Global compiler obfuscation of bytecode applications Christophe Foket Problem Statement Intellectual property embedded in software is difficult to protect since most computer platforms allow the inspection of running programs on a binary instruction level. This type of inspection can expose a vast amount of the algorithms and data used by the program. Traditionally this problem is solved by employing program obfuscation and diversity to increase the workload involved in successfully attacking program instances. Such techniques have been successfully applied in e.g. Skype. Modern trends in software engineering, including component-based design, scripting, virtualization, just-in-time compilation and adaptive resource management complicate the use of effective program obfuscation techniques. These trends mainly contribute to the fact that more and more applications are distributed in bytecode languages such as Java and CLI. Contradictory to what has been achieved for binary code, where the possibilities for applying obfuscating transformations are immense, the possibilities for obfuscating bytecode are however rather limited. Java classes, for example, must adhere to a set of strict rules and must expose a lot of information about their interfaces to the virtual machine. Similar problems can be found in the case of .NET. This leads to some important problems involving IP protection: Due to the locality of most bytecode obfuscation techniques (opaque predicates, control flow flattening), they usually only provide a limited form of protection against reverse engineering attacks. This way, the global decomposition of software into modules and the interaction between those modules is still relatively easy to determine. Because components can be easily identified and isolated and their interfaces are well documented in code, relatively little work is required in lifting certain components from the application and reusing them in other software projects, even without fully understanding the functionality of the lifted component. This particular form of intellectual property theft is further facilitated by the strong cohesion inside and the weak coupling between the components resulting from the component-based software development process. Since component interfaces remain available and components are often called dynamically, it is also relatively easy to set up a code injection attack. When working with binary code, such attacks usually require an infrastructure for rewriting binary code, and are often harder to accomplish due to the lack of available semantical information. In the case for bytecode, these kinds of attacks are facilitated by the fact that all or most of the needed semantic information is readily available. Existing methods for binary code are already able to solve the problems we mentioned above by applying some means of obfuscation or diversification at (post) link time. Since obfuscation is usually the last step the production of executable code, an obfuscator can freely remove all programming conventions and semantic information contained in the source code. That way these techniques can significantly complicate the work of a reverse engineer. Code-injection attacks are particularly difficult to achieve without sufficient metadata and the obfuscation techniques are sometimes even able to void the effects of known exploits such as buffer overruns. To this day we are unaware of the existence of equivalent techniques that have been developed and adopted in the bytecode domain. The principle problem concerning bytecode obfuscation is that the run-time techniques require a significant amount of important meta-information to be available at runtime, which means that most of the design decision made during software development will be reflected in the bytcode, and can therefore be easily retrieved. We are positive that that this problem strongly hinders the adoption of languages such as Java and C# in cases where application security is important. This in turn prevents programmers from using other benefits such as advanced run-time management (garbage collection, JIT-compilation) and more productive hardware-independent application development, associated with these languages. Goals The strategic goals of the PhD proposal encompass the development of effective obfuscation techniques for software distributed in bytecode form and the decoupling of IP-security and source code, thereby increasing programmer productivity. To achieve these goals we set out to develop and embed two types of techniques into different programming environments and virtual machines. The first type of techniques will work on a syntax level and will primarily try to hide the interfaces between different components. These techniques form a first line of defense, making sure that it is difficult to identify and isolate the different software components, thereby hindering possible code injection and code lifting attacks. In developing these techniques we will build on the experience that has already been gathered by the PARIS research group concerning code refactoring. A second kind of techniques will focus on the semantic level. Their goals are to ensure that the internal workings of the different software components, which previously communicated only through a clean set of interfaces, are more dependent on each other when the final product is to be distributed. These techniques form a second line of defense against software attacks, ensuring that both lifted components and newly injected components will not work correctly. To this end we will build on techniques for global, whole program analysis that have been developed by the PARIS research group over the last decade. By developing obfuscation techniques that will be applied after the source code of the program has been written, and before the program is distributed, programmer productivity can be increased. When applying our techniques and using our tools, programmers will no longer have to be concerned with the non-functional aspects involved in software development. Instead they will only have to focus on functional aspects while still being able to use most or all available software engineering techniques. These goals are in line with the HiPEAC FP77 Network of Excellence that states that 90% of the programmers, the so-called productivity programmers, should not be hindered by non-functional aspects such as hardware details and IP protection. The other 10% of programmers, the so-called efficiency programmers, are responsible for providing the necessary tools that will help the productivity programmers in reaching their goals faster and easier. Accomplishing this vision is an important strategic goal of the PARIS research group. Once we have reached this situation, only a select group of efficiency programmers with expert knowledge will have to work on software security mechanisms, which results in a better overall security. A fundamental issue in using languages that compile to bytecode is that some language constructs more than others restrict the extent to which obfuscation can be applied to programs written in those languages. Therefore we will not only develop strong obfuscation techniques, we will also investigate to what extent the different constructs (design patterns, garbage collection, reflection, class loaders, virtual method calls, dynamic type checking, ...) affect the amount of obfuscation that can be achieved. Based on this study, we will make the necessary adjustments to the virtual machine so that the limiting factors can be resolved and obfuscation can be maximized. The strategic goal is thus to develop a programming environment in which programmers do not have to choose between either unmanaged "safe" programming languages like C, or full-featured managed "unsafe" languages like C# and Java, but instead one in which they can choose from a wide array of programming languages and mechanisms, consisting of different subsets of C#. This in turn will increase programmer productivity, since programmers will be able to choose a security level based on their knowledge of software engineering, rather than in terms internal to the underlying efficiency tools.

Virtualization Framework for real-time applications Niels Penneman Problem Statement Consider a future smartphone that combines software-defined radio (SDR) with advanced multimedia features. Control tasks and simple computational tasks are executed on some generic cores, while more compute-intensive tasks run on accelerators, e.g. for baseband processing and video coding. The latter is a soft real-time (soft RT) application, with a refresh rate of 25 Hz and varying bandwidth requirements, because of variations of the complexity in video streams. This application can share the compute cores (e.g. ARM MPCores) and accelerators with other applications. At the same time, it has to be completely isolated from them because of digital rights management (DRM) protection measures. In fact, every multimedia content provider wants to set up their own virtual appliance on the smartphone, which can be developed separately. Furthermore, the SDR modem software stack communicates with different types of networks, partially reusing the same compute cores and accelerators. Since network operators want to prevent users from tampering with their network, the modem software stack also needs to reside in its own, isolated environment. This software stack is a hard RT application, with varying bandwidth and RT requirements because of the diversity of the supported communication standards. The standard to be used is determined dynamically, based on the available channels and their quality, which can vary with every footstep of the user. For example, WLAN deadlines are 16 microseconds, while for 3GPP-LTE they are around 77 microseconds. Next to all these, smartphones also comprise best-effort applications; e.g. address books, calendars, etc. Two trends merge in this application: the extensive combination of hard RT, soft RT and best effort applications within the same device, and the consolidation of hardware, i.e. reducing the number of processors by allowing multiple applications to share the same hardware. Because applications can no longer be isolated from each other, and instead run consolidated on shared hardware, isolation is enforced through system-level virtualization. In other words, multiple applications with their own RTOS may run concurrently in independent virtual machines (VMs). The OSs inside the VMs manage virtual system resources, as assigned to them by the hypervisor. The hypervisor thus manages the physical hardware resources and the RTOSs interact solely with virtual resources. Existing research on RTOSs focuses on systems with a fixed set of system resources. For example, the "State of the Art Assessment" report from April, 2008 of the ACTORS (Adaptivity & Control of Resources in Embedded Systems, a large European research project in FP7) project, mentions exactly once that it is required to know all system resources upfront, to allow correct scheduling of RT applications with a whole bunch of techniques, including but not limited to reservation-based, contract-based or feedback-based schedulers. However, this requirement is not discussed any further. This indicates that until now, all RT schedulers assume a fixed set of system resources. When using multiple, isolated RT schedulers in systems such as the smartphone mentioned earlier, where system resources are assigned by a hypervisor, this assumption no longer holds. The core problem tackled in this project is that, in order to optimally use hardware resources, the hypervisor should adaptively assign them to the different VMs, similar to the way adaptive RT schedulers work within non-virtualized OSs. Existing virtualization solutions for RT systems, such as VirtualLogix VLX and Open Kernel Labs OKL4, mainly focus on isolation of VMs, while using paravirtualization techniques to reduce software overhead and capture RT behavior. However, these solutions do not support fully adaptive resource assignment, as used in advanced RT schedulers. Additionally, the use of paravirtualization limits the extent to which virtual appliances can be developed independently. Goals The main goal of the proposed doctoral research project is the development of techniques enabling RT application designers to use system-level virtualization. More specifically, they will be able to benefit from adaptive resource management on the hypervisor level. More specifically, the goal is to extend reservation-based scheduling techniques for application-OS situations to an application-OS-hypervisor environment. We will develop new interfaces between OSs and hypervisors to allow negotiation of resource usage through contracts. By focusing on contract-based techniques, we can adapt the advantage that contracts can be specified in the control domain, rather than in the domain of system resources. This is beneficial for the developers of RT applications: as they are viewing the system from the control domain perspective, they can now focus on their core task with increased productivity. This statement is in line with the vision of two relevant European Networks of Excellence, HiPEAC and Artist2. They posit that RT programmers have to be able to work in their own domain, and that tools should hide implementation details as much as possible, and hence automate implementation. The realization of this vision is also part of the strategic goals of the PARIS research group, in which this research project will be carried out. The PARIS group proposes virtualization as one of the most important paradigms for the near future, in the implementation of economically profitable ICT systems. The interface between OSs and VMs to negotiate contracts will be implemented using device drivers. Doing so avoids the drawbacks of paravirtualization. In the near future, even embedded systems will provide sufficient hardware support for full virtualization. Companies like ARM are planning to release such support soon, just as Intel and AMD have done before. The goal of this research project is not to develop new techniques for RT scheduling. Instead, we strive to allow reuse of the best, existing RT scheduling techniques for fixed, dedicated hardware, in isolated RT scheduling domains which share hardware through system-level virtualization. Many large European FP7 research projects such as FRESCOR, ACTORS and eMuCo encompass a broad spectrum of RT scheduling techniques, applications and systems with overly generic interfaces. As a result, their implementations often incur a lot of overhead. This project will focus on the specific case explained in the problem statement, in order to ensure that the newly developed solutions not only work conceptually, but also efficient enough to ensure practical usability. However, we will reuse some techniques from those research projects, and make sure our newly developed techniques are compatible as much as possible with existing techniques. An important condition for our research is that the advantages of virtualization concerning dynamic resource management should be exploitable to the fullest extent. In the context of RT systems we do not know of the existence of any such systems. The main challenge is that existing ways to specify contracts are still based on WCET measurements for fixed hardware resources. Therefore, all contract requests from the applications towards the OS come down to decision problems. If these requests would be made in terms of a combination of resources, the scheduler has to determine the assignments resulting in optimal usage of the available resources. Hence, we have optimization problems, which are generally more complex than decision problems.