CSE509 Spring 2007. Computer Security

Note: If you would like to do a different class project, feel free to come discuss your project ideas with me.

In this project, you will audit open-source software projects for security bugs. You can complete the project in three ways: finding bugs, writing patches, and writing exploits. The number of bugs you must find depends on the size of your team:

Team Size    Total Points

Each task earns points as follows (you can submit a patch and develop an exploit for the same bug, if you want):

Task               Points
Find bug           1
+ Write patch      1
+ Write exploit    5

Each team member is required to demo one exploit to me at the end of the semester (you may work together to develop the exploits, but each member must demo a separate exploit). Note that simply causing the program to crash from malformed input (which is a denial-of-service attack) is not sufficient to count for your exploit demo, although I will give 1 point (instead of 5) for developing such an attack. You should send bug reports (and possibly patches) to the authors of the programs you audit. Your final report should include copies of all the bug reports you make and, whenever possible, a copy of the email from the authors acknowledging that you found a real, exploitable security bug.

Deadlines are:
Date    Task            Weight of Grade
5/10    Demo exploit    20
5/14    Final report    80
You should email me to make a demo appointment on or before 5/10.

You can use Freshmeat and SourceForge to find projects to audit.

The following code auditing tools may be helpful: