Yearly Report 2016


Faculty Members

  • Damianos Chatziantoniou
  • Dimitris Mitropoulos
  • Panos (Panagiotis) Louridas
  • Diomidis Spinellis

Senior Researchers

  • Stefanos Georgiou
  • Thodoris Sotiropoulos
  • Marios Fragkoulis
  • Maria Kechagia

Associate Researchers

  • Antonios Gkortzis
  • Tushar Sharma
  • Konstantina Dritsa
  • Konstantinos Stroggylos


  • Alexandros Lattas
  • Vitalis Salis
  • Christos Oikonomou

Overview in numbers

New Publications Number
Monographs and Edited Volumes 1
Journal Articles 10
Book Chapters 3
Conference Publications 6
Technical Reports 1
White Papers 0
Magazine Articles 0
Working Papers 0
Datasets 0
Total New Publications 21
New Projects 1
Ongoing Projects 1
Completed Projects 0
Faculty Members 4
Senior Researchers 4
Associate Researchers 4
Researchers 3
Total Members 15
New Members 2
Ongoing PhDs 6
Completed PhDs 0
New Seminars
New Seminars 6

New Publications

Monographs and Edited Volumes

    • Diomidis Spinellis. Effective Debugging: 52 Specific Ways to Debug Software and Systems. Addison-Wesley Professional, Boston, MA, 2016. ISBN 978-0134394794.

Journal Articles

    • Diomidis Spinellis. The changing role of the software architect. IEEE Software, 33(6):4–6, November 2016.
    • Diomidis Spinellis. Serving professionals. IEEE Software, 33(2):4–6, Mar/Apr 2016.
    • Diomidis Spinellis. Reflecting on quality. IEEE Software, 33(4):4–5, July 2016. Also republished in Computing Edge (November 2016).
    • Diomidis Spinellis. Managing a software business. IEEE Software, 33(5):4–7, September 2016.
    • Diomidis Spinellis. Developer, debug thyself. IEEE Software, 33(1):3–5, Jan/Feb 2016.
    • Diomidis Spinellis. Being a DevOps developer. IEEE Software, 33(3):4–5, May/Jun 2016. Also republished in Computing Edge (July 2016).
    • Diomidis Spinellis. A DIY Lego controller: a low-cost way to program Lego machines. IEEE Spectrum, 53(11):21–22, November 2016.
    • Dimitris Mitropoulos, Konstantinos Stroggylos, Diomidis Spinellis, and Angelos D. Keromytis. How to train your browser: preventing XSS attacks using contextual script fingerprints. ACM Transactions on Privacy and Security, 19(1):2:1–2:31, July 2016.
    • Marios Fragkoulis, Diomidis Spinellis, and Panos Louridas. PiCO QL: a software library for runtime interactive queries on program data. SoftwareX, 5:134–138, 2016.
    • Vaggelis Atlidakis, Jeremy Andrus, Roxana Geambasu, Dimitris Mitropoulos, and Jason Nieh. POSIX has become outdated. USENIX ;login: Magazine, Fall 2016.

Book Chapters

    • Diomidis Spinellis. Tools! tools! we need tools! In Tim Menzies, Laurie Williams, and Thomas Zimmermann, editors, Perspectives on Data Science for Software Engineering, pages 143–148. Morgan Kaufmann, 2016.
    • Dimitris Mitropoulos. Securing software. In Phillip A. Laplante, editor, Encyclopedia of Computer Science and Technology, Second Edition. CRC Press, Taylor and Francis Group, 2016.
    • Vassilios Karakoidas. Domain-specific languages. In Phillip A. Laplante, editor, Encyclopedia of Computer Science and Technology, Second Edition. CRC Press, Taylor and Francis Group, 2016.

Conference Publications

    • Diomidis Spinellis, Panos Louridas, and Maria Kechagia. The evolution of C programming practices: a study of the Unix operating system 1973–2015. In Willem Visser and Laurie Williams, editors, ICSE '16: Proceedings of the 38th International Conference on Software Engineering. New York, May 2016. Association for Computing Machinery.
    • Tushar Sharma, Marios Fragkoulis, and Diomidis Spinellis. Does your configuration code smell? In Proceedings of the 13th International Conference on Mining Software Repositories, 189–200. ACM, 2016.
    • A. Gkortzis, S. Rizou, and D. Spinellis. An empirical analysis of vulnerabilities in virtualization technologies. In 2016 IEEE International Conference on Cloud Computing Technology and Science (CloudCom), 533–538. IEEE, Dec 2016.
    • Dimitris Gavrilis, Vangelis Nomikos, Konstantinos Kravvaritis, Stavros Angelis, Christos Papatheodorou, and Panos Constantopoulos. More: A micro-service oriented aggregator. In Metadata and Semantics Research - 10th International Conference, MTSR 2016, Göttingen, Germany, November 22-25, 2016, Proceedings, 15–26. 2016.
    • Damianos Chatziantoniou and Florents Tselai. The data management entity: A simple abstraction to facilitate big data systems interoperability. In Proceedings of the Workshops of the EDBT/ICDT 2016 Joint Conference, EDBT/ICDT Workshops 2016, Bordeaux, France, March 15, 2016. 2016.
    • Vaggelis Atlidakis, Jeremy Andrus, Roxana Geambasu, Dimitris Mitropoulos, and Jason Nieh. POSIX abstractions in modern operating systems: the old, the new, and the missing. In Proceedings of the 11th European Conference on Computer Systems (EuroSys '16), 19:1–19:17. ACM, 2016.

Technical Reports

    • Roxana Geambasu, Dimitris Mitropoulos, Simha Sethumadhavan, Junfeng Yang, Angelos Stravrou, Dan Fleck, Matthew Elder, and Azzedine Benameur. Maintaining enterprise resiliency via kaleidoscopic adaption and transformation of software services (MEERKATS). Technical Report, Air Force Research Laboratory, Sensors Directorate, Wright-Patterson, Air Force Base, OH 45433-7320, Air Force Materiel Command, United States Air Force, April 2016.


New Projects

    • Action II - The "Meta-Life" of JavaScript

Ongoing Projects

    • SENECA - Software ENgineering in Enterprise Cloud Applications

New Members

    • Alexandros Lattas
    • Nikiforos Botis
    • Vitalis Salis

Ongoing PhDs

    • Vaggelis Atlidakis Topic: Structure and Feedback in Cloud Service API Fuzzing
    • Antonios Gkortzis Topic: Secure Systems on Cloud Computing Infrastructures
    • Stefanos Georgiou Topic: Energy and Run-Time Performance Practices in Software Engineering
    • Tushar Sharma Topic: Software Engineering in Enterprise Cloud Applications
    • Marios Fragkoulis Topic: Technologies for main memory data analysis
    • Maria Kechagia Topic: Tools and Techniques for Reliable Application Programming Interfaces


      Designite - A Software Design Quality Assessment Tool

      Date: 07 March 2016
      Presenter: Tushar Sharma

      Poor design quality and huge technical debt are common issues perceived in real-life software projects. Design smells are indicators of poor design quality and the volume of design smells found could be treated as the design debt of the software system. The existing smell detection tools focus largely on implementation smells and do not reveal a comprehensive set of smells that arise at design level. In this talk, I present Designite - a software design quality assessment tool. It supports comprehensive design smells detection and provides a detailed metrics analysis. Further, it offers various features to help identify issues contributing to design debt and improve the design quality of the analyzed software system.

      Tushar will present a corresponding paper at BRIDGE: First International Workshop on Bringing Architecture Design Thinking into Developers' Daily Activities (Bridge'16), which is co-located with the 38th International Conference on Software Engineering, May 14 - 22, 2016.

      Analyzing and understanding in depth malicious browser extensions

      Date: 30 June 2016
      Presenter: Alexandros Kapravelos

      In this talk I’m going to present Hulk, a dynamic analysis system that detects malicious behavior in browser extensions by monitoring their execution and corresponding network activity. Hulk’s novelty derives from how it elicits malicious behavior in extensions with dynamic pages that adapt to an extension’s expectations in web page structure and content and by fuzzing extensions event handlers. The second part of the talk is going to be focused on a particular malicious activity deriving from browser extensions: ad injection. In our experiments we found that ad injection is affecting more than 5% of the daily unique IP addresses accessing Google, affecting this way tens of millions of users around the globe.

      Alexandros Kapravelos is an Assistant Professor in the Department of Computer Science at North Carolina State University. His research interests lie in the area of computer security and he is particularly interested in browser security and building systems that solve security problems. In the past, he was the lead developer of Wepawet, a publicly available system that detects drive-by downloads with the use of an emulated browser, and Revolver, a system that detects evasive drive-by download attempts. He is currently interested in internet-wide attacks that compromise the users’ security, building scalable systems to protect users and improving privacy on the web.

      IT Greening

      Date: 20 July 2016
      Presenter: Ioannis Kamitsos

      This talk will focus on a few recent research results on greening of the Information and Communication Technology. In the first part, I will demonstrate how resource pooling can be exploited to optimize the tradeoff between two intrinsically conflicting objectives in cloud computing – energy consumption and delay performance. I will then present how we extend our optimal energy conserving techniques to the case of DSL broadband access and show how our approach results in a more energy efficient and stable DSL operation compared to existing Broadband Forum power saving policies. Finally, I will demonstrate an analytic framework that helps data center operators minimize day-to-day operational costs (such as electricity and bandwidth costs), based on processing jobs characteristics, as well as optimally expand their data center network based on predictions of future operational costs.

      Ioannis Kamitsos is a Senior Software Engineer with Bloomberg LP, New York. He received the Diploma degree in electrical and computer engineering from the National Technical University of Athens, Greece, in 2006, and the M.A. and Ph.D. degrees from Princeton University, Princeton, NJ, USA, in 2009 and 2012, respectively. During the summer of 2010, he interned at the Standards and RF Laboratory, Samsung Telecommunications America, Richardson, TX, USA. His research interests include optimization theory, optimal control, and machine learning/big data analytics.

      Augur: Incorporating Hidden Dependencies and Variable Granularity in Change Impact Analysis.

      Date: 12 October 2016
      Presenter: Tushar Sharma

      Software change impact analysis (CIA) methods enable developers to understand potential impacts of a code change so that the change can be executed confidently without affecting reliability of the software. However, existing CIA approaches do not support CIA for all source code granularities. Additionally, they lack support for inter-granular change impact queries and hidden dependencies. In this presentation, I introduce Augur, an automated static code analysis-based CIA approach that addresses these shortcomings. Augur infers and maintains semantic and environment dependencies along with data and control dependencies between source code entities across granularities. Additionally, Augur uses Change Impact Query Language, a novel query language for impact analysis proposed in this paper, to support inter-granular CIA queries with batch querying feature.

      Remove and Prevent: Dealing with Bugs in Software and Systems"

      Date: 09 November 2016
      Presenter: Diomidis Spinellis

      Finding and fixing errors in computing systems is an important and difficult task. Often debugging consumes most of the time in a developer’s workday; obtaining the required experience can take a lifetime. The talk categorizes, explains, and illustrates methods, strategies, techniques, and tools that can be used to pinpoint elusive and pestering bugs. The talk's aim is to provide an overview of the complete debugging landscape: from general principles, high level strategies, and behavioral traits to concrete techniques, handy tools, and nifty tricks.

      How to Train Your Browser: Preventing XSS Attacks Using Contextual Script Fingerprints

      Date: 14 December 2016
      Presenter: Dimitris Mitropoulos

      Cross-Site Scripting (XSS) is one of the most common web application vulnerabilities. It is therefore sometimes referred to as the “buffer overflow of the web.” Drawing a parallel from the current state of practice in preventing unauthorized native code execution (the typical goal in a code injection), we propose a script whitelisting approach to tame JavaScript-driven XSS attacks. Our scheme involves a transparent script interception layer placed in the browser’s JavaScript engine. This layer is designed to detect every script that reaches the browser, from every possible route, and compare it to a list of valid scripts for the site or page being accessed; scripts not on the list are prevented from executing. To avoid the false positives caused by minor syntactic changes (e.g., due to dynamic code generation), our layer uses the concept of contextual fingerprints when comparing scripts.

      Contextual fingerprints are identifiers that represent specific elements of a script and its execution context. Fingerprints can be easily enriched with new elements, if needed, to enhance the proposed method’s robustness. The list can be populated by the website’s administrators or a trusted third party. To verify our approach, we have developed a prototype and tested it successfully against an extensive array of attacks that were performed on more than 50 real-world vulnerable web applications. We measured the browsing performance overhead of the proposed solution on eight websites that make heavy use of JavaScript. Our mechanism imposed an average overhead of 11.1% on the execution time of the JavaScript engine. When measured as part of a full browsing session, and for all tested websites, the overhead introduced by our layer was less than 0.05%. When script elements are altered or new scripts are added on the server side, a new fingerprint generation phase is required. To examine the temporal aspect of contextual fingerprints, we performed a short-term and a long-term experiment based on the same websites. The former, showed that in a short period of time (10 days), for seven of eight websites, the majority of valid fingerprints stay the same (more than 92% on average). The latter, though, indicated that, in the long run, the number of fingerprints that do not change is reduced. Both experiments can be seen as one of the first attempts to study the feasibility of a whitelisting approach for the web.

Note: Data before 2017 may refer to grandparented work conducted by BALab's members at its progenitor laboratory, ISTLab.