Secure Programming

For general information about the course, please visit the School's page for the module. It contains the official information about learning outcomes, restrictions, prerequisites, co-requisites, and assessment.

Description

Our daily lives are growing more dependent on accurate, reliable and secure software systems. Unfortunately, such systems are too often vulnerable (by design or due to implementation errors) and are frequent targets of attacks.

This course covers the security analysis of software programs, with particular attention to implementation issues. The course will discuss principles of secure programming, and then present approaches and techniques to identify vulnerabilities in existing programs, to develop attacks against them, and to defend against such attacks.

There is a marked emphasis on practical, hands-on approaches for both defending and attacking software systems (to acquire an “attacker mindset”). In addition, there will be discussion of seminal and/or current research work in the area (to acquire foundational and/or advanced research knowledge).

Ethical issues will also be discussed.

Instructor

Marco Cova
Computer Science building, Room 207

Class schedule

Mondays, 12pm-1pm, B23, Mechanical Engineering
Tuesdays, 12pm-1pm, B05 Mechanical Engineering until week 4, then 1 12 Muirhead Tower
Thursdays, 3pm-4pm, L R5 Arts

See the full calendar at a glance.

Office hours

Tuesdays, 3pm-5pm, and by appointment

Demonstrator

Maxim Strygin
Office hours: Wednesdays, 10am–12pm
No session on Wed Feb 6; extra session on Fri Feb 8
Room 217

News

Mon 21 January lecture is canceled

Lectures

No. | Date | Lecture | Readings
01 | 07 Jan | Introduction [PDF] |
02 | 08 Jan | Security Principles [PDF] | The Security Architecture of the Chromium Browser
03 | 10 Jan | Finding Vulnerabilities [PDF] |
04 | 14 Jan | SQL injection [PDF] | AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks
05 | 15 Jan | More injections [PDF] |
06 | 17 Jan | Buffer overflows [PDF] |
07 | 21 Jan 22 Jan | Shellcode writing [MOV] | English Shellcode
08 | 24 Jan | Shellcode writing [MOV] |
09 | 28 Jan | Memory corruption defenses [MOV] | Control-Flow Integrity
10 | 29 Jan | More memory corruption defenses [MOV] |
11 | 31 Jan | Heap overflow [MOV] |
12 | 04 Feb | Format string and integer vulnerabilities [MOV] |
13 | 05 Feb | Race conditions [MOV] |
14 | 07 Feb | Denial of service [MOV] |
15 | 08 Feb | Java vulnerabilities [MOV] |
16 | 11 Feb | Malicious web [MOV] | Static Enforcement of Web Application Integrity Through Strong Typing
17 | 12 Feb | Return oriented programming [MOV] |
18 | 14 Feb | The lecture is canceled |
18 | 15 Feb | Exploits Workshop (with MWR InfoSecurity), Mechanical Engineering, Room B04, 10am–5pm |
19 | 18 Feb | Ruby on Rails [MOV] |
20 | 19 Feb | Sample exam |
21 | 21 Feb | Module recap |

Read the reading material (if any) before coming to class.

Note: the schedule is only indicative and may change as we progress.

Homework assignments

Calendar