Secure Software Development (WS 2024/25)
Table of Content
Content
The slides are available here after the end of each lecture. The practicals, an explanation about the lecture, exam hacklets, and old exams can be found here: MaterialStarting W24, Slides will be uploaded here.
Date | Type | Topic | Lecturer | Material |
---|---|---|---|---|
2024-10-02 10:15 | KU | Warmup + Organization | Stefan, Sebastian | Slides |
2024-10-04 12:00 | VO | Organization + Intro | Daniel | |
2024-10-09 10:15 | KU | Tools 1 | Sebastian | Slides |
2024-10-11 12:00 | VO | Low Level / C++ Objects | Daniel | |
2024-10-11 23:59 | KU | Deadline for Warmup Hacklet | ||
2024-10-16 10:15 | KU | Hacklets 1 | Sebastian | |
2024-10-18 12:00 | VO | Memory Corruption 1 | Lukas | |
2024-10-25 12:00 | VO | Memory Corruption 2 | Lukas | |
2024-11-08 12:00 | VO | Exploits | Sebastian | |
2024-11-15 12:00 | VO | Finding Bugs 1 | Stefan | |
2024-11-17 23:59 | KU | Deadline for Hacklets 1 | ||
2024-11-20 10:15 | KU | Hacklets 2 | Sebastian | |
2024-11-22 12:00 | VO | Finding Bugs 2 | Stefan | |
2024-11-27 10:15 | KU | Defensive Programming | Bernd, Lorenz | Slides |
2024-11-29 12:00 | VO | Defensive Programming | Lorenz | |
2024-12-06 12:00 | VO | Countermeasures | Lorenz | |
2024-12-13 12:00 | VO | Exam | ||
2024-12 TBD | VO | Christmas Special (?) | ||
2024-12-22 23:59 | KU | Deadline for Hacklets 2 | ||
2025-01-14 23:59 | KU | Deadline for Defensive Programming |
Material
This course deals with the design and implementation of secure software. Especially memory corruption vulnerabilities such as buffer overflows, integer overflows or use-after-free bugs can be exploited by an attacker to bypass the intended program behavior and execute arbitrary payload in the worst case. We will look at various runtime mitigation techniques such as ASLR, stack canaries and data execution prevention exist. However, they can often be bypassed by more advanced exploitation techniques. Rather than preventing certain attacks, the ultimate goal is to eliminate memory corruption vulnerabilities and achieve "memory safety". We will discuss methods for debugging and bug discovery as well. The slides are available here after the end of each lecture. The practicals, an explanation about the lecture, exam hacklets, and old exams can be found here: MaterialAdministrative Information
Previous Knowledge
Information Security course (INP.33504UF and INP.33503UF)Prerequisites Curriculum
See position in the curriculumObjective
After this course you understand the concept of "memory safety" and the various memory corruption vulnerabilities (buffer overflow, integer overflows, use-after-free, double free, uninitialized data, type confusion, etc.) violating it. You know how to detect, exploit and mitigate such vulnerabilities. Furthermore, you know about various runtime mitigation techniques and are able to assess their (in)effectiveness in practice. You know the principles of defensive programming.Language
EnglishTeaching Method
In person + online supportHow to get a grade
Written and Oral Exam (possibly virtual). Some detailed and applied questions may be provided before the oral exam. In the oral exam students must be able to produce a full solution to these.Registration
https://online.tugraz.at/tug_online/ee/rest/pages/slc.tm.cp/course-registration/528188