Chandler Camarena - Hardware Security Researcher

About

Formal methods meet
real hardware

// whoami

identity "Hardware Security Researcher"

institution "Eötvös Loránd University (ELTE)"

fellowship "Fulbright Scholar 2024–2025"

clearance "TS/SCI (lapsed · reinstatement eligible)"

available "Phoenix, AZ (Aug 2026) · open to relocation"

I work at the intersection of formal methods, compiler infrastructure, and microarchitectural security. My research asks one question from multiple angles: what does hardware expose to software that the abstraction layer promises will not be observable - and how do we formally characterize, verify, and close that gap?

My M.Sc. thesis formalized trust-boundary information leakage as a confidentiality invariant violation over compiler-visible ABI semantics - syntactically correct, UB-free programs that violate system-level security guarantees through object representation and padding behavior. The formal machinery maps directly to Caroline Trippel's hardware-software security contracts framework, just instantiated at the compiler layer rather than the hardware layer.

My current research, ISA-Silent Channels, extends this to the ISA boundary. The RISC-V formal specification defines what instructions do architecturally. It says nothing about what microarchitectural state - cache timing, branch predictor history, TLB effects - becomes observable as a side effect. I am formalizing that gap and demonstrating it with cache-timing tooling, targeting a HASP workshop paper.

Before research: six years as an Information Systems Security Officer in the Air National Guard (TS/SCI), including TEMPEST enforcement and COMSEC/KMI management. ASU Summa Cum Laude, GPA 3.81. CLS Russian. PhD applicant targeting 2027.

Location

Budapest, Hungary → Phoenix, AZ (Aug 2026)

linkedin.com/in/chandler-camarena

chandler@chandlercamarena.com

GitHub

github.com/ChandlerCamarena

Thesis Repository

clang-padding-leakage-checker

Research Focus

Hardware-software security contracts · Microarchitectural side channels · Formal methods · LLVM/Clang static analysis

Target Venues

HASP · ISCA · MICRO · ASPLOS

Research & Projects

What I'm building

ISA-Silent Channels Active - 2026

Independent Research · Target: HASP @ ISCA/MICRO

The RISC-V ISA formal specification defines what instructions do architecturally. It says nothing about what microarchitectural state becomes observable as a timing side effect. Two architecturally equivalent instruction sequences can be microarchitecturally distinguishable through cache timing - yet the ISA formal model has no predicate capturing this distinction. That gap is where every Spectre-class attack lives.

Formal half: characterizing at least three classes of ISA underspecification in the RISC-V Sail model, using notation consistent with Trippel's axiomatic hardware-software contracts framework
Attack tooling half: cache-timing tool demonstrating each formally identified class - formal model tells you where to look, working attack proves you were right
Extends the formal methodology from the M.Sc. thesis from the compiler-ABI layer to the ISA-microarchitecture boundary
Target output: HASP workshop paper (co-located with ISCA/MICRO 2027)

RISC-V Sail Formal Methods C Cache Timing Flush+Reload Microarchitecture

M.Sc. Thesis - Clang/LLVM Trust-Boundary Security Analysis Complete - 2026

ELTE Faculty of Informatics · Advisor: Prof. Zoltán Porkoláb · open source ↗

Formalized trust-boundary information leakage as a confidentiality invariant violation over compiler-visible ABI semantics. Programs can be syntactically correct, undefined-behavior free, and still violate system-level security invariants through object representation and padding behavior - a semantic class the type system cannot enforce.

Formal contribution: SemanticMisconfig(P) ⟺ WellFormed(P) ∧ ¬UB(P) ∧ ¬I(P) - the gap between language-level correctness and system-level confidentiality
Evidence lattice (E0–E3) with monotonicity properties for calibrated diagnostic confidence - identical formal structure to Trippel's CheckMate methodology
Clang-Tidy implementation using RecordLayout metadata, annotation-driven boundary modeling, and AST-level initialization heuristics
Evaluated on zlib, libuv, raylib, Chipmunk2D - validated true positives, correct suppressions, zero false positives on real-world findings

LLVM Clang clang-tidy CodeChecker C/C++ x86-64 SysV ABI Python

Linux Device-Tree Hardening Complete - 2024

ASU Capstone · Sponsor: General Dynamics Mission Systems

Bootloader-stage mechanism to selectively disable hardware devices in the Linux device tree on a secure mobile platform, reducing attack surface before userspace initialization. A hardware-software boundary security problem: enforcing a source-level security policy across cross-compilation toolchains, U-Boot, and embedded Linux internals.

Cross-compilation toolchains targeting embedded Linux on secure mobile hardware
Device-tree manipulation at bootloader stage to minimize hardware attack surface
Direct exposure to the semantic gap between policy specification and deployed binary behavior on real hardware

Linux U-Boot Device Tree Cross-compilation C Secure Boot

Education

Academic foundation

Eötvös Loránd University

M.Sc. Computer Science · Expected July 2026

Fulbright U.S. Student Scholar 2024–2025

Self-funded continuation through thesis completion 2025–2026

Budapest, Hungary

Advisor: Prof. Zoltán Porkoláb

Dept. of Software Technology and Methodology

Thesis: Detecting and Explaining Cryptographic Misuse in C/C++ via LLVM/Clang

Arizona State University

B.S. Computer Science (Cybersecurity) · May 2024

Summa Cum Laude - GPA 3.81 / 4.00

Tempe, AZ

U.S. State Department Critical Language Scholar - Russian (2023)

Capstone: Linux Device-Tree Hardening (GDMS)

Awards & Fellowships

Recognition & credentials

2024-2025

U.S. Department of State

Fulbright U.S. Student Scholar

Competitive federal fellowship funding graduate research abroad. Selected to conduct M.Sc. research at Eotvos Lorand University (ELTE) Budapest, one of Central Europe's leading research universities. Fulbright is the U.S. government's flagship international exchange program.

2023

U.S. Department of State

Critical Language Scholarship (CLS) - Russian

Highly competitive language immersion award granted to fewer than 550 Americans annually across all languages. Selected for Russian based on demonstrated academic merit and national security relevance.

2024

Arizona State University

Summa Cum Laude - B.S. Computer Science

Graduated with highest academic distinction. GPA 3.81 / 4.00.

Experience

Where I've worked

May 2026 –
ongoing

Independent Research

ISA-Silent Channels - Hardware Security Researcher

Formalizing microarchitectural observability gaps in the RISC-V ISA specification and demonstrating them with cache-timing tooling. Formal characterization of where the ISA Sail model is silent about observable side effects - the structural property underlying Spectre-class attacks. Targeting a HASP workshop paper.

2025 – 2026

ELTE, Budapest · Fulbright Scholar (2024–2025)

M.Sc. Thesis Researcher - Compiler Security

Built a formal model of trust-boundary information leakage grounded in C/C++ object representation semantics and ABI layout behavior. Implemented a complete Clang-Tidy static analysis module with CodeChecker integration, evaluated on open-source C libraries with manual validation of all emitted diagnostics. Zero false positives in real-world findings.

Aug 2023 –
May 2024

ASU · GDMS Sponsor

Capstone Researcher - Hardware-Software Security

Built a bootloader-stage device-tree hardening mechanism for a secure mobile platform, reducing hardware attack surface before userspace initialization. Worked across cross-compilation toolchains, U-Boot, and embedded Linux internals - direct exposure to the semantic gap between source-level security policy and deployed binary behavior on real hardware.

Oct 2018 –
Oct 2024

Arizona Air National Guard · 161st ARW

Information Systems Security Officer (ISSO) · TS/SCI

Six years executing security authorization and compliance for mission-critical operational systems. NIST 800-53 controls, ATO packages, POA&M management, and incident coordination. TEMPEST enforcement per AFMANs - controlling electromagnetic emanation risks from hardware systems. COMSEC management including KMI operations and cryptographic material accountability. Separated as Senior Airman; TS/SCI voluntarily relinquished Aug 2024 (reinstatement eligible).

Technical Skills

Tools & concepts

Languages

C C++ Python

Compiler & IR

LLVM Clang Clang-Tidy CodeChecker Static Program Analysis

Hardware Security

Cache Side-Channel Analysis Microarchitecture Trust Boundary Modeling TEMPEST TEE / Secure Enclave

Formal Methods

Security Invariant Design Evidence Lattices Information Flow Theory ISA Formal Specification (Sail) ABI Reasoning

Architecture

RISC-V x86-64 SysV ABI Speculative Execution Cache Hierarchy Branch Prediction

Security & Systems

NIST 800-53 COMSEC / KMI Linux Kernel Cross-compilation Secure Boot

Contact

Let's connect

I'm actively looking for hardware security research and compiler security engineering roles starting August 2026 - in Phoenix, remote, or Bay Area. Particularly interested in positions at the hardware-software security boundary: formal verification, microarchitectural security research, compiler security, or hardware security architecture.

If you're working on problems at the intersection of formal methods, compiler infrastructure, and hardware security - I'd genuinely love to talk.

Send an email ↗

mail chandler@chandlercamarena.com → li linkedin.com/in/chandler-camarena → gh github.com/ChandlerCamarena → proj clang-padding-leakage-checker →

ChandlerCamarena

Formal methods meetreal hardware