Program Analysis
Summer semester 2024, in-person and Moodle.
Tuesday 10:00 – 12:00, MC 1/30-31 (Lectures)
Wednesday 8:00 – 10:00, MC 1/30-31 (Exercises)
Goals
Students will learn various concepts, techniques, and tools in the area of program analysis, including reverse engineering and binary analysis. They will also gain understanding of static and dynamic analysis, as well as trade-offs in soundness, completeness, and precision of various analysis techniques. They will be able to describe various aspects of program analysis, and assess and adapt existing program analysis techniques to new problem domains.
Content
The lecture covers various topics as an introduction to program analysis from a practical point of view, while also covering its underlying mathematical foundation in terms of what programs can be analyzed, and how accurate the analyses will be. Topics include, but are not limited to:
- Static and Dynamic Program Analysis
- Basic Reverse Engineering
- Binary Instrumentation
- Control Flow Analysis
- Data Flow Analysis and Abstract Interpretation
- Symbolic Execution and Axiomatic Semantics
- Operational Semantics
- Taint Tracking
- Program Slicing
Requirements
No mandatory course requirements. Basic understanding of systems programming (assembly and C), boolean logic, set algebra, and some comprehension of mathematical formulas is helpful for the course.
Language
English. Questions in German are perfectly OK, answers will be given in English.
We want to encourage you to be comfortable using English and to become fluent in it. Naturally, we will not penalize (minor) typographical mistakes and grammar as long as your answers are comprehensible.
Assignments
During the course, there will be exercises/assignments. They are complementary to the lecture material and help in deepening your understanding in the topics covered in the lecture.
Unless specified otherwise, assignments and lab work needs to be performed and submitted individually. For individual assignments, any form of unsolicited collaboration or plagiarism will not be tolerated, will result in the immediate disqualification of the involved students from that particular assignment, and may result in disciplinary action by the university.
Please see also the guidelines on good scientific practice by RUB.
Exam
Written, see Moodle for dates and times.
Grading
Exam (100%), bonus of up to 10% from assignments possible.
An additional 5% bonus can be obtained for participating in online discussions about the reading material and answering fellow students‘ technical questions.
Software Security
Winter semester 2023/2024: in-person and Moodle.
Wednesdays 10:00 – 12:00, HZO 70 (Lectures)
Wednesdays 14:00 – 16:00, IC 03/112 (Exercises)
Goals
At the end of this course, students will be able to:
- classify and describe vulnerabilities and protection mechanisms of software systems
- analyze and reason about protection mechanisms for modern software systems
- identify vulnerabilities in software systems
- develop proofs of concept exploits/verifications to show the existence of a vulnerability in a software system
- understand how to write code defensively to reduce the risk of vulnerabilities
Content
The course covers the area of software security and vulnerability discovery and vulnerability verification, focusing on:
- Assembly and Disassembly, Shellcode
- Binary Reverse Engineering and Debugging
- Sandboxing
- Memory and Type Safety/Errors
- Information Leakage
- Vulnerability Exploitation/Verification, Buffer and Heap Overflows
- Code Re-use Attacks, e.g., Return Oriented Programming
- Race Conditions
- Format String Vulnerabilities
- Exploit/Verification Synthesis and Automated Exploitation/Verification
- Kernel Security
- Defensive Programming
Requirements
Completed bachelor courses „System Security“ and „Operating System Security“ or equivalent courses.
Language
English. Questions in German are perfectly OK, answers will be given in English.
We want to encourage you to be comfortable using English and to become fluent in it. Naturally, we will not penalize (minor) typographical mistakes and grammar as long as your answers are comprehensible.
Assignments
During the course, there will be exercises/assignments. They are complementary to the lecture material and help in deepening your understanding in the topics covered in the lecture.
Unless specified otherwise, assignments and lab work needs to be performed and submitted individually. For individual assignments, any form of unsolicited collaboration or plagiarism will not be tolerated, will result in the immediate disqualification of the involved students from that particular assignment, and may result in disciplinary action by the university.
Please see also the guidelines on good scientific practice by RUB.
Project
Throughout the course, you need to complete a project that is composed of solving a variety of security challenges that require you to reverse engineer software, discover vulnerabilities, and show that you can take control over the program by leveraging these vulnerabilities. You need to document your solutions appropriately.
Different from the exercises, the grading of the project is at the end of the course and you do not receive information about how to solve specific steps of the project.
Exam
There is no final exam at the end of the semester. Your overall grade is composed of the exercises and the course project.
Grading
30% Exercises/Assignments
70% Project
Up to an additional 10% bonus can be received for participating in online discussions about the reading material and answering fellow students‘ questions.
Format
In-person lectures and exercise session only (not hybrid). Additional material provided on Moodle.