Software Protection Techniques

A.Y. 2025/2026
Max ECTS: 6
Overall hours: 42
SSD: INF/01
Language: Italian
Learning objectives
In this course we will explore the foundations of software security. We will consider important software vulnerabilities and the attacks that exploit them -- such as buffer overflows, heap overflows and use-after-free -- and we will consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques such as symbolic execution and fuzzing.
Expected learning outcomes
Successful learners in this course will typically be able to apply basic low-level attack techniques such as buffer overflow and heap overflow. Moreover, they will be able to understand the state of the art of defensive techniques, along with specific program testing and program analysis techniques for discovering memory errors in C/C++ programs. The student should have completed junior-level undergraduate work in a technical field, have some familiarity with programming, ideally in C/C++, and have prior exposure to algorithms.
Single course

This course can be attended as a single course.

Course syllabus and organization

Single session

Responsible
Lesson period
Second four month period
Course syllabus
Low‑level attack: Buffer Overflow (Stack‑Based) - Part 1
Low‑level attack: Buffer Overflow (Stack‑Based) - Part 2 (hands-on lab)
Low‑level attack: Heap Overflow on Metadata
Low‑level attack: Use‑After‑Free (UAF)
Low‑level defense: Memory safety and Type safety
Low‑level defense: Canary, ASLR, DEP and Return‑Oriented Programming (ROP)
Low‑level defense: Return‑Oriented Programming (ROP), ROP Gadgets
Low‑level defense: Control Flow Integrity (CFI)
Program Analysis for security purposes
Program Analysis: Fuzzing
Program Analysis: Symbolic Execution
Side Channel Attacks: Meltdown & Spectre
Prerequisites for admission
To get the most out of the course, students are expected to meet the following prerequisites:

- Ability to independently manage a Linux/Windows/macOS system
- Ability to write programs in C
- Familiarity with using an emulator such as QEMU or VMware
- Completion of an introductory course in Security
Teaching methods
- Strong emphasis on practical, hands-on learning: students directly experiment with real low-level vulnerabilities such as buffer overflows, heap overflows, and use-after-free, along with key defense techniques (e.g., memory safety, spatial safety).

- Laboratory exercises: integrated with lectures to allow hands-on application of the studied techniques, including exploit development, debugging, and vulnerability mitigation.

- Study of advanced program analysis techniques, such as symbolic execution and fuzzing, covered from both theoretical and practical perspectives.

- Active participation and regular attendance are recommended, due to the highly practical nature of the course and the central role of lab activities.

- Integrated theoretical and practical approach, ensuring a solid understanding of both foundational concepts and their real-world applications in software protection.
Teaching Resources
- Slides based on the Aleph One paper introducing the concept of buffer overflow

- The Shellcoder's Handbook, a standard reference manual for exploit development and shellcode writing

- Cheat sheets for GDB, Peda, Pwntools, and input handling techniques used in lab sessions

- Repositories dedicated to heap overflow, heap overflow on metadata, and Use‑After‑Free techniques

- Materials on low-level defense mechanisms: memory safety, type safety, and low-fat pointers

- Documentation on protection mechanisms such as canary, ASLR, DEP, ROP, ROP gadgets, and ROP bypass strategies

- Article on Control Flow Integrity (CFI) and a paper discussing how to bypass Intel CET using Counterfeit Object‑oriented Programming

- Introductory content on software testing for security, symbolic execution, and fuzzing

- Papers on fuzzing techniques (including LibAFL) and guides on using tools like KLEE for symbolic execution

- Materials on side-channel attacks, specifically Meltdown & Spectre
Assessment methods and Criteria
The exam consists of two parts:

Lab: involves solving exercises similar to those covered during the course;

Theory: consists of a written or oral test on the course topics.

The final grade will be the average of the two scores.
INF/01 - INFORMATICS - University credits: 6
Lessons: 42 hours
Professor(s)
Reception:
send an email to danilo[dot]bruschi[at]unimi[dot]it
Room 8011, Via Celoria 18