Software Security, Autumn 2017

This course is taught by Erik Poll. It is part of the TRU/e Master specialisation in Cyber Security.

Make sure you are registered in Osiris, which will then also register you in Blackboard. Beware that there is a 6EC version of this course (ISOFSE) and a 5EC version (IMC051). Only register for the 5 EC version if you are doing the Cyber Security specialisation (TRU/e).

If you somehow cannot register for the course (yet), send me an email, so that I can make sure email announcements via Blackboard reach you!

Basic programming skills, incl. familiarity with C and Java. In more detail:

This course tries to address two questions:

Common security problems include buffer overflows, integer overflows, injection attacks such as SQL injection or XSS, and race conditions. Techniques to prevent or detect problems include threat modeling, check lists and coding standards, code reviews, static analysis tools, language-based security, information flow analysis (incl. tainting), program verification, proof-carrying code, LangSec (language-theoretic security), and security testing incl. fuzzing.

The focus of this course is not on pen-testing/hacking to find vulnerabilities, as eg. done in the Hacker's Hut course at TU/e and the RU bachelor courses Hacking in C and Web Security, but more on underlying causes and general techniques to improve the security of software.

Lectures & obligatory reading material

Lectures: Fridays 15:30-17:30 in HG00.068

NB the description below will be updated as we go along, with slides and pointers to papers. The obligatory reading material and exam material for the course includes (i) the slides, (ii) the papers and (iii) the course lecture notes, which covers the material presented in some of the lectures.

day slides Mandatory reading
Sept 8 Introduction
Security in the SDLC
Sept 15 Buffer overflows & platform-level countermeasures
Sept 22 More buffer overflow countermeasures
incl. Static analysis with PREfast & SAL
General feedback on PREfast assignment
Sept 29 'Safe' programming languages Chapters 2 & 3 of lecture notes
Oct 6 Discussion PREfast project
Intro group project
Input problems
Webpage for the group project
Deadline: For the .xls, December 21, before 17:00. For the report, January 11.
Oct 12 18:00 onwards Not part of this course but highly relevant: OWASP NL Chapter meeting in Nijmegen
Oct 13 Input problems: root causes and defenses D. Kurilova et al, Wyvern: Impacting Software Security via Programming Language Design, PLATEAU 2014, ACM.
Oct 20 Sandboxing Chapter 4 of lecture notes
Oct 27 Java secure programming guidelines
TOCTOU attacks
J. Viega et al.,Statically Scanning Java Code: Finding Security Vulnerabilities, IEEE Software, 2000. (Accessible from ru domain, and presumable also from tue.)
Nov 3 No lecture (midterm break)
Nov 10 No lecture (midterm break)
Nov 17 Information Flow Chapter 5 of lecture notes
Nov 24 Information flow for Android Apps M.D. Ernst et al., Collaborative Verification of Information Flow for a High-Assurance App Store, CCS 2014
Dec 1 Fuzzing P. Godefroid et al., SAGE: whitebox fuzzing for security testing, ACM Queue, 2012
and D. Wheeler, The Apple goto fail vulnerability: lessons learned, 2016
[lego robot movie]
Dec 8 Guest lecture by Wil Michiels (NXP/TUE) on Obfuscation
Dec 15 Program Verification (6EC version only)
Dec 22 Discussion group project
Jan 12 PCC (6EC version only!)
Jan 19 Question time Opportunity to ask questions about any of the material, papers, etc.
TBA Exam The exam is closed book, and covers the material treated in class (and in the slides), the course lecture notes, the papers listed above, and the projects.
Some hints on what to expect for the exam
Mock exam
TBA Resit Exam

The course will be graded based on a written exam and project work: two smaller individual projects (C++ code analysis with PREfast, and program verification with ESC/Java) and a bigger group project looking at a web application.
You MUST seriously participate in the project work to take the exam, and do all individual exercises. Final grade will be based on the exam (50%) and results on the project (where project grades are weighed: 5% PREfast, 40% OWASP, 5% ESC), but you will have to pass the exam to pass the course. Should it ever happen that anyone fails the course because of low grades for the individual exercises (which has never happened) we will arrange an ad-hoc solution to redo these.

The exam will cover the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, ie. you cannot bring copies of slides, papers etc to the exam. You're not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides). You are expected to be able to spot simple buffer overflow problems given some hints, but are not expected to spot tricky ones even with hints.

Optional additional reading

The articles listed above alongside the lecture slides are obligatory reading material. For additional background info I can recommend: