Software Security, Autumn 2020
This course is taught by Erik Poll.
It is part of the TRU/e Master specialisation in Cyber Security.
More background on goals, prerequisites, etc. at the bottom of
this web page.
Make sure you are registered in Osiris, which
will then also register you in Brightspace. Beware
that there is a 6EC version (ISOFSE) and a 5EC version
(IMC051) of this course. The 5 EC version
is for students doing the TRU/e Cyber Security specialisation.
For TU/e students: if you somehow cannot register for the course (yet),
send me an email, so that I can make sure email
announcements via Brightspace reach you. A pdf with links to
the online lectures has been sent over the
security mailing list, so make sure you get on that list
(via this web form)!
Lectures & obligatory reading material
Lectures: Fridays 10:30-12:15
NB the description below will be updated as we go along, with
slides and pointers to papers. The obligatory reading material
and exam material for the course includes the slides, some
academic research papers listed below, and the following
Mandatory reading & mini-assignments
- To read:
Secure Software Lifecycle, CyBok chapter by Williams, 2019.
- To do:
have a look at the latest
US-CERT Bulletin and
the CVE Twitter feed
to get a feel for the scale of software security
- To do:
search the CVE list
or NIST's Vulnerability Database
for flaws in the browser you are using to view this webpage, and check out how the CVSS score was determined. You can also search for known flaws in the other applications or operating systems that you commonly use, and maybe double-check that you are applying patches automatically.
- To read: Sections 3.1 & 3.2 of the lecture notes
- To read: SoK: Eternal War in Memory by Szekeres et al., IEEE Symposium on Security & Privacy, 2013 - You can skip Section VII.
- To do: have a look at some CVEs that involve
integer overflows, and
format strings, to get an idea of the sheer
numbers, the kind of software affected, etc. Maybe
playing around with the exact search terms will give
more complete results.
- To remind yourself of the Heartbleed bug, the most
famous example of a buffer overread attack,
this xkcd cartoon might be
useful. Or this YouTube video, if you dislike cartoons.
1st assignment (individual or in pairs): PREfast. Deadline: Thursday Sept 24, 23:59
Some generic feedback
- Discussion PREfast project
- Security testing & Fuzzing (up to SAGE)
SAGE and the 'coverage-guided graybox fuzzing' approaches
mentioned in Payer's article (in particular AFL) will be
discussed next week.
- David Wheeler, The Apple goto fail vulnerability: lessons learned, personal blog, 2020.
- Mathias Payer, The Fuzzing Hype-Train: How Random Testing Triggers Thousands of Crashes, IEEE S&P, Vol. 17, No. 1, 2019.
- Patrice Godefroid et al., SAGE: Whitebox Fuzzing for Security Testing, ACM Queue, Vol. 10, No. 1, 2012.
Group fuzzing project. Deadline: Nov 30
To read:
Some interesting things to look at:
Oct 23 & 30 : no lectures (midterm break/exam period)
The lecture-free period may be a good time to read the
CyBok chapter on Software Security, also listed under the mandatory reading material.
One of the topics mentioned, race conditions (aka TOCTOU),
will still be discussed in weeks to come.
Guest lectures by Secura
- Pen-testing, by Geert Smelt
- Red Teaming for Operational Technologies, by Ben Brücker
- Slides are in Brightspace.
- Recording of last year's lecture is in Brightspace.
- Q&A about last week's lecture on Android
Information Flow and TOCTOU.
- Discussion fuzzing project
- (6EC version only)
Program Verification (slides)
- (6EC version only) Another online lab session to work on the verification
NB in Brightspace Virtual Classroom, not in Discord.
Location: de Vereeniging (or for students with right to extra time: HG00.0065 in Huygens Building) BUT CHECK LOCATION IN THE OFFICIAL SCHEDULE
The exam is closed book, and covers the material treated in class
(and in the slides), the course lecture notes, the papers listed above, and the projects.
- Resit exam at 12:45 - see official schedule for
Basic programming skills, incl. familiarity with C and Java.
In more detail:
For C, you should at least know how pointers, C strings, malloc()
and free() work, and understand how pointer arithmetic can be used
to access elements in a string or an array.
For Java, you should understand the idea of visibility modifiers
(including the default, package-level visibility),
making fields final to make them constant,
making classes final so that they cannot be subclassed,
and the concepts of (de)serialisation and reflection.
All these concepts will be briefly explained in the course, but this
assumes basic knowledge of object-oriented
programming languages, i.e. of classes with fields and methods, and of
subclassing, aka inheritance.
Software is the root cause behind most IT security problems.
This course addresses two questions:
- What are common security problems in software and what are their
underlying root causes?
- What are techniques, guidelines, principles, and
tools that can help to prevent or detect them?
Common security problems include memory corruption, integer
overflows, various injection attacks (command injection,
SQL injection, XSS, deserialisation attacks ...), race conditions...
The LangSec paradigm explains some of these underlying root
causes, namely buggy or unintended parsing of many
input languages, which are often too complex, too expressive, or
Techniques to prevent or detect problems include threat modeling,
checklists and coding standards, code reviews, "safe" programming
languages, LangSec (language-theoretic security), fuzzing and
other forms of security testing, static analysis tools and source code
analyzers, information flow analysis (incl. tainting), program
verification, and proof-carrying code.
The focus of this course is not on pen-testing or
hacking to find vulnerabilities, as in the RU bachelor courses
'Hacking in C' and 'Web Security', but more on (addressing) the underlying causes
and general techniques to improve the security of software.
The course will be graded based on a written exam. The group
project work can earn you a bonus point. The individual exercises
are not graded. You MUST seriously participate in the project
work to take the exam, and do all individual exercises.
The exam will cover the material presented in the lectures, the obligatory literature listed below, and the project work. The exam is closed book, i.e. you cannot bring copies of slides, papers etc. to the exam. You're not expected to be able to reproduce technical details from the papers, but you should be able to explain the core ideas. I will only ask about technical details from the papers that have been discussed in the lectures (and are covered by the slides).
You are expected to be able to spot simple buffer overflow problems given some hints,
but are not expected to spot tricky ones even with hints.
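As an added illustration of the kind of "simple buffer overflow problem" meant here (example code written for this page, not code from the course, its lecture notes or any of the listed papers): a small record format with a claimed-length field is echoed back twice, once by code that trusts the length field and once by code that checks it against the number of bytes actually received. The record layout, the reused receive buffer and the leftover bytes sitting in its tail are all constructed assumptions for the demonstration; the bug shape is the one the Heartbleed item above refers to, a buffer overread driven by an unchecked length. The overread is kept inside the receive buffer so that the program itself stays well-defined while still showing which stale bytes escape.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout (constructed for this example, not a real
 * protocol): byte 0 = type, bytes 1-2 = claimed payload length (big-endian),
 * bytes 3.. = payload. The receiver stores records in a reused buffer. */
#define HDR_LEN 3
#define BUF_CAP 64

/* Reused receive buffer. Constructed sample: the tail still holds bytes from
 * an earlier message, standing in for the unrelated memory contents that a
 * Heartbleed-style overread leaks. */
static uint8_t recv_buf[BUF_CAP];
static const size_t RECEIVED = 5;   /* bytes actually received for the current record */
static const char SECRET[] = "LEFTOVER-SECRET";

static void fill_recv_buf(void) {
    memset(recv_buf, 0, sizeof recv_buf);
    memcpy(recv_buf + 8, SECRET, sizeof SECRET - 1);   /* residue from an earlier message */
    recv_buf[0] = 0x01;                                /* type */
    recv_buf[1] = 0x00; recv_buf[2] = 32;              /* claims a 32-byte payload ... */
    recv_buf[3] = 'h';  recv_buf[4] = 'i';             /* ... but only 2 payload bytes arrived */
}

/* Claimed payload length from the 2-byte big-endian header field. */
static size_t claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable echo: trusts the length field and ignores how many bytes were
 * actually received, so the copy reads beyond the current record. The
 * out_cap check protects the destination only; the read side is unchecked.
 * (Kept within recv_buf here so the demonstration itself is well-defined.) */
static size_t echo_unchecked(const uint8_t *rec, size_t received,
                             uint8_t *out, size_t out_cap) {
    (void)received;                       /* the bug: the real length is never consulted */
    size_t n = claimed_len(rec);
    if (n > out_cap) n = out_cap;
    memcpy(out, rec + HDR_LEN, n);        /* overread when n > received - HDR_LEN */
    return n;
}

/* Hardened echo: validate the claimed length against the bytes actually
 * received before any copy. Returns 0 for a malformed record. */
static size_t echo_checked(const uint8_t *rec, size_t received,
                           uint8_t *out, size_t out_cap) {
    if (received < HDR_LEN) return 0;            /* header incomplete */
    size_t n = claimed_len(rec);
    if (n > received - HDR_LEN) return 0;        /* payload shorter than claimed */
    if (n > out_cap) return 0;                   /* would overflow the destination */
    memcpy(out, rec + HDR_LEN, n);
    return n;
}

/* Does the echoed output contain the stale secret? */
static int leaks_secret(const uint8_t *out, size_t n) {
    size_t sl = sizeof SECRET - 1;
    for (size_t i = 0; i + sl <= n; i++)
        if (memcmp(out + i, SECRET, sl) == 0) return 1;
    return 0;
}

/* Returns 1 when the unchecked version leaks the stale bytes and the checked
 * version rejects the same record, which is the expected outcome. */
int demo_malformed(void) {
    uint8_t out[BUF_CAP];
    fill_recv_buf();
    size_t n1 = echo_unchecked(recv_buf, RECEIVED, out, sizeof out);
    int leaked = leaks_secret(out, n1);
    size_t n2 = echo_checked(recv_buf, RECEIVED, out, sizeof out);
    return leaked && n2 == 0;
}

/* Returns 1 when a well-formed record (claimed length matches the received
 * payload) is echoed intact by the checked version. */
int demo_wellformed(void) {
    uint8_t rec[5] = {0x01, 0x00, 0x02, 'h', 'i'};
    uint8_t out[8];
    size_t n = echo_checked(rec, sizeof rec, out, sizeof out);
    return n == 2 && out[0] == 'h' && out[1] == 'i';
}

int main(void) {
    printf("malformed record: leaks without check, rejected with check: %s\n",
           demo_malformed() ? "yes" : "no");
    printf("well-formed record echoed intact: %s\n",
           demo_wellformed() ? "yes" : "no");
    return 0;
}
```

The hint a reader is given in a case like this is usually where the length comes from (the untrusted header) and where it is used (the memcpy). The check in echo_checked is the whole fix: compare the claimed length with the bytes actually received before touching memory, and treat a mismatch as a malformed record rather than something to truncate silently.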
Optional background reading
For additional background info I can recommend:
- Common software security
If you are completely new to things like SQL injection,
XSS, etc., it is useful to look through
The 24 Deadly Sins of Software Security.
There is a copy of this book in the library of the Faculty of
Science. You can't take it out, but you can always read it there.
More information on typical security issues can be
found in the
OWASP Top 10 and
CWE/SANS Top 25 Most
Dangerous Programming Errors.
- General cyber security interest
Not always directly related to this course: a good way to keep up to date
with the news and developments in cybersecurity
is following the Risky Biz
podcast, which also pays plenty of attention to software
security, and Bruce Schneier's blog.