COMS W4995: Secure Software Development: Theory and Practice (Spring 2017)


Lecture Details

Instructor: Suman Jana
Office: Mudd 412
Office hours: Wednesday (4-6 pm)
TA Office hours: Plaban - Monday (12:30-2:30 pm) and Eugene - Wednesday (12:30-2:30 pm)
Classroom: 415 Schapiro [SCEP]
Class hours: Monday and Wednesday (2:40-3:55 pm)

Description

Writing secure code is notoriously hard! Security vulnerabilities resulting from software bugs cost companies billions of dollars every year. In this course you will learn how to write secure code that can withstand attacks, how to perform security testing and auditing of your software, and how to systematically debug and analyze the root causes of security vulnerabilities. Throughout the semester, you will not only learn about existing tools and techniques for secure software development but also gain a detailed understanding of the underlying principles. You will also work on a semester-long group project.

Prerequisite

There is no formal prerequisite for this class, but you should be generally comfortable dealing with large, complex source code (> 1000 lines of C/C++ code) and have basic knowledge of testing/debugging tools like gdb, gcov, etc. Feel free to send me an email if you have any specific questions.

Grading

Schedule

Date Topics Lecture slides & Reading
Jan 18 Introduction intro.odp, intro.pdf
Jan 23 Real-world security bugs Real World Bugs.odp, Real World Bugs.pdf
Additional reading: heartbleed, gotofail, DirtyCOW, Debian randomness fiasco.
Jan 25 Control flow analysis Control Flow Analysis.pptx, Control Flow Analysis.pdf
Additional reading: Control Flow Analysis, Using llvm to view CFG (Slide 6).
Jan 30 Data flow analysis Data Flow Analysis.pptx, Data Flow Analysis.pdf
Additional reading: Data Flow Analysis.
(PA 1 assigned in CourseWorks. It is due before class on 02/08/2017)
Feb 1 Symbolic execution Symbolic Execution.pptx, Symbolic Execution.pdf
Additional reading: Symbolic Execution for Software Testing: Three Decades Later (Cadar and Sen)
KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs (Cadar et al.)
CUTE: A Concolic Unit Testing Engine for C (Sen et al.)
DART: Directed Automated Random Testing (Godefroid et al.)
Symbolic execution and program testing (King et al.)
Feb 6 Symbolic execution (cntd.)
Feb 8 Fuzzing fuzzing.pptx, fuzzing.pdf
PA1 is due before class
Additional reading: AFL Readme
Fuzzing: The State of the Art (McNally et al.)
Feb 13 Fuzzing (cntd.) List of group members due, send a list to the TAs
Feb 15 Taint analysis taint_tracking.pptx, taint_tracking.pdf
Additional reading: Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution
(PA 2 assigned in CourseWorks. It is due by 11:59pm on 02/24/2017)
Feb 20 Low level attacks: memory corruption memory_attacks.pptx, memory_attacks.pdf
Additional reading: Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade
Basic integer overflows
Feb 22 Memory corruption (cntd.) One page project proposal is due before class
Feb 27 Runtime defenses: reference monitors (CFI, XFI) ref_monitor.pptx, ref_monitor.pdf
Additional reading: Control-Flow Integrity: Principles, Implementations, and Applications
XFI: Software Guards for System Address Spaces
Mar 1 Midterm review session
Mar 6 Midterm (1st part) Open slides/open notes
Mar 8 Midterm (2nd part) till 3:20 pm Open slides/open notes
Mar 20 Runtime defenses: reference monitors (CFI, XFI) cntd.
Mar 22 Web attacks: XSS, SQL injection, CSRF web_app_sec.pptx, web_app_sec.pdf
Additional reading: Cross site scripting explained
SQL Injection attacks
Cross-Site Request Forgery
Mar 27 Web attacks: XSS, SQL injection, CSRF One page midterm project status update due before class
Mar 29 Web attacks: XSS, SQL injection, CSRF PA 3 assigned in CourseWorks. It is due by 11:59pm on 04/07/2017
Apr 3 Web attacks: XSS, SQL injection, CSRF
Apr 5 How to detect XSS/SQL injection/CSRF vulnerabilities? Detecting_Web_vulns.pptx, Detecting_Web_vulns.pdf
Additional reading: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks
Apr 10 Semantic/logic bugs shop_free.pptx, shop_free.pdf
Additional reading: How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores
Apr 12 How to detect semantic/logic bugs? frankencerts.pptx, frankencerts.pdf
Additional reading: Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations
(PA 4 assigned in CourseWorks. It is due by 11:59pm on 04/26/2017)
Apr 17 Side channel attacks Web-Side-channels.pptx, Web-side-channels.pdf
Additional reading: Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow
Apr 19 How to detect side channel vulnerabilities? Web_sidechannel_detection.pptx, web_sidechannel_detection.pdf
Additional reading: Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications
Apr 24 Web security recap with Eugene & Plaban
Apr 26 No class PA 4 is due by 11:59pm on 04/26/2017
May 1 No class Work on the project
May 11 Final project reports due by 11:59 pm