CS 5963/6963: Applied Software Security Testing

This special topics course will dive into today’s state-of-the-art techniques for uncovering hidden security vulnerabilities in software. Introductory fuzzing exercises will provide hands-on experience with industry-popular security tools such as AFL+ and AddressSanitizer, culminating in a final project where you’ll work to hunt down, analyze, and report security bugs in a real-world application or system of your choice.

This class is open to graduate students and upper-level undergraduates. It is recommended you have a solid grasp over topics like software security, systems programming, and C/C++.

Learning Outcomes: At the end of the course, students will be able to:

Design, implement, and deploy automated testing techniques to improve vulnerability on large and complex software systems.
Assess the effectiveness of automated testing techniques and identify why they are well- or ill-suited to specific codebases.
Distill testing outcomes into actionable remediation information for developers.
Identify opportunities to adapt automated testing to emerging and/or unconventional classes of software or systems.
Pinpoint testing obstacles and synthesize strategies to overcome them.
Appreciate that testing underpins modern software quality assurance by discussing the advantages of proactive and post-deployment software testing efforts.

Professor	Stefan Nagy
Prerequisites	CS 3500, with a grade of C- or better.
Lectures	WEB L114, Mondays and Wednesdays, 1:25–2:45PM Slides will be posted on the Schedule.
Office Hours	Office hours will be held Mondays and Wednesdays from 2:45–3:30PM (following lecture) in MEB 3446. If you have a time conflict, email the professor to set up an alternative appointment.
Communication	We use Piazza for announcements and discussion about assignments and other course material. Assignments will be posted on this site, and collected and graded via Canvas. For administrative issues, email snagy@cs.utah.edu.
Recommended Reading	The Fuzzing Book by Zeller, Gopinath, Böhme, Fraser, and Holler Fuzzing Against the Machine by Antonio Nappa and Blazquez The Art, Science, and Engineering of Fuzzing by Manès, Han, Han, Cha, Egele, Schwartz, and Woo Introduction to Computer Security by Goodrich and Tamassia Security Engineering by Ross Anderson
UofU Cyber Resources	The UtahSec Cyber Security Club The Utah Software Security Group Professor Nagy's FuTURES³ Lab Professor Xu's research group Professor Garcia's research group Professor Soni's research group Professor Zhang's research group Professor Patil's research group Professor Kasera's research group

Grading

Labs	45%	Three introductory solo labs (15% each) designed to build up your skills for the Final Project.
Final Project	35%	Students will team up in groups of up to four (or optionally work solo) to target an emerging or hard-to-test application of their choice, figure out how to harness it for testing, and unleash security testing on it to uncover its hidden bugs. Students will then triage all found vulnerabilities, assess their severity, and responsibly disclose them to the software’s developers. Teams will showcase their work on the last day of class, and open-source their tools and techniques for the world to use. Get creative and have fun!
Presentations	10%	Students will each select one paper from the Schedule to present to the class in a 5-minute presentation, with an audience discussion to follow.
Participation	10%	Participate during paper discussions, ask questions, and make intellectual contributions!

Late Assignments Policy

Assignment due dates are strict, and no late submissions will be accepted. The instructor may grant individual extensions, but only under extraordinary circumstances. We strongly recommend that you get started and attend office hours early.

Collaboration and Academic Integrity

We are here to provide a nurturing environment for everyone enrolled in the course. However, violations of Utah's Standards of Academic Integrity, such as cheating or unacceptable collaboration, will result in appropriate disciplinary action such as a failing grade on the assignment, failure in the course, probation, suspension, or dismissal from the University. Cheating is when you copy, with or without modification, someone else’s work that is not meant to be publicly accessible. Unacceptable collaboration is the knowing exposure of your own answers, or the use of someone else’s answers.

At the same time, we encourage students to help each other learn the course material. As in most courses, there is a boundary separating these two situations. You may give or receive help on any of the concepts covered in lecture. You are allowed to consult with other students about the conceptualization of a project, or the general approach for solving problems. However, all work, whether in scrap or final form, must be done by you (or your project partners, where applicable).

If you have any questions as to what constitutes unacceptable collaboration or exploitation of prior work, please talk to a member of the course staff right away. You are expected to exercise reasonable precautions to protect your own work, including not posting solutions publicly (e.g., public GitHub repos) and not sharing code outside of your group.

Ethical and Lawful Use of Technology

To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university’s rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy in CS 5963/6963 is that you must respect the privacy and property rights of others at all times, or else you will fail the course.

Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), one of several federal laws that broadly criminalizes computer intrusion (i.e., "hacking"). Understand what the law prohibits—you dont want to end up like this guy. If in doubt, we can refer you to an attorney.

Please review the University's Acceptable Use Policy concerning proper use of information technology, as well as the Student Code. As members of the university, you are required to abide by these (and all other) policies.

University Policies

1. The Americans with Disabilities Act. The University of Utah seeks to provide equal access to its programs, services, and activities for people with disabilities. If you will need accommodations in this class, reasonable prior notice needs to be given to the Center for Disability & Access, 162 Olpin Union Building, 801-581-5020. CDS will work with you and the instructor to make arrangements for accommodations. All written information in this course can be made available in an alternative format with prior notification to the Center for Disability & Access. Given the nature of this course, attendance is required and adjustments cannot be granted to allow non-attendance. However, if you need to seek an ADA accommodation to request an exception to this attendance policy due to a disability, please contact the Center for Disability and Access (CDA). CDA will work with us to determine what, if any, ADA accommodations are reasonable and appropriate.

2. University Safety Statement. The University of Utah values the safety of all campus community members. To report suspicious activity or to request a courtesy escort, call campus police at 801-585-COPS (801-585-2677). You will receive important emergency alerts and safety messages regarding campus safety via text message. For more information regarding safety and to view available training resources, including helpful videos, visit safeu.utah.edu.

3. Addressing Sexual Misconduct. Title IX makes it clear that violence and harassment based on sex and gender (which Includes sexual orientation and gender identity/expression) is a civil rights offense subject to the same kinds of accountability and the same kinds of support applied to offenses against other protected categories such as race, national origin, color, religion, age, status as a person with a disability, veteran’s status or genetic information. If you or someone you know has been harassed or assaulted, you are encouraged to report it to the Title IX Coordinator in the Office of Equal Opportunity and Affirmative Action, 135 Park Building, 801-581-8365, or the Office of the Dean of Students, 270 Union Building, 801-581-7066. For support and confidential consultation, contact the Center for Student Wellness, 426 SSB, 801-581-7776. To report to the police, contact the Department of Public Safety, 801-585-COPS (801-585-2677).