The Summer School 2018 on System Security will take place at Helmholtz Center for Information Security (CISPA) in Saarbrücken from
August 27 – 31, 2018.
The CISPA Summer School 2018 will give you a deep dive into four highly relevant areas of system security. You will
be able to meet and learn from top experts in these fields. During hands-on training sessions you will learn how to
understand, find and exploit vulnerabilities for different platforms (Mobile, Web, and PC) and how to counter these
exploits. Furthermore, you will be able to showcase your own best work in a poster session and discuss them with top
Attacking Android Apps
Mobile apps have become an integral aspect of most of our daily routines and are hence entrusted with some
of the most sensitive private information. In this session, we will cover basics of Android apps’
architecture and then delve into some of the most common security vulnerabilities of apps, their effects,
and their root causes. In addition, we will look into state-of-the-art code analysis techniques for apps and
their challenges in the particular setting of Android’s system design.
Grammar-based Testing & Fuzzing
Testing with randomly generated inputs (“fuzzing”) has shown to be one of the easiest and cost-effective
methods to discover bugs and vulnerabilities. In this session, we show how to build highly effective
fuzzers, using and mining grammars to specify input formats, mutation to alter existing inputs, as well as
exploiting coverage of grammars and code. These principles highly effective in practice – applied on the
first four weeks of running his fuzzer; his tool now is in daily use at Mozilla and has uncovered more than
4,000 bugs so far . We provide sample Python code such that you can apply and experiment with these
techniques right away – on subjects and domains of your choice.
Finding Web Security Flaws
The Web today has grown into a fully-fledged application platform, fueling widely used services like Social
Networks, email clients, or even office applications. In this session, we cover the basic security
principleson the client, showing different attacks allowing an adversary to control the browser of his
victim, such as XSS or CSRF. Moreover, we cover lesser-known classes of flaws, which may allow adversaries
to extract information from their victim. Based on the attack techniques taught in the course itself, you
will then be able to test your newly acquired skills by exploiting vulnerable Web applications.
Crafting Software Exploits
Ever wondered about what use-after-free vulnerabilities, heap spraying, buffer overflows, control-flow
integrity or ASLR are really about? This One-day session covers a wide range of software exploitation
techniques and cutting-edge defenses. We lay the foundation with in-depth knowledge about operating systems
and software-hardware interaction in general. This is followed by a crash course on 64 bit Intel assembly,
which will give you first building blocks for attack techniques against vulnerable software. This ranges
from basic exploitation techniques that piggyback malicious payload to sophosticated code-reuse attacks,
which can change the behavior of a victim program. By the end of this day, you will be able to prove your
fresh skills by cracking a vulnerable software.
Michael Backes (CISPA)
Sven Bugiel (CISPA)
Sebastian Lekies (Google)
Stefan Nürnberger (CISPA)
Siegfried Rasthofer (Fraunhofer SIT)
Christian Rossow (CISPA)
Ben Stock (CISPA)
Andreas Zeller (CISPA)
August 27 - August 31, 2018
CISPA − Helmholtz Center for Information Security
66123 Saarbrücken, Germany
180,- Euro (including public transportation, catering, and social program).
not included in the participation fee, but CISPA is providing support in finding accommodation.
» More Information
How to apply:
fill out the linked PDF below (
) and sent it via email to
Don't forget to attach a Motivation Letter, Curriculum Vitae, Transcript of Records, and University Certificates.
June 15, 2018