CS356 Software Exploitation

Instructor information

Instructor: W. Michael Petullo
Office location: 210 Wing Technology Center
Office hours: Monday, Tuesday, Wednesday, and Thursday 2:10 p.m–3:00 and by appt.
Telephone: (608) 785-6817
Email: wpetullo@uwlax.edu

Catalog description

This course examines techniques for exploiting vulnerable software. Topics include binary reverse engineering, source code analysis, intrusion, and exploitation. The course will also discuss matters of reconnaissance, privilege escalation, lateral movement, obfuscation, and exfiltration. Students are expected to write low-level exploits using modern tools and deploy them against vulnerable services in a laboratory environment.

Prerequisites

CS270 and CS340

Time and location

Tuesday and Thursday at 11:00 a.m.–12:25 p.m. Class meets in Centennial 1401.

Student learning objectives

This course follows the Computer Science Department’s learning objectives for CS356, which are listed below. The course schedule indicates the objectives covered by each lesson.

  1. Understand the operational sequence employed by cyber attacks, including reconnaissance, intrusion, exploitation, privilege elevation, lateral movement, obfuscation, and exfiltration.

  2. Understand opportunities for reconnaissance and exploitation presented by network software.

  3. Overcome countermeasures to exploit buffer overflows and other memory errors.

  4. Understand how to write shellcode.

  5. Understand techniques to exploit web-based software.

  6. Apply program analysis tools to find programming errors in software.

  7. Understand how to perform binary reverse engineering of software.

Textbook

(2008). Hacking: The Art of Exploitation. No Starch Press.

Classroom standards

Please be prepared to take notes using a pen and paper, or use discipline while taking digital notes. Do not use the Internet for personal reasons during class. Do bring a laptop or other device capable of running the compilers and other tools we use in class; any lecture might include hands-on exercises.

Perform your assigned reading and other preparation before arriving for class. I will expect you to participate in class discussions, and I might call on you to contribute.

You are reminded of Board of Regents’ Student Academic Disciplinary Procedures concerning academic integrity. Cheating undermines the integrity of this university and shows disrespect towards the work of your classmates. Starting coursework early will help you to avoid the temptation of cheating. Plagiarism or cheating in any form may result in a failing grade, and might also warrant harsher disciplinary action. “Students are responsible for the honest completion and representation of their work, for the appropriate citation of sources, and for respect of others’ academic endeavors.”

On perseverance and the scientific method

You will inevitably encounter problems while trying to complete your coursework. Sometimes you will be led astray by the confusing interfaces that our software applications present, and other times you will simply make an error. When something goes wrong, try to fix the problem! Make small, incremental changes, and observe their effects. Most importantly, think about how systems work, and then consider why the error you are observing might have arisen. Occasionally, you should stop what you are doing and start from scratch. Learning how to better troubleshoot should be a beneficial side effect of this course.

Graded events

Homework will be submitted through Aquinas, a grading system that provides immediate feedback. Refer to the course schedule for the sequence of homework assignments, exams, and the final exam. Your running grade will be available through Aquinas.

Event Portion of grade
Homework 33% (3% per assignment)
Exams 37% (18½% per exam)
Instructor points 5%
Final exam 25%

Grade scale

Grades are assigned based on the following scale.

Range Grade
93–100% A
89–92% AB
83–88% B
79–82% BC
70–78% C
60–69% D
0–59% F

Late policy

Assignments are due the moment class starts. Late assignments will lose points according to the table below.

Tardiness Penalty
Up to 24 hours late 15% reduction
24–48 hours late 30% reduction
More than 48 hours late No credit

If some external circumstance might cause you to be late, then you must notify your instructor in writing and before the assignment deadline in order to be considered for an exception. The act of notification does not automatically grant you an exception.