This schedule is an estimate. It may be updated based on the actual pacing of the course material.

Date | Topic | Assignment
Week 1
Mon 12 Jan

Overview / Malware Terminology

 [ 
slides: intro, logistics
| screencapture (browser  or download mp4 webm audio ) ]
  • malware, generally
  • course overview, logistics
  • (if time) x86-64 assembly review
Wed 14 Jan

x86 asm

 [ 
slides: asm (pdf)
| screencapture (browser  or download mp4 webm audio ) ]
  • AT&T, Intel syntax
  • official sources for instruction info
  • some x86-64 nits
Fri 16 Jan

x86 asm 2 / executable formats

 [ 
slides: asm (pdf), exec-encoding (pdf)
| screencapture (browser  or download mp4 webm audio ) ]
  • misc ASM things (label(%rip); segmentation)
  • official sources for calling convention info
  • ELF executable format (start)
RE1 released
Week 2
Mon 19 Jan
(no class)
Wed 21 Jan

executable formats / x86-64 encoding

 [ | screencapture (browser  or download mp4 webm audio ) ]
  • ELF executable format (finish)

  • reverse engineering: strings
  • Ghidra as example
  • annotation, tricky cases for disassembly
Quiz week02 (quiz for week 2) released, due 2026-01-26 11:45
Fri 23 Jan

x86-64 encoding / Reverse engineering tools

 [ | screencapture (browser  or download mp4 webm audio ) ]
  • dynamic linking realities
    • procedure linkage table
    • global offset table
  • control flow graphs
  • intermediate representation
  • decompiling

  • x86-64 encoding
RE1 due by 11:59pm
RE2 released
Week 3
Mon 26 Jan

Virus

 [ | screencapture (browser  or download mp4 webm audio ) ]
  • x86-64 encoding (finish)
  • virus example: Vienna
Quiz week02 (quiz for week 2) due 11:45 (released 2026-01-21)
Wed 28 Jan

Virus 2

 [ 
slides: virus (pdf)
| screencapture (browser  or download mp4 webm audio ) ]
  • options for viruses/worms:
  • where to put code
    • appending, replacing
    • “cavities” in executables
    • system files, bootloaders
  • how to get code to run
    • bootloaders
Quiz week03 (quiz for week 3) released, due 2026-02-02 11:45
Fri 30 Jan

Heuristic detection

 [ 
slides: virus (pdf), heur-detect (pdf)
| screencapture (browser  or download mp4 webm audio ) ]
  • how to get code to run
    • replacing jumps, returns
    • dynamic linking information
    • default start-up program
  • whitelisting
  • signatures as regexes
RE2 due by 11:59pm
TRICKY released
Week 4
Mon 02 Feb

Signatures

 [ 
slides: heur-detect (pdf)
| screencapture (browser  or download mp4 webm audio ) ]
  • state machines for pattern matching
  • combining patterns
  • heuristic matching on “weird” executables
Quiz week03 (quiz for week 3) due 11:45 (released 2026-01-28)
Wed 04 Feb

Heuristic/behavioral detection / Anti-signature/analysis techniques

 [ | screencapture (browser  or download mp4 webm audio ) ]
  • behavior monitoring
  • obfuscation techniques to hide flow-control
    • merging/splitting functions
    • Tigress’s flatten pattern
  • “encrypted” code
Quiz week04 (quiz for week 4) released, due 2026-02-09 11:45
Fri 06 Feb

Anti-signature/analysis techniques

 [ 
slides: antianti (pdf), re-tools (pdf)
| screencapture (browser  or download mp4 webm audio ) ]

The first 100 seconds of audio were not recorded in lecture; in the lecture recording linked above, that audio has been rerecorded and spliced together with the video.

You can alternately obtain a recording of just the part that was recorded in lecture: screencapture mp4

  • “encrypted” code and decrypter generators
  • emulation as analysis tool
  • anti-emulation/virtualization techniques
TRICKY due by 11:59pm
LEX released
Week 5
Mon 09 Feb

Anti-signature/analysis techniques

 [ 
slides: antianti (pdf)
| screencapture (browser  or download mp4 webm audio ) ]
  • “mutation engines”
  • anti-debugging techniques (start)
    • code checksumming
Quiz week04 (quiz for week 4) due 11:45 (released 2026-02-04)
Wed 11 Feb

Anti-debugging / Command injection / Taint tracking

 [ | screencapture (browser  or download mp4 webm audio ) ]
  • anti-debugging techniques (finish)
    • emulation-based obfuscation
  • rootkit-style malware

  • review: command injection vulnerabilities
  • taint tracking (start)
Quiz week05 (quiz for week 5) released, due 2026-02-16 11:45
Fri 13 Feb

taint tracking / buffer overflows

 [ | screencapture (browser  or download mp4 webm audio ) ]
  • taint tracking (finish)
  • buffer overflows
LEX due by 11:59pm
OBFUSCATE released
Week 6
Mon 16 Feb

Stack smashing 1: Jump to stack / Shellcode

 [ | screencapture (browser  or download mp4 webm audio ) ]
  • stack smashing pattern
Quiz week05 (quiz for week 5) due 11:45 (released 2026-02-11)
Wed 18 Feb

Stack smashing 2: Shellcode restrictions / Stack Canaries

 [ | screencapture (browser  or download mp4 webm audio ) ]
  • stack smashing pattern (finish)
  • dealing with restrictions on shellcode

  • stack canaries
  • (if time) information disclosure, shadow stacks
Quiz week06 (quiz for week 6) released, due 2026-02-23 11:45
Fri 20 Feb

Pointer subterfuge 1

 [ | screencapture (browser  or download mp4 webm audio ) ]

(Reiss out of town)

  • pointers on the stack
  • “write gadgets”
  • targets for write gadgets
    • global offset table
    • VTables (start)
OBFUSCATE due by 11:59pm
OVER released
Week 7
Mon 23 Feb

Pointer subterfuge 2

 [ | screencapture (browser  or download mp4 webm audio ) ]
  • targets for write gadgets
    • VTables (finish)
      • exercise
  • arc injection
  • ntpd exploit example
  • exercise
Quiz week06 (quiz for week 6) due 11:45 (released 2026-02-18)
Wed 25 Feb

information disclosure / guard pages / write XOR execute

 [ | screencapture (browser  or download mp4 webm audio ) ]
  • information disclosure
  • memory protection, guard pages
  • RELRO
  • write XOR execute
Quiz week07 (quiz for week 7) released, due 2026-03-09 11:45
Fri 27 Feb

More buffer overflow mitigations (ASLR)

 [ 
slides: mitigate-aslr (pdf)
| screencapture (browser  or download mp4 webm audio ) ]
  • ASLR: making addresses hard to predict
    • limits on entropy
    • things that must be kept together
OVER due by 11:59pm
SUBTERFUGE (tentative writeup) released
Week 9
Mon 02 Mar
(no class)
Wed 04 Mar
(no class)
Fri 06 Mar
(no class)
Week 8
Mon 09 Mar

Return-oriented programming 1

 [ 
slides: rop
 ]
  • idea of using gadgets
  • chaining gadgets together
Quiz week07 (quiz for week 7) due 11:45 (released 2026-02-25)
Wed 11 Mar

return-oriented programming 2

 [ 
slides: rop
 ]
  • finding gadgets automatically
  • automatic chain generation
  • gadgets without RET
Quiz week09 (quiz for week 09) released, due 2026-03-16 11:45
Fri 13 Mar

return-oriented programming 3

 [ 
slides: rop
 ]
SUBTERFUGE (tentative writeup) due by 11:59pm
ROP (tentative writeup) released
Week 10
Mon 16 Mar

heap structure exploits / UAF intro

 [ 
slides: overflow-heap, uaf
 ]
  • overflows on the heap (preview)
    • into other objects (sudo example)
    • into heap metadata
  • interlude: use-after-free introduction
Quiz week09 (quiz for week 09) due 11:45 (released 2026-03-11)
Wed 18 Mar

memory-safe languages 1

 [ 
slides: betterpl
 ]

(Reiss out of town)

  • why people like C/C++
  • Rust intro
  • ownership rule
Quiz week10 (quiz for week 10) released, due 2026-03-23 11:45
Fri 20 Mar

memory-safe languages 2

 [ 
slides: betterpl
 ]

(Reiss out of town)

  • Rust borrowing

  • escape hatch in Rust; smart pointers

ROP (tentative writeup) due by 11:59pm
RUST (tentative writeup) released
Week 11
Mon 23 Mar

memory-safe languages 3

 [ 
slides: betterpl
 ]

(Reiss out of town)

  • Rc (reference counting)
  • RefCell (dynamic borrow tracking)
Quiz week10 (quiz for week 10) due 11:45 (released 2026-03-18)
Wed 25 Mar

heap structure exploits / use-after-free

 [ 
slides: overflow-heap, uaf
 ]
  • consistency and the heap
  • pointer subterfuge via heap metadata
  • double-free vulnerabilities
  • use-after-free
    • prevalence
    • using type confusion
Quiz week11 (quiz for week 11) released, due 2026-03-30 11:45
Fri 27 Mar

use-after-free / integer overflow

 [ 
slides: uaf, overflow-int
 ]
  • use-after-free exercises / examples

  • integer overflow

RUST (tentative writeup) due by 11:59pm
UAF (tentative writeup) released
Week 12
Mon 30 Mar

coverage-guided (fuzz-)testing

 [ 
slides: testing
 ]
  • greybox fuzz testing
Quiz week11 (quiz for week 11) due 11:45 (released 2026-03-25)
Wed 01 Apr

symbolic/concolic execution 1

 [ 
slides: symbolic
 ]
  • symbolic execution idea
    • solving equations
  • splitting execution on if statements
  • collecting/solving for constraints
  • automatic overflows
  • optimizing symbolic execution in practice
Quiz week12 (quiz for week 12) released, due 2026-04-06 11:45
Fri 03 Apr

static analysis / sandboxing 0

 [ 
slides: symbolic, static
 ]
  • briefly static analysis — tracking approximations
    • example for use-after-free
    • points-to analysis difficulty
  • sandboxing idea
  • problem of applications doing too much
  • privilege separation intro
UAF (tentative writeup) due by 11:59pm
FUZZ (tentative writeup) released
Week 13
Mon 06 Apr

sandboxing 1

 [ 
slides: sandbox
 ]
  • challenges with selecting system call filters
  • privilege separation cont’d
    • example interface
    • limits on what it does/does not mitigate
Quiz week12 (quiz for week 12) due 11:45 (released 2026-04-01)
Wed 08 Apr

sandboxing 2

 [ 
slides: sandbox
 ]
  • limiting naming — chroot, Linux namespaces

  • sandbox escapes (start)

Quiz week13 (quiz for week 13) released, due 2026-04-13 11:45
Fri 10 Apr

sandboxing 3

 [ 
slides: sandbox
 ]
  • sandbox escapes (finish)
  • whole-application sandboxing
  • usability issues with mobile permissions
  • sandboxing without OS help
FUZZ (tentative writeup) due by 11:59pm
SANDBOX (tentative writeup) released
Week 14
Mon 13 Apr

fast? bounds checking 1

 [ 
slides: bounds
 ]
  • “fat” pointers (pointer has object bounds)
  • baggy bounds checking (lookup object bounds)
Quiz week13 (quiz for week 13) due 11:45 (released 2026-04-08)
Wed 15 Apr

fast? bounds checking 2

 [ 
slides: bounds
 ]
  • baggy bounds checking (cont’d)
  • AddressSanitizer
  • comparing bounds checking
Quiz week14 (quiz for week 14) released, due 2026-04-20 11:45
Fri 17 Apr

control-flow integrity 1

 [ 
slides: cfi
 ]
SANDBOX (tentative writeup) due by 11:59pm
Week 15
Mon 20 Apr

control flow integrity 2

 [ 
slides: cfi, web
 ]
Quiz week14 (quiz for week 14) due 11:45 (released 2026-04-15)
Wed 22 Apr

same-origin policy and XSS mitigation

 [ 
slides: web
 ]
Quiz week15 (quiz for week 15) released, due 2026-04-27 11:45
Fri 24 Apr

same-origin policy and XSS mitigation

 [ 
slides: web
 ]
Week 16
Mon 27 Apr

Exam review

Quiz week15 (quiz for week 15) due 11:45 (released 2026-04-22)
Wed 29 Apr
(no class)
Week 17
Fri 08 May

Final exam

2PM-5PM.

CHALLENGE due by 1:30pm; no late submissions accepted (tentative writeup)