Secure Software Development (WS 2024/25)

Course Number 705022 | Wintersemester 2024/25

Content

The slides are available here after the end of each lecture. The practicals, an explanation about the lecture, exam hacklets, and old exams can be found here: Material

Starting W24, slides will be uploaded here.

| Date | Type | Topic | Lecturer | Material |
|---|---|---|---|---|
| 2024-10-02 10:15 | KU | Warmup + Organization | Stefan, Sebastian | Slides |
| 2024-10-04 12:00 | VO | Organization + Intro | Daniel | |
| 2024-10-09 10:15 | KU | Tools 1 | Sebastian | Slides |
| 2024-10-11 12:00 | VO | Low Level / C++ Objects | Daniel | |
| 2024-10-11 23:59 | KU | Deadline for Warmup Hacklet | | |
| 2024-10-16 10:15 | KU | Hacklets 1 | Sebastian | |
| 2024-10-18 12:00 | VO | Memory Corruption 1 | Lukas | |
| 2024-10-25 12:00 | VO | Memory Corruption 2 | Lukas | |
| 2024-11-08 12:00 | VO | Exploits | Sebastian | |
| 2024-11-15 12:00 | VO | Finding Bugs 1 | Stefan | |
| 2024-11-17 23:59 | KU | Deadline for Hacklets 1 | | |
| 2024-11-20 10:15 | KU | Hacklets 2 | Sebastian | |
| 2024-11-22 12:00 | VO | Finding Bugs 2 | Stefan | |
| 2024-11-27 10:15 | KU | Defensive Programming | Bernd, Lorenz | Slides |
| 2024-11-29 12:00 | VO | Defensive Programming | Lorenz | |
| 2024-12-06 12:00 | VO | Countermeasures | Lorenz | |
| 2024-12-13 12:00 | VO | Exam | | |
| 2024-12 TBD | VO | Christmas Special (?) | | |
| 2024-12-22 23:59 | KU | Deadline for Hacklets 2 | | |
| 2025-01-14 23:59 | KU | Deadline for Defensive Programming | | |
 

Material

This course deals with the design and implementation of secure software. Memory corruption vulnerabilities in particular, such as buffer overflows, integer overflows or use-after-free bugs, can be exploited by an attacker to bypass the intended program behavior and, in the worst case, execute an arbitrary payload. We will look at various runtime mitigation techniques such as ASLR, stack canaries and data execution prevention. However, they can often be bypassed by more advanced exploitation techniques. Rather than preventing certain attacks, the ultimate goal is to eliminate memory corruption vulnerabilities and achieve "memory safety". We will discuss methods for debugging and bug discovery as well.

Administrative Information

Previous Knowledge

Information Security course (INP.33504UF and INP.33503UF)

Prerequisites Curriculum

See position in the curriculum

Objective

After this course you understand the concept of "memory safety" and the various memory corruption vulnerabilities (buffer overflow, integer overflows, use-after-free, double free, uninitialized data, type confusion, etc.) violating it. You know how to detect, exploit and mitigate such vulnerabilities. Furthermore, you know about various runtime mitigation techniques and are able to assess their (in)effectiveness in practice. You know the principles of defensive programming.

Language

English

Teaching Method

In person + online support

How to get a grade

Written and Oral Exam (possibly virtual). Some detailed and applied questions may be provided before the oral exam. In the oral exam students must be able to produce a full solution to these.

Registration

https://online.tugraz.at/tug_online/ee/rest/pages/slc.tm.cp/course-registration/528188

Lecturers

Daniel Gruß (Professor)
Vedad Hadžić (PhD Candidate)
Lukas Maar (PhD Student)
Marcel Nageler (PhD Student)
Stefan Gast (PhD Student)