This special topics course will dive into today’s state-of-the-art techniques for uncovering hidden security vulnerabilities in software. Introductory fuzzing exercises will provide hands-on experience with industry-popular security tools such as AFL+ and AddressSanitizer, culminating in a final project where you’ll work to hunt down, analyze, and report security bugs in a real-world application or system of your choice.
This class is open to graduate students and upper-level undergraduates. It is recommended you have a solid grasp over topics like software security, systems programming, and C/C++.
Learning Outcomes: At the end of the course, students will be able to:
Professor | |
Prerequisites | CS 3500, with a grade of C- or better. |
Lectures |
WEB L114, Mondays and Wednesdays, 1:25–2:45PM
Slides will be posted on the Schedule.
|
Office Hours | Office hours will be held Mondays and Wednesdays from 2:45–3:30PM (following lecture) in MEB 3446. If you have a time conflict, email the professor to set up an alternative appointment. |
Communication |
|
Recommended Reading |
|
UofU Cyber Resources | |
Labs | 45% | Three introductory solo labs (15% each) designed to build up your skills for the Final Project. |
Final Project | 35% | Students will team up in groups of up to four (or optionally work solo) to target an emerging or hard-to-test application of their choice, figure out how to harness it for testing, and unleash security testing on it to uncover its hidden bugs. Students will then triage all found vulnerabilities, assess their severity, and responsibly disclose them to the software’s developers. Teams will showcase their work on the last day of class, and open-source their tools and techniques for the world to use. Get creative and have fun! |
Presentations | 10% | Students will each select one paper from the Schedule to present to the class in a 5-minute presentation, with an audience discussion to follow. |
Participation | 10% | Participate during paper discussions, ask questions, and make intellectual contributions! |
Assignment due dates are strict, and no late submissions will be accepted. The instructor may grant individual extensions, but only under extraordinary circumstances. We strongly recommend that you get started and attend office hours early.
We are here to provide a nurturing environment for everyone enrolled in the course. However, violations of Utah's Standards of Academic Integrity, such as cheating or unacceptable collaboration, will result in appropriate disciplinary action such as a failing grade on the assignment, failure in the course, probation, suspension, or dismissal from the University. Cheating is when you copy, with or without modification, someone else’s work that is not meant to be publicly accessible. Unacceptable collaboration is the knowing exposure of your own answers, or the use of someone else’s answers.
At the same time, we encourage students to help each other learn the course material. As in most courses, there is a boundary separating these two situations. You may give or receive help on any of the concepts covered in lecture. You are allowed to consult with other students about the conceptualization of a project, or the general approach for solving problems. However, all work, whether in scrap or final form, must be done by you (or your project partners, where applicable).
If you have any questions as to what constitutes unacceptable collaboration or exploitation of prior work, please talk to a member of the course staff right away. You are expected to exercise reasonable precautions to protect your own work, including not posting solutions publicly (e.g., public GitHub repos) and not sharing code outside of your group.
To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university’s rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy in CS 5963/6963 is that you must respect the privacy and property rights of others at all times, or else you will fail the course.
Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), one of several federal laws that broadly criminalizes computer intrusion (i.e., "hacking"). Understand what the law prohibits—you dont want to end up like this guy. If in doubt, we can refer you to an attorney.
Please review the University's Acceptable Use Policy concerning proper use of information technology, as well as the Student Code. As members of the university, you are required to abide by these (and all other) policies.
1. The Americans with Disabilities Act. The University of Utah seeks to provide equal access to its programs, services, and activities for people with disabilities. If you will need accommodations in this class, reasonable prior notice needs to be given to the Center for Disability & Access, 162 Olpin Union Building, 801-581-5020. CDS will work with you and the instructor to make arrangements for accommodations. All written information in this course can be made available in an alternative format with prior notification to the Center for Disability & Access. Given the nature of this course, attendance is required and adjustments cannot be granted to allow non-attendance. However, if you need to seek an ADA accommodation to request an exception to this attendance policy due to a disability, please contact the Center for Disability and Access (CDA). CDA will work with us to determine what, if any, ADA accommodations are reasonable and appropriate.
2. University Safety Statement. The University of Utah values the safety of all campus community members. To report suspicious activity or to request a courtesy escort, call campus police at 801-585-COPS (801-585-2677). You will receive important emergency alerts and safety messages regarding campus safety via text message. For more information regarding safety and to view available training resources, including helpful videos, visit safeu.utah.edu.
3. Addressing Sexual Misconduct. Title IX makes it clear that violence and harassment based on sex and gender (which Includes sexual orientation and gender identity/expression) is a civil rights offense subject to the same kinds of accountability and the same kinds of support applied to offenses against other protected categories such as race, national origin, color, religion, age, status as a person with a disability, veteran’s status or genetic information. If you or someone you know has been harassed or assaulted, you are encouraged to report it to the Title IX Coordinator in the Office of Equal Opportunity and Affirmative Action, 135 Park Building, 801-581-8365, or the Office of the Dean of Students, 270 Union Building, 801-581-7066. For support and confidential consultation, contact the Center for Student Wellness, 426 SSB, 801-581-7776. To report to the police, contact the Department of Public Safety, 801-585-COPS (801-585-2677).