public, private, protected, and the default package), making fields final to make them constant, making classes final so that they cannot be subclassed, and the concepts of (de)serialisation and reflection.
All these concepts will be briefly explained in the course, but this will assume basic knowledge of a standard class-based object-oriented programming language, i.e. an OO language that has classes with fields and methods and sub-classing (aka inheritance).
The focus of this course is not on pen-testing or hacking to find vulnerabilities, as in the bachelor courses 'Hacking in C' and 'Web Security'. Instead, the focus is on (addressing) the underlying causes of vulnerabilities and on general techniques to improve software security.
Lectures: Fridays 10:30-12:15 in MM 00.035 (Maria Montessori building), starting in November in LIN 4.
The description below will be updated as we go along, with slides and pointers to papers. The obligatory reading material and exam material for the course includes the slides, some academic research papers listed below, and the following textbook material:
day | slides | Mandatory reading & mini-assignments
---|---|---
Sept 9 | |
Sept 15 | |
Sept 16 | |
Sept 23 | |
Feedback on PREfast solutions | |
Sept 30 | |
Group fuzzing project | | Deadline for making a group and picking a project: ASAP, ideally Oct 6. Deadline for the final report: Nov 30
Oct 7 | |
Oct 7 | (slides in Brightspace) |
Oct 14 | |
Oct 21 | |
Oct 21 | (slides in Brightspace) |
Oct 28 & Nov 4 | no lectures (midterm break/exam period) | The lecture-free period is a good time to read the CyBok chapter on Software Security, also listed under the mandatory reading material.
Nov 11 | |
Nov 18 | |
Nov 25 | Secure input handling (2): |
Dec 2 | |
Dec 9 | |
Dec 16 | |
Dec 23 | |
Jan ?? | | The exam is closed book, and covers the material treated in class (and in the slides), the course lecture notes, the papers listed above, and the projects.
Mock exam | |
The exam will cover the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, i.e. you cannot bring copies of slides, papers, etc. to the exam. You are not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides). You are expected to be able to spot simple buffer overflow problems given some hints, but you are not expected to spot tricky ones, even with hints.
Optional background reading
For additional background info I can recommend:
If you are completely new to things like SQL injection, XSS, etc., it is useful to look through The 24 Deadly Sins of Software Security. There is a copy of this book in the library of the Faculty of Science. You can't take it out, but you can always read it there.
Not always directly related to this course: a good way to keep up to date with the news and developments in cybersecurity is following the Risky Biz podcast, which also pays plenty of attention to software security problems, and Bruce Schneier's blog.