Overview

Security issues in modern systems (blockchains, datacenters, deep learning, etc.) result in billions of losses due to hacks and system downtime. This course introduces fundamental techniques (ranging over automated analysis, machine learning, synthesis, zero-knowledge, differential privacy, and their combinations) that can be applied in practice so to build more secure and reliable modern systems. All of these techniques are heavily used in practice and form the basis of some of the most the advanced analysis engines built by successful ETH spin-offs (ChainSecurity (acquired by PwC) and DeepCode (acquired by Snyk, a billion dollar security company), as well as other world-class systems.

Objectives

  1. Understand the fundamental techniques used to create modern security and reliability analysis engines that are used worldwide.
  2. Understand how symbolic techniques are combined with machine learning (e.g., deep learning, reinforcement learning) so to create new kinds of learning-based analyzers
  3. Understand how to quantify and fix security and reliability issues in modern deep learning models.
  4. Understand open research questions from both theoretical and practical perspectives.

Part I: Fundamentals of Automated Security Analysis with Applications to Smart Contracts

  • We will introduce fundamental analysis methods: fuzzing (including combinations with reinforcement learning), symbolic execution, predication abstraction, and Datalog.
  • We will show how these methods can be used to build some of the most popular, state-of-the-art automated security analysis and verification systems for blockchain smart contracts (e.g., Securify, VerX).

Part II: Security and Reliability of Datacenter and Network Programs

  • We will show how to ensure that datacenters and ISPs are secured using declarative reasoning methods (e.g., Datalog) as introduced in Part I.
  • We will also show how to automatically synthesize secure configurations (e.g. using SyNET and NetComplete) which lead to desirable behaviors, thus automating the job of the network operator and avoiding critical errors.

Part III: Machine Learning for Automated Security Analysis and Repair

  • We will illustrate how to automatically learn interpretable models expressed in Datalog from billions of lines of code and fixes to this code, which form the basis of new kinds of security analyzers.
  • We will study how to automatically learn to identify security vulnerabilities related to the handling of untrusted inputs (cross-Site scripting, SQL injection, path traversal, remote code execution) from large codebases.
  • We will also cover how to use machine learning models in order to automatically repair software errors (essentially a step towards the machine writing code).

Part IV: Security and Reliability of Machine Learning Models

  • We will introduce differential privacy, and systematic ways to find violations of differential privacy.
  • We will study (black box) methods to quantify the robustness of large scale deep learning models.

Course Project

The course involve a hands-on programming project where the methods studied in the class will be applied. You can work on the project in a group consisting of at most 2 students. If you do not have a teammate, you can choose to work alone or be matched with another student. The registration was closed.

Project description: PDF. Recording of the project announcement session: .

Deadlines:
Group registration6PM CEST, March 29, 2022
Project announcement6PM CEST, March 31, 2022
Preliminary deadline (optional)6PM CEST, May 9, 2022
Preliminary feedback 6PM CEST, May 13, 2022
Final deadline6PM CEST, June 10, 2022

Lectures

Use your NETHZ account to access the slides. The password to access the recordings is sent in a separate email.

No. DateContentSlidesExercisesSolutions Recording
1Feb 24Course Introduction: Topics and Organization PDF No Exercise  
2Mar 3Datalog and Static Analysis PDF PDF PDF
3Mar 10Fuzzing PDF PDF PDF
4Mar 17Linear Temporal Logic PDF PDF PDF
5Mar 24Safety Verification PDF Course project
6Mar 31Zero-knowledge Proofs PDF PDF PDF PDF PDF
7Apr 7Network Analysis PDF PDF PDF
8Apr 14Network Synthesis PDF PDF PDF PDF
9Apr 28Datalog at DeepCode PDF No Exercise
10May 5Differential Privacy PDF PDF PDF
11May 12Testing for Differential Privacy PDF PDF ZIP PDF ZIP
12May 19Black Box Attacks PDF PDF PDF

Past exams

A previously held exam is available here.