• Class Number 3836
  • Term Code 3530
  • Class Info
  • Unit Value 6 units
  • Mode of Delivery In Person
  • COURSE CONVENER
    • Dr Alwen Tiu
  • LECTURER
    • Dr Adrian Herrera
    • Dr Alwen Tiu
  • Class Dates
  • Class Start Date 17/02/2025
  • Class End Date 23/05/2025
  • Census Date 31/03/2025
  • Last Date to Enrol 24/02/2025

Software Security covers advanced techniques in software vulnerability assessment, discovery and mitigation. These include: common patterns in software vulnerabilities, such as stack-based buffer overflow, format string vulnerabilities, and heap-based vulnerabilities; exploitation techniques such as code injection and return-oriented programming; techniques for vulnerability discovery, such as reverse engineering of program binaries, fuzzing and symbolic execution; and mitigation techniques such as memory protection mechanisms, input sanitation, and control flow integrity protection. The course features hands-on lectures and labs to analyse software vulnerabilities, both in the source code and in program binaries, and design and implement appropriate mitigation techniques.

Learning Outcomes

Upon successful completion, students will have the knowledge and skills to:

  1. Demonstrate a thorough understanding of common sources of vulnerabilities in software.
  2. Demonstrate a thorough understanding of exploitation techniques against software vulnerabilities and defensive techniques against these exploitations.
  3. Demonstrate proficiency in software reverse engineering.
  4. Demonstrate proficiency in vulnerability discovery processes, from both source code and binary.
  5. Apply the vulnerability discovery techniques to real-world software, analyse their vulnerabilities and design and implement appropriate mitigation techniques.

Research-Led Teaching

This course covers both foundational and advanced topics in binary analysis and exploitation, including state-of-the-art exploitation techniques and vulnerability discovery techniques taught by researchers and practitioners in the field.

Examination Material or equipment

All examination materials are permitted.

Required Resources

Main textbooks:

- [DA19] Dennis Andriesse. Practical Binary Analysis - Build Your Own Linux Tools for Binary Instrumentation, Analysis and Disassembly. No Starch Press, 2019.

- [WD19] Wenliang Du. Computer Security: A Hands-on Approach. 2nd edition, 2019.


Other references:

- [CA07] Chris Anley, Felix Lindner, and John Heasman. The Shellcoder’s Handbook. 2nd edition, Wiley, 2007.

- [AH12] Andrew Honig and Michael Sikorski. Practical Malware Analysis. No Starch Press, 2012.

- Research papers and online references - to be provided in due course.


The labs will make extensive use of various tools. These will be provided as virtual machine (VM) images. Links to download these VMs will be provided during the labs.

Whether you are on campus or studying online, there are a variety of online platforms you will use to participate in your study program. These could include videos for lectures and other instruction, two-way video conferencing for interactive learning, email and other messaging tools for communication, interactive web apps for formative and collaborative activities, print and/or photo/scan for handwritten work and drawings, and home-based assessment.

ANU outlines recommended student system requirements to ensure you are able to participate fully in your learning. Other information is also available about the various Learning Platforms you may use.

Staff Feedback

Students will be given feedback in the following forms in this course:

  • written comments
  • verbal comments
  • feedback to whole class, groups, individuals, focus group etc

Student Feedback

ANU is committed to the demonstration of educational excellence and regularly seeks feedback from students. Students are encouraged to offer feedback directly to their Course Convener or through their College and Course representatives (if applicable). Feedback can also be provided to Course Conveners and teachers via the Student Experience of Learning & Teaching (SELT) feedback program. SELT surveys are confidential and also provide the Colleges and ANU Executive with opportunities to recognise excellent teaching, and opportunities for improvement.

Other Information

Workload.

130 hours of student learning time across the semester includes:

  • 5 hours scheduled time each week (3 lectures and one 2-hour lab) for 12 weeks.
  • Students are expected to spend an average of 5-6 hours per week outside of scheduled labs practicing programming, which includes work on assignments, practice exercises, online activities, group meetings, and reading.

The use of Generative AI Tools (e.g., ChatGPT) is permitted in this course, given that proper citation and prompts are provided, along with a description of how the tool contributed to the assignment. Guidelines regarding appropriate citation and use can be found on the ANU library website (https://libguides.anu.edu.au/generative-ai). Marks will reflect the contribution of the student rather than the contribution of the tools. Further guidance on appropriate use should be directed to the course convener.

Class Schedule

| Week/Session | Summary of Activities | Assessment |
|---|---|---|
| 1 | Basics of x86/x64 assembly; Linux internals and binary formats. | |
| 2 | Basic binary analysis | Online quiz |
| 3 | Disassembly and simple code injection | Assignment 1 released |
| 4 | Advanced binary analysis | |
| 5 | Stack-based exploitation | Assignment 1 due |
| 6 | Return-oriented programming | |
| 7 | Heap exploitation (part 1) | |
| 8 | Heap exploitation (part 2) | Assignment 2 released |
| 9 | Binary instrumentation | |
| 10 | Fuzzing | Assignment 2 due |
| 11 | Symbolic execution: basic concepts and tools | |
| 12 | Vulnerability discovery and exploit generation (guest lectures) | |

Tutorial Registration

ANU utilises MyTimetable to enable students to view the timetable for their enrolled courses, browse, then self-allocate to small teaching activities / tutorials so they can better plan their time. Find out more on the Timetable webpage.

Assessment Summary

| Assessment task | Value | Due Date | Return of assessment | Learning Outcomes |
|---|---|---|---|---|
| Quiz | 5 % | 06/03/2025 | 13/03/2025 | 3,4 |
| Assignment 1 | 15 % | 20/03/2025 | 31/03/2025 | 1,3,4 |
| Mid Semester Test | 25 % | * | * | 1,3,4 |
| Assignment 2 | 25 % | 08/05/2025 | 26/05/2025 | 1,2,3,4,5 |
| Final Examination | 30 % | * | * | 1,2,3,4,5 |

* If the Due Date and Return of Assessment date are blank, see the Assessment Tab for specific Assessment Task details

Policies

ANU has educational policies, procedures and guidelines, which are designed to ensure that staff and students are aware of the University’s academic standards, and implement them. Students are expected to have read the Academic Integrity Rule before the commencement of their course. Other key policies and guidelines include:

Assessment Requirements

The ANU is using Turnitin to enhance student citation and referencing techniques, and to assess assignment submissions as a component of the University's approach to managing Academic Integrity. For additional information regarding Turnitin please visit the Academic Skills website. In rare cases where online submission using Turnitin software is not technically possible; or where not using Turnitin software has been justified by the Course Convener and approved by the Associate Dean (Education) on the basis of the teaching model being employed; students shall submit assessment online via ‘Wattle’ outside of Turnitin, or failing that in hard copy, or through a combination of submission methods as approved by the Associate Dean (Education). The submission method is detailed below.

Moderation of Assessment

Marks that are allocated during Semester are to be considered provisional until formalised by the College examiners meeting at the end of each Semester. If appropriate, some moderation of marks might be applied prior to final results being released.

Examination(s)

The final examination will be a computer-based examination, taking the form of a CTF challenge.

Assessment Task 1

Value: 5 %
Due Date: 06/03/2025
Return of Assessment: 13/03/2025
Learning Outcomes: 3,4

Quiz

This quiz will test your basic knowledge of x86/x64 assembly and ELF binary format. It will take the form of an online quiz hosted on Wattle. It is a lightweight assessment item intended to prepare students for the more advanced material in the following weeks.

Results and feedback will be provided prior to the Census date.

Assessment Task 2

Value: 15 %
Due Date: 20/03/2025
Return of Assessment: 31/03/2025
Learning Outcomes: 1,3,4

Assignment 1

This assignment will feature problems related to binary analysis techniques. It will use a 'capture the flag' (CTF) format, where a successful exploitation would result in a unique 'flag' (that can be any random text). Students will be assessed based on the correctness of the submitted flag, modified program binaries (when applicable), and a brief written response for each question.

Assessment Task 3

Value: 25 %
Learning Outcomes: 1,3,4

Mid Semester Test

This mid semester test covers topics related to software reverse engineering and binary analysis.

The test will take place around Week 6/Week 7 -- exact details of the timing and the venue will be provided in Week 4.

The first part is an in-person test, to be held in a computer lab.

  • The format of the test is in the Capture-the-Flag (CTF) style, similar to Assignment 1.
  • During the test, students will perform hands-on reverse engineering and binary analysis to uncover hidden flags in the given questions and submit them through an online platform.
  • Students are allowed to bring any printed material, but no personal communication devices or computers are allowed.
  • Access to specific online reference materials will be through lab computers.

The second part is a short written report.

  • In your report, explain your solution/s.
  • Submit your report within 24 hours after the in-person test through an online platform.


Assessment Task 4

Value: 25 %
Due Date: 08/05/2025
Return of Assessment: 26/05/2025
Learning Outcomes: 1,2,3,4,5

Assignment 2

This assignment will feature problems related to vulnerability analysis and exploitation techniques.

  • This assignment uses the same CTF format as in Assignment 1, but there is a greater emphasis on demonstrating a deeper understanding of the sources of vulnerability in software and the exploitation methods.
  • Each student is required to submit a detailed written report demonstrating their approach to solving the problems.

Assessment Task 5

Value: 30 %
Learning Outcomes: 1,2,3,4,5

Final Examination

The final examination will take the form of a CTF challenge, in the same format as the Mid Semester Test, and covers topics related to vulnerability discovery and exploitation.

The format of the test is in the Capture-the-Flag (CTF) style, similar to Assignment 1.

Part 1: During the exam, students will perform hands-on vulnerability analysis and exploitation to uncover hidden flags in the given questions and submit them through an online platform.

This is an in-person exam, to be held in a computer lab.

Students are allowed to bring any printed material, but no personal communication devices or computers are allowed.

Access to specific online reference materials will be available through the lab computers.

Part 2: Students are required to submit a short written report explaining their solutions within 24 hours after the in-person exam.

Academic Integrity

Academic integrity is a core part of the ANU culture as a community of scholars. The University’s students are an integral part of that community. The academic integrity principle commits all students to engage in academic work in ways that are consistent with, and actively support, academic integrity, and to uphold this commitment by behaving honestly, responsibly and ethically, and with respect and fairness, in scholarly practice.


The University expects all staff and students to be familiar with the academic integrity principle, the Academic Integrity Rule 2021, the Policy: Student Academic Integrity and Procedure: Student Academic Integrity, and to uphold high standards of academic integrity to ensure the quality and value of our qualifications.


The Academic Integrity Rule 2021 is a legal document that the University uses to promote academic integrity, and manage breaches of the academic integrity principle. The Policy and Procedure support the Rule by outlining overarching principles, responsibilities and processes. The Academic Integrity Rule 2021 commences on 1 December 2021 and applies to courses commencing on or after that date, as well as to research conduct occurring on or after that date. Prior to this, the Academic Misconduct Rule 2015 applies.

 

The University commits to assisting all students to understand how to engage in academic work in ways that are consistent with, and actively support academic integrity. All coursework students must complete the online Academic Integrity Module (Epigeum), and Higher Degree Research (HDR) students are required to complete research integrity training. The Academic Integrity website provides information about services available to assist students with their assignments, examinations and other learning activities, as well as understanding and upholding academic integrity.

Online Submission

You will be required to electronically sign a declaration as part of the submission of your assignment. Please keep a copy of the assignment for your records.

For Assignment 2, unless an exemption has been approved by the Associate Dean (Education), submission of the written component must be done through Turnitin.

Hardcopy Submission

For some forms of assessment (hand written assignments, art works, laboratory notes, etc.) hard copy submission is appropriate when approved by the Associate Dean (Education). Hard copy submissions must utilise the Assignment Cover Sheet. Please keep a copy of tasks completed for your records.

Late Submission

Late submission is not permitted. For each assessment item, unless otherwise approved by the course convener, a late submission will receive a 100% penalty of the possible mark for the assignment.

Referencing Requirements

The Academic Skills website has information to assist you with your writing and assessments. The website includes information about Academic Integrity including referencing requirements for different disciplines. There is also information on Plagiarism and different ways to use source material. Any use of artificial intelligence must be properly referenced. Failure to properly cite use of Generative AI will be considered a breach of academic integrity.

Extensions and Penalties

Extensions and late submission of assessment pieces are covered by the Student Assessment (Coursework) Policy and Procedure. Extensions may be granted for assessment pieces that are not examinations or take-home examinations. If you need an extension, you must request an extension in writing on or before the due date. If you have documented and appropriate medical evidence that demonstrates you were not able to request an extension on or before the due date, you may be able to request it after the due date.

Privacy Notice

The ANU has made a number of third party, online, databases available for students to use. Use of each online database is conditional on student end users first agreeing to the database licensor’s terms of service and/or privacy policy. Students should read these carefully. In some cases student end users will be required to register an account with the database licensor and submit personal information, including their: first name; last name; ANU email address; and other information.
In cases where student end users are asked to submit ‘content’ to a database, such as an assignment or short answers, the database licensor may only use the student’s ‘content’ in accordance with the terms of service – including any (copyright) licence the student grants to the database licensor. Any personal information or content a student submits may be stored by the licensor, potentially offshore, and will be used to process the database service in accordance with the licensor’s terms of service and/or privacy policy.
If any student chooses not to agree to the database licensor’s terms of service or privacy policy, the student will not be able to access and use the database. In these circumstances students should contact their lecturer to enquire about alternative arrangements that are available.

Distribution of grades policy

Academic Quality Assurance Committee monitors the performance of students, including attrition, further study and employment rates and grade distribution, and College reports on quality assurance processes for assessment activities, including alignment with national and international disciplinary and interdisciplinary standards, as well as qualification type learning outcomes.

Since first semester 1994, ANU has used a grading scale for all courses. This grading scale is used by all academic areas of the University.

Support for students

The University offers students support through several different services. You may contact the services listed below directly or seek advice from your Course Convener, Student Administrators, or your College and Course representatives (if applicable).

  • ANU Health, safety & wellbeing for medical services, counselling, mental health and spiritual support
  • ANU Accessibility for students with a disability or ongoing or chronic illness
  • ANU Dean of Students for confidential, impartial advice and help to resolve problems between students and the academic or administrative areas of the University
  • ANU Academic Skills supports you to make your own decisions about how you learn and manage your workload.
  • ANU Counselling promotes, supports and enhances mental health and wellbeing within the University student community.
  • ANUSA supports and represents all ANU students
Dr Alwen Tiu
61253666
COMP3703@anu.edu.au

Research Interests


computational logic, formal methods, cyber security

Dr Alwen Tiu

By Appointment
Sunday
Dr Adrian Herrera
61253666
COMP3703@anu.edu.au

Research Interests


computational logic, formal methods, cyber security

Dr Adrian Herrera

Sunday