Syllabus

Overview
Intended audience
1. Prerequisites
Course outline
Grading policies
Textbook and other resources
Course mechanics
Teaching with COVID-19 considerations
1. Alternating mode of lectures
2. Interactive sessions
Highlighted university policies
Territorial acknowledgement

This syllabus is a guideline for the course and not a contract. As such, its terms may be altered when doing so is, in the opinion of the instructor(s), in the best interests of the class.

Overview

This course provides an in-depth introduction to the state-of-the-art research on software security through the lens of program analysis, i.e., powerful techniques that can

discover vulnerabilities automatically, or
assist program hardening of with analysis results.

You will apply what we learn and discuss in the course by

playing a Capture-The-Flag (CTF) challenge and
coding a mini research project with options include (but are not limited to)
- extending the LLVM IR Bindings for Rust-based Analyzers (LIBRA) framework
- extending the Rust-SMT Transpiler (Rusmart)
- anything you are interested in or aligns with your research interests.

Students completing this course should

have a basic understanding of the software security research landscape,
be familiar with state-of-the-practice tools in program analysis toolbox, and
know how to critically read and judge a research work in software security.

Intended audience

Thesis-based or research-based graduate students, including both Master and PhD students.

Prerequisites

Familiarity with C and Rust (or C++) programming, and general security concepts / principles.

Course outline

Module - Introduction to Software Security

May 09: Lecture: Course logistics
May 16: Lecture: Memory corruption; Teaching TBD; Paper #1; Paper #2; Paper #3

Module - Toolbox for Program Analysis

May 30: Lecture: Declarative programming; Teaching TBD; Paper #1; Paper #2; Paper #3
Jun 06: Lecture: Abstract interpretation; Teaching TBD; Paper #1; Paper #2; Paper #3
Jun 13: Lecture: Symbolic execution; Teaching TBD; Paper #1; Paper #2; Paper #3

Module - Formal Program Reasoning

Jul 04: Lecture: Type systems; Teaching TBD; Paper #1; Paper #2; Paper #3
Jul 11: Lecture: Program logics; Teaching TBD; Paper #1; Paper #2; Paper #3
Jul 18: Lecture: Concurrency bugs; Teaching TBD; Paper #1; Paper #2; Paper #3

Module - Conclusion

Jul 25: InteractiveFinal project presentation

Grading policies

Score composition

Grades will be calculated as follows:

Paper presentation: (20%)
Capture-the-Flag: (30%)
Research project: (50%)

Please consult the course weekly schedule for assessment deadlines and assignments for details.

Late submissions

Late submissions are generally not accepted, i.e., any late submission will result in a 0 mark in that assignment component, unless there are long-lasting problems that impairs your ability to complete the assignments on time. You must notify your instructor(s) well before the due date of any severe, long-lasting problems that prevent you from completing an assignment on time.

Reappraisal policy

If you have an assignment that you would like to have reappraised, please email the instructor to submit a formal request. Include a clear justification for your claims. The appeals deadline is one week after the respective graded item is first made available.

For students auditing this course

Students who are auditing this course are encouraged to complete all assignments similar to grade-seeking students. To pass this course in auditing, the minimal requirements are

perform one paper presentation and
score at least 50% (overall) for the whole CTF exercise suite.

Textbook and other resources

No textbook is needed for this course.

You are highly encouraged to read papers from top-tier security conferences, including:

Course mechanics

Working remotely: The CSCF offers a help page regarding CS and campus VPNs.
Email: Important course information will generally be posted to the course website. For personal matters, such as an illness, please email the instructors directly. We will only reply back to email from your uwaterloo.ca email address, for privacy rules.

Teaching with COVID-19 considerations

Alternating mode of lectures

The course will flip between online mode (i.e., with recorded lectures) and on-campus mode (i.e., with live lectures) in accordance with University policies and recommendations. Unfortunately due to the evolving nature of the pandemic, we are unable to guarantee on which portion of the course will be covered in which mode. Pay attention to announcements on this website for latest news during the term.

In online mode:

We will meet over Zoom.

In on-campus mode:

Live lectures will be conducted in the scheduled time and classroom.
All live lectures will be recorded and posted to LEARN for students who are unable to attend.
If the instructors are unable to conduct a live lecture on campus, we might do a live session over Zoom or use pre-recorded videos.
Instructor and TA office hours might be conducted on-campus but the teaching team will be available in virtual meeting rooms as well.

Only the style of lecturing will be different in the two modes. Other course components such as assignments, timelines, and the course content are not expected to change in general.

Interactive sessions

There will be six interactive sessions throughout this course, roughly one in every two weeks. See schedule for exact dates of these interactive sessions and the topics to be covered.

These sessions are an experiment in the the flipped classroom approach and as such, augment the lectures (some of which are recordings from a previous term). We encourage students to attend the interactive sessions, but attendance is voluntary and optional. The sessions will be recorded and made available via LEARN. The session will start with a brief recap, contain interactive exercises and allow students to ask questions. Questions may also be posted before the session on Piazza.

Highlighted university policies

Security information

In this course, you will be exposed to information about security problems and vulnerabilities with computing systems and networks. To be clear, you are not to use this or any other similar information to test the security of, break into, compromise, or otherwise attack, any system or network without the express consent of the owner. In particular, you will comply with all applicable laws and UW policies, including, but not limited to, the following:

Violations will be treated severely, and with zero tolerance.

Academic integrity

Students are encouraged to talk to one another, to the TAs, to the instructor(s), or to anyone else about any of the assignments. Any assistance, though, must be limited to discussion of the problem and sketching general approaches to a solution. Each student must write his or her own solutions, including code and documentation if appropriate, for the assignments. Consulting another student’s solution is prohibited, and submitted solutions may not be copied from any source. In particular, submitting assignments copied in whole or in part from assignment submissions to a previous offering of this course, or from any offering of any other course, is forbidden, even if a student is resubmitting his or her own work. These and any other forms of collaboration on assignments constitute cheating. If you have any questions about whether some activity constitutes cheating, please ask the instructor(s).

The general Faculty and University policy:

Academic integrity: In order to maintain a culture of academic integrity, members of the University of Waterloo community are expected to promote honesty, trust, fairness, respect and responsibility. Check the Office of Academic Integrity’s website for more information.
Grievance: A student who believes that a decision affecting some aspect of his/her university life has been unfair or unreasonable may have grounds for initiating a grievance. Read Policy 70 — Student Petitions and Grievances, Section 4. When in doubt please be certain to contact the department’s administrative assistant who will provide further assistance.
Discipline: A student is expected to know what constitutes academic integrity, to avoid committing academic offenses, and to take responsibility for his/her actions. A student who is unsure whether an action constitutes an offense, or who needs help in learning how to avoid offenses (e.g., plagiarism, cheating) or about “rules” for group work/collaboration should seek guidance from the course professor, academic advisor, or the Undergraduate Associate Dean. For information on categories of offenses and types of penalties, students should refer to Policy 71 — Student Discipline. For typical penalties, check Guidelines for the Assessment of Penalties.
Avoiding academic offenses: Most students are unaware of the line between acceptable and unacceptable academic behaviour, especially when discussing assignments with classmates and using the work of other students. For information on commonly misunderstood academic offenses and how to avoid them, students should refer to the Faculty of Mathematics Cheating and Student Academic Discipline Policy.
Appeals: A decision made or a penalty imposed under Policy 70, Student Petitions and Grievances (other than a petition) or Policy 71, Student Discipline may be appealed if there is a ground. A student who believes he/she has a ground for an appeal should refer to Policy 72 — Student Appeals.

Diversity

It is our intent that students from all diverse backgrounds and perspectives be well served by this course, and that students’ learning needs be addressed both in and out of class. We recognize the immense value of the diversity in identities, perspectives, and contributions that students bring, and the benefit it has on our educational environment. Your suggestions are encouraged and appreciated. Please let us know ways to improve the effectiveness of the course for you personally or for other students or student groups. In particular:

We will gladly honour your request to address you by an alternate/preferred name or gender pronoun. Please advise us of this preference early in the semester so we may make appropriate changes to our records.
We will honour your religious holidays and celebrations. Please inform of us these at the start of the course.
We will follow AccessAbility Services guidelines and protocols on how to best support students with different learning needs.

Note for Students with Disabilities: AccessAbility Services, located in Needles Hall North, Room 1401, collaborates with all academic departments to arrange appropriate accommodations for students with disabilities without compromising the academic integrity of the curriculum. If you require academic accommodations to lessen the impact of your disability, please register with AccessAbility at the beginning of each academic term.

Mental health support

The Faculty of Math encourages students to seek out mental health support if needed.

On-campus Resources:

Campus Wellness
Counselling Services: email or 519-888-4567 ext 32655
MATES: one-to-one peer support program offered by Federation of Students (FEDS) and Counselling Services: email
Health Services: located across the creek from the Student Life Centre, 519-888-4096

Off-campus Resources:

Good2Talk (24/7): Free confidential help line for post-secondary students, 1-866-925-5454
Here 24/7: Mental Health and Crisis Service Team, 1-844-437-3247
OK2BME: set of support services for lesbian, gay, bisexual, transgender or questioning teens in Waterloo, 519-884-0000 ext 213

Territorial acknowledgement

We acknowledge that we live and work on the traditional territory of the Attawandaron (Neutral), Anishinaabeg, and Haudenosaunee peoples. The University of Waterloo is situated on the Haldimand Tract, the land promised to the Six Nations that includes ten kilometres on each side of the Grand River.