Security Testing

Dear all,

We are constantly striving to provide great courses. But for this, we need your feedback: What did you like? Where can we still improve? So, after today's lecture, please take a moment to fill out this form:

    https://qualis.uni-saarland.de/eva/?l=133523&p=ity7hg

Evaluation is open until Thursday February 3, so don't delay!

Looking forward to hear from you,

Andreas + Marius + Leon

Dear Students,

We have published the results for project 1. You can find your results and your passing status on your Personal Status page.

We have decided to provide only the points because we could lose information for your final grade when grading the project which could result in a worse result for you.

You passed the project with 50 Points. Your fuzzer was evaluated with respect to the coverage on miniircd, its capability to find seeded bugs in miniircd, and how well the fuzzer generalized to two other IRC server implementations measured in the coverage it achieves.

For the grading, we have adjusted the weights for each part as follows:

• 50% Coverage on miniircd.
• 30% Bug finding capability.
• 20% How well your fuzzer generalizes.

Besides, we have dropped the criterium that you need to achieve 50% in each part.

Dear students,

If you submitted your Project 1 for trial evaluation, you can now find the median (across 5 runs) statement coverage percentage that your fuzzer achieved on miniircd on your Personal Status page. Note that a percentage of at least 70% coverage indicates that your fuzzer meets the minimum passing criterium.

Dear Students,

We have published Exercise 7. You can find it under Information > Material. Please read the chapter on Mutation-based Fuzzing and Greybox Fuzzing for this exercise.

The Zip file contains the required files for this exercise. The sheet.pdf contains the tasks you should try to solve.

We ask you to submit your solutions via the CMS on your Personal Status page. You have time until 19. December 23:59 to upload your solutions as a Zip file. Note that we cannot evaluate delayed submissions.

Dear Students,

We will offer a trial evaluation run of Project 1. The purpose is to give you feedback on whether you have already achieved the guaranteed passing criterium for this project by reporting the code coverage your fuzzer achieved on miniircd on our setup.

This is a voluntary offer which does not affect your final grade. You are free to participate or not to participate.

To participate, we ask you to submit your solutions via the CMS on your Personal Status page under “Project 1 Trial Run” until 15. December 23:59. Note that we cannot evaluate delayed submissions.

Dear Students,

We have published exercise 6. You can find it under Information > Material. Please read the chapter on Grammar Mining for this exercise.

The Zip file contains the required files for this exercise. The sheet.pdf contains the tasks you should try to solve.

We ask you to submit your solutions via the CMS on your Personal Status page. You have time until 12. December 23:59 to upload your solutions as a Zip file. Note that we cannot evaluate delayed submissions.

Dear students,

note that the registration period for this course ends tomorrow.

Please make sure to sign up for the lecture by tomorrow at LSF or, if your course of studies is not currently supported by LSF, by contacting your examination office, and sending the completed registration PDF to leon.bettscheider@cispa.de or marius.smytzek@cispa.de with subject line [Security Testing Registration].

Dear Students,

We have published exercise 5. You can find it under Information > Material. Please read the chapter on Code Coverage for this exercise.

The Zip file contains the required files for this exercise. The sheet.pdf contains the tasks you should try to solve.

We ask you to submit your solutions via the CMS on your Personal Status page. You have time until 5. December 23:59 to upload your solutions as a Zip file. Note that we cannot evaluate delayed submissions.

Dear all,

In light of new COVID-related regulations regarding access to CISPA and the general call for reducing physical contacts, our next lectures will be online-only via Zoom.

You can join the lecture every Tuesday at 16:15 using the "Zoom" link in the "Information" menu at top of the course CMS site. Presentations during the lecture will be recorded (and included into the book).

We hope to return to physical lectures as the COVID situation improves. You can do your part by

• getting vaccine and/or booster shots (with your doctor or at one of the Saarland mobile vaccination sites)
• reducing physical contacts
• wearing masks
• maintaining personal hygiene

and encouraging others to do so, too.

Stay safe, stay healthy, and see you on Tuesday.

Andreas Zeller

Dear Students,
We have uploaded a script to validate whether your submission was corrupted by compressing it. You can find it under Information > Material in the category Exercises. Run the script as following:

    $ python3 Submission_Validation_Script.py <path_to_you_submission_as_a_zip_file>

Hi everyone,

We just moved the latest version of The Fuzzing Book out of beta. So, from now on, to read the book, you can directly go to

    www.fuzzingbook.org

We will continuously update chapters with videos, quizzes, and more before giving them out as reading assignments.

To install the code package, you can now simply use

    pip install fuzzingbook

to obtain version 1.0 (with support for and requiring Python 3.9).

This is the same code as already contained in the previous 1.0rc2 package, so if you already installed that one, there's nothing you need to do. Still, please let us know if you encounter any problems.

Keep up the good work -- your friendly course instructors

Dear Students,

There was a mistake in exercise 0-3b. The code for this exercise should be:

The new uploaded revision of the exercise fixes this problem.

Dear Students,

We have published the first exercise (0). You can find it under Information > Material in the category exercises.

The Zip file compresses the required files for this exercise. The sheet.pdf contains the tasks you should try to solve.

We ask you to submit your solutions via the CMS on your Personal Status page. You have time until 31. October 24:00 to upload your solutions as a Zip file. Note that we cannot evaluate delayed submissions.

Dear all,

Thanks for attending today's lecture! This was our first hybrid lecture, and given all the things that could have gone wrong, we feel it went rather well :-) For those of you who could not attend, we have recorded the part with all the important announcements and questions:

• https://youtu.be/4euWi0Snopw

We also have started adding videos to the chapters assigned to you for reading (this week: Introduction to Testing). As of now, you will find all chapters with videos on

• https://beta.fuzzingbook.org

which is the site we use for testing before things get moved to the "official" site at www.fuzzingbook.org. In a week from now, our tests for fuzzingbook 1.0 will be complete and from then on, both sites should be synchronized.

Our first exercise sheet will go out by tomorrow, letting you get acquainted with Python and Jupyter.

Enjoy the read!

Andreas

Dear students,

welcome back on campus. Lectures and courses can be held again in presence. But whoever participates in such an event at the university must provide the 3G verification, which means either complete vaccination, recovery or a negative test (twice a week). Therefore, we ask you to read the following information carefully, because an official control can be expected at any time.

The 3G verification is done by using and truthfully stating it in the Staysio-App  . If you are unable to enroll yourself via smartphone, use this web form: 

[https://www.uni-saarland.de/fileadmin/upload/page/coronavirus/Alternativformular-Staysio.pdf]

It can be filled out and printed online beforehand and must be submitted to the instructor(s) prior to the event. It will then be kept for four weeks in accordance with our data protection declaration and then destroyed.

If you have a smartphone but cannot download the app

If you are unable to download the Staysio App, in particular due to a foreign account in the Playstore or Appstore, you can also use this web application: https://www.staysio.de/#/visitor

1.       Scan the posted QR code with a QR reader app that you have installed on your cell phone With modern devices, this function is often integrated directly into the camera. Open the linked website that is displayed to you

2.       In the opened page you are asked if you want to install the app or continue to the web registration. If you choose the web registration, you will be redirected to the registration form.

3.       Create your contact details and those of your accompanying person(s) once. The created contacts will be saved on your smartphone for future visits

4.       If all persons are registered, you can register all of them with the corresponding button. The logout is automatically performed overnight.

 Please constantly check the official information on the website of Saarland University

https://www.uni-saarland.de/en/division/ls/informationen-zum-semesterbetrieb/winter-semester-2021-22.html

All the best,

The CS Department

Welcome to the "Security Testing" course! We very much look forward meeting you every Tuesday at 16:15 – either

• in person (CISPA Stuhlsatzenhaus, lecture hall 0.05 – preferred), or
• via Zoom (log in to https://cms.cispa.saarland/fuzzing2122/ and follow Information→Zoom in the top-level menu)

In this first meeting (and we hope that many of you will join us in person!), we are going to introduce you to the organization of the course, and happily take and address all your questions. Note that the discussion meetings will not be recorded.

Here are some first steps for you to get started for the course:

1. Check out the book: Go to The Fuzzing Book (beta version) and check out the first chapter "Introduction to Software Testing". We will update all chapters with introduction videos in the next days, so you can read and watch :-)
2. Toy with the code: From any chapter, select "Resources → Edit as Notebook" in the top menu, and enter a Jupyter Notebook where you can interact with the code as you like.
3. Get the program code: Follow the instructions on how to install the code and get started with Python. However, instead of "pip install fuzzingbook", however, please use
       $ pip install --extra-index-url https://test.pypi.org/simple/ fuzzingbook==1.0rc2
   and you should get an all-new FuzzingBook 1.0 package that auto-installs all dependencies and is updated for Python 3.9.
   (We will release this package into the official pip channel in a week from now, so "pip install fuzzingbook" will get you the same as the above)

If you need help, we offer a Mattermost channel where you can find chat rooms for all sorts of questions regarding the course, exercises, and projects.

• Log in to https://cms.cispa.saarland/fuzzing2122/ and follow Information→Mattermost in the top-level menu.
• To join, log in to https://cms.cispa.saarland/fuzzing2122/ and check Information→Materials for an invite link.

And of course, there always is the course page with all news and links:

• Look at the course page: https://cms.cispa.saarland/fuzzing2122/

Looking forward to work with you, and see you soon!

Andreas + Leon + Marius