CS 250: Software Security

Course Description

This is a graduate-level research-oriented course. The goal of this course is to teach graduate students the state-of-the-art techniques and tools and their applications to software security problems, including vulnerabilities and exploits, malware, patching, reverse engineering, and forensics. This course is aimed to balance between lectures, lab assignments and projects, such that the students can grasp the core concepts, gain first-hand experience through lab assignments to reinforce the understanding of these concepts, and further explore unknowns via course projects.

  • Instructor: Heng Yin
  • Email: heng AT cs DOT ucr DOT edu
  • Office: Winston Chung Hall 316
  • Office hours: by appointment
  • Location and Time: Gordon Watkins Hall 2240, M/W 5:00 PM - 6:20 PM

Communication

We will use eLearn for announcements, assignments and grading, and Slack for Q&A and discussions.

Covered Topics

  • Fuzzing
  • Symbolic Execution
  • Exploit Generation
  • Hardening and Patching
  • Binary Code Reverse Engineering
  • Software Supply Chain Security

Paper Review and Presentation

Each student is responsible to present one paper in the class for about 25 minutes and lead the discussion for about 15 minutes. A signup sheet will be provided to select which paper to present (first come first serve). Use your RMail to access it.

Each student is required to write reviews of at least 400 words for all the papers presented by students, before the papers are presented in class. A review must include the following aspects:

  • Describe the problem
  • Explain how previous work solves this problem and why it is insufficient
  • Explain how this paper tackles the problem and why this approach can solve this problem
  • What you like and dislike about this paper
  • List questions you have and would like to discuss in the class.

Lab Assignments

  1. Binary Code Comprehension: Construct simple exploits from binary code.
  2. Experimenting with Symbolic Execution and Fuzzing
  3. Implementing CFI for Binary.

Projects

Each student needs to submit a research proposal and a term paper.

Grading (Adjusted)

  • Class participation: 10%
  • Lab assignments: 30%
  • Presentation: 20%
  • Paper reviews: 10%
  • Term paper: 30% (5% proposal + 25% report)

Resources

I am working on a web-based textbook for software security, which is available here. It is largely based on the lectures from this course. I am updating it while teaching this course.

Schedule

Monday Wednesday
03/31
Syllabus
Binary Code Comprehension
Lab 1: Buffer Overflow Exploit Construction 		04/02
Dynamic Binary Instrumentation
04/07
Dynamic Taint Analysis
Full-System Dynamic Binary Analysis
 04/09
Symbolic Execution
04/14
Fuzzing
 04/16
Exploit Generation
Lab 2: Experimenting with Symbolic Execution and Fuzzing
04/21
Hardening 		04/23
Reassembly
04/28
Static Binary Analysis 		04/30
Binary Code Representation Learning
05/05
SymFit: Making the Common (Concrete) Case Fast for Binary-Code Concolic Execution 		05/07
Marco: A Stochastic and Asynchronous Concolic Explorer
05/12
Angora: Efficient Fuzzing by Principled Search 		05/14
Firm-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation
05/19
Efficient Directed Fuzzing with Selective Path Exploration 		05/21
Gramatron: Effective Grammar-Aware Fuzzing
05/26
BinDSA: Efficient, Precise Binary-Level Pointer Analysis with Context-Sensitive Heap Reconstruction 		05/28
SigmaDiff: Semantics-Aware Deep Graph Matching for Pseudocode Diffing
06/02
CLAP: Learning Transferable Binary Code Representations with Natural Language Supervision 		06/04
Code is not Natural Language: Unlock the Power of Semantics-Oriented Graph Representation for Binary Code Similarity Detection