COMS W4995: Secure Software Development: Theory and Practice (Spring 2017)

Lecture Details

Instructor: Suman Jana
Office: Mudd 412
Office hours: Wednesday (4-6 pm)
TA Office hours: Plaban - Monday (12:30-2:30pm) and Eugene - Wednesday (12:30-2:30 pm)
Classroom: 415 Schapiro [SCEP]
Class hours: Monday and Wednesday (2:40-3:55 pm)


Writing secure code is notoriously hard! Security vulnerabilities resulting from software bugs cost companies billions of dollars every year. In this course you will learn how to write secure code that can withstand attacks, how to perform security testing and auditing of your software, and systematically debug and analyze the root causes of security vulnerabilities. Throughout the semester, you will not only learn about existing tools and techniques for secure software development but gain a detailed understanding of the underlying principles. You will also work on a semester-long group project.


There is no formal prerequisite for this class but you should be generally comfortable to deal with complex large source code (> 1000 lines of C/C++ code) and have basic knowledge of testing/debugging tools like gdb, gcov, etc. Feel free to send me an email if you have any specific questions.



Date Topics Lecture slides & Reading
Jan 18 Introduction intro.odp, intro.pdf
Jan 23 Real-world security bugs Real World Bugs.odp, Real World Bugs.pdf.
Additional reading: heartbleed, gotofail, DirtyCOW, Debian randomness fiasco.
Jan 25 Control flow analysis Control Flow Analysis.pptx, Control Flow Analysis.pdf
Additional reading: Control Flow Analysis, Using llvm to view CFG (Slide 6).
Jan 30 Data flow analysis Data Flow Analysis.pptx, Data Flow Analysis.pdf
Additional reading: Data Flow Analysis.
(PA 1 assigned in CourseWorks. It is due before class on 02/08/2017)
Feb 1 Symbolic execution Symbolic Execution.pptx, Symbolic Execution.pdf
Additional reading: Symbolic Execution for Software Testing: Three Decades Later (Cadar and Sen)
KLEE: Unassisted and Automatic Generation of High-Coverage Tests for Complex Systems Programs (Cadar et al.)
CUTE: A Concolic Unit Testing Engine for C (Sen et al.)
DART: Directed Automated Random Testing (Godfroid et al.)
Symbolic execution and program testing (King et al.)
Feb 6 Symbolic execution (cntd.)
Feb 8 Fuzzing fuzzing.pptx, fuzzing.pdf
PA1 is due before class
Additional reading: AFL Readme
Fuzzing: The State of the Art (McNally et al.)
Feb 13 Fuzzing (cntd.) List of group members due, send a list to the TAs
Feb 15 Taint analysis taint_tracking.pptx, taint_tracking.pdf
Additional reading: Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software
All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution
(PA 2 assigned in CourseWorks. It is due by 11:59pm on 02/24/2017)
Feb 20 Low level attacks: memory corruption memory_attacks.pptx, memory_attacks.pdf
Additional reading: Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade
Basic integer overflows
Feb 22 Memory corruption (cntd.) One page project proposal is due before class
Feb 27 Runtime defenses: reference monitors (CFI, XFI) ref_monitor.pptx, ref_monitor.pdf
Additional reading: Control-Flow Integrity: Principles, Implementations, and Applications
XFI: Software Guards for System Address Spaces
Mar 1 Midterm review session
Mar 6 Midterm (1st part) Open slides/open notes
Mar 8 Midterm (2nd part) till 3:20 pm Open slides/open notes
Mar 20 Runtime defenses: reference monitors (CFI, XFI) cntd.
Mar 22 Web attacks: XSS, SQL injection, CSRF web_app_sec.pptx, web_app_sec.pdf
Additional reading: Cross site scripting explained
SQL Injection attacks
Cross-Site Request Forgery
Mar 27 Web attacks: XSS, SQL injection, CSRF One page midterm project status update due before class
Mar 29 Web attacks: XSS, SQL injection, CSRF PA 3 assigned in CourseWorks. It is due by 11:59pm on 04/07/2017
Apr 3 Web attacks: XSS, SQL injection, CSRF
Apr 5 How to detect XSS/SQL injection/CSRF vulnerabilities? Detecting_Web_vulns.pptx, Detecting_Web_vulns.pdf
Additional reading: Automatic Creation of SQL Injection and Cross-Site Scripting Attacks
Apr 10 Semantic/logic bugs shop_free.pptx, shop_free.pdf
Additional reading: How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores
Apr 12 How to detect semantic/logic bugs? frankencerts.pptx, frankencerts.pdf
Additional reading: Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations
(PA 4 assigned in CourseWorks. It is due by 11:59pm on 04/26/2017)
Apr 17 Side channel attacks Web-Side-channels.pptx, Web-side-channels.pdf
Additional reading: Side-channel-leaks in Web Applications: A Reality today, A Challenge Tomorrow
Apr 19 How to detect side channel vulnerabilities? Web_sidechannel_detection.pptx, web_sidechannel_detection.pdf
Additional reading: Automated Black-Box Detection of Side-Channel Vulnerabilities in Web Applications
Apr 24 Web security recap with Eugene & Plaban
Apr 26 No class PA 4 is due by 11:59pm on 04/26/2017
May 1 No class Work on the project
May 11 Final project reports due by 11:59 pm