Syllabus - CSE 466 "System Security" Fall 2025

Course Info

Course Numbers: CSE 466 (75180 and 75181)
Meeting Times: Tuesday, 4:30pm--5:45pm (BYAC270)
Meeting Times: Thursday, 4:30pm--5:45pm (BYAC270)
Course Discord: Join the pwn.college discord

Instructors

Instructor: Robert Wasinger
Discord Handle: robwaz
Email: rwasinger@asu.edu

Instructor: Michael Tompkins
Discord Handle: frqmod
Email: mctompk1@asu.edu

Instructor: Tiffany Bao
Discord Handle: tiffanyb
Email: tbao@asu.edu

TAs

Name: Sam Zhu
Discord Handle: sjzhu

Name: Zack Smith
Discord Handle: donkey

Name: Ahmad Samara
Discord Handle: sammy177

Course Description

This course will explore a number of ways that the security of computer systems can fail. Security is a complicated thing: it is only as strong as its weakest link, and a small, single mistake can often bring down otherwise extremely secure software. Taking the intuition that, to build secure systems in the future, one must understand how security can break, we will cover a number of different failure modes of computer systems, including application security and operating system security. Each lecture will consist of an introduction to a new topic, examples of real-world effects of security failures related to the topic, and an assignment for students to explore these concepts.

These assignments will be very thorough, and by the end, students will have an intuitive understanding of how to exploit these vulnerabilities, and will have the building blocks needed to prevent them, both in the lab and in the real world.

This course will feature a flipped-classroom model. Lectures are pre-recorded and class time is intended to be spent expanding upon the pre-recorded lecture content with live demonstrations focusing on answering conceptual questions surrounding the current module.

Recommended Textbook

There is no recommended textbook for this course. Any reading material assigned will be from publicly-available sources on the internet.

Prerequisites

This course will be EXTREMELY challenging, and students are expected to learn some of the necessary technologies on their own time.

This course requires a good understanding of low-level computer architecture (for example, students should understand x86 assembly) and low-level programming languages (specifically, C), and good command of a high-level programming language (specifically, Python). You should have a very good background in operating systems (especially Linux or UNIX variants). If you do not have these skills, or do not plan on acquiring them very early in the course, you will have a hard time. A good approximation of the type of material that you will be faced with is the first six levels of the Vortex wargame.

Schedule

The listing below is the tentative module progression of the course.

Module 1: Program Security

Dates
Start Tuesday August 21, 2025 @ 18:00
Checkpoint   Sunday August 31, 2025 @ 23:59
Due Sunday September 7, 2025 @ 23:59

Module 2: Advanced Reverse Engineering

Dates
Start Friday August 29, 2025 @ 18:00
Checkpoint   Sunday September 7, 2025 @ 23:59
Due Sunday September 14, 2025 @ 23:59

Module 3: Return Oriented Programming

Dates
Start Friday September 12, 2025 @ 18:00
Checkpoint   Sunday September 21, 2025 @ 23:59
Due Sunday September 28, 2025 @ 23:59

Module 4: Dynamic Allocator Misuse

Dates
Start Friday September 26, 2025 @ 18:00
Checkpoint   Sunday October 5, 2025 @ 23:59
Due Sunday October 12, 2025 @ 23:59

Module 5: Program Exploitation

Dates
Start Friday October 10, 2025 @ 18:00
Checkpoint   Sunday October 19, 2025 @ 23:59
Due Sunday October 26, 2025 @ 23:59

Module 6: Race Conditions

Dates
Start Friday October 24, 2025 @ 18:00
Checkpoint   Sunday November 2, 2025 @ 23:59
Due Sunday November 2, 2025 @ 23:59

Module 8: Sandbox Escapes

Dates
Start Friday October 31, 2025 @ 18:00
Checkpoint   Sunday November 9, 2025 @ 23:59
Due Sunday November 9, 2025 @ 23:59

Module 6: Kernel Security

Dates
Start Friday November 7, 2025 @ 18:00
Checkpoint   Sunday November 16, 2025 @ 23:59
Due Sunday November 16, 2025 @ 23:59

Module 9: Microarchitecture Exploitation

Dates
Start Friday November 14, 2025 @ 18:00
Checkpoint   Sunday December 23, 2025 @ 23:59
Due Sunday November 30, 2025 @ 23:59

Module 10: System Exploitation

Dates
Start Friday November 28, 2025 @ 18:00
Checkpoint   Sunday December 7, 2025 @ 23:59
Due Monday December 15, 2025 @ 12:00

Course Communication

All announcements and communications for the class will take place on the discord, with announcements in the #announcements channel and discussion in the class-specific #text channel. Students are required to be on this discord.

Students may use the discord to ask questions or seek clarifications, and the TA, Instructor, or other students can answer. Note that sharing full solution scripts or answers is expressly prohibited, but otherwise, collaboration on the way to the solution is allowed.

Questions may be directly messaged to the instructors.

Name Discord Handle
Robert Wasinger robwaz
Michael Tompkins frqmod
Tiffany Bao tiffanyb

Before directly messaging your question, please consider asking it in the course channel instead. This way, the entire class will benefit from your question.

Office Hours

Office hours will be held weekly. All students are encouraged to attend office hours for in-person assistance.

When | Course Role | Name | Discord Handle | Where
Monday 4:30 - 5:30 | TA | Zack Smith | donkey | BYENG M1-09
Tuesday 9:30 - 10:30 | Instructor | Tiffany Bao | tiffanyb | Zoom
Wednesday 4:30 - 5:30 | TA | Sam Zhu | sjzhu | BYENG M1-09
Friday 4:30 - 5:30 | TA | Sammy Samara | sammy177 | BYENG M1-09
TBD | Instructor | Robert Wasinger | robwaz | TBD
TBD | Instructor | Michael Tompkins | frqmod | TBD

Assignments

Student performance will be evaluated on between 7 and 14 equally weighted homework assignments (the modules), where each assignment will consist of between 10 and 100 challenge problems.

Assessment

Component Weight
Assignments 80%
Midterm Exam 10%
Final Exam 10%
Extra Credit Cap 5%

Challenge-based assignments with flags as rewards.

Each assignment will consist of a large number of varied but related challenges, and will be live for between one and two weeks. Solving these challenges may require the use or implementation of fairly complex hacking tools. Solving each individual challenge will grant a challenge-specific passcode, called a "flag". The maximum number of flags possible to score for an assignment is equal to the maximum number of challenges in the assignment.

The existence of flags means that there is no wrong way to solve a challenge. If you tricked the challenge into giving you the valid flag, good job.

Exams

There will be two in-class, handwritten exams this semester. These exams are designed to assess your conceptual understanding of the mechanisms underlying the vulnerabilities studied throughout the course. Exams will be closed-book, and no laptops, tablets, or other electronic devices will be permitted. However, you may bring one cheat sheet: a single 8.5" x 11" sheet of paper with notes on both sides.

Students must attend class during the week of an exam on the day assigned to the section in which they are registered. Exam dates will be announced as early as possible, but please plan ahead based on the tentative schedule below.

Tentative Midterm Dates

  • Tuesday 10/21
  • Thursday 10/23

Extra credit: Helping Others

This course encourages collaboration. We have recruited the help of a reputation bot on the discord to this end. Students can thank other students by reacting to helpful messages with the :upvote: emoji on the Discord server. Whenever you get thanked this way by a student in a public discord channel, the reputation bot will also react with a thanks emoji and log the interaction. Extra credit for receiving thanks is logarithmic (5 * log_50(thanks), that is, the logarithm base 50 of the number of thanks), for up to 5% extra credit at 50 thanks received. Abuse of this system is considered a violation of academic integrity.

Extra credit: Memes

Are you a meemer? Meme, and earn grades! If you post an on-topic meme in the #memes channel and we emoji-react to acknowledge it, you will get 0.5% extra credit, to your final grade, per week (A week begins on Sunday and ends the following Monday at midnight MST). In order to foster a good learning community, and encourage creative thinking around the material, you may receive extra credit each week for sharing educational memes in the course discord. It is important to note that memes must be relevant, educational, and non-offensive. No excessively spicy memes please. The course discord bot will acknowledge credited memes with an :upvote: emoji if the meme is approved by the course staff. Good memes might be reviewed in class. Meme extra credit will be at most 5% of your grade.

Help and meme extra credit are hard-capped at a combined 5%!

More Extra Credit: Bug Bounty Program

Students who responsibly disclose serious security issues in course infrastructure will earn an extra 1 to 25 "bug bounty" percentage points on their final grade, depending on the severity of the issue. Blatantly spurious reports may earn a penalty of up to -5 percentage points. Allowances will be made for honest mistakes leading to a spurious bug bounty filing, but please don't waste our time on purpose.

Collaboration Policy

Collaboration is highly encouraged in this course. However, there is a delicate balance between being excessively helpful, and learning. The purpose of course collaboration is understanding concepts. As such, questions and answers should be focused on concepts, and not how to solve challenge X.

The challenges explore important concepts, and so it is fine to discuss the challenges. However, you may not discuss full or significant portions of a challenge's solution. Furthermore, you may not intentionally solve challenges as a group. The assignments must still be solved individually.

Feel free to discuss ideas important to the challenge, or tools which may be useful.

If there is any confusion, just ask! We try to assume good intentions, but egregious violations will result in an academic integrity violation.

Final Grade Calculation

The final grade will be calculated by averaging the grades of each homework assignment, equally weighted, then adding extra credit. Percentages will be translated to letter grades with the following initial cutoffs:

Percentage Grade Letter Grade
>= 100 A+
>= 93 A
>= 90 A-
>= 88 B+
>= 83 B
>= 80 B-
>= 78 C+
>= 70 C
< 70 E

With the exception of the cutoff for A+, these cutoffs can be curved downward in the event that students do worse than expected.

Special Accommodations

Students requesting disability accommodations should register with the Disability Resource Center (DRC) and present the instructor with appropriate documentation from the DRC.

Plagiarism and Cheating

Plagiarism or any form of cheating in assignments or projects is subject to serious academic penalty. To understand your responsibilities as a student read: ASU Student Code of Conduct and ASU Student Academic Integrity Policy. There is a zero tolerance policy in this class: any violation of the academic integrity policy will result in a zero on the assignment and the violation will be reported to the Dean’s office. Plagiarism is taken very seriously in this course.

Examples of academic integrity violations include (but are not limited to):

  • Sharing code with a fellow student (even if it’s only a few lines).
  • Collaborating on code with a fellow student (unless explicitly allowed).
  • Using another student's solution to solve a challenge and get a flag.
  • Sharing a flag with another student (NEVER ALLOWED UNDER ANY CIRCUMSTANCES).

Posting your assignment solutions online is expressly forbidden, and will be considered a violation of the academic integrity policy. Note that this includes working out of a public GitHub repository. The GitHub Student Developer Pack provides unlimited private repositories while you are a student, making it easy to begin with a private GitHub repository.

Syllabus Update

Information in the syllabus may be subject to change with reasonable advance notice and an announcement on discord.

Misc

Syllabus copyright 2025 Robert Wasinger, along with all lectures and course-related written materials. During this course students are prohibited from making audio, video, digital, or other recordings during class, or selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of the faculty member teaching this course.

Be reasonable.

Title IX is a federal law that provides that no person be excluded on the basis of sex from participation in, be denied benefits of, or be subjected to discrimination under any education program or activity. Both Title IX and university policy make clear that sexual violence and harassment based on sex is prohibited. An individual who believes they have been subjected to sexual violence or harassed on the basis of sex can seek support, including counseling and academic support, from the university. If you or someone you know has been harassed on the basis of sex or sexually assaulted, you can find information and resources at https://sexualviolenceprevention.asu.edu/faqs.

As a mandated reporter, I am obligated to report any information I become aware of regarding alleged acts of sexual discrimination, including sexual violence and dating violence. ASU Counseling Services, https://eoss.asu.edu/counseling, is available if you wish to discuss any concerns confidentially and privately.

  1. Create a pwn.college account here. You can use an existing account, or create a new one specifically for the course. The username will be visible publicly: if you want to be anonymous, do not use your real name.
  2. Create a Discord account here. You can use an existing account, or create a new one specifically for the course.
  3. Join the pwn.college Discord server here. This is where you will be able to discuss the challenges with your peers and see official course announcements.
  4. Link your pwn.college account with your Discord here. As a verified student, you will receive an official course role in Discord for viewing course announcements.
  5. Link your pwn.college account with your ASU Student ID (10-digit number) here. This is how we will be able to give you your official course grade, and how we will be able to verify your student status for an official course role in Discord.