About

Andrew Myers is the Class of 1912 Professor of Engineering in the Department of Computer Science at Cornell University, where he also serves as the Director of Graduate Studies in the Field of Computer Science. His research addresses the challenge of building trustworthy software systems by developing simple, high-level abstractions that provide programmers with strong guarantees about critical cross-cutting concerns such as security, distribution, extensibility, and persistence. He leads several active projects including Viaduct, which automatically compiles high-level code to secure cryptographic protocols, and SCIF, a language designed for building secure smart contracts. His work also includes the development of hardware description languages like S(p)ecVerilog and PDL for processors that control timing channels, as well as Fabric, a language and system for secure, distributed computation, sharing, and storage built on Jif, an extended version of Java that enforces security and privacy through information flow control. Other notable projects include SHErrLoc, a static holistic error locator, and Constrain, a JavaScript constraint-based system for drawing animated figures.

Research topics

• Computer Security
• Computer Science
• Computer network
• Programming language
• Embedded system
• Distributed computing
• Operating system
• Real-time computing
• World Wide Web

Selected publications

• Towards differentiable beam dynamics modeling in BLAST/ImpactX

  Desy publication database (The Deutsches Elektronen-Synchrotron) · 2026-01-29

  articleOpen access

  Differentiable simulations are in demand in accelerator physics, demonstrating order-of-magnitude improvements for complex tasks such as many-parameter optimization for accelerator working points and reconstruction of hard-to-measure quantities. At its core, a differentiable simulation does not only solve a forward problem, but additionally provides gradients of output parameters (e.g. beam parameters) with respect to input parameters (e.g. beamline or source parameters). How to effectively program large dynamic simulations differentiably is still an open question, but there is general consensus that a “single-source” approach aided by automatic differentiation (AD) is desirable. Addressing this, there are a) emerging domain-specific languages in machine learning that are intrinsically differentiable, and b) highly-performing & scalable, general-purpose languages like ISO C++ of existing codes. The challenge of approach a) is syntax specialization, which can limit ease of implementation & performance for physics algorithms, while b) requires additional work for AD. Performance is important for modeling high-order beam dynamics and collective effects in accelerators. We compare the fast, modern codes ImpactX (C++/Python) and Cheetah (PyTorch) using traditional, gradient-free modeling. We then show progress in introducing single-source differentiability in ImpactX using modern compiler techniques, producing performant executables for gradient-based and gradient-free modeling.

  PublisherDOI

• An Algebraic Approach to Asymmetric Delegation and Polymorphic Label Inference (Technical Report)

  ArXiv.org · 2025-04-29

  preprintOpen accessSenior author

  Language-based information flow control (IFC) enables reasoning about and enforcing security policies in decentralized applications. While information flow properties are relatively extensional and compositional, designing expressive systems that enforce such properties remains challenging. In particular, it can be difficult to use IFC labels to model certain security assumptions, such as semi-honest agents. Motivated by these modeling limitations, we study the algebraic semantics of lattice-based IFC label models, and propose a semantic framework that allows formalizing asymmetric delegation, which is partial delegation of confidentiality or integrity. Our framework supports downgrading of information and ensures their safety through nonmalleable information flow (NMIF). To demonstrate the practicality of our framework, we design and implement a novel algorithm that statically checks NMIF and a label inference procedure that efficiently supports bounded label polymorphism, allowing users to write code generic with respect to labels.

  PublisherOA PDFDOI

• An Algebraic Approach to Asymmetric Delegation and Polymorphic Label Inference

  Lecture notes in computer science · 2025-10-11

  book-chapterSenior author
  PublisherDOI

• Sequential Specifications for Precise Hardware Exceptions

  2025-12-11

  articleOpen access

  Modern processors are difficult to implement because pipelining makes them inherently parallel. A promising new approach, demonstrated in the PDL hardware description language, is to compile a high-level sequential specification into an efficient pipelined implementation. This high-level approach makes design-space exploration and reasoning easier. However, previous work on this approach does not support features needed for operating systems: hardware exceptions like traps and interrupts. The inherently non-sequential nature of these features makes it challenging to give them a sequential specification. They often require flushing the pipeline, writing to control state registers (CSRs), or resetting pipeline state. In this work, we develop XPDL, which extends PDL to support hardware exceptions. With this extension, logic for precise exceptions can be synthesized from a high-level specification, while maintaining the appealing properties of PDL. Using RISC-V processor designs, we demonstrate that XPDL flexibly supports exceptions with no impact on CPI (Cycles per Instructions), and minor overhead over frequency and area, and argue that the implementation preserves the one-instruction-at-a-time semantics of PDL.

  PublisherOA PDFDOI

• Secure Synthesis of Distributed Cryptographic Applications

  2024-07-08 · 3 citations

  articleSenior author

  Developing secure distributed systems is difficult, and even harder when advanced cryptography must be used to achieve security goals. Following prior work, we advocate using secure program partitioning to synthesize cryptographic applications: instead of implementing a system of communicating processes, the programmer implements a centralized, sequential program, which is automatically compiled into a secure distributed version that uses cryptography. While this approach is promising, formal results for the security of such compilers are limited in scope. In particular, no security proof yet simultaneously addresses subtleties essential for robust, efficient applications: multiple cryptographic mechanisms, malicious corruption, and asynchronous communication. In this work, we develop a compiler security proof that handles these subtleties. Our proof relies on a novel unification of simulation-based security, information-flow control, choreographic programming, and sequentialization techniques for concurrent programs. While our proof targets hybrid protocols, which abstract cryptographic mechanisms as idealized functionalities, our approach offers a clear path toward leveraging Universal Composability to obtain end-to-end, modular security results with fully instantiated cryptographic mechanisms. Finally, following prior observations about simulation-based security, we prove that our result guarantees robust hyperproperty preservation, an important criterion for compiler correctness that preserves all source-level security properties in target programs.

  PublisherDOI

• An Array Intermediate Language for Mixed Cryptography

  arXiv (Cornell University) · 2024-09-03

  preprintOpen accessSenior author

  We introduce AIRduct, a new array-based intermediate representation designed to support generating efficient code for interactive programs employing multiple cryptographic mechanisms. AIRduct is intended as an IR for the Viaduct compiler, which can synthesize secure, distributed programs with an extensible suite of cryptography. Therefore, AIRduct supports an extensible variety of cryptographic mechanisms, including MPC and ZKP.

  PublisherOA PDFDOI

• A Language for Smart Contracts with Secure Control Flow (Technical Report)

  arXiv (Cornell University) · 2024-07-01

  preprintOpen access

  Smart contracts are frequently vulnerable to control-flow attacks based on confused deputies, reentrancy, and incorrect error handling. These attacks exploit the complexity of interactions among multiple possibly unknown contracts. Existing best practices to prevent vulnerabilities rely on code patterns and heuristics that produce both false positives and false negatives. Even with extensive audits and heuristic tools, new vulnerabilities continue to arise, routinely costing tens of millions of dollars. We introduce SCIF, a language for secure smart contracts, that addresses these classes of control-flow attacks. By extending secure information flow mechanisms in a principled way, SCIF enforces both classic end-to-end information flow security and new security restrictions on control flow, even when SCIF contracts interact with malicious non-SCIF code. SCIF is implemented as a compiler to Solidity. We show how SCIF can secure contracts with minimal overhead through case studies of applications with intricate security reasoning and a large corpus of insecure code.

  PublisherOA PDFDOI

• Secure Synthesis of Distributed Cryptographic Applications (Technical Report)

  arXiv (Cornell University) · 2024-01-06 · 1 citations

  preprintOpen accessSenior author

  Developing secure distributed systems is difficult, and even harder when advanced cryptography must be used to achieve security goals. Following prior work, we advocate using secure program partitioning to synthesize cryptographic applications: instead of implementing a system of communicating processes, the programmer implements a centralized, sequential program, which is automatically compiled into a secure distributed version that uses cryptography. While this approach is promising, formal results for the security of such compilers are limited in scope. In particular, no security proof yet simultaneously addresses subtleties essential for robust, efficient applications: multiple cryptographic mechanisms, malicious corruption, and asynchronous communication. In this work, we develop a compiler security proof that handles these subtleties. Our proof relies on a novel unification of simulation-based security, information-flow control, choreographic programming, and sequentialization techniques for concurrent programs. While our proof targets hybrid protocols, which abstract cryptographic mechanisms as idealized functionalities, our approach offers a clear path toward leveraging Universal Composability to obtain end-to-end, modular security results with fully instantiated cryptographic mechanisms. Finally, following prior observations about simulation-based security, we prove that our result guarantees robust hyperproperty preservation, an important criterion for compiler correctness that preserves all source-level security properties in target programs.

  PublisherOA PDFDOI

• Charlotte: Reformulating Blockchains into a Web of Composable Attested Data Structures for Cross-Domain Applications

  ACM Transactions on Computer Systems · 2023 · 3 citations

  Senior authorCorresponding
  • Computer Science
  • Computer Science
  • Computer Security

  Cross-domain applications are rapidly adopting blockchain techniques for immutability, availability, integrity, and interoperability. However, for most applications, global consensus is unnecessary and may not even provide sufficient guarantees. We propose a new distributed data structure: Attested Data Structures (ADS), which generalize not only blockchains but also many other structures used by distributed applications. As in blockchains, data in ADSs is immutable and self-authenticating. ADSs go further by supporting application-defined proofs ( attestations ). Attestations enable applications to plug in their own mechanisms to ensure availability and integrity. We present Charlotte , a framework for composable ADSs. Charlotte deconstructs conventional blockchains into more primitive mechanisms. Charlotte can be used to construct blockchains but does not impose the usual global-ordering overhead. Charlotte offers a flexible foundation for interacting applications that define their own policies for availability and integrity. Unlike traditional distributed systems, Charlotte supports heterogeneous trust: different observers have their own beliefs about who might fail, and how. Nevertheless, each observer has a consistent, available view of data. Charlotte’s data structures are interoperable and composable : applications and data structures can operate fully independently or can share data when desired. Charlotte defines a language-independent format for data blocks and a network API for servers. To demonstrate Charlotte’s flexibility, we implement several integrity mechanisms, including consensus and proof of work. We explore the power of disentangling availability and integrity mechanisms in prototype applications. The results suggest that Charlotte can be used to build flexible, fast, composable applications with strong guarantees.

  PublisherDOI

• Analgesic onset and efficacy of a fast-acting formulation of acetaminophen in a postoperative dental impaction pain model

  Figshare · 2023-12-21

  datasetOpen access1st authorCorresponding

  Speed of onset can be critical to an analgesic’s efficacy treating acute pain. To enhance onset, a new oral acetaminophen formulation intended to be fast acting was developed. Two studies evaluated analgesic onset, efficacy, and safety of this fast-acting acetaminophen (FA-acetaminophen) tablet relative to commercial acetaminophen caplets (ES-acetaminophen) and commercial ibuprofen liquid-filled gelatin capsules (LG-ibuprofen). Two single-center, single-dose, inpatient, randomized, double-blind, triple-dummy, placebo-controlled, parallel group design clinical trials were conducted using the postoperative dental impaction pain model. Subjects were healthy men and women aged 17 to 50 years experiencing moderate-to-severe pain after surgical extraction of at least 3 impacted third molars. In both studies, 4 treatment groups were evaluated: 1000 mg acetaminophen as two 500 mg FA-acetaminophen tablets, 1000 mg as two 500 mg ES-acetaminophen caplets, 400 mg ibuprofen as two 200 mg LG-ibuprofen capsules, and placebo. To maintain blinding, each subject received 6 units of study medication. Times to confirmed perceptible pain relief (TCPR) and meaningful pain relief (TMPR) were obtained using the double-stopwatch method. Pain intensity and relief were measured over 6 hours following drug administration using a 0-10 numerical rating scale. Time to use of rescue medication (naproxen sodium) and subject global evaluations of study medications at 6 hours were collected. Pharmacokinetic blood sampling and safety assessments were performed. Studies 1 and 2 enrolled 240 and 420 subjects, respectively. No clinically important differences among treatment groups were observed for any demographic or baseline characteristics. Efficacy results showed all active treatments statistically superior to placebo. In Study 1, TCPR was statistically significantly shorter for FA-acetaminophen compared to ES-acetaminophen and LG-ibuprofen. In Study 2, no statistically significant differences in TCPR were noted across the active treatment groups. In Study 1, FA-acetaminophen 1000 mg provided significantly shorter TMPR compared with LG-ibuprofen but not compared with ES-acetaminophen. In Study 2, no significant differences in TMPR were noted across the active treatment groups. In both Study 1 and 2 at 15 min after administration of study drug, PID and PAR scores were greater for FA-acetaminophen than LG-ibuprofen. Both studies suggested FA-acetaminophen had faster onset of action compared to ES-acetaminophen and LG-Ibuprofen. In light of the difference in TCPR and TMPR results between Study 1 and 2, an additional study is needed to further investigate time to analgesic onset of FA-acetaminophen compared with ES-acetaminophen and LG-Ibuprofen. Study 1: NCT02735122; Study 2: NCT03224403

  PublisherDOI

Recent grants

• CT-ISG: Diaspora: A Secure, Reliable Federated Execution Platform and Object Store

  NSF · $357k · 2006–2009

• Integrating Security and Fault Tolerance in Distributed Systems

  NSF · $1.6M · 2004–2009

• TC: Medium: Higher-Level Abstractions for Trustworthy Federated Systems

  NSF · $1.1M · 2010–2015

• SaTC: CORE: Large: Viaduct: A Framework for Automatically Synthesizing Cryptographic Protocols

  NSF · $2.5M · 2017–2023

• CSR: Small: Protocols and Languages for Low-Coordination Consistent Geodistributed Transactions

  NSF · $487k · 2017–2022

Frequent coauthors

• Jed Liu

  27 shared

• Barbara Liskov

  IIT@MIT

  24 shared

• Danfeng Zhang

  22 shared

• G. Edward Suh

  22 shared

• Stephen Chong

  21 shared

• Owen Arden

  20 shared

• Lantian Zheng

  Google (United States)

  18 shared

• Steve Zdancewic

  University of Pennsylvania

  15 shared

Labs

• Fabric ProjectPI

  High-level programming language for building open distributed applications with strong security.

Education

• Ph.D., electrical engineering and computer science

  MIT

  1999

Awards & honors

• Sloan Research Fellowship (2002)
• ACM Fellow (2013)