Software Security, Autumn 2020

This course is taught by Erik Poll. It is part of the TRU/e Master specialisation in Cyber Security. More background on goals, prerequisites, etc. at the bottom of this web page.

Make sure you are registered in Osiris, which will then also register you in Brightspace. Beware that there is a 6EC version (ISOFSE) and a 5EC version (IMC051) of this course. The 5 EC version is for students doing the TRU/e Cyber Security specialisation.

For TU/e students: if you somehow cannot register for the course (yet), send me an email, so that I can make sure email announcements via Brightspace reach you. A pdf with links to the online lectures has been sent over the security mailing list, so make sure you get on that list (via this web form)!

Lectures & obligatory reading material

Lectures: Fridays 10:30-12:15

NB the description below will be updated as we go along, with slides and pointers to papers. The obligatory reading material and exam material for the course includes the slides, some academic research papers listed below, and the following textbook material:

  • Recording of last year's lecture is in Brightspace.
  • day slides Mandatory reading & mini-assignments
    Sept 4
    • To read: Secure Software Lifecycle, CyBok chapter by Williams, 2019.
    • To do: have a look at the latest US-CERT Bulletin and the CVE Twitter feed to get a feel for the scale of software security problems.
    • To do: search the CVE list or NIST's Vulnerability Database for flaws in the browser you are using to view this webpage, and check out how CVSS score was determined. You can also search for known flaws in the other applications or operating systems that you commonly use, and maybe double-check that you are applying patches automatically.
    Sept 11
    • To read: Sections 3.1 & 3.2 of the lecture notes
    • To read: SoK: Eternal War in Memory by Szekeres et al., IEEE Symposium on Security & Privacy, 2013 - You can skip Section VII.
    • To do: have a look at some CVEs that involve buffer overflows, integer overflows, and format strings, to get an idea of the sheer numbers, the kind of software affected, etc. Maybe playing around with the exact search terms will give more complete results.
    • To remind yourself of the HeartBleed bug, the most famous example of a buffer overread attack, this xkcd cartoon might be useful. Or this youtube movie, if you dislike cartoons.
    Sept 18
    1st assignment (individual or in pairs): PREfast. Deadline: Thursday Sept 24, 23:59 Some generic feedback
    Sept 25 SAGE and the 'coverage-guided graybox fuzzing' approaches mentioned in Payer's article (more in particular afl) will be discussed next week.
    Group fuzzing project. Deadline: Nov 30
    Oct 2
    Oct 9
    Oct 16 To read: Some interesting things to look at:
    Oct 23 & 30 : no lectures (midterm break/exam period) The lecture-free period may be a good time to read the CyBok chapter on Software Security, also listed at mandatory reading material. One of the topics mentioned, race conditions (aka TOCTOU), will still be discussed in weeks to come.
    Nov 6 Guest lectures by Secura
    • Pen-testing, by Geert Smelt
    • Red Teaming for Operational Technologies, by Ben Brücker
    • Slides are in Brightspace.
    Nov 13
    Nov 20
    Nov 27
    • Q&A about last week's lecture on Android Information Flow and TOCTOU.
    • Discussion fuzzing project
    • (6EC version only)
      Program Verification (slides)
    Dec 3
    • (6EC version only) Another online lab session to work on the verification assignment
    Dec 4
    Dec 11
    Dec 18 NB in Brightspace Virtual Classroom, not in Discord.
    Jan 22
    • Exam at 12:45
    Location: de Vereeniging (or for students with right to extra time: HG00.0065 in Huygens Building) BUT CHECK LOCATION IN THE OFFICIAL SCHEDULE
    The exam is closed book, and covers the material treated in class (and in the slides), the course lecture notes, the papers listed above, and the projects.
    Mock exam
    March 30
    • Resit exam at 12:45 - see official schedule for location(s)


    Basic programming skills, incl. familiarity with C and Java. In more detail:


    Software is the root cause behind most IT security problems. This course addresses two questions: Common security problems include memory corruption, integer overflows, various injection attacks (command injection, SQL injection, XSS, deserialisation attacks ...), race conditions... The LangSec paradigm explains some of these underlying root causes, namely buggy or unintended parsing of many input languages, which are often too complex, too expressive, or ill-specified.

    Techniques to prevent or detect problems include threat modeling, checklists and coding standards, code reviews, "safe" programming languages, LangSec (language-theoretic security), fuzzing and other forms of security testing, static analysis tools and source code analyzers, information flow analysis (incl. tainting), program verification, and proof-carrying code.

    The focus of this course is not on pen-testing or hacking to find vulnerabilities, as in the RU bachelor courses 'Hacking in C' and 'Web Security', but more on (addressing) the underlying causes and general techniques to improve the security of software.


    The course will be graded based on a written exam. The group project work can earn you a bonus point. The individual exercises are not graded. You MUST seriously participate in the project work to take the exam, and do all individual exercises.

    The exam will cover the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, ie. you cannot bring copies of slides, papers etc to the exam. You're not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides). You are expected to be able to spot simple buffer overflow problems given some hints, but are not expected to spot tricky ones even with hints.

    Optional background reading

    For additional background info I can recommend: