Secure Software Development (WS 2025/26)

Course Number 705008 | Wintersemester 2025/26

Content

The slides are available here after the end of each lecture. The practicals, an explanation about the lecture, exam hacklets, and old exams can be found here: Material. Starting W24, slides will be uploaded here.
| Date | Type | Topic | Lecturer | Material |
|---|---|---|---|---|
| 2025-10-01 10:15 | practical | Warmup + Organization | Ernesto, Stefan | slides |
| 2025-10-03 12:00 | lecture | Intro + Low Level / C++ Objects | Daniel | slides1, slides2 |
| 2025-10-08 10:15 | practical | Tools 1 | Ernesto, Sebastian | slides |
| 2025-10-10 12:00 | lecture | Memory Corruption 1 | Ernesto | slides |
| 2025-10-12 23:59 | deadline | Deadline for Warmup Hacklet | | |
| 2025-10-15 10:15 | practical | Hacklets 1 (+cont. Tools 1) | Ernesto, Sebastian, Simon | |
| 2025-10-17 12:00 | lecture | Memory Corruption 2 | Ernesto | |
| 2025-10-24 12:00 | lecture | Exploits and Countermeasures 1 | Sebastian | |
| 2025-10-31 12:00 | lecture | Exploits and Countermeasures 2 | Sebastian | |
| 2025-11-07 12:00 | lecture | Exploits and Countermeasures 3 | Sebastian | |
| 2025-11-12 10:15 | practical | Tools 2 | Ernesto / Sebastian | |
| 2025-11-14 12:00 | lecture | Defensive Programming | Lorenz | |
| 2025-11-16 23:59 | deadline | Deadline for Hacklets 1 | | |
| 2025-11-19 10:15 | practical | Hacklets 2 | Sebastian, Simon | |
| 2025-11-21 12:00 | lecture | Finding Bugs 1 | Stefan | |
| 2025-11-26 10:15 | practical | Defensive Programming | Bernd, Stefan | |
| 2025-11-28 12:00 | lecture | Finding Bugs 2 | Stefan | |
| 2025-12-12 12:00 | lecture | Exam | | |
| 2025-12-19 ??:?? | lecture | Christmas Special | | |
| 2025-12-21 23:59 | deadline | Deadline for Hacklets 2 | | |
| 2026-01-18 23:59 | deadline | Deadline for Defensive Programming | | |
 

Material

This course deals with the design and implementation of secure software. Memory corruption vulnerabilities in particular, such as buffer overflows, integer overflows or use-after-free bugs, can be exploited by an attacker to bypass the intended program behavior and, in the worst case, execute an arbitrary payload. We will look at various runtime mitigation techniques such as ASLR, stack canaries and data execution prevention. However, they can often be bypassed by more advanced exploitation techniques. Rather than preventing certain attacks, the ultimate goal is to eliminate memory corruption vulnerabilities and achieve "memory safety". We will discuss methods for debugging and bug discovery as well.

Administrative Information

Previous Knowledge

* x86 assembler basics
* Solid knowledge of C/C++
* Some familiarity with the POSIX interface

Attention! This is an advanced course building on previous courses from the Bachelor programme, namely:

* Information Security course (INP.33504UF and INP.33503UF)
* System Level Programming course (705.101)
* Operating Systems course (INP.32512UF)

If you are an international student, please consider taking the "System Level Programming" course first, which should prepare you well for enjoying this course.

Prerequisites Curriculum

See position in the curriculum

Objective

After this course, you understand the concept of "memory safety" and the various memory corruption vulnerabilities (buffer overflows, integer overflows, use-after-free, double free, uninitialized data, type confusion, etc.) violating it. You know how to detect, exploit and mitigate such vulnerabilities in practice. Furthermore, you know about various runtime mitigation techniques and are able to assess their (in)effectiveness in practice. You know the principles of defensive programming and are able to apply them by writing memory-safe code.

Language

English

Teaching Method

Practical assignments, assisted by tutorial sessions. All tutorial sessions will be available online. Some sessions will have the option for physical attendance in the lecture hall.

How to get a grade

The grade consists of practical assignments in combination with oral exams.

Registration

https://online.tugraz.at/tug_online/ee/rest/pages/slc.tm.cp/course-registration/589224

Lecture Dates

| Date | Begin | End | Location | Event | Type | Comment |
|---|---|---|---|---|---|---|
| 2025/10/15 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/10/17 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/10/22 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/10/24 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/10/29 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/10/31 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/11/05 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/11/07 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/11/14 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/11/19 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/11/21 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/11/26 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/11/28 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/12/05 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/12/12 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2025/12/19 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2026/01/07 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2026/01/09 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2026/01/14 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2026/01/16 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2026/01/21 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2026/01/23 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2026/01/28 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |
| 2026/01/30 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Session | VU | fixed |

Lecturers

* Daniel Gruß, Professor
* Carina Fiedler, PhD Student
* Lukas Maar, PhD Candidate
* Ernesto Martinez Garcia, PhD Student