Software Security

Software Security, Autumn 2022

This course is taught by Erik Poll with the help of Seyed Benham Andarzian and Cristian Daniele.

Make sure you are registered in Osiris, which will then also register you in Brightspace. If you don't log in to Brightspace often, configure your Brightspace account to have announcements forwarded to you by email, as you are expected to check these announcements on a regular/daily basis.

Prerequisites

Basic programming skills, incl. familiarity with C and some standard OO language like Java or C#. In more detail:

For C, you should know how pointers, C strings, and memory (de)allocation with malloc and free works, and understand how pointer arithmetic can be used to access elements in a string or an array.
For Java, you should understand the idea of visibility modifiers (public, private, protected, and the default package), making fields final to make them constant, making classes final so that they cannot be subclassed, and the concepts of (de)serialisation and reflection. All these concepts will be briefly explained in the course, but this will assume basic knowledge of a standard class-based object-oriented programming languages, i.e. an OO language that has classes with fields and methods and sub-classing (aka inheritance).

Topics

Software is the most important root cause behind most IT security problems: things can get hacked because they contain software! This course addresses two questions:

What are common security problems in software and what are their underlying root causes?
What are techniques, guidelines, principles, and tools that can help to prevent or detect them?

Techniques to prevent or detect problems include threat modeling, checklists and coding standards, code reviews, "safe" programming languages, LangSec (language-theoretic security) and more generally organising input and output handliing in a structured way, fuzzing and other forms of security testing (aka DAST), static analysis tools and source code analyzers (aka SAST), information flow analysis (incl. tainting), and program verification as the most extreme form of static analysis.

The focus of this course is not on pen-testing or hacking to find vulnerabilities, as in the bachelor courses 'Hacking in C' and 'Web Security'. Instead the focus is on (addressing) the underlying causes and general techniques to improve software security.

Lectures & obligatory reading material

Lectures: Fridays 10:30-12:15 in MM 00.035 (Maria Montessori building), starting in November in LIN 4.

The description below will be updated as we go along, with slides and pointers to papers. The obligatory reading material and exam material for the course includes the slides, some academic research papers listed below, and the following textbook material:

My own lecture notes on Language-based Security and on Secure Input Handling.
Page 1-10 & 27-30 of Secure Software Lifecycle, CyBok chapter by Laurie Williams, Version 1.0.2, 2021
Software Security, CyBok chapter by Frank Piessens, Version 1.0.1, 2021

plus the additional scientific papers listed below.

day	slides	Mandatory reading & mini-assignments
Sept 9	Introduction & Security in the Software Development Life Cycle [PDF]	To read: page 1-10 & 27-30 of Secure Software Lifecycle, CyBok chapter by Williams, 2019. Page 6-10 are about Microsoft SDL (Security Development Lifecycle): Microsoft's website about SLD also provides a summary of the 12 practices of SDL with pointers to much more information. Page 11-26 discuss other approaches, but the basic ingredients are always the same. To do: have a look at the latest US-CERT Bulletin and the CVE Twitter feed to get a feel for the scale of software security problems. To do: search the CVE list or NIST's Vulnerability Database for flaws in the browser you are using to view this webpage and for the PDF viewer you are using to look at the slides. (These use the same list of vulnerabilities, but NIST's webpage has better search options.) For some of the vulnerabilities, check how the CVSS score was determined. You can also search for known flaws in the other applications or operating systems that you commonly use, and maybe double-check that these are automatically patched.
Sept 15	OWASP NL meet-up
Sept 16	Memory-corruption [PDF]	To read: Sections 3.1 & 3.2 of the lecture notes on (programming) language-based security To read: SoK: Eternal War in Memory by Szekeres et al., IEEE Symposium on Security & Privacy, 2013. You can skip Section VII. To do: have a look at some CVEs that involve buffer overflows, integer overflows, and format strings, to get an idea of the sheer numbers, the kind of software affected, etc. Maybe playing around with the exact search terms will give more complete results. To remind yourself of the HeartBleed bug: this xkcd cartoon might be useful. Or this youtube movie, if you dislike cartoons.
Sept 23	Memory corruption (continued) [PDF] Static analysis with PREfast & SAL [PDF]
1st assignment: Static analysis with PREfast		Feedback on PREfast solutions
Sept 30	Discussion PREfast project Security testing & Fuzzing [PDF]	David Wheeler, The Apple goto fail vulnerability: lessons learned, personal blog, 2021.
Group fuzzing project		Deadline for making group and picking project: ASAP, ideally Oct 6. Deadline for the final report: Nov 30
Oct 7	Greybox and whitebox fuzzing [PDF] 'Safe' programming languages [PDF]	Read Section 1 of the technical whitepaper for afl-fuzz for the explanation of how afl's instrumentation to monitor of branch coverage works. Patrice Godefroid, Fuzzing: Hack, Art, and Science, Communications of the ACM, 2020. To read: Chapters 2 & 3 of lecture notes on language-based security
Oct 7	Guest lecture: Technical Penetration Testing by Francisco Dominguez of Hunt and Hacket, 13:30-15:15 in LIN 4	(slides in Brightspace)
Oct 14	'Safe' programming languages (cont.) [PDF] Sandboxing/Compartmentalisation [PDF]
Oct 21	Sandboxing/Compartmentalisation (cont.) [PDF]	Chapter 4 of lecture notes on language based security
Oct 21	Guest lecture: Automated Vulnerability testing by Frans van Buul of Microfocus, 13:30-15:15 in LIN 4	(slides in Brightspace)
Oct 28 & Nov 4: no lectures (midterm break/exam period) The lecture-free period is a good time to read the CyBok chapter on Software Security, also listed at mandatory reading material.
Nov 11	Input problems	Chapters 1-3 lecture notes on secure input handling The Rule Of 2, Chomium Docs
Nov 18	Secure input handling (1)	Chapters 4-7 of lecture notes on secure input handling
Nov 25	Secure input handling (2): DOM-based XSS and summary of secure input handling TOCTOU & race conditions	Demo web pages to experiment with encodings for the web Wang et al., If It's Not Secure, It Should Not Compile: Preventing DOM-Based XSS in Large-Scale Web Development with API Hardening, ICSE'21, ACM/IEEE, 2021 TOCTOU aka race condition vulnerabilities are also discussed in the CyBok chapter on Software Security.
Dec 2	Information Flow	Chapter 5 of lecture notes on Language-Based Security
Dec 9	Information flow for Android Apps	Ernst et al., Collaborative Verification of Information Flow for a High-Assurance App Store, CCS 2014
Dec 16	Discussion on fuzzing project State machine inference	Poll et al., Protocol State Machines and session languages, LangSec 2015, IEEE S&P workshop, 2015.
Dec 23	no lecture
Jan ??	Exam	The exam is closed book, and covers the material treated in class (and in the slides), the course lecture notes, the papers listed above, and the projects. Mock exam

Grading

The course will be graded based on a written exam. The group project work can earn you a bonus point. The other exercises, to be done individually or in pairs, are not graded but are mandatory. You MUST seriously participate in the project and do all the other exercises to take the exam, and there are not options to resit these.

The exam will cover the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, ie. you cannot bring copies of slides, papers etc to the exam. You're not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides). You are expected to be able to spot simple buffer overflow problems given some hints, but are not expected to spot tricky ones even with hints.

Optional background reading

For additional background info I can recommend:

Standard software security flaws
If you are completely new to things like SQL injection, XSS, etc., it is useful to look through The 24 Deadly Sins of Software Security. There is a copy of this book in the library of the Faculty of Science. You can't take it out, but you can always read it there.
Keeping up with the (software) security news
Not always directly related to this course: a good way to keep up to date with the news and developments in cybersecurity is following Risky Biz podcast, which also pays plenty of attention to software security problems, and Bruce Schneier's blog.