CISPA Summer School 2018: System Security

The Summer School 2018 on System Security will take place at CISPA - Helmholtz Center i.G. in Saarbruecken from August 27-31, 2018.

The CISPA Summer School 2018 will give you a deep dive into four highly relevant areas of system security. You will be able to meet and learn from top experts in these fields. During hands-on training sessions you will learn how to understand, find and exploit vulnerabilities for different platforms (Mobile, Web, and PC) and how to counter these exploits. Furthermore, you will be able to showcase your own best work in a poster session and discuss them with top researchers.
When: August 27 - August 31, 2018
Where: CISPA - Helmholtz Center i.G.
Stuhlsatzenhaus 5
66123 Saarbruecken
Participation fee: 180,- € (including public transportation, catering, social program). 
Accommodation: not included in the participation fee, but CISPA is providing support in finding accommodation. For more information click here.

Application deadline: June 15, 2018

Register now! 



Attacking Android Apps


Mobile apps have become an integral aspect of most of our daily routines and are hence entrusted with some of the most sensitive private information. In this session, we will cover basics of Android apps’ architecture and then delve into some of the most common security vulnerabilities of apps, their effects, and their root causes. In addition, we will look into state-of-the-art code analysis techniques for apps and their challenges in the particular setting of Android’s system design.

Grammar-based Testing & Fuzzing


Testing with randomly generated inputs (“fuzzing”) has shown to be one of the easiest and cost-effective methods to discover bugs and vulnerabilities.  In this session, we show how to build highly effective fuzzers, using and mining grammars to specify input formats, mutation to alter existing inputs, as well as exploiting coverage of grammars and code.  These principles highly effective in practice – applied on the Mozilla and Chrome JavaScript interpreters, a fuzzing student of ours netted 50,000$ in bug bounties in the first four weeks of running his fuzzer; his tool now is in daily use at Mozilla and has uncovered more than 4,000 bugs so far .  We provide sample Python code such that you can apply and experiment with these techniques right away – on subjects and domains of your choice.

Finding Web Security Flaws

The Web today has grown into a fully-fledged application platform, fueling widely used services like Social Networks, email clients, or even office applications. In this session, we cover the basic security principleson the client, showing different attacks allowing an adversary to control the browser of his victim, such as XSS or CSRF. Moreover, we cover lesser-known classes of flaws, which may allow adversaries to extract information from their victim. Based on the attack techniques taught in the course itself, you will then be able to test your newly acquired skills by exploiting vulnerable Web applications.

Crafting Software Exploits

Ever wondered about what use-after-free vulnerabilities, heap spraying, buffer overflows, control-flow integrity or ASLR are really about? This One-day session covers a wide range of software exploitation techniques and cutting-edge defenses. We lay the foundation with in-depth knowledge about operating systems and software-hardware interaction in general. This is followed by a crash course on 64 bit Intel assembly, which will give you first building blocks for attack techniques against vulnerable software. This ranges from basic exploitation techniques that piggyback malicious payload to sophosticated code-reuse attacks, which can change the behavior of a victim program. By the end of this day, you will be able to prove your fresh skills by cracking a vulnerable software.

For more information, please send an email to