Software Vulnerabilities and Security Fall 2022
Software Vulnerabilities and Security is a graduate course covering common software programming, configuration, and design mistakes, and how to avoid them. The goals of the course are the following:
- Examine major vulnerability classes introduced in various software domains and levels of the software stack
- Understand effective techniques for defending against exploitation in situ
- Understand approaches for detecting the presence of vulnerabilities during development and deployment
- Gain hands-on experience in attacking and defending vulnerable software
Examples of topics covered by this course include:
- Web security
- Memory corruption
- Reverse engineering and binary analysis
- Static and dynamic vulnerability discovery
- Malware analysis and triage
Meetings
- Class meets Mondays and Thursdays 11:45–13:25 in Snell Library 005
- Office hours Mondays 15:00–16:00 and Fridays 13:30–14:30 in 609 ISEC
- TA hours TBD
Grading
Grades for this course will be assigned based on the completion of assignments. Points will also be awarded for in-class participation. Final grades may be subject to a curve.
Each assignment will focus on programming a solution for exploiting or defending a particular software vulnerability class. Students will have 1-2 weeks to complete each assignment. Assignments are expected to be completed in groups of 4, and groups will change throughout the semester. Late assignments will be accepted, with the caveat that grading will be penalized by a full letter grade for each 24-hour period following the submission deadline that an assignment is late. Re-grades of assignments may be permitted, but each successive re-grade will be penalized by a full letter grade. The assignment with the lowest score will be dropped from the final grade calculation.
Grades posted in Canvas are intended for feedback, but do not necessarily represent your final grade.
| Component | Contribution |
|---|---|
| Assignments | 95% |
| Participation | 5% |
Prerequisites
This course requires programming maturity. You can expect that the assignments will involve non-trivial programming, in some cases using low-level OS or library APIs. If you don’t satisfy this prerequisite, you should only take this class after you have done so.
Some assignments will require access to an x86/x86_64 system. If you do not directly have access to such a system, it is your responsibility to acquire this access. Mainstream clouds such as AWS or GCE offer low-cost or free tiers that are suitable for this purpose.
In addition, practical familiarity with the following topics or the ability to refer to other references and documentation for these topics is also strongly encouraged:
- Programming languages: Shell scripting (Bash), a systems language (C, C++, Rust), a scripting language (Python, Ruby), JavaScript
- Container stacks (OCI, Docker)
If you aren’t familiar with these technologies or are uncomfortable referring to available documentation on your own, you will likely have significant difficulty with this course.
Policies
Cheating. Work submitted for grading must represent your own effort. Group work is not allowed unless specifically stated otherwise. Similarly, use of third-party content (for code, whether as a library, service, or in source form) is only permissible in the context of the allowances explicitly made as part of a problem statement. “Use” in this context refers not only to copying in the cut-and-paste sense, but any content derived from third-party work. A non-exhaustive list of plagiarism examples include:
- Copying third-party code verbatim that was published in an online source code repository, forum, or other reference site such as GitHub, GitLab, Stack Overflow, Wikipedia, or similar
- Adapting an algorithm found in third-party code published online
- Collaborating on code with other students, such as adapting code written by another student or working together on a shared code base at any point
While referring to third-party code can be helpful in devising your own solution, it is also extremely dangerous as it is all too easy to plagiarize without realizing it. (It is for exactly this reason that viewing source code published online that may be relevant to a product is almost always strictly forbidden in corporate settings due to intellectual property concerns.) While discussing course material with other students is encouraged, it is strongly recommended that students refrain from viewing any third-party source code.
Cheating damages the reputation of the university as well as the grades of students who participate in the course in good faith. As such, there will be zero tolerance for cheating in this course. Students that participate in this course must acknowledge that they have read and understood the University Academic Integrity Policy. All cheating cases will be brought to the Khoury Academic Integrity Committee and to OSCCR on the first offense. Finally, all students found to be cheating will receive a failing grade on the first offense.
Reference Material. There is no official textbook for this course. Instead, we will rely on lectures and readings. If you need to brush up on background material on algorithms, architecture, systems, or networks, strongly reconsider whether you satisfy the course prerequisites.
Due to the fast pace of the field, much information is only available online and thus referring to third-party online sources is encouraged. However, keep in mind that referring to third-party source code is permissible only within the constraints of the class and university academic integrity policies.
Online Discussion. Online discussion and questions relevant to the course will be handled through Canvas. For private questions only, feel free to contact me via email. A best effort attempt will be made to respond to messages within 24 hours on weekdays during normal working hours. To ensure a timely response, do not wait to ask questions until the night before a submission deadline.
Ethics. This course covers sensitive material that includes information on how to exploit vulnerable software. Attack-oriented work must be restricted to the computing resources provided. Alternatively, students can perform this work using personal resources so long as other computing resources are not affected.
In particular, attacks performed against University resources or the open Internet are expressly prohibited. Students should also be familiar with the University Appropriate Use policy.
Schedule
| Date | Module | Topic |
|---|---|---|
| Thu Sep 08 | Introduction | Course Overview |
| Mon Sep 12 | Web Security | Cross-Site Scripting |
| Thu Sep 15 | Web Security | Cross-Site Scripting |
| Mon Sep 19 | Web Security | Server-Side Request Forgery |
| Thu Sep 22 | Web Security | Server-Side Request Forgery |
| Mon Sep 26 | Web Security | Insecure Deserialization |
| Thu Sep 29 | Web Security | Insecure Deserialization |
| Mon Oct 03 | Web Security | Authentication Bypass |
| Thu Oct 06 | Web Security | Authentication Bypass |
| Mon Oct 10 | --- | Indigenous Peoples Day |
| Thu Oct 13 | Memory Safety | Stack Protector Bypass |
| Mon Oct 17 | Memory Safety | Stack Protector Bypass |
| Thu Oct 20 | Memory Safety | Stack Protector Bypass |
| Mon Oct 24 | Memory Safety | Use After Free |
| Thu Oct 27 | Memory Safety | Use After Free |
| Mon Oct 31 | Memory Safety | Data Races |
| Thu Nov 03 | Memory Safety | Data Races |
| Mon Nov 07 | Vulnerability Discovery | Fuzz Testing |
| Thu Nov 10 | Vulnerability Discovery | Fuzz Testing |
| Mon Nov 14 | Vulnerability Discovery | Reverse Engineering |
| Thu Nov 17 | Vulnerability Discovery | Reverse Engineering |
| Mon Nov 21 | Vulnerability Discovery | Reverse Engineering |
| Thu Nov 24 | --- | Thanksgiving |
| Mon Nov 28 | Malware | Sandbox Analysis |
| Thu Dec 01 | Malware | Sandbox Analysis |
| Mon Dec 05 | Malware | Command and Control |
| Thu Dec 08 | Malware | Command and Control |
| Mon Dec 12 | Malware | Lateral Movement |
| Thu Dec 15 | Malware | Lateral Movement |