CS356 Software Exploitation
|Instructor:||W. Michael Petullo|
|Office location:||210 Wing Technology Center|
|Office hours:||Monday, Tuesday, Wednesday, and Thursday 2:10 p.m–3:00 and by appt.|
This course examines techniques for exploiting vulnerable software. Topics include binary reverse engineering, source code analysis, intrusion, and exploitation. The course will also discuss matters of reconnaissance, privilege escalation, lateral movement, obfuscation, and exfiltration. Students are expected to write low-level exploits using modern tools and deploy them against vulnerable services in a laboratory environment.
CS270 and CS340
Time and location
Tuesday and Thursday at 11:00 a.m.–12:25 p.m. Class meets in Centennial 1401.
Student learning objectives
This course follows the Computer Science Department’s learning objectives for CS356, which are listed below. The course schedule indicates the objectives covered by each lesson.
Understand the operational sequence employed by cyber attacks, including reconnaissance, intrusion, exploitation, privilege elevation, lateral movement, obfuscation, and exfiltration.
Understand opportunities for reconnaissance and exploitation presented by network software.
Overcome countermeasures to exploit buffer overflows and other memory errors.
Understand how to write shellcode.
Understand techniques to exploit web-based software.
Apply program analysis tools to find programming errors in software.
Understand how to perform binary reverse engineering of software.
Please be prepared to take notes using a pen and paper, or use discipline while taking digital notes. Do not use the Internet for personal reasons during class. Do bring a laptop or other device capable of running the compilers and other tools we use in class; any lecture might include hands-on exercises.
Perform your assigned reading and other preparation before arriving for class. I will expect you to participate in class discussions, and I might call on you to contribute.
You are reminded of Board of Regents’ Student Academic Disciplinary Procedures concerning academic integrity. Cheating undermines the integrity of this university and shows disrespect towards the work of your classmates. Starting coursework early will help you to avoid the temptation of cheating. Plagiarism or cheating in any form may result in a failing grade, and might also warrant harsher disciplinary action. “Students are responsible for the honest completion and representation of their work, for the appropriate citation of sources, and for respect of others’ academic endeavors.”
On perseverance and the scientific method
You will inevitably encounter problems while trying to complete your coursework. Sometimes you will be led astray by the confusing interfaces that our software applications present, and other times you will simply make an error. When something goes wrong, try to fix the problem! Make small, incremental changes, and observe their effects. Most importantly, think about how systems work, and then consider why the error you are observing might have arisen. Occasionally, you should stop what you are doing and start from scratch. Learning how to better troubleshoot should be a beneficial side effect of this course.
Homework will be submitted through Aquinas, a grading system that provides immediate feedback. Refer to the course schedule for the sequence of homework assignments, exams, and the final exam. Your running grade will be available through Aquinas.
|Event||Portion of grade|
|Homework||33% (3% per assignment)|
|Exams||37% (18½% per exam)|
Grades are assigned based on the following scale.
Assignments are due the moment class starts. Late assignments will lose points according to the table below.
|Up to 24 hours late||15% reduction|
|24–48 hours late||30% reduction|
|More than 48 hours late||No credit|
If some external circumstance might cause you to be late, then you must notify your instructor in writing and before the assignment deadline in order to be considered for an exception. The act of notification does not automatically grant you an exception.