CMPS 4510 Vulnerability Analysis
Sections 1 and 2 - Fall 2018

Instructor and Contact Information
Instructor: Dr. Melissa Danforth
Office: Sci III 319, 654-3180
Office Hours: M-F 11:45am-12:45pm MTuThF Noon to 1:15pm and by appointment (updated 26 Sep 2018)
Email: or

Moodle website: (Note: This is at Moodle3 on Odin, not Moodle on Sleipnir)

Course meets MW 4:00-5:15pm (lecture) in Sci III 313 and F 4:00-6:30pm (lab) in Sci III 311
(Lecture room changed on 24 Sep 2018)

Catalog Description
Identification and quantification of security weaknesses in programs, systems and networks. Topics include professional ethics, static binary analysis, dynamic binary analysis, anti-analysis techniques, risk assessment, penetration testing, vulnerability classification and mitigation techniques. Prerequisite: CMPS 2240/224 and CMPS 3500/350

Prerequisites by Topic
Knowledge of assembly language
Knowledge of programming languages in C/C++ family
Understanding of computer language translation from source code to binary

Units and Contact Time
4 semester units. 3 units lecture (150 minutes), 1 unit lab (150 minutes).

Class Expectations
As a 4000-level elective course, students are expected to engage in independent learning in this course through reading assignments, case studies, and a group project. Critical thinking, independent evaluation, and troubleshooting are important traits for the cybersecurity profession.

Lectures after the third week will assume that you have completed the reading assignments and will focus on exploring examples and scenarios, including more modern examples and scenarios, related to the topics of the week. Case studies will also analyze more modern examples of vulnerabilities and will be discussed in lectures after the due date.

Plan to spend an average of 8-12 hours outside of class each week on this course. More time may be required in some weeks.

Selected elective for CS

Required Textbook
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Mark Dowd, John McDonald, Justin Schuh. Addison-Wesley, 2007, ISBN-13: 978-0-321-44442-4.

Recommended Textbook and Other Supplemental Materials
Computer Security: Art and Science. Matt Bishop. Addison-Wesley, 2002, ISBN-13: 978-0201440997.
(Note: There is an abridged version of the book available that is titled "Introduction to Computer Security" by Matt Bishop)

Supporting articles and current events relating to the course will be posted on the Moodle site.

Melissa Danforth

Student Learning Outcomes
This course covers the following ACM/IEEE CS2013 (Computer Science) Body of Knowledge student learning outcomes:

ABET Outcome Coverage
The course maps to the following student learning outcomes for Computer Science (CAC/ABET):
An ability to analyze a complex computing problem and to apply principles of computing and other relevant disciplines to identify solutions.
An ability to recognize professional responsibilities and make informed judgements in computing practice based on legal and ethical principles.

Lecture Topics and Rough Schedule (Updated on 28 Sep 2018 to match Moodle)
1Chapter 1 Professional ethics, Classic security goals (confidentiality, integrity, etc.), Threats and threat exposure, Vulnerability categories, Audit overview
1 and 2Chapter 2 Design reviews, Fundamental design flaws, Threat modeling
2 and 3Chapter 3 Operational review, Attack surfaces, Hardening
4 and 5Chapter 4 Review/Audit process, Audit strategies
5 to 7Chapter 5 Memory corruption: buffer overflows, heap overflows, global and static data, shellcode, protection mechanisms
8 to 10Chapter 6 C/C++ language issues, Expression evaluation, Type conversions, Common mistakes
11 to 13Chapter 8 String handling issues, String encodings, Metacharacter handling and injection issues, String functions, Hex encoding
13 and 14Chapter 7 Auditing techniques for source code and binary analysis
15Not in book Hardware vulnerabilities (Spectre, Meltdown, etc.)
15 and 16n/a Project presentations on last lab day and on last day of class

Specific reading assignments for each week will be posted to the Moodle site.

Students are responsible for their own attendance. The topics covered in lecture will be listed on the course website. Lab attendance is not required but is strongly encouraged. If you attend lab and finish your lab work before leaving, you can get it "instantly" graded by coming up and showing me your work.

Civility During Discussions
Over the course of the term, there will be classroom discussions on contentious issues in cybersecurity, such as discussing various approaches to disclosing vulnerabilities. Opinions will differ, sometimes drastically, during these discussions, hence why they are matters of debate within the cybersecurity field. Students are expected to be civil to, and respectful of, one another during these discussions.

Academic Integrity Policy
You may discuss the assignments with others in the class. If the assignment is a group assignment, the group can turn in one assignment for the entire group. If the assignment is an individual assignment, each student must turn in their own work in their own words; no direct copying from any source is allowed. Refer to the Academic Integrity policy in the campus catalog and class schedule for more details. You can also refer to the Academic Integrity policy at the Office of Student Rights and Responsibilities at

Academic Accomodations
To request academic accomodations, please contact the Office of Services for Students with Disabilities (SSD) and bring an accomodations letter from the SSD Office to my office hours or to me after class. Policies from the SSD Office relating to accomodations, such as scheduling policies for using their testng center, must also be followed. For more information about the services and policies of the SSD Office, visit their office to speak with their staff and/or visit their website at

Computer Labs Outside of Class
The CEE/CS Tutoring Center in Sci III 324 is available for use by students in this course outside of class time on a first come, first serve basis. Tutoring is NOT provided for this course, but you can use the computers in the lab if one is available. Priority in the lab is given to students who are completing assignments for CEE/CS courses. See the schedule on the door for hours the lab will be open.

There are also computers available in the CEE/CS Major Study Lounge in Sci III 341 (formerly the CEE/CS Library). This room is only open when faculty members are on campus, e.g. approximately 8am to 5pm on weekdays. If the door is currently locked, see Steve, Erika, myself, or another faculty member to unlock it.

Labs/Homework/Quizzes 35%
Midterm 20%
Project 25%
Final 20%

Grades are posted on Moodle. Note: Moodle does not penalize your grade for any ungraded assignments, so it will show your "current" overall percentage based off the classwork graded to-date.

It is your responsibility to check Moodle for grades and any comments on assignments. If you believe you submitted your assignment on time but the comment field says "assignment not received", contact me.

Lab assignments will be posted on the course website. The labs are due at at 11:55pm on the following Thursday. Partial credit will be given for incomplete labs. Late labs will not be accepted.

You may work on labs in groups of up to 3 students. If you work in a group, only one student needs to submit the assignment, but make sure to put everyone's names on the assignment each week. Only the students whose names are on the assignment will get credit for the lab. If you are in a group but are not the one submitting the assignment to Moodle, you may put a comment in Moodle's Note field indicating who did submit the assignment for your group.

If you attend the lab session on Friday and finish the lab by the end of the session, come show your work to me after you have submitted it to Moodle to get "instantly" graded on Moodle. Make sure to submit it to Moodle first so I have record of your group's work for the lab.

If you do not attend the lab, submit your work to Moodle and I will grade it during my next grading session. Do NOT email your submission as the campus spam system sometimes silently blocks emails.

Homework assignments and due dates will be posted on the course website. Partial credit will be given for incomplete homework submissions. Since we will be discussing many of the homework assignments in class after the due date, late homework submissions will not be accepted.

Assignments must be turned in via the Moodle website. Do NOT email your submission as the campus spam system sometimes silently blocks emails.

Homeworks may be discussed with others in the class, but every student must turn in their own assignments in their own words. Copying from other students, the Internet, previous solutions, the textbook, etc. are all considered violations of the Academic Integrity Policy.

For the case study homework assignments in particular, I expect students to express the concepts in their own words and perform their own analysis of the provided articles. Case studies are a vital part of this course to give more recent information about vulnerabilities and to grade your ability to learn from, and analyze, technical articles. If you are having any difficulty the case studies, or if you would like to discuss the case studies in more depth, please see me during office hours.

Quizzes are on the reading assignments from the textbook. Quizzes will be posted on Moodle and must be completed by the date indicated. Moodle will automatically grade the quiz when it is submitted, although it will hide detailed information until after the quiz closes.

Moodle Submission Guidelines
Submissions must be in LibreOffice/OpenOffice (ODT), DOC, PNG, JPEG, GIF, or PDF format. DOCX files will not be accepted since they do not display properly on Linux. TXT and RTF files have had issues being uploaded to Moodle by students in the past, so I would recommend avoiding those formats.

You may also write your answers in the Moodle Notes section if you can adequately answer them in Moodle's text box. Note that the Moodle text box does not handle metacharacters like < or &. Rather than using those characters, spell it out, e.g. "less-than", "lt", "and", etc. If you have a large number of these characters, it is safer to upload a file rather than use the Moodle text box.

Moodle records the last time you edit the Notes field or upload a file as the submission time for the assignment. You do not need to hit the "Submit for Grading" button for me to see your work.

If you have drawn something out by hand, take a picture or use a scanner and upload the image to Moodle. Please keep the file sizes reasonable, but also make sure the image is legible.

If you submit multiple files, please name them in a fashion that indicates what they contain, e.g. hw1_q2_drawing.jpg, hw2_part1.pdf, hw2_part2.pdf, and so on.

If you have any difficulties submitting to Moodle, contact me or Steve Garcia for help. Emailed submissions are not guaranteed to be accepted since my email volume is so high and the spam detection software can silently drop emails.

All students will be required to complete a source code auditing project as part of this course. Students may work on teams of up to 4 students for the project. Teams will choose a portion of an open-source project to audit.

I strongly suggest choosing an open-source project that is written in C or C++, as that is the family of source code vulnerabilities which we will learn about in this course. Choosing another programming language will mean having to learn about their common coding problems and interpretter/compiler issues on your own, which will make the project much harder.

Each project must have a proposal which lists the nature of the project (e.g. the open-source project selected and which file(s) the team will be auditing), the team members, any previous work any team member has done on the project, and a brief list of tools that will be needed for the project. The proposal will count for a portion of the Project grade.

At the end of the term, each team will be required to prepare a presentation about their project. Project presentations will happen on the last lab day (and last lecture day if needed). A Moodle poll will be set up for teams to select a presentation time slot. The presentation will count for a portion of the Project grade.

A project writeup will also be required at the end of the term. Requirements for the writeup will be posted on Moodle and discussed in class. The writeup will count for the a portion of the Project grade.

All team members will also need to complete a teamwork assessment form. The blank form and an example form will be posted on Moodle. This will count for the remaining portion of the Project grade.

The rubrics used to assess the end-of-term presentation and project writeup will be posted on Moodle.

The midterm will be given on Friday October 19, 2018 during the lab time period.

Monday December 17, 2018 from 2:00-4:30pm in Sci III 311 (NOTE: This is earlier than the class normally meets on Monday so plan accordingly)

If you cannot make the scheduled final time because it conflicts with another final or you have more than two finals scheduled that day, arrange an alternate time with me at least ONE WEEK in advance of the above date.

Prepared By
Melissa Danforth on 27 August 2018

Approval of Course Outline
Approved by CEE/CS Department in Spring 2014
Effective Fall 2016