Security Testing

Dear students,

We have published the results of project 2. You can find your results and your passing status on your Personal Status page.

Note: If your results indicate "Legit Submission: 0", we will be in touch with you via e-mail shortly.

Congratulations to all who passed!

Dear all,

[If you had already passed the exam, you can ignore this message].

We have graded the second chance for Test 1. There are two possible results: PASS and FAIL. You can find the results on your Personal Status page as "Second Chance".

If your result is PASS: Congratulations! We do not need any further information.

If your result is FAIL, we have discovered that you have cheated, and you have failed Project 1.

Dear all,

We have uploaded a sample solution for Exercise 12. You can find it in the category Solutions under Information > Material.
You can find your points on your Personal Status page.

We listened to your feedback:

• Points of individual exercises are now displayed.
• We now provide individual feedback on your grading which you can find on your Personal Status or Submissions page.

Dear all,

This is an update to the previous announcement "Test Results".

If you belong to category 2, sign up for a time slot at https://dud-poll.inf.tu-dresden.de/sectest-ws2324-exam1/ but do not use your matriculation number but instead a pseudonym of your choice.

Then, send an e-mail to José and Leon using the following template:

---

Subject: [Security Testing] Pseudonym for Oral Exam
Body:

Pseudonym: <your pseudonym>
Name: <your full name here>

Matriculation number: <your matriculation number here>

---

We have deleted all previously submitted time slots. If you submitted your time slot already, please be sure to submit it again using a pseudonym.

Thanks for your understanding.

Dear all,

We have graded the test. There are two possible outcomes: PASS and FAIL. You can find the results on your Personal Status page.

If your result is PASS: Congratulations! We do not need any additional information from you.

If your result is FAIL, there are two possible reasons for this:

1. You did not attend the test on 24 January.
2. You did attend the test but failed.

If you belong to category 1: You must come to office 2.06 in the main CISPA building (Stuhlsatzenhaus) on Thursday, February 8 at 11:30 for a short oral exam. Allow one hour for this exam, i.e. you will need to stay until 12:30.

If you belong to category 2: You must come to office 2.06 in the main CISPA building (Stuhlsatzenhaus) on Thursday, February 8 between 14:00 and 18:00 for an in-depth oral exam (10 minutes). We ask you to provide your preferred time slot at https://dud-poll.inf.tu-dresden.de/sectest-ws2324-exam1/ until Sunday, February 4, 23:59. Only provide one time slot. If the time slot is already taken by another student, choose a different one. When selecting a time slot, please state your matriculation number in the field "Name".

For both category 1 and category 2: Bring your student ID card and your laptop with your Project 1 submission (alternatively: a print out of your Project 1 submission with line numbers).

Unexcused absences from the oral examination will result in failure of the course.

Dear all,

Today (and only today), you have the chance to evaluate the course. We're looking forward to your feedback!

Please follow this link: https://qualis.uni-saarland.de/eva/?l=147110&p=s0j3d9

Don't delay – fill this out today! Looking forward to see you, and best wishes,

Andreas Zeller

Dear all,

We have uploaded a sample solution for Exercise 11. You can find it in the category Solutions under Information > Material.
You can find your points on your Personal Status page.

We listened to your feedback:

• Points of individual exercises are now displayed.
• We now provide individual feedback on your grading which you can find on your Personal Status or Submissions page.

Dear all,

Dear all,

We have uploaded a sample solution for Exercise 10. You can find it in the category Solutions under Information > Material.
You can find your points on your Personal Status page.

We listened to your feedback:

• Points of individual exercises are now displayed.
• We now provide individual feedback on your grading which you can find on your Personal Status or Submissions page.

Dear students,

We have published the results for project 1. You can find your results and your passing status on your Personal Status page.

We repeated the measurements five times and used the maximum branch coverage achieved by your fuzzer in these five runs for grading, which is in your favor.

Goals:

- Dimension 1: The goal branch coverage is 45%. Reaching at least 45% gives you 5/5 points in this dimension.

- Dimension 2: We introduced 30 bugs into sqlite. If your fuzzer could trigger at least 20 of them, you get 3/3 points.

- Dimension 3: We measured how many syntactically different inputs your fuzzer produces. If your fuzzer could generate at least 1000 syntactically different inputs, you get 2/2 points.

You pass the project if you meet the minimum passing criterion of 30% branch coverage or if you achieved 5/10 points in total.

Happy Fuzzing!

Dear all,

Given several extreme warnings about black ice, tomorrow's in-presence meeting is canceled. The written test on Project 1 will be delayed by one week.

The topic for this week is compiler testing. The chapter is ready for you to study; we will add a short introduction video soon.

Stay safe, everybody -- Andreas Zeller

Dear all,

We have uploaded a sample solution for Exercise 9. You can find it in the category Solutions under Information > Material.
You can find your points on your Personal Status page.

We listened to your feedback:

• Points of individual exercises are now displayed.
• We now provide individual feedback on your grading which you can find on your Personal Status or Submissions page.

Dear all,

as announced in yesterday's lecture, there will be a short (5-10 minutes) written test on Project 1 next week.

The test will take place at the usual location (CISPA Lecture Hall at Stuhlsatzenhaus) during the next lecture (17 January 2024 16:15).

In this test, you will have to answer a couple of simple questions about your implementation, e.g.: "How would you add <insert simple feature here> to your code? Where would you add it?"

The test won't be difficult. The purpose is to make sure that you are the author of your submitted project.

You have to bring the following things:

- Your Student ID Card

- Your Laptop with your Project 1 Code (alternatively: the printout of your Project 1 Code) such that you can look up details in your code.

Dear all,

We have uploaded a sample solution for Exercise 8. You can find it in the category Solutions under Information > Material.
You can find your points on your Personal Status page.

We listened to your feedback:

• Points of individual exercises are now displayed.
• We now provide individual feedback on your grading which you can find on your Personal Status or Submissions page.

Dear all,

We have uploaded a sample solution for Exercise 7. You can find it in the category Solutions under Information > Material.
You can find your points on your Personal Status page.

We listened to your feedback:

• Points of individual exercises are now displayed.
• We now provide individual feedback on your grading which you can find on your Personal Status or Submissions page.

Dear all,

I've uploaded a revision of the Project 1 PDF.

The only change is that we impose a hard execution time limit of **30 minutes** (one core only) on your fuzzer.

From the PDF:

Dear all,

Askbot is the main communication channel for questions and remarks about the exercises and projects of this course. Please check Askbot regularly for any updates. If you post a questions, please make sure to give it an appropriate tag (e.g.: `exercise5-2`) so others can find it.

Thanks!

Leon

Dear all,

We have uploaded a sample solution for Exercise 5. You can find it in the category Solutions under Information > Material.
You can find your points on your Personal Status page.

We listened to your feedback:

• Points of individual exercises are now displayed.
• We now provide individual feedback on your grading which you can find on your Personal Status or Submissions page.

Dear all,

In the coding demo this morning, I was confused by a feature in the Fuzzing Book Coverage class; printing out coverage would put a prefix # before covered lines rather than uncovered ones, as is the standard for coverage tools. This also was used inconsistently in the chapter. Only printing is affected; all other functionality is fine.

I have now changed the code and documentation such that a # always marks uncovered code lines. However, this will only take effect in the next fuzzingbook package (1.2.2). So be aware of the issue when printing out Coverage objects.

Enjoy Python! -- Andreas Zeller

Dear all,

Hi everyone,

In today's lecture, I was puzzled to see that despite specifying a high probability for long numbers...

"<integer>": [("<digit><integer>", opts(prob=0.99)), "<digit>"],

... the fuzzer output would contain only one such long number, with the other <integer>s being single digits.

It turns out that this is on purpose, as the fuzzer limits the expansion length. As soon as the number of nonterminals reaches max_nonterminals, the fuzzer expands the remaining nonterminals with the shortest possible expansion (in our case, <digit>), disregarding all probabilities. You can override this behavior by passing a keyword parameter max_nonterminals to the fuzzer constructor, say max_nonterminals=100. But then you also may get very long expansions, taking some time.

If you want to follow the decisions made by the fuzzer, add log=True as a keyword parameter to the fuzzer constructor, and you'll be able to follow every step.

Enjoy fuzzing – Andreas Zeller

Dear all,

Due to a change of travel on short notice, I will not be able to join the Q&A/lecture this upcoming Wednesday. However:

• For those of you coming for questions and answers, José and Leon, our valiant exercise runners, will be there to answer all your questions. You can ask questions on-site or post them on AskBot.
• For those of you coming to see my live coding, there are nice (and arguably better) videos in the fuzzing book. For the upcoming exercises, please look at Grammar Coverage and Reducing Failure-Inducing Inputs.
• For those of you joining in mainly for the improvisation, check out this compilation of Fuzzing Book bloopers. And yes, I did get a new laptop since. Enjoy!

Hope to see you in person soon again, and keep on fuzzing,

Andreas Zeller

Dear all,

We have released a new fuzzingbook Python package (version 1.2.1). This fixes a nasty bug that would accidentally fix the random seed, making all further random decisions deterministic (i.e., produce the same result every time). This is now fixed.

To update your fuzzingbook package, run

$ pip install --upgrade fuzzingbook

If you want to keep your current fuzzingbook package but work around the bug, insert the following lines after importing from fuzzingbook.

import random
import time
random.seed(time.time())  # make random random again

Thanks a lot to the anonymous student who pointed out the issue!

Best -- Andreas Zeller

Dear all,

Our examination office tells me all UdS students must register for the course in the UdS LSF system by November 30. (LSF course number is 147110). Only if you are registered in LSF on time will you be able to obtain credit points.

(Non-UdS students attending follow a different process and need not register in LSF.)

Don't delay, register today!

Andreas Zeller

Welcome to the "Security Testing" course!

We're currently setting up the infrastructure for the course, and will have a dedicated AskBot and Mattermost chat available for you by next Monday.
Via these channels, you can ask questions about the current exercises, and discuss fuzzing with your fellow students and instructors.

The LSF registration will be open by next week.