CS 6956 Software and System Security

Overview

Course Description. This is a graduate-level research-oriented course, which covers both classic and cutting-edge topics in the area of software security. It provides the students with a good understanding of software problems in not only traditional binary executables but also emerging mobile applications, cyber-physical systems and Blockchain platforms.

Course Outcomes. We will read and discuss research papers to grasp the core concepts of various analysis and defense techniques that improve software security. Students will further gain hands-on experience through using security analysis tools and be prepared to explore new research problems.

  • Instructor: Mu Zhang

  • Email: muzhang AT cs DOT utah DOT edu

  • Office: MEB 2168

  • Office hours: by appointment

  • Location and Time: WEB 1248 and Zoom on Canvas, TuTh 3:40PM -- 5:00PM

Grading

  • Paper Presentation: 15%

  • Paper reviews: 15%

  • Lab assignments: 30%

  • Project: 30%

  • Class Participation: 10%

Paper Review and Presentation

  • Each student is required to present one paper in the class for about 15 minutes and lead the discussion.

  • Each student is required to write reviews of at least 300 words for all the papers presented by students, before the papers are presented in class.

Lab Assignments

  • Lab 1: Buffer Overflow Attacks. Implement simple exploits to trigger vulnerabilities in binary code.

  • Lab 2: Static Program Analysis. Develop a simple Soot transform to reveal API usage in Android apps.

  • Lab 3: Symbolic Execution. Write simple angr scripts to find vulnerabilities.

Projects

A list of suggested projects will be provided. Students may also propose their own projects. Projects can be done individually or by groups. Each group should not exceed 2 students. In the project report, clearly state each member's contribution.

Example project directions:

1. building custom analysis tools (for Android apps, smart home IoT apps, industrial controller code, smart contract code, etc.)

2. studying app security (e.g., security mechanisms and their limitations) based upon existing tools

3. launching proof-of-concept attacks against modern software systems

Schedule