Software Security TRU/e

Software Security, Autumn 2016

This course is taught by Erik Poll. It is part of the TRU/e Master specialisation in Cyber Security.

Make sure you are registered in Osiris, which will then also register you in Blackboard. Beware that there is a 6 EC version of this course (ISOFSE) and a 5 EC version (IMC051). Only register for the 5 EC version if you are doing the Cyber Security specialisation (TRU/e).

If you somehow cannot register for the course (yet), send me an email, so that I can make sure email announcements via Blackboard reach you!

Prerequisites: Basic programming skills, incl. familiarity with C and Java.

Topics: This course tries to address two questions.

Common security problems include, for instance, buffer overflows, integer overflows, SQL injection, XSS, and race conditions. Techniques to prevent or detect such problems include threat modeling, checklists and coding standards, static analysis tools, code reviews, typing, language-based security (or platform-based security), security middleware, runtime monitoring, information flow analysis, program verification, and proof-carrying code.

Both problems and solutions can be specific to the operating system, the programming language, middleware, type of application, or just down to the individual application. In order not to get lost in the forest of possibilities, we will try to understand the common themes: the root causes that lie at the heart of many problems and the fundamental good principles embodied by some of the solutions.

The focus of this course is not on pen-testing/hacking to find vulnerabilities, as is done e.g. in the Hacker's Hut course at TU/e and in the first-year bachelor courses Hacking in C and Web Security, but on the underlying causes and on how to prevent them, or at least reduce their risk and impact.

Lectures & obligatory reading material

Lectures: Mondays 15:30-17:30 in HG00.062.

NB: the description below will be updated as we go along, with slides and pointers to papers. The obligatory reading material and exam material for the course includes (i) the slides, (ii) the papers and (iii) the course lecture notes, which cover the material presented in some of the lectures.

Day | Slides | Obligatory reading
Aug 29 | No lecture! |
Sept 5 | Introduction | Gary McGraw, Software security, IEEE Security & Privacy, 2004. Brian Chess & Brad Arkin, Software Security in Practice, IEEE Security & Privacy, 2009. Have a look at US-CERT Bulletins, Security Focus, Security Tracker, and the historical overview of CVEs.
Sept 12 | Buffer overflows & platform-level countermeasures | Sections 30.3 & 30.4 of Low-level Software Security by Example by Ulfar Erlingsson, Yves Younan, and Frank Piessens.
Sept 19 | Other countermeasures and Static Analysis with PREfast & SAL | C++ example used in PREfast demo. 1st individual project: PREfast. Deadline: Oct 3 (before the lecture). A video demoing static analysis support in Visual Studio.
Sept 19, 17:30 onwards | Borrel for the TRU/e students, in the Mercator building |
Sept 22, 18:00 onwards | Not officially part of this course: OWASP NL Chapter meeting |
Sept 26 | Input problems | Background reading on Blind SQL injection and XSS info at OWASP and on Wikipedia. D. Kurilova et al., Wyvern: Impacting Software Security via Programming Language Design, PLATEAU 2014, ACM.
Oct 3 | Discussion PREfast project. Intro group project | Webpage for the group project. Deadlines: December 16 for the .xls; Jan 8 for the report.
Oct 10 | 'Safe' programming languages | Chapters 2 & 3 of the lecture notes.
Oct 17 | Sandboxing | The material in the slides is described in Chapter 4 of the lecture notes. Java sandboxing is explained in Gary McGraw and Ed Felten, Securing Java, Sections 3.5, 3.6, and 3.7.
Oct 24 | No lecture (midterm break) |
Oct 31 | No lecture (midterm break) |
Nov 7 (only for 6 EC version!) | Program verification (only for 6 EC version) | Individual exercise: program verification using ESC/Java2. Deadline: Nov 30. Movie with Michal Moskal presenting VCC (not exam material).
Nov 14 | Java secure programming guidelines. TOCTOU attacks | J. Viega et al., Statically Scanning Java Code: Finding Security Vulnerabilities, IEEE Software, 2000. (Accessible from the ru.nl domain; identical content is in Twelve rules for developing more secure Java code.)
Nov 21 | Information Flow | Chapter 5 of the lecture notes.
Thu Nov 24, 13:30-16:30, HG00.137 (only for 6 EC version!) | Opportunity to do the individual JML/ESCJava exercise if you need help |
Nov 28 | Information flow for Android Apps | M.D. Ernst et al., Collaborative Verification of Information Flow for a High-Assurance App Store, CCS 2014.
Dec 5 | Fuzzing | P. Godefroid et al., SAGE: whitebox fuzzing for security testing, ACM Queue, 2012, and D. Wheeler, The Apple goto fail vulnerability: lessons learned, 2016.
Dec 12 | Language-Theoretic Security & State Machine Inference. [lego robot movie] | LangSec "manifesto". E. Poll, J. de Ruiter, and A. Schubert, Protocol State Machines and session languages, LangSec 2015.
Dec 16, 23:59 | Deadline .xls for the group project |
Dec 19 | Discussion group project |
Dec 21, 15:30-17:30, LIN 9 (only for 6 EC version!) | Proof-Carrying Code (only for 6 EC version) | G.C. Necula and P. Lee, Safe Kernel Extensions without Run-Time Checking, OSDI'96. (No need to understand the details of the operational semantics (Fig 3) or the VCGen (Fig 4).)
Jan 8, 23:59 | Deadline report for the group project |
Jan 9 | Question time | Opportunity to ask questions about any of the material, papers, etc.
Friday Jan 27, 13:30-16:30 | Exam in LIN 1 (Linnaeus building, next to the Huygens building) | The exam is closed book, and covers the material treated in class (and in the slides), the course lecture notes, the papers listed above, and the projects. Some hints on what to expect for the exam. Mock exam.

Tue March 14, 18:00-21:00, HG00.065
Grading
The course will be graded based on a written exam and project work: two smaller individual projects (C++ code analysis with PREfast, and program verification with ESC/Java) and a bigger group project looking at a web application.
You MUST seriously participate in the project work to take the exam, and do all individual exercises. The final grade will be based on the exam (50%) and the results on the projects (where the project grades are weighted: 5% PREfast, 40% OWASP, 5% ESC), but you will have to pass the exam to pass the course. Should it ever happen that anyone fails the course because of low grades for the individual exercises (which has never happened), we will arrange an ad-hoc solution to redo these.

The exam will cover the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, i.e. you cannot bring copies of slides, papers, etc. to the exam. You're not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides). You are expected to be able to spot simple buffer overflow problems given some hints, but are not expected to spot tricky ones even with hints.

Recommended literature

The articles listed above alongside the lecture slides are obligatory reading material. For additional background reading I can recommend:
These books are available in the Nijmegen library. The "Deadly Sins" book is always available in the studielandschap.

On-line resources