CS-510 Topics in Software Security

Taught by Mathias Payer. Fall semester 2023, 3 credit course.


Course overview

Unsafe languages like C/C++ are widely used for their great promise of performance. Unfortunately, these languages are prone to a large set of different types of memory and type errors that allow the exploitation of several attack vectors such as code reuse, privilege escalation, or information leaks. On a high level memory and type safety would solve all these problems. Safe languages can (somewhat) cheaply enforce these properties. Unfortunately, these guarantees come at a high cost if retrofitted onto existing languages.

When working with unsafe languages, three fundamental approaches exist to protect against software flaws: formal verification (proving the absence of bugs), software testing (finding bugs), and mitigation (protecting against the exploitation of bugs). In this seminar, we will primarily focus on recent advances in system security by looking at papers from recent top tier conferences.

This seminar explores three areas: the understanding of attack vectors, approaches to software testing, and mitigation strategies. First you need to understand what kind of software flaws exist in low level software and how those flaws can be exploited.

Each student will pick one topic from the list of topics below. The student is expected to organize the material and prepare a presentation of the topic for the other students. The main goals of this seminar are:

  1. understanding and defining the security policy and corresponding guarantees/trade-offs implemented by given work;
  2. reasoning about the power and effectiveness (completeness in regard to attack vectors covered, strength of the guarantees, and effectiveness) of different security policies (and being able to compare between them);
  3. reasoning on the computational and resource cost of mechanisms and possible downsides;
  4. alternative implementations of the policy at other levels of abstraction.
  5. developing skills to present a technical topic in computer science to an audience of peers;
  6. learning how to identify possible research topics and articulating differences to existing related work.

Your grade is based on:

  1. technical presentation of your topic (40%);
  2. writing a one page summary of your presentation with key topics/aspects mentioned during the discussion (20%), writing a one page summary of the discussion of the presentation of a colleague (30%); for both summaries, the suggested layout is 2/3 column summary of the paper, 2/3 column summary of the discussion and 2/3 column with your own reflections;
  3. active participation in class which includes reading the assigned papers and asking questions/participating in the discussions (10%).

Your summaries are expected to be written using the acm two-column format. You must submit them at most one week after the presentations.


The seminar meets Tuesdays from 10:15 to 12:00 in INM203. A draft of the schedule looks as follows but remember that no plan survives contact with reality!

Date Presenter Scribe Topic
19/9 Mathias Payer Introduction
26/9 Leon Windler Annamira O'Toole Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues (SEC'23)
Erchang Ni Duo Xu Mitigating Security Risks in Linux with KLAUS: A Method for Evaluating Patch Correctness (SEC'23)
3/10 Wouter Van Hoof Leon Windler WaVe: a verifiably secure WebAssembly sandboxing runtime (Oakland'23)
Lothaire Aubergeon Stefan Popescu Drone Security and the Mysterious Case of DJI's DroneID (NDSS'23)
10/10 Emilien Duc Antoine Moix Evocatio: Conjuring Bug Capabilities from a Single PoC (CCS'22)
Senne Van Den Broeck Maxime Zammit Medusa Attack: Exploring Security Hazards of In-App QR Code Scanning (SEC'23)
17/10 Johan Belloy Vincenzo Pellegrini BLEDiff: Scalable and Property-Agnostic Noncompliance Checking for BLE Implementations (Oakland'23)
Felix Schoellen Raymond Nasr VIPER: Spotting Syscall-Guard Variables for Data-Only Attacks (SEC'23)
24/10 Annamira O'Toole Senne Van Den Broeck One Server for the Price of Two: Simple and Fast Single-Server Private Information Retrieval (SEC23)
Stefan Popescu Felix Schoellen Are Consumers Willing to Pay for Security and Privacy of IoT Devices? (SEC'23)
31/10 Adrien Rey Wouter Van Hoof WarpAttack: Bypassing CFI through Compiler-Introduced Double-Fetches (Oakland'23)
Han Zheng Zurab Tsinadze DAFL: Directed Grey-box Fuzzing guided by Data Dependency (SEC23)
7/11 Antoine Moix Adrien Rey How IoT Recycling Threatens Your Sensitive Data: Exploring the User-Data Disposal in Used IoT Devices (Oakland'23)
Luca Zunino Han Zheng Improving Logging to Reduce Permission Over-Granting Mistakes (SEC23)
14/11 Maxime Zammit Emilien Duc Bug Hunters' Perspectives on the Challenges and Benefits of the Bug Bounty Ecosystem (SEC'23)
Zurab Tsinadze Emma-Andreea Chirlomez UTOPIA: Automatic Generation of Fuzz Driver using Unit Tests (Oakland'23)
21/11 Vincenzo Pellegrini Ruben Burdin TRUST: A Compilation Framework for In-process Isolation to Protect Safe Rust against Untrusted Code (SEC'23)
Emma-Andreea Chirlomez Erchang Ni LibAFL: A Framework to Build Modular and Reusable Fuzzer (CCS22)
28/11 Pei Weng Michaël Tasev No Linux No Problem: Fast and Correct Windows Binary Fuzzing via Target-embedded Snapshotting (SEC'23)
Duo Xu Aleksandra Bozhinoska Fuzztruction: Using Fault Injection-based Fuzzing to Leverage Implicit Domain Knowledge (SEC'23)
5/12 Raymond Nasr Lothaire Aubergeon Security and Privacy Failures in Popular 2FA Apps (SEC'23)
Ruben Burdin Johan Belloy Taxonomy of Attacks on Open-Source Software Supply Chains (Oakland'23)
12/12 Pietro Moretto Luca Zunino Uncontained: Uncovering Container Confusion in the Linux Kernel (SEC'23)
Aleksandra Bozhinoska Brice Theurillat autofz: Automated Fuzzer Composition at Runtime (SEC23)
19/12 Brice Theurillat Pei Weng FuzzJIT: Oracle-Enhanced Fuzzing for JavaScript Engine JIT Compiler (SEC'23)
Michaël Tasev Pietro Moretto Vulnerability Discovery for All: Experiences of Marginalization in Vulnerability Discovery (SP'23)

Topic presentations

The length of presentations for research papers should be between around 30 minutes, followed by 15 minutes of discussion. You can structure the presentation as follows:

  1. Motivation of the paper (1-2 slides, ~5 minutes)
  2. Key research questions (1-2 slides, ~5 minutes)
  3. Presentation of the core design and implementation of the research paper (4-8 slides, ~10 minutes)
  4. Evaluation of the security policy (2-3 slides, ~5 minutes)
  5. Material for discussion: advantages, disadvantages, limitations of the approach (2-3 slides, ~5 minutes)
  6. Summary slide of the paper: policy, defense property (at which point in memory model), implementation (language, compiler, or runtime)

When preparing the presentation, send a PDF version of your slides to Mathias before your talk.


This list is non-exhaustive and the list may be adapted during class and students may suggest other recent software security papers they are interested in. The open book Software Security: Principles, Policies, and Protection1 provides an overview of many topics but does not go into depth for each policy. Similarly, the Eternal War in Memory2 presents an overview of the software security landscape.

Automated Fuzz Testing

Bugs everywhere


Security Architectures

You can find the papers through DBLP or the corresponding websites:


  1. Software Security: Principles, Policies, and Protection. Mathias Payer↩︎

  2. SoK: Eternal War in Memory. Laszlo Szekeres, Mathias Payer, Tao Wei, and Dawn Song. In Oakland'13: Proc. Int'l Symp. on Security and Privacy, 2013.↩︎