Master's Thesis — FH Hagenberg, 2015
Secure Code Execution Engine
Built a secure automated grading system for programming assignments in Moodle using isolated Oracle VirtualBox VMs per student.
Role: Researcher, Architect and Developer
Research context
Master's thesis at the University of Applied Sciences Hagenberg, Austria (FH OÖ), September 2015. The research identified two critical gaps in automated programming assessment tools: none were integrated with e-learning platforms, and none handled the security risks of executing untrusted student code (file deletion, memory overflow, infinite loops, denial-of-service via threads).
Existing automated graders were built as standalone tools — disconnected from LMS platforms and never designed to handle the security risks of running arbitrary student code. The research tackled both gaps simultaneously: full Moodle integration and execution isolation via per-user virtual machines.
The problem: executing untrusted code
Automated evaluation of programming assignments requires actually running student-submitted code. That code is untrusted by definition — a student may knowingly or unknowingly submit programs that delete files, exhaust memory, spin infinite loops, or open network connections to internal services. Reek (1989) noted this directly: execution of alien code in a live environment may result in damage to or disclosure of the system or data held therein.
The thesis evaluated four isolation approaches before landing on VM-per-user: static analysis (bypassable with reflection), Java Security Manager (same-JVM, no resource limits, removed in Java 21), Unix accounts with ulimit (shared kernel, no per-submission tree limits), and finally full VM isolation — the only approach that closes every vector in the threat model.
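The ulimit approach from the comparison above looks like this in practice (an added example, not code from the thesis): a hypothetical `run_submission` helper starts each constructed sample submission in a child process under assumed CPU and address-space limits and reports how it ended. The limits bind a single process and the host kernel is still shared, which is the gap the text attributes to this approach.

```python
import resource
import signal
import subprocess
import sys

# Assumed limits for illustration; the thesis page does not give values.
CPU_SECONDS = 1
ADDRESS_SPACE_BYTES = 512 * 2**20

# Constructed sample submissions covering two vectors from the threat model.
BENIGN = "print(sum(range(10)))"
INFINITE_LOOP = "while True:\n    pass"
MEMORY_HOG = "data = bytearray(2**31)\nprint(len(data))"

def _cap(kind, value):
    """Lower one rlimit, never above the hard limit already in force."""
    _, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))

def _apply_limits():
    # Runs in the child after fork() and before exec(), like `ulimit -t/-v`.
    # Each limit binds one process, not the tree it may start, and the child
    # still shares the host kernel.
    _cap(resource.RLIMIT_CPU, CPU_SECONDS)
    _cap(resource.RLIMIT_AS, ADDRESS_SPACE_BYTES)
    _cap(resource.RLIMIT_CORE, 0)

def run_submission(source, wall_timeout=10):
    """Run untrusted source under rlimits and return a verdict string."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", source],
            preexec_fn=_apply_limits, stdin=subprocess.DEVNULL,
            capture_output=True, text=True, timeout=wall_timeout,
        )
    except subprocess.TimeoutExpired:
        return "wall-clock timeout"  # e.g. a sleep that burns no CPU time
    if -proc.returncode in (signal.SIGXCPU, signal.SIGKILL):
        return "cpu limit"
    if proc.returncode != 0:
        return "memory limit" if "MemoryError" in proc.stderr else "runtime error"
    return "ok: " + proc.stdout.strip()

if __name__ == "__main__":
    for name in ("BENIGN", "INFINITE_LOOP", "MEMORY_HOG"):
        print(name, "->", run_submission(globals()[name]))
```

The wall-clock timeout is kept alongside the CPU limit because a submission that blocks or sleeps consumes no CPU time and would otherwise never be stopped.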