
Stephen McCamant
University of Minnesota · Computer Science and Engineering
Active 2002–2026
About
Stephen McCamant is an associate professor in the Department of Computer Science & Engineering at the University of Minnesota Twin Cities. His research focuses on applications of program analysis for software security and correctness, with particular emphasis on analyzing software at the binary (executable) level. His work utilizes decision procedures and symbolic execution to address issues such as binary transformation, instruction-level hardening and isolation, dynamic binary translation, information flow, and taint analysis. McCamant joined the department in 2012, having previously served as a postdoctoral scholar and research scientist at the University of California, Berkeley, and as a senior scientist at GammaTech, Inc. He earned his M.S. and Ph.D. in computer science from MIT and his B.A. from the University of California, Berkeley.
Research topics
- Computer Science
- Parallel computing
- Programming language
- Theoretical computer science
- Embedded system
- Operating system
- Mathematics
- Archaeology
- Geography
- Software engineering
- Computer network
- Computer architecture
Selected publications
Supporting Secured Integration of Microarchitectural Defenses
ArXiv.org · 2026-01-08
article · Open access. There has been a plethora of microarchitectural-level attacks leading to many proposed countermeasures. This has created an unexpected and unaddressed security issue where naive integration of those defenses can potentially lead to security vulnerabilities. This occurs when one defense changes an aspect of a microarchitecture that is crucial for the security of another defense. We refer to this problem as a microarchitectural defense assumption violation (MDAV). We propose a two-step methodology to screen for potential MDAVs in the early stage of integration. The first step is to design and integrate a composed model, guided by bounded model checking of security properties. The second step is to implement the model concretely on a simulator and to evaluate with simulated attacks. As a contribution supporting the first step, we propose an event-based modeling framework, called Maestro, for testing and evaluating microarchitectural models with integrated defenses. In our evaluation, Maestro reveals MDAVs (8), supports compact expression (~15x Alloy LoC ratio), enables semantic composability and eliminates performance degradations (>100x). As a contribution supporting the second step, we use an event-based simulator (GEM5) for investigating integrated microarchitectural defenses. We show that a covert channel attack is possible on a naively integrated implementation of some state-of-the-art defenses, and a repaired implementation using our integration methodology is resilient to the attack.
DeCOS: Data-Efficient Reinforcement Learning for Compiler Optimization Selection Ignited by LLM
2025-06-08
article
Shield Bash: Abusing Defensive Coherence State Retrieval to Break Timing Obfuscation
ArXiv.org · 2025-04-14
preprint · Open access. Microarchitectural attacks are a significant concern, leading to many hardware-based defense proposals. However, different defenses target different classes of attacks, and their impact on each other has not been fully considered. To raise awareness of this problem, we study an interaction between two state-of-the-art defenses in this paper, timing obfuscations of remote cache lines (TORC) and delaying speculative changes to remote cache lines (DSRC). TORC mitigates cache-hit based attacks and DSRC mitigates speculative coherence state change attacks. We observe that DSRC enables coherence information to be retrieved into the processor core, where it is out of the reach of timing obfuscations to protect. This creates an unforeseen consequence that redo operations can be triggered within the core to detect the presence or absence of remote cache lines, which constitutes a security vulnerability. We demonstrate that a new covert channel attack is possible using this vulnerability. We propose two ways to mitigate the attack, whose performance varies depending on an application's cache usage. One way is to never send remote exclusive coherence state (E) information to the core even if it is created. The other way is to never create a remote E state, which is responsible for triggering redos. We demonstrate the timing difference caused by this microarchitectural defense assumption violation using GEM5 simulations. Performance evaluation on SPECrate 2017 and PARSEC benchmarks of the two fixes shows less than 32% average overhead across both sets of benchmarks. The repair which prevented the creation of remote E state had less than 2.8% average overhead.
Improving Automated Program Verification for Java Programs with Fuzzing
2025-11-16
article · Senior author
Generator-Based Fuzzers with Type-Based Targeted Mutation
arXiv (Cornell University) · 2024-06-04
preprint · Open access. As with any fuzzer, directing Generator-Based Fuzzers (GBF) to reach particular code targets can increase the fuzzer's effectiveness. In previous work, coverage-guided fuzzers used a mix of static analysis, taint analysis, and constraint-solving approaches to address this problem. However, none of these techniques were particularly crafted for GBF where input generators are used to construct program inputs. The observation is that input generators carry information about the input structure that is naturally present through the typing composition of the program input. In this paper, we introduce a type-based mutation heuristic, along with constant string lookup, for Java GBF. Our key intuition is that if one can identify which sub-part (types) of the input will likely influence the branching decision, then focusing on mutating the choices of the generators constructing these types is likely to achieve the desired coverages. We used our technique to fuzz AWS Lambda applications. Results compared to a baseline GBF tool show an almost 20% average improvement in application coverage, and larger improvements when third-party code is included.
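The mechanism the abstract above describes, as an added example that is not the paper's tool or code: a generator records every choice it makes together with the choice's type, a targeted mutator rewrites only the choices of the type that decides the target branch and tries the program's harvested string constants in them, and a baseline mutator rewrites an arbitrary choice with a random value of its type. The program under test, its constant table and the decision that the string type is the one to focus on are all constructed for this example (the page does not give the paper's branch analysis, so the focus type is hard-coded).

```python
"""Generator-based fuzzing (GBF) with type-based targeted mutation and
constant-string lookup, run against a constructed program under test."""
import random
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple

Choice = Tuple[str, Any]   # (type of the generator choice, value chosen)

# Constructed program under test: the target branch is decided by the
# string-typed field `tag`, so string choices are the ones worth mutating.
PROGRAM_STRING_CONSTANTS = ["admin", "guest"]   # what constant-string lookup harvests


def program_under_test(rec: Dict[str, Any]) -> str:
    if rec["tag"] == "admin":          # target branch
        return "TARGET"
    return "ordinary"


class Generator:
    """Replays a recorded choice sequence where the requested types line up and
    draws fresh values otherwise; every choice is logged with its type."""

    def __init__(self, rng: random.Random, replay: Optional[List[Choice]] = None):
        self.rng = rng
        self.replay = list(replay or [])
        self.log: List[Choice] = []

    def choose(self, typ: str, fresh: Callable[[], Any]) -> Any:
        i = len(self.log)
        if i < len(self.replay) and self.replay[i][0] == typ:
            val = self.replay[i][1]
        else:
            val = fresh()
        self.log.append((typ, val))
        return val


def rand_str(rng: random.Random) -> str:
    return "".join(rng.choice("abc") for _ in range(3))   # can never spell "admin"


def gen_record(g: Generator) -> Dict[str, Any]:
    """Input generator: composes the record from typed sub-generators."""
    return {
        "name": g.choose("str", lambda: rand_str(g.rng)),
        "age": g.choose("int", lambda: g.rng.randint(0, 100)),
        "tag": g.choose("str", lambda: rand_str(g.rng)),
    }


def targeted_mutants(log: List[Choice], focus: str, constants: List[str]) -> Iterator[List[Choice]]:
    """Type-based targeted mutation: only choices of type `focus` are rewritten,
    and each one is tried with every harvested constant."""
    for i, (typ, _) in enumerate(log):
        if typ != focus:
            continue
        for const in constants:
            mutant = list(log)
            mutant[i] = (typ, const)
            yield mutant


def random_mutant(log: List[Choice], rng: random.Random) -> List[Choice]:
    """Baseline mutation: rewrite one arbitrary choice with a random value of its type."""
    i = rng.randrange(len(log))
    typ, _ = log[i]
    mutant = list(log)
    mutant[i] = (typ, rand_str(rng) if typ == "str" else rng.randint(0, 100))
    return mutant


def campaign(seed: int, targeted: bool, budget: int = 200) -> Optional[int]:
    """Return the iteration at which the target branch is first reached, else None.
    The focus type "str" is assumed to come from the fuzzer's branch analysis,
    which this example hard-codes."""
    rng = random.Random(seed)
    g = Generator(rng)
    if program_under_test(gen_record(g)) == "TARGET":
        return 0
    seed_log = g.log
    if targeted:
        mutants = targeted_mutants(seed_log, "str", PROGRAM_STRING_CONSTANTS)
    else:
        mutants = (random_mutant(seed_log, rng) for _ in range(budget))
    for it, mutant in enumerate(mutants, start=1):
        if it > budget:
            break
        rec = gen_record(Generator(rng, mutant))   # replay the mutated choices
        if program_under_test(rec) == "TARGET":
            return it
    return None


if __name__ == "__main__":
    print("targeted reached TARGET at iteration", campaign(seed=7, targeted=True))
    print("random-only reached TARGET at iteration", campaign(seed=7, targeted=False))
```

The targeted run reaches the branch on its third mutant (the two string choices, `name` and `tag`, are each tried with `admin` and `guest` in order), whereas the baseline can spend its whole budget rewriting the integer `age` or producing three-letter strings that never compare equal to the constant the branch checks.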
Non-Fusion Based Coherent Cache Randomization Using Cross-Domain Accesses
2024-06-28
article. Randomization has proven to be an effective defense against conflict-based side-channel attacks in a shared cache. It improves security by assigning a unique randomization scheme to each security domain, e.g., through a different hashing function. However, if two domains have shared data, the domains must be fused in order to guarantee correctness (i.e., data coherence). Such domain fusion significantly reduces the effectiveness of randomization and weakens its security protection.
Structural Test Input Generation for 3-Address Code Coverage Using Path-Merged Symbolic Execution
2023-05-01 · 2 citations
article. Test input generation is one of the key applications of symbolic execution (SE). However, being a path-sensitive technique, SE often faces path explosion even when creating a branch-adequate test suite. Path-merging symbolic execution (PM-SE) alleviates the path explosion problem by summarizing regions of code into disjunctive constraints, thus traversing at once a set of paths with the same prefixes. Previous work has shown that PM-SE can reduce run-time up to 38%, though these improvements can be impaired if the summarized code results in complex constraints or introduces additional symbols that increase the number of branching points in the later execution. Considering these trade-offs, examining the ability of PM-SE to generate branch-adequate test inputs is an open research problem. This paper investigates it by developing a technique that extracts structural coverage-related queries from disjoint constraints. Using this approach, we extend PM-SE to generate branch-adequate test inputs. Experiments compare the effectiveness and efficiency of test input generation by SE and PM-SE techniques. Results show that those techniques are complementary. For some programs, PM-SE yields faster coverage, with fewer generated tests, while for others, SE performs better. In addition, each technique covers branches that the other fails to discover.
Java Ranger: Supporting String and Array Operations in Java Ranger (Competition Contribution)
Lecture notes in computer science · 2023-01-01 · 6 citations
book-chapter · Open access. Java Ranger is a path-merging tool for Java programs. It identifies branching regions of code and summarizes them by generating a disjunctive logical constraint that describes the behavior of the code region. Previously, Java Ranger showed that a reduction of 70% of execution paths is possible when used to merge branching regions of code that support numeric constraints. In this paper, we describe the support of two additional features since participation in SV-COMP 2020: symbolic array and symbolic string operations. Finally, we present a preliminary evaluation of the effect of the structure of the disjunctive constraint on the solver's performance. Results suggest that certain constraint structures can speed up the performance of Java Ranger.
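Path merging as described in the two entries above (PM-SE test generation and Java Ranger), as an added toy example that is not the code of either tool: plain SE forks at every branch of a two-region program and produces one test per feasible path, while the merged variant summarizes each region into an if-then-else value (the disjunction "(c and v = a) or (not c and v = b)"), keeps a single path, and recovers branch-adequate tests by issuing one query per branch of each summary. Symbolic values are closures over the concrete input, the two-region program is constructed for the example, and a brute-force search over a small assumed input domain stands in for the SMT solver.

```python
"""Toy path-merged symbolic execution (PM-SE) next to plain SE on one integer
input x, with branch-coverage queries extracted from the merged summaries."""
from typing import Callable, Dict, List, Optional, Tuple

Expr = Callable[[int], int]    # symbolic value as a function of the input x
Cond = Callable[[int], bool]   # one path-condition conjunct
Env = Dict[str, Expr]
# A branching region `var = then(env) if cond(env) else else_(env)`.
Region = Tuple[str, Callable[[Env], Cond], Callable[[Env], Expr], Callable[[Env], Expr]]

DOMAIN = range(-64, 65)        # assumed input domain searched by the toy solver


def solve(conds: List[Cond]) -> Optional[int]:
    """Brute-force stand-in for an SMT solver: first model of the conjunction."""
    for x in DOMAIN:
        if all(c(x) for c in conds):
            return x
    return None


def neg(c: Cond) -> Cond:
    return lambda x: not c(x)


def ite(c: Cond, a: Expr, b: Expr) -> Expr:
    """Region summary: value a when c holds, b otherwise, i.e. (c ∧ v=a) ∨ (¬c ∧ v=b)."""
    return lambda x: a(x) if c(x) else b(x)


def plain_se(regions: List[Region]) -> List[Tuple[List[Cond], Optional[int]]]:
    """Fork at every branch, keep only feasible paths, derive one test per path."""
    states: List[Tuple[List[Cond], Env]] = [([], {"x": lambda x: x})]
    for var, cond_of, then_of, else_of in regions:
        forked = []
        for pc, env in states:
            c = cond_of(env)
            for branch, upd in ((c, then_of), (neg(c), else_of)):
                pc2 = pc + [branch]
                if solve(pc2) is not None:       # prune the infeasible fork
                    forked.append((pc2, {**env, var: upd(env)}))
        states = forked
    return [(pc, solve(pc)) for pc, _ in states]


def merged_se(regions: List[Region]) -> Tuple[Env, List[Tuple[str, Optional[int]]]]:
    """PM-SE: summarise each region into an ite instead of forking, so the path
    count stays at one. Branch-adequate tests come from per-branch queries
    (path prefix ∧ branch condition) extracted from each summary."""
    env: Env = {"x": lambda x: x}
    prefix: List[Cond] = []
    queries: List[Tuple[str, List[Cond]]] = []
    for var, cond_of, then_of, else_of in regions:
        c = cond_of(env)
        queries.append((f"{var}:then", prefix + [c]))
        queries.append((f"{var}:else", prefix + [neg(c)]))
        env = {**env, var: ite(c, then_of(env), else_of(env))}
    return env, [(name, solve(q)) for name, q in queries]


# Constructed program:   y = x - 10 if x > 10 else x + 1
#                        z = 1 if y % 2 == 0 else 0
REGIONS: List[Region] = [
    ("y",
     lambda e: (lambda x: e["x"](x) > 10),
     lambda e: (lambda x: e["x"](x) - 10),
     lambda e: (lambda x: e["x"](x) + 1)),
    ("z",
     lambda e: (lambda x: e["y"](x) % 2 == 0),
     lambda e: (lambda x: 1),
     lambda e: (lambda x: 0)),
]

if __name__ == "__main__":
    paths = plain_se(REGIONS)
    print("plain SE paths:", len(paths), "tests:", [t for _, t in paths])
    env, tests = merged_se(REGIONS)
    print("PM-SE paths: 1, branch queries:", tests)
```

With two sequential regions plain SE already explores four paths; a third region would double that, while the merged run stays at one path and four (then six) branch queries. The trade-off the abstract mentions is visible too: the `z` queries range over the `ite` for `y`, so each query carries the disjunction of the earlier region inside it.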
PREDATOR: A Cache Side-Channel Attack Detector Based on Precise Event Monitoring
2022-09-01 · 5 citations
article. Recent work has demonstrated the security risk associated with micro-architecture side-channels. The cache timing side-channel is a particularly popular target due to its availability and high leakage bandwidth. Existing proposals for defending cache side-channel attacks either degrade cache performance and/or limit cache sharing, hence, should only be invoked when the system is under attack. A lightweight monitoring mechanism that detects malicious micro-architecture manipulation in realistic environments is essential for the judicious deployment of these defense mechanisms. In this paper, we propose PREDATOR, a cache side-channel attack detector that identifies cache events caused by an attacker. To detect side-channel attacks in noisy environments, we take advantage of the observation that, unlike non-specific noises, an active attacker alters the victim's micro-architectural states on security critical accesses and thus causes the victim extra cache events on those accesses. PREDATOR uses precise performance counters to collect the victim's detailed access information and analyzes location-based deviations. PREDATOR is capable of detecting five different attacks with high accuracy and limited performance overhead in complex noisy execution environments. PREDATOR remains effective even when the attacker slows the attack rate by 256 times. Furthermore, PREDATOR is able to accurately report details about the attack such as the instruction that accesses the attacked data. In the case of GnuPG RSA [20], PREDATOR can pinpoint the square/multiply operations in the Modulo-Reduce algorithm; and in the case of OpenSSL AES [45], it can identify the accesses to the T_e-Table.
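The location-based idea in the abstract above, as an added illustration that is not PREDATOR's code or its actual statistics: per-instruction cache-miss counts are collected over a few baseline runs, and a site is flagged only when its count in a suspect run moves well outside that site's own history. Keying on the access site is what separates an attacker who evicts the victim's line at a security-critical load from background noise, which raises counts everywhere and is already reflected in each site's baseline spread. The addresses, counts and the mean-plus-k-sigma rule are constructed for the example.

```python
"""Location-based deviation detection for cache side-channel activity: per-site
miss counts from a noisy baseline versus a suspect run. Simplified illustration,
not the paper's detector."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

SiteCounts = Dict[str, int]   # instruction address -> cache misses observed at that site


def detect(baseline_runs: List[SiteCounts], observed: SiteCounts,
           k: float = 4.0, min_sigma: float = 1.0) -> List[Tuple[str, int, float, float]]:
    """Flag sites whose miss count in `observed` exceeds that site's baseline mean
    by more than k sigma. The sigma floor stops a site that was dead quiet in the
    baseline from being flagged by a single stray miss; a site's own spread
    absorbs non-specific noise such as a neighbouring process thrashing the cache."""
    flagged = []
    for site, misses in observed.items():
        history = [run.get(site, 0) for run in baseline_runs]
        mu, sigma = mean(history), max(pstdev(history), min_sigma)
        if misses > mu + k * sigma:
            flagged.append((site, misses, mu, sigma))
    return flagged


# Constructed samples. Sites are hypothetical addresses in a victim binary:
#   0x401a2c: load inside a key-dependent square/multiply loop (the attacked access)
#   0x4020f0: bulk copy that is naturally noisy
#   0x401b10: loop bookkeeping that almost never misses
BASELINE = [
    {"0x401a2c": 1, "0x4020f0": 52, "0x401b10": 0},
    {"0x401a2c": 2, "0x4020f0": 61, "0x401b10": 0},
    {"0x401a2c": 3, "0x4020f0": 70, "0x401b10": 1},
    {"0x401a2c": 2, "0x4020f0": 58, "0x401b10": 0},
    {"0x401a2c": 2, "0x4020f0": 64, "0x401b10": 0},
]
# Attacker repeatedly evicts the victim's line: the security-critical access now
# misses on almost every iteration, while the noisy site stays within its range.
UNDER_ATTACK = {"0x401a2c": 40, "0x4020f0": 65, "0x401b10": 1}
QUIET = {"0x401a2c": 2, "0x4020f0": 66, "0x401b10": 1}

if __name__ == "__main__":
    for site, misses, mu, sigma in detect(BASELINE, UNDER_ATTACK):
        print(f"alert: {site} misses={misses} baseline={mu:.1f} sigma={sigma:.1f}")
    print("quiet run alerts:", detect(BASELINE, QUIET))
```

The noisy copy site varies between 52 and 70 misses across the baseline, so its sigma is large and 65 misses do not register; the attacked load had a sigma below the floor, so 40 misses against a mean of 2 is unmistakable, and the report names the instruction address, which is the kind of pinpointing the abstract describes.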
Recent grants
Frequent coauthors
- Antonia Zhai (University of Minnesota) · 30 shared
- Pen-Chung Yew · 22 shared
- Wenwen Wang · 17 shared
- Vaibhav Sharma (Graphic Era University) · 17 shared
- Dawn Song · 16 shared
- Michael D. Ernst (Seattle University) · 14 shared
- Pongsin Poosankam (University of California, Berkeley) · 11 shared
- Minjun Wu (Twin Cities Orthopedics) · 10 shared
Labs
Stephen McCamant (PI)
Awards & honors
- HeapBuster: Automatically Exploiting Heap Vulnerabilities
- SATC: CORE: Small: MOSE: Automated Detection of Module-Speci…