CS 250: Software Security

Course Description

This is a graduate-level, research-oriented course. Its goal is to teach graduate students state-of-the-art techniques and tools and their application to software security problems, including vulnerabilities and exploits, malware, patching, reverse engineering, and forensics. The course balances lectures, lab assignments, and projects so that students grasp the core concepts, reinforce that understanding with first-hand experience in the lab assignments, and explore open problems through the course projects.

  • Instructor: Heng Yin
  • Email: heng AT cs DOT ucr DOT edu
  • Office: Winston Chung Hall 316
  • Office hours: Tuesday 11:00 AM - 12:00 PM
  • Location and Time: Student Success Center 125, M/W 2:00 PM - 3:20 PM

Communication

We will use eLearn for announcements, assignments and grading, and Slack for Q&A and discussions.

Covered Topics

  • Fuzzing
  • Symbolic Execution
  • Exploit Generation
  • Hardening and Patching
  • Binary Code Reverse Engineering
  • Software Supply Chain Security

Paper Review and Presentation

Each student is responsible for presenting one or two papers in class (about 25 minutes per paper) and leading the discussion that follows (about 15 minutes). A signup sheet will be provided for choosing which paper to present (first come, first served). Use your RMail account to access it.

Each student is required to write a review of at least 400 words for every paper presented by a student, submitted before that paper is presented in class. A review must cover the following:

  • Describe the problem the paper addresses
  • Explain how previous work solves this problem and why it is insufficient
  • Explain how this paper tackles the problem and why its approach can solve it
  • What you like and dislike about the paper
  • Questions you have and would like to discuss in class

Project Assignments

  1. Experimenting with Symbolic Execution
  2. Experimenting with Fuzzing

Research Project

Each student needs to submit a research proposal and a term paper.

Grading (Adjusted)

  • Class participation: 10%
  • Project assignments: 30%
  • Presentation: 20%
  • Paper reviews: 10%
  • Term paper: 30% (5% proposal + 25% report)

Resources

I am working on a web-based textbook for software security, which is available here. It is largely based on the lectures from this course, and I update it while teaching the course.

Schedule

Classes meet on Mondays and Wednesdays. Each entry lists the date and the lecture topics or the papers to be presented at that meeting.

  • 03/30: Syllabus; Dynamic Binary Instrumentation
  • 04/01: Dynamic Binary Instrumentation; Dynamic Taint Analysis
  • 04/06: Dynamic Taint Analysis
  • 04/08: Symbolic Execution
  • 04/13: Symbolic Execution
  • 04/15: Fuzzing
  • 04/20: Fuzzing
  • 04/22: Exploit Generation; Static Binary Analysis
  • 04/27: Binary Code Similarity and Diffing
  • 04/29: SymSan: Time and Space Efficient Concolic Execution via Dynamic Data-Flow Analysis; SymFit: Making the Common (Concrete) Case Fast for Binary-Code Concolic Execution
  • 05/04: Marco: A Stochastic and Asynchronous Concolic Explorer; Agentic Concolic Execution
  • 05/06: Low-Cost and Comprehensive Non-textual Input Fuzzing with LLM-Synthesized Input Generators; Robust, Efficient, and Widely Available Greybox Fuzzing for COTS Binaries with System Call Pattern Feedback
  • 05/11: no topic listed
  • 05/13: ELFuzz: Efficient Input Generation via LLM-driven Synthesis Over Fuzzer Space; FirmAgent: Leveraging Fuzzing to Assist LLM Agents with IoT Firmware Vulnerability Discovery
  • 05/19: BinDSA: Efficient, Precise Binary-Level Pointer Analysis with Context-Sensitive Heap Reconstruction; Trust Me, I Know This Function: Hijacking LLM Static Analysis using Bias
  • 05/21: DeepDi: Learning a Relational Graph Convolutional Network Model on Instructions for Fast and Accurate Disassembly; REVDECODE: Enhancing Binary Function Matching with Context-Aware Graph Representations and Relevance Decoding
  • 05/25: Holiday
  • 05/27: SigmaDiff: Semantics-Aware Deep Graph Matching for Pseudocode Diffing; BINALIGNER: Aligning Binary Code for Cross-Compilation Environment Diffing
  • 06/01: Enhancing Semantic-Aware Binary Diffing with High-Confidence Dynamic Instruction Alignment; Beyond Raw Bytes: Towards Large Malware Language Models
  • 06/03: PATCHAGENT: A Practical Program Repair Agent Mimicking Human Expertise; ChainFuzz: Exploiting Upstream Vulnerabilities in Open-Source Supply Chains