CS412 Software Security

Mathias Payer -- Spring semester 2019, 6 ECTS course.

Course overview

This course focuses on software security fundamentals, secure coding guidelines and principles, and advanced software security concepts. Students will learn to assess and understand threats, learn how to design and implement secure software systems, and get hands-on experience with common security pitfalls.

The course consists of three lectures per week (45 minutes each), a two hour lab, and a one hour practice session for Q&A. Refer to the EPFL CS412 Moodle for Q&A, information about the project, and other discussions.

Book for the course: Software Security: Principles, Policies, and Protection

Course objectives

Software running on current systems is exploited by attackers despite many deployed defence mechanisms and best practices for developing new software. In this course students will learn about current security threats, attack vectors, and defence mechanisms on current systems. The students will work with real world problems and technical challenges of security mechanisms (both in the design and implementation of programming languages, compilers, and runtime systems).

Learning outcomes

Students who complete the course will have demonstrated the ability to do the following:


  1. Course introduction (2019/02/19)
  2. Basic principles (2019/02/26)
  3. Secure software lifecycle (2019/03/05) [1]
  4. Reverse engineering (2019/03/05)
  5. Security policies (2019/03/12) [2], [3], [4] [5] [6]
  6. Software bugs (2019/03/19)
  7. Attack vectors (2019/03/19)
  8. Mitigations (2019/03/26)
  9. Midterm (2019/04/02, 10:15 -- 11:15)
  10. Advanced mitigations (2019/04/02) [9], [10] [13] [14]
  11. Testing: Sanitization (2019/04/09) [11]
  12. Testing: Fuzzing (2019/04/16)
  13. Guest lecture: Cyber Threat Intelligence (by Marc Doudiet, FUB) (2019/04/30)
  14. Web security (2019/05/07)
  15. Mobile security (2019/05/14)
  16. Summary (2019/05/14)
  17. Project presentations (2019/05/21)
  18. Exam preparation and Q&A (Friday, 2019/05/24 10:00 to 12:00 in BC160)
  19. Exam (10:15 -- 12:15) (2019/05/28)


Course policies

This course will be run under the "reasonable adults" policy wherein it is assumed that all students are reasonable adults that want to benefit the most of the course by attending the course regularly, completing the homework assignments and projects on time, asking questions during the course and if they run into problems, and checking back with the instructor and the TA regularly to ensure good progress.

In short: (i) you are expected to attend all classes (modulo good reasons), (ii) you are supposed to hand in all work before the deadlines (late hand-ins receive no credit), (iii) if you need special treatment or have special circumstances, talk to the instructor or TA.

References and Reading Assignments

[1]Butler W. Lampson. Protection. ACM Operating Systems'74
[2]Laszlo Szekeres, Mathias Payer, Tao Wei, Dawn Song. SoK: The Eternal War in Memory. IEEE S&P'13
[3]Santosh Nagarakatte, Milo M. K. Martin, and Steve Zdancewic. Everything You Want to Know About Pointer-Based Checking. SNAPL'15
[4]Michael Hicks. What is memory safety? Blogpost'14.
[5]Trevor Jim, Greg Morrisett, Dan Grossman, Michael Hicks, James Cheney, and Yanling Wang. Cyclone: A Safe Dialect of C. ATC'02
[6]Yuseok Jeon, Priyam Biswas, Scott A. Carr, Byoungyoung Lee, and Mathias Payer. HexType: Efficient Detection of Type Confusion Errors for C++. CCS'17
[7]Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières. Making information flow explicit in HiStar. OSDI'06
[8]Daniel J. Bernstein. Some thoughts on security after ten years of qmail 1.0. Technical Report'07
[9]Nathan Burow, Scott A. Carr, Joseph Nash, Per Larsen, Michael Franz, Stefan Brunthaler, and Mathias Payer. Control-Flow Integrity: Protection, Security, and Performance. ACM CSUR '17, (slides)
[10]Nathan Burow, Xingping Zhang, and Mathias Payer. SoK: Shining Light on Shadow Stacks. IEEE Security and Privacy '19
[11]Konstantin Serebryany, Derek Bruening, Alexander Potapenko, and Dmitry Vyukov. AddressSanitizer: A Fast Address Sanity Checker. Usenix ATC '12
[12]Charles Reis, Adam Barth, and Carlos Pizano. Browser Security: Lessens from Google Chrome. ACM Queue '09
[13]Oshri Sela and Shlomi Levin. Breaking CFI: Exploiting CVE-2015-5122 using COOP.
[14]Metasploit CVE-2015-5122 exploit.