Program analysis for cybersecurity

Presentation
Teaching
Organisation
Courses concerned

Learning outcomes

At the end of this course, the student will be able to:

Describe and explain the principles of different static program analysis methods.
Describe and explain the principles of different dynamic program analysis methods.
Select an appropriate static program analysis strategy based on the cybersecurity objectives.
Perform a dynamic program analysis by applying an appropriate fuzzing approach.

Goals

The objective of this course is to introduce the student to the main static and dynamic analysis methods in order to identify potential problems related to cybersecurity.

Content

The course aims to introduce the different aspects of static and dynamic analysis for cybersecurity and secure software development. The content includes on the one hand the different types of static analysis: data-flow analysis and abstract interpretation (framework, termination, correction, widening, ...), inter-procedural analysis and control-flow analysis and analysis in the presence of pointers. These types of analysis will be illustrated through two practical applications: API misuse detection and project dependency analysis. On the other hand, the course includes an introduction to dynamic analysis using fuzzing: lexical fuzzing, syntactic fuzzing and semantic fuzzing. Finally, we will see how to implement these different types of analysis within an application development cycle.

Assessment method

The evaluation is based on the completion of a project.

Sources, references and any support material

Nielson, Flemming, Hanne R. Nielson, and Chris Hankin. "Principles of program analysis." Springer Science & Business Media, 2004.
Zeller, Andreas, Rahul Gopinath, Marcel Böhme, Gordon Fraser, and Christian Holler. "The fuzzing book." 2019.
Hejderup, J., Beller, M., Triantafyllou, K. et al. “PRÄZI: from package-based to call-based dependency networks.” Empirical Software Engineering 27, 102 (2022). https://doi.org/10.1007/s10664-021-10071-9
Amann, Sven, Hoan Anh Nguyen, Sarah Nadi, Tien N. Nguyen, and Mira Mezini. "A systematic evaluation of static api-misuse detectors." IEEE Transactions on Software Engineering 45, no. 12 (2018). https://doi.org/10.1109/TSE.2018.2827384

Language of instruction

Anglais

Training	Study programme	Block	Credits
Master 120 en sciences informatiques, à finalité spécialisée en data science	Standard	0	5
Master 120 en sciences informatiques, à finalité spécialisée en software engineering	Standard	0	5
Master 60 en sciences informatiques	Standard	0	5
Master 60 en sciences informatiques	Standard	1	5
Master 120 en sciences informatiques, à finalité spécialisée en data science	Standard	2	5
Master 120 en sciences informatiques, à finalité spécialisée en software engineering	Standard	2	5