Software Security

Software Security, Spring 2012

Kerckhoffs Institute

This course is taught by Erik Poll.

Make sure you register in Blackboard! (If you somehow cannot register for the course, send me an email.)

Prerequisites
Basic programming skills, incl. familiarity with C and Java.

Topics:
Broadly speaking, this course tries to address two questions: which security problems occur in software, and which techniques exist to prevent or detect them.

Common security problems include buffer overflows, integer overflows, SQL injection, XSS, and race conditions. Techniques to prevent or detect such problems include threat modeling, checklists and coding standards, code reviews, static analysis tools, typing, language-based security (or platform-based security), security middleware, runtime monitoring, information flow analysis, program verification, and proof-carrying code.

Both problems and solutions can be specific to the operating system, the programming language, middleware, type of application, or just down to the individual application. In order not to get lost in the forest of possibilities, we will try to understand the common themes: the root causes that lie at the heart of many problems and the fundamental good principles embodied by some of the solutions.
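As an added illustration of two of the problem classes listed above, here is a small C example written for this page (it is not course material, and the function names are made up). It puts a classic stack buffer overflow next to a bounds-checked copy, and an integer overflow in an allocation-size computation next to an overflow-checked multiplication, which is exactly the kind of "simple buffer overflow problem" a reader should be able to spot:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16   /* room for 15 characters plus the terminating NUL */

/*
 * Vulnerable: strcpy copies until it finds a NUL in the source, so a name
 * longer than 15 characters overruns buf and overwrites whatever lies next
 * to it on the stack (saved frame pointer, return address, ...).
 * Calling it with such a name is undefined behaviour, so this example only
 * ever calls it with a short name.
 */
void greet_unsafe(const char *name) {
    char buf[NAME_LEN];
    strcpy(buf, name);
    printf("Hello, %s\n", buf);
}

/*
 * Hardened: measure first, copy only if the whole string plus NUL fits.
 * Returns 0 on success and -1 when the input is rejected; dst is untouched
 * on rejection, so callers never end up with a truncated, unterminated name.
 */
int copy_name_bounded(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Convenience wrapper: does a given name fit the greeting buffer? (1 = yes) */
int name_fits(const char *name) {
    char buf[NAME_LEN];
    return copy_name_bounded(buf, sizeof buf, name) == 0;
}

/*
 * Integer overflow: count * elem_size is computed in size_t and silently
 * wraps, so malloc may hand back a tiny block that the caller then fills
 * with count elements: a heap overflow that starts as an arithmetic bug.
 */
void *alloc_array_unsafe(size_t count, size_t elem_size) {
    return malloc(count * elem_size);
}

/* Overflow-checked multiplication: 0 on success, -1 if a*b would wrap. */
int checked_mul(size_t a, size_t b, size_t *out) {
    if (b != 0 && a > SIZE_MAX / b)
        return -1;
    *out = a * b;
    return 0;
}

/* Hardened allocation: refuse sizes that do not fit in size_t. */
void *alloc_array_safe(size_t count, size_t elem_size) {
    size_t bytes;
    if (checked_mul(count, elem_size, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

/* 1 if count * elem_size wraps around, 0 otherwise. */
int size_wraps(size_t count, size_t elem_size) {
    size_t unused;
    return checked_mul(count, elem_size, &unused) != 0;
}

int main(void) {
    const char *ok = "Alice";
    const char *long_name = "this-name-is-far-too-long-for-the-buffer";

    greet_unsafe(ok);                        /* fine: 5 characters fit */
    printf("bounded copy of long name: %s\n",
           name_fits(long_name) ? "accepted" : "rejected");

    /* SIZE_MAX/2 + 1 elements of 2 bytes: the product wraps to 0. */
    size_t count = SIZE_MAX / 2 + 1;
    printf("unsafe size computation: %zu bytes\n", count * 2);
    printf("safe allocator: %s\n",
           alloc_array_safe(count, 2) == NULL ? "rejected" : "allocated");
    return 0;
}
```

The two root causes are the same in both halves: the code trusts a length it never checked. Note that `copy_name_bounded` rejects the input rather than silently truncating it; truncation (as with `strncpy`) is what often leaves a buffer without its terminating NUL and moves the bug one function further along.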

Grading
The course is graded on a written exam and on project work: C++ code analysis with PREfast, a large group project evaluating a web application (the OWASP project), and an exercise with the program verification tool ESC/Java.
You have to seriously participate in the project work to be admitted to the exam. The final grade is based on the exam (50%) and on the project work (50%; the proposed split is 5% PREfast, 40% OWASP, 5% ESC/Java, to reflect the effort each requires), but you have to pass the exam to pass the course.

The exam covers the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, i.e. you cannot bring copies of slides, papers, etc. to the exam. You are not expected to reproduce technical details from the papers, but you should be able to explain their core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides). You are expected to be able to spot simple buffer overflow problems given some hints, but not tricky ones, even with hints.

Schedule
Lectures are on Fridays, 10:45-12:30, in LIN 8 (Linnaeus building, lecture room 8). The lectures start on Feb 10, because the semester in Eindhoven and Twente starts a week later than in Nijmegen.

Lectures & obligatory reading material

NB the description below is still under construction. Slides and reading material will be added as the course progresses. Video recordings of the lectures will be in Blackboard.

nr. day     topic (slides)
            to read / project (some papers will be updated as we go along)

1   Feb 10  Introduction
2   Feb 17  Buffer overflows
            Read: John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, NDSS 2003
    Feb 24  No lecture (Carnaval break)
3   Mar 2   Static analysis with PREfast & SAL
            Individual project 1: PREfast. Due: March 13.
4   Mar 9   More standard security flaws: input validation
            Read the OWASP Top 10 and DOM Based Cross Site Scripting.
            Animations explain XSS (parts 1 and 2), CSRF, and forceful browsing.
5   Mar 16  Discussion of the PREfast project; design principles
            Read: Principles for Software Security
6   Mar 23  Project 2: software review
            Group project (web-application security evaluation); we use the project wiki for this.
7   Mar 30  Language-based security: safety
            Read Chapters 2, 3 and 4 of the lecture notes
    Apr 6, Apr 13  No lecture
8   Apr 20  Language-based security: sandboxing
            Java sandboxing is explained in Gary McGraw and Ed Felten, Securing Java, Sections 3.5, 3.6 and 3.7.
9   Apr 27  Discussion of the OWASP project; non-atomic check and use; Java secure programming guidelines
            Read: Statically Scanning Java Code: Finding Security Vulnerabilities, IEEE Software, pp. 68-74, 2000 (accessible from the ru.nl domain; almost identical content is in Twelve Rules for Developing More Secure Java Code by Gary McGraw and Edward Felten).
    May 4   No lecture
10  May 11  Information flow
            Read Chapter 5 of the lecture notes
    May 18  No lecture
11  May 25  Program verification
            Second and final individual exercise: program verification using ESC/Java2. Deadline: June 3.
            Movie with Michal Moskal presenting VCC
12  Jun 1   Proof-carrying code and MIDP examples
            Jun 1, 12:30-14:30: opportunity to do the program verification exercise in HG00.023
13  Jun 8   Alias control
14  Jun 15  Information flow for JavaScript
15  Jun 22  OWASP phpBB project group presentations (also 13:30-15:30)
            Deadline for the OWASP phpBB project
    Jun 29  Exam, 13:30-15:30, in LIN 8
            The exam is closed book and covers the material treated in class (and in the slides), the papers listed above, and the projects.
            Some hints on what to expect
    Aug 17  Resit exam, 13:30-15:30, HG00.068

Recommended literature

The articles listed above are obligatory reading material. For additional background reading I can recommend the following books.
These books are available in the Nijmegen library. The "Deadly Sins" book is always available in the studielandschap (the library's study area).

On-line resources