As soon as we started programming, we found to our surprise that it wasn't as easy to get programs right as we had thought. Debugging had to be discovered. I can remember the exact instant when I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs. -- Maurice Wilkes (1949)

SWE 781/ISA 681 - Fall 2010 Syllabus

This class web page at http://mason.gmu.edu/~dwheele4/swe781 also serves as the class syllabus.

Overview

This class will provide the theory and practice of software security, focusing in particular on some common software security risks, including buffer overflows, race conditions and random number generation, and on the identification of potential threats and vulnerabilities early in the design cycle. The emphasis is on methodologies and tools for identifying and eliminating security vulnerabilities, techniques to prove the absence of vulnerabilities, and ways to avoid security holes in new software and on essential guidelines for building secure software: how to design software with security in mind from the ground up and to integrate analysis and risk management throughout the software life cycle.

The goal of the class is to prepare you to be able to develop software with far fewer security vulnerabilities than is typical today, and to prepare you to help others do the same.

Why Bother?

People around the world now depend vitally on computers for their health and well-being. Unfortunately, vulnerabilities in their software can be exploited to dangerous ends, resulting in terrible harm. This class will study how to prevent these vulnerabilities from being in the software in the first place.

Key Information

Class:	SWE 781 / ISA 681 Secure Software Design and Programming
Professor:	Dr. David A. Wheeler
Office:	By appointment only
Email:	dwheele4 at gmu, dot, edu (no "r"; don't use my other email addresses for GMU class email)
Class Hours/Location:	T 4:30P to 7:10P, Engineering Building 1107
Prerequisites:	SWE 619 or permission of instructor. Must be able to read C and Java.
Class website:	http://mason.gmu.edu/~dwheele4/swe781

Reading List

Schedule

The lectures will cover the key issues and explain some things that might not be clear otherwise. However, you are responsible for reading and understanding the material in the assigned readings (and not just knowing what's in the lectures). See the page on assignments for more about them.

Sep 2	Lecture 1 - Introduction; Chess/West chapter 1, Wheeler chapters 1,2,3
Sep 9	Lecture 2 - Attacker Overview
Sep 16	Lecture 3 - Input Validation; Chess/West chapter 5, Wheeler chapter 5
Sep 23	Lecture 4 - Buffer Overflows; Chess/West chapters 6, 7; Wheeler chapter 6, Aleph, Cowan, Pincus papers
Sep 30	Lecture 5 - Error Handling; Chess/West chapter 8; Wheeler chapter 9 (9.1, 9.2, 9.3 only); Minor Assignment 1 due
Oct 7	Lecture 6 - Privacy, Secrets, and Cryptography; Chess/West chapter 11; Wheeler chapter 11 (11.3, 11.4, 11.5 only); propose a topic for topic presentation (1-2 sentences)
Oct 14	Lecture 7 - Implementing Authentication and Access Control, Major assignment introduction
Oct 21	Mid Term Exam
Oct 28	Lecture 8 - Web Application Vulnerabilities; Chess/West chapter 9,10. Major project teams (and what they will do) should be decided.
Nov 4	Lecture 9 - Secure Programming Best Practices; Chess/West chapter 12; Wheeler chapters 7,8,9,10. (There is no longer a Minor Assignment 2.)
Nov 11	Lecture 10 - Static Code Analysis and Runtime Analysis
Nov 18	Topic Presentations (you present!); Major Assignment Stage Check DUE
Nov 24	NO CLASS (Thanksgiving recess)
Dec 2	Topic Presentations (you present!)
Dec 9	TBD (Virtual Machines, Usability [phishing], E-Voting, Privilege Separation, Java Security, Network Security & Worms)
Dec 16	Major Project Presentations and Project Due. (This is the exam period.)

NOTE: On the first day of class I listed two minor assignments, but warned that I might drop one. I have now dropped one, so there is only one minor assignment. The 10% of the grade from the dropped minor assignment has been distributed among the mid term exam and the major project. See the changes list for more info.

There may be some further changes as we go along. In particular, some material may be discussed in a different order or moved earlier/later. The slides were originally developed by Ron Ritchey, and I expect to make changes to the slides as we go along. See the GMU Fall 2010 Semester calendar for the pan-GMU schedule.

Grading

Minor Assignment	10%
Mid Term Exam	35%
Topic Presentation	20%
Major (End-of-Semester) Project	35%

Other information

Talk to me ahead-of-time if you have an anticipated absence that will interfere with class (especially the mid-term exam), e.g., a non-work religious holiday, out-of-town travel for work, GMU athletic meet, and so on.

If you have a learning or physical difference that may affect your academic work, you will need to furnish appropriate documentation to the Office of Disability Services (ODS); you can contact them at http://ods.gmu.edu or at 703-993-2474. If you qualify for accommodation, the ODS staff will give you a form detailing appropriate accommodations for your instructor (me).

In class, please pay attention and don't distract others. Please configure cell phones to vibrate, and if you use a laptop to take notes, please don't surf the net (unless told otherwise).

Credits

My thanks to Ron Ritchie who developed much of the course organization and lecture slides.