Credits: Many slides are inspired by or taken from other excellent courses in software security, including notes from Lujo Bauer, Anupam Datta, Dan Boneh, and Giovanni Vigna.

Schedule subject to change. Please check back regularly.
Each entry lists the date and topic, followed by the assigned reading (readings marked "Extra" are optional) and notes (links to slides, homework and project deadlines).

8/29  Introduction and Course Overview
      Notes: slides

8/31  Machine Code Execution - Basic Instructions
      Reading: x86 Assembly Guide
      Notes: slides (updated); survey

9/5   No Class - University Holiday

9/7   Machine Code - Procedures, Reversing; Basics of Exploitation
      Reading: Smashing the Stack for Fun and Profit
               Paul Makowski's blog post on what has changed since the paper was written
               Exploiting Format String Vulnerabilities
      Notes: slides (Machine Code); slides (Basics of Exploitation)

9/12  OS Protection: ASLR and DEP
      Reading: On the Effectiveness of Address-Space Randomization
               ASLR Smack and Laugh Reference
               Extra: Design of ASLR in PaX
      Notes: slides; HW 1 out

9/14  Return-Oriented Programming (Ed Schwartz)
      Reading: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)
               Q: Exploit Hardening Made Easy
      Notes: slides; Project Phase 1 due

9/19  Fixing C: Fixing Unsafe Language Features
      Reading: Backwards-Compatible Array Bounds Checking for C with Very Low Overhead
               Control-Flow Integrity (you must be on campus or use the CMU VPN to view this file without paying)
      Notes: slides; slides

9/21  Integer Vulnerabilities and Defenses
      Reading: Type Systems, Sections 1-4
               Efficient and Accurate Detection of Integer-based Attacks
               Extra: CCured in the Real World
      Notes: slides; HW 1 due

9/26  Web Intro and Client-Side Web Security
      Reading: Wikipedia on XSS
               Robust Defenses for Cross-Site Request Forgery
               Extra: Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense
      Notes: slides; slides

9/28  Server-Side Web Security
      Reading: xkcd
      Notes: slides

10/3  Project Presentations
      Notes: Project Phase 2 due; HW 2 out

10/5  Guest Lecture: Trusted Computing (Jon McCune)
      Reading: Bootstrapping Trust in Commodity Computers
      Notes: slides

10/10 Information Flow
      Reading: Language-Based Information-Flow Security
               All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution
      Notes: slides; slides; HW 2 due

10/12 Information Flow: Applications
      Reading: Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
               TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
      Notes: slides; slides. The information-flow reading (10/10) also covers symbolic execution.

10/17 Review

10/19 Midterm

10/24 Applications of Symbolic Execution
      Reading: Proof-Carrying Code
               Automated Exploit Generation
      Notes: slides

10/26 Malware Attacks
      Reading: Dynamic Analysis of Malicious Code
               BitShred: Feature Hashing Malware for Scalable Triage and Semantic Analysis
      Notes: slides; slides; Project Phase 3 due

10/31 Not Everything Is Safety: Timing Attacks
      Reading: Remote Timing Attacks Are Practical
               Timing Analysis of Keystrokes and Timing Attacks on SSH
      Notes: slides; slides; HW 3 out

11/2  Group status reports

11/7  Guest Lecture: Limin Jia

11/9  No Class
      Notes: HW 3 due; Extra HW out

11/14 Separation and Isolation
      Reading: Efficient Software-Based Fault Isolation, by Wahbe et al.
               Enforceable Security Policies
      Notes: slides

11/16 Separation and Separation Challenges
      Reading: Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools
               Native Client: A Sandbox for Portable, Untrusted x86 Native Code
      Notes: slides

11/21 Static Analysis
      Reading: Bugs as Deviant Behavior: A General Approach to Inferring Errors in System Code
               Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions
               Extra: A paper by Dawson Engler explaining why commercialization is hard: A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World
      Notes: slides; Extra HW due

11/23 No Class - University Holiday

11/28 Model Checking and Security
      Reading: Model Checking One Million Lines of C Code
               Semantics-Aware Malware Detection
      Notes: slides; Project Phase 4 due

11/30 Software Security and IDS
      Reading: Bouncer: Securing Software by Blocking Bad Input
               Creating Vulnerability Signatures Using Weakest Preconditions
      Notes: slides

12/5  Wrap up

12/7  Final Presentations
      Notes: Final papers due Dec 20th, 1pm EST, by email