Intro to Software Security
Barton Miller
Elisa Heymann
Downloading and Running the Exercises

Most of the exercises are delivered to you in a virtual machine, completely configured and ready to run. We use the VirtualBox VM, which can run on Windows, Linux, and macOS. Once you install VirtualBox and download our VM image, you will have everything that you need to work on the assignments.

Note that you will not need to use this virtual machine image for the exercise on numeric errors. You will need it for the exercise on Serialization.

For architectures other than M1/M2/M3:

To get started on the assignments, you will need to complete these steps. Note that once you complete step 1, you will not need to do it again. You will repeat steps 2-3 only when there is a need to update the virtual machine for new exercises.

  1. First, install VirtualBox. The VirtualBox website has the instructions necessary for this step.

  2. Once VirtualBox is downloaded and installed, download the exercises VM image here. Make sure to save the downloaded file with the name "security-exercises-24.ova". Check to make sure that there are no other file name extensions, such as ".tar".

  3. Start the exercise VM by double-clicking on the "security-exercises-24.ova" file that you just downloaded and following the prompts to import the appliance. Once you have imported the machine, you should see the newly imported appliance listed in the left-hand panel of VirtualBox. Select the appliance and click the "Start" button located near the top of the VirtualBox window. Depending on your host system, it may take a few minutes to start the virtual machine.

For M1/M2/M3 architectures

Here we describe what is available at https://github.com/utmapp/UTM/discussions/2521 - and in particular in the comment at https://github.com/utmapp/UTM/discussions/2521#discussioncomment-3828872

  1. Install UTM.app: either from https://getutm.app/ or, if using brew, with brew install utm

  2. Install qemu:
       brew install qemu

  3. Download the VM OVA file:
       cd /tmp
       wget http://www.cs.wisc.edu/mist/SoftwareSecurityCourse/Exercises/security-exercises-24.ova

  4. The OVA file is internally a tar archive - extract it:
       tar xvf security-exercises-24.ova

  5. Convert the VMDK file to QCOW2 format:
       qemu-img convert -O qcow2 web-security-tools-disk001.vmdk web-security-tools.qcow2

  6. Download a Linux installation ISO image. It will not actually be used, but it is needed for the next step. Pick Ubuntu. (You can skip this step and follow a different path as explained below.)

  7. Create a new (blank) UTM VM. Select:
    If you have an ISO image:
    * Emulate (to make it a x86_64 VM)
    * Linux as the Operating System
    * Boot from ISO image and point to the image downloaded in the previous step.
    If you do not have an ISO image:
    * Emulate (to make it a x86_64 VM)
    * Choose Custom as Operating System
    * Skip ISO boot

  8. If you have an ISO image:
    Edit the settings of the newly created VM and make the following changes:
    * Add a new Drive. Select NVMe interface and select Import and point to the QCOW2 file created in step 5.
    * Delete the other Drives - the blank drive created at VM creation and the "DVD" drive holding the ISO image
    * Disable UEFI boot
    If you do not have an ISO image:
    Edit the settings of the newly created VM and make the following changes:
    * In drives, delete the existing drive (could be something called an IDE drive)
    * Add a new Drive and select import. Import the QCOW2 file created in step 5.
    * Go to QEMU Tab and disable UEFI boot.

  9. Save the settings changes and boot up the VM - it should come up.
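
An integrity check that fits between steps 4 and 5 of the M1/M2/M3 procedure, as an added example that is not part of the course's own material: it compares the extracted files with the OVF manifest (a .mf file of SHA1 or SHA256 digests) that OVA archives commonly carry. That this particular OVA contains a manifest is an assumption, and the function names hash_file and verify_ova_manifest are hypothetical.

```shell
#!/bin/sh
# Added example (not from the course page): verify files extracted from an OVA
# against the OVF manifest (*.mf), if the archive contains one (assumption).
# Manifest lines look like "SHA256(disk.vmdk)= <hex>"; spacing varies by exporter.
# Return codes: 0 = all digests match, 1 = mismatch/missing file, 2 = no manifest.

hash_file() {  # $1 = SHA1 or SHA256, $2 = path; prints the hex digest
    bits=${1#SHA}
    if command -v "sha${bits}sum" >/dev/null 2>&1; then
        "sha${bits}sum" "$2" | cut -d' ' -f1
    else
        shasum -a "$bits" "$2" | cut -d' ' -f1   # macOS ships shasum instead
    fi
}

verify_ova_manifest() {  # $1 = directory the OVA was extracted into
    dir=$1
    mf=$(ls "$dir"/*.mf 2>/dev/null | head -n 1)
    [ -n "$mf" ] || return 2
    # Rewrite each entry as "ALGO|hex|filename" and check it in a subshell.
    sed -n -E 's/^(SHA1|SHA256) ?\((.+)\) ?= ?([0-9A-Fa-f]+)[[:space:]]*$/\1|\3|\2/p' "$mf" | (
        rc=0; seen=0
        while IFS='|' read -r algo want name; do
            seen=$((seen + 1))
            want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
            if [ ! -f "$dir/$name" ]; then
                echo "MISSING  $name"; rc=1
            elif [ "$(hash_file "$algo" "$dir/$name")" = "$want" ]; then
                echo "OK       $name"
            else
                echo "MISMATCH $name"; rc=1
            fi
        done
        [ "$seen" -gt 0 ] || rc=1   # a manifest with no parsable entries is a failure
        exit "$rc"
    )
}
```

After step 4, source the file and run verify_ova_manifest /tmp, then continue with the conversion only on return code 0. The manifest travels inside the same archive, so a match shows that the download and extraction were not corrupted; it does not authenticate the image.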