Bjorn De Sutter: PhD students
Current PhD students

Bart Coppens Christophe Foket Niels Penneman Panagiotis Theocharis Jeroen Van Cleemput Stijn Volckaert
Compiler Techniques
for Software Protection:
Software Diversity
Global compiler
obfuscation of
bytecode applications
Virtualization framework
for real-time applications
Virtual Platform and Tool
Flow for Smart Cameras
Efficient Protection against
information leaks in VMs
Online Anti-tampering Techniques

Compiler Techniques for Software Diversity & Software Protection

Bart Coppens

Problem Statement


Global compiler obfuscation of bytecode applications

Christophe Foket

Problem Statement

Intellectual property embedded in software is difficult to protect since most computer platforms allow the inspection of running programs on a binary instruction level. This type of inspection can expose a vast amount of the algorithms and data used by the program. Traditionally this problem is solved by employing program obfuscation and diversity to increase the workload involved in successfully attacking program instances. Such techniques have been successfully applied in e.g. Skype.

Modern trends in software engineering, including component-based design, scripting, virtualization, just-in-time compilation and adaptive resource management complicate the use of effective program obfuscation techniques. These trends mainly contribute to the fact that more and more applications are distributed in bytecode languages such as Java and CLI. Contradictory to what has been achieved for binary code, where the possibilities for applying obfuscating transformations are immense, the possibilities for obfuscating bytecode are however rather limited. Java classes, for example, must adhere to a set of strict rules and must expose a lot of information about their interfaces to the virtual machine. Similar problems can be found in the case of .NET. This leads to some important problems involving IP protection:

Due to the locality of most bytecode obfuscation techniques (opaque predicates, control flow flattening), they usually only provide a limited form of protection against reverse engineering attacks. This way, the global decomposition of software into modules and the interaction between those modules is still relatively easy to determine.

Because components can be easily identified and isolated and their interfaces are well documented in code, relatively little work is required in lifting certain components from the application and reusing them in other software projects, even without fully understanding the functionality of the lifted component. This particular form of intellectual property theft is further facilitated by the strong cohesion inside and the weak coupling between the components resulting from the component-based software development process.

Since component interfaces remain available and components are often called dynamically, it is also relatively easy to set up a code injection attack. When working with binary code, such attacks usually require an infrastructure for rewriting binary code, and are often harder to accomplish due to the lack of available semantical information. In the case for bytecode, these kinds of attacks are facilitated by the fact that all or most of the needed semantic information is readily available.

Existing methods for binary code are already able to solve the problems we mentioned above by applying some means of obfuscation or diversification at (post) link time. Since obfuscation is usually the last step the production of executable code, an obfuscator can freely remove all programming conventions and semantic information contained in the source code. That way these techniques can significantly complicate the work of a reverse engineer. Code-injection attacks are particularly difficult to achieve without sufficient metadata and the obfuscation techniques are sometimes even able to void the effects of known exploits such as buffer overruns. To this day we are unaware of the existence of equivalent techniques that have been developed and adopted in the bytecode domain.

The principle problem concerning bytecode obfuscation is that the run-time techniques require a significant amount of important meta-information to be available at runtime, which means that most of the design decision made during software development will be reflected in the bytcode, and can therefore be easily retrieved.

We are positive that that this problem strongly hinders the adoption of languages such as Java and C# in cases where application security is important. This in turn prevents programmers from using other benefits such as advanced run-time management (garbage collection, JIT-compilation) and more productive hardware-independent application development, associated with these languages.


The strategic goals of the PhD proposal encompass the development of effective obfuscation techniques for software distributed in bytecode form and the decoupling of IP-security and source code, thereby increasing programmer productivity.

To achieve these goals we set out to develop and embed two types of techniques into different programming environments and virtual machines. The first type of techniques will work on a syntax level and will primarily try to hide the interfaces between different components. These techniques form a first line of defense, making sure that it is difficult to identify and isolate the different software components, thereby hindering possible code injection and code lifting attacks. In developing these techniques we will build on the experience that has already been gathered by the PARIS research group concerning code refactoring.

A second kind of techniques will focus on the semantic level. Their goals are to ensure that the internal workings of the different software components, which previously communicated only through a clean set of interfaces, are more dependent on each other when the final product is to be distributed. These techniques form a second line of defense against software attacks, ensuring that both lifted components and newly injected components will not work correctly. To this end we will build on techniques for global, whole program analysis that have been developed by the PARIS research group over the last decade.

By developing obfuscation techniques that will be applied after the source code of the program has been written, and before the program is distributed, programmer productivity can be increased. When applying our techniques and using our tools, programmers will no longer have to be concerned with the non-functional aspects involved in software development. Instead they will only have to focus on functional aspects while still being able to use most or all available software engineering techniques. These goals are in line with the HiPEAC FP77 Network of Excellence that states that 90% of the programmers, the so-called productivity programmers, should not be hindered by non-functional aspects such as hardware details and IP protection. The other 10% of programmers, the so-called efficiency programmers, are responsible for providing the necessary tools that will help the productivity programmers in reaching their goals faster and easier. Accomplishing this vision is an important strategic goal of the PARIS research group. Once we have reached this situation, only a select group of efficiency programmers with expert knowledge will have to work on software security mechanisms, which results in a better overall security.

A fundamental issue in using languages that compile to bytecode is that some language constructs more than others restrict the extent to which obfuscation can be applied to programs written in those languages. Therefore we will not only develop strong obfuscation techniques, we will also investigate to what extent the different constructs (design patterns, garbage collection, reflection, class loaders, virtual method calls, dynamic type checking, ...) affect the amount of obfuscation that can be achieved. Based on this study, we will make the necessary adjustments to the virtual machine so that the limiting factors can be resolved and obfuscation can be maximized. The strategic goal is thus to develop a programming environment in which programmers do not have to choose between either unmanaged "safe" programming languages like C, or full-featured managed "unsafe" languages like C# and Java, but instead one in which they can choose from a wide array of programming languages and mechanisms, consisting of different subsets of C#. This in turn will increase programmer productivity, since programmers will be able to choose a security level based on their knowledge of software engineering, rather than in terms internal to the underlying efficiency tools.

Virtualization Framework for real-time applications

Niels Penneman

Problem Statement

Consider a future smartphone that combines software-defined radio (SDR) with advanced multimedia features. Control tasks and simple computational tasks are executed on some generic cores, while more compute-intensive tasks run on accelerators, e.g. for baseband processing and video coding. The latter is a soft real-time (soft RT) application, with a refresh rate of 25 Hz and varying bandwidth requirements, because of variations of the complexity in video streams. This application can share the compute cores (e.g. ARM MPCores) and accelerators with other applications. At the same time, it has to be completely isolated from them because of digital rights management (DRM) protection measures. In fact, every multimedia content provider wants to set up their own virtual appliance on the smartphone, which can be developed separately. Furthermore, the SDR modem software stack communicates with different types of networks, partially reusing the same compute cores and accelerators. Since network operators want to prevent users from tampering with their network, the modem software stack also needs to reside in its own, isolated environment. This software stack is a hard RT application, with varying bandwidth and RT requirements because of the diversity of the supported communication standards. The standard to be used is determined dynamically, based on the available channels and their quality, which can vary with every footstep of the user. For example, WLAN deadlines are 16 microseconds, while for 3GPP-LTE they are around 77 microseconds. Next to all these, smartphones also comprise best-effort applications; e.g. address books, calendars, etc.

Two trends merge in this application: the extensive combination of hard RT, soft RT and best effort applications within the same device, and the consolidation of hardware, i.e. reducing the number of processors by allowing multiple applications to share the same hardware. Because applications can no longer be isolated from each other, and instead run consolidated on shared hardware, isolation is enforced through system-level virtualization. In other words, multiple applications with their own RTOS may run concurrently in independent virtual machines (VMs). The OSs inside the VMs manage virtual system resources, as assigned to them by the hypervisor. The hypervisor thus manages the physical hardware resources and the RTOSs interact solely with virtual resources.

Existing research on RTOSs focuses on systems with a fixed set of system resources. For example, the "State of the Art Assessment" report from April, 2008 of the ACTORS (Adaptivity & Control of Resources in Embedded Systems, a large European research project in FP7) project, mentions exactly once that it is required to know all system resources upfront, to allow correct scheduling of RT applications with a whole bunch of techniques, including but not limited to reservation-based, contract-based or feedback-based schedulers. However, this requirement is not discussed any further. This indicates that until now, all RT schedulers assume a fixed set of system resources. When using multiple, isolated RT schedulers in systems such as the smartphone mentioned earlier, where system resources are assigned by a hypervisor, this assumption no longer holds.

The core problem tackled in this project is that, in order to optimally use hardware resources, the hypervisor should adaptively assign them to the different VMs, similar to the way adaptive RT schedulers work within non-virtualized OSs.

Existing virtualization solutions for RT systems, such as VirtualLogix VLX and Open Kernel Labs OKL4, mainly focus on isolation of VMs, while using paravirtualization techniques to reduce software overhead and capture RT behavior. However, these solutions do not support fully adaptive resource assignment, as used in advanced RT schedulers. Additionally, the use of paravirtualization limits the extent to which virtual appliances can be developed independently.


The main goal of the proposed doctoral research project is the development of techniques enabling RT application designers to use system-level virtualization. More specifically, they will be able to benefit from adaptive resource management on the hypervisor level.

More specifically, the goal is to extend reservation-based scheduling techniques for application-OS situations to an application-OS-hypervisor environment. We will develop new interfaces between OSs and hypervisors to allow negotiation of resource usage through contracts. By focusing on contract-based techniques, we can adapt the advantage that contracts can be specified in the control domain, rather than in the domain of system resources. This is beneficial for the developers of RT applications: as they are viewing the system from the control domain perspective, they can now focus on their core task with increased productivity. This statement is in line with the vision of two relevant European Networks of Excellence, HiPEAC and Artist2. They posit that RT programmers have to be able to work in their own domain, and that tools should hide implementation details as much as possible, and hence automate implementation. The realization of this vision is also part of the strategic goals of the PARIS research group, in which this research project will be carried out. The PARIS group proposes virtualization as one of the most important paradigms for the near future, in the implementation of economically profitable ICT systems.

The interface between OSs and VMs to negotiate contracts will be implemented using device drivers. Doing so avoids the drawbacks of paravirtualization. In the near future, even embedded systems will provide sufficient hardware support for full virtualization. Companies like ARM are planning to release such support soon, just as Intel and AMD have done before.

The goal of this research project is not to develop new techniques for RT scheduling. Instead, we strive to allow reuse of the best, existing RT scheduling techniques for fixed, dedicated hardware, in isolated RT scheduling domains which share hardware through system-level virtualization.

Many large European FP7 research projects such as FRESCOR, ACTORS and eMuCo encompass a broad spectrum of RT scheduling techniques, applications and systems with overly generic interfaces. As a result, their implementations often incur a lot of overhead. This project will focus on the specific case explained in the problem statement, in order to ensure that the newly developed solutions not only work conceptually, but also efficient enough to ensure practical usability. However, we will reuse some techniques from those research projects, and make sure our newly developed techniques are compatible as much as possible with existing techniques.

An important condition for our research is that the advantages of virtualization concerning dynamic resource management should be exploitable to the fullest extent. In the context of RT systems we do not know of the existence of any such systems.

The main challenge is that existing ways to specify contracts are still based on WCET measurements for fixed hardware resources. Therefore, all contract requests from the applications towards the OS come down to decision problems. If these requests would be made in terms of a combination of resources, the scheduler has to determine the assignments resulting in optimal usage of the available resources. Hence, we have optimization problems, which are generally more complex than decision problems.

Virtual Platform and Tool Flow for Smart Cameras

Panagiotis Theocharis

Problem Statement

Large camera networks are being employed for a variety of applications: traffic monitoring and license plate recognition, crowd and public safety monitoring, crop inspection for the management of pesticides in precision agriculture, home safety systems for elderly people, etc. The number of cameras in such networks is increasing up to the point where humans cannot inspect all video streams themselves. Instead, complex video processing algorithms analyse the streams.

However, as the number of cameras keeps growing, it is becoming impossible to run these complex algorithms on centralized servers, because the necessary bandwidth is lacking to transmit all raw video streams to the servers and because such communication is too costly in terms of power consumption on battery-operated devices. For these reasons, there is a need for so-called smart cameras that efficiently perform significant parts of the video processing internally, and then communicate only condensed information plus the relevant parts of the raw video streams, such as the license plate numbers and positions on the road, instead of whole video streams of passing cars.

Processing the video inside a camera is far from trivial, however. Because of the complexity of the algorithms to be executed, and because of packaging requirements, and, for wireless devices, autonomy requirements, the processing devices in the cameras need to provide high performance at low power consumption. Traditionally, such requirements have been met with application-specific hardware designs such as ASICs or ASIPs. But in the case of smart cameras, where each (niche) application features its own sub-algorithms with its own characteristics, the potential markets for ASICs are often too small to be economically viable. Similarly, the markets are too small to support the effort of retargeting subalgorithms implemented in software to a wide variety of processing devices such as different ASIPs. This problem is aggravated by the fact that many algorithms are still under active development, such as for object tracking in changing weather circumstances, and will likely keep evolving significantly over the coming decade. Such ongoing rapid developments force smart camera builders to keep investing in new software and hardware combinations, which is not sustainable for small, niche markets.

Fundamentally, the problem is that the software and hardware components developed today for smart cameras are not reusable over a wide range over smart camera applications. As an example, consider the applications for license plate detection. Different cameras and processing units are used in parking garages, toll bridges, speed guns, and public safety camera networks. To the best of our knowledge, there is very little reuse of software between those applications. If application source code is reused, at least it has to be retargeted to the different hardware platforms.

Furthermore, really good hardware and software combinations, cheap or expensive, are still lacking. Existing smart camera designs focus on particular, fixed tasks that are performed continuously in exactly the same manner. The lack of flexibility in such designs has major disadvantages. For example, automated license plate detection for toll bridges will typically require much more computing power during a dark winter evening traffic jam than on a sunny Sunday morning. However, if the camera lacks the capability to switch between different operating modes or to rebalance the processing load over its processing devices, it will burn a lot of energy when no peak performance is required. This lack of flexibility is all the more problematic because future hardware designs, as in many application domains other than smart cameras, will consist of heterogeneous multicore processors. In such designs, support for adaptation to newly installed applications, to different combinations of running applications, and to different operation modes is critical to achieving high power efficiency.

Two fundamental problems for a more widespread use of smart camera networks are (1) their cost in terms of software development and in terms of hardware development, and (2) the lack of flexibility in existing designs. All of them result from the lack of a flexible platform that enables the integration and reuse of independently developed software and hardware components and a more dynamic management of applications and computing resources.


The strategic goals of this research project are (1) to design and to develop a smart camera computing platform that enables the integration and reuse of independently developed software and hardware components and the flexible management of resources, thus opening up larger markets for those components and increasing the productivity of software developers and the flexibility of the applications, (2) to design and to develop appropriate processing units in support of this platform, driven by a number of concrete smart camera applications, to demonstrate that such a platform can meet the performance and power requirements while enabling hardware-independent programming.

These goals fit within the widespread vision on emerging technologies in the European system software and computer architecture community. In particular, the platform that we will design and develop will (1) feature heterogeneous multi-accelerator architecture to meet the performance and power constraints for complex smart camera video processing algorithms; (2) enable component-based design using those accelerators to increase the hardware market size and to contribute to market horizontalization; (3) rely on virtualization to increase programmer productivity, to create larger markets for software components of smart camera systems, to support dynamic resource management, to ease the maintenance of camera networks, to facilitate deploying new, improved software during a network's lifetime and to enable the continuous adding of new cameras to existing networks of older camera types; and (4) rely on split compilation, i.e. dynamic compilation supported by meta-data provided by static code analyses, to optimize the efficiency and effectiveness of the dynamic compilation.

The above concepts are envisioned to solve many problems in a wide range of computing system domains. Hence other domains will also be able to benefit from the methodology and supporting tool flow used to instantiate hardware designs within a platform and to integrate software and hardware components. This follows from the fact that the technical challenges in the methodology and the tool flow that we will overcome also occur in other applications domains. These challenges include (1) enabling the development of families of domain-specific accelerators that provide at the same time the required performance and efficiency, and ease of compilation in split (design-time vs. install-time or run-time) compilation environments; (2) automating the optimal mapping of complex applications on concrete multicore or multi-accelerator platforms built through component-based design; and (3) providing the programmer with a hardware-independent programming environment.

This proposed research fits nicely in the strategic goals of the PARIS research group at Ghent University. These goals include the development of more productive programming environments that enable programmers to solely focus on the functionality of their applications, largely ignoring non-functional characteristics such as performance and code size. Reaching this goal requires the development of appropriate system software tools such as compilers and run-time systems that free the programmers, system designers and system maintainers from existing responsibilities and tasks. PARIS has a long tradition of designing and developing such tools. Virtualization is now playing a central role in this research, as it does in this PhD research proposal.

This research project is also in line with the recent insights that computing systems research should be vertical research in the sense that all the layers that make up a computing system stack with all its levels should be handled not in isolation of each other, but as one whole system, in which all actions are performed at exactly the right level, with all levels interacting in many ways. These levels range from the application software at the top, through the system software in the middle, to the hardware at the bottom.

To that extent, this research project will be driven by smart camera applications developed in the IPI research group at Ghent University and at IMEC. These applications are (1) Tracking of Vehicles in Tunnels and (2) Optimal Viewpoint Selection, and video compression. As these and other applications such as elderly living assistance will be facilitated by the proposed research and become cheaper, our project goals are clearly in line with the priorities of the 1st, 2nd and 3rd strategic VRWB cluster concerning transport, home care, wireless networks and safety.

Efficient Protection against information leaks in virtual machines

Jeroen Van Cleemput

Problem Statement

After the breakthrough of process virtualization with Java and .net, system virtualization is also making strong headway with products as VMWare, Xen, VirtualBox and Android. In datacenters it is mainly used for consolidating server hardware. On desktops and laptops however, it is used to facilitate system administration and finally on embedded systems security and isolation are the main advantages. For example on a cell phone, system virtualization can be used to make sure user application can't harm the communication subsystem, despite the fact that both are running on the same processor. Virtualization is increasingly applied to applications that require extra security measures, like bank transactions and processing confidential data.

Few people however question the safety risks of this extra software layer. Security measures using the traditional protection domains like user and kernel mode don't apply anymore when those domains are used inside a virtual machine running as a user mode program on top of the operating system. With the lack of a trusted computing base (TCB), which can not be guaranteed for this kind of system virtualization, all protection domains within the VM are equally vulnerable as other programs.

Besides the security problems with compromised VMs described above, even trusted VMs can pose security related problems. Simple experiments demonstrate how carefully secured code can be optimized by a Just-In-Time compiler or binary translator, effectively removing the security measures. Such effects could in their turn lead to information leaks between VMs, just as they have existed for a long time between different user mode programs. Indeed VMs have separated virtual resources, but they till share the physical resources (processors, memory, disks…), which can serve as covert communication channels through which VMs can observe each other. This, in combination with detailed knowledge about the workload of the other machine, is in some cases sufficient to obtain secured information like the hamming weight of and encryption key. An information leak like that isn't fundamentally different from similar leaks between processes on the same operating system. The use of VMs however deprives the user and applications of the possibility to check with which other applications resources are shared. They make the problem even worse.

Securing critical software is an expensive and complex process because it requires thorough knowledge about the TCB, which consists of the underlying hardware, system software and the possible covert communication channels. The used security measures are by consequence not easily portable to other hardware or system software. This further increases the cost of securing software. Designing software requires a lot of effort from the programmer, which reduces productivity and thus increases the cost of producing software. As already mentioned above, current VMs only add extra problems.

All this shows that the use of virtualization, initially famed for its isolation possibilities, is in fact far from evident in a secure environment. The fundamental problem is that the application programmer is responsible for securing his software against information leaks through covert channels in physical hardware components, while he only has the virtual components of the VM to work with. These headaches for the programmer lower his productivity, thus making software unnecessarily expensive, and moreover still not guaranteed safe.


The goal of this project is to develop virtual machines that are free of information leaks through covert communication channels. Consequently security measures don't have to be taken on application level, they are agreed upon in a contract between the virtual machine and the user. This way we want to obtain safer, more efficient software and increase the productivity of the programmer.

More precisely we want to increase the productivity of the programmer by separating security requirements from implementation details of the sofware. Instead of obligating the programmer to apply security measures in algorithms, source code or programming tools, we will develop a contract based approach that will allow the programmer to specify his security needs, completely independent of the domain specific development tools. This specification will be in terms of security requirements only and not in terms of properties of the underlying hardware. Translation between the different domains, i.e. from the security domain to the hardware domain, will be the responsibility of the VM. This way applications and contracts are portable and can be used easily. The main challenge (and innovation) for the project is to define a practical, usable and sufficiently abstract contract specification and in particular the automatic translation from abstract contracts to security mechanisms on the software-hardware interface.

In the manner outlined we will bundle the complexity associated with securing information leaks in the VM. This fits in the European and worldwide shared vision that 90% of the programmers work as so-called productivity programmers in their own domain-specific environment, without having to worry about hardware-dependent implementation details. The remaining 10% of the programmers are the efficiency programmers, who need to supply the productivity programmers with the necessary tools. The project proposed here is clearly part of the solution to reach that ideal situation, which is also a strategic goal of the PARIS research group. Once this situation is established, only the efficiency programmers, as experts, will have to worry about security measures. Eventually this will lead to more secure software. The challenge in this area is to identify the best security measures to mitigate information leaks, and that are suitable for use in VMs with Just-In-Time compilation.

Finally moving the responsibility of security to the VM offers the possibility to produce more efficient software. For that we will make the security measures adaptive. Where a programmer needs to assume the worst case scenario, i.e. his software will always share resources with hostile applications that try to steal sensitive information through the shared resources, a VM has runtime information about the execution of the program, like the knowledge that there no other application is executing on the same processor. In that case sensitive information doesn't need to be protected and the VM can use all means to accelerate the application. For this we will need to develop innovative strategies that dynamically use the best suited security measures at any time, based on the security contracts and the current state of the system.

We will first develop active and then passive security measures. Passive security measures are completely developed and implemented within the VM, so every application running on the VM can enjoy complete security. For the active security measures, applications and VM will work together to reduce the security overhead. New applications will have to specify which parts need to be secured and on what level. We will supply programmers of the necessary tools to simplify and automate this process, for example by using offline analysis tools.

These goals are clearly in line with the fifth VRWB cluster and are priorities for user friendly and safe advanced ICT networks.

CGRA compilation and design-space exploration

Stijn Volckaert

Problem Statement


Current Master Students
Henry De Veende
Dries Maertens

Past Master Students

Bruno De Bus
Ludo Van Put
Dominique Chanet
Matias Madou
Frederik Vandeputte
Bertrand Anckaert
Jeroen Van Cleemput
Christophe Foket
Kristof Smits
Dieter Govaerts
Luk Claes
Daan Mervielde
Wim Hillewaert
Joachim De Witte
Dieter Houthooft
Thomas Spranghers
Stijn Volckaert
Wim Vander Schelden
Daan Raman
Tim De Baets
Peter Van Bouwel
Sarah Elshal
Niels Penneman