Software Security

Software Security, Spring 2019

Instructor: Ning Zhang, zhang.ning@wustl.edu, public key
Meeting: Mon, Wed: 4:00 pm - 5:30 pm
Classroom: Cupples II / L015
Canvas: https://wustl.instructure.com/courses/13123

Course Description


In this course, students will be introduced to the foundations of software security. We will explore different classes of software vulnerabilities, analyze the fundamental problems behind them, and study the methods and techniques used to discover, exploit, prevent and mitigate them. Topics of interest include buffer overflow, integer overflow, type confusion, use-after-free, etc. Throughout the course, we take a defense-in-depth mentality and see how systems can be protected. Students are expected to have a solid understanding of assembly language, C/C++ and operating systems.

Recommended prerequisite: CSE 361. Feel free to join the class without the prerequisite as long as you are willing to pick up the low-level systems knowledge in the first several weeks of the class.

Textbook


There is no textbook for the class. We will use research papers for some of the topics. However, the following references can be helpful.

Grading


There is no exam in this class; evaluation will be based on class participation and the final project.

Research Discussion (40%)
-- Topic Presentation 15%
-- Attendance 5%
-- Discussion Participation 20%

Projects (60%)
-- Background research 10%
-- Mid-term progress 20%
-- Final Presentation and Paper 30%


Schedule


Slides, Lab Assignments and QA are in the WUSTL Canvas system.
Detailed Class Schedule (updated during the semester)
Class Project and Paper Presentation Guideline
Paper discussion signup
Project signup
Working Paper Review
Submitted Paper Review
Final Project Review

week 1 - class intro, security fundamentals, low-level systems
week 2-4 - stack overflow, return-to-libc, ROP, Shellshock lab
week 5 - project proposal - chalk talk
week 6 - instrumentation
! Project Background due
week 7-8 - fuzzing
week 9 - spring break
week 10 - static analysis
week 11 - automatic exploit generation, defense and attack techniques
! Mid-term progress due
week 12 - concurrency lab and discussion
week 13 - more vulnerabilities
week 14 - CTF or project time
week 15 - final project presentation
! Project due

Projects


The class project can be original research or tool development in software security. The class project report should follow the IEEE conference template. The report should be long enough to provide real insight into the topic (individual projects often require more than 6 pages). Development should be source controlled using a tool such as git. Students are expected to spend at least six to eight hours on the class labs and projects every week. Some ideas for projects are listed below.

Ethics


With great power comes great responsibility. In this course, we will be learning about and exploring vulnerabilities that could be used to attack systems. Students are expected to behave responsibly and ethically. You may not attack any system without the prior approval of its owners, and you may not use anything you learn in this class to disrupt services or harm others. If you have any doubt about whether something you want to do is ethical and legal, check with the course instructor first.
