Mike Hicks

I am the Cecilia Fitler Moore Professor in the Computer and Information Science Department and the Director of the Schlein Center for Cybersecurity at the University of Pennsylvania, and I am an Amazon Scholar and an ACM Fellow.
From 2022 to 2025 I was a Senior Principal Scientist at Amazon Web Services. I am also a Professor Emeritus (active 2002-2022) of the Computer Science Department and UMIACS at the University of Maryland, College Park.
Research
I’m looking for new PhD students to join my lab in 2026!
My research focuses on improving software availability, reliability, and security through programming languages and software engineering techniques.
Ongoing projects
I am currently exploring two main directions. First, I am working on ways to efficiently build high-quality and secure software, with a particular focus on fuzz testing and property-based testing. These techniques are effective at spotting bugs and improving software quality, while also being usable and scalable. I am currently exploring how GenAI-driven coding can improve, and be improved by, these techniques. In my first couple of years at Amazon, I worked on property-based testing for the Cedar authorization language (more below), and when I was at UMD, I developed methodologies for evaluating fuzz testers, benchmarking them, and combining them with property-based testing.
The second broad area I am exploring is Cyber Public Health, which is an effort to take lessons from public health practices and institutions and apply them to improving the practice of cybersecurity. As we have been reading about in my class, it can be difficult to connect cybersecurity innovations to their impact because we lack good data about relevant outcomes. I am starting to talk with Penn colleagues in business, law, policy, and health about how we can change this state of affairs. A key concern in all this is the human user, so I am also engaging with experts in the Usable Security and Privacy community.
Other recent work
Here is an overview of other recent projects.
- Cedar is a domain-specific language for writing authorization policies. I co-led (with Emina Torlak) its development while at AWS. It is the core of Amazon Verified Permissions and is now in use by big tech companies like MongoDB and Cloudflare, and startups like StrongDM. You can read more about Cedar in its scientific paper, and check out the code on GitHub.
- Verification-guided development (VGD) is an approach to developing secure, high-assurance software, combining formal proof and property-based testing. We used this approach for Cedar, and all of our proofs and tests are open-source. I speak about VGD as part of this talk at the DARPA Resilience meeting.
- Secure programming: I helped develop Checked C, a memory-safe extension to C for legacy code migration; conceived and conducted Build it, Break it, Fix it contests to evaluate secure development practices; and am working with safe languages like Rust. (We might try to bring these back, with an eye toward AI-driven coding!)
- Quantum computation: I led efforts to create verified compiler stacks for quantum programs, including VOQC, and develop robust quantum programs for near-term devices.
Other projects include dynamic software updating (Kitsune, Rubah), information flow control (LWeb, Prob), languages for expressing secure multiparty computations (Wysteria, Symphony) as well as authenticated data structures and compiler-optimized oblivious RAM (Lobliv), incremental computation (Adapton), type systems for Ruby (Diamondback Ruby), symbolic execution (Otter), data race detection (LockSmith), and the memory-safe C dialect Cyclone.
Here is my current vita. My research page lists publications, my resource group, and activities.
Teaching
- Current: Empirical Security & Privacy, for Humans (UPenn CIS 7000-010, Fall 2025)
- Recent (UMD): Organization of Programming Languages (CMSC 330, multiple semesters); Program Analysis and Understanding (CMSC 631, multiple semesters); Software Security MOOC (now free, originally on Coursera)
- Past (UMD): Build it, Break it, Fix it contest (CMSC 388N); Mechanized Proof and Verified Software (CMSC 838G); Cybersecurity Lab (CMSC 498L); Operating Systems (CMSC 412)
Service, professional activities
- Editor in Chief: Proceedings of the ACM on Programming Languages (PACMPL) (2023-2028); Associate Editor for TOPLAS (2012-2016)
- ACM SIGPLAN: Chair (2015-2018), Past Chair (2018-2021); POPL Steering Committee Chair (2018-2021); Founder and Editor of PL Perspectives blog (2019-2021)
- Recent program committees: CSF, OOPSLA, S&P, POPL, PLDI (Area Chair), CCS (Area Chair), ASPLOS, SecDev, and many others
- Past roles: Co-PC Chair for CSF 2015-2016, SecDev 2016; inaugural Director of Maryland Cybersecurity Center (2011-2013); CTO of startup Correct Computation, Inc (2018-2021); founder and director of PLUM, the lab for Programming Languages research at the University of Maryland.
Mike Hicks
Professor. Director. Scholar.
Address:
University of Pennsylvania
Dept. of Computer & Information Science
3330 Walnut Street
Philadelphia, PA 19104
Office: 321 Amy Guttman Hall (3317 Chestnut St)