Introduction to Software Security
What Problems Are We Solving in Software Security?
Software security is a broad and dynamic field. To help us focus, I’ll use two DARPA competitions as motivating examples:
Cyber Grand Challenge (CGC) – 2016
Launched in 2014 with a final showdown in 2016, CGC focused on fully automated vulnerability discovery, patching, and exploit generation—all at the binary level.
Key goals:
- Automatically identify vulnerabilities in binary code
- Automatically patch those vulnerabilities
- Generate exploits that serve as proof of each vulnerability
Why binary?
Because in the real world, especially with proprietary systems, we often don’t have access to source code.
AIxCC – Ongoing
A newer competition focused on incorporating AI—particularly large language models (LLMs)—into vulnerability discovery and patching, this time at the source code level.
It emphasizes:
- Automatically identifying and patching vulnerabilities in open-source software
- Improving the security of code widely used by the community
This reflects a growing concern with software supply chain security, where many applications depend on open-source components.
These two events capture the heart of what we’ll explore in this course: the techniques, tools, and research used to secure software—both at the binary and source code level.
Topics
- Binary exploitation
- Vulnerability discovery
- Fuzzing and symbolic execution
- Binary patching
- Software supply chain security
- AI applications in security
Labs
- Lab 1: Buffer Overflow Exploits
- Lab 2: Fuzzing and Symbolic Execution
- Lab 3: Control Flow Integrity