AIT 681: Secure Software Engineering (Spring 2019)


Course Description

This is a graduate level course on software security. It consists of three major components. First, it provides a framework/foundation for building secure software by applying security principles to the software development lifecycle. Second, students will learn the practical skills for writing and testing secure software. Programming flaws, methods to avoid and correct flaws, and economic cost of software bugs will be addressed. Third, it will cover the advanced software security topics focusing on how to perform software program analysis for identifying security vulnerabilities and defending security attacks.


Course Information

Class Time: W 4:30pm - 7:10pm
Class Location: Innovation Hall 133

Instructor: Dr. Kun Sun
Email: ksun3@gmu.edu
Office Hours: W 10:00pm - noon and by appointment, Research Hall, #421

TA: Omoche (Cheche) Oagada
Email: oagada@masonlive.gmu.edu
Office Hours: Appointment by email.


Grading Policy

Homework: 20%
Mid term exam: 20%
Lab Exercises: 60%


Textbook

1. [Du] Wenliang Du, Computer Security: A Hands-on Approach, ISBN-13: 978-1548367947, ISBN-10: 154836794X

2. [Seacord] Secure Coding in C and C++ (2nd Edition), by Robert Seacord, ISBN-13: 978-0321822130, ISBN-10: 0321822137

3. [McGraw] Gary McGraw, Software Security: Building Security In (1st Edition), Addison-Wesley Professional, ISBN-10: 0321356705 ISBN-13: 978-0321356703

Lab Exercises

Class Schedule (tentative)

Note: the schedule will change as the course progresses. Please check frequently.

Date
Topic
Reading Assignment
Project Assignment
Handouts
01/23/2019

Topic 1. Introduction

 

slides

Topic 2. Software Security Fundamentals

[Mcgraw] Chapter 1
"Top 10 Security Design Flaws"

slides
01/30/2019
Topic 3. Fundation: Risk Management

[Mcgraw] Chapter 2
"Automatic security analysis using security metrics"

slides

Topic 4. Fundation: Touchpoints (I)

[Mcgraw] Chapter 3, 4, 5
"Best Practices for Code Review"
slides
02/06/2019
Topic 5. Fundation: Touchpoints (II)
[Mcgraw] Chapter 6

 

slides
Topic 6. Fundation: Touchpoints (III)
[Mcgraw] Chapter 7, 8, 9
slides
02/13/2019

Topic 7: Secure coding: Buffer Overflow

[Du] Chapter 4
Lab 1: Buffer Overflow Vulnerability (due on 2/20/2019)
slides

Topic 8. Secure coding: Strings
Topic 9. Secure coding: Pointer Subterfuge

[Seacord] Chapters 2&3


slides_string
slides_pointer
02/20/2019
Class cancelled due to inclement weather.
02/27/2019

Topic 9. Secure coding: Pointer Subterfuge (cont)
Topic 10. Secure coding: Dynamic Memory

[Seacord] Chapter 4

HW1 (due on 03/17/2019)

slides_mem

Topic 11. Secure coding: Formatted Output
[Du] Chapter 6
[Seacord] Chapter 6
Lab 2: Format String Vulnerability (due on 3/13/2019)

slides_output

 

03/06/2019

Topic 12. Secure coding: Integer Security

[Seacord] Chapter 5
slides
Topic 13. Secure coding: Race Conditions
[Du] Chapter 7
[Seacord] Chapter 6

Lab 3: Race Condition Vulnerability (due on 3/27/2019)

slides
03/13/2019
No Class (Spring Break)
03/20/2019
Mid-term Exam
03/27/2019

Mid-term review
Topic 14. Secure coding: Web Security

[Du] Chapter 9, 10
[Seacord] Chapter 7

Lab 4: XSS attacks (due on 4/13/2019)

slides
04/03/2019
Topic 15: Secure coding: Return-to-libc
[Du] Chapter 5
Lab 5: Return-to-Libc Attack (due on 4/21/2019)
slides
Topic 16: Secure coding: Dirty COW
[Du] Chapter 8

Lab 6: Dirty COW Attack(due on 5/03/2019)

slides
04/10/2019
Topic 17. Program Analysis: Basics
Topic 18. Program Analysis: Dynamic Analysis
"Control-Flow Integrity: Principles, Implementations, and Applications"
 
slides
slides
04/17/2019

Topic 18. Program Analysis: Dynamic Analysis (cont)

Topic 19. Program Analysis: Static Analysis

"Valgrind: A Framework for Heavyweight Dynamic Binary Instrumentation"
"Tutorial: Static Analysis and Dynamic Testing of Computer Software"

 
slides
04/24/2019
Topic 20. Program Analysis: Symbolic Analysis
"All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution"
HW2 (due on 05/05/2019)
slides
05/01/2019
Topic 21. Virtual Machine Introspection
"SoK: Introspections on Trust and the Semantic Gap"
 
slides

Honor Code

Students are required to follow George Mason Univeristy's Honor Code.

Students with Disabilities

Any student with a disability needing academic adjustments or accommodations should contact the instructor immediately.

Acknowledgement

This course includes materials provided by Dr. Kevin Du (Syracuse University), Dr. Michael Hicks (University of Maryland), Dr. Xiangyu Zhang (Purdue University), and Zhiqiang Lin (OSU).