If you somehow cannot register for the course (yet), send me an email, so that I can make sure email announcements via Blackboard reach you!

Prerequisites
This course tries to address two questions: what can go wrong in software (i.e. what are the common security problems), and what can be done to prevent or detect these problems.
Common security problems include buffer overflows, integer overflows, injection attacks such as SQL injection or XSS, and race conditions. Techniques to prevent or detect problems include threat modeling, check lists and coding standards, code reviews, static analysis tools, language-based security, information flow analysis (incl. tainting), program verification, proof-carrying code, LangSec (language-theoretic security), and security testing incl. fuzzing.
The focus of this course is not on pen-testing/hacking to find vulnerabilities, as is done e.g. in the Hacker's Hut course at TU/e and the RU bachelor courses Hacking in C and Web Security, but on the underlying causes of vulnerabilities and on general techniques to improve the security of software.

Lectures & obligatory reading material
Lectures: Fridays 15:30-17:30 in HG00.068
NB the description below will be updated as we go along, with slides and pointers to papers. The obligatory reading material and exam material for the course consists of (i) the slides, (ii) the papers, and (iii) the course lecture notes, which cover the material presented in some of the lectures.
| Date | Topic | Material |
|---|---|---|
| Sept 8 | Introduction; Security in the SDLC | |
| Sept 15 | Buffer overflows & platform-level countermeasures | |
| Sept 22 | More buffer overflow countermeasures, incl. static analysis with PREfast & SAL | |
| Sept 29 | Input problems | |
| Oct 4 | Not part of this course but relevant: DCypher National Cyber Security Symposium | |
| Oct 6 | Discussion PREfast project; Intro group project | |
| Oct 12, 18:00 onwards | Not officially part of this course: OWASP NL Chapter meeting | |
| Oct 13 | 'Safe' programming languages | Chapters 2 & 3 of lecture notes |
| Oct 20 | Sandboxing | Chapter 4 of lecture notes; Java secure programming guidelines |
| Nov 3 | No lecture (midterm break) | |
| Nov 10 | No lecture (midterm break) | |
| TBA | Program Verification (6EC version only) | |
| Nov 17 | Information Flow | Chapter 5 of lecture notes |
| Nov 24 | Information flow for Android Apps | |
| Dec 1 | Fuzzing; LangSec & State Machine Inference | [lego robot movie] |
| Dec 15 | Discussion group project | |
| Dec 22 | Security principles | |
| Jan 12 | PCC (6EC version only!) | |
| Jan 19 | Question time | Opportunity to ask questions about any of the material, papers, etc. |
| TBA | Exam | The exam is closed book, and covers the material treated in class (and in the slides), the course lecture notes, the papers listed above, and the projects. |
Some hints on what to expect for the exam
The course will be graded based on a written exam and project work: two smaller individual projects (C++ code analysis with PREfast, and program verification with ESC/Java) and a bigger group project looking at a web application.
You MUST seriously participate in the project work to take the exam, and do all individual exercises. The final grade will be based on the exam (50%) and the project results (50%, where the project grades are weighted 5% PREfast, 40% OWASP, 5% ESC/Java), but you have to pass the exam to pass the course. Should it ever happen that anyone fails the course because of low grades for the individual exercises (which has never happened), we will arrange an ad-hoc solution to redo these.
If you are completely new to things like SQL injection, XSS, etc., it is useful to look through The 24 Deadly Sins of Software Security. There is a copy of this book in the library of the Faculty of Science. You can't take it out, but you can always read it there.
There are many more online sources for information about this. The OWASP website provides LOTS of information on security issues for web applications, and more recently also for mobile applications. The CWE/SANS Top 25 Most Dangerous Programming Errors also discusses common security flaws.