This website is no longer updated.

As of 1 October 2022, the Faculty of Physics was merged into the TUM School of Natural Sciences, whose website is https://www.nat.tum.de/. Further information can be found under "Transition of the previous websites".


Master's Practical Course - Hacking Greybox Fuzzers to Spot Software Vulnerabilities (IN2106, IN4232)

Course 0000004553 in the summer semester 2018

Basic data

Course type: Practical course
Scope: 6 semester hours per week (SWS)
Organising unit: Informatics 4 - Chair of Software & Systems Engineering (Prof. Pretschner)
Lecturers: Head/Coordination: Alexander Pretschner
Dates: Wed, 14:00–15:30, MI 01.11.018
and 2 individual or rescheduled dates

Assignment to modules

Further information

Alongside examinations, courses are building blocks of modules. Please note, therefore, that information on course content and, in particular, on examination and coursework requirements is generally available only at module level (see the section "Assignment to modules" above).

Additional notes: As today’s software grows rapidly in size, so does the possibility of vulnerabilities in it, security or otherwise. Fortunately for security professionals, the automated vulnerability management tools at our disposal have also seen significant progress in the past few decades. However, there is still a long way to go for these tools to catch up with the growing complexity of multi-component software and the tactful crackers in the wild. As of now, we mainly consider two vulnerability discovery techniques: whitebox fuzzing [1] and blackbox fuzzing [2]. Whitebox fuzzing (or symbolic execution) is a powerful way to analyze programs by executing them with “symbolic” values instead of concrete values and exploring as many paths as possible. It is also useful in generating inputs (exploits) that lead to potential vulnerabilities in a program [3]. Blackbox fuzzing is a smart variation of random testing that uses a few manually provided inputs and mutates them to trigger previously unseen behaviour in the program. However, whitebox fuzzing suffers from path-explosion and constraint-solving issues, while blackbox fuzzing is infamous for low coverage because it cannot pass “hard” conditional statements in programs. In this practical course, we will aim to hack popular whitebox and blackbox fuzzers [4, 5, 6], such that we may overcome their individual flaws and spot more vulnerabilities than before. Using our open-source tools (some of them in-house) and systematic instructions, our participant teams will compete to find as many vulnerabilities as possible in as many vulnerable open-source programs as possible.