CYSE 411: Secure Software Engineering (Spring 2017)


Course Description

This is an upper-level undergraduate course on software security. This course provides a foundation for building secure software by applying security principles to the software development lifecycle. Students will learn the practical skills for developing and testing secure software. The focus is practical with discussions on why and how mechanisms ensure security, what level of security is provided, and how hostile adversaries might violate the mechanisms. Programming flaws, methods to avoid and correct flaws, and economic cost of software bugs are also addressed.


Course Information

Class Time: W 10:30am - 1:10pm
Class Location: David King Jr. Hall 1006

Instructor: Dr. Kun Sun
Email: ksun3@gmu.edu
Office Hours: W 2:00pm - 4:00pm and by appointment, Research Hall, #421


Grading Policy

Term project

 

Each student is required to complete a mid-size project, which includes proposal, implementation, and final demo or paper. Each student must finish the project by himself/herself.

Requirements for project proposal.
Requirements for project final report.
Requrrements for presentation.

Projects include but are not limited to:

  • Research Paper [sample 1][sample 2]
    • You can work on original research problems. The outcome should be a paper with original technical contribution. Your grade on this will be judged on originality, soundness of the approach, and quality of presentation.
    • Example Topics:
      • Android Security
      • Honeypot
      • Virtualization Security, e.g., Docker, VMM
      • Vulnerability Analysis
      • Intrusion Detection
      • Authentication and Access Control
      • DNS Security
      • Trusted Execution Environment
      • New Attacks
      • etc.
  • Survey Paper [sample 1] [sample 2]
    • You can write a paper that surveys a particular field on software security. The outcome should be a paper that summarizes the trend in the field you have chosen. Your grade will be judged on the completeness of the survey, the quality of the trend analysis, and the quality of presentation.
    • Example topics:
      • Cybercrime, e.g., Ransomware, Online Black market
      • Web application Vulnerabilitie, e.g., XSS
      • Database Vulnerabilities, e.g., SQL Injection
      • Network Security, e.g., Botnet, SDN, NFV
      • Secuity of Browser Plug-ins/extensions
      • Drive-by Downloads, social engineering
      • Code-level Vulnerabilities: Return-oriented Programming (ROP), Buffer Overflow,
      • Software Defense Mechanism, e.g., Address Space Layout Randomization (ASLR)
      • Symbolic Execution
      • etc.

Textbook

1. [McGraw] Gary McGraw, Software Security: Building Security In (1st Edition), Addison-Wesley Professional, ISBN-10: 0321356705 ISBN-13: 978-0321356703

2. [Seacord] Secure Coding in C and C++ (2nd Edition), by Robert Seacord, ISBN-13: 978-0321822130, ISBN-10: 0321822137

Class Schedule (tentative)

Note: the schedule will change as the course progresses. Please check frequently.

Date
Topic
Reading Assignment
Project Assignment
Handouts
01/25/2017

Topic 1. Introduction to Information Security
Topic 2-1. Software Security Fundamentals

[Mcgraw] Chapter 1

T01 slides
T02.1 slides

02/01/2017
Topic 2-1. Software Security Fundamentals (cont.)
Topic 2-2. Secure coding: Strings

[Mcgraw] Chapter 1
[Seacord] Chapter 2

T02.2_slides
02/08/2017
Topic 2-2. Secure coding: Strings (cont.)
Topic 3. Risk Management

[Seacord] Chapter 2
[Mcgraw] Chapter 2

T03_slides
02/15/2017

Topic 3. Risk Management (cont.)
Topic 4. Software Development Process and Software Security Touchpoints

[Mcgraw] Chapter 3
Quiz 1
T04_slides
02/22/2017
Topic 5-1. Code Review
Topic 5-2. Static Analysis
[Mcgraw] Chapter 4

 

T05.1_slides
T05.2_slides
03/01/2017
Topic 5-2. Static Analysis (cont.)
Topic 6. Penetration Testing
[Mcgraw] Chapter 6

T06_slides 1
T06_slides 2

03/08/2017

Topic 7-1. Architectural Risk Analysis
Topic 7-2. Risk-Based Security Testing
Topic 7-3.Abuse/Misuse Cases

[Mcgraw] Chapter 5,7, 8
Quiz 2
Project proposal due on 03/10/2017

T07.1_slides
T07.2_slides
T07.3_slides

03/15/2017
No Class (Spring break)
 
 
03/22/2017

Topic 8. Security Operations
Topic 9.1. Secure coding: Dynamic Memory
Topic 9.2. Secure coding: Integer Security

[Mcgraw] Chapter 9
[Seacord] Chapter 4
[Seacord] Chapter 5


T08_slides
T09.1_slides
T09.2_slides

03/29/2017
Topic 9.3. Secure coding: Formatted Output
Topic 9.4. Race Conditions
Topic 10. Symbolic Execution
[Seacord] Chapter 6
[Seacord] Chapter 7
T09.3_slides
T09.4_slides
T10_slides
04/05/2017
Topic 10. Symbolic Execution (cont.)
Topic 11. Web Security
 

04/12/2017

Student Presentation (I)
 
04/19/2017

Student Presentation (II)

 
04/26/2017
Student Presentation (III)
 
05/03/2017
Final Review
 
05/10/2017
Final Exam (10:30 am – 1:10 pm)
Project final report due on 5/10/2017

Honor Code

Students are required to follow George Mason Univeristy's Honor Code.

Students with Disabilities

Any student with a disability needing academic adjustments or accommodations should contact the instructor immediately.

Acknowledgement

This course includes materials provided by Dr. Thomas Schwarz (Marquette University), Dr. Michael Hicks (University of Maryland) and Dr. Csilla Farkas (University of South Carolina).