Software Security, Autumn 2018

This course is taught by Erik Poll. It is part of the TRU/e Master specialisation in Cyber Security.

Make sure you are registered in Osiris, which will then also register you in Brightspace. Beware that there is a 6EC version (ISOFSE) and a 5EC version (IMC051) of this course. Only register for the 5 EC version if you are doing the TRU/e Cyber Security specialisation.

If you somehow cannot register for the course (yet), send me an email, so that I can make sure email announcements via Brightspace reach you!

Prerequisites
Basic programming skills, incl. familiarity with C and Java. In more detail:

Topics
This course addresses two questions:

Common security problems include buffer overflows, integer overflows, injection attacks (such as command injection or SQL injection), XSS and other web-specific attacks, deserialisation attacks, and race conditions. Techniques to prevent or detect problems include threat modeling, checklists and coding standards, code reviews, "safe" programming languages, LangSec (language-theoretic security), fuzzing and other forms of security testing, static analysis tools and source code analyzers, information flow analysis (incl. tainting), program verification, and proof-carrying code.

The focus of this course is not on pen(etration)-testing or hacking to find vulnerabilities, as in the bachelor courses 'Hacking in C' and 'Web Security', but more on underlying causes and general techniques to improve the security of software.

Lectures & obligatory reading material

Lectures: Fridays 15:30-17:15 in HG00.304 in Q1 and HG00.303 in Q2 (i.e. starting November).

NB the description below will be updated as we go along, with slides and pointers to papers. The obligatory reading material and exam material for the course includes (i) the slides, (ii) the papers and (iii) the course lecture notes, which cover material presented in some of the lectures.

Day / Slides / Mandatory reading
Sept 7
Sept 14
Sept 21
  1st individual project: PREfast. Deadline: Oct 4
Thursday evening Sept 27 (not part of this course but highly relevant): OWASP NL Chapter meeting in Nijmegen
Sept 28
Oct 5
  Group project. Deadlines: Nov 14 (xls on tools), Dec 19 (xls for evaluation), January for the PDF report.
Oct 12
Oct 19: Sandboxing in programming languages
Oct 26 & Nov 2: no lectures (midterm break)
Nov 9?: Java secure programming guidelines
Nov 16: Information Flow
Nov 23: Information flow for Android Apps
Nov 30: Security Testing & Fuzzing
Dec 7: Program Verification (6EC version only)
  2nd individual project (6EC version only). Deadline: TBA
TBA: Program Verification lab session (6EC version only!)
Dec 14: State Machine Inference
Dec 21: Discussion of group project
Jan 16: Exam, 13:00-16:00 in HAL 2 (in the sports complex, the Gymnasion). The exam is closed book and covers the material treated in class (and in the slides), the course lecture notes, the papers listed above, and the projects.
  Some hints on what to expect for the exam
  Mock exam
TBA: Resit Exam

Grading
The course will be graded based on a written exam and project work: two smaller individual projects (C++ code analysis with PREfast, and program verification with ESC/Java) and a bigger group project looking at a web application.
You MUST seriously participate in the project work to take the exam, and do all individual exercises. The final grade will be based on the exam (50%) and the results on the projects (where the project grades are weighted: 5% PREfast, 40% group project, 5% ESC/Java), but you will have to pass the exam to pass the course. Should it ever happen that anyone fails the course because of low grades for the individual exercises (which has never happened), we will arrange an ad-hoc solution to redo these.

The exam will cover the material presented in the lectures, the obligatory literature listed in the schedule above, and the project work. The exam is closed book, i.e. you cannot bring copies of slides, papers etc. to the exam. You are not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides). You are expected to be able to spot simple buffer overflow problems given some hints, but are not expected to spot tricky ones even with hints.

Optional additional reading

The articles listed above alongside the lecture slides are obligatory reading material. For additional background info I can recommend: