Synopsis: The course studies the nature of security vulnerabilities in software systems, the techniques to detect and prevent these problems, and the embedding of these techniques in a security-aware software development process.
Learning outcomes: The student will acquire:
- A good understanding of the nature of security vulnerabilities in software systems
- A good understanding of principles for secure software development
- A basic understanding of security testing and dynamic analysis techniques
- A good understanding of static analysis techniques and language-based security
Examination: Written exam in WebLab (can be done on multiple sites) and homework (programming) assignments.
Contents:
- Software Security Vulnerabilities (buffer overflows, integer overflows, SQL injection, cross-site scripting (XSS), race conditions, bad randomness, information exposure)
- Principles of Secure Programming (threat modeling, defense in depth, least privilege, small/simple trusted computing base, secure failures, secure defaults, attack surface and reducing it, checklists and coding standards, code reviews)
- Input Validation (preventing injection attacks, XSS)
- Language-Based Security (memory safety, type safety, access control)
- Modeling Language-Based Security (static semantics, types, type checking, dynamic semantics, type soundness)
- Static Analysis (static analysis techniques, data flow analysis, control flow analysis)
- Information Flow (least privilege)
Core text: Papers & a book such as “Software Security: Building Security In” by Gary McGraw (to be confirmed)