stephen Tse, and Steve Zdancewic. Technical Report CS-TR-4793, Department of Computer Science, University of Maryland, August 2006. Extends CSFW version to include full proofs and additional discussion about metapolicies.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Verified Enforcement of Security Policies for Cross-Domain Information Flows. Nikhil Swamy, Michael Hicks, and Simon Tsang. In Proceedings of the 2007 Military Communications Conference (MILCOM), October 2007.

We describe work in progress that uses program analysis to show that security-critical programs, such as cross-domain guards, correctly enforce cross-domain security policies. We are enhancing existing techniques from the field of security-oriented programming languages to construct a new language for the construction of secure networked applications, SELinks. In order to specify and enforce expressive and fine-grained policies, we advocate dynamically associating security labels with sensitive entities. Programs written in SELinks are statically guaranteed to correctly manipulate an entity’s security labels and to ensure that the appropriate policy checks mediate all operations that are performed on the entity. We discuss the design of our main case study: a web-based collaborative planning application that will permit a collection of users, with varying security requirements and clearances, to access sensitive data sources and collaboratively create documents based on these sources.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Verified Enforcement of Stateful Information Release Policies. Nikhil Swamy and Michael Hicks. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), pages 21–32, June 2008.

Many organizations specify information release policies to describe the terms under which sensitive information may be released to other organizations. This paper presents a new approach for ensuring that security-critical software correctly enforces its information release policy. Our approach has two parts. First, an information release policy is specified as a security automaton written in a new language called AIR. Second, we enforce an AIR policy by translating it into an API for programs written in Lair, a core formalism for a functional programming language. Lair uses a novel combination of dependent, affine, and singleton types to ensure that the API is used correctly. As a consequence we can certify that programs written in Lair meet the requirements of the original AIR policy specification.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Fable: A Language for Enforcing User-defined Security Policies. Nikhil Swamy, Brian Corcoran, and Michael Hicks. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland), pages 369–383, May 2008.

This paper presents Fable, a core formalism for a programming language in which programmers may specify security policies and reason that these policies are properly enforced. In Fable, security policies can be expressed by associating security labels with the data or actions they protect. Programmers define the semantics of labels in a separate part of the program called the enforcement policy. Fable prevents a policy from being circumvented by allowing labeled terms to be manipulated only within the enforcement policy; application code must treat labeled values abstractly. Together, these features facilitate straightforward proofs that programs implementing a particular policy achieve their high-level security goals. Fable is flexible enough to implement a wide variety of security policies, including access control, information flow, provenance, and security automata. We have implemented Fable as part of the Links web programming language; we call the resulting language SELinks. We report on our experience using SElinks to build two substantial applications, a wiki and an on-line store, equipped with a combination of access control and provenance policies. To our knowledge, no existing framework enables the enforcement of such a wide variety of security policies with an equally high level of assurance.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

A Theory of Typed Coercions and its Applications. Nikhil Swamy, Michael Hicks, and Gavin S. Bierman. In Proceedings of the ACM International Conference on Functional Programming (ICFP), pages 329–340, August 2009.

A number of important program rewriting scenarios can be recast as type-directed coercion insertion. These range from more theoretical applications such as coercive subtyping and supporting overloading in type theories, to more practical applications such as integrating static and dynamically typed code using gradual typing, and inlining code to enforce security policies such as access control and provenance tracking. In this paper we give a general theory of type-directed coercion insertion. We specifically explore the inherent tradeoff between expressiveness and ambiguity—the more powerful the strategy for generating coercions, the greater the possibility of several, semantically distinct rewritings for a given program. We consider increasingly powerful coercion generation strategies, work out example applications supported by the increased power (including those mentioned above), and identify the inherent ambiguity problems of each setting, along with various techniques to tame the ambiguities.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Lightweight Monadic Programming in ML. Nikhil Swamy, Nataliya Guts, Daan Leijen, and Michael Hicks. In Proceedings of the ACM International Conference on Functional Programming (ICFP), pages 15–27, September 2011.

Many useful programming constructions can be expressed as monads. Examples include probabilistic modeling, functional reactive programming, parsing, and information flow tracking, not to mention effectful functionality like state and I/O. In this paper, we present a type-based rewriting algorithm to make programming with arbitrary monads as easy as using ML’s built-in support for state and I/O. Developers write programs using monadic values of type M t as if they were of type t, and our algorithm inserts the necessary binds, units, and monad-to-monad morphisms so that the program type checks. Our algorithm, based on Jones' qualified types, produces principal types. But principal types are sometimes problematic: the program’s semantics could depend on the choice of instantiation when more than one instantiation is valid. In such situations we are able to simplify the types to remove any ambiguity but without adversely affecting typability; thus we can accept strictly more programs. Moreover, we have proved that this simplification is efficient (linear in the number of constraints) and coherent: while our algorithm induces a particular rewriting, all related rewritings will have the same semantics. We have implemented our approach for a core functional language and applied it successfully to simple examples from the domains listed above, which are used as illustrations throughout the paper.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

What’s the Over/Under? Probabilistic Bounds on Information Leakage. Ian Sweet, José Manuel Calderón Trilla, Chad Scherrer, Michael Hicks, and Stephen Magill. In Proceedings of the Symposium on Principles of Security and Trust (POST), April 2018.

Quantitative information flow (QIF) is concerned with measuring how much of a secret is leaked to an adversary who observes the result of a computation that uses it. Prior work has shown that QIF techniques based on abstract interpretation with probabilistic polyhedra can be used to analyze the worst-case leakage of a query, on-line, to determine whether that query can be safely answered. While this approach can provide precise estimates, it does not scale well. This paper shows how to solve the scalability problem by augmenting the baseline technique with sampling and symbolic execution. We prove that our approach never underestimates a query’s leakage (it is sound), and detailed experimental results show that we can match the precision of the baseline technique but with orders of magnitude better performance.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Short Paper: Probabilistically Almost-Oblivious Computation. Ian Sweet, David Darais, and Michael Hicks. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), November 2020.

Memory-trace Obliviousness (MTO) is a noninterference property: programs that enjoy it have neither explicit nor implicit information leaks, even when the adversary can observe the program counter and the address trace of memory accesses. Probabilistic MTO relaxes MTO to accept probabilistic programs. In prior work, we developed λ_obliv, whose type system aims to enforce PMTO. We showed that λ_obliv could typecheck (recursive) Tree ORAM, a sophisticated algorithm that implements a probabilistically oblivious key-value store. We conjectured that λ_obliv ought to be able to typecheck more optimized oblivious data structures (ODSs), but that its type system was as yet too weak.

In this short paper we show we were wrong: ODSs cannot be implemented in λ_obliv because they are not actually PMTO, due to the possibility of overflow, meaning: a write may silently fail due to a local lack of space. This was surprising to us because Tree ORAM can also overflow but is still PMTO . The paper explains what is going on and sketches the task of adapting the PMTO property, and λ_obliv’s type system, to characterize ODS security.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Symphony: Expressive Secure Multiparty Computation with Coordination. Ian Sweet, David Darais, David Heath, Ryan Estes, Bill Harris, and Michael Hicks. <Programming>, 7(14), February 2023.

Context Secure Multiparty Computation (MPC) refers to a family of cryptographic techniques where mutually untrusting parties may compute functions of their private inputs while revealing only the function output.

Inquiry It can be hard to program MPCs correctly and efficiently using existing languages and frameworks, especially when they require coordinating disparate computational roles. How can we make this easier?

Publication

Fri, 17 Oct 2025 07:37:49 -0400

MultiOtter: Multiprocess Symbolic Execution. Jonathan Turpie, Elnatan Reisner, Jeffrey S. Foster, and Michael Hicks. Technical Report CS-TR-4982, University of Maryland Department of Computer Science, August 2011.

Symbolic execution can be an effective technique for exploring large numbers of program paths, but it has generally been applied to programs running in isolation, whose inputs are files or command-line arguments. Programs that take inputs from other programs—servers, for example—have been beyond the reach of symbolic execution. To address this, we developed a multiprocess symbolic executor called MultiOtter, along with an implementation of many of the POSIX functions, such as socket and select, that interactive programs usually rely on. However, that is just a first step. Next, we must determine what symbolic inputs to feed to an interactive program to make multiprocess symbolic execution effective. Providing completely unconstrained symbolic values causes symbolic execution to spend too much time exploring uninteresting paths, such as paths to handle invalid inputs. MultiOtter allows us to generate inputs that conform to a context-free grammar, similar to previous work, but it also enables new input generation capabilities because we can now run arbitrary programs concurrently with the program being studied. As examples, we symbolically executed a key-value store server, redis, and an FTP server, vsftpd, each with a variety of inputs, including symbolic versions of tests from redis’s test suite and wget as a client for vsftpd. We report the coverage provided by symbolic execution with various forms of symbolic input, showing that different testing goals require different degrees of symbolic inputs.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Toward A Quantum Programming Language for Higher-Level Formal Verification. Finn Voichick and Michael Hicks. In Informal Proceedings of the Workshop on Programming Languages and Quantum Computing (PLanQC), June 2021.

We present QuantumOne, a quantum programming language formalized within the Coq proof assistant and designed for formal verification of quantum algorithms. This language allows for working with superpositions of tagged unions, allowing for quantum data more complicated than simple qubits. This paper outlines the formal syntax, operational semantics, and typing judgment of QuantumOne.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Qunity: A Unified Language for Quantum and Classical Computing. Finn Voichick, Liyi Li, Robert Rand, and Michael Hicks. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), January 2023.

We introduce Qunity, a new quantum programming language designed around the central goal of treating quantum computing as a natural generalization of classical computing. Qunity presents a unified syntax where familiar programming constructs can have both quantum and classical effects. For example, one can use sum types to implement the direct sum of linear operators, exception handling syntax to implement projective measurements, and aliasing to induce entanglement. Further, Qunity takes advantage of the overlooked bqp subroutine theorem, allowing one to construct reversible subroutines from irreversible quantum algorithms through the uncomputation of “garbage” outputs. Unlike existing languages that enable quantum aspects with a separate add-on (e.g., gates added to a classical language), we unify quantum and classical computing through novel compositional semantics based on Kraus operators. We present Qunity’s syntax, type system, and denotational semantics, showing how it can cleanly express several quantum algorithms. We also outline how Qunity could be compiled to OpenQasm, demonstrating the realizability of our design.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Evaluating Design Tradeoffs in Numeric Static Analysis for Java. Shiyi Wei, Piotr Mardziel, Andrew Ruef, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the European Symposium on Programming (ESOP), April 2018.

Numeric static analysis for Java has a broad range of potentially useful applications, including array bounds checking and resource usage estimation. However, designing a scalable numeric static analysis for real-world Java programs presents a multitude of design choices, each of which may interact with others. For example, an analysis could handle method calls via either a top-down or bottom-up interprocedural analysis. Moreover, this choice could interact with how we choose to represent aliasing in the heap and/or whether we use a relational numeric domain, e.g., convex polyhedra. In this paper, we present a family of abstract interpretation-based numeric static analyses for Java and systematically evaluate the impact of 162 analysis configurations on the DaCapo benchmark suite. Our experiment considered the precision and performance of the analyses for discharging array bounds checks. We found that top-down analysis is generally a better choice than bottom-up analysis, and that using access paths to describe heap objects is better than using summary objects corresponding to points-to analysis locations. Moreover, these two choices are the most significant, while choices about the numeric domain, representation of abstract objects, and context-sensitivity make much less difference to the precision/performance tradeoff.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Wys: A DSL for Verified Secure Multi-party Computations. Aseem Rastogi, Nikhil Swamy, and Michael Hicks. In Proceedings of the Symposium on Principles of Security and Trust (POST), April 2019.

Secure multi-party computation (MPC) enables a set of mutually distrusting parties to cooperatively compute, using a cryptographic protocol, a function over their private data. This paper presents Wys, a new domain-specific language (DSL) for writing MPCs. Wys is an embedded DSL hosted in F, a verification-oriented, effectful programming language. Wys source programs are essentially F programs written in a custom MPC effect, meaning that the programmers can use F’s logic to verify the correctness and security properties of their programs. To reason about the distributed runtime semantics of these programs, we formalize a deep embedding of Wys, also in F. We mechanize the necessary metatheory to prove that the properties verified for the Wys source programs carry over to the distributed, multi-party semantics. Finally, we use F’s extraction mechanism to extract an interpreter that we have proved matches this semantics, yielding a verified implementation. Wys is the first DSL to enable formal verification of source MPC programs, and also the first MPC DSL to provide a verified implementation. With Wys^* we have implemented several MPC protocols, including private set intersection, joint median, and an MPC-based card dealing application, and have verified their security and correctness.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

Fuzzing Configurations of Program Options. Zenong Zhang, George Klees, Eric Wang, Michael Hicks, and Shiyi Wei. In Proceedings of the International Fuzzing Workshop, April 2022.

While many real-world programs are shipped with configurations to enable/disable functionalities, fuzzers have mostly been applied to test single configurations of these programs. In this work, we first conduct an empirical study to understand how program configurations affect fuzzing performance. We find that limiting a campaign to a single configuration can result in failing to cover a significant amount of code. We also observe that different program configurations contribute differing amounts of code coverage, challenging the idea that each one can be efficiently fuzzed individually. Motivated by these two observations we propose ConfigFuzz, which can fuzz configurations along with normal inputs. ConfigFuzz transforms the target program to encode its program options within part of the fuzzable input, so existing fuzzers’ mutation operators can be reused to fuzz program configurations. We instantiate ConfigFuzz on 3 configurable, common fuzzing targets, and integrate their executions in FuzzBench. In our preliminary evaluation, ConfigFuzz nearly always outperforms the baseline fuzzing of a single configuration, and in one target also outperforms the fuzzing of a sequence of sampled configurations. However, we find that sometimes fuzzing a sequence of sampled configurations, with shared seeds, improves on ConfigFuzz. We propose hypotheses and plan to use data visualization to further understand the behavior of ConfigFuzz, and refine it, in the full evaluation.

Publication

Fri, 17 Oct 2025 07:37:49 -0400

FixReverter: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing. Zenong Zhang, Zach Patterson, Michael Hicks, and Shiyi Wei. In Proceedings of the USENIX Security Symposium (USENIX SEC), August 2022. Distinguished Paper.

Fuzz testing is an active area of research with proposed improvements published at a rapid pace. Such proposals are assessed empirically: Can they be shown to perform better than the status quo? Such an assessment requires a benchmark of target programs with well-identified, realistic bugs. To ease the construction of such a benchmark, this paper presents FixReverter, a tool that automatically injects realistic bugs in a program. FixReverter takes as input a bugfix pattern which contains both code syntax and semantic conditions. Any code site that matches the specified syntax is undone if the semantic conditions are satisfied, as checked by static analysis, thus (re)introducing a likely bug. This paper focuses on three bugfix patterns, which we call conditional-abort, conditional-execute, and conditional-assign, based on a study of fixes in a corpus of Common Vulnerabilities and Exposures (CVEs). Using FixReverter we have built RevBugBench, which consists of 10 programs into which we have injected nearly 8,000 bugs; the programs are taken from FuzzBench and Binutils, and represent common targets of fuzzing evaluations. We have integrated RevBugBench into the FuzzBench service, and used it to evaluate five fuzzers. Fuzzing performance varies by fuzzer and program, as desired/expected. Overall, 219 unique bugs were reported, 19% of which were detected by just one fuzzer.

Publication

Sat, 11 Oct 2025 16:11:40 -0400

Mike Hicks' Publications, by Category

Also see publications by year, on DBLP, and Google Scholar.

Security

The widespread sharing of information over the Internet has led to an explosive growth of useful services. The challenge is to provide information sharing while still ensuring integrity and confidentiality of data. I have looked at programming language-based techniques -- new analyses and programming languages -- for ensuring these properties.

Publication

Sat, 11 Oct 2025 16:11:40 -0400

Mike Hicks' Publications, by Year

Also see publications by category, on DBLP, and Google Scholar.

2025

[1]

Formally Verified Cloud-Scale Authorization. Aleks Chakarov, Jaco Geldenhuys, Matthew Heck, Michael Hicks, Sam Huang, Georges-Axel Jaloyan, Anjali Joshi, K. Rustan M. Leino, Mikael Mayer, Sean McLaughlin, Akhilesh Mritunjai, Clement Pit-Claudel, Sorawee Porncharoenwase, Marianna Rapoport, Cody Roux, Neha Rungta, Robin Salkeld, Matthias Schlaipfer, Daniel Schoepe, Johanna Schwartzentruber, Serdar Tasiran, Aaron Tomb, Jean-Baptiste Tristan, Emina Torlak, Lucas Wagner, Michael W. Whalen, Remy Willems, Tongtong Xiang, Tae Joon Byun, Joshua Cohen, Ruijie Fang, Junyoung Jang, Jakob Rath, Hira Taqdees Syeda, Dominik Wagner, and Yongwei Yuan. In Proceedings of the International Conference on Software Engineering (ICSE), April 2025. Distinguished Paper.

2024

[1]	How We Built Cedar: A Verification-Guided Approach. Craig Disselkoen, Aaron Eline, Shaobo He, Kyle Headley, Michael Hicks, Kesha Hietala, John Kastner, Anwar Mamat, Matt McCutchen, Neha Rungta, Bhakti Shah, Emina Torlak, and Andrew Wells. In Proceedings of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE), July 2024. Industry papers track.
[2]	Cedar: A New Language for Expressive, Fast, Safe, and Analyzable Authorization (Extended Version). Joseph W. Cutler, Craig Disselkoen, Aaron Eline, Shaobo He, Kyle Headley, Michael Hicks, Kesha Hietala, Eleftherios Ioannidis, John Kastner, Anwar Mamat, Darin McAdams, Matt McCutchen, Neha Rungta, Emina Torlak, and Andrew Wells. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), April 2024.
[3]	Improving the Stability of Type Safety Proofs in Dafny. Joseph W. Cutler, Michael Hicks, and Emina Torlak, January 2024. Dafny Workshop talk.

2023

[1]	A Verified Optimizer for Quantum Circuits. Kesha Hietala, Robert Rand, Liyi Li, Shih-Han Hung, Xiaodi Wu, and Michael Hicks. ACM Transactions on Programming Languages and Systems (TOPLAS), 45(3), September 2023. Extends POPL'21 paper.
[2]	A Formally Certified End-to-End Implementation of Shor's Factorization Algorithm. Yuxiang Peng, Kesha Hietala, Runzhou Tao, Liyi Li, Robert Rand, Michael Hicks, and Xiaodi Wu. Proceedings of the National Academy of Sciences, 120(21), May 2023. Preprint at https://arxiv.org/abs/2204.07112.
[3]	Fat Pointers for Temporal Memory Safety of C. Jie Zhou, John Criswell, and Michael Hicks. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), April 2023.
[4]	Automating NISQ Application Design with Meta Quantum Circuits with Constraints (MQCC). Haowei Deng, Yuxiang Peng, Michael Hicks, and Xiaodi Wu. ACM Transactions on Quantum Computing (TQC), 4(3), April 2023.
[5]	Fuzzing Configurations of Program Options. Zenong Zhang, George Klees, Eric Wang, Michael Hicks, and Shiyi Wei. ACM Transactions on Software Engineering and Methodology (TOSEM), 32(2), March 2023. A shorter version appeared at the 2022 Fuzzing Workshop.
[6]	Symphony: Expressive Secure Multiparty Computation with Coordination. Ian Sweet, David Darais, David Heath, Ryan Estes, Bill Harris, and Michael Hicks. <Programming>, 7(14), February 2023.
[7]	A Multimodal Study of Challenges Using Rust. Michael Coblenz, April Porter, Varun Das, Teja Nallagorla, and Michael Hicks. In Proceedings of the Workshop on the Evaluation and Usability of Programming Languages and Tools (PLATEAU), February 2023.
[8]	Qunity: A Unified Language for Quantum and Classical Computing. Finn Voichick, Liyi Li, Robert Rand, and Michael Hicks. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), January 2023.

2022

[1]	Verified Compilation of Quantum Oracles. Liyi Li, Finnegan Voichick, Kesha Hietala, Yuxiang Peng, Xiaodi Wu, and Michael Hicks. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), December 2022.
[2]	C to Checked C by 3C. Aravind Machiry, John Kastner, Matt McCutchen, Aaron Eline, Kyle Headley, and Michael Hicks. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), December 2022. Distinguished Paper.
[3]	Understanding the how and the why: Exploring secure development practices through a course competition. Kelsey R. Fulton, Daniel Votipka, Desiree Abrokwa, Michelle L. Mazurek, Michael Hicks, and James Parker. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), October 2022.
[4]	A Formal Model of Checked C. Liyi Li, Yiyun Liu, Deena L. Postol, Leonidas Lampropoulos, David Van Horn, and Michael Hicks. In Proceedings of the Computer Security Foundations Symposium (CSF), August 2022.
[5]	FixReverter: A Realistic Bug Injection Methodology for Benchmarking Fuzz Testing. Zenong Zhang, Zach Patterson, Michael Hicks, and Shiyi Wei. In Proceedings of the USENIX Security Symposium (USENIX SEC), August 2022. Distinguished Paper.
[6]	Does the Bronze Garbage Collector Make Rust Easier to Use? A Controlled Experiment. Michael Coblenz, Michelle Mazurek, and Michael Hicks. In Proceedings of the International Conference on Software Engineering (ICSE), May 2022. Distinguished Paper Award Nominee.
[7]	Fuzzing Configurations of Program Options. Zenong Zhang, George Klees, Eric Wang, Michael Hicks, and Shiyi Wei. In Proceedings of the International Fuzzing Workshop, April 2022.

2021

[1]	Benefits and Drawbacks of Adopting a Secure Programming Language: Rust as a Case Study. Kelsey Fulton, Anna Chan, Dan Votipka, Michael Hicks, and Michelle Mazurek. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS), August 2021.
[2]	Symphony: A Concise Language Model for MPC. Ian Sweet, David Darais, David Heath, Ryan Estes, William Harris, and Michael Hicks. In Informal Proceedings of the Workshop on Foundations on Computer Secuirty (FCS), June 2021.
[3]	Proving Quantum Programs Correct. Kesha Hietala, Robert Rand, Shih-Han Hung, Liyi Li, and Michael Hicks. In Proceedings of the Conference on Interative Theorem Proving (ITP), June 2021.
[4]	BullFrog: Online Schema Evolution via Lazy Evaluation. Souvik Bhattacherjee, Gang Liao, Michael Hicks, and Daniel J. Abadi. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), June 2021.
[5]	Toward A Quantum Programming Language for Higher-Level Formal Verification. Finn Voichick and Michael Hicks. In Informal Proceedings of the Workshop on Programming Languages and Quantum Computing (PLanQC), June 2021.
[6]	Applying and Expanding the VOQC Toolkit. Kesha Hietala, Liyi Li, Akshaj Gaur, Aaron Green, Robert Rand, Xiaodi Wu, and Michael Hicks. In Informal Proceedings of the Workshop on Programming Languages and Quantum Computing (PLanQC), June 2021.
[7]	A Verified Optimizer for Quantum Circuits. Kesha Hietala, Robert Rand, Shih-Han Hung, Xiaodi Wu, and Michael Hicks. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), January 2021. Distinguished Paper.

2020

[1]	Probabilistic Abstract Interpretation: Sound Inference and Application to Privacy. Jose Manuel Calderón Trilla, Michael Hicks, Stephen Magill, Piotr Mardziel, and Ian Sweet. In Gilles Barthe, Joost-Pieter Katoen, and Alexandra Silva, editors, Foundations of Probabilistic Programming, chapter 11, pages 361--389. Cambridge University Press, November 2020.
[2]	Short Paper: Probabilistically Almost-Oblivious Computation. Ian Sweet, David Darais, and Michael Hicks. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), November 2020.
[3]	Verifying Replicated Data Types with Typeclass Refinements in Liquid Haskell. Yiyun Liu, James Parker, Patrick Redmond, Lindsey Kuper, Michael Hicks, and Niki Vazou. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), October 2020.
[4]	Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It. Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle L. Mazurek, and Michael Hicks. In Proceedings of the USENIX Security Symposium (USENIX SEC), August 2020. Distinguished Paper.
[5]	Build It, Break It, Fix It: Contesting Secure Development. James Parker, Michael Hicks, Andrew Ruef, Michelle L. Mazurek, Dave Levin, Daniel Votipka, Piotr Mardziel, and Kelsey R. Fulton. ACM Transactions on Privacy and Security (TOPS), 23(2), April 2020.
[6]	Conferences in an Era of Expensive Carbon. Benjamin Pierce, Michael Hicks, Crista Lopes, and Jens Palsberg. Communications of the ACM, March 2020. Preprint at https://www.cs.umd.edu/~mwh/papers/co2acm.pdf.
[7]	A Language for Probabilistically Oblivious Computation. David Darais, Ian Sweet, Chang Liu, and Michael Hicks. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), January 2020.
[8]	Build It, Break It, Fix It Contests: Motivated Developers Still Make Security Mistakes. Daniel Votipka, Kelsey R. Fulton, James Parker, Matthew Hou, Michelle L. Mazurek, and Michael Hicks. ;login;, 45(4), winter 2020.

2019

[1]	Coverage Guided, Property Based Testing. Leonidas Lampropoulos, Michael Hicks, and Benjamin C. Pierce. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), October 2019.
[2]	Verified Optimization in a Quantum Intermediate Representation. Kesha Hietala, Robert Rand, Shih-Han Hung, Xiaodi Wu, and Michael Hicks, June 2019. Extended abstract appeared at QPL 2019.
[3]	Formal Verification vs. Quantum Uncertainty. Robert Rand, Kesha Hietala, and Michael Hicks. In Benjamin S. Lerner, Rastislav Bodík, and Shriram Krishnamurthi, editors, 3rd Summit on Advances in Programming Languages (SNAPL 2019), volume 136 of Leibniz International Proceedings in Informatics (LIPIcs), pages 12:1--12:11, Dagstuhl, Germany, May 2019. Schloss Dagstuhl--Leibniz-Zentrum fuer Informatik.
[4]	MVEDSUa: Higher Availability Dynamic Software Updates via Multi-Version Execution. Luis Pina, Anastasios Andronidis, Michael Hicks, and Cristian Cadar. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), April 2019.
[5]	Achieving Safety Incrementally with Checked C. Andrew Ruef, Leonidas Lampropoulos, Ian Sweet, David Tarditi, and Michael Hicks. In Proceedings of the Symposium on Principles of Security and Trust (POST), April 2019.
[6]	*Wys^: A DSL for Verified Secure Multi-party Computations*. Aseem Rastogi, Nikhil Swamy, and Michael Hicks. In Proceedings of the Symposium on Principles of Security and Trust (POST)*, April 2019.
[7]	LWeb: Information Flow Security for Multi-Tier Web Applications. James Parker, Niki Vazou, and Michael Hicks. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), January 2019.
[8]	Quantitative Robustness Analysis of Quantum Programs. Shih-Han Hung, Kesha Hietala, Shaopeng Zhu, Mingsheng Ying, Michael Hicks, and Xiaodi Wu. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), January 2019.

Technical Reports

[1]	A Language for Probabilistically Oblivious Computation. David Darais, Ian Sweet, Chang Liu, and Michael Hicks. Technical Report abs/1711.09305, CoRR, July 2019.

2018

[1]	Evaluating Fuzz Testing. George T. Klees, Andrew Ruef, Benjamin Cooper, Shiyi Wei, and Michael Hicks. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), October 2018. Winner of the 7th NSA Best Scientific Cybersecurity Paper competition.
[2]	Checked C: Making C Safe by Extension. Archibald Samuel Elliott, Andrew Ruef, Michael Hicks, and David Tarditi. In Proceedings of the IEEE Conference on Secure Development (SecDev), September 2018.
[3]	Evaluating Design Tradeoffs in Numeric Static Analysis for Java. Shiyi Wei, Piotr Mardziel, Andrew Ruef, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the European Symposium on Programming (ESOP), April 2018.
[4]	What's the Over/Under? Probabilistic Bounds on Information Leakage. Ian Sweet, José Manuel Calderón Trilla, Chad Scherrer, Michael Hicks, and Stephen Magill. In Proceedings of the Symposium on Principles of Security and Trust (POST), April 2018.

2017

[1]	Languages for Oblivious Computation. Michael Hicks. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), October 2017.
[2]	A Counterexample-guided Approach to Finding Numerical Invariants. ThanhVu Nguyen, Timos Antopoulos, Andrew Ruef, and Michael Hicks. In Proceedings of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE), September 2017.
[3]	Decomposition Instead of Self-Composition for Proving the Absence of Timing Channels. Timos Antonopoulos, Paul Gazzillo, Michael Hicks, Eric Koskinen, Tachio Terauchi, and Shiyi Wei. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), June 2017.
[4]	Quantifying vulnerability of secret generation using hyper-distributions. Mário S. Alvim, Piotr Mardziel, and Michael Hicks. In Proceedings of the Symposium on Principles of Security and Trust (POST), April 2017. Extended version of short paper that appeared at FCS 2016: http://www.cs.umd.edu/~mwh/papers/stratquant.pdf.

Technical Reports

[1]	*Wys^: A Verified Language Extension for Secure Multi-Party Computations**. Aseem Rastogi, Nikhil Swamy, and Michael Hicks. Technical Report abs/1711.06467, CoRR, November 2017.

2016

[1]	Evolving NoSQL Databases Without Downtime. Karla Saur, Tudor Dumitraş, and Michael Hicks. In Proceedings of the International Conference on Software Maintenance and Evolution (ICSME), October 2016.
[2]	Build It, Break It, Fix It: Contesting Secure Development. Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Michelle L. Mazurek, and Piotr Mardziel. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), October 2016.
[3]	Tedsuto: A General Framework for Testing Dynamic Software Updates. Luis Pina and Michael Hicks. In Proceedings of the International Conference on Software Testing (ICST), April 2016.
[4]	Safe and Flexible Controller Upgrades for SDNs. Karla Saur, Joseph Collard, Nate Foster, Arjun Guha, Laurent Vanbever, and Michael Hicks. In Proceedings of the Symposium on SDN Research (SOSR), March 2016.

2015

[1]	Incremental Computation with Names. Matthew Hammer, Kyle Headley, Nicholas Labich, Jeffrey S. Foster, Michael Hicks, David Van Horn, and Jana Dunfield. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), October 2015.
[2]	Build It Break It: Measuring and Comparing Development Security. Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Atif Memon, Jandelyn Plane, and Piotr Mardziel. In Proceedings of the USENIX Workshop on Cyber Security Instrumentation and Test (CSET), August 2015.
[3]	C-Strider: Type-Aware Heap Traversal for C. Karla Saur, Michael Hicks, and Jeffrey S. Foster. Software, Practice, and Experience, May 2015.
[4]	GhostRider: A Hardware-Software System for Memory Trace Oblivious Computation. Chang Liu, Austin Harris, Martin Maas, Michael Hicks, Mohit Tiwari, and Elaine Shi. In Proceedings of the International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), March 2015. Winner of Best Paper Award.
[5]	The Synergy Between Programming Languages and Cryptography (Dagstuhl Seminar 14492). Gilles Barthe, Michael Hicks, Florian Kerschbaum, and Dominique Unruh. Dagstuhl Reports, 4(12):29--47, 2015.
[6]	Build it, break it, fix it: Competing to build secure systems. Andrew Ruef and Michael Hicks. The Next Wave, 21(1):19--23, 2015.

2014

[1]	Efficient, General-purpose Dynamic Software Updating for C. Christopher M. Hayden, Karla Saur, Edward K. Smith, Michael Hicks, and Jeffrey S. Foster. ACM Transactions on Programming Languages and Systems (TOPLAS), 36(4):13, October 2014.
[2]	Rubah: DSU for Java on a stock JVM. Luís Pina, Luís Veiga, and Michael Hicks. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), October 2014.
[3]	Adversary Gain vs. Defender Loss in Quantified Information Flow. Piotr Mardziel, Mário S. Alvim, and Michael Hicks. In (Unofficial) Proceedings of the International Workshop on Foundations of Computer Security (FCS), July 2014.
[4]	Adapton: Composable, Demand-Driven Incremental Computation. Matthew Hammer, Yit Phang Khoo, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), June 2014.
[5]	Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations. Aseem Rastogi, Matthew A. Hammer, and Michael Hicks. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland), May 2014.
[6]	Quantifying Information Flow for Dynamic Secrets. Piotr Mardziel, Mario Alvim, Michael Hicks, and Michael Clarkson. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland), May 2014.
[7]	Automating Efficient RAM-Model Secure Computation. Chang Liu, Yan Huang, Elaine Shi, Jonathan Katz, and Michael Hicks. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland), May 2014.
[8]	Polymonadic Programming. Michael Hicks, Gavin Bierman, Nataliya Guts, Daan Leijen, and Nikhil Swamy. In Proceedings of the Fifth Workshop on Mathematically Structured Functional Programming (MSFP), April 2014.
[9]	Authenticated Data Structures, Generically. Andrew Miller, Michael Hicks, Jonathan Katz, and Elaine Shi. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), January 2014.

Technical Reports

[1]	Wysteria: A Programming Language for Generic, Mixed-Mode Multiparty Computations (extended version). Aseem Rastogi, Matthew A. Hammer, and Michael Hicks. Technical Report CS-TR-5034, Department of Computer Science, the University of Maryland, College Park, May 2014.
[2]	Quantifying Information Flow for Dynamic Secrets (extended version). Piotr Mardziel, Mario Alvim, Michael Hicks, and Michael Clarkson. Technical Report CS-TR-5035, Department of Computer Science, the University of Maryland, College Park, May 2014.

2013

[1]	Expositor: Scriptable Time-Travel Debugging with First Class Traces (Full version). Yit Phang Khoo, Jeffrey S. Foster, and Michael Hicks, December 2013. Extended version of ICSE'13 paper.
[2]	Dynamic Enforcement of Knowledge-based Security Policies using Probabilistic Abstract Interpretation. Piotr Mardziel, Stephen Magill, Michael Hicks, and Mudhakar Srivatsa. Journal of Computer Security, 21:463--532, October 2013.
[3]	Knowledge inference for optimizing and enforcing secure computations. Piotr Mardziel, Michael Hicks, Jonathan Katz, Matthew Hammer, Aseem Rastogi, and Mudhakar Srivatsa. In Proceedings of the Annual Meeting of the US/UK International Technology Alliance, September 2013. This short paper consists of coherent excerpts from several prior papers.
[4]	Knowledge Inference for Optimizing Secure Multi-party Computation. Aseem Rastogi, Piotr Mardziel, Matthew Hammer, and Michael Hicks. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), June 2013.
[5]	Memory Trace Oblivious Program Execution. Chang Liu, Michael Hicks, and Elaine Shi. In Proceedings of the Computer Security Foundations Symposium (CSF), June 2013. Winner of the 2nd NSA Best Scientific Cybersecurity Paper competition.
[6]	Rubah: Efficient, General-purpose Dynamic Software Updating for Java. Luis Pina and Michael Hicks. In Proceedings of the Workshop on Hot Topics in Software Upgrades (HotSWUp), June 2013.
[7]	Expositor: Scriptable Time-Travel Debugging with First Class Traces. Yit Phang Khoo, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the International Conference on Software Engineering (ICSE), May 2013.

Technical Reports

[1]	Adapton: Composable, Demand-Driven Incremental Computation. Matthew Hammer, Yit Phang Khoo, Michael Hicks, and Jeffrey S. Foster. Technical Report CS-TR-5027, Department of Computer Science, the University of Maryland, College Park, July 2013.
[2]	Expositor: Scriptable Time-Travel Debugging with First-Class Traces. Yit Phang Khoo, Jeffrey S. Foster, and Michael Hicks. Technical Report CS-TR-5021, Department of Computer Science, University of Maryland, College Park, February 2013.

2012

[1]	Evaluating Dynamic Software Update Safety Using Efficient Systematic Testing. Christopher M. Hayden, Edward K. Smith, Eric A. Hardisty, Michael Hicks, and Jeffrey S. Foster. IEEE Transactions on Software Engineering, 38(6):1340--1354, December 2012. Accepted September 2011.
[2]	Automating Object Transformations for Dynamic Software Updating. Stephen Magill, Michael Hicks, Suriya Subramanian, and Kathryn S. McKinley. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), October 2012.
[3]	Kitsune: Efficient, General-purpose Dynamic Software Updating for C. Christopher M. Hayden, Edward K. Smith, Michail Denchev, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), October 2012.
[4]	Deanonymizing Mobility Traces: Using a Social Network as a Side-Channel. Mudhakar Srivatsa and Michael Hicks. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), October 2012.
[5]	Towards Standardized Benchmarks for Dynamic Software Updating Systems. Edward K. Smith, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the Workshop on Hot Topics in Software Upgrades (HotSWUp), pages 11--15, June 2012.
[6]	A Study of Dynamic Software Update Quiescence for Multithreaded Programs. Christopher M. Hayden, Karla Saur, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the Workshop on Hot Topics in Software Upgrades (HotSWUp), pages 6--10, June 2012.
[7]	Knowledge-Oriented Secure Multiparty Computation. Piotr Mardziel, Michael Hicks, Jonathan Katz, and Mudhakar Srivatsa. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), June 2012.
[8]	POPL'12 Program Chair's Report (or, how to run a medium-sized conference). Michael Hicks. SIGPLAN Notices, 47(4), April 2012.
[9]	Specifying and Verifying the Correctness of Dynamic Software Updates. Christopher M. Hayden, Stephen Magill, Michael Hicks, Nate Foster, and Jeffrey S. Foster. In Proceedings of the International Conference on Verified Software: Theories, Tools, and Experiments (VSTTE), pages 278--293, January 2012.

Technical Reports

[1]	Polymonads. Nataliya Guts, Michael Hicks, Nikhil Swamy, Daan Leijen, and Gavin Bierman. Technical Report XXX, University of Maryland Department of Computer Science, July 2012. Extended version of POPL'13 submission.

2011

[1]	Lightweight Monadic Programming in ML. Nikhil Swamy, Nataliya Guts, Daan Leijen, and Michael Hicks. In Proceedings of the ACM International Conference on Functional Programming (ICFP), pages 15--27, September 2011.
[2]	Directed Symbolic Execution. Kin-Keung Ma, Yit Phang Khoo, Jeffrey S. Foster, and Michael Hicks. In Eran Yahav, editor, Proceedings of the Static Analysis Symposium (SAS), volume 6887 of Lecture Notes in Computer Science, pages 95--111. Springer, September 2011.
[3]	A demo of Coco: a compiler for monadic coercions in ML. Nataliya Guts, Michael Hicks, Nikhil Swamy, and Daan Leijen. In Informal proceedings of the ML Workshop, September 2011.
[4]	Dynamic Enforcement of Knowledge-based Security Policies. Piotr Mardziel, Stephen Magill, Michael Hicks, and Mudhakar Srivatsa. In Proceedings of the Computer Security Foundations Symposium (CSF), pages 114--128, June 2011.
[5]	State Transfer for Clear and Efficient Runtime Upgrades. Christopher M. Hayden, Edward K. Smith, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the Workshop on Hot Topics in Software Upgrades (HotSWUp), pages 179--184, April 2011.
[6]	Locksmith: Practical Static Race Detection for C. Polyvios Pratikakis, Jeffrey S. Foster, and Michael Hicks. ACM Transactions on Programming Languages and Systems (TOPLAS), 33(1):Article 3, January 2011.
[7]	Dynamic Inference of Static Types for Ruby. Jong hoon (David) An, Avik Chaudhuri, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), pages 459--472, January 2011.
[8]	Position Paper: Dynamically Inferred Types for Dynamic Languages. Jong hoon (David) An, Avik Chaudhuri, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the Workshop on Scripts to Programs (STOP), January 2011.

Technical Reports

[1]	Specifying and Verifying the Correctness of Dynamic Software Updates. Christopher M. Hayden, Stephen Magill, Michael Hicks, Nate Foster, and Jeffrey S. Foster. Technical Report CS-TR-4997, University of Maryland Department of Computer Science, November 2011. Extended version of VSTTE'12 paper with proofs of theorems and additional discussion.
[2]	Evaluating Dynamic Software Update Safety Using Efficient Systematic Testing. Christopher M. Hayden, Edward K. Smith, Eric A. Hardisty, Michael Hicks, and Jeffrey S. Foster. Technical Report CS-TR-4993, University of Maryland, Department of Computer Science, September 2011.
[3]	MultiOtter: Multiprocess Symbolic Execution. Jonathan Turpie, Elnatan Reisner, Jeffrey S. Foster, and Michael Hicks. Technical Report CS-TR-4982, University of Maryland Department of Computer Science, August 2011.
[4]	Dynamic Enforcement of Knowledge-based Security Policies. Piotr Mardziel, Stephen Magill, Michael Hicks, and Mudhakar Srivatsa. Technical Report CS-TR-4978, University of Maryland Department of Computer Science, July 2011. Extended version with proofs and additional benchmarks.
[5]	Lightweight Monadic Programming in ML. Nikhil Swamy, Nataliya Guts, Daan Leijen, and Michael Hicks. Technical Report MSR-TR-2011-039, Microsoft Research, May 2011.
[6]	Directed Symbolic Execution. Kin-Keung Ma, Yit Phang Khoo, Jeffrey S. Foster, and Michael Hicks. Technical Report CS-TR-4979, University of Maryland Department of Computer Science, April 2011. Extended version contains refinements and further experimental analysis.

2010

[1]	Score: Agile Research Group Management. Michael Hicks and Jeffrey S. Foster. Communications of the ACM, 53(10):30--31, October 2010.
[2]	Secure sharing in distributed information management applications: problems and directions. Piotr Mardziel, Adam Bender, Michael Hicks, Dave Levin, Mudhakar Srivatsa, and Jonathan Katz. In Proceedings of the Annual Conference of the International Technology Alliance (ACITA), September 2010.
[3]	Serializing C intermediate representations for efficient and portable parsing. Jeffrey A. Meister, Jeffrey S. Foster, and Michael Hicks. Software, Practice, and Experience, 40(3):225--238, February 2010.
[4]	Dynamically Checking Ownership Policies in Concurrent C/C++ Programs. Jean-Philippe Martin, Michael Hicks, Manuel Costa, Periklis Akritidis, and Miguel Castro. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), pages 457--470, January 2010. Full version.

Technical Reports

[1]	Adapting Scrum to Managing a Research Group. Michael Hicks and Jeffrey S. Foster. Technical Report CS-TR-4966, University of Maryland, Department of Computer Science, September 2010.
[2]	Dynamic Inference of Static Types for Ruby. Jong hoon (David) An, Avik Chaudhuri, Jeffrey S. Foster, and Michael Hicks. Technical Report CS-TR-4965, University of Maryland Department of Computer Science, July 2010. Extended version contains proofs of theorems.

2009

[1]	Directing JavaScript with Arrows. Yit Phang Khoo, Michael Hicks, Jeffrey S. Foster, and Vibha Sazawal. In Proceedings of the ACM SIGPLAN Dynamic Languages Symposium (DLS), pages 49--58, October 2009.
[2]	The Ruby Intermediate Language. Michael Furr, Jong hoon (David) An, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the ACM SIGPLAN Dynamic Languages Symposium (DLS), pages 89--98, October 2009.
[3]	Triaging Checklists: a Substitute for a PhD in Static Analysis. Yit Phang Khoo, Jeffrey S. Foster, Michael Hicks, and Vibha Sazawal. In Proceedings of the Workshop on the Evaluation and Usability of Programming Languages and Tools (PLATEAU), October 2009.
[4]	Efficient Systematic Testing for Dynamically Updatable Software. Christopher M. Hayden, Eric A. Hardisty, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the Workshop on Hot Topics in Software Upgrades (HotSWUp), October 2009. Invited article.
[5]	Passive Aggressive Measurement with MGRP. Pavlos Papageorge, Justin McCann, and Michael Hicks. In Proceedings of the ACM SIGCOMM Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM), pages 279--290, August 2009.
[6]	A Theory of Typed Coercions and its Applications. Nikhil Swamy, Michael Hicks, and Gavin S. Bierman. In Proceedings of the ACM International Conference on Functional Programming (ICFP), pages 329--340, August 2009.
[7]	Tests to the Left of Me, Types to the Right: How Not to Get Stuck in the Middle of a Ruby Execution (A Demo of Diamondback Ruby). Michael Furr, Jong hoon (David) An, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the Workshop on Scripts to Programs (STOP), July 2009.
[8]	Cross-tier, Label-based Security Enforcement for Web Applications. Brian J. Corcoran, Nikhil Swamy, and Michael Hicks. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD), pages 269--282, June 2009.
[9]	Dynamic Software Updates: A VM-Centric Approach. Suriya Subramanian, Michael Hicks, and Kathryn S. McKinley. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), pages 1--12, June 2009.
[10]	Safe and Timely Dynamic Updates for Multi-threaded Programs. Iulian Neamtiu and Michael Hicks. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), pages 13--24, June 2009.
[11]	Static Type Inference for Ruby. Michael Furr, Jong hoon (David) An, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the ACM Symposium on Applied Computing, Object-oriented Programming Languages and Systems Track (OOPS), pages 1859--1866, March 2009.

Technical Reports

[1]	A Testing Based Empirical Study of Dynamic Software Update Safety Restrictions. Christopher M. Hayden, Eric A. Hardisty, Michael Hicks, and Jeffrey S. Foster. Technical Report CS-TR-4949, University of Maryland, Department of Computer Science, November 2009.

2008

[1]	Implicit Flows: Can't live with 'em, can't live without 'em. Dave King, Boniface Hicks, Michael Hicks, and Trent Jaeger. In R. Sekar and Arun K. Pujari, editors, Proceedings of the International Conference on Information Systems Security (ICISS), volume 5352 of Lecture Notes in Computer Science, pages 56--70. Springer, December 2008.
[2]	Path Projection for User-Centered Static Analysis Tools. Yit Phang Khoo, Jeffrey S. Foster, Michael Hicks, and Vibha Sazawal. In Proceedings of the ACM Workshop on Program Analysis for Software Tools and Engineering (PASTE), pages 57--63, November 2008.
[3]	Directing JavaScript with Arrows (poster summary). Yit Phang Khoo, Michael Hicks, Jeffrey S. Foster, and Vibha Sazawal. In Poster Proceedings of the ACM International Conference on Functional Programming (ICFP), September 2008.
[4]	Formalizing Soundness of Contextual Effects. Polyvios Pratikakis, Jeffrey S. Foster, Michael Hicks, and Iulian Neamtiu. In Otmane Aït Mohamed, César Mun̄oz, and Sofiène Tahar, editors, Proceedings of the International Conference on Theorem Proving in Higher Order Logics (TPHOLs), volume 5170 of Lecture Notes in Computer Science, pages 262--277. Springer, August 2008.
[5]	Dynamic Rebinding for Marshalling and Update, via Redex-time and Destruct-time Reduction. Peter Sewell, Gareth Stoyle, Michael Hicks, Gavin Bierman, and Keith Wansbrough. Journal of Functional Programming (JFP), 18(4):437--502, July 2008. Appeared on-line October, 2007. Supercedes ICFP 2003 and USE 2003 papers.
[6]	Verified Enforcement of Stateful Information Release Policies. Nikhil Swamy and Michael Hicks. In Proceedings of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), pages 21--32, June 2008.
[7]	Modular Information Hiding and Type Safe Linking for C. Saurabh Srivastava, Michael Hicks, Jeffrey S. Foster, and Patrick Jenkins. IEEE Transactions on Software Engineering, 34(3):1--20, May 2008. Full version of TLDI 07 paper.
[8]	Fable: A Language for Enforcing User-defined Security Policies. Nikhil Swamy, Brian Corcoran, and Michael Hicks. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland), pages 369--383, May 2008.
[9]	Contextual Effects for Version-Consistent Dynamic Software Updating and Safe Concurrent Programming. Iulian Neamtiu, Michael Hicks, Jeffrey S. Foster, and Polyvios Pratikakis. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), pages 37--50, January 2008.

Technical Reports

[1]	Path Projection for User-Centered Static Analysis Tools (long version). Yit Phang Khoo, Jeffrey S. Foster, Michael Hicks, and Vibha Sazawal. Technical Report CS-TR-4919, University of Maryland, Department of Computer Science, August 2008.
[2]	Directing JavaScript with Arrows (Functional Pearl). Yit Phang Khoo, Michael Hicks, Jeffrey S. Foster, and Vibha Sazawal. Technical Report CS-TR-4923, University of Maryland, Department of Computer Science, August 2008. Extended version of ICFP 2008 poster.
[3]	Verified Enforcement of Automaton-based Information Release Policies. Nikhil Swamy and Michael Hicks. Technical Report CS-TR-4906, University of Maryland, Department of Computer Science, 2008. Full version of PLAS 08 paper.

2007

[1]	Combining Provenance and Security Policies in a Web-based Document Management System. Brian Corcoran, Nikhil Swamy, and Michael Hicks. In On-line Proceedings of the Workshop on Principles of Provenance (PrOPr), November 2007. http://homepages.inf.ed.ac.uk/jcheney/propr/.
[2]	Automated Detection of Persistent Kernel Control-Flow Attacks. Nick L. Petroni, Jr. and Michael Hicks. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), pages 103--115, October 2007.
[3]	Verified Enforcement of Security Policies for Cross-Domain Information Flows. Nikhil Swamy, Michael Hicks, and Simon Tsang. In Proceedings of the 2007 Military Communications Conference (MILCOM), October 2007.
[4]	Mutatis Mutandis: Safe and Flexible Dynamic Software Updating (full version). Gareth Stoyle, Michael Hicks, Gavin Bierman, Peter Sewell, and Iulian Neamtiu. ACM Transactions on Programming Languages and Systems (TOPLAS), 29(4), August 2007. Full version of POPL 05 paper.
[5]	Improving Software Quality with Static Analysis. Jeffrey S. Foster, Michael W. Hicks, and William Pugh. In Proceedings of the ACM Workshop on Program Analysis for Software Tools and Engineering (PASTE), pages 83--84, June 2007.
[6]	Defeating Scripting Attacks with Browser-Enforced Embedded Policies. Trevor Jim, Nikhil Swamy, and Michael Hicks. In Proceedings of the International World Wide Web Conference (WWW), pages 601--610, May 2007.
[7]	Modular Information Hiding and Type Safety for C. Saurabh Srivastava, Michael Hicks, and Jeffrey S. Foster. In Proceedings of the ACM Workshop on Types in Language Design and Implementation (TLDI), pages 3--14, January 2007.

Technical Reports

[1]	Fable: A Language for Enforcing User-defined Security Policies. Nikhil Swamy, Brian J. Corcoran, and Michael Hicks. Technical Report CS-TR-4895, University of Maryland, Department of Computer Science, November 2007. Full version of Oakland 08 paper.
[2]	Automated Detection of Persistent Kernel Control-Flow Attacks. Nick L. Petroni, Jr. and Michael Hicks. Technical Report CS-TR-4880, Department of Computer Science, University of Maryland, October 2007. Extends the CCS 2007 paper with more thorough performance results.
[3]	Contextual Effects for Version-Consistent Dynamic Software Updating and Safe Concurrent Programming (extended version). Iulian Neamtiu, Michael Hicks, Jeffrey S. Foster, and Polyvios Pratikakis. Technical Report CS-TR-4875, University of Maryland, Department of Computer Science, July 2007.
[4]	Appendix to CMod: Modular Information Hiding and Type-Safe Linking for C. Saurabh Srivastava, Michael Hicks, and Jeffrey S. Foster. Technical Report CS-TR-4874, Department of Computer Science, University of Maryland, June 2007.
[5]	Toward Specifying and Validating Cross-Domain Policies. Michael Hicks, Nikhil Swamy, and Simon Tsang. Technical Report CS-TR-4870, Department of Computer Science, University of Maryland, April 2007.

2006

[1]	Safe Manual Memory Management in Cyclone. Nikhil Swamy, Michael Hicks, Greg Morrisett, Dan Grossman, and Trevor Jim. Science of Computer Programming (SCP), 62(2):122--144, October 2006. Special issue on memory management. Expands ISMM conference paper of the same name.
[2]	Existential Label Flow Inference via CFL Reachability. Polyvios Pratikakis, Jeffrey S. Foster, and Michael Hicks. In Kwangkeun Yi, editor, Proceedings of the Static Analysis Symposium (SAS), volume 4134 of Lecture Notes in Computer Science, pages 88--106. Springer-Verlag, August 2006.
[3]	Managing Policy Updates in Security-Typed Languages. Nikhil Swamy, Michael Hicks, Stephen Tse, and Steve Zdancewic. In Proceedings of the Computer Security Foundations Workshop (CSFW), pages 202--216, July 2006.
[4]	Practical Dynamic Software Updating for C. Iulian Neamtiu, Michael Hicks, Gareth Stoyle, and Manuel Oriol. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), pages 72--83, June 2006.
[5]	Context-sensitive Correlation Analysis for Detecting Races. Polyvios Pratikakis, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), pages 320--331, June 2006.
[6]	Inferring Locking for Atomic Sections. Michael Hicks, Jeffrey S. Foster, and Polyvios Pratikakis. In On-line Proceedings of the ACM SIGPLAN Workshop on Languages, Compilers, and Hardware Support for Transactional Computing (TRANSACT), June 2006. http://www.cs.purdue.edu/homes/jv/events/TRANSACT/transact-06.tgz. Publication Sat, 11 Oct 2025 16:07:06 -0400 The SwitchWare Active Network Architecture. D. Scott Alexander, William A. Arbaugh, Michael Hicks, Pankaj Kakkar, Angelos Keromytis, Jonathan T. Moore, Carl A. Gunter, Scott M. Nettles, and Jonathan M. Smith. IEEE Network Magazine, 12(3):29–36, 1998. Special issue on Active and Controllable Networks. [ .ps ] @article{AlexanderAHKKMGNS98, author = {D. Scott Alexander and William A. Arbaugh and Michael Hicks and Pankaj Kakkar and Angelos Keromytis and Jonathan T. Moore and Carl A. Gunter and Scott M. Nettles and Jonathan M. Smith}, title = {The {SwitchWare} Active Network Architecture}, journal = {{IEEE Network Magazine}}, volume = 12, number = 3, year = 1998, pages = {29-36}, note = {{Special issue on Active and Controllable Networks}} } Publication Sat, 11 Oct 2025 16:07:06 -0400 The SwitchWare Active Network Implementation. D. Scott Alexander, Michael W. Hicks, Pankaj Kakkar, Angelos D. Keromytis, Marianne Shaw, Jonathan T. Moore, Carl A. Gunter, Trevor Jim, Scott M. Nettles, and Jonathan M. Smith. In Notes of the ACM SIGPLAN Workshop on ML, pages 67–76, September 1998. [ .ps ] @inproceedings{AlexanderHKKSMGJNS98, author = {D. Scott Alexander and Michael W. Hicks and Pankaj Kakkar and Angelos D. Keromytis and Marianne Shaw and Jonathan T. Moore and Carl A. Gunter and Trevor Jim and Scott M. Nettles and Jonathan M. Smith}, title = {{The SwitchWare Active Network Implementation}}, booktitle = {Notes of the {ACM} {SIGPLAN} Workshop on {ML}}, month = {September}, year = 1998, pages = {67–76} } Publication Sat, 11 Oct 2025 16:07:06 -0400 Quantifying vulnerability of secret generation using hyper-distributions. Mário S. Alvim, Piotr Mardziel, and Michael Hicks. In Proceedings of the Symposium on Principles of Security and Trust (POST), April 2017. Extended version of short paper that appeared at FCS 2016: http://www.cs.umd.edu/~mwh/papers/stratquant.pdf. Traditional approaches to Quantitative Information Flow (QIF) represent the adversary’s prior knowledge of possible secret values as a single probability distribution. This representation may miss important structure. For instance, representing prior knowledge about passwords of a system’s users in this way overlooks the fact that many users generate passwords using some strategy. Knowledge of such strategies can help the adversary in guessing a secret, so ignoring them may underestimate the secret’s vulnerability. In this paper we explicitly model strategies as distributions on secrets, and generalize the representation of the adversary’s prior knowledge from a distribution on secrets to an environment, which is a distribution on strategies (and, thus, a distribution on distributions on secrets, called a hyper-distribution). By applying information-theoretic techniques to environments we derive several meaningful generalizations of the traditional approach to QIF. In particular, we disentangle the vulnerability of a secret from the vulnerability of the strategies that generate secrets, and thereby distinguish security by aggregation—which relies on the uncertainty over strategies—from security by strategy—which relies on the intrinsic uncertainty within a strategy. We also demonstrate that, in a precise way, no further generalization of prior knowledge (e.g., by using distributions of even higher order) is needed to soundly quantify the vulnerability of the secret. Publication Sat, 11 Oct 2025 16:07:06 -0400 Dynamic Inference of Static Types for Ruby. Jong hoon (David) An, Avik Chaudhuri, Jeffrey S. Foster, and Michael Hicks. Technical Report CS-TR-4965, University of Maryland Department of Computer Science, July 2010. Extended version contains proofs of theorems. There have been several efforts to bring static type inference to object-oriented dynamic languages such as Ruby, Python, and Perl. In our experience, however, such type inference systems are extremely difficult to develop, because dynamic languages are typically complex, poorly specified, and include features, such as `eval` and reflection, that are hard to analyze. In this paper, we introduce constraint-based dynamic type inference, a technique that infers static types based on dynamic program executions. In our approach, we wrap each run-time value to associate it with a type variable, and the wrapper generates constraints on this type variable when the wrapped value is used. This technique avoids many of the often overly conservative approximations of static tools, as constraints are generated based on how values are used during actual program runs. Using wrappers is also easy to implement, since we need only write a constraint resolution algorithm and a transformation to introduce the wrappers. The best part is that we can eat our cake, too: our algorithm will infer sound types as long as it observes every path through each method body—note that the number of such paths may be dramatically smaller than the number of paths through the program as a whole. We have developed Rubydust, an implementation of our algorithm for Ruby. Rubydust takes advantage of Ruby’s dynamic features to implement wrappers as a language library. We applied Rubydust to a number of small programs. We found it to be lightweight and useful: Rubydust discovered 1 real type error, and all other inferred types were correct, and readable. Publication Sat, 11 Oct 2025 16:07:06 -0400 Position Paper: Dynamically Inferred Types for Dynamic Languages. Jong hoon (David) An, Avik Chaudhuri, Jeffrey S. Foster, and Michael Hicks. In Proceedings of the Workshop on Scripts to Programs (STOP), January 2011. Capsule summary of results and future directions of dynamic type inference, as proposed in our POPL 2011 paper. @inproceedings{an2011position, title = {Position Paper: Dynamically Inferred Types for Dynamic Languages}, author = {Jong-hoon (David) An and Avik Chaudhuri and Jeffrey S. Foster and Michael Hicks}, booktitle = {Proceedings of the Workshop on Scripts to Programs (STOP)}, month = jan, year = 2011 } This file was generated by bibtex2html 1.99. Publication Sat, 11 Oct 2025 16:07:06 -0400 The Synergy Between Programming Languages and Cryptography (Dagstuhl Seminar 14492). Gilles Barthe, Michael Hicks, Florian Kerschbaum, and Dominique Unruh. Dagstuhl Reports, 4(12):29–47, 2015. Increasingly, modern cryptography (crypto) has moved beyond the problem of secure communication to a broader consideration of securing computation. The past thirty years have seen a steady progression of both theoretical and practical advances in designing cryptographic protocols for problems such as secure multiparty computation, searching and computing on encrypted data, verifiable storage and computation, statistical data privacy, and more. More recently, the programming-languages (PL) community has begun to tackle the same set of problems, but from a different perspective, focusing on issues such as language design (e.g., new features or type systems), formal methods (e.g., model checking, deductive verification, static and dynamic analysis), compiler optimizations, and analyses of side-channel attacks and information leakage. This seminar helped to cross-fertilize ideas between the PL and crypto communities, exploiting the synergies for advancing the development of secure computing, broadly speaking, and fostering new research directions in and across both communities. Publication Sat, 11 Oct 2025 16:07:06 -0400 Formally Verified Cloud-Scale Authorization. Aleks Chakarov, Jaco Geldenhuys, Matthew Heck, Michael Hicks, Sam Huang, Georges-Axel Jaloyan, Anjali Joshi, K. Rustan M. Leino, Mikael Mayer, Sean McLaughlin, Akhilesh Mritunjai, Clement Pit-Claudel, Sorawee Porncharoenwase, Marianna Rapoport, Cody Roux, Neha Rungta, Robin Salkeld, Matthias Schlaipfer, Daniel Schoepe, Johanna Schwartzentruber, Serdar Tasiran, Aaron Tomb, Jean-Baptiste Tristan, Emina Torlak, Lucas Wagner, Michael W. Whalen, Remy Willems, Tongtong Xiang, Tae Joon Byun, Joshua Cohen, Ruijie Fang, Junyoung Jang, Jakob Rath, Hira Taqdees Syeda, Dominik Wagner, and Yongwei Yuan. In Proceedings of the International Conference on Software Engineering (ICSE), April 2025. Distinguished Paper. All critical systems must evolve to meet the needs of a growing and diversifying user base. But supporting that evolution is challenging at increasing scale: Maintainers must find a way to ensure that each change does only what is intended, and will not inadvertently change behavior for existing users. This paper presents how we addressed this challenge for a cloud-scale authorization engine, invoked 1 billion times per second, by using formal verification. Over a period of four years, we built a new authorization engine, one that behaves functionally the same as its predecessor, using the verification-aware programming language Dafny. We can now confidently deploy enhancements and optimizations while maintaining the highest assurance of both correctness and backward compatibility. We deployed the new engine in 2024 without incident and customers immediately enjoyed a threefold performance improvement. The methodology we followed to build this new engine was not an off-the-shelf application of an existing verification tool, and this paper presents several key insights: 1) Rather than prove correct the existing engine, written in Java, we found it more effective to write a new engine in Dafny, a language built for verification from the ground up, and then compile the result to Java. 2) To ensure performance, debuggability, and to gain trust from stakeholders, we needed to generate readable, idiomatic Java code, essentially a transliteration of the source Dafny. 3) To ensure that the specification matches the system’s actual behavior, we performed extensive differential and shadow testing throughout the development process, ultimately comparing against 10¹5 production samples prior to deployment. Our approach demonstrates how formal verification can be effectively applied to evolve critical legacy software at scale. Publication Sat, 11 Oct 2025 16:07:06 -0400 Does the Bronze Garbage Collector Make Rust Easier to Use? A Controlled Experiment. Michael Coblenz, Michelle Mazurek, and Michael Hicks. In Proceedings of the International Conference on Software Engineering (ICSE), May 2022. Distinguished Paper Award Nominee. Rust is a general-purpose programming language that is both type- and memory-safe. Rust does not use a garbage collector, but rather achieves these properties through a sophisticated, but complex, type system. Doing so makes Rust very efficient, but makes Rust relatively hard to learn and use. We designed Bronze, an optional, library-based garbage collector for Rust. To see whether Bronze could make Rust more usable, we conducted a randomized controlled trial with volunteers from a 633-person class, collecting data from 428 students in total. We found that for a task that required managing complex aliasing, Bronze users were more likely to complete the task in the time available, and those who did so required only about a third as much time (4 hours vs. 12 hours). We found no significant difference in total time, even though Bronze users re-did the task without Bronze afterward. Surveys indicated that ownership, borrowing, and lifetimes were primary causes of the challenges that users faced when using Rust. Publication Sat, 11 Oct 2025 16:07:06 -0400 Cedar: A New Language for Expressive, Fast, Safe, and Analyzable Authorization (Extended Version). Joseph W. Cutler, Craig Disselkoen, Aaron Eline, Shaobo He, Kyle Headley, Michael Hicks, Kesha Hietala, Eleftherios Ioannidis, John Kastner, Anwar Mamat, Darin McAdams, Matt McCutchen, Neha Rungta, Emina Torlak, and Andrew Wells. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), April 2024. Cedar is a new authorization policy language designed to be ergonomic, fast, safe, and analyzable. Rather than embed authorization logic in an application’s code, developers can write that logic as Cedar policies and delegate access decisions to Cedar’s evaluation engine. Cedar’s simple and intuitive syntax supports common authorization use-cases with readable policies, naturally leveraging concepts from role-based, attribute-based, and relation-based access control models. Cedar’s policy structure enables access requests to be decided quickly. Cedar’s policy validator leverages optional typing to help policy writers avoid mistakes, but not get in their way. Cedar’s design has been finely balanced to allow for a sound and complete logical encoding, which enables precise policy analysis, e.g., to ensure that when refactoring a set of policies, the authorized permissions do not change. We have modeled Cedar in the Lean programming language, and used Lean’s proof assistant to prove important properties of Cedar’s design. We have implemented Cedar in Rust, and released it open-source. Comparing Cedar to two open-source languages, OpenFGA and Rego, we find (subjectively) that Cedar has equally or more readable policies, but (objectively) performs far better. Publication Sat, 11 Oct 2025 16:07:06 -0400 Improving the Stability of Type Safety Proofs in Dafny. Joseph W. Cutler, Michael Hicks, and Emina Torlak, January 2024. Dafny Workshop talk. In this extended abstract, we present a method for structuring type soundness proofs in Dafny to improve proof stability. As a case study, we apply the method to proving type soundness for a small expression language, and demonstrate empirically how it improves resource usage metrics known to correlate with stability. Our method can scale to realistic proofs, as demonstrated by its use in the type soundness proof of the Cedar language. Publication Sat, 11 Oct 2025 16:07:06 -0400 A Language for Probabilistically Oblivious Computation. David Darais, Ian Sweet, Chang Liu, and Michael Hicks. Technical Report abs/1711.09305, CoRR, July 2019. An oblivious computation is one that is free of direct and indirect information leaks, e.g., due to observable differences in timing and memory access patterns. This paper presents λ_obliv, a core language whose type system enforces obliviousness. Prior work on type-enforced oblivious computation has focused on deterministic programs. λ_obliv is new in its consideration of programs that implement probabilistic algorithms, such as those involved in cryptography. λ_obliv employs a substructural type system and a novel notion of probability region to ensure that information is not leaked via the distribution of visible events. The use of regions was motivated by a source of unsoundness that we discovered in the type system of ObliVM, a language for implementing state of the art oblivious algorithms and data structures. We prove that λ_obliv’s type system enforces obliviousness and show that it is expressive enough to typecheck advanced tree-based oblivious RAMs. Publication Sat, 11 Oct 2025 16:07:06 -0400 A Language for Probabilistically Oblivious Computation. David Darais, Ian Sweet, Chang Liu, and Michael Hicks. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), January 2020. An oblivious computation is one that is free of direct and indirect information leaks, e.g., due to observable differences in timing and memory access patterns. This paper presents λ_obliv, a core language whose type system enforces obliviousness. Prior work on type-enforced oblivious computation has focused on deterministic programs. λ_obliv is new in its consideration of programs that implement probabilistic algorithms, such as those involved in cryptography. λ_obliv employs a substructural type system and a novel notion of probability region to ensure that information is not leaked via the distribution of visible events. The use of regions was motivated by a source of unsoundness that we discovered in the type system of ObliVM, a language for implementing state of the art oblivious algorithms and data structures. We prove that λ_obliv’s type system enforces obliviousness and show that it is expressive enough to typecheck advanced tree-based oblivious RAMs. Publication Sat, 11 Oct 2025 16:07:06 -0400 How We Built Cedar: A Verification-Guided Approach. Craig Disselkoen, Aaron Eline, Shaobo He, Kyle Headley, Michael Hicks, Kesha Hietala, John Kastner, Anwar Mamat, Matt McCutchen, Neha Rungta, Bhakti Shah, Emina Torlak, and Andrew Wells. In Proceedings of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE), July 2024. Industry papers track. This paper presents verification-guided development (VGD), a software development process that we used to develop Cedar, a new policy language for expressive, fast, safe, and analyzable authorization. Developing a system with VGD involves two activities: (1) writing a readable, executable model of the system and proving mechanically-verified properties about it; and (2) writing production code for the system, using extensive differential random testing (DRT) to check that the production code’s behavior matches that of the model, and property-based testing (PBT) to check properties of unmodeled components of the production code. Using VGD for Cedar has been beneficial: we are able to build fast, idiomatic production code and find and fix bugs during the development phase: when carrying out proofs we found and fixed four soundness bugs in Cedar’s policy validator, and when carrying out DRT and PBT we found and fixed 21 bugs in the Cedar parser, evaluator, authorizer, and validator. [ http ] @inproceedings{disselkoen24vgd, title = {How We Built Cedar: A Verification-Guided Approach}, author = {Craig Disselkoen and Aaron Eline and Shaobo He and Kyle Headley and Michael Hicks and Kesha Hietala and John Kastner and Anwar Mamat and Matt McCutchen and Neha Rungta and Bhakti Shah and Emina Torlak and Andrew Wells}, booktitle = {Proceedings of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE)}, note = {Industry papers track}, year = 2024, month = jul } Publication Sat, 11 Oct 2025 16:07:06 -0400 Region-based Memory Management in Cyclone. Dan Grossman, Greg Morrisett, Trevor Jim, Michael Hicks, Yanling Wang, and James Cheney. In Proceedings of the ACM Conference on Programming Language Design and Implementation (PLDI), pages 282–293. ACM, June 2002. Cyclone is a polymorphic, type-safe programming language derived from C . The primary design goals of Cyclone are to let programmers control data representations and memory management without sacrificing type-safety. In this paper, we focus on the region-based memory management of Cyclone and its static typing discipline. The design incorporates several advancements, including support for region subtyping and a coherent integration with stack allocation and a garbage collector. To support separate compilation, Cyclone requires programmers to write some explicit region annotations, but uses a combination of default annotations, local type inference, and a novel treatment of region effects to reduce this burden. As a result, we integrate C idioms in a region-based framework. In our experience, porting legacy C to Cyclone has required altering about 8% of the code; of the changes, only 6% (of the 8%) were region annotations. Publication Sat, 11 Oct 2025 16:07:06 -0400 Adapton: Composable, Demand-Driven Incremental Computation. Matthew Hammer, Yit Phang Khoo, Michael Hicks, and Jeffrey S. Foster. Technical Report CS-TR-5027, Department of Computer Science, the University of Maryland, College Park, July 2013. Many researchers have proposed programming languages that support incremental computation (IC), which allows programs to be efficiently re-executed after a small change to the input. However, existing implementations of such languages have two important drawbacks. First, recomputation is oblivious to specific demands on the program output; that is, if a program input changes, all dependencies will be recomputed, even if an observer no longer requires certain outputs. Second, programs are made incremental as a unit, with little or no support for reusing results outside of their original context, e.g., when reordered. To address these problems, we present lambdaCDDIC, a core calculus that applies a demand-driven semantics to incremental computation, tracking changes in a hierarchical fashion in a novel demanded computation graph. lambdaCDDIC also formalizes an explicit separation between inner, incremental computations and outer observers. This combination ensures lambdaCDDIC programs only recompute computations as demanded by observers, and allows inner computations to be composed more freely. We describe an algorithm for implementing lambdaCDDIC efficiently, and we present AdaptOn, a library for writing lambdaCDDIC-style programs in OCaml. We evaluated AdaptOn on a range of benchmarks, and found that it provides reliable speedups, and in many cases dramatically outperforms prior state-of-the-art IC approaches. Publication Sat, 11 Oct 2025 16:07:06 -0400 Evaluating Dynamic Software Update Safety Using Efficient Systematic Testing. Christopher M. Hayden, Edward K. Smith, Eric A. Hardisty, Michael Hicks, and Jeffrey S. Foster. Technical Report CS-TR-4993, University of Maryland, Department of Computer Science, September 2011. Dynamic software updating (DSU) systems patch programs on the fly without incurring downtime. To avoid failures due to the updating process itself, many DSU systems employ timing restrictions. However, timing restrictions are theoretically imperfect, and their practical effectiveness is an open question. This paper presents the first significant empirical evaluation of three popular timing restrictions: activeness safety (AS), which prevents updates to active functions; confreeness safety (CFS), which only allows modifications to active functions when doing so is provably type-safe; and manual identification of the event-handling loops during which an update may occur. We evaluated these timing restrictions using a series of DSU patches to three programs: OpenSSH, vsftpd, and ngIRCd.We systematically applied updates at each distinct update point reached during execution of a suite of system tests for these programs to determine which updates pass and which fail. We found that all three timing restrictions prevented most failures, but only manual identification allowed none. Further, although CFS and AS allowed many more update points, manual identification still supported updates with minimal delay. Finally, we found that manual identification required the least developer effort. Overall, we conclude that manual identification is most effective. Publication Sat, 11 Oct 2025 16:07:06 -0400 Specifying and Verifying the Correctness of Dynamic Software Updates. Christopher M. Hayden, Stephen Magill, Michael Hicks, Nate Foster, and Jeffrey S. Foster. In Proceedings of the International Conference on Verified Software: Theories, Tools, and Experiments (VSTTE), pages 278–293, January 2012. Dynamic software updating (DSU) systems allow running programs to be patched on-the-fly to add features or fix bugs. While dynamic updates can be tricky to write, techniques for establishing their correctness have received little attention. In this paper, we present the first methodology for automatically verifying the correctness of dynamic updates. Programmers express the desired properties of an updated execution using client-oriented specifications (CO-specs), which can describe a wide range of client-visible behaviors. We verify CO-specs automatically by using off-the-shelf tools to analyze a merged program, which is a combination of the old and new versions of a program, along with the CO-spec. We formalize the merging transformation and prove it correct. We also implemented a C program merger, and applied it to updates for the Redis key-value server and to updates for several synthetic programs. Using the Thor verification tool we could verify many of the synthetic programs, while Otter, a symbolic executor, could analyze every program, often in less than a minute. Both tools were able to detect faulty patches and incurred only a factor-of-four slowdown, on average, compared with analyzing individual versions. Publication Sat, 11 Oct 2025 16:07:06 -0400 Polymonadic Programming. Michael Hicks, Gavin Bierman, Nataliya Guts, Daan Leijen, and Nikhil Swamy. In Proceedings of the Fifth Workshop on Mathematically Structured Functional Programming (MSFP), April 2014. Monads are a popular tool for the working functional programmer to structure effectful computations. This paper presents polymonads, a generalization of monads. Polymonads give the familiar monadic bind the more general type for alla,b. L a ->(a ->M b) ->N b, to compose computations with three different kinds of effects, rather than just one. Polymonads subsume monads and parameterized monads, and can express other constructions, including precise type-and-effect systems and information flow tracking; more generally, polymonads correspond to Tate’s productoid semantic model. We show how to equip a core language (called λ_PM) with syntactic support for programming with polymonads. Type inference and elaboration in λ_PM allows programmers to write polymonadic code directly in an ML-like syntax—our algorithms compute principal types and produce elaborated programs wherein the binds appear explicitly. Furthermore, we prove that the elaboration is coherent: no matter which (type-correct) binds are chosen, the elaborated program’s semantics will be the same. Pleasingly, the inferred types are easy to read: the polymonad laws justify (sometimes dramatic) simplifications, but with no effect on a type’s generality. A prototype implementation of λ_PM is available. Publication Sat, 11 Oct 2025 16:07:06 -0400 PLAN System Security. Michael Hicks. Technical Report MS-CIS-98-25, Department of Computer and Information Science, University of Pennsylvania, April 1998. [ .ps ] @techreport{Hicks98, author = {Michael Hicks}, title = {{PLAN} System Security}, institution = {Department of Computer and Information Science, University of Pennsylvania}, type = {Technical Report}, number = {MS-CIS-98-25}, month = {April}, year = {1998} } This file was generated by bibtex2html 1.99. Publication Sat, 11 Oct 2025 16:07:06 -0400 A Study of Large Object Spaces. Michael Hicks, Luke Hornof, Jonathan T. Moore, and Scott Nettles. In Proceedings of the ACM International Symposium on Memory Management (ISMM), pages 138–145. ACM, October 1998. This paper examines the design space for copying garbage collectors (GCs) in which “large objects” are managed in a separate, non-copy-collected space. We focus on two main issues: how to set the policy for classifying objects as “large” how to manage the large object space We explore these issues experimentally using the Oscar GC testbed. In particular, we vary the threshold size of large objects and also whether the objects may contain pointers. Furthermore, we compare the performance of treadmill collection to that of mark-and-sweep collection for managing the large object space. We find that for some heaps there is a minimum cutoff size below which adding objects to the large object space does not result in a performance improvement, while for others no such cutoff exists. In general, including pointer-containing objects in the large object space seems beneficial. Finally, the exact method used to collect the large object space does not significantly influence overall performance. [ .ps ] @inproceedings{HicksHMN98, author = {Michael Hicks and Luke Hornof and Jonathan T. Moore and Scott Nettles}, title = {A Study of Large Object Spaces}, booktitle = {Proceedings of the {ACM} International Symposium on Memory Management (ISMM)}, pages = {138--145}, year = 1998, publisher = {{ACM}}, month = {October} } This file was generated by bibtex2html 1.99. Publication Sat, 11 Oct 2025 16:07:06 -0400 A Secure PLAN. Michael Hicks and Angelos D. Keromytis. In Stefan Covaci, editor, Proceedings of the First International Working Conference on Active Networks (IWAN), volume 1653 of Lecture Notes in Computer Science, pages 307–314. Springer-Verlag, June 1999. Reprinted with extensions in DARPA Active Networks Conference and Exposition (DANCE) and IEEE Transactions on Systems, Man, and Cybernetics, Part C. Active Networks promise greater flexibility than current networks, but threaten safety and security by virtue of their programmability. In this paper, we describe the design and implementation of a security architecture for the active network PLANet. Security is obtained with a two-level architecture that combines a functionally restricted packet language, PLAN, with an environment of general-purpose service routines governed by trust management. In particular, we employ a technique which expands or contracts a packet’s service environment based on its level of privilege, termed namespace-based security. As an application of our security architecture, we present the design and implementation of an active-network firewall. We find that the addition of the firewall imposes around a 30 percent latency overhead, and as little as a 6.7 percent space overhead to incoming packets. Publication Sat, 11 Oct 2025 16:07:06 -0400 PLAN: A Packet Language for Active Networks. Michael Hicks, Pankaj Kakkar, Jonathan T. Moore, Carl A. Gunter, and Scott Nettles. In Proceedings of the Third ACM SIGPLAN International Conference on Functional Programming Languages (ICFP), pages 86–93. ACM, September 1998. PLAN (Packet Language for Active Networks) is a new language for programs that form the packets of a programmable network. These programs replace the packet headers (which can be viewed as very rudimentary programs) used in current networks. As such, PLAN programs are lightweight and of restricted functionality. These limitations are mitigated by allowing PLAN code to call node-resident service routines written in other, more powerful languages. This two-level architecture, in which PLAN serves as a scripting or `glue’ language for more general services, is the primary contribution of this paper. We have successfully applied the PLAN programming environment to implement an IP-free internetwork. PLAN is based on the simply typed lambda calculus and provides a restricted set of primitives and datatypes. PLAN defines a special construct called a chunk used to describe the remote execution of PLAN programs on other nodes. Primitive operations on chunks are used to provide basic data transport in the network and to support layering of protocols. Remote execution can make debugging difficult, so PLAN provides strong static guarantees to the programmer, such as type safety. A more novel property aimed at protecting network availability is a guarantee that PLAN programs use a bounded amount of network resources. [ .ps ] @inproceedings{HicksKMGN98, author = {Michael Hicks and Pankaj Kakkar and Jonathan T. Moore and Carl A. Gunter and Scott Nettles}, title = {{PLAN}: A Packet Language for Active Networks}, booktitle = {Proceedings of the Third {ACM} {SIGPLAN} International Conference on Functional Programming Languages (ICFP)}, month = {September}, year = 1998, pages = {86–93}, publisher = {ACM} } Publication Sat, 11 Oct 2025 16:07:06 -0400 Network Programming Using PLAN. Michael Hicks, Pankaj Kakkar, Jonathan T. Moore, Carl A. Gunter, and Scott Nettles. In Luca Cardelli, editor, Proceedings of the IEEE Workshop on Internet Programming Languages, volume 1686 of Lecture Notes in Computer Science, pages 127–143. Springer-Verlag, May 1998. We present here a methodology for programming active networks in the environment defined by our new language PLAN (Packet Language for Active Networks). This environment presumes a two-level architecture consisting of: Publication Sat, 11 Oct 2025 16:07:06 -0400 PLANet: An Active Internetwork. Michael Hicks, Jonathan T. Moore, D. Scott Alexander, Carl A. Gunter, and Scott Nettles. In Proceedings of the Eighteenth IEEE Computer and Communication Society INFOCOM Conference, pages 1124–1133. IEEE, March 1999. We present PLANet: an active network architecture and implementation. In addition to a standard suite of Internet-like services, PLANet has two key programmability features: all packets contain programs router functionality may be extended dynamically Packet programs are written in our special purpose programming language PLAN, the Packet Language for Active Networks, while dynamic router extensions are written in OCaml, a dialect of ML. Currently, PLANet routers run as byte-code-interpreted Linux user-space applications, and support Ethernet and IP as link layers. PLANet achieves respectable performance on standard networking operations: on 300 MHz Pentium-II's attached to 100 Mbps Ethernet, PLANet can route 48 Mbps and switch over 5000 packets per second. We demonstrate the utility of PLANet's activeness by showing experimentally how it can non-trivially improve application and aggregate network performance in congested conditions. [ .ps ] @inproceedings{HicksMAGN99, author = {Michael Hicks and Jonathan T. Moore and D. Scott Alexander and Carl A. Gunter and Scott Nettles}, title = {{PLANet}: An Active Internetwork}, booktitle = {Proceedings of the Eighteenth {IEEE} Computer and Communication Society {INFOCOM} Conference}, month = {March}, year = 1999, publisher = {{IEEE}}, pages = {1124--1133} } This file was generated by bibtex2html 1.99. Publication Sat, 11 Oct 2025 16:07:06 -0400 The Measured Cost of Copying Garbage Collection Mechanisms. Michael W. Hicks, Jonathan T. Moore, and Scott M. Nettles. In Proceedings of the ACM SIGPLAN Conference on Functional Programming (ICFP), pages 292–305. ACM, June 1997. We examine the costs and benefits of a variety of copying garbage collection (GC) mechanisms across multiple architectures and programming languages. Our study covers both low-level object representation and copying issues as well as the mechanisms needed to support more advanced techniques such as generational collection, large object spaces, and type-segregated areas. Our experiments are made possible by a novel performance analysis tool, Oscar. Oscar allows us to capture snapshots of programming language heaps that may then be used to replay garbage collections. The replay program is self-contained and written in C, which makes it easy to port to other architectures and to analyze with standard performance analysis tools. Furthermore, it is possible to study additional programming languages simply by instrumenting existing implementations to capture heap snapshots. In general, we found that careful implementation of GC mechanisms can have a significant benefit. For a simple collector, we measured improvements of as much as 95 percent. We then found that while the addition of advanced features can have a sizeable overhead (up to 15 percent), the net benefit is quite positive, resulting in additional gains of up to 42 percent. We also found that results varied depending upon the platform and language. Machine characteristics such as cache arrangements, instruction set (RISC/CISC), and register pool were important. For different languages, average object size seemed to be most important. The results of our experiments demonstrate the usefulness of a tool like Oscar for studying GC performance. Without much overhead, we can easily identify areas where programming language implementors could collaborate with GC implementors to improve GC performance. [ .ps ] @inproceedings{HicksMN97, author = {Michael W. Hicks and Jonathan T. Moore and Scott M. Nettles}, title = {The Measured Cost of Copying Garbage Collection Mechanisms}, booktitle = {Proceedings of the {ACM} {SIGPLAN} Conference on Functional Programming (ICFP)}, year = 1997, publisher = {{ACM}}, pages = {292–305}, month = {June} } Publication Sat, 11 Oct 2025 16:07:06 -0400 Dynamic Software Updating. Michael Hicks and Scott M. Nettles. ACM Transactions on Programming Languages and Systems (TOPLAS), 27(6):1049–1096, November 2005. Many important applications must run continuously and without interruption, yet must be changed to fix bugs or upgrade functionality. No prior general-purpose methodology for dynamic updating achieves a practical balance between flexibility, robustness, low overhead, and ease of use. We present an approach for C-like languages that provides type-safe dynamic updating of native code in an extremely flexible manner (code, data, and types may be updated, at programmer-determined times) and permits the use of automated tools to aid the programmer in the updating process. Our system is based on dynamic patches that contain both the updated code and the code needed to transition from the old version to the new. A novel aspect of our patches is that they consist of verifiable native code (e.g. Proof-Carrying Code or Typed Assembly Language), which is native code accompanied by annotations that allow on-line verification of the code’s safety. We discuss how patches are generated mostly automatically, how they are applied using dynamic-linking technology, and how code is compiled to make it updateable. To concretely illustrate our system, we have implemented a dynamically-updateable web server, FlashEd. We discuss our experience building and maintaining FlashEd, and generalize to present observations about updateable software development. Performance experiments show that for FlashEd, the overhead due to updating is low: typically less than 1 percent. Publication Sat, 11 Oct 2025 16:07:06 -0400 Proving Quantum Programs Correct. Kesha Hietala, Robert Rand, Shih-Han Hung, Liyi Li, and Michael Hicks. In Proceedings of the Conference on Interative Theorem Proving (ITP), June 2021. As quantum computing steadily progresses from theory to practice, programmers are faced with a common problem: How can they be sure that their code does what they intend it to do? This paper presents encouraging results in the application of mechanized proof to the domain of quantum programming in the context of the SQIR development. It verifies the correctness of a range of a quantum algorithms including Simon’s algorithm, Grover’s algorithm and quantum phase estimation, a key component of Shor’s algorithm. In doing so, it aims to highlight both the successes and challenges of formal verification in the quantum context and motivate the theorem proving community to target quantum computing as an application domain. Publication Sat, 11 Oct 2025 16:07:06 -0400 Cyclone: A Safe Dialect of C. Trevor Jim, Greg Morrisett, Dan Grossman, Michael Hicks, James Cheney, and Yanling Wang. In Proceedings of the USENIX Annual Technical Conference, pages 275–288. USENIX, June 2002. Cyclone is a safe dialect of C . It has been designed from the ground up to prevent the buffer overflows, format string attacks, and memory management errors that are common in C programs, while retaining C’s syntax and semantics. This paper examines safety violations enabled by C’s design, and shows how Cyclone avoids them, without giving up C’s hallmark control over low-level details such as data representation and memory management. Publication Sat, 11 Oct 2025 16:07:06 -0400 Specifying the PLAN Network Programming Language. Pankaj Kakkar, Michael Hicks, Jonathan T. Moore, and Carl A. Gunter. In Higher Order Operational Techniques in Semantics (HOOTS), volume 26 of Electronic Notes in Theoretical Computer Science, pages 87–104. Elsevier, September 1999. [ .ps ] @inproceedings{KakkarHMG99, author = {Pankaj Kakkar and Michael Hicks and Jonathan T. Moore and Carl A. Gunter}, title = {Specifying the {PLAN} Network Programming Language}, year = 1999, volume = 26, series = {Electronic Notes in Theoretical Computer Science}, booktitle = {Higher Order Operational Techniques in Semantics (HOOTS)}, pages = {87–104}, publisher = {Elsevier}, month = {September} } Publication Sat, 11 Oct 2025 16:07:06 -0400 Directing JavaScript with Arrows (poster summary). Yit Phang Khoo, Michael Hicks, Jeffrey S. Foster, and Vibha Sazawal. In Poster Proceedings of the ACM International Conference on Functional Programming (ICFP), September 2008. Event-driven programming in JavaScript often leads to code that is messy and hard to maintain. We have found arrows, a generalization of monads, to be an elegant solution to this problem. Our arrow-based Arrowlets library makes it easy to compose eventdriven programs in modular units of code. In particular, we show how to implement drag-and-drop modularly using arrows. Publication Sat, 11 Oct 2025 16:07:06 -0400 Directing JavaScript with Arrows (Functional Pearl). Yit Phang Khoo, Michael Hicks, Jeffrey S. Foster, and Vibha Sazawal. Technical Report CS-TR-4923, University of Maryland, Department of Computer Science, August 2008. Extended version of ICFP 2008 poster. JavaScript, being a single-threaded language, makes extensive use of event-driven programming to enable responsive web applications. However, standard approaches to sequencing events are messy, and often lead to code that is difficult to understand and maintain. We have found that arrows, a generalization of monads, are an elegant solution to this problem. Arrows allow us to easily write asynchronous programs in small, modular units of code, and flexibly compose them in many different ways, while nicely abstracting the details of asynchronous program composition. In particular, we show how to use arrows to construct a variety of state machines, such as autoscrollers and drag-and-drop handlers. Publication Sat, 11 Oct 2025 16:07:06 -0400 Path Projection for User-Centered Static Analysis Tools (long version). Yit Phang Khoo, Jeffrey S. Foster, Michael Hicks, and Vibha Sazawal. Technical Report CS-TR-4919, University of Maryland, Department of Computer Science, August 2008. The research and industrial communities have made great strides in developing sophisticated defect detection tools based on static analysis. However, to date most of the work in this area has focused on developing novel static analysis algorithms, and neglected study of other aspects of static analysis tools, in particular user interfaces. In this work, we present a novel user interface toolkit called Path Projection that helps users visualize, navigate, and understand program paths, a common component of many static analysis tools’ error reports. We performed a controlled user study to measure the benefit of Path Projection in triaging error reports from Locksmith, a data race detection tool for C. We found that Path Projection improved participants’ time to complete this task, without affecting accuracy, and that participants felt Path Projection was useful. Publication Sat, 11 Oct 2025 16:07:06 -0400 Expositor: Scriptable Time-Travel Debugging with First-Class Traces. Yit Phang Khoo, Jeffrey S. Foster, and Michael Hicks. Technical Report CS-TR-5021, Department of Computer Science, University of Maryland, College Park, February 2013. [ .pdf ] @techreport{khoo13cs-tr-5021, author = {Yit Phang Khoo and Jeffrey S. Foster and Michael Hicks}, title = {{Expositor: Scriptable Time-Travel Debugging with First-Class Traces}}, institution = {Department of Computer Science, University of Maryland, College Park}, year = {2013}, number = {CS-TR-5021}, month = {February} } Publication Sat, 11 Oct 2025 16:07:06 -0400 Evaluating Fuzz Testing. George T. Klees, Andrew Ruef, Benjamin Cooper, Shiyi Wei, and Michael Hicks. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), October 2018. Winner of the 7th NSA Best Scientific Cybersecurity Paper competition. Fuzz testing has enjoyed great success at discovering security critical bugs in real software. Recently, researchers have devoted significant effort to devising new fuzzing techniques, strategies, and algorithms. Such new ideas are primarily evaluated experimentally so an important question is: What experimental setup is needed to produce trustworthy results? We surveyed the recent research literature and assessed the experimental evaluations carried out by 32 fuzzing papers. We found problems in every evaluation we considered. We then performed our own extensive experimental evaluation using an existing fuzzer. Our results showed that the general problems we found in existing experimental evaluations can indeed translate to actual wrong or misleading assessments. We conclude with some guidelines that we hope will help improve experimental evaluations of fuzz testing algorithms, making reported results more robust. [ http ] @inproceedings{klees2018fuzzeval, author = {George T. Klees and Andrew Ruef and Benjamin Cooper and Shiyi Wei and Michael Hicks}, title = {Evaluating Fuzz Testing}, booktitle = {Proceedings of the {ACM} Conference on Computer and Communications Security (CCS)}, year = {2018}, month = oct, note = {Winner of the 7th NSA \textbf{Best Scientific Cybersecurity Paper} competition} } Publication Sat, 11 Oct 2025 16:07:06 -0400 Verified Compilation of Quantum Oracles. Liyi Li, Finnegan Voichick, Kesha Hietala, Yuxiang Peng, Xiaodi Wu, and Michael Hicks, December 2021. Quantum algorithms often apply classical operations, such as arithmetic or predicate checks, over a quantum superposition of classical data; these so-called oracles are often the largest components of a quantum algorithm. To ease the construction of efficient, correct oracle functions, this paper presents VQO, a high-assurance framework implemented with the Coq proof assistant. The core of VQO is OQASM, the oracle quantum assembly language. OQASM operations move qubits among three different bases via the Quantum Fourier Transform and Hadamard operations, thus admitting important optimizations, but without inducing entanglement and the exponential blowup that comes with it. OQASM’s design enabled us to prove correct VQO’s compilers – from a simple imperative language called OQIMP to OQASM, and from OQASM to SQIR, a general-purpose quantum assembly language – and allowed us to efficiently test properties of OQASM programs using the QuickChick property-based testing framework. We have used VQO to implement oracles used in Shor’s and Grover’s algorithms, as well as several common arithmetic operators. VQO’s oracles have performance comparable to those produced by Quipper, a state-of-the-art but unverified quantum programming platform. [ arXiv ] @misc{li2021verified, title = {Verified Compilation of Quantum Oracles}, author = {Liyi Li and Finnegan Voichick and Kesha Hietala and Yuxiang Peng and Xiaodi Wu and Michael Hicks}, year = {2021}, eprint = {2112.06700}, archiveprefix = {arXiv}, month = dec } Publication Sat, 11 Oct 2025 16:07:06 -0400 Verified Compilation of Quantum Oracles. Liyi Li, Finnegan Voichick, Kesha Hietala, Yuxiang Peng, Xiaodi Wu, and Michael Hicks. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), December 2022. Quantum algorithms often apply classical operations, such as arithmetic or predicate checks, over a quantum superposition of classical data; these so-called oracles are often the largest components of a quantum program. To ease the construction of efficient, correct oracle functions, this paper presents VQO, a high-assurance framework implemented with the Coq proof assistant. The core of VQO is OQASM, the oracle quantum assembly language. OQASM operations move qubits between two different bases via the quantum Fourier transform, thus admitting important optimizations, but without inducing entanglement and the exponential blowup that comes with it. OQASM’s design enabled us to prove correct VQO’s compilers—from a simple imperative language called OQIMP to OQASM, and from OQASM to SQIR, a general-purpose quantum assembly language—and allowed us to efficiently test properties of OQASM programs using the QuickChick property-based testing framework. We have used VQO to implement a variety of arithmetic and geometric operators that are building blocks for important oracles, including those used in Shor’s and Grover’s algorithms. We found that VQO’s QFT-based arithmetic oracles require fewer qubits, sometimes substantially fewer, than those constructed using “classical” gates; VQO’s versions of the latter were nevertheless on par with or better than (in terms of both qubit and gate counts) oracles produced by Quipper, a state-of-the-art but unverified quantum programming platform. [ arXiv ] @inproceedings{li2022verified, title = {Verified Compilation of Quantum Oracles}, author = {Liyi Li and Finnegan Voichick and Kesha Hietala and Yuxiang Peng and Xiaodi Wu and Michael Hicks}, booktitle = {Proceedings of the {ACM} Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA)}, year = {2022}, eprint = {2112.06700}, archiveprefix = {arXiv}, month = dec } Publication Sat, 11 Oct 2025 16:07:06 -0400 A Formal Model of Checked C. Liyi Li, Yiyun Liu, Deena L. Postol, Leonidas Lampropoulos, David Van Horn, and Michael Hicks. In Proceedings of the Computer Security Foundations Symposium (CSF), August 2022. In this work, we present a formal model of Checked C, a dialect of C that aims to enforce spatial memory safety. Our model pays particular attention to the semantics of dynamically sized, potentially null-terminated arrays. We formalize this model in Coq, and prove that any spatial memory safety errors can be blamed on portions of the program labeled unchecked; this is a Checked C feature that supports incremental porting and backward compatibility. Our model develops an operational semantics that uses fat pointers to guarantee spatial safety. However, we formalize a compilation scheme that can yield thin pointers, with bounds information managed using inserted code. We show that the generated code faithfully simulates the original. Finally, we build an executable version of our model in PLT Redex, and use a custom random generator for well-typed and almost-well-typed terms to find inconsistencies between our model and the Clang Checked C implementation. We find this a useful way to co-develop a language (Checked C is still in development) and a core model of it. Publication Sat, 11 Oct 2025 16:07:06 -0400 C to Checked C by 3C. Aravind Machiry, John Kastner, Matt McCutchen, Aaron Eline, Kyle Headley, and Michael Hicks. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), December 2022. Distinguished Paper. Owing to the continued use of C (and C++), spatial safety violations (e.g., buffer overflows) still constitute one of today’s most dangerous and prevalent security vulnerabilities. To combat these violations, Checked C extends C with bounds-enforced checked pointer types. Checked C is essentially a gradually typed spatially safe C—checked pointers are backwards-binary compatible with legacy pointers, and the language allows them to be added piecemeal, rather than necessarily all at once, so that safety retrofitting can be incremental. This paper presents a semi-automated process for porting a legacy C program to Checked C . The process centers on 3C, a static analysis-based annotation tool. 3C employs two novel static analysis algorithms—typ3c and boun3c—to annotate legacy pointers as checked pointers, and to infer array bounds annotations for pointers that need them. 3C performs a root cause analysis to direct a human developer to code that should be refactored; once done, 3C can be re-run to infer further annotations (and updated root causes). Experiments on 11 programs totaling 319KLoC show 3C to be effective at inferring checked pointer types, and experience with previously and newly ported code finds 3C works well when combined with human-driven refactoring. Publication Sat, 11 Oct 2025 16:07:06 -0400 Practical Programmable Packets. Jonathan T. Moore, Michael Hicks, and Scott Nettles. In Proceedings of the Twentieth IEEE Computer and Communication Society INFOCOM Conference, pages 41–50. IEEE, April 2001. We present SNAP (Safe and Nimble Active Packets), a new scheme for programmable (or active) packets centered around a new low-level packet language. Unlike previous active packet approaches, SNAP is practical: namely, adding significant flexibility over IP without compromising safety and security or efficiency. In this work we compare SNAP’s flexibility to other active packet systems, give proof sketches of its novel approach to resource control, and present experimental data showing SNAP attains performance extremely close to that of a software IP router. Publication Sat, 11 Oct 2025 16:07:06 -0400 Chunks in PLAN: Language Support for Programs as Packets. Jonathan T. Moore, Michael Hicks, and Scott M. Nettles. In Proceedings of the 37th Annual Allerton Conference on Communication, Control, and Computing, September 1999. Chunks are a programming construct in PLAN, the Packet Language for Active Networks, comprised of a code segment and a suspended function call. In PLAN, chunks provide support for encapsulation and other packet programming techniques. This paper begins by explaining the semantics and implementation of chunks. We proceed, using several PLAN source code examples, to demonstrate the usefulness of chunks for micro-protocols, asynchronous adaptation, and as units of authentication granularity. Publication Sat, 11 Oct 2025 16:07:06 -0400 Practical Dynamic Software Updating for C (Extended version). Iulian Neamtiu, Michael Hicks, Gareth Stoyle, and Manuel Oriol. Technical Report CS-TR-4790, Department of Computer Science, University of Maryland, March 2006. Extended version of PLDI 06 paper. [ http ] @techreport{neamtiu06dsutr, author = { Iulian Neamtiu and Michael Hicks and Gareth Stoyle and Manuel Oriol}, title = {Practical Dynamic Software Updating for {C} (Extended version)}, institution = {Department of Computer Science, University of Maryland}, number = {CS-TR-4790}, year = 2006, month = {March}, note = {Extended version of PLDI 06 paper}, http = { http://www.cs.umd.edu/projects/dsu/} } Publication Sat, 11 Oct 2025 16:07:06 -0400 LWeb: Information Flow Security for Multi-Tier Web Applications. James Parker, Niki Vazou, and Michael Hicks. In Proceedings of the ACM Conference on Principles of Programming Languages (POPL), January 2019. This paper presents LWeb, a framework for enforcing label-based, information flow policies in database-using web applications. In a nutshell, LWeb marries the LIO Haskell IFC enforcement library with the Yesod web programming framework. The implementation has two parts. First, we extract the core of LIO into a monad transformer (LMonad) and then apply it to Yesod’s core monad. Second, we extend Yesod’s table definition DSL and query functionality to permit defining and enforcing label-based policies on tables and enforcing them during query processing. LWeb’s policy language is expressive, permitting dynamic per-table and per-row policies. We formalize the essence of LWeb in the LWebcalc calculus and mechanize the proof of noninterference in Liquid Haskell. This mechanization constitutes the first metatheoretic proof carried out in Liquid Haskell. We also used LWeb to build a substantial web site hosting the Build it, Break it, Fix it security-oriented programming contest. The site involves 40 data tables and sophisticated policies. Compared to manually checking security policies, LWeb imposes a modest runtime overhead of between 2% to 21%. It reduces the trusted code base from the whole application to just 1% of the application code, and 21% of the code overall (when counting LWeb too). Publication Sat, 11 Oct 2025 16:07:06 -0400 A Formally Certified End-to-End Implementation of Shor’s Factorization Algorithm. Yuxiang Peng, Kesha Hietala, Runzhou Tao, Liyi Li, Robert Rand, Michael Hicks, and Xiaodi Wu. Proceedings of the National Academy of Sciences, 120(21), May 2023. Preprint at https://arxiv.org/abs/2204.07112. Quantum computing technology may soon deliver revolutionary improvements in algorithmic performance, but it is useful only if computed answers are correct. While hardware-level decoherence errors have garnered significant attention, a less recognized obstacle to correctness is that of human programming errors—“bugs.” Techniques familiar to most programmers from the classical domain for avoiding, discovering, and diagnosing bugs do not easily transfer, at scale, to the quantum domain because of its unique characteristics. To address this problem, we have been working to adapt formal methods to quantum programming. With such methods, a programmer writes a mathematical specification alongside the program and semiautomatically proves the program correct with respect to it. The proof’s validity is automatically confirmed certified by a “proof assistant.” Formal methods have successfully yielded high-assurance classical software artifacts, and the underlying technology has produced certified proofs of major mathematical theorems. As a demonstration of the feasibility of applying formal methods to quantum programming, we present a formally certified end-to-end implementation of Shor’s prime factorization algorithm, developed as part of a framework for applying the certified approach to general applications. By leveraging our framework, one can significantly reduce the effects of human errors and obtain a high-assurance implementation of large-scale quantum applications in a principled way. Publication Sat, 11 Oct 2025 16:07:06 -0400 Conferences in an Era of Expensive Carbon. Benjamin Pierce, Michael Hicks, Crista Lopes, and Jens Palsberg. Communications of the ACM, March 2020. Preprint at https://www.cs.umd.edu/~mwh/papers/co2acm.pdf. Air travel is a significant source of greenhouse gas emissions when tallied per traveler. This means that for many scientists, travel to conferences may be a substantial or even dominant part of their individual contribution to climate change. What should ACM do, in recognition of this situation? Two years ago, SIGPLAN convened an ad hoc Climate Committee to research this question; we are its members. After investigating many options and intensive and wide-ranging discussions, we are putting forward two concrete proposals. First, all ACM conferences should publicly account for the greenhouse gases emitted as a result of putting them on. Second, ACM should put a price on carbon in conference budgets, to create pressure on organizers to reduce their footprints. [ http ] @article{pierce20carbon, author = {Benjamin Pierce and Michael Hicks and Crista Lopes and Jens Palsberg}, title = {Conferences in an Era of Expensive Carbon}, journal = {Communications of the {ACM}}, month = mar, year = 2020, note = {Preprint at \url{https://www.cs.umd.edu/~mwh/papers/co2acm.pdf}} } Publication Sat, 11 Oct 2025 16:07:06 -0400 Verified Optimization in a Quantum Intermediate Representation. Kesha Hietala, Robert Rand, Shih-Han Hung, Xiaodi Wu, and Michael Hicks, June 2019. Extended abstract appeared at QPL 2019. We present sqire, a low-level language for quantum computing and verification. sqire uses a global register of quantum bits, allowing easy compilation to and from existing `quantum assembly’ languages and simplifying the verification process. We demonstrate the power of sqire as an intermediate representation of quantum programs by verifying a number of useful optimizations, and we demonstrate sqire’s use as a tool for general verification by proving several quantum programs correct. Publication Sat, 11 Oct 2025 16:07:06 -0400 Formal Verification vs. Quantum Uncertainty. Robert Rand, Kesha Hietala, and Michael Hicks. In Benjamin S. Lerner, Rastislav Bodík, and Shriram Krishnamurthi, editors, 3rd Summit on Advances in Programming Languages (SNAPL 2019), volume 136 of Leibniz International Proceedings in Informatics (LIPIcs), pages 12:1–12:11, Dagstuhl, Germany, May 2019. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik. Quantum programming is hard: Quantum programs are necessarily probabilistic and impossible to examine without disrupting the execution of a program. In response to this challenge, we and a number of other researchers have written tools to verify quantum programs against their intended semantics. This is not enough. Verifying an idealized semantics against a real world quantum program doesn’t allow you to confidently predict the program’s output. In order to have verification that works, you need both an error semantics related to the hardware at hand (this is necessarily low level) and certified compilation to the that same hardware. Once we have these two things, we can talk about an approach to quantum programming where we start by writing and verifying programs at a high level, attempt to verify properties of the compiled code, and repeat as necessary. Publication Sat, 11 Oct 2025 16:07:06 -0400 Wys: A Verified Language Extension for Secure Multi-Party Computations. Aseem Rastogi, Nikhil Swamy, and Michael Hicks. Technical Report abs/1711.06467, CoRR, November 2017. Secure multi-party computation (MPC) enables a set of mutually distrusting parties to cooperatively compute, using a cryptographic protocol, a function over their private data. This paper presents Wys, a new domain-specific language (DSL) implementation for writing MPCs. Wys is a Verified, Domain-Specific Integrated Language Extension (VDSILE), a new kind of embedded DSL hosted in F, a full-featured, verification-oriented programming language. Wys source programs are essentially F programs written against an MPC library, meaning that the programmers can use F’s logic to verify the correctness and security properties of their programs. To reason about the distributed semantics of these programs, we formalize a deep embedding of Wys, also in F. We mechanize the necessary metatheory to prove that the properties verified for the Wys source programs carry over to the distributed, multi-party semantics. Finally, we use F’s extraction mechanism to extract an interpreter that we have proved matches this semantics, yielding a verified implementation. Indeed, Wys is the first DSL to enable formal verification of source MPC programs, and also the first MPC DSL to provide a verified implementation. With Wys^* we have implemented several MPC protocols, including private set intersection, joint median, and an MPC-based card dealing application, and have verified their security and correctness. Publication Sat, 11 Oct 2025 16:07:06 -0400 Build it, break it, fix it: Competing to build secure systems. Andrew Ruef and Michael Hicks. The Next Wave, 21(1):19–23, 2015. We have a long legacy of failing to build secure systems; can a coding competition give us insight into what we can do better? This article presents an overview of the Build-it, Break-it, Fix-it Security-oriented programming competition. [ .pdf ] @article{ruef15bibifiNW, author = {Andrew Ruef and Michael Hicks}, journal = {The Next Wave}, title = {Build it, break it, fix it: Competing to build secure systems}, volume = 21, number = 1, pages = {19–23}, year = 2015, mon = oct } Publication Sat, 11 Oct 2025 16:07:06 -0400 Build It, Break It, Fix It: Contesting Secure Development. Andrew Ruef, Michael Hicks, James Parker, Dave Levin, Michelle L. Mazurek, and Piotr Mardziel. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), October 2016. Typical security contests focus on breaking or mitigating the impact of buggy systems. We present the Build-it, Break-it, Fix-it (BIBIFI) contest, which aims to assess the ability to securely build software, not just break it. In BIBIFI, teams build specified software with the goal of maximizing correctness, performance, and security. The latter is tested when teams attempt to break other teams’ submissions. Winners are chosen from among the best builders and the best breakers. BIBIFI was designed to be open-ended—teams can use any language, tool, process, etc. that they like. As such, contest outcomes shed light on factors that correlate with successfully building secure software and breaking insecure software. During 2015, we ran three contests involving a total of 116 teams and two different programming problems. Quantitative analysis from these contests found that the most efficient build-it submissions used C/C++, but submissions coded in other statically-typed languages were less likely to have a security flaw; build-it teams with diverse programming-language knowledge also produced more secure code. Shorter programs correlated with better scores. Break-it teams that were also successful build-it teams were significantly better at finding security bugs. Publication Sat, 11 Oct 2025 16:07:06 -0400 Fable: A Language for Enforcing User-defined Security Policies. Nikhil Swamy, Brian J. Corcoran, and Michael Hicks. Technical Report CS-TR-4895, University of Maryland, Department of Computer Science, November 2007. Full version of Oakland 08 paper. This paper presents Fable, a core formalism for a programming language in which programmers may specify security policies and reason that these policies are properly enforced. In Fable, security policies can be expressed by associating security labels with the data or actions they protect. Programmers define the semantics of labels in a separate part of the program called the enforcement policy. Fable prevents a policy from being circumvented by allowing labeled terms to be manipulated only within the enforcement policy; application code must treat labeled values abstractly. Together, these features facilitate straightforward proofs that programs implementing a particular policy achieve their high-level security goals. Fable is flexible enough to implement a wide variety of security policies, including access control, information flow, provenance, and security automata. We have implemented Fable as part of the Links web programming language; we call the resulting language SELinks. We report on our experience using SElinks to build two substantial applications, a wiki and an on-line store, equipped with a combination of access control and provenance policies. To our knowledge, no existing framework enables the enforcement of such a wide variety of security policies with an equally high level of assurance. [ .pdf ] @techreport{swamy07fableTR, author = {Nikhil Swamy and Brian J. Corcoran and Michael Hicks}, institution = {University of Maryland, Department of Computer Science}, number = {CS-TR-4895}, title = {Fable: A Language for Enforcing User-defined Security Policies}, year = 2007, month = nov, note = {Full version of Oakland 08 paper} } Publication Sat, 11 Oct 2025 16:07:06 -0400 Verified Enforcement of Automaton-based Information Release Policies. Nikhil Swamy and Michael Hicks. Technical Report CS-TR-4906, University of Maryland, Department of Computer Science, 2008. Full version of PLAS 08 paper. Many organizations specify information release policies to describe the terms under which sensitive information may be released to other organizations. This paper presents a new approach for ensuring that security-critical software correctly enforces its information release policy. Our approach has two parts. First, an information release policy is specified as a security automaton written in a new language called AIR. Second, we enforce an AIR policy by translating it into an API for programs written in Lair, a core formalism for a functional programming language. Lair uses a novel combination of dependent, affine, and singleton types to ensure that the API is used correctly. As a consequence we can certify that programs written in Lair meet the requirements of the original AIR policy specification. Publication Sat, 11 Oct 2025 16:07:06 -0400 Lightweight Monadic Programming in ML. Nikhil Swamy, Nataliya Guts, Daan Leijen, and Michael Hicks. Technical Report MSR-TR-2011-039, Microsoft Research, May 2011. Many useful programming constructions can be expressed as monads. Examples include probabilistic computations, time-varying expressions, parsers, and information flow tracking, not to mention effectful features like state and I/O. In this paper, we present a type-based rewriting algorithm to make programming with arbitrary monads as easy as using ML’s built-in support for state and I/O. Developers write programs using monadic values of type M t as if they were of type t, and our algorithm inserts the necessary binds, units, and monad-to-monad morphisms so that the program typechecks. Our algorithm is based on Jones' qualified types and enjoys three useful properties: (1) principal types, i.e., the rewriting we perform is the most general; (2) coherence, i.e., thanks to the monad and morphism laws, all instances of the principal rewriting have the same semantics; (3) decidability; i.e., the solver for generated constraints will always terminate. Throughout the paper we present simple examples from the domains listed above. Our most complete example, which illustrates the expressive power of our system, proves that ML programs rewritten by our algorithm to use the information flow monad are equivalent to programs in FlowCaml, a domain-specific information flow tracking language. Publication Sat, 11 Oct 2025 16:07:06 -0400 Probabilistic Abstract Interpretation: Sound Inference and Application to Privacy. Jose Manuel Calderón Trilla, Michael Hicks, Stephen Magill, Piotr Mardziel, and Ian Sweet. In Gilles Barthe, Joost-Pieter Katoen, and Alexandra Silva, editors, Foundations of Probabilistic Programming, chapter 11, pages 361–389. Cambridge University Press, November 2020. Bayesian probability models uncertain knowledge and learning from observations. As a defining feature of optimal adversarial behaviour, Bayesian reasoning forms the basis of safety properties in contexts such as privacy and fairness. Probabilistic programming is a convenient implementation of Bayesian reasoning but the adversarial setting imposes obstacles to its use: approximate inference can underestimate adversary knowledge and exact inference is impractical in cases covering large state spaces. By abstracting distributions, the semantics of a probabilistic language, and inference, jointly termed probabilistic abstract interpretation, we demonstrate adversary models both approximate and sound. We apply the techniques to build a privacy protecting monitor and describe how to trade off the precision and computational cost in its implementation all the while remaining sound with respect to privacy risk bounds. [ http ] @incollection{trilla20probprog, title = {Probabilistic Abstract Interpretation: Sound Inference and Application to Privacy}, booktitle = {Foundations of Probabilistic Programming}, author = {Jose Manuel Calder'{o}n Trilla and Michael Hicks and Stephen Magill and Piotr Mardziel and Ian Sweet}, editor = {Gilles Barthe and Joost-Pieter Katoen and Alexandra Silva}, chapter = 11, pages = {361–389}, month = nov, year = 2020, publisher = {Cambridge University Press} } Publication Sat, 11 Oct 2025 16:07:06 -0400 Understanding security mistakes developers make: Qualitative analysis from Build It, Break It, Fix It. Daniel Votipka, Kelsey Fulton, James Parker, Matthew Hou, Michelle L. Mazurek, and Michael Hicks. In Proceedings of the USENIX Security Symposium (USENIX SEC), August 2020. Distinguished Paper. Secure software development is a challenging task requiring consideration of many possible threats and mitigations. This paper investigates how and why programmers, despite a baseline of security experience, make security-relevant errors. To do this, we conducted an in-depth analysis of 94 submissions to a secure-programming contest designed to mimic real-world constraints: correctness, performance, and security. In addition to writing secure code, participants were asked to search for vulnerabilities in other teams’ programs; in total, teams submitted 866 exploits against the submissions we considered. Over an intensive six-month period, we used iterative open coding to manually, but systematically, characterize each submitted project and vulnerability (including vulnerabilities we identified ourselves). We labeled vulnerabilities by type, attacker control allowed, and ease of exploitation, and projects according to security implementation strategy. Several patterns emerged. For example, simple mistakes were least common: only 21% of projects introduced such an error. Conversely, vulnerabilities arising from a misunderstanding of security concepts were significantly more common, appearing in 78% of projects. Our results have implications for improving secure-programming APIs, API documentation, vulnerability-finding tools, and security education. Publication Sat, 11 Oct 2025 16:07:06 -0400 Build It, Break It, Fix It Contests: Motivated Developers Still Make Security Mistakes. Daniel Votipka, Kelsey R. Fulton, James Parker, Matthew Hou, Michelle L. Mazurek, and Michael Hicks. ;login;, 45(4), winter 2020. Secure software development is a challenging task requiring consideration of many possible threats and mitigations. We reviewed code submitted by 94 teams in a secure-programming contest designed to mimic real-world constraints—correctness, performance, and security. We found that the competitors, many of whom were experienced programmers and had just completed a 24-week cybersecurity course sequence with specific instruction on secure coding and cryptography, still introduced several vulnerabilities (182 across all teams), mostly due to misunderstandings of security concepts. We explain our methodology, discuss trends in the types of vulnerabilities introduced, and offer suggestions for avoiding the kinds of problems we encountered. [ http ] @article{votipka20bibifilogin, title = {Build It, Break It, Fix It Contests: Motivated Developers Still Make Security Mistakes}, journal = {;login;}, month = {winter}, year = 2020, volume = {45}, number = {4}, author = {Daniel Votipka and Kelsey R. Fulton and James Parker and Matthew Hou and Michelle L. Mazurek and Michael Hicks} } Publication Sat, 11 Oct 2025 16:07:06 -0400 Fuzzing Configurations of Program Options. Zenong Zhang, George Klees, Eric Wang, Michael Hicks, and Shiyi Wei. ACM Transactions on Software Engineering and Methodology (TOSEM), 32(2), March 2023. A shorter version appeared at the 2022 Fuzzing Workshop. While many real-world programs are shipped with configurations to enable/disable functionalities, fuzzers have mostly been applied to test single configurations of these programs. In this work, we first conduct an empirical study to understand how program configurations affect fuzzing performance. We find that limiting a campaign to a single configuration can result in failing to cover a significant amount of code. We also observe that different program configurations contribute differing amounts of code coverage, challenging the idea that each one can be efficiently fuzzed individually. Motivated by these two observations, we propose ConfigFuzz , which can fuzz configurations along with normal inputs. ConfigFuzz transforms the target program to encode its program options within part of the fuzzable input, so existing fuzzers’ mutation operators can be reused to fuzz program configurations. We instantiate ConfigFuzz on six configurable, common fuzzing targets, and integrate their executions in FuzzBench. In our evaluation, ConfigFuzz outperforms two baseline fuzzers in four targets, while the results are mixed in the other targets due to program size and configuration space. We also analyze the options fuzzed by ConfigFuzz and how they affect the performance. Publication Sat, 11 Oct 2025 16:07:06 -0400 Fat Pointers for Temporal Memory Safety of C. Jie Zhou, John Criswell, and Michael Hicks. In Proceedings of the ACM Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA), April 2023. Temporal memory safety bugs, especially use-after-free and double free bugs, pose a major security threat to C programs. Real-world exploits utilizing these bugs enable attackers to read and write arbitrary memory locations, causing disastrous violations of confidentiality, integrity, and availability. Many previous solutions retrofit temporal memory safety to C, but they all either incur high performance overhead and/or miss detecting certain types of temporal memory safety bugs. In this paper, we propose a temporal memory safety solution that is both efficient and comprehensive. Specifically, we extend Checked C, a spatially-safe extension to C, with temporally-safe pointers. These are implemented by combining two techniques: fat pointers and dynamic key-lock checks. We show that the fat-pointer solution significantly improves running time and memory overhead compared to the disjoint-metadata approach that provides the same level of protection. With empirical program data and hands-on experience porting real-world applications, we also show that our solution is practical in terms of backward compatibility – one of the major complaints about fat pointers. [ arXiv ] @inproceedings{zhou23fatpointers, author = {Jie Zhou and John Criswell and Michael Hicks}, title = {Fat Pointers for Temporal Memory Safety of C}, booktitle = {Proceedings of the {ACM} Conference on Object-Oriented Programming Languages, Systems, and Applications (OOPSLA)}, year = {2023}, eprint = {2208.12900}, archiveprefix = {arXiv}, month = apr } Contact Wed, 01 Oct 2025 00:00:00 +0000 Address: University of Pennsylvania Dept. of Computer & Information Science 3330 Walnut Street Philadelphia, PA 19104 Empirical Security & Privacy, for Humans Mon, 01 Sep 2025 00:00:00 +0000 About Since the development of time-sharing computer systems 50+ years ago, computer scientists have been working on how to secure them. Today, the computer security industry is massive. Participants across government, academia, and industry are making significant investments and producing impressive technology. Given all this, are computer systems actually getting more secure? How would we know? What research and other work is being done to both understand and address the situation? Software Security Thu, 01 Jan 2015 00:00:00 +0000 Overview This course, originally developed in late 2014 and early 2015 for Coursera as part of the University of Maryland’s four-course specialization on cybersecurity, explores the foundations of software security. The course is old enough now that I don’t feel comfortable charging money for it, so it is here hosted for free. All of the videos are collected on a Youtube channel, Software Security.