My research is about automatically making binary programs more secure (given different attack models). For example, I have worked on the compiler-level generation of binary code to output programs that are less vulnerable to timing-based side channel attacks, and on rewriting binary code at link-time to make it more resistant against patch-based attacks. I have also worked on other techniques to protect software against different types of attacks: Multi-Variant Execution Environments (MVEEs) to protect software against exploits, on finding bugs and security vulnerabilities in systems code bases (such as Linux, OpenSSL, etc.), anti-debugging techniques to delay some forms of reverse engineering, etc.

Finding bugs and vulnerabilities. Code in large code bases often depends on implicit assumptions and rules to function correctly. For example, it is not always documented which locks protect which shared resources, or which specific return values are considered to be errors and which not. I am interested in automatically deducing such rules, and then (statically) finding violations against those (deduced) rules. For example, with ESSS (Error Specification through Structural Similarities) we first automatically deduce what the error specifications are for functions (without needing to depend on any application-specific a priori knowledge), and then we find code locations where error checks are either missing or inconsistent with those specifications.

Multi-Variant Execution. Legacy code bases written in an unsafe language, will contain vulnerabilities which can be exploited in different ways. Multi-Variant Execution allows mitigating and preventing entire classes of exploits for these vulnerabilities. A monitor executes the same program multiple times (in parallel) on the same input. Rather than run these programs in an identical fashion, the multi-variant execution environment enforces structural diversity between the variants. This diversity is constructed in such a way that under normal inputs, all variants behave identically; but when an attacker feeds malicious inputs to the program, the behavior of the variants diverges. The monitor detects this divergence, and halts the execution before malicious system calls are executed. Making multi-variant execution environments support larger classes of programs while keeping the overhead small is an active research topic. In our group we work on improving the ReMon Multi-Variant Execution Environment.

Protection against patch-based attacks. The problem of patch-based attacks is that of Patch Tuesday/Exploit Wednesday. Here a security update is released, after which hackers try to find the vulnerability in the unpatched program by analyzing the difference between the original version of the program and the patched version. If this can be done fast enough, attackers can exploit this vulnerability with the mass of users that has not yet applied this patch. Applying software diversity increases the effort for attacker to find the original vulnerability, thus increasing the time window in which a user running unpatched code is safe from such exploitation. I try to mitigate these using software diversity. This is a technique where an application instance is transformed into syntactically different, but semantically equivalent instance. I do this at link time using the binary link time rewriting framework Diablo.

Protection against side-channel attacks. Differences in the execution time of a program can give an attacker additional information on the internal state of a cryptographic algorithm, potentially leading to the compromise of secret information. I researched mitigating side-channels on modern x86 processors. I worked on a compiler-based toolflow to apply if-conversion to cryptographical code in order to eliminate control-flow related side-channels. Furthermore, using the division instruction as an example of a variable-latency instruction on the x86 architecture, I evaluated different techniques to mitigate data-flow related timing side-channels.

1. Inference of Error Specifications and Bug Detection Using Structural Similarities [Code]
   Niels Dossche, Bart Coppens
   accepted at USENIX Security '24, 2024
2. Sharing is Caring: Secure and Efficient Shared Memory Support for MVEEs [Code]
   Jonas Vinck, Bert Abrath, Bart Coppens, Alexios Voulimeneas, Bjorn De Sutter, Stijn Volckaert
   EuroSys, 2022
3. Multi-Variant Execution
   Bart Coppens, Bjorn De Sutter, Stijn Volckaert
   Book chapter, 'The Continuing Arms Race: Code-Reuse Attacks and Defences', ACM Books / Morgan & Claypool Publishers, 2018
4. Taming Parallelism in a Multi-Variant Execution Environment [Code]
   Stijn Volckaert, Bart Coppens, Bjorn De Sutter, Koen De Bosschere, Per Larsen, Michael Franz
   EuroSys, 2017
5. Secure and Efficient Application Monitoring and Replication [Code]
   Stijn Volckaert, Bart Coppens, Alexios Voulimeneas, Andrei Homescu, Per Larsen, Bjorn De Sutter, Michael Franz
   USENIX Annual Technical Conference (ATC), 2016
6. Cloning your Gadgets: Complete ROP Attack Immunity with Multi-Variant Execution [Code]
   Stijn Volckaert, Bart Coppens, Bjorn De Sutter
   IEEE Transactions on Dependable and Secure Computing (TDSC), 2016
7. Compiler mitigations for time attacks on modern x86 processors
   Jeroen Van Cleemput, Bart Coppens, Bjorn De Sutter
   ACM Transactions on Architecture and Code Optimization (TACO), 2012
8. Practical Mitigations for Timing-Based Side-Channel Attacks on Modern x86 Processors
   Bart Coppens, Ingrid Verbauwhede, Koen De Bosschere and Bjorn De Sutter
   IEEE Symposium on Security and Privacy (Oakland, S&P), 2009

1. Design, implementation, and automation of a risk management approach for Man-at-the-End software protection
   Cataldo Basile, Bjorn De Sutter, Daniele Canavese, Leonardo Regano, Bart Coppens
   Computers & Security, 2023
2. ApkDiff: Matching Android App Versions Based on Class Structure [Code]
   Robbe De Ghein, Bert Abrath, Bjorn De Sutter, Bart Coppens
   CheckMATE, 2022
3. Flexible Software Protection [Code]
   Jens Van den Broeck, Bart Coppens, Bjorn De Sutter
   Computers & Security, 2022
4. Obfuscated Integration of Software Protections [Code]
   Jens Van den Broeck, Bart Coppens, Bjorn De Sutter
   International Journal of Information Security, 2021
5. Resilient Self-Debugging Software Protection [Code]
   Bert Abrath, Bart Coppens, Ilja Nevolin, Bjorn De Sutter
   Workshop on Software Attacks and Defenses (SAD), 2020
6. Code Renewability for Native Software Protection [Code]
   Bert Abrath, Bart Coppens, Jens Van den Broeck, Brecht Wyseur, Alessandro Cabutto, Paolo Falcarin, Bjorn De Sutter
   ACM Transactions on Privacy and Security, 2020
7. ΔBreakpad: Diversified Binary Crash Reporting [Code]
   Bert Abrath, Bart Coppens, Mohit Mishra, Jens Van den Broeck, Bjorn De Sutter
   IEEE Transactions on Dependable and Secure Computing (TDSC), 2020
8. Understanding the Behaviour of Hackers while Performing Attack Tasks in a Professional Setting and in a Public Challenge
   Mariano Ceccato, Paolo Tonella, Cataldo Basile, Paolo Falcarin, Marco Torchiano, Bart Coppens, Bjorn De Sutter
   Empirical Software Engineering (EMSE), 2019
9. How Professional Hackers Understand Protected Code while Performing Attack Tasks
   Mariano Ceccato, Paolo Tonella, Aldo Basile, Bart Coppens, Bjorn De Sutter, Paolo Falcarin, Marco Torchiano
   International Conference on Program Comprehension (ICPC), 2017
10. Tightly-coupled self-debugging software protection [Code]
    Bert Abrath, Bart Coppens, Stijn Volckaert, Joris Wijnant, Bjorn De Sutter
    Workshop on Software Security, Protection, and Reverse Engineering (SSPREW), 2016
11. Reactive Attestation: Automatic Detection and Reaction to Software Tampering Attacks [Remote attestation code]
    Alessio Viticchié, Cataldo Basile, Andrea Avancini, Mariano Ceccato, Bert Abrath, Bart Coppens
    International Workshop on Software Protection (SPRO), 2016
12. SOFIA: Software and control flow integrity architecture
    Ruan de Clercq, Ronald De Keulenaer, Bart Coppens, Bohan Yang, Pieter Maene, Koen De Bosschere, Bart Preneel, Bjorn De Sutter, Ingrid Verbauwhede
    Design, Automation and Test in Europe (DATE), 2016
13. Obfuscating Windows DLLs
    Bert Abrath, Bart Coppens, Stijn Volckaert, Bjorn De Sutter
    International Workshop on Software Protection (SPRO), 2015
14. Software Protection with Code Mobility [Code]
    Alessandro Cabutto, Paolo Falcarin, Bert Abrath, Bart Coppens, Bjorn De Sutter
    Workshop on Moving Target Defense (MTD), 2016
15. Program Variation for Software Security
    Bart Coppens
    PhD thesis, Ghent University, 2013
16. Feedback-driven binary code diversification [Code]
    Bart Coppens, Bjorn De Sutter, Jonas Maebe
    ACM Transactions on Architecture and Code Optimization (TACO), 2013
17. Protecting Your Software Updates
    Bart Coppens, Bjorn De Sutter, Koen De Bosschere
    IEEE Security & Privacy magazine, 2013
18. A Novel Obfuscation: Class Hierarchy Flattening
    Christophe Foket, Bjorn De Sutter, Bart Coppens, and Koen De Bosschere
    International Symposium on Foundations & Practice of Security (FPS), 2012
19. DNS Tunneling for Network Penetration [Code]
    Daan Raman, Bjorn De Sutter, Bart Coppens, Stijn Volckaert, Koen De Bosschere, Pieter Danhieux, Erik Van Buggenhout
    International Conference on Information Security and Cryptology (ICISC), 2012

1. An Efficient Algorithm for the Generation of Planar Polycyclic Hydrocarbons with a Given Boundary [Code integrated in CaGe]
   Gunnar Brinkmann and Bart Coppens
   MATCH Communications in Mathematical and in Computer Chemistry, 2008
2. Grenzen van Patches [Code]
   Bart Coppens
   Master's Thesis in Computer Science ('Licentiaat Informatica') (Dutch), 2007