As soon as we started programming, we found to our surprise that it wasn't as easy to get programs right as we had thought. Debugging had to be discovered. I can remember the exact instant when I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs. -- Maurice Wilkes (1949)

Overview

This class will provide the theory and practice of software security, focusing in particular on some common software security risks, including buffer overflows, race conditions and random number generation, and on the identification of potential threats and vulnerabilities early in the design cycle. The emphasis is on methodologies and tools for identifying and eliminating security vulnerabilities, techniques to prove the absence of vulnerabilities, ways to avoid security holes in new software, and essential guidelines for building secure software: how to design software with security in mind from the ground up and how to integrate analysis and risk management throughout the software life cycle.

Syllabus

Professor: Ron Ritchey
Office: Off campus
Office Hours: By appointment
Email: ritchey_ronald@bah.com
Class Hours / Location: T 4:30P to 7:10P, Robinson Hall A243
Prerequisites: SWE 619 or permission of instructor

Reading List

Related Links

Schedule

Sep 1st Introduction (pdf); Chess/West chapter 1; Wheeler chapters 1, 2, 3
Sep 8th Computer Attack Overview
Sep 15th Input Validation; Chess/West chapter 5, Wheeler chapter 5
Sep 22nd Buffer Overflows; Chess/West chapters 6, 7; Wheeler chapter 6; Aleph, Cowan, Pincus papers
Sep 29th Class Cancelled
Oct 6th Error Handling; Chess/West chapter 8; Wheeler chapter 9 (9.1, 9.2, 9.3 only)
Oct 13th Columbus Recess NO CLASS
Oct 20th Mid Term Exam
Oct 27th Mid Term Review / Major Assignment Introduction / Privacy, Secrets, and Cryptography; Chess/West chapter 11; Wheeler chapter 11 (11.3, 11.4, 11.5 only)
Nov 3rd Implementing Authentication and Access Control
Nov 10th Web Application Vulnerabilities; Chess/West chapters 9, 10
Nov 17th Secure Programming Best Practices / Major Assignment Stage Check; Chess/West chapter 12; Wheeler chapters 7, 8, 9, 10
Nov 24th Static Code Analysis and Runtime Analysis
Dec 1st The State of the Art (guest lecture)
Dec 8th TBD (Virtual Machines, Usability [phishing], E-Voting, Privilege Separation, Java Security, Network Security & Worms)
Dec 15th Final Project Presentations

Grading

Minor Assignments 20%
Mid Term Exam 30%
Major Assignment / Final 50%