CS 491: Software Vulnerability Analysis — Fall 2016

Instructor: Professor Stephen Checkoway sfc@uic.edu
Lectures: Tuesday and Thursday. 15:30–16:45 in Lincoln Hall 312
Office Hours: Tuesday. 14:00–15:00 in SEO 1236

Course Description, Goals, and Objectives

This course will cover software vulnerabilities, exploitation techniques, and mitigation measures. It is designed as a projects-based course where you will get hands-on experience finding vulnerabilities and writing exploits.

By the end of the course, you will have a working knowledge of how to find vulnerabilities in software by reading source code as well as reverse engineering binaries. You will learn to use tools like gdb to assist in exploit development.


Students are expected to enter this course with a basic knowledge of operating systems, data structures, and programming in C and (very basic) C++. Some knowledge of assembly and compilers will be helpful, but the relevant information will be covered in the course or in provided references.

Programming Projects

The programming projects are meant as a way to get hands-on experience exploiting software vulnerabilities. You will find that there is quite a difference between conceptually understanding how to exploit a given vulnerability and actually producing a working exploit.

The programming projects are designed to be done in groups of 2. (Working alone is allowed, but discouraged.) Each project will have both programming and writing components. Both group members are expected to participate fully in both the programming and writing.

You are encouraged to work with different people on each project, but group forming is completely up to you. If you’re having trouble finding a group, I suggest you use the Piazza forum to find one.

Course Materials

Required Texts

There are no required textbooks.


Here are some resources you may find helpful while working on the projects.

Course Policies

Attendance Policy

Class attendance is not mandatory; however, research indicates that students who attend class are more likely to be successful. You are strongly encouraged to attend every class. Lectures are not recorded and there are no slides. If you are unable to attend class, you should consider asking a classmate to take notes for you.

Missed or Late Work Policy

Projects are due by 23:59 on the day specified on each project page. You have 3 late days that you can use throughout the semester. Each day that a project is late decreases the number of late days you and your partner have left. If you run out of late days, projects turned in late will receive a score of 0. There will be no exceptions to this policy without prior approval from Prof. Checkoway.

Electronic Communication Policy

All electronic communication with course staff should take place on Piazza unless emails are specifically requested by the staff. Course staff may, from time to time, respond to emails, but a response to one email does not guarantee a response to a second. Use Piazza!

Collaboration Policy

You are allowed, and encouraged, to work in groups of size two on all projects. You are free to have different groups for different projects. You are not allowed to work with anyone outside your group. Doing so is academic misconduct.

Academic Integrity Policy

As an academic community, UIC is committed to providing an environment in which research, learning, and scholarship can flourish and in which all endeavors are guided by academic and professional integrity. All members of the campus community–students, staff, faculty, and administrators–share the responsibility of insuring that these standards are upheld so that such an environment exists. Instances of academic misconduct by students will be handled pursuant to the Student Disciplinary Policy.

The following are examples of academic misconduct.

Religious Holidays

As class attendance is not mandatory, students who must miss class due to religious holidays can do so without informing course staff. If a religious holiday will prevent a student from turning in an assignment before its due date, they must notify the faculty member by the tenth day of the semester or five days before the due date, whichever is earlier. The faculty member shall make every reasonable effort to accommodate the student. If the student feels aggrieved, he/she may request remedy through the campus grievance procedure.

Academic Deadlines

See the academic calendar.


Your course grade will be determined entirely projects. There are no exams or other assignments.

Grievance Procedures

UIC is committed to the most fundamental principles of academic freedom, equality of opportunity, and human dignity involving students and employees. Freedom from discrimination is a foundation for all decision making at UIC. Students are encouraged to study the University’s Nondiscrimination Statement. Students are also urged to read the document Public Formal Grievance Procedures. Information on these policies and procedures is available on the University web pages of the Office of Access and Equality.

Course Evaluations

Because student ratings of instructors and courses provide very important feedback to instructors and are also used by administrators in evaluating instructors, it is extremely important for students to complete confidential course evaluations online known as the Campus Program for Student Evaluation of Teaching evaluation. You will receive an email from the Office of Faculty Affairs inviting you to complete your course evaluations and will receive an email confirmation when you have completed each one.

For more information, please refer to the UIC Course Evaluation Handbook.

Results for the “six core questions” will be published on the UIC course evaluation website.