Software Security

Software Security, Spring 2012

Kerckhoffs Institute

This course is taught by Erik Poll.

Make sure you register in Blackboard!

Prerequisites
Basic programming skills, incl. familiarity with C and Java.

Topics:
Broadly speaking, this course tries to address two questions: which security problems commonly occur in software, and which techniques exist to prevent or detect them.

Common security problems include, for instance, buffer overflows, integer overflows, SQL injection, XSS, and race conditions. Techniques to prevent or detect such problems include threat modeling, check lists and coding standards, static analysis tools, code reviews, typing, language-based security (or platform-based security), security middleware, runtime monitoring, information flow analysis, program verification, and proof-carrying code.

Both problems and solutions can be specific to the operating system, the programming language, middleware, type of application, or just down to the individual application. In order not to get lost in the forest of possibilities, we will try to understand the common themes: the root causes that lie at the heart of many problems and the fundamental good principles embodied by some of the solutions.

Grading
The course will be graded based on a written exam and project work: an individual C++ code analysis with PREfast, a big group project evaluating the security of a web application (the OWASP project), and an individual exercise with the program verification tool ESC/Java.
You have to seriously participate in the project work to take the exam. The final grade will be based on the exam (50%) and the results of the project work (50%, with a proposed split that fairly reflects the effort each part requires: 5% PREfast, 40% OWASP, 5% ESC/Java), but you will have to pass the exam to pass the course.

The exam will cover the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, i.e. you cannot bring copies of slides, papers, etc. to the exam. You are not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides). You are expected to be able to spot simple buffer overflow problems given some hints, but are not expected to spot tricky ones even with hints.

Schedule
Lectures are on Fridays, 10:45-12:30, in LIN 8 (Linnaeus building, lecture room 8). The lectures start on Feb 10, because the semester in Eindhoven and Twente starts a week later than in Nijmegen.

Lectures & obligatory reading material

NB the description below is still under construction. Slides and reading material will be added as the course progresses. Video recordings of the lectures will be in Blackboard.

nr. | day | topic (slides) | to read (some papers will be updated as we go along)
1 | Feb 10 | Introduction |
2 | Feb 17 | Buffer Overflows | John Wilander and Mariam Kamkar, A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention, NDSS'03
  | Feb 24 | No lecture - Carnaval break |
3 | Mar 2 | Static Analysis with PREfast & SAL | Individual project: PREfast. Due: March 2, before the lecture.
4 | Mar 9 | More standard security flaws: input validation | Watch these animations explaining XSS 1, XSS 2, CSRF, and Forceful Browsing. Read the new draft OWASP Top 10.
5 | March 16 | Discussion PREfast project; Design principles | Read Principles for Software Security
6 | March 23 | Project 2: Software Review | Project 2 (web-app security evaluation) using wiki. To read for this: OWASP ASVS, e.g. available as [PDF]
7 | March 30 | Language-based security |
7 | Apr 6, 13 | No lectures! |
8 | April 20 | Language-based security - (in)famous Java security flaws | Java sandboxing is explained in Gary McGraw and Ed Felten, Securing Java, Sections 3.5, 3.6, and 3.7.
9 | April 27 | Discussion OWASP project; Non-atomic check and use; Java secure programming guidelines | Statically Scanning Java Code: Finding Security Vulnerabilities, IEEE Software, pp. 68-74, 2000. (Accessible from the ru.nl domain; almost identical content is in Twelve rules for developing more secure Java code by Gary McGraw and Edward Felten.)
  | May 4 | No lecture |
10 | May 11 | Program verification | Movie with Michal Moskal presenting VCC
  | May 18 | No lecture |
11 | May 25 | Alias control | Jan Vitek and Boris Bokowski, Confined Types in Java, Software - Practice and Experience, Vol. 31, No. 6, pp. 507-532, 2001.
12 | May 25? | Program verification exercise session (TBA) | 2nd and final individual exercise: program verification using ESC/Java2. Deadline: June 3
12 | Jun 1 | Proof Carrying Code and MIDP examples | George C. Necula and Peter Lee, Safe Kernel Extensions without Run-Time Checking, OSDI'96, pp. 229-243
13 | Jun 8 | Information Flow | Geoffrey Smith, Principles of Secure Information Flow Analysis (the exam won't include questions on Section 2.1 (Concurrency))
14 | Jun 15 | Information Flow for Javascript | Dominique Devriese and Frank Piessens, Non-interference through Secure Multi-Execution (the exam won't include questions on Sections III, IV, and VII)
15 | June 22 | OWASP phpBB project group presentations | Deadline for the OWASP phpBB project
  | June 29, 10:30-12:30 | Exam in LIN 8 | The exam is closed book, and covers the material treated in class (and in the slides), the papers listed above, and the projects. Some hints on what to expect
  | August 17, 13:30-15:30 | Resit exam in HG00.068 |

Recommended literature

The articles listed above are obligatory reading material. For additional background reading I can recommend the following books.
These books are available in the Nijmegen library. The "Deadly Sins" book is always available in the studielandschap.

On-line resources