Overview

Security issues in modern systems (blockchains, datacenters, deep learning, etc.) result in billions of losses due to hacks and system downtime. This course introduces fundamental techniques (ranging from automated analysis, machine learning, synthesis, zero-knowledge and their combinations) that can be applied in practice so to build more secure and reliable modern systems. All of these techniques are heavily used in practice and form the basis of some of the most the advanced analysis engines built by successful ETH spin-offs (ChainSecurity (acquired by PwC) and DeepCode (acquired by Snyk, a billion dollar security company), as well as other world-class systems.

Objectives

  1. Understand the fundamental techniques used to create modern security and reliability analysis engines that are used worldwide.
  2. Understand how symbolic techniques are combined with machine learning (e.g., deep learning, reinforcement learning) so to create new kinds of learning-based analyzers
  3. Understand how to quantify and fix security and reliability issues in modern deep learning models.
  4. Understand open research questions from both theoretical and practical perspectives.

Part I: Fundamentals of Automated Security Analysis with Applications to Smart Contracts

  • We will introduce fundamental analysis methods: fuzzing (including combinations with reinforcement learning), symbolic execution, predication abstraction, and Datalog.
  • We will show how these methods can be used to build some of the most popular, state-of-the-art automated security analysis and verification systems for blockchain smart contracts (e.g., Securify, VerX).

Part II: Security and Reliability of Datacenter and Network Programs

  • We will show how to ensure that datacenters and ISPs are secured using declarative reasoning methods (e.g., Datalog) as introduced in Part I.
  • We will also show how to automatically synthesize secure configurations (e.g. using SyNET and NetComplete) which lead to desirable behaviors, thus automating the job of the network operator and avoiding critical errors.

Part III: Machine Learning for Automated Security Analysis and Repair

  • We will illustrate how to automatically learn interpretable models expressed in Datalog from billions of lines of code and fixes to this code, which form the basis of new kinds of security analyzers.
  • We will study how to automatically learn to identify security vulnerabilities related to the handling of untrusted inputs (cross-Site scripting, SQL injection, path traversal, remote code execution) from large codebases.
  • We will also cover how to use machine learning models in order to automatically repair software errors (essentially a step towards the machine writing code).

Part IV: Security and Reliability of Deep Learning Models

  • We will study (black box) methods to quantify the robustness of large scale deep learning models.
  • We will study methods to patch and fix deep learning models.
  • We will study methods to monitor the online behavior of deep learning models.

Course Project

The course involve a hands-on programming project where the methods studied in the class will be applied. You can work on the project in a group consisting of at most 2 students. Registration is closed.

The description of the course project can be found here.

Deadlines:
Group registration6PM CEST, March 28, 2021
Project announcement6PM CEST, March 30, 2021
Preliminary deadline (optional)6PM CEST, May 16, 2021
Preliminary feedback 6PM CEST, May 23, 2021
Final deadline6PM CEST, June 6, 2021

Lectures

Use your NETHZ account to access the slides.

No. DateContentSlidesExercisesSolutions Recording
1Feb 23Introduction PDF No Exercise  
2Mar 2Datalog and static analysis PDF PDF PDF PDF
3Mar 9Fuzzing PDF PDF PDF
4Mar 16Linear Temporal Logic PDF PDF PDF
5Mar 23Safety verification PDF No Exercise  
6Mar 30Zkay PDF PDF PDF PDF PDF
7Apr 13Network analysis PDF PDF PDF PDF
8Apr 20Network synthesis PDF PDF PDF PDF
9Apr 27Datalog at DeepCode PDF No Exercise  
10May 4Machine Learning for Program Analysis PDF No Exercise  
11May 11Machine Learning for Bug Detection & Fix PDF No Exercise  
12May 18Black-Box Model Robustness PDF PDF PDF
13May 25Blind Spots and Model Patching PDF PDF ZIP PDF

Past exams

The exam from last year is available here.