Secure Software Development (WS 2025/26)
Table of Content
Content
This course deals with the design and implementation of secure software. Especially memory corruption vulnerabilities such as buffer overflows, integer overflows or use-after-free bugs can be exploited by an attacker to bypass the intended program behavior and execute arbitrary payload in the worst case. We will look at various runtime mitigation techniques such as ASLR, stack canaries and data execution prevention exist. However, they can often be bypassed by more advanced exploitation techniques. Rather than preventing certain attacks, the ultimate goal is to eliminate memory corruption vulnerabilities and achieve "memory safety". In practical assignments, the students detect and exploit various memory corruption vulnerabilities hidden in small programs called "hacklets" in a competition style. Furthermore, the students design and implement their own programs following defensive coding principles in order to avoid such vulnerabilities.Administrative Information
Previous Knowledge
* x86 assembler basics * Solid knowledge of C/C++ * Some familiarity with the POSIX interface Attention! This is an advanced course building on previous courses from the Bachelor programme, namely: * Information Security course (INP.33504UF and INP.33503UF) * System Level Programming course (705.101) * Operating Systems course (INP.32512UF) If you are an international student, please consider taking the "System Level Programming" course first, which should prepare you well for enjoying this course.Prerequisites Curriculum
See position in the curriculumObjective
After this course you understand the concept of "memory safety" and the various memory corruption vulnerabilities (buffer overflow, integer overflows, use-after-free, double free, uninitialized data, type confusion, etc.) violating it. You know how to detect, exploit and mitigate such vulnerabilities in practice. Furthermore, you know about various runtime mitigation techniques and are able to assess their (in)effectiveness in practice. You know the principles of defensive programming and are able to apply them by writing memory-safe code.Language
EnglishTeaching Method
Practical assignments, assisted by tutorial sessions. All tutorial sessions will be available online. Some sessions will have the option for physical attendance in the lecture hall.How to get a grade
The grade consists of practical assignments in combination with oral exams.Registration
https://online.tugraz.at/tug_online/ee/rest/pages/slc.tm.cp/course-registration/589224Lecture Dates
| Date | Begin | End | Location | Event | Type | Comment |
|---|---|---|---|---|---|---|
| 2025/10/01 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/10/03 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/10/08 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/10/10 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/10/10 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/10/15 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/10/17 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/10/22 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/10/24 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/10/29 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/10/31 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/11/05 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/11/07 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/11/14 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/11/19 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/11/21 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/11/26 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/11/28 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/12/05 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/12/12 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2025/12/19 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2026/01/07 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2026/01/09 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2026/01/14 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2026/01/16 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2026/01/21 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2026/01/23 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2026/01/28 | 10:15 | 11:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
| 2026/01/30 | 12:00 | 14:00 | HS i12 "DynaTrace Hörsaal" | Abhaltung | VU | fix/ |
