COMS E6998-9: Software Security and Exploitation

Course Overview:

The course involves the study of emerging and unexplored topics in software security and the exploitation of security vulnerabilities. It begins with the foundations of secure programming. We will then examine language-specific security issues, vulnerabilities, exploitation techniques, operating system defenses, compiler defenses, and models of secure software development. Students will learn about the boundaries and effectiveness of techniques such as virtualization, stack and heap protections, address space randomization, session security, and other current approaches. Student projects will analyze advanced software exploitation techniques and countermeasures.

Assessment:

Students will be evaluated based on one exam, class participation, homework, and one major project.

Midterm Exam: 30% - Scheduled on April 4th

Project: 50% - see the project page for details

Homework: 20%

Instructor:

Herbert Hugh Thompson, Ph.D.

Email: hthompson@cs.columbia.edu

Detailed Outline:

Lecture 1: Introduction

January 24, 2011

Introduction to software security

Understanding hackers, the underground, and security in the Software Development Life Cycle (SDLC)

Looking at recent vulnerabilities and how they were discovered and exploited

Thinking like an attacker and defending against them

A first look at the course project
Slides

Lecture 2: Software Security Design Principles

January 31, 2011

Thinking like an attacker

Gateway data

Security design principles
Slides

Lecture 3: Design Principles Continued and Input Validation

February 7, 2011

Security Design Principles Cont.

Input Validation

Buffer Overflows
Slides

Lecture 4: Video lecture on 3rd Party Trust
Note: Watch the video of the Friday keynote from the RSA Conference.

Lecture 5: Buffer Overflows In-Depth

February 21, 2011

Buffer overflow mechanics

Stack vs. Heap overflows
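
An added illustration of the overflow mechanics listed above (example code written for this page, not course material): a toy heap carved out of one byte array, where every chunk carries a size header immediately before its payload, so chunks sit back to back exactly as they do in a real allocator. Copying 20 bytes into a 16-byte chunk with an unchecked memcpy overwrites the next chunk's header, which is the first step of most heap exploits, while the checked copy refuses the oversize write. The arena layout, the header format and the function names are this example's own assumptions, and the arena is fenced so the demonstration stays within defined behaviour; a real heap has no such fence.

```c
/* Added example for this page, not course material: a toy heap inside one
 * byte array. Chunk = 4-byte little-endian size header + payload, packed back
 * to back, so overflowing one payload lands on the next chunk's header.
 * Layout, header format and names are this example's assumptions. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 128
#define HDR 4

static unsigned char arena[ARENA_SIZE];
static size_t arena_top;                 /* offset of the first unused byte */

static void put_size(size_t off, uint32_t n) {
    for (int i = 0; i < HDR; i++) arena[off + i] = (unsigned char)(n >> (8 * i));
}
static uint32_t get_size(size_t off) {
    uint32_t n = 0;
    for (int i = 0; i < HDR; i++) n |= (uint32_t)arena[off + i] << (8 * i);
    return n;
}

void arena_reset(void) { memset(arena, 0, sizeof arena); arena_top = 0; }

/* Carve a chunk of n payload bytes; returns the payload offset, 0 if full. */
size_t arena_alloc(uint32_t n) {
    if (arena_top + HDR + n > ARENA_SIZE) return 0;
    size_t payload = arena_top + HDR;
    put_size(arena_top, n);
    arena_top += HDR + n;
    return payload;
}

/* Size recorded in the header just before a payload. */
uint32_t chunk_size(size_t payload) { return get_size(payload - HDR); }

/* VULNERABLE: trusts the caller's length, like strcpy/memcpy into a fixed
 * buffer. The clamp only keeps the demo inside the arena (defined behaviour);
 * a real heap has no such fence. */
void copy_unchecked(size_t payload, const unsigned char *src, size_t n) {
    if (n > ARENA_SIZE - payload) n = ARENA_SIZE - payload;
    memcpy(arena + payload, src, n);
}

/* HARDENED: refuse any write longer than the chunk that was allocated. */
int copy_checked(size_t payload, const unsigned char *src, size_t n) {
    if (n > chunk_size(payload)) return -1;
    memcpy(arena + payload, src, n);
    return 0;
}

/* Two adjacent 16-byte chunks; 20 bytes of 'A' (constructed attacker input)
 * are copied into the first. Returns the second chunk's size header
 * afterwards: 16 if intact, 0x41414141 if the overflow reached it. */
uint32_t demo_overflow(int use_checked) {
    arena_reset();
    size_t a = arena_alloc(16);
    size_t b = arena_alloc(16);
    unsigned char data[20];
    memset(data, 'A', sizeof data);
    if (use_checked) copy_checked(a, data, sizeof data);
    else copy_unchecked(a, data, sizeof data);
    return chunk_size(b);
}

int main(void) {
    printf("next chunk header after unchecked copy: 0x%08" PRIx32 "\n", demo_overflow(0));
    printf("next chunk header after checked copy:   %" PRIu32 "\n", demo_overflow(1));
    return 0;
}
```

On a real allocator the corrupted header is consumed by the next malloc or free, which is where control of the heap turns into control of execution; stack overflows follow the same pattern, with the saved return address in the role of the neighbouring header.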
Note: Homework 1 has been posted.

Lecture 6: Buffer Overflow Defenses and other Input Validation Issues

February 28, 2011

More on buffer overflow defenses

Command injection

SQL injection
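
An added example (not from the course page) for the command injection and SQL injection items above: two string builders that paste raw input into a shell command line and into a SQL query, beside the allowlist check that should run before either is built. The builders only return the string they would hand to system() or to the database; nothing is executed. The allowed character set, the 64-byte limit and the function names are this example's assumptions.

```c
/* Added example for this page, not course material: how a shell command and
 * a SQL statement built from raw input are subverted, and an allowlist check
 * that rejects such input before it reaches the string builder. Names and the
 * allowed character set are this example's assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE: a user-controlled name is pasted straight into a command line.
 * Returns 0 on success, -1 if the command did not fit. Nothing is run. */
int build_cmd_unsafe(char *out, size_t cap, const char *filename) {
    int n = snprintf(out, cap, "cat %s", filename);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* VULNERABLE: the same mistake with SQL; a quote in the input ends the literal. */
int build_query_unsafe(char *out, size_t cap, const char *user) {
    int n = snprintf(out, cap, "SELECT * FROM users WHERE name = '%s'", user);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Allowlist (this example's policy): non-empty, at most 64 bytes, only
 * [A-Za-z0-9._-], no leading '-' (so it cannot be parsed as an option) and no
 * ".." segment. Anything else is rejected rather than "cleaned up". */
int is_safe_filename(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 64 || s[0] == '-') return 0;
    if (strstr(s, "..") != NULL) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* HARDENED: validate first; build only from input that passed the allowlist. */
int build_cmd_safe(char *out, size_t cap, const char *filename) {
    if (!is_safe_filename(filename)) return -1;
    return build_cmd_unsafe(out, cap, filename);
}

int main(void) {
    char buf[128];
    const char *hostile = "notes.txt; rm -rf /";       /* constructed attacker input */
    build_cmd_unsafe(buf, sizeof buf, hostile);
    printf("unsafe command: %s\n", buf);
    build_query_unsafe(buf, sizeof buf, "' OR '1'='1"); /* constructed attacker input */
    printf("unsafe query:   %s\n", buf);
    printf("allowlist verdict on \"%s\": %d\n", hostile,
           build_cmd_safe(buf, sizeof buf, hostile));
    return 0;
}
```

The allowlist is the right fix for the shell case, since escaping for /bin/sh is hard to get right and a deny-list of metacharacters is always incomplete. For SQL the real fix is a parameterised query; the validator is defence in depth there. Note that is_safe_filename rejects rather than strips: stripping ';' from input like "a;;b" style payloads tends to reintroduce the problem.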

Slides

Lecture 7: More Vulnerabilities; Data Security and Cryptography; Fuzzing

March 14, 2011

Cross-site scripting; more on command injection

Data security

Cryptography

Fuzzing
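
An added example (not from the course page) for the cross-site scripting item above: a page fragment that reflects a user-supplied name, first as-is and then through an HTML encoder, so a script tag in the name is rendered as text instead of being executed by the browser. The function names and the sample input are this example's own; the encoder covers the HTML text and attribute-value context only, and a value placed into a URL or a JavaScript string needs that context's encoding instead.

```c
/* Added example for this page, not course material: a reflected-XSS pattern
 * (raw input interpolated into HTML) beside the output-encoding fix. Function
 * names and the sample input are this example's own. */
#include <stdio.h>
#include <string.h>

/* Encode the five characters that matter in HTML text and attribute context.
 * Returns the encoded length, or -1 if the output buffer is too small. */
int html_escape(const char *in, char *out, size_t cap) {
    size_t used = 0;
    if (cap == 0) return -1;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, 0 };
        switch (*in) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#x27;"; break;
            default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (used + rl >= cap) return -1;       /* keep room for the NUL */
        memcpy(out + used, rep, rl);
        used += rl;
    }
    out[used] = '\0';
    return (int)used;
}

/* VULNERABLE: the name is reflected into the page as-is. */
int render_greeting_unsafe(char *out, size_t cap, const char *name) {
    int n = snprintf(out, cap, "<p>Hello, %s</p>", name);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* HARDENED: encode for the HTML text context before interpolating. */
int render_greeting_safe(char *out, size_t cap, const char *name) {
    char enc[256];
    if (html_escape(name, enc, sizeof enc) < 0) return -1;
    int n = snprintf(out, cap, "<p>Hello, %s</p>", enc);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

int main(void) {
    char page[512];
    const char *name = "<script>alert('x')</script>";   /* constructed attacker input */
    render_greeting_unsafe(page, sizeof page, name);
    printf("unsafe: %s\n", page);
    render_greeting_safe(page, sizeof page, name);
    printf("safe:   %s\n", page);
    return 0;
}
```

Encoding at the point of output, not at input, is what makes this robust: the same name may legitimately contain an apostrophe, and only the renderer knows which context it is about to be placed in.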

Slides

Lecture 8: Fail Secure; DoS Defenses; Evaluating 3rd Party components

March 21, 2011

Fail Secure

DoS Prevention

Evaluating Components for Security

Slides

Note: Exam is on April 4th. It will cover all material discussed in class as well as the following reading list:

- Aleph One, "Smashing the Stack for Fun and Profit", Phrack Vol. 7, Issue 49 (1996).

- Jonathan Pincus and Brandon Baker, "Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns", IEEE Security & Privacy 2(4):20-27 (2004).

- David Litchfield, "Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform".

- Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu and Dan Boneh, "On the Effectiveness of Address-Space Randomization", Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS 2004), Washington, DC, October 25-29, 2004.

Lecture 9: Code/Binary Analysis for Security Vulnerabilities

Note: No class on March 28th – Video lecture will be posted after the exam on April 4th.

Lecture 10: Secure Development Methodologies and Exam

Secure development methodologies
Note: The midterm exam is held during the second half of this class session.