Program analysis for cybersecurity [INFOM227]

Learning outcomes

At the end of this course, the student will be able to:

•     Describe and explain the principles of different static program analysis methods.
•     Describe and explain the principles of different dynamic program analysis methods.
•     Select an appropriate static program analysis strategy based on the cybersecurity objectives.
•     Perform a dynamic program analysis by applying an appropriate fuzzing approach.

Objectives

The objective of this course is to introduce the student to the main static and dynamic analysis methods in order to identify potential problems related to cybersecurity.

Content

The course aims to introduce the different aspects of static and dynamic analysis for cybersecurity and secure software development. The content includes on the one hand the different types of static analysis: data-flow analysis and abstract interpretation (framework, termination, correction, widening, ...), inter-procedural analysis and control-flow analysis and analysis in the presence of pointers. These types of analysis will be illustrated through two practical applications: API misuse detection and project dependency analysis. On the other hand, the course includes an introduction to dynamic analysis using fuzzing: lexical fuzzing, syntactic fuzzing and semantic fuzzing. Finally, we will see how to implement these different types of analysis within an application development cycle.