Software Security

Software Security, Spring 2012

This course is taught by Erik Poll.

Make sure you register in Blackboard!. (If you somehow cannot register for the course, send me an email!)

Prerequisites
Basic programming skills, incl. familiarity with C and Java.

Topics:
Broadly speaking, this course tries to address two questions.

What are common security problems and what are their underlying causes?
What are techniques, guidelines and principles, and tools that can help to prevent or detect them?

Common security problems include for instance buffer overflows, integer overflows, SQL injection, XSS, and race conditions. Techniques to prevent or detect problems include threat modeling, check lists and coding standards, static analysis tools, code reviews, typing, static analysis, language-based security (or platform-based security), security middleware, runtime monitoring, information flow analysis, program verification, and proof-carrying code.

Both problems and solutions can be specific to the operating system, the programming language, middleware, type of application, or just down to the individual application. In order not to get lost in the forest of possibilities, we will try to understand the common themes: the root causes that lie at the heart of many problems and the fundamental good principles embodied by some of the solutions.

Grading
The course will be graded based on a written exam and project work: C++ code analysis with PREfast, a big group project looking at a web application, and the program verification tool ESC/Java.
You have to seriously participate in the project work to take the exam. Final grade will be based on the exam (50%) and results on the project (where we will come up with a scheme to fairly reflect the effort these required: proposal 5% PREfast, 40% OWASP, 5% ESC), but you will have to pass the exam to pass the course.

The exam will cover the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, ie. you cannot bring copies of slides, papers etc to the exam. You're not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides). You are expected to be able to spot simple buffer overflow problems given some hints, but are not expected to spot tricky ones even with hints.

Schedule
Lectures Fridays 10:45-12.30 in LIN 8 (Linnaeus building, lecture room 8). The lectures start Feb 10, because semester in Eindhoven and Twente starts a week later than in Nijmegen.

Lectures & obligatory reading material

NB the description below is still under construction. Slides and reading material will be added as the course progresses. Video recordings of the lectures will be in Blackboard.

nr.	day	slides	To read (some papers will be updated as we go along)
1	Feb 10	Introduction	Gary McGraw, Software security. Gary McGraw and Greg Morrisett, Attacking Malicious Code: A Report to the Infosec Research Council. Also available here. Have a look at BugTraq, CERT Bulletins and Security Tracker
2	Feb 17	Buffer Overflows	John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, NDSS'2003
	Feb 24	No lecture - Carnaval break
3	Mar 2	Static Analysis with PREfast & SAL	Individual project: PREfast. Due: March 13.
4	Mar 9	More standard security flaws: input validation	Read the OWASP Top 10 and DOM Based Cross Site Scripting These animations explain XSS 1, XSS 2, CRSF, and Forceful Browsing.
5	March 16	Discussion PREfast project Design principles	Read Principles for Software Security
6	March 23	Project 2: Software Review	Group project (web-app security evaluation) We use this wiki
7	March 30	Language-based security - safety	Read Chapters 2, 3 and 4 of lecture notes
7	Apr 6, 13	No lecture!
8	April 20	Language-based security: sandboxing	Java sandboxing is explained in Gary McGraw and Ed Felten, Securing Java, Sections 3.5, 3.6, and 3.7.
9	April 27	Discussion OWASP project; Non-atomic check and use, Java secure programming guidelines	Statically Scanning Java Code: Finding Security Vulnerabilities, IEEE Software, pp. 68-74, 2000. (Accessible from ru.nl domain; almost identical content is in Twelve rules for developing more secure Java code by Gary McGraw and Edward Felten.)
	May 4	No lecture
10	May 11	Information Flow	Read Chapter 5 of lecture notes
	May 18	No lecture
11	May 25	Program verification	2nd and final individual exercise: program verification using ESC/Java2 Deadline: June 3 Movie with Michal Moskal presenting VCC
12	Jun 1!	Proof Carrying Code and MIDP examples
	June 1	opportunity to do program verification exercise in HG00.023 from 12:30 to 14:30
13	Jun 8	Alias control
14	Jun 15	Information Flow for Javascript
15	Jun 22. Also 13:30-15:30	OWAPS phpbb project group presentations	Deadline for OWAPS phpbb project
	June 29	13:30-15:30 - Exam in LIN 8	The exam is closed book, and covers the material treated in class (and in the slides), the papers listed above, and the projects. Some hints on what to expect
	August 17	Resit exam - 13:30-15:30 - HG00.068

Recommended literature

The articles listed above are obligatory reading material. For additional background reading I can recommend:

Building Secure Software, by John Viega and Gary McGraw. Addison-Wesley, 2002.

The 24 Deadly Sins of Software Security, by Michael Howard, David LeBlanc and John Viega, McGraw-Hill, 2009, or the earlier "The 19 Deadly Sins of Software Security" that appeared in 2005.
Secure Coding: Principles & Practices, by Mark G. Graff and Kenneth R. van Wyk. O'Reilly, 2003.
Writing Secure Code, by Michael Howard and David LeBlanc, Microsoft Press, 2002.

These books are available in the Nijmegen library. The "Deadly Sins" book is always available in the studielandschap.

On-line resources

There are several websites that provide information about common security flaws, secure coding guidelines, and more general good security principles:
- Building Security In provides, among other things, information on security principles
- OWASP focusses on security issues for web applications, and publishes the OWASP Top Ten vulnerabilities in web applications.
- There is also the CWE/SANS Top 25 Most Dangerous Programming Errors.
- CERT Secure Coding. Material here includes secure coding guidelines for C, C++ and Java.
There are several websites that keep track of vulnerabilities
I also recommend subscribing to Bruce Scheier's crypto-gram, which is interesting and entertaining to read. It is about security in general, not specifically about software security.