Software Security

Software Security, Spring 2012

This course is taught by Erik Poll.

Make sure you register in Blackboard!.

Prerequisites
Basic programming skills, incl. familiarity with C and Java.

Topics:
Broadly speaking, this course tries to address two questions.

What are common security problems and what are their underlying causes?
What are techniques, guidelines and principles, and tools that can help to prevent or detect them?

Common security problems include for instance buffer overflows, integer overflows, SQL injection, XSS, and race conditions. Techniques to prevent or detect problems include threat modeling, check lists and coding standards, static analysis tools, code reviews, typing, static analysis, language-based security (or platform-based security), security middleware, runtime monitoring, information flow analysis, program verification, and proof-carrying code.

Both problems and solutions can be specific to the operating system, the programming language, middleware, type of application, or just down to the individual application. In order not to get lost in the forest of possibilities, we will try to understand the common themes: the root causes that lie at the heart of many problems and the fundamental good principles embodied by some of the solutions.

Grading
The course will be graded based on a written exam and project work: C++ code analysis with PREfast, a big group project looking at a web application, and the program verification tool ESC/Java.
You have to seriously participate in the project work to take the exam. Final grade will be based on the exam (50%) and results on the project (where we will come up with a scheme to fairly reflect the effort these required: proposal 5% PREfast, 40% OWASP, 5% ESC), but you will have to pass the exam to pass the course.

The exam will cover the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, ie. you cannot bring copies of slides, papers etc to the exam. You're not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides). You are expected to be able to spot simple buffer overflow problems given some hints, but are not expected to spot tricky ones even with hints.

Schedule
Lectures Fridays 10:45-12.30 in LIN 8 (Linnaeus building, lecture room 8). The lectures start Feb 10, because semester in Eindhoven and Twente starts a week later than in Nijmegen.

Lectures & obligatory reading material

NB the description below is still under construction. Slides and reading material will be added as the course progresses. Video recordings of the lectures will be in Blackboard.

slides

nr.	day	To read (some papers will be updated as we go along)
1	Feb 10	Introduction	Gary McGraw, Software security. Gary McGraw and Greg Morrisett, Attacking Malicious Code: A Report to the Infosec Research Council. Also available here. Have a look at BugTraq, CERT Bulletins and Security Tracker
2	Feb 17	Buffer Overflows	John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, NDSS'2003
	Feb 24	No lecture - Carnaval break
3	Mar 2	Static Analysis with PREfast & SAL	Individual project: PREfast. Due: March 2, before the lecture.
4	Mar 9	More standard security flaws: input validation	Watch these animations explaining XSS 1, XSS 2, CRSF, and Forceful Browsing. Read the new draft OWASP Top 10.
5	March 16	Discussion PREfast project Design principles	Read Principles for Software Security
6	March 23	Project 2: Software Review	Project 2 (web-app security evaluation) using wiki To read for this: OWASP ASVS, eg. available as [PDF]
7	March 30	Language-based security
7	Apr 6, 13	No lectures!
8	April 20	Language-based security - (in)famous Java security flaws	Java sandboxing is explained in Gary McGraw and Ed Felten, Securing Java, Sections 3.5, 3.6, and 3.7.
9	April 27	Discussion OWASP project; Non-atomic check and use, Java secure programming guidelines	Statically Scanning Java Code: Finding Security Vulnerabilities, IEEE Software, pp. 68-74, 2000. (Accessible from ru.nl domain; almost identical content is in Twelve rules for developing more secure Java code by Gary McGraw and Edward Felten.)
	May 4	No lecture
10	May 11	Program verification	Movie with Michal Moskal presenting VCC
	May 18	No lecture
11	May 25	Alias control	Jan Vitek and Boris Bokowski, Confined Types in Java, Software - Practice and Experience, Vol. 31 , No. 6, pp. 507 - 532, 2001.
12	May 25?	program verification exercise session TBA	2nd and final individual exercise: program verification using ESC/Java2 Deadline: June 3
12	Jun 1	Proof Carrying Code and MIDP examples	George C. Necula and Peter Lee, Safe Kernel Extensions without Run-Time Checking, OSDI'96, pp. 229-243
13	Jun 8	Information Flow	Geoffrey Smith, Principles of Secure Information Flow Analysis (Exam won't include questions on Section 2.1 (Concurrency))
14	Jun 15	Information Flow for Javascript	Dominique Devriese and Frank Piessens, Non-interference through Secure Multi-Execution (Exam won't include questions on Section III, IV, and VII)
15	June 22	OWAPS phpbb project group presentations	Deadline for OWAPS phpbb project
	June 29	10:30-12:30 - Exam in LIN 8	The exam is closed book, and covers the material treated in class (and in the slides), the papers listed above, and the projects. Some hints on what to expect
	August 17	Resit exam - 13:30-15:30 - HG00.068

Recommended literature

The articles listed above are obligatory reading material. For additional background reading I can recommend:

Building Secure Software, by John Viega and Gary McGraw. Addison-Wesley, 2002.

The 24 Deadly Sins of Software Security, by Michael Howard, David LeBlanc and John Viega, McGraw-Hill, 2009, or the earlier "The 19 Deadly Sins of Software Security" that appeared in 2005.
Secure Coding: Principles & Practices, by Mark G. Graff and Kenneth R. van Wyk. O'Reilly, 2003.
Writing Secure Code, by Michael Howard and David LeBlanc, Microsoft Press, 2002.

These books are available in the Nijmegen library. The "Deadly Sins" book is always available in the studielandschap.

On-line resources

There are several websites that provide information about common security flaws, secure coding guidelines, and more general good security principles:
- Building Security In provides, among other things, information on security principles
- OWASP focusses on security issues for web applications, and publishes the OWASP Top Ten vulnerabilities in web applications.
- There is also the CWE/SANS Top 25 Most Dangerous Programming Errors.
- CERT Secure Coding. Material here includes secure coding guidelines for C, C++ and Java.
There are several websites that keep track of vulnerabilities
I also recommend subscribing to Bruce Scheier's crypto-gram, which is interesting and entertaining to read. It is about security in general, not specifically about software security.