Mike Hicks

I am the Cecilia Fitler Moore Professor in the Computer and Information Science Department and the Director of the Schlein Center for Cybersecurity at the University of Pennsylvania, and I am an Amazon Scholar and an ACM Fellow.
From 2022-2025 I was a Senior Principal Scientist at Amazon Web Services. I am also a Professor Emeritus (active 2002-2022) of the Computer Science Department and UMIACS at the University of Maryland, College Park.
Research
My research focuses on improving software availability, reliability, and security through programming languages and software engineering techniques. Recent work includes
- Cedar, a domain-specific language for writing authorization policies. I co-led (with Emina Torlak) its development while at AWS. It is the core of Amazon Verified Permissions and is now in use by big tech companies like MongoDB and Cloudflare, and small ones like StrongDM. You can read more about Cedar in its scientific paper, and check out the code on GitHub.
- Verification-guided development, an approach to developing secure, high-assurance software, combining formal proof and property-based testing. I speak about it as part of this talk at the DARPA Resilience meeting.
In the recent past, I have worked on:
- Secure programming: Developing Checked C, a memory-safe extension to C for legacy code migration; conducting Build it, Break it, Fix it contests to evaluate secure development practices; and working with safe languages like Rust
- Fuzz testing: Developing methodologies for evaluating fuzz testers and combining coverage-guided fuzzing with property-based testing
- Quantum computation: Creating verified compiler stacks for quantum programs, including VOQC, and developing robust quantum programs for near-term devices
Other projects include dynamic software updating (Kitsune, Rubah), information flow control (LWeb, Prob), languages for expressing secure multiparty computations (Wysteria, Symphony) as well as authenticated data structures and compiler-optimized oblivious RAM (Lobliv), incremental computation (Adapton), type systems for Ruby (Diamondback Ruby), symbolic execution (Otter), data race detection (LockSmith), and the memory-safe C dialect Cyclone.
Here is my current vita. My research page lists publications, my resource group, and activities.
Teaching
- Current: Empirical Security & Privacy, for Humans (UPenn CIS 7000, Fall 2025)
- Recent (UMD): Organization of Programming Languages (CMSC 330, multiple semesters); Program Analysis and Understanding (CMSC 631, multiple semesters); Software Security MOOC (now free, originally on Coursera)
- Past (UMD): Build it, Break it, Fix it contest (CMSC 388N); Mechanized Proof and Verified Software (CMSC 838G); Cybersecurity Lab (CMSC 498L); Operating Systems (CMSC 412)
Service, professional activities
- Editor in Chief: Proceedings of the ACM on Programming Languages (PACMPL) (2023-2028); Associate Editor for TOPLAS (2012-2016)
- ACM SIGPLAN: Chair (2015-2018), Past Chair (2018-2021); POPL Steering Committee Chair (2018-2021); Founder and Editor of PL Perspectives blog (2019-2021)
- Recent program committees: CSF, OOPSLA, S&P, POPL, PLDI (Area Chair), CCS (Area Chair), ASPLOS, SecDev, and many others
- Past roles: Co-PC Chair for CSF 2015-2016, SecDev 2016; inaugural Director of Maryland Cybersecurity Center (2011-2013); CTO of startup Correct Computation, Inc (2018-2021); founder and director of PLUM, the lab for Programming Languages research at the University of Maryland.
Professor. Director. Scholar.
Address:
University of Pennsylvania
Dept. of Computer & Information Science
3330 Walnut Street
Philadelphia, PA 19104
Office: 321 Amy Guttman Hall (3317 Chestnut St)
CV: Curriculum Vitae