CS 69.19/269

Basics of Cyber Exploitation

John Berry, Sergey Bratus, Winter 2025

Syllabus

Preliminary syllabus

The class is currently scheduled for the 3B slot.

TAs

TBD

Office hours: TBD

What this class is about

There is one undeniable fact about computing systems we build today: no matter how hard we try, they cast a long shadow of unintended, unexpected, yet reproducible behaviors. The practice of finding out and programming these behaviors is called exploitation. We will study the patterns and principles of this practice.

Cyber exploitation is an essential discipline for studying what any given system really is and does, as opposed to what people believe it does, and how it can be programmed in unexpected ways. Initially thought to be a mere mix of clever and not-so-clever tricks that second-guessed programmer mistakes, cyber exploitation evolved into a discipline of its own. We will cover its founding examples.

Class materials

Lecture notes, examples, and assignments will be posted here. We will be using the pwn.college platform and some additional local hardware.

Historic inspirations

Once upon a time, there was a series of puzzles for aspiring hackers looking to understand memory corruption in C programs that ran the Internet at that time (and largely still do). This series was exquisitely crafted by Gerardo Richarte (gera), a legendary researcher whose ideas, described in short posts to the Bugtraq mailing list, had a way of being rediscovered by academics 7–10 years later, in full-length papers.

These exercises were known as ABOs, Advanced Buffer Overflows. They now live at https://github.com/gerasdf/InsecureProgramming.