If you’re a CS major at the University of Waterloo, you might have heard about CS 453. I’ll let you make sense of the banter image however you want. I’m just here to recount my experience with the course in Spring 2025.

The course is exactly as its name suggests, you learn about software security and systems security. I decided to take the course because hacking sounds cool and I’ve never had the chance to participate in a CTF contest before.

The course has 4 assignments, 25% each. So no exams whatsoever. You bomb one assignment, you bomb your course grade. A1 and A2 covers software security, while A3 and A4 covers systems security.

A1 gave me an executable along with the C source code. This program contains a bunch of different vulnerabilities such as buffer overflow, format string, TOCTTOU, etc. I was asked to write 3 sploits, 1 for memory vulnerability and 2 for non-memory vulnerabilities. The goal for all 3 sploits is to execute shellcode that obtains a root shell. The lectures did teach me what each type of vulnerability is, and how it could be performed. But all of that was only on a high level. I had to figure out how to actually perform the hack myself. If you have ever done CTF, you know precisely where this is going, especially for a beginner. Extracting information from GDB is not trivial. Constructing the memory layout is not trivial. Crafting the payload is not trivial. Nothing is trivial. I ended up bombing the assignment with 62.5% because there wasn’t a single buffer overflow vulnerability (which would have made things 10 times easier), and I still couldn’t figure out the right payload to exploit the format string vulnerability, the only goddamn memory vulnerability in that program. TOCTTOU and hostile environment were surprisingly straightforward tho.

A2 gave me 3 programs and asked me to perform fuzzing and differential testing on them. All programs accept an input string representing an arithmetic expression and return the value of the expression. The goal is to find the buggy program. We were given the CFG for the arithmetic expression, so that wasn’t so bad. I just had to figure out how to do mutual recursion properly to simulate the CFG and there was my fuzzer.

A3 gave me 5 sandboxes, all built with seccomp. The goal for all sandboxes is to read a file and print its contents to stdout. Each sandbox has different rules on what it allows and what it blocks. The lectures only said what a seccomp-based sandbox is and that it can allow/block syscalls. That was it. You wanna know which syscalls are allowed and which syscalls are blocked? Go figure it out yourself. By CTF standard, you use seccomp-tools, a tool that could tell you that information in a single command, but it took me 2 fricking hours to figure that out. And then came the real nightmare. How do you read a file when the read syscall is blocked? How do you write to stdout when every single write syscall is blocked? Why the heck is there a rule about 32-bit syscalls and how the heck is it helpful? I spent 12 hours answering all those questions and completing the assignment. The lesson is that Linux syscall documentation is very very helpful, go read the damn thing. You can man <syscall> or read it online, whichever works best for you.

A4 gave me 4 authentication programs, each using a different hashing scheme. The goal is to reverse the hashing scheme to obtain the original password from the hash. It wasn’t straightforward per say, but with a little research on the specific hashing schemes, I was able to reverse the hash pretty quickly. It was also the last assignment so the profs went easy on us.

On the other hand, the lectures basically taught me everything there is know about software security and systems security, on a medium-to-low overview level. And the lectures covered way more stuff than the assignments. Think of the assignments as CTF challenges, except they were not for beginner hackers at all. The experience was excruciating and interesting at the same time.

Final rating: true hacking experience/10. Still kinda wished they would also give us web security stuff.