Michael Hicks

E-mail: (GPG key)
Twitter: @michael_w_hicks
Phone/Fax: +1-301-405-2710 / +1-301-405-6707

3417 A.V. Williams Building (in 3400 suite)

(Quadrant F8, Building 115 in the linked map)


Dept. of Computer Science

8223 Paint Branch Dr.

University of Maryland

College Park, MD 20742

Publications PL Enthusiast (Blog)
CMSC 838G MOOC on Software Security

I am a professor in the Computer Science Department and UMIACS at the University of Maryland, College Park. With Jeff Foster and David Van Horn I direct PLUM, the lab for Programming Languages research at the University of Maryland. I am also affiliated with the Maryland Cybersecurity Center (MC2), and was formerly its Director (see our video!). You may find it interesting to read about how we manage PLUM.

Here is my current vita and a list of my publications, organized by year and by category.

I received my Ph.D. in Computer and Information Science from the University of Pennsylvania in August 2001, and I spent one year as a post-doctoral associate affiliated with the Information Assurance Institute of the Computer Science Department at Cornell University. During the 2008-2009 academic year, I was on sabbatical in Cambridge, England. From September to November I was at Microsoft Research, and from December to August 2009 I was at the University of Cambridge Computer Laboratory. I was the director of MC2 from October 2011 to 2013.

How fast can you type? (My best so far is 108 wpm.)

Submit a paper to IEEE SecDev!


My primary research interest is to develop and evaluate techniques to improve software availability, reliability, and security. I am currently working on a number of projects.
Secure Programming - How do we build software that is secure? We have been developing a contest, called build-it, break-it, fix-it, whose aim is to test how well students can build software securely. Our hope is to offer this contest several times, at scale, and then draw larger lessons from the data we gather from the process and outcomes.
Protecting against side channel attacks - How do we avoid leaking information via observable behavior? We are developing novel static analyses and type systems to identify when a program might be leaking sensitive information via its running time, space usage, address/IO trace, and more.
Quantifying Information Flow - means to enforce security policies through programming languages and analyses that carefully consider (and quantify) information flows. We have implemented approaches using probabilistic abstract interpretation for protecting static and time-varying secrets, and we are currently generalizing these ideas to database queries.
Blending Programming Languages and Cryptography - means of implementing privacy-preserving or integrity-assuring computation through the combination of programming languages and cryptographic techniques. I have looked at languages and analyses for secure multiparty computation, most notably a new programming language called Wysteria, and developed novel mechanisms for cloud-based computations involving general-purpose authenticated data structures and compiler-optimized oblivious RAM.
Demand-driven incremental computation - general-purpose techniques for updating the output of a computation as a result of small changes to its input. Our approach, called Adapton, considers the demand for output when deciding to propagate changes, resulting in potentially very large performance improvements.
Dynamic Software Updating - means to safely, efficiently, and flexibly update running code. We have developed general-purpose methods for updating C and Java programs, and are currently considering means to update controllers in software-defined networks. Our system for dynamically updating C code is called Kitsune and our system for Java is called Rubah; the code and benchmarks for both are freely available. Earlier work and papers are described here.

Previously, I was involved in Expositor, a library for writing dynamic analyses to assist in debugging, taking advantage of record/replay support. I also worked on Diamondback Ruby, a static and hybrid static/dynamic type system for the Ruby scripting language. I was involved with the development of Otter, a symbolic executor for C programs. I also worked on LockSmith, a static analysis tool for proving the absence of race conditions in C programs, and a novel user interface technique applied to it called Path Projection, which is a browser-based UI toolkit for presenting, navigating, and querying paths emitted as static analysis results. I was a core developer of Cyclone, a safe dialect of C. I have also looked at means for customized, language-enforced security policies, implemented in a web programming language, SELinks, and automatically inserted by a compiler called Coco. I have an interest in systems and networking as well, and for a while I worked on measurement-aware data transport and kernel-based rootkit detection. Links to all past projects may be found on the PLUM home page.

Research Group

Current students/postdocs:
Piotr Mardziel (postdoc, previously PhD student)
James Parker (research programmer, previously MS student)
Chang Liu (co-advised with Elaine Shi)
Andrew Miller (co-advised with Jon Katz and Elaine Shi)
Andrew Ruef
Shiyi Wei (postdoc)

Previous students/postdocs:
Aseem Rastogi Language-based Techniques for Practical and Trustworthy Secure Multi-Party Computations
Researcher, Microsoft Research India, starting June 2016
Luís Pina*** Practical Dynamic Software Updating (for Java)
Post-doc, Imperial College, London, under Cristian Cadar, since March 2015

Karla Saur* Dynamic Upgrades for High Availability Systems
Researcher, Intel Labs, since September 2015
Piotr Mardziel Modeling, Measuring, and Limiting Adversary Knowledge
Post-doc, UMD, since January 2015
James Parker (MS) LMonad: Information Flow Control for Haskell Web Applications
Research programmer, UMD, since January 2015
Khoo Yit Phang* User-centered Program Analysis Tools
Software Engineer, MathWorks since August 2013
Chris Hayden* Clear, Correct, and Efficient Dynamic Software Updates
Software Engineer at SocialCode since Dec. 2015 (at WaPo Labs/Trove 2012-2015)
Justin McCann Automating Performance Diagnosis in Networked Systems
Avere Systems since July 2012
Martin Ma* Improving Program Testing and Understanding via Symbolic Execution
Software Engineer, Google, since 2013 (previously at Amazon)
Saurabh Srivastava* Satisfiability-based Program Reasoning and Program Synthesis
Founder, 20n, since 2013 (previously a post-doc at Berkeley)
Pavlos Papageorgiou The Measurement Manager: Modular and Efficient End-to-end Measurement Services
Software Engineer, Google, since December 2008
Iulian Neamtiu Practical Dynamic Software Updating
Assoc. Prof, NJIT, since Fall 2015 (at UC Riverside, 2008-2015).
Polyvios Pratikakis* Sound, precise, and efficient static race detection for multithreaded programs
Researcher, Institute of Computer Science, FORTH (Crete, Greece), since Spring 2010 (previously a post-doc at CNRS/VERIMAG)
Nikhil Swamy Language-based Enforcement of User-defined Security Policies as Applied to Multi-tier Web Applications
Researcher, Microsoft Research, Redmond, since Fall 2008
Nick Petroni** Property-based Integrity Monitoring of Operating System Kernels
Research scientist, IDA/CCS 2008-2015. Now at a startup.
Matthew Hammer (postdoc) Assistant Professor, University of Colorado, Boulder, since August 2015
Nataliya Guts (postdoc)
Stephen Magill (postdoc) Research scientist, Galois, since 2014 (at IDA/CCS, 2012-2014)
Manuel Oriol (postdoc) Principal Scientist at ABB Switzerland Ltd. since Fall 2011

Senior Lecturer, University of York (UK), since Fall 2008
Ted Smith (undergrad)* A grad student at UMass Amherst in the PLASMA group since August 2013

* co-advised with Jeff Foster ** co-advised with Bill Arbaugh *** co-advised with Luís Veiga

I have also worked with Avik Chaudhuri, Mike Furr, David An, and Elnatan Reisner (advised by Jeff Foster), Adam Bender (advised by Bobby Bhattacharjee), Jaime Spacco (advised by Bill Pugh), and Suriya Subramanian (advised by Kathryn McKinley at UT Austin). I have previously advised Jonathan Turpie (now at Amazon), Brian Corcoran (now at Palantir), Eric Hardisty, and James Rose (now at Google). I've also worked with post-grad Patrick Jenkins, undergrad Jeff Meister, and high school students, Ted Smith (from Walt Whitman High), and Matt McCutchen and Cody Burton (both from Montgomery Blair). Both Ted and Matt later became undergraduate students in our Department; all three are now in graduate school (at UMass, MIT CSAIL, and MIT Physics, respectively).


Professional Activities

I am the current Chair of ACM SIGPLAN (since July 2015); I am an Associate Editor for TOPLAS (since Feb 2012); and I have served (or am serving) on the program committees for

2016 PLDI, CSF (PC co-chair), USENIX ASE, SecDev (PC chair)
2015 IEEE S&P, CSF (PC co-chair), SNAPL
2012 POPL (program chair), HotSWUp
2011 TLDI, HotSWUp (co-organizer), OOPSLA
2010 ESOP, PLDI (ERC and tutorials chair), ICFP (PC and local arrangements), PASTE
2007 PLAS (general and program chair), OOPSLA, COORDINATION, PLDI
2006 FTfJP, PLAS, SPACE, OOPS (part of SAC 2006)
2003 IWAN, USE
2002 IWAN, USE
2001 IWAN