Course Description

This course studies the nature of software bugs and security vulnerabilities arising in complex application domains and surveys specialized program analysis + automated testing techniques for identifying such issues proactively. The course will take a tour of various domains such as mobile systems, databases, web browsers, distributed and networked systems, autonomous vehicles, and smart contracts. For each domain, the class will review case studies of high-impact software bugs that have manifested in production and will then discuss state-of-the-art research techniques that aim to uncover such bugs automatically. Apart from the literature review, students will engage significantly with software system design + engineering via hands-on assignments and a semester-long project; these activities will involve working with real-world applications and analysis tools for one or more domains.

Logistics

Spring 2023, 12 units
Class: Tue/Thu 5pm-6:20pm in WEH 3203

Professor Rohan Padhye
Office hours: TBD in TCS 325
Email: rohanpadhye@cmu.edu
Headshot of Professor Rohan Padhye

Should I take this course?

Note: This is not a traditional lecture-based course. Classes will often consist of group discussions and student-led presentations, based on assigned readings of research papers, online articles, or case studies on open-source software.

Learning Objectives

Students completing this course should be able to:

Prerequisites

This course is open to PhD and Masters students interested in software engineering, program analysis, and/or security. The course assumes some background in understanding the source of common software bugs (e.g., buffer overflows) and dealing with program representations (e.g., abstract syntax trees) or automated testing tools (e.g., fuzzing). Any one of the following courses serve as sufficient prerequisites: 18-335/732 (Secure Software Systems), 14-735 (Secure Coding), 17-355/665/819 (Program Analysis), 15-411/611 (Compiler Design), 15-414 (Bug Catching), 15-330/18-330/18-730 (Intro to Computer Security). 14-741/18-631 (Intro to Information Security) may also be sufficient, depending on background or related coursework. If you have taken a course equivalent to any of the listed pre-requisites in a different institution, or if you think you may have the required background based on other experiences (e.g., participating in CTFs or working in industry), please register and contact the instructor via email.

Degree Requirements Fulfilled

Masters: TBD. Contact the instructor to request.

PhD students: TBD. Contact the instructor to request.

Syllabus

Course Topics

Tentatively, the course will cover the following topics and associated readings.

Assessments (Tentative)

40% across two hands-on assignments, 30% final project, 15% pre-class reading responses, 15% in-class participation

Schedule

The following schedule of topics is tentative and will be updated in real time during the semester.

Date Topic Reading/Material Assignments Due Optional Reading
Jan 17
Jan 19
Jan 24
Jan 26
Jan 31
Feb 2
Feb 7
Feb 9
Feb 14
Feb 16
Feb 21
Feb 23
Feb 28
Mar 2
Mar 7 & 9 Spring break; no class
Mar 14
Mar 16
Mar 21
Mar 23
Mar 28
Mar 30
Apr 4
Apr 6
Apr 11
Apr 13 Spring carnival; no class
Apr 18
Apr 20
Apr 25
Apr 27
TBD (May 1--8) Final Presentations Project Reports