This is a graduate-level research-oriented course. The goal of this course is to teach graduate students the state-of-the-art techniques and tools and their applications to software security problems, including vulnerabilities and exploits, malware, patching, reverse engineering, and forensics. This course is aimed to balance between lectures, lab assignments and projects, such that the students can grasp the core concepts, gain first-hand experience through lab assignments to reinforce the understanding of these concepts, and further explore unknowns via course projects.
We will use eLearn for announcements, assignments and grading, and Slack for Q&A and discussions.
Each student is responsible to present one or two papers in the class for about 25 minutes and lead the discussion for about 15 minutes. A signup sheet will be provided to select which paper to present (first come first serve). Use your RMail to access it.
Each student is required to write reviews of at least 400 words for all the papers presented by students, before the papers are presented in class. A review must include the following aspects:
Each student needs to submit a research proposal and a term paper.
I am working on a web-based textbook for software security, which is available here. It is largely based on the lectures from this course. I am updating it while teaching this course.
| Monday | Wednesday |
|---|---|
| 03/30 Syllabus Dynamic Binary Instrumentation |
04/01 Dynamic Binary Instrumentation Dynamic Taint Analysis |
| 04/06 Dynamic Taint Analysis |
04/08 Symbolic Execution |
| 04/13 Symbolic Execution |
04/15 Fuzzing |
| 04/20 Fuzzing |
04/22 Exploit Generation Static Binary Analysis |
| 04/27 Binary Code Similarity and Diffing |
04/29 SymSan: Time and Space Efficient Concolic Execution via Dynamic Data-Flow Analysis SymFit: Making the Common (Concrete) Case Fast for Binary-Code Concolic Execution |
| 05/04 Marco: A Stochastic and Asynchronous Concolic Explorer Agentic Concolic Execution |
05/06 Low-Cost and Comprehensive Non-textual Input Fuzzing with LLM-Synthesized Input Generators Robust, Efficient, and Widely Available Greybox Fuzzing for COTS Binaries with System Call Pattern Feedback |
| 05/11 |
05/13 ELFuzz: Efficient Input Generation via LLM-driven Synthesis Over Fuzzer Space FirmAgent: Leveraging Fuzzing to Assist LLM Agents with IoT Firmware Vulnerability Discovery |
| 05/19 BinDSA: Efficient, Precise Binary-Level Pointer Analysis with Context-Sensitive Heap Reconstruction Trust Me, I Know This Function: Hijacking LLM Static Analysis using Bias |
05/21 DeepDi: Learning a Relational Graph Convolutional Network Model on Instructions for Fast and Accurate Disassembly REVDECODE: Enhancing Binary Function Matching with Context-Aware Graph Representations and Relevance Decoding |
| 05/25 Holiday |
05/27 SigmaDiff: Semantics-Aware Deep Graph Matching for Pseudocode Diffing BINALIGNER: Aligning Binary Code for Cross-Compilation Environment Diffing |
| 06/01 Enhancing Semantic-Aware Binary Diffing with High-Confidence Dynamic Instruction Alignment Beyond Raw Bytes: Towards Large Malware Language Models |
06/03 PATCHAGENT: A Practical Program Repair Agent Mimicking Human Expertise ChainFuzz: Exploiting Upstream Vulnerabilities in Open-Source Supply Chains |