Software Security, Autumn 2021

This course is taught by Erik Poll.

Make sure you are registered in Osiris, which will then also register you in Brightspace. If you don't log in to Brightspace often, then you will miss announcement there, so in that case configure your Brightspace account to have announcements forwarded to you by email.

Apart from the normal, 6EC version (ISOFSE) of this course, there is also a legacy, 5EC version (IMC051). Register for the 6EC version and if there is a convincing reason why you should take the 5EC one come and talk to me after the lecture.


Basic programming skills, incl. familiarity with C and some standard OO language like Java or C#. In more detail:


Software is the most important root cause behind most IT security problems: things can get hacked because they contain software! This course addresses two questions:

Techniques to prevent or detect problems include threat modeling, checklists and coding standards, code reviews, "safe" programming languages, LangSec (language-theoretic security), fuzzing and other forms of security testing (aka DAST), static analysis tools and source code analyzers (aka SAST), information flow analysis (incl. tainting), and program verification as the most extreme form of static analysis.

The focus of this course is not on pen-testing or hacking to find vulnerabilities, as in the bachelor courses 'Hacking in C' and 'Web Security'. Instead the focus is on (addressing) the underlying causes and general techniques to improve the security of software.

Lectures & obligatory reading material

Lectures: Fridays 13:30-15:15 in HG0.062; starting Nov 12 in SP1 (Spinoza building)

The description below will be updated as we go along, with slides and pointers to papers. The obligatory reading material and exam material for the course includes the slides, some academic research papers listed below, and the following textbook material:

day slides Mandatory reading & mini-assignments
Sept 10
  • To read: Secure Software Lifecycle, CyBok chapter by Williams, 2019.
  • To do: have a look at the latest US-CERT Bulletin and the CVE Twitter feed to get a feel for the scale of software security problems.
  • To do: search the CVE list or NIST's Vulnerability Database for flaws in the browser you are using to view this webpage and for the PDF viewer you are using to look at the slides. (These use the same list of vulnerabilities, but NIST's webpage has better search options.) For some of the vulnerabilities, check how the CVSS score was determined. You can also search for known flaws in the other applications or operating systems that you commonly use, and maybe double-check that these are automatically patched.
Sept 17
  • To read: Sections 3.1 & 3.2 of the lecture notes
  • To read: SoK: Eternal War in Memory by Szekeres et al., IEEE Symposium on Security & Privacy, 2013. You can skip Section VII.
  • To do: have a look at some CVEs that involve buffer overflows, integer overflows, and format strings, to get an idea of the sheer numbers, the kind of software affected, etc. Maybe playing around with the exact search terms will give more complete results.
  • To remind yourself of the HeartBleed bug, the most famous example of a buffer overread attack, this xkcd cartoon might be useful. Or this youtube movie, if you dislike cartoons.
Sept 24
1st assignment: PREfast. Deadline: Sept 30

      Feedback on PREfast assignment

Oct 1
Group fuzzing project. Deadline: Nov 30
Oct 8
  • Guest lecture: Penetration Testing by Ralph Moonen of Secura
      (slides in Brightspace)
Oct 8
Oct 15
Oct 22
  • Guest lecture: Automated Vulnerability testing by Frans van Buul of Microfocus
      (slides in Brightspace)
Oct 22
Oct 29 & Nov 5: no lectures (midterm break/exam period) The lecture-free period may be a good time to read the CyBok chapter on Software Security, also listed at mandatory reading material.
Nov 12 To read:
  • Lecture notes on secure input and output handling.
  • the OWASP Top 10 [PDF,HTML] NB there might be a new 2021 edition of the OWASP Top 10 coming out in the autumn.
    (For more background on XXE than the brief description in the OWASP Top 10 document, this video gives a nice explanation.)
Some interesting things to look at:
Nov 19
Nov 26
Dec 3
Dec 10
Dec 17
Jan 14
  • Exam
The exam is closed book, and covers the material treated in class (and in the slides), the course lecture notes, the papers listed above, and the projects.
Mock exam


The course will be graded based on a written exam. The group project work can earn you a bonus point. The other exercises, to be done individually or in pairs, are not graded but are mandatory. You MUST seriously participate in the project and do all the other exercises to take the exam, and there are not options to resit these.

The exam will cover the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, ie. you cannot bring copies of slides, papers etc to the exam. You're not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides). You are expected to be able to spot simple buffer overflow problems given some hints, but are not expected to spot tricky ones even with hints.

Optional background reading

For additional background info I can recommend: