CS527 Software Security
Mathias Payer -- Spring semester 2018, 3-credit course.
News
- The final is on Wed 05/02 1:00p to 3:00p in LWSN B151
- The midterm will be on March 21 during class.
- First class on 01/08 at 3:30p in LWSN 1106, second class on 01/10 at 1:30p in
LWSN 3102AB (note the location).
- Course registration: due to a limitation of the CS registration
system you have to ask for instructor permission.
Please send me an email and (i) mention that you have taken CS-503 and CS-528
or (ii) state your C/C++/assembly coding experience, operating system
knowledge, and prior hacking experience. We will then enable registration for
you on a per-student basis. Sorry for the inconvenience!
Course overview
This course focuses on software security fundamentals, secure coding guidelines
and principles, and advanced software security concepts. Students will learn to
assess and understand threats, learn how to design and implement secure software
systems, and get hands-on experience with common security pitfalls.
The course consists of two lectures per week (50 minutes each) and a 2-hour lab.
- Class: M/W 3:30pm to 4:20pm in LWSN 1106 (from 01/08 to 04/28).
- Office hour: M 4:30pm to 5:20pm in LWSN 3154M and by request.
- Lab: M/W 1:30pm to 3:20pm in LWSN B158 (M) and B146 (W)
Course objectives
Software running on current systems is exploited by attackers despite the many
deployed defense mechanisms and best practices for developing new software. In
this course students will learn about current security threats, attack vectors,
and defense mechanisms on current systems. The students will work with real
world problems and technical challenges of security mechanisms (both in the
design and implementation of programming languages, compilers, and runtime
systems).
Learning outcomes
Students who complete the course will have demonstrated the ability to do the
following:
- Explain the top 20 most common weaknesses in software security (CWE top 20) and
understand how such problems can be avoided in software.
- Identify common security threats, risks, and attack vectors for software
systems.
- Evaluate and assess current security best practices and defense mechanisms for
current software systems. Become aware of the limitations of existing defense
mechanisms and of how those limitations can be avoided.
- Identify security problems in source code and binaries, assess the associated
risks, and reason about their severity and exploitability.
- Assess the security of given source code or applications.
Prerequisites
CS 52600, Introduction to Information Security or equivalent course with the
consent of the instructor. Significant programming experience and skills are
required to complete the labs and homework.
Schedule
- Course introduction (01/08/18, 01/10/18)
- Secure software lifecycle (01/10/18)
- Basic principles (01/10/18)
- Reverse engineering (01/22/18, 01/24/18)
- Security policies: Memory and Type safety (01/29/18, 01/31/18, 02/05/18, 02/07/18)
- Software bugs (02/12/18, 02/14/18)
- Attack vectors (02/26/18, 03/05/18)
- Mitigations (03/07/18, 03/19/18)
- Advanced mitigations (03/26/18, 04/02/18, 04/04/18)
- Software testing (04/09/18, 04/11/18, 04/16/18)
- Web security (04/18/18)
- Mobile security (04/23/18)
- Summary (04/25/18)
Projects
Please refer to Piazza for the course project.
Grading
- Lab assignments (CTF): 25%
- Programming project: 25%
- Midterm exam: 20%
- Final exam: 30%
- For academic honesty refer to the Purdue integrity/code of conduct;
- Unless an extension has been arranged with, or granted by, the professor
before the deadline, missing or late work will be counted as a zero/fail.
Course policies
This course will be run under the "reasonable adults" policy, wherein it is
assumed that all students are reasonable adults who want to get the most out of
the course by attending regularly, completing the homework assignments and
projects on time, asking questions during class and whenever they run into
problems, and checking back with the instructor and the TA regularly to ensure
good progress.
A more verbose version of the policy is available
on Spaf's page. CS-527 follows
the policies listed on that page. If you have any question about the course
policy, don't hesitate to ask the instructor or the TA.
As a short summary: (i) you are expected to attend all classes (modulo good
reasons), (ii) you are supposed to hand in all work before the deadlines (there's a
10% point reduction per day for late hand-ins), (iii) if you need special
treatment or have special circumstances, talk to the instructor or TA.
References and Reading Assignments