Static analyses are used in various situations, from compiler code optimization to security analysis of Android applications. This course provides the concepts and techniques underlying static program analysis. Topics include forward/backward data-flow analysis, inter-procedural analysis, pointer analysis and call graph construction. A particular focus will be given to recent and advanced techniques such as Android bytecode static analysis for security. The course will mix theory and practice. Students will implement simple analyses and complete a course project.

This course accounts for 5 ECTS and is part of the Master in Information and Computer Sciences at the University of Luxembourg.

Summer semesters 2017, 2018 and 2019.

Our lives and our societies rely on computer programs (software). Every day, we use devices running software written in millions of lines of code because it makes our lives easier. However, the complexity and the size of existing software, added to the fact that humans write most of the software, introduce bugs. Some of these bugs, called vulnerabilities, can be exploited by an attacker to compromise a device or leak information. Have you ever wondered how programmers make their code more robust to avoid introducing vulnerabilities? Have you ever wondered how attackers can find vulnerabilities and exploit them to take control of a remote device on the Internet or of your smartphone? Have you ever wondered how attacker can dump an entire database containing personal information about millions of users? In this course, you will learn both how to defend against vulnerabilities and how to exploit vulnerabilities. This course covers memory corruption vulnerabilities such as buffer or heap overflow, type confusion, or use after free. It also covers more high level vulnerabilities such as SQL injection or confused deputy. The course will mix theory and practice. On the offensive side, you will implement simple programs to exploit vulnerabilities. On the defensive side, you will correct vulnerable programs to prevent exploitation but also learn how to use techniques such as fuzzing to find new vulnerabilities.

This course accounts for 5 ECTS and is part of the Master in Information and Computer Sciences at the University of Luxembourg.

Summer semester 2019.