Software Security

Software Security, Autumn 2021

This course is taught by Erik Poll.

Make sure you are registered in Osiris, which will then also register you in Brightspace. If you don't log in to Brightspace often, then you will miss announcement there, so in that case configure your Brightspace account to have announcements forwarded to you by email.

Apart from the normal, 6EC version (ISOFSE) of this course, there is also a legacy, 5EC version (IMC051). Register for the 6EC version and if there is a convincing reason why you should take the 5EC one come and talk to me after the lecture.

Prerequisites

Basic programming skills, incl. familiarity with C and some standard OO language like Java or C#. In more detail:

For C, you should know how pointers, C strings, and memory (de)allocation with malloc and free works, and understand how pointer arithmetic can be used to access elements in a string or an array.
For Java, you should understand the idea of visibility modifiers (public, private, protected, and the default package), making fields final to make them constant, making classes final so that they cannot be subclassed, and the concepts of (de)serialisation and reflection. All these concepts will be briefly explained in the course, but this will assume basic knowledge of a standard class-based object-oriented programming languages, i.e. an OO language that has classes with fields and methods and sub-classing (aka inheritance).

Topics

Software is the most important root cause behind most IT security problems: things can get hacked because they contain software! This course addresses two questions:

What are common security problems in software and what are their underlying root causes?
What are techniques, guidelines, principles, and tools that can help to prevent or detect them?

Techniques to prevent or detect problems include threat modeling, checklists and coding standards, code reviews, "safe" programming languages, LangSec (language-theoretic security), fuzzing and other forms of security testing (aka DAST), static analysis tools and source code analyzers (aka SAST), information flow analysis (incl. tainting), and program verification as the most extreme form of static analysis.

The focus of this course is not on pen-testing or hacking to find vulnerabilities, as in the bachelor courses 'Hacking in C' and 'Web Security'. Instead the focus is on (addressing) the underlying causes and general techniques to improve the security of software.

Lectures & obligatory reading material

Lectures: Fridays 13:30-15:15 in HG0.062; starting Nov 12 in SP1 (Spinoza building)

The description below will be updated as we go along, with slides and pointers to papers. The obligatory reading material and exam material for the course includes the slides, some academic research papers listed below, and the following textbook material:

Secure Software Lifecycle, CyBok chapter by Laurie Williams, Version 1.0.2, 2021
Software Security, CyBok chapter by Frank Piessens, Version 1.0.1, 2021
Lecture Notes on Language-based Security, 2019.

day	slides	Mandatory reading & mini-assignments
Sept 10	Introduction & Security in the Software Development Life Cycle	To read: Secure Software Lifecycle, CyBok chapter by Williams, 2019. To do: have a look at the latest US-CERT Bulletin and the CVE Twitter feed to get a feel for the scale of software security problems. To do: search the CVE list or NIST's Vulnerability Database for flaws in the browser you are using to view this webpage and for the PDF viewer you are using to look at the slides. (These use the same list of vulnerabilities, but NIST's webpage has better search options.) For some of the vulnerabilities, check how the CVSS score was determined. You can also search for known flaws in the other applications or operating systems that you commonly use, and maybe double-check that these are automatically patched.
Sept 17	Memory-corruption	To read: Sections 3.1 & 3.2 of the lecture notes To read: SoK: Eternal War in Memory by Szekeres et al., IEEE Symposium on Security & Privacy, 2013. You can skip Section VII. To do: have a look at some CVEs that involve buffer overflows, integer overflows, and format strings, to get an idea of the sheer numbers, the kind of software affected, etc. Maybe playing around with the exact search terms will give more complete results. To remind yourself of the HeartBleed bug, the most famous example of a buffer overread attack, this xkcd cartoon might be useful. Or this youtube movie, if you dislike cartoons.
Sept 24	Advanced defenses against memory corruption Static analysis with PREfast & SAL
1st assignment: PREfast. Deadline: Sept 30		Feedback on PREfast assignment
Oct 1	Discussion PREfast project Security testing & Fuzzing	Read Section 1 of the technical whitepaper for afl-fuzz for the explanation of how afl's instrumentation to monitor of branch coverage works. Patrice Godefroid, Fuzzing: Hack, Art, and Science, Communications of the ACM, 2020. David Wheeler, The Apple goto fail vulnerability: lessons learned, personal blog, 2021.
Group fuzzing project. Deadline: Nov 30
Oct 8	Guest lecture: Penetration Testing by Ralph Moonen of Secura	(slides in Brightspace)
Oct 8	Security testing & Fuzzing 'Safe' programming languages	To read: Chapters 2 & 3 of lecture notes
Oct 15	'Safe' programming languages (cont.) Sandboxing/Compartmentalisation
Oct 22	Guest lecture: Automated Vulnerability testing by Frans van Buul of Microfocus	(slides in Brightspace)
Oct 22	Sandboxing/Compartmentalisation (cont.) TOCTOU and race conditions	To read: Chapter 4 of lecture notes TOCTOU aka race condition vulnerabilities are also discussed in the CyBok chapter on Software Security.
Oct 29 & Nov 5: no lectures (midterm break/exam period) The lecture-free period may be a good time to read the CyBok chapter on Software Security, also listed at mandatory reading material.
Nov 12	Input problems, validation & sanitisation	To read: Lecture notes on secure input and output handling. the OWASP Top 10 [PDF,HTML] NB there might be a new 2021 edition of the OWASP Top 10 coming out in the autumn. (For more background on XXE than the brief description in the OWASP Top 10 document, this video gives a nice explanation.) Some interesting things to look at: Nice example of bypassing crappy input filtering by a WAF (Web Application Firewall) that rejects use of `..\..` in input parameters to stop path traversals, but not `..\.\..`. the 2021 CWE Top 25 Most Dangerous Software Weaknesses, 2021 edition
Nov 19	More structural ways to improve input handling	LangSec: Recognition, Validation, and Compositional Correctness for Real World Security, USENIX Security handout, 2013(?). Wang et al., If It's Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening, ICSE'21, ACM/IEEE, 2021 Poll, Strings considered harmful, USENIX ;login:, 2018
Nov 26	Information Flow	To read: Chapter 5 of lecture notes
Dec 3	Information flow for Android Apps	Ernst et al., Collaborative Verification of Information Flow for a High-Assurance App Store, CCS 2014
Dec 10	State Machine Learning and Formal Methods	Poll et al., Protocol State Machines and session languages, LangSec 2015, IEEE S&P workshop, 2015. Fisher et al., The HACMS program: using formal methods to eliminate exploitable bugs, Royal Society Publishing, 2017.
Dec 17	Discussion on fuzzing project The Log4J vulnerability	News article about the possibility to trigger and detect the Log4j bug by renaming your iPhone that was discussed in the lecture.
Jan 14	Exam	The exam is closed book, and covers the material treated in class (and in the slides), the course lecture notes, the papers listed above, and the projects. Mock exam

Grading

The course will be graded based on a written exam. The group project work can earn you a bonus point. The other exercises, to be done individually or in pairs, are not graded but are mandatory. You MUST seriously participate in the project and do all the other exercises to take the exam, and there are not options to resit these.

The exam will cover the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, ie. you cannot bring copies of slides, papers etc to the exam. You're not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides). You are expected to be able to spot simple buffer overflow problems given some hints, but are not expected to spot tricky ones even with hints.

Optional background reading

For additional background info I can recommend:

Standard software security flaws
If you are completely new to things like SQL injection, XSS, etc., it is useful to look through The 24 Deadly Sins of Software Security. There is a copy of this book in the library of the Faculty of Science. You can't take it out, but you can always read it there.
Keeping up with the (software) security news
Not always directly related to this course: a good way to keep up to date with the news and developments in cybersecurity is following Risky Biz podcast, which also pays plenty of attention to software security problems, and Bruce Schneier's blog.