CS 491: Software Vulnerability Analysis — Fall 2016
Course Description, Goals, and Objectives
This course will cover software vulnerabilities, exploitation techniques, and mitigation measures. It is designed as a projects-based course where you will get hands-on experience finding vulnerabilities and writing exploits.
By the end of the course, you will have a working knowledge of how to find vulnerabilities in software by reading source code as well as reverse engineering binaries. You will learn to use tools like gdb to assist in exploit development.
Prerequisites
Students are expected to enter this course with a basic knowledge of operating systems, data structures, and programming in C and (very basic) C++. Some knowledge of assembly and compilers will be helpful, but the relevant information will be covered in the course or in provided references.
Programming Projects
The programming projects are meant as a way to get hands-on experience exploiting software vulnerabilities. You will find that there is quite a difference between conceptually understanding how to exploit a given vulnerability and actually producing a working exploit.
The programming projects are designed to be done in groups of 2. (Working alone is allowed, but discouraged.) Each project will have both programming and writing components. Both group members are expected to participate fully in both the programming and writing.
You are encouraged to work with different people on each project, but group forming is completely up to you. If you’re having trouble finding a group, I suggest you use the Piazza forum to find one.
Course Materials
Required Texts
There are no required textbooks.
Resources
Here are some resources you may find helpful while working on the projects.
Course Policies
Attendance Policy
Class attendance is not mandatory; however, research indicates that students who attend class are more likely to be successful. You are strongly encouraged to attend every class. Lectures are not recorded and there are no slides. If you are unable to attend class, you should consider asking a classmate to take notes for you.
Missed or Late Work Policy
Projects are due by 23:59 on the day specified on each project page. You have 3 late days that you can use throughout the semester. Each day that a project is late decreases the number of late days you and your partner have left. If you run out of late days, projects turned in late will receive a score of 0. There will be no exceptions to this policy without prior approval from Prof. Checkoway.
Electronic Communication Policy
All electronic communication with course staff should take place on Piazza unless emails are specifically requested by the staff. Course staff may, from time to time, respond to emails, but a response to one email does not guarantee a response to a second. Use Piazza!
Collaboration Policy
You are allowed, and encouraged, to work in groups of size two on all projects. You are free to have different groups for different projects. You are not allowed to work with anyone outside your group. Doing so is academic misconduct.
Academic Integrity Policy
As an academic community, UIC is committed to providing an environment in which research, learning, and scholarship can flourish and in which all endeavors are guided by academic and professional integrity. All members of the campus community–students, staff, faculty, and administrators–share the responsibility of ensuring that these standards are upheld so that such an environment exists. Instances of academic misconduct by students will be handled pursuant to the Student Disciplinary Policy.
The following are examples of academic misconduct.
- Claiming someone else’s work as your own.
- Searching for existing solutions to assignments.
- Falsifying program output.
- Working with anyone outside your group, other than course staff.
- Sharing code or solutions with anyone outside your group, other than course staff.
Religious Holidays
As class attendance is not mandatory, students who must miss class due to religious holidays can do so without informing course staff. If a religious holiday will prevent a student from turning in an assignment before its due date, they must notify the faculty member by the tenth day of the semester or five days before the due date, whichever is earlier. The faculty member shall make every reasonable effort to accommodate the student. If the student feels aggrieved, he/she may request remedy through the campus grievance procedure.
Academic Deadlines
See the academic calendar.
Grading
Your course grade will be determined entirely by projects. There are no exams or other assignments.
Grievance Procedures
UIC is committed to the most fundamental principles of academic freedom, equality of opportunity, and human dignity involving students and employees. Freedom from discrimination is a foundation for all decision making at UIC. Students are encouraged to study the University’s Nondiscrimination Statement. Students are also urged to read the document Public Formal Grievance Procedures. Information on these policies and procedures is available on the University web pages of the Office of Access and Equality.
Course Evaluations
Because student ratings of instructors and courses provide very important feedback to instructors and are also used by administrators in evaluating instructors, it is extremely important for students to complete the confidential online course evaluations, known as the Campus Program for Student Evaluation of Teaching evaluation. You will receive an email from the Office of Faculty Affairs inviting you to complete your course evaluations and will receive an email confirmation when you have completed each one.
For more information, please refer to the UIC Course Evaluation Handbook.
Results for the “six core questions” will be published on the UIC course evaluation website.