CS 5963/6963: Applied Software Security Testing

This special topics course will dive into today’s state-of-the-art techniques for uncovering hidden security vulnerabilities in software. Projects will provide hands-on experience with real-world security tools like AFL++ and AddressSanitizer, culminating in a final project where you’ll team up to hunt down, analyze, and report security bugs in a real application or system of your choice.

This class is open to graduate students and upper-level undergraduates. It is recommended you have a solid grasp over topics like software security, systems programming, and C/C++.

Prerequisites CS 3500, with a grade of C- or better.
Lectures MEB 3485, Tuesdays and Thursdays, 9:00–10:00AM
Slides will be posted on the Schedule.
Office Hours By appointment.
Communication We use Piazza for announcements and discussion about assignments and other course material. For administrative issues, email snagy@cs.utah.edu. Assignments will be posted on this site, and collected and graded via Canvas.
Recommended Reading
UofU Cyber Resources


Team Project 35% Students will team up to target an emerging or hard-to-test application of their choice, figure out how to harness it for testing, and unleash security testing on it to uncover its hidden bugs. Students will then triage all found vulnerabilities, assess their severity, and responsibly disclose them to the software’s developers. Teams will showcase their work on the last day of class, and open-source their tools and techniques for the world to use. Get creative and have fun!
Labs 45% Three introductory labs (15% each) designed to build up your skills for the Team Project.
Paper Talks 10% Students will each select 1 paper from the Lecture Schedule to present to the class in a 10–20 minute presentation per paper, with a 10 minute discussion to follow.
Attendance 10% Participate during paper presentations and discussions, ask questions, and make intellectual contributions!

Ethics, Law, and University Policies Warning

To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law or the university’s rules, and it may be unethical. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including expulsion, civil fines, and jail time. Our policy in CS 5963/6963 is that you must respect the privacy and property rights of others at all times, or else you will fail the course.

Acting lawfully and ethically is your responsibility. Carefully read the Computer Fraud and Abuse Act (CFAA), one of several federal laws that broadly criminalizes computer intrusion (i.e., "hacking"). Understand what the law prohibits—you dont want to end up like this guy. If in doubt, we can refer you to an attorney.

Please review the University's Acceptable Use Policy concerning proper use of information technology, as well as the Student Code. As members of the university, you are required to abide by these (and all other) policies.