Syllabus for SWE 781 001 (70704) / ISA 681 001 (75281) - Fall 2011

As soon as we started programming, we found to our surprise that it wasn't as easy to get programs right as we had thought. Debugging had to be discovered. I can remember the exact instant when I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs. -- Maurice Wilkes (1949)

What is this course?

GMU Catalog: "Theory and practice of software security, focusing in particular on some common software security risks, including buffer overflows, race conditions and random number generation, and on identification of potential threats and vulnerabilities early in design cycle. Emphasizes methodologies and tools for identifying and eliminating security vulnerabilities, techniques to prove absence of vulnerabilities, ways to avoid security holes in new software, and essential guidelines for building secure software: how to design software with security in mind from the ground up and integrate analysis and risk management throughout the software life cycle."

People around the world now depend vitally on computers for their health and well-being. Unfortunately, vulnerabilities in their software can sometimes be exploited, resulting in terrible harm. This class will study how to prevent these vulnerabilities from being in the software in the first place. The goal of the class is to prepare you to be able to develop software with far fewer security vulnerabilities than is typical today, and to prepare you to help others do the same.

Key Information

Class: SWE 781 / ISA 681 Secure Software Design and Programming
Professor: Dr. David A. Wheeler. Email dwheele4 at gmu, dot, edu (no "r"). 703-845-6662. Office hours by appointment only.
Guest Lecturer: Dr. Ed Schneider, on 2011-08-29 (first day) and 2011-11-07.
Teaching Assistant: Nan Li, Office hours Thursdays 4-6pm.
Class Hours & Location: Tuesdays 7:20 pm - 10:00 pm, Krug Hall 5, Aug 29, 2011 - Dec 20, 2011
Prerequisites: SWE 619 or permission of instructor. Must be able to read C and Java and must be able to develop software.
Class website: Use Blackboard 9.1. Log in to, select the "Sources" tab, and select "ISA-681-001 / SWE-781-001"

Do not use "" as that is an obsolete site.

Reading List

Here is the current reading list (the first two are the required textbooks; the second one is free online):

As we progress there will probably be some additional reading assignments.


The lectures will cover the key issues and explain some things that might not be clear otherwise. However, you are responsible for reading and understanding the material in the assigned readings (and not just knowing what's in the lectures).

2011-08-30 (guest) Lecture 1 - Introduction; Chess/West chapter 1, Wheeler chapters 1,2,3
2011-09-06 Lecture 2 - Attacker Overview; also read SANS Top 25, SwA Pocket Guides
2011-09-13 Lecture 3 - Input Validation; Chess/West chapter 5, Wheeler chapter 5 (includes regular expressions)
2011-09-20 Lecture 4 - Buffer Overflows; Chess/West chapters 6, 7; Wheeler chapter 6, Aleph, Cowan, Pincus papers
2011-09-27 Lecture 5 - Error Handling; Chess/West chapter 8; Wheeler chapter 9 (9.1, 9.2, 9.3 only), Newsham; Minor Assignment DUE
2011-10-04 Lecture 6 - Privacy, Secrets, and Cryptography; Chess/West chapter 11; Wheeler chapter 11 (11.3, 11.4, 11.5 only). Topic proposal DUE (ungraded; 1-2 sentences; Goertzel may help!), Major assignment introduction.
2011-10-11 Columbus Day recess (Monday classes/labs meet Tuesday. Tuesday classes do not meet this week)
2011-10-18 Mid Term Exam
2011-10-25 Lecture 7 - Implementing Authentication and Access Control. Membership and goal of major project teams DUE (ungraded; just report who).
2011-11-01 Lecture 8 - Web Application Vulnerabilities; Chess/West chapter 9,10, OWASP Top 10. Major assignment stage check DUE (ungraded; short 1-pager on who, what you will do, and how)
2011-11-08 (guest) Lecture 9 - Secure Programming Best Practices; Chess/West chapter 12; Wheeler chapters 7,8,9,10.
2011-11-15 Lecture 10 - Static Code Analysis and Runtime Analysis
2011-11-22 Topic Presentations (you present!)
2011-11-29 Topic Presentations (you present!). Topic papers DUE.
2011-12-06 Topic Presentations (you present!) and "Miscellaneous topics"
2011-12-13 Major Project Presentations and Project DUE. Every project will give a 5 minute presentation/demo of their result. (This is the exam period.)

The schedule and topics to be covered are subject to change. My thanks to Ron Ritchie for many of the original slides. See also the GMU Fall 2011 Semester calendar.


Minor Assignment (5%): Pick a known vulnerability in a specific program, write a short (1-2 page) paper explaining it and how it could be fixed.
Mid Term Exam (30%): Covers everything up to that point.
Topic Paper and Presentation (35%): An 8+ page paper on a class-related topic (25%) and matching 10-minute presentation (10%). Everyone's topic must be different.
Major (End-of-Semester) Programming Project (30%): Create a secure game, in teams of 1-3 people (I encourage pairs).

Do not turn in materials late. The penalty is 10%/day, and they won't be accepted after three days (except for unexpected health/family emergencies or special permission).

Other information

In class, please pay attention and don't distract others. Please configure cell phones to vibrate in class, and if you use a laptop to take notes, please don't surf the net during class (unless told otherwise). Talk to me ahead of time if you have an anticipated absence that will interfere with class (especially the mid-term exam), e.g., a non-work religious holiday, out-of-town work travel, or GMU athletic meet.

Important information for any GMU class

Academic Integrity (Honor Code)

GMU is an Honor Code university; please see the University Catalog for a full description of the code and the honor committee process. The principle of academic integrity is taken very seriously and violations are treated gravely. What does academic integrity mean in this course? Essentially this: when you are responsible for a task, you will perform that task. When you rely on someone else's work in an aspect of the performance of that task, you will give full credit in the proper, accepted form. Another aspect of academic integrity is the free play of ideas. Vigorous discussion and debate are encouraged in this course, with the firm expectation that all aspects of the class will be conducted with civility and respect for differing ideas, perspectives, and traditions. When in doubt (of any kind) please ask for guidance and clarification. Do not plagiarize. See the Computer Science Honor Code policies for more.

GMU Email Accounts

Students must use their Mason email accounts - either the existing "MEMO" system or a new "MASONLIVE" account - to receive important University information, including messages related to this class. See for more information. Please use the instructor's email address for class questions.

Office of Disability Services (ODS)

If you are a student with a disability and you need academic accommodations, please see me and contact the Office of Disability Services (ODS) at 993-2474 or All academic accommodations must be arranged through the ODS. If you qualify for accommodation, the ODS staff will give you a form detailing appropriate accommodations for your instructor (me).

This syllabus is version 2011-09-05.