Security Aspects in Software Development

Course numbers 705024 and 705025 | Winter semester 2019/20

Content

The course provides insights into the security aspects of software developed in C and C++. This includes the ability to recognize and classify bugs, (efficiently) find bugs, exploit bugs, fix bugs, and prevent bugs in the first place.

In the lecture part, we provide the theory behind these topics and we learn about state-of-the-art techniques and how they work.

In the first part of the practical exercises, you have to find and exploit bugs in (vulnerable) code we provide (so-called hacklets). In the second part of the practical exercises, you write your own secure code and we will try to find and exploit bugs in your code (Hint: we shall not succeed if you want to pass the course).

Material

The slides are available here after the end of each lecture.

Date Topic Additional Information
04.10.2019 Introduction + Low Level Slides
11.10.2019 Slides
18.10.2019 Slides
25.10.2019 Slides
04.11.2019 Slides
08.11.2019 Slides
15.11.2019 Slides
22.11.2019 Slides
29.11.2019 Slides
06.12.2019 Slides
13.12.2019 Slides
Holidays
10.01.2020 Slides
17.01.2020 Slides
24.01.2020 Slides

Older slides can be found here.

Administrative Information

Communication

Newsgroup tu-graz.lv.sicherheitsaspekte

E-mail sicherheitsaspekte@iaik.tugraz.at


Lecture Challenges (VO)

During the lecture, we will present small “Lecture Challenges” as a bonus. These challenges are optional, but solving them results in bonus points for the VO exam.

The Challenges

The aim of the challenges is to dig deeper into a certain topic of the respective lecture. Thus, it is advisable to try to complete the challenge soon after the lecture.

The description of the challenges can always be found in the lecture slides as well as in https://sasd.is.attacking.systems.

Submission

All challenges have to be submitted to https://sasd.is.attacking.systems, the SASD CTF platform.

Rules

  • Challenges have to be solved on your own
  • All challenges have to be submitted to https://sasd.is.attacking.systems, only submitted challenges count
  • The bonus points are only valid for the first two exam dates
  • To get the bonus points, you have to write your username on the exam sheet
  • Bonus points cannot turn a negative exam result into a positive one, i.e., they only count if you have already passed the exam on your own

Administrative Information – Practicals (KU)


Timetable

Date Topic Additional Information
02.10.2019 Introduction + Assignment 0 – Warmup i12, Slides-00, Slides-01
09.10.2019 Hands-on Tutorial Seminar room, Material
09.10.2019 LosFuzzys Beginner’s Tutorial Seminar room, optional, in the evening
16.10.2019 Assignment 1 – Hacklets + Tutorial ROP I i12
18.10.2019, 23.59 Deadline Warmup
23.10.2019 Tutorial ROP II i12
30.10.2019 LosFuzzys i12, optional
06.11.2019 Question Hour Hacklets Seminar room
13.11.2019 Question Hour Hacklets Seminar room
15.11.2019, 23.59 Deadline Hacklets
20.11.2019 Assignment 2 – Defensive Programming i12
22.11.2019, 23.59 Deadline Hacklets 2nd Chance
27.11.2019 Tutorial Defensive I i12
04.12.2019 Tutorial Defensive II i12
11.12.2019 Question Hour Defensive Programming Seminar room
Holidays
08.01.2020 Question Hour Defensive Programming Seminar room
10.01.2020, 23.59 Deadline Defensive Programming
17.01.2020, 23.59 Deadline Defensive Programming 2nd Chance
22+23.01.2020 Oral Exams Seminar room, mandatory


Grading

The practicals are divided into three parts:

  • assignment0: Warmup
  • assignment1: Hacklets
  • assignment2: Defensive programming

You need to pass each assignment individually to pass the course. This means you need to achieve at least 50% of the points of every assignment.

Your final mark consists of:

  • Points for each assignment
    • Bonus points count only if you have achieved at least 50% of the points of the assignment
  • Oral exam performance

Your final grade is calculated by:

(percentage(assignment1) + percentage(assignment2))/2 * percentage(OralExam)


Marks

Percentage Grade
> 90% Sehr gut (1, very good)
78.5% – 90% Gut (2, good)
67.5% – 78.49% Befriedigend (3, satisfactory)
50% – 67.49% Genügend (4, sufficient)
< 50% Nicht genügend (5, insufficient)


Oral exam

After the deadline of all assignments, there will be an oral exam. The oral exam is mandatory. You select one of several time slots; in the exam, you need to be able to answer questions about each assignment and task that you completed.

However, insufficient answers lead to point deductions, which can even result in a negative grade. We will provide more information on what you need to know for the oral exam for each assignment individually.


Plagiarism

We encourage discussions with other students and really appreciate that. However, we do not tolerate any plagiarism at all. We will check all submissions for plagiarism. All affected students will receive 0 points and an Ungültig/Täuschung (invalid/cheating) grade with all its consequences.

Thus, do not give away your source code to other students. You are responsible for protecting your source code from unintended access by others. In the end, we do not want you to copy code and solutions. We want you to learn and understand the topics for yourself!


Second chance

If you fail one assignment but pass the other, there is the option to take a second chance. In second chance mode, you have the possibility to get a positive grade with an extended deadline and an individual, extended oral exam:

  • Only for one assignment
  • Extended deadline
  • Extended oral exam
  • Points above 50% are divided by two for this assignment

We do not recommend the second chance mode and advise you to start early with the assignments to receive a positive grade in the first place.


Practicals – Framework

Upstream Repository

All assignments are pushed to the following upstream repository: https://extgit.iaik.tugraz.at/sase/practicals/2019/exercise2019-upstream.git. Merge this upstream repository into your local repository to receive the assignments and optional patches or fixes, as follows:

git remote add upstream https://extgit.iaik.tugraz.at/sase/practicals/2019/exercise2019-upstream.git
git pull upstream master


Your Repository

As soon as the deadline for the course registration closes, you are given access to a git repository in our teaching git where you have to push your submission. This will happen around 14.10.2019. Until then, please use an empty local repository by following these instructions:

mkdir sasd2019
cd sasd2019
git init
git remote add upstream https://extgit.iaik.tugraz.at/sase/practicals/2019/exercise2019-upstream.git
git pull upstream master


Final submission / Tags

Your final submission must be tagged correctly with a git tag. The tag label starts with the assignment, followed by a dash and a number.

As an example, assignment1-1 is the label for the first submission of the first assignment. As you cannot delete tags, you update your final submission by increasing the appended number, e.g. assignment1-15. In the end, the tag with the highest number pushed before the deadline counts.
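As an added example (not part of the course framework), a small POSIX shell helper that applies this rule to a list of tag names: it picks the tag with the highest number for one assignment and derives the next label to use. The tag list is read from standard input, so either the output of `git tag` or the constructed sample below can be fed in.

```shell
#!/bin/sh
# Added example (not part of the course framework): work out which submission
# tag counts and which one to create next, following the "assignmentN-K" scheme.
# Tag names are read from stdin so the functions can be fed `git tag` output
# or, as below, a constructed list.

# Print the tag with the highest K for the given assignment (empty if none).
# A plain `sort` would rank assignment1-9 above assignment1-15, so the number
# after the dash is sorted numerically (-k2,2n).
highest_submission_tag() {
  grep -E "^$1-[0-9]+$" | sort -t- -k2,2n | tail -n 1
}

# Print the next tag label to use: highest K plus one, or K=1 if no tag exists.
next_submission_tag() {
  last=$(highest_submission_tag "$1")
  if [ -z "$last" ]; then
    echo "$1-1"
  else
    echo "$1-$(( ${last##*-} + 1 ))"
  fi
}

# Constructed sample tag list standing in for `git tag` output. The last entry
# does not follow the scheme and must be ignored.
SAMPLE_TAGS='assignment0
assignment1-1
assignment1-9
assignment1-15
assignment2-3
assignment1-15-wip'

# Against a real repository: git tag | highest_submission_tag assignment1
printf '%s\n' "$SAMPLE_TAGS" | highest_submission_tag assignment1   # assignment1-15
printf '%s\n' "$SAMPLE_TAGS" | next_submission_tag assignment1      # assignment1-16
```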


Test system

Your submissions will be tested automatically by our test system. Thus, you need to meet the file-naming constraints of the individual assignments. Otherwise, all tests will fail and you will receive 0 points for the assignment.

Soon after submitting, you will receive binary (pass/fail) feedback for each task group that you have submitted: whether the project compiles, whether your implemented functions behave correctly, and whether your submitted solution is correct. The test system uses the reference image for its evaluation.


Reference image

We provide you with a Docker reference image. The reference image is based on Ubuntu and contains pre-installed tools and compilers that help you throughout the assignments. The Docker image can be used via the docker.sh script located in the upstream repository. To fetch the script, execute git pull upstream master.

To get the latest Docker image, execute ./docker.sh update.

To run Docker in the current directory, execute ./docker.sh run.

To run Docker in a different directory named <path>, execute ./docker.sh run <path>.

If you run this script inside a hacklet directory, it automatically executes the execute-permission.sh script which runs your exploit with correct permissions.

Practicals – Assignments

Assignment 0 – Warmup

In this assignment, you shall solve an introductory hacklet to get started. While this assignment is mandatory, you do not get any points. Instead, by solving it you show your intent to actually do this course. If you do not solve it, you won’t get a grade.

Submission tag: assignment0

Deadline: 18.10.2019, 23.59

Lecture Dates

Date Begin End Location Event Type Comment
2019/10/16 10:15 11:00 HS i12 "BearingPoint Hörsaal" Session KU fixed
2019/10/18 12:00 14:00 HS i12 "BearingPoint Hörsaal" Session VO fixed
2019/10/23 10:15 11:00 HS i12 "BearingPoint Hörsaal" Session KU fixed
2019/10/25 12:00 14:00 HS i12 "BearingPoint Hörsaal" Session VO fixed
2019/10/30 10:15 11:00 HS i12 "BearingPoint Hörsaal" Session KU fixed
2019/11/06 10:15 11:00 HS i12 "BearingPoint Hörsaal" Session KU fixed
2019/11/08 12:00 14:00 HS i12 "BearingPoint Hörsaal" Session VO fixed
2019/11/13 10:15 11:00 HS i12 "BearingPoint Hörsaal" Session KU fixed
2019/11/15 12:00 14:00 HS i12 "BearingPoint Hörsaal" Session VO fixed
2019/11/20 10:15 11:00 HS i12 "BearingPoint Hörsaal" Session KU fixed
2019/11/22 12:00 14:00 HS i12 "BearingPoint Hörsaal" Session VO fixed
2019/11/27 10:15 11:00 HS i12 "BearingPoint Hörsaal" Session KU fixed
2019/11/29 12:00 14:00 HS i12 "BearingPoint Hörsaal" Session VO fixed
2019/12/04 10:15 11:00 HS i12 "BearingPoint Hörsaal" Session KU fixed
2019/12/06 12:00 14:00 HS i12 "BearingPoint Hörsaal" Session VO fixed
2019/12/11 10:15 11:00 HS i12 "BearingPoint Hörsaal" Session KU fixed
2019/12/11 17:00 19:00 HS i1 Setup and preparation VO fixed
2019/12/13 12:00 14:00 HS i12 "BearingPoint Hörsaal" Session VO fixed
2020/01/08 10:15 11:00 HS i12 "BearingPoint Hörsaal" Session KU fixed
2020/01/10 12:00 14:00 HS i12 "BearingPoint Hörsaal" Session VO fixed
2020/01/15 10:15 11:00 HS i12 "BearingPoint Hörsaal" Session KU fixed
2020/01/17 12:00 14:00 HS i12 "BearingPoint Hörsaal" Session VO fixed

Lecturers

Daniel Gruß, Assistant Professor
Moritz Lipp, PhD Candidate
Michael Schwarz, PhD Candidate
Martin Schwarzl, PhD Student
Samuel Weiser, PhD Candidate