CS527 Software Security

Mathias Payer -- Spring semester 2017, 3 credit course.

Course overview

This course focuses on software security fundamentals, secure coding guidelines and principles, and advanced software security concepts. Students will learn to assess and understand threats, learn how to design and implement secure software systems, and get hands-on experience with common security pitfalls.

The course consists of two lectures per week (50 minutes each) and a 2-hour lab.

Course objectives

Software running on current systems is exploited by attackers despite many deployed defence mechanisms and best practices for developing new software. In this course students will learn about current security threats, attack vectors, and defence mechanisms on current systems. The students will work with real-world problems and technical challenges of security mechanisms (both in the design and implementation of programming languages, compilers, and runtime systems).

Learning outcomes

Students who complete the course will have demonstrated the ability to do the following:

Prerequisites

CS 52600, Introduction to Information Security or equivalent course with the consent of the instructor. Significant programming experience and skills are required to complete the labs and homework.

Schedule

  1. Scott's Introduction (01/09/17)
  2. Course introduction (01/11/17)
  3. Basic principles (01/18/17) [1]
  4. Memory safety (01/23/17, 01/25/17, 01/30/17, 02/01/17) [2], [3], [4]
  5. Reverse engineering (02/06/17)
  6. Defense mechanisms (02/13/17, 02/15/17, 02/22/17)
  7. Bug discovery (02/23/17) [5]
  8. Exploitation, format string attacks (03/01/17, 03/06/17, 03/20/17) [9]
  9. OS security (03/22/17, 03/27/17, 03/29/17) [6], [7], [8]
  10. Practical defenses
  11. Browser security
  12. Web security
  13. Mobile security
  14. Summary

Projects

For the class project, you will implement a simple file editing service. Your task is to develop the underlying API that is then used in a client and a server. To get you started, we provide you with a description. The deadlines and details are mentioned in the project description.

Grading

  1. For academic honesty, refer to the Purdue integrity/code of conduct.
  2. Except by prior arrangement or notification by the professor of an extension before the deadline, missing or late work will be counted as a zero/fail.
  3. For the project, all code, documentation, and reports must be submitted to Bitbucket and you must give the instructors access to the code (user ids 'gannimo' and 'isp0').

Course policies

This course will be run under the "reasonable adults" policy, wherein it is assumed that all students are reasonable adults who want to benefit the most from the course by attending regularly, completing the homework assignments and projects on time, asking questions during the course and whenever they run into problems, and checking back with the instructor and the TA regularly to ensure good progress.

A more verbose version of the policy is available on Spaf's page. CS-527 follows the policies listed on that page. If you have any questions about the course policy, don't hesitate to ask the instructor or the TA.

As a short summary: (i) you are expected to attend all classes (modulo good reasons), (ii) you are supposed to hand in all work before the deadlines (there's a 10% point reduction per day for late hand-ins), (iii) if you need special treatment or have special circumstances, talk to the instructor or TA.

References and Reading Assignments

[1] Butler W. Lampson. Protection. ACM Operating Systems'74
[2] Laszlo Szekeres, Mathias Payer, Tao Wei, Dawn Song. SoK: The Eternal War in Memory. IEEE S&P'13
[3] Santosh Nagarakatte, Milo M. K. Martin, and Steve Zdancewic. Everything You Want to Know About Pointer-Based Checking. SNAPL'15
[4] Michael Hicks. What is memory safety? Blogpost'14.
[5] Mathias Payer. Triggering Deep Vulnerabilities Using Symbolic Execution. 30C3'13, video of the talk.
[6] Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David Mazières. Making information flow explicit in HiStar. OSDI'06
[7] Daniel J. Bernstein. Some thoughts on security after ten years of qmail 1.0. Technical Report'07
[8] Mathias Payer. HexPADS: a platform to detect "stealth" attacks. ESSoS'16
[9] Exploit examples.