Apart from the normal, 6EC version (ISOFSE) of this course, there is also a legacy, 5EC version (IMC051). Register for the 6EC version, and if there is a convincing reason why you should take the 5EC one, come and talk to me after the lecture.
Techniques to prevent or detect problems include threat modeling, checklists and coding standards, code reviews, "safe" programming languages, LangSec (language-theoretic security), fuzzing and other forms of security testing (aka DAST), static analysis tools and source code analyzers (aka SAST), information flow analysis (incl. tainting), and program verification as the most extreme form of static analysis.
The focus of this course is not on pen-testing or hacking to find vulnerabilities, as in the bachelor courses 'Hacking in C' and 'Web Security'. Instead, the focus is on (addressing) the underlying causes and general techniques to improve the security of software.
Lectures: Fridays 13:30-15:15 in HG0.062; starting Nov 12 in SP1 (Spinoza building)
The description below will be updated as we go along, with slides and pointers to papers. The obligatory reading material and exam material for the course includes the slides, some academic research papers listed below, and the following textbook material:
day | slides | Mandatory reading & mini-assignments | |
---|---|---|---|
Sept 10 | | | |
Sept 17 | | | |
Sept 24 | | | |
1st assignment: PREfast. Deadline: Sept 30 | | | |
Oct 1 | | | |
Group fuzzing project. Deadline: Nov 30 | | | |
Oct 8 | | (slides in Brightspace) | |
Oct 8 | | | |
Oct 15 | | | |
Oct 22 | | (slides in Brightspace) | |
Oct 22 | | | |
Oct 29 & Nov 5: no lectures (midterm break/exam period). The lecture-free period may be a good time to read the CyBOK chapter on Software Security, also listed as mandatory reading material. | | | |
Nov 12 | To read: | | |
Nov 19 | | | |
Nov 26 | | | |
Dec 3 | | | |
Dec 10 | | | |
Dec 17 | | | |
Jan 14 | | | |
The exam is closed book, and covers the material treated in class
(and in the slides), the course lecture notes, the papers listed above, and the projects.
Mock exam
The exam will cover the material presented in the lectures, the obligatory
literature listed below, and the project work. The exam is closed book, i.e. you
cannot bring copies of slides, papers, etc. to the exam. You're not expected to be
able to reproduce technical details from the papers, but you should be able to
explain the core ideas. I will only ask about technical details from the papers
that have been discussed in the lectures (and are covered by the slides). You
are expected to be able to spot simple buffer overflow problems given some
hints, but are not expected to spot tricky ones even with hints.
Optional background reading
For additional background info I can recommend:
If you are completely new to things like SQL injection,
XSS, etc., it is useful to look through
The 24 Deadly Sins of Software Security.
There is a copy of this book in the library of the Faculty of
Science. You can't take it out, but you can always read it there.
Not always directly related to this course: a good way to keep up to date
with the news and developments in cybersecurity
is following the Risky Biz
podcast, which also pays plenty of attention to software
security problems, and
Bruce Schneier's blog.