Stephen McCamant
Associate Professor
Department of Computer Science & Engineering
4-192 Keller Hall (mailing address) / 4-225E Keller Hall (office location)
200 Union St. SE.
University of Minnesota (Twin Cities)
Minneapolis, MN, 55455
This home page:
Office hours: Mondays 1-2pm, or by appointment (please email). Office hours are online via the Zoom room 841-859-7517


In the spring I'll be teaching a special-topics course about binary reverse engineering; this flyer has more details.

We've released an updated version of the Flowcheck tool, with better compatibility with modern Linux systems.

We've promulgated a technical report from my project with Qiuchen Yan on Conservative Signed/Unsigned Type Inference for Binaries using Minimum Cut.


Since the fall of 2012 I've been on the faculty here at the University of Minnesota. For the 2008-2012 academic years I was a postdoc and project scientist at the University of California, Berkeley.

I got my M.S. and Ph.D. at MIT, working with Michael Ernst (now at the University of Washington) and the Program Analysis Group. During this time I also spent the summer of 2005 at Microsoft Research in Redmond, working with Trishul Chilimbi on using dynamically-collected points-to sets to improve the efficiency of software model checking.

Prior to that I got my undergraduate B.A. in computer science at the University of California, Berkeley; while there, I worked with the Harmonia research group and helped out at the Open Computing Facility, among other things.

Though I've spent enough time in California and the East Coast to see some of their advantages as well, I am by birth a midwesterner: I was born and raised in Chicago and Evanston, Illinois. My mother's side of the family was from Minneapolis and I still have family here.


My primary research interest is applications of program analysis techniques for software security and correctness. This includes binary analysis and transformation, hybrids of dynamic and static analysis including symbolic execution, information flow and taint analysis, instruction-level hardening and isolation, and applications of decision procedures and proof-assistant tools.

FuzzBALL is a binary-level symbolic execution tool built on top of the BitBlaze platform. We've used it in several past projects and its source code is now available on GitHub.

Some of my previous projects have their own web sites:


Some recent publications:

“Bit-Vector Model Counting using Statistical Estimation.” Seonmo Kim and Stephen McCamant. In 24th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), April 2018. Available via SpringerLink open access.

“Finding Substitutable Binary Code for Reverse Engineering by Synthesizing Adapters.” Vaibhav Sharma, Kesha Hietala, and Stephen McCamant. In 11th IEEE Conference on Software Testing, Validation and Verification (ICST), April 2018. Available via IEEE Xplore.

“Fast DBT Using Intelligently Learned Rules.” Wenwen Wang, Stephen McCamant, Antonia Zhai, and Pen-Chung Yew. In 23rd ACM International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), March 2018. Available via ACM DL.

“Fast PokeEMU: Scaling Generated Instruction Tests Using Aggregation and State Feedback.” Qiuchen Yan and Stephen McCamant. In 14th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE), (co-located with ASPLOS), March 2018. Available via ACM DL.

“The Effect of Instruction Padding on SFI Overhead.” Navid Emamdoost and Stephen McCamant. In Workshop on Binary Analysis Research (BAR), co-located with NDSS, February 2018. Available via NDSS conference.

“Veritesting Challenges in Symbolic Execution of Java.” Vaibhav Sharma, Michael W. Whalen, Stephen McCamant, and Willem Visser. In Java Pathfinder Workshop, November 2017. Available via ACM DL.

See also DBLP, Google Scholar.

Most of my older papers from MIT (2002-2008) are available here on the PAG group's site, and my papers from my postdoc UC Berkeley (2008-2012) are available from the BitBlaze publications list.

Prospective Students

I'm looking forward to meeting and potentially working with current and prospective Minnesota students whose research interests overlap with mine, including software security, binary analysis, symbolic execution, and testing and correctness. If you're a current student, please stop by my office (or email for an appointment) and introduce yourself.

If you're a prospective graduate student with interests in these areas, I encourage you to apply to Minnesota. Information about the application process is available from the department. I'd also be interested in corresponding with prospective grad students by email to discuss your and my research interests; David Evans has some good advice on how to do this productively.


Spring 2020: CSci 2021, Machine Architecture and Organization

Spring 2020: CSci 5980/8980, Manual and Automated Binary Reverse Engineering

Fall 2019: CSci 5271, Introduction to Computer Security

Spring 2019: CSci 5271, Introduction to Computer Security

Fall 2018: CSci 2021, Machine Architecture and Organization

Spring 2018: CSci 8271, Security and Privacy in Computing

Fall 2017: CSci 5271, Introduction to Computer Security

Spring 2016: CSci 2021, Machine Architecture and Organization

Fall 2015: CSci 5271, Introduction to Computer Security

Spring 2015: CSci 2021, Machine Architecture and Organization (personal copy of old site)

Fall 2014: CSci 5271, Introduction to Computer Security (personal copy of old site)

Spring 2014: CSci 8271, Security and Privacy in Computing (personal copy of old site)

Fall 2013: CSci 5271, Introduction to Computer Security (personal copy of old site)

Spring 2013: CSci 8980-1, Program Analysis For Security (personal copy of old site)

Course materials available for reuse:


During the spring of 2007, I worked as a TA in 6.001. My tutorial notes from the semester are available.

If you're developing or testing tools that operate on C source code, you might want to reuse my single-file versions of open-source programs.

As an exercise while teaching myself the ACL2 system, I proved a personal favorite result from pure mathematics, Goodstein's theorem. Here's the (uncommented) proof script.

Last updated: September 28th, 2020