Software Vulnerabilities and Security Fall 2018


Software Vulnerabilities and Security is a graduate course covering common software programming, configuration, and design mistakes, and how to avoid them. The goals of the course are the following:

  • Examine major vulnerability classes introduced in various software domains and levels of the software stack
  • Understand effective techniques for defending against exploitation in situ
  • Understand approaches for detecting the presence of vulnerabilities during development and deployment
  • Gain hands-on experience in attacking and defending vulnerable software

Examples of topics covered by this course include:

  • Memory corruption
  • Web security
  • Intrusion detection
  • Reverse engineering and binary analysis
  • Static and dynamic vulnerability discovery
  • Malware classification and triage

Meetings

  • Class meets Thursdays 6-9 PM in 117 Snell Library
  • TA hours are held Mondays 2-4 PM in 655 ISEC and Fridays 5-7 PM in 632 ISEC
  • Office hours are by appointment

Grading

Grades will be assigned based on the completion of assignments, quizzes, and a midterm and final exam. Points will also be awarded for class participation.

Component Contribution
Projects 30%
Quizzes 15%
Midterm Exam 25%
Final Exam 25%
Participation 5%

Prerequisites

This course requires significant “programming maturity” and a solid background in computer architecture, operating systems, and networking. This is a consequence of the fact that security spans many domains. Moreover, not only must you know the relevant abstractions, you must know how they are implemented in order to understand how to break them. Therefore, you must have passed the following courses to succeed in this class:

  • Computer architecture: ISAs, fetch-decode-execute cycles, pipelining, cache organization
  • OS design principles: paged memory management, processes, threads, scheduling
  • Networking concepts and standards: Ethernet, 802.11, IP, TCP, UDP

It is virtually impossible to learn the above on the fly and pass this class. If you don’t satisfy one of these prerequisites, you should only take this class after you have done so.

In addition, practical familiarity with the following or the ability to refer to other references and documentation for the following is also required:

  • Programming languages: Shell scripting, C and C++ (C++11 or later), scripting languages such as Python or Ruby, JavaScript and popular frameworks like jQuery
  • Relational databases: SQL, SQLite, PostgreSQL, MariaDB
  • SSH: Remote login, connection tunneling
  • Source control: Git, GitHub or GitLab

If you aren’t familiar with these technologies or are uncomfortable referring to available documentation on your own, logic and experience both dictate that you will have significant difficulty with this course.

As a concrete example for calibration purposes: If asked to write a TCP client that connects to a remote endpoint and engages in a simple binary proof-of-work protocol from a grammar-based specification, this should take on the order of one hour rather than on the order of a week’s time.

Policies

Cheating. Work submitted for grading must represent your own effort. Group work is not allowed unless a problem statement specifically states otherwise. Similarly, use of third-party content (for code, whether as a library, service, or in source form) is only permissible in the context of the allowances explicitly made as part of a problem statement. “Use” in this context refers not only to copying in the cut-and-paste sense, but any content derived from third-party work. A non-exhaustive list of plagiarism examples include:

  • Copying third-party code verbatim that was published in an online source code repository, forum, or other reference site such as GitHub, GitLab, Stack Overflow, Wikipedia, or similar
  • Adapting an algorithm found in third-party code published online
  • Collaborating on code with other students, such as adapting code written by another student or working together on a shared code base at any point

While referring to third-party code can be helpful in devising your own solution, it is also extremely dangerous as it is all too easy to plagiarize without realizing it. (It is for exactly this reason that viewing source code published online that may be relevant to a product is almost always strictly forbidden in corporate settings due to intellectual property concerns.) While discussing course material with other students is encouraged, it is strongly recommended that students refrain from viewing any third-party source code.

Cheating damages the reputation of the university as well as the grades of students who participate in the course in good faith. As such, there will be zero tolerance for cheating in this course. Students that participate in this course must acknowledge that they have read and understood the University Academic Integrity Policy. All cheating cases will be brought to the CCIS Academic Integrity Committee and to OSCCR on the first offense. Finally, all students found to be cheating will receive a failing grade on the first offense.

Grading. Late assignments will be accepted, with the caveat that grading will be penalized by a full letter grade for each day that an assignment is late. Grades may be subject to a curve.

Reference Material. There is no official textbook for this course. Instead, we will rely on lectures and readings. If you need to brush up on background material on algorithms, architecture, systems, or networks, strongly reconsider whether you satisfy the course prerequisites.

Due to the fast pace of the field, much information is only available online and thus referring to third-party online sources is encouraged. However, keep in mind that referring to third-party source code is permissible only within the constraints of the class and university academic integrity policies.

Online Discussion. Online discussion and questions will be handled through Piazza, not via email. A best effort attempt will be made to respond to posts within 24 hours on weekdays during normal working hours. To ensure a timely response, do not wait to ask questions until the night before a submission deadline.

Ethics. This course covers sensitive material that includes information on how to exploit vulnerable software. Attack-oriented work must be restricted to the computing resources provided. Alternatively, students can perform this work using personal resources so long as other computing resources are not affected.

In particular, attacks performed against University resources or the open Internet are expressly prohibited. Students should also be familiar with the University Appropriate Use policy.

Schedule

Note: This schedule is preliminary and subject to change
Date Module Topics and Readings
Thu Sep 06 Foundations Introduction and Security Foundations
Thu Sep 13 Systems Passwords
Thu Sep 20 Systems Users and Privilege
Thu Sep 27 Systems Resources and Side Channels
Thu Oct 04 Web XSS, CSRF, and SQL Injection; Quiz
Thu Oct 11 Web CSP, CORS, and Browser Separation
Thu Oct 18 Web Privacy
Thu Oct 25 Exam Midterm Exam
Thu Nov 01 Applications Memory Unsafety
Thu Nov 08 Applications ASLR, DEP, and CFI
Thu Nov 15 Applications Disassembly and Reverse Engineering; Quiz
Thu Nov 29 Applications Fuzzing and Program Testing
Thu Dec 06 Practice Live Security Exercise
Thu Dec 13 Exam Final Exam

Assignments

TBD