This course focuses on software security fundamentals, secure coding guidelines and principles, and advanced security concepts spanning software, hardware, and embedded systems. Students will learn to assess and understand threats, design and implement secure systems, and gain hands-on experience with common security pitfalls. The course additionally covers hardware and embedded-systems security, including firmware security, trusted execution environments, memory-mapped I/O, peripheral attacks, and security challenges in resource-constrained systems. Finally, the course introduces agentic AI–assisted security, where autonomous and semi-autonomous agents are used for vulnerability discovery, automated program and firmware analysis, intelligent fuzzing, policy reasoning, and adaptive defense—highlighting both the capabilities and risks of agent-driven security systems.
The schedule is tentative and may change. All code used in class will be made available on GitHub, if not already open-source.
Week 1: Welcome and Gentle Introduction to CTFs.
Weeks 1–3: Attack Modeling
Weeks 4–5: Access Control, Privilege Escalation, and Linux Security Modules.
Weeks 6–7: Automatic Vulnerability Discovery using Reasoning (Continuation from Embedded Systems Fall 25 Course)
Week 8: Midterm Presentations
Weeks 8–12: Automatic Vulnerability Discovery using Agentic AI
Weeks 13-15: Fault Injection + Paper Survey
Weeks 16–17: Side Channel Analysis + Paper Survey
Week 18: Final Presentations
There are no exams for this course. Your grade will be decided based on your course project (70%) and paper presentations (30%). The course project will be evaluated based on the novelty of the project, the quality of the artifact, and the project report. Students should ensure the novelty of the project by doing a literature survey. Your grade will be severely impacted if there is existing work on the proposed idea. Moreover, artifact submission is necessary; however, it is fine to submit a Work-In-Progress, given appropriate justification.
Alternatively, students may participate in the real MITRE eCTF; in this case, grades will be determined using a hybrid team- and individual-based evaluation to ensure fairness. Specifically, 40% of the grade will be based on the team’s final official eCTF rank, 40% on documented individual technical contributions, and 20% on an individual reflection report. Individual contributions must be explicitly acknowledged by the team captain through a signed contribution statement and corroborated with concrete artifacts such as Git commits, design documents, exploit or defense implementations, testing or fuzzing infrastructure, and related technical evidence; captain acknowledgment alone is necessary but not sufficient for full credit. Each student must also submit a short technical reflection describing their specific contributions, design decisions, security insights, and lessons learned. In cases of unclear or minimal contribution, the instructor reserves the right to adjust individual grades independently of team rank, including reviewing repositories, logs, peer feedback, or conducting interviews if needed. Students cannot receive full credit without verifiable technical contributions.
Students are permitted to use Generative AI (GenAI) tools as part of their coursework. However, if a student chooses to do so, it is their responsibility to verify the accuracy of any information or claims produced by the AI. Any errors, hallucinations, or misleading outputs from such tools remain the sole responsibility of the student. For homework assignments, students are required to submit relevant chat logs or interactions with the GenAI system along with their work. These logs should clearly show how the tool was used in the completion of the assignment. Students should not rely on GenAI tools as an “answering oracle.” Instead, these tools are to be used as helpful assistants to support learning, research, and problem-solving efforts, not as a substitute for the student’s own understanding and work.
Penn State welcomes students with disabilities into the University’s educational programs. Every Penn State campus has an office for students with disabilities. The Student Disability Resources website provides contact information for every Penn State campus. For further information, please visit the Student Disability Resources website.
In order to receive consideration for reasonable accommodations, you must contact the appropriate disability services office at the campus where you are officially enrolled, participate in an intake interview, and provide documentation. If the documentation supports your request for reasonable accommodations, your campus’s disability services office will provide you with an accommodation letter. Please share this letter with your instructors and discuss the accommodations with them as early in your courses as possible. You must follow this process for every semester that you request accommodations.
Many students at Penn State face personal challenges or have psychological needs that may interfere with their academic progress, social development, or emotional well-being. The university offers a variety of confidential services to help you through difficult times, including individual and group counseling, crisis intervention, consultations, online chats, and mental health screenings. These services are provided by staff who welcome all students and embrace a philosophy respectful of clients’ cultural and religious backgrounds, and sensitive to differences in race, ability, gender identity, and sexual orientation.
Penn State takes great pride in fostering a diverse and inclusive environment for students, faculty, and staff. Acts of intolerance, discrimination, or harassment due to age, ancestry, color, disability, gender, gender identity, national origin, race, religious belief, sexual orientation, or veteran status are not tolerated and can be reported through Educational Equity via the Report Bias webpage.