Software Security - 2025

Instructor:
Cătălin Bîrjoveanu
(catalin.birjoveanu@uaic.ro)
Objectives:
Topics:
  • Set-UID Privileged Programs and Attacks
  • Environment Variables and Attacks
  • Shellshock Attack
  • Security in the Software Development Life Cycle
  • Buffer Overflow Attacks
  • Shellcode Injection Attacks
  • Return-to-libc and ROP Attacks
  • Format String Attacks
  • Race Condition Attacks
  • SQL Injection Attacks
  • Cross-Site Scripting Attacks
  • Software Security Principles

Attacks Lab:

Lab exercises that help students understand the software security principles discussed in the course and apply those principles to solve real problems using the Linux operating system. The exercises focus on analyzing software systems to find security vulnerabilities, exploiting those vulnerabilities, and applying the prevention techniques that help defend against such attacks. The vulnerabilities studied are: Attack Vectors on Set-UID Programs, Attacks through Environment Variables, Shellshock, Shellcode Injections, Return-to-libc, Format Strings, Race Conditions, SQL Injections, Cross-Site Scripting.


Lecture Notes | References
Set-UID Privileged Programs and Attacks | Wenliang Du, Computer Security: A Hands-on Approach, 2022, Chapters 1, 2.
Environment Variables and Attacks | Wenliang Du, Computer Security: A Hands-on Approach, 2022, Chapter 3.
Shellshock Attack | Wenliang Du, Computer Security: A Hands-on Approach, 2022, Chapter 16.
Buffer Overflow Attacks | Michael Howard, David LeBlanc, John Viega, 24 Deadly Sins of Software Security, 2009.
BlueBorne Attacks, 2017.
Ticketbleed Attack, 2017.
Shellcode Injection Attacks | Wenliang Du, Computer Security: A Hands-on Approach, 2022, Chapter 4.
Aleph One, Smashing The Stack For Fun And Profit, 1996.
Return-to-libc and ROP Attacks | Wenliang Du, Computer Security: A Hands-on Approach, 2022, Chapter 5.
Protection Mechanisms Against Buffer Overflow Attacks | Ulfar Erlingsson, Yves Younan, Frank Piessens, Low-Level Software Security by Example, Springer, 2010.
Format String Attacks | Wenliang Du, Computer Security: A Hands-on Approach, 2022, Chapter 6.
Software Security Vulnerabilities
Race Condition Attacks | Wenliang Du, Computer Security: A Hands-on Approach, 2022, Chapter 7.
SQL Injection Attacks | Justin Clarke, SQL Injection Attacks and Defense, 2nd Edition, Elsevier, 2012.
Cross-Site Scripting (XSS) Attacks | Dafydd Stuttard, Marcus Pinto, The Web Application Hacker's Handbook - Finding and Exploiting Security Flaws, 2nd Edition, John Wiley & Sons, 2011, Chapter 12.
Mike West, Joe Medley, Content Security Policy, 2020.
W3C Web Application Security Working Group, Content Security Policy Level 3, 2025.

Attacks Lab | References
Set-UID Privileged Programs | Set-UID Privileged Programs and Attacks, Lecture Notes.
Attacks on Set-UID Privileged Programs
Attacks through Environment Variables | Environment Variables and Attacks, Lecture Notes.
Shellshock Attack | Shellshock Attack, Lecture Notes.
Exercises
Shellcode Injection Attacks | Shellcode Injection Attacks, Lecture Notes.
Protection Mechanisms Against Buffer Overflow Attacks | Protection Mechanisms Against Buffer Overflow Attacks, Lecture Notes.
Return-to-libc Attacks | Return-to-libc and ROP Attacks, Lecture Notes.
Race Condition Attacks | Race Condition Attacks, Lecture Notes.
Defeating dash Protection
SQL Injection Attacks | SQL Injection Attacks, Lecture Notes.
Cross-Site Scripting (XSS) Attacks | Cross-Site Scripting (XSS) Attacks, Lecture Notes.
Scores/Grades