Course Calendar

Below is the calendar for this semester course. This is the preliminary schedule, which will be altered as the semester progresses. It is the responsibility of the students to frequently check this web-page for schedule, readings, and assignment changes. As the professor, I will attempt to announce any change to the class, but this web-page should be viewed as authoritative. If you have any questions, please contact me (contact information is available at the course homepage).

Date	Topic	Assignments Due	Readings for Discussion (do readings before class)
01/11/22	Introduction (Slides)	Integrity and Ethics (Due 1/14/22)	Course syllabus link
01/13/22	C Programming Fundamentals (Slides)	Survey Quiz (Due 1/17/22)	Toward Unseating the Unsafe C Programming Language. Paul van Oorschot. IEEE Security and Privacy, (19)2, March-April 2021.link
01/18/22	C Debugging (Virtual) (Slides)	Two-Factor Authentication Questions (Due 2/4/22 - Extra Credit 1/31/22)	GDB Cheat Sheetlink GDB to LLDB command maplink
01/20/22	History of Attacks (Slides)		The Internet Worm Program: An Analysis, Eugene Spafford, Purdue Technical Report, CSD-TR-823, 1988 (Sections 1-3).link College of Engineering (PSU) network disabled in response to sophisticated cyberattacklink
01/25/22	Confused Deputy (Slides)		The Confused Deputy (or why capabilities might have been invented). Norm Hardy. Operating Systems Review, pp. 36-38, Oct. 1988. link
01/27/22	Buffer Overflow Attacks (Slides)		Paul van Oorschot. Tools and Jewels. Section 6.3.link Common Vulnerabilities and Exposures link
02/01/22	Return-oriented Attacks (Slides)		Paul van Oorschot. Tools and Jewels. Section 6.5.link Return-Oriented Programming: Systems, Languages, and Applicationslink Security Focus: BugTraq link
02/03/22	Heap Attacks (Slides)	Attack Quiz (Graded for Participation Only) (Due 2/5/22)	Paul van Oorschot. Tools and Jewels. Section 6.4.link Hackers Hut: Exploiting the Heap (11-11.2) link
02/08/22	Other Attacks on Memory (Slides)		Format String Vulnerability link
02/10/22	Anatomy of an Attack (Slides)		MITRE ATTACK (framework)link MITRE ATTACK: Design and Philosophylink The Risks Digestlink
02/15/22	Producing Exploits 1 (Slides)	Project 2 - Exploits (Due: Phase 1 - 3/1/22; Phase 2 - 3/25/22)	Smashing the Stack for Fun and Profit, Aleph One. Phrack 7(49), 1996link
02/17/22	Producing Exploits 2 (Slides)		Smashing the Stack for Fun and Profit, Aleph One. Phrack 7(49), 1996link
02/22/22	Spatial Errors (Slides)	Quiz 2 - (Graded for Participation Only) (Due 2/25/22)	Secure Programming HOWTO (Chapters 5 and 6)link
02/24/22	Temporal Errors (Slides)		Using Freed Memory link Double Frees link
03/01/22	Research Talk: Validating Safety from Memory Errors (Slides)		Kaiming Huang, Yongzhe Huang, Mathias Payer, Zhiyun Qian, Jack Sampson, Gang Tan, Trent Jaeger. The Taming of the Stack: Isolating Stack Data from Memory Errors. In Proceedings of the 2022 Network and Distributed Systems Symposium (NDSS), February 2022. link
03/03/22	Type Errors (Slides)		One Perfect Bug: Exploiting Type Confusion in Flash (Basic Idea) link
03/08/22	Spring Break - No class
03/10/22	Spring Break - No class
03/15/22	Course Review (Slides)
03/17/22	Midterm
03/22/22	Current Defenses (Slides)		Crispan Cowan, Calton Pu, Dave Maier, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. Proceedings of the 7th USENIX Security Symposium, 1998.link
03/24/22	Control-Flow Integrity (Slides)		Control-Flow Integrity: Precision, Security, and Performance (Section 2.1)link
03/29/22	Software Fault Isolation (Slides)		Software-based Fault Isolation (Notes)link
03/31/22	Privilege Separation (Slides)		Privilege-Separated OpenSSH link
04/05/22	Research Talk: Automating Privilege Separation (Slides)	Project 3 - Program Hardening (Due 4/29/22)	PtrSplit: Supporting General Pointers in Automatic Program Partitioning. S. Liu, G. Tan, and T. Jaeger. In 24th ACM Conference on Computer and Communications Security (CCS), 2017.link
04/07/22	Hardware for Security (Slides)		Memory Tagging Extension: Enhancing memory safety through architecturelink
04/12/22	Dynamic Testing (Slides)		Beginners Guide to Fuzzing: Tutoriallink American Fuzzy Loplink
04/14/22	Static Analysis (Slides)		HP Fortifylink IBM Rationallink LLVM Checkerslink
04/19/22	Symbolic Execution (Slides)		KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems. Cristian Cadar, Daniel Dunbar, Dawson Engler, in Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation, 2008. link
04/21/22	Research Talk: Use-Before-Initialization (UBI) Bugs (Slides)		Yizhuo Zhai, Yu Hao, Hang Zhang, Daimeng Wang, Chengyu Song, Zhiyun Qian, Mohsen Lesani, Srikanth V. Krishnamurthy, Paul Yu. UBITect: A Precise and Scalable Method to Detect Use-before-Initialization Bugs in Linux Kernel. Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, November 2020.link
04/26/22	Future of Software Security (Slides)		Jave Information Flow (Jif)link
04/28/22	Final Review (Slides)
05/03/22	Final Exam - 8:00am-9:50am, 105 Wagner