Course Information

  • Instructor: Sang Kil Cha
  • Time: (Tue./Thu.) 10:30 ~ 11:45
  • Location: N1 #110
  • TAs:
    • 김수민
    • 한형석
    • 조현성
    • 이승수
  • Grading:
    • 5% Reading critique
    • 20% Homework
    • 40% Project
    • 15% Midterm
    • 20% Final

This course provides an in-depth study of attacks and defenses in software. The major themes this course will teach include memory safety vulnerabilities, control-flow hijacking, malicious software, web attacks, binary-level program analysis techniques, and software model checking. We will offer significant hands-on experience on each topic: students will work on CTF (Capture The Flag) style hacking challenges during the semester.

Late Submission Policy

Late assignments will be assessed a late penalty of 10% per day.

Final Project Report Submission Guideline

  • Submit a single ZIP file per team. The ZIP file should contain your final report (in PDF) and any code/implementation.
  • Use ACM sig proceedings templates for your final report: link
  • Maximum 6 pages (two columns).
  • It should roughly have the following format:
    • Introduction: show motivation.
    • Problem definition: what are you trying to solve? why is it important?
    • Proposed method: why is it better than the state of the art?
    • Evaluation: list of questions your experiments are designed to answer.
    • Conclusion.

Schedule

(subject to change)

Date Topic Reading Notes
08/29/2017 Introduction to software security [Thompson/CACM1984]
08/31/2017 Assembly (x86) Overview [Machine-Level Representation of Programs] HW1 out
09/05/2017 Control Hijack [Smashing the Stack for Fun and Profit]
[WYSINWYX: What You See Is Not What You eXecute]*
*Reading Critique #1
09/07/2017 Format String & Integer Overflow [Exploiting Format String Vulnerabilities]
[Basic Integer Overflows]
[Dietz/ICSE2012]
09/12/2017 Data Execution Prevention [The Advanced Return-into-Lib(c) Exploits]
[Shacham/CCS2007]*
Reading Critique #1 due
*Reading Critique #2 out
09/14/2017 ROP [Checkoway/CCS2010]
[Schwartz/USENIXSEC2011]
HW1 due
HW2 out
09/19/2017 ASLR [Shacham/CCS2004]
[Giuffrida/USENIXSEC2012]
Reading Critique #2 due
Project team assignment due
09/21/2017 Canary and Memory Disclosure [Snow/Oakland2013]
[Backes/USENIXSEC2014]
09/26/2017 Modern Defenses [Davi/NDSS2015]
[Backes/CCS2014]
[Braden/NDSS2016]
[Crane/Oakland2015]
09/28/2017 Runtime Monitoring [Schneider/TISSEC2000]*
[Nethercote/PLDI2007]
[Serebryany/ATC2012]
*Reading Critique #3 out
10/03/2017 (개천절) National Foundation Day HW2 due
Project proposal due
10/05/2017 (추석) Chuseok
10/10/2017 Control Flow Integrity [Abadi/CCS2005]
[Carlini/USENIXSEC2015]
[Conti/CCS2015]
10/12/2017 Midterm Overview Reading Critique #3 due
10/17/2017 No Class (midterm week)
10/19/2017 Midterm 09:00-11:45
10/24/2017 Type Confusion [Lee/USENIXSEC2015]
[Ratanaworabhan/USENIXSEC2009]
10/26/2017 Heap Hardening [Malloc Des-Maleficarum]
[Novark/CCS2010]*
*Reading Critique #4 out
10/31/2017 No Class (Meeting with instructors)
11/02/2017 No Class (Meeting with instructors) Reading Critique #4 due
11/05/2017 Project checkpoint due
11/07/2017 Heap Hardening II [Berger/PLDI2006]
[Akritidis/USENIXSEC2010]
HW3 out
11/09/2017 Obfuscation [Linn/CCS2003]
[Kruegel/USENIXSEC2004]
[Yadegari/Oakland2015]
11/14/2017 Platform-Independent Programs [Cha/CCS2010]
11/16/2017 Data Exploits [Chen/USENIXSEC2005]*
[Hu/USENIXSEC2015]
*Reading Critique #5 out
11/21/2017 Symbolic Execution, Taint Analysis [Schwartz/Oakland2010]
[Cadar/CCS2006]
[Godefroid/NDSS2008]
HW3 due
11/23/2017 Fuzzing [Cha/Oakland2012]
[Woo/CCS2013]
[Li/FSE2017]
Reading Critique #5 due
11/28/2017 Recap & Final Overview
11/30/2017 Project Presentation (1)
12/05/2017 Project Presentation (2) [Evaluation Sheet]
12/07/2017 No Class (Undergraduate admission)
12/12/2017 No Class (final week)
12/14/2017 Final Exam
Final Project Report Deadline