As soon as we started programming, we found to our surprise that it wasn't as easy to get programs right as we had thought. Debugging had to be discovered. I can remember the exact instant when I realized that a large part of my life from then on was going to be spent in finding mistakes in my own programs. -- Maurice Wilkes (1949)
GMU Catalog: "Theory and practice of software security, focusing in particular on some common software security risks, including buffer overflows, race conditions and random number generation, and on identification of potential threats and vulnerabilities early in design cycle. Emphasizes methodologies and tools for identifying and eliminating security vulnerabilities, techniques to prove absence of vulnerabilities, ways to avoid security holes in new software, and essential guidelines for building secure software: how to design software with security in mind from the ground up and integrate analysis and risk management throughout the software life cycle."
People around the world now depend vitally on computers for their health and well-being. Unfortunately, vulnerabilities in their software can sometimes be exploited, resulting in terrible harm. This class will study how to prevent these vulnerabilities from being in the software in the first place. The goal of the class is to prepare you to be able to develop software with far fewer security vulnerabilities than is typical today, and to prepare you to help others do the same.
This is an extremely practical class. We will cover principles, but we will also cover many specifics so you can apply these principles in the real world. If you cannot apply the theory, you understand neither the theory nor the practice. What's more, I want to have experience trying to convince others to change their behavior to produce more secure software.
This classes focuses on defense, not on attack. We'll discuss attack to some extent, but only enough to help us understand how to defend. Most software vulnerabilities are due to the same small set of weaknesses, so we will spend a lot of time on understanding these common weaknesses and how to counter them. We will also cover general designs and techniques for countering vulnerabilities in general.
|Class:||SWE 781 / ISA 681 Secure Software Design and Programming|
|Professor:||Dr. David A. Wheeler. Email dwheele4 at gmu *dot* edu (no "r"). 703-845-6662. Office hours by appointment only.|
|Possible Guest Lecturer:||Dr. Ed Schneider.|
|Teaching Assistant:||Thabat Kacem, tkacem at gmu *dot* edu (he has taken this class!)|
|Class Hours & Location:||Thursdays, 7:20 pm - 10:00 pm, Innovation Hall 204, Aug 30, 2012 - Dec 13, 2012|
|Prerequisites:||SWE 619 or permission of instructor. Must be able to read C and Java and must be able to develop software.|
|Class website:||Use Blackboard 9.1. Log in to mymasonportal.gmu.edu, select the "Sources" tab, and select "ISA-681-001 / SWE-781-001 (Fall 2012)"|
To get to the course website, use your web browser to view http://www.gmu.edu. Click on Students (at the top right), then click on "My Mason" (in the middle-left). Log in to "myMason". On the top right, click on the "Courses" tab (next to the "Home") tab. Click on "SWE-781-001 / ISA-681-001 (Fall 2012)".
Do not use "http://mason.gmu.edu/~dwheele4/swe781/" as that is an obsolete site.
The syllabus, including the schedule and topics to be covered, is subject to change, but I will notify you of any changes.
Here is the current reading list (the first two are the required textbooks; the second one is free online):
You may find some useful topic ideas in: Goertzel et al, Software Security Assurance State of the Art Report, May 2007.
The textbook "Secure Programming with Static Analysis" is available for free online through GMU's Safari Books account. Go to the GMU library e-Books@Mason page, click "Safari Books Online", enter your GMU email username/password, and search for the title of the book.
You must be able to write programs. This is a practical class for developing programs, and you'll have a programming project as part of the class.
You must be able to read and understand programs in both Java and C. The principles are language-independent, but I have to pick some languages so we can work out examples. Java and C are the top two programming languages according to the TIOBE programming community index for August 2012, and using both lets us examine a variety of real-world issues. Some students have had success learning C simultaneously, but plan to spend a lot of extra time if you plan to do that. You'll need to be able to understand both Java and C code for the mid-term exam, and I can't be a language tutor.
The lectures will cover the key issues and explain some things that might not be clear otherwise. However, you are responsible for reading and understanding the material in the assigned readings (and not just knowing what's in the lectures). We meet Thursdays, Aug 30, 2012 - Dec 13, 2012, with a Thanksgiving recess break Nov. 21-25. We are not affected by the Columbus day recess. Note that there is a significant amount of reading, especially in the first half of the course; we then move into more specialized topics and application.
|2012-08-30||Introduction (including integrating risk management); Wheeler chapters 1,2,3, Chess/West chapter 1.||2012-09-06||Input Validation and Regular Expressions; Wheeler chapter 5 (includes regular expressions), Chess/West chapter 5,|
|2012-09-13||Buffer Overflows; Wheeler chapter 6, Chess/West chapters 6, 7, Aleph, Cowan, Pincus papers|
|2012-09-20||Design for security and least privilege (including race conditions); Wheeler chapter 7, Chess/West chapter 12, and Saltzer & Schroeder (glossary and part I "basic principles" - see the "design principles" in particular!!)|
|2012-09-20||Calling out to other resources (including databases / SQL injection defense); Wheeler chapter 8, review Chess/West section 5.3.|
|2012-09-27||Send information back judiciously / Web Application Vulnerabilities (XSS, CSRF, etc.); Wheeler chapter 9, Chess/West chapter 9,10 Minor assignment due|
|2012-10-04||Cryptography: Privacy, secrets, random numbers, and password hashing; Wheeler chapter 11.1 through 11.6, Chess/West chapter 11. Read the SANS Top 25 and SwA Pocket Guides (these supplement and fill in previous materials.) Must have topic selected|
|2012-10-11||Mid-term exam: Closed book; will include multiple choice, matching regular expressions, at least one essay, and you'll need to find vulnerabilities in C and Java programs.|
|2012-10-18||Implementing Authentication and Access Control. Must have project group and game selected|
|2012-10-25||Topic presentations (you present!).|
|2012-11-01||Topic presentations (you present!). Topic papers due.|
|2012-11-08||Error Handling; Chess/West chapter 8; Wheeler chapter 9 (9.1, 9.2, 9.3 only), Newsham.|
|2012-11-15||Static Code Analysis and Runtime Analysis|
|2012-11-22||NO CLASS - Thanksgiving|
|2012-11-29||Miscellaneous topics (including formal methods, CWE, and countering malicious tools/compilers). Wheeler chapter 10, 11.6|
|2012-12-06||Please be available for class, as there may be a guest lecturer (I'll be at ACSAC). If class is cancelled, work on your final project!|
|2012-12-13, 7:30pm - 10:15pm||Project due (documentation and source code). Documentation must briefly explain its design and why you think it's secure (its assurance case). Project presentations (~5 min each), giving a demo (to show that it works) and briefly explaining why you think it's secure (the assurance case highlights). This is the exam time for the class.|
|Minor Assignment||5%||Pick a known vulnerability in a specific program, write a short (1-2 page) paper explaining the vulnerability and how it could be fixed. You'll pick from SAMATE or other sources where the vulnerability is already known. This is intended to be an easy assignment to give you early experience looking at programs with vulnerabilities. Looking at vulnerable programs, with information on why they're vulnerable, can help you find vulnerabilities in other programs.|
|Mid-term exam||30%||Covers everything up to that point.|
|Topic Paper and Presentation||35%||A 4-5 page paper on a class-related topic (25%) and matching 5-minute presentation (10%). Everyone's topic must be different. The purpose of the paper is to give you a little more depth in some specific topic. The purpose of the presentation is to give you experience in being an effective advocate for others to do (or not do) something, to improve security. See below.|
|Programming Project||30%||Create a secure game, in teams of 1-3 people. I strongly encourage pairs. Please get to know your classmates so you can pick a partner you can work with. This is a critical part of the course, because it gives you experience in applying the concepts. By working in pairs, you can easily review each other's work, and reduce the effort too.|
Do not turn in materials late. Penalty is 10%/day and they won't be accepted after three days (except for unexpected health/ family emergencies or special permission).
You must write a 4-5 page paper on a class-related topic and give a matching 5-minute presentation to the class. Everyone's topic must be different; first come, first served. It can be something covered in class. The paper needs at least two citations/references.
The topic paper and presentation must present and plausibly advocate some specific actions to take (or avoid) to produce more secure software. For example:
Everyone must give a brief 5-minute presentation to the class on their topic. This presentation must try to convince the listener to do (or not do) something to produce more secure software. We will all learn from these presentations, but that is not the only reason I'm requiring presentations. There is only one of me, and I cannot possibly teach everyone in the world about secure software development. However, if you can learn to change the behavior of others, then together we can make a difference. You must dress up when giving your topic presentation (e.g., ties/slacks for gentlemen, skirts/dresses for ladies). That may seem odd, but I am trying to approximate a professional setting that may include technical managers (who may control the budgets for doing or not doing something). Being able to write secure code is vital, but being able to convince others to change behavior is also vital (especially if they control a budget!). I want everyone to have the experience of advocating to a group, in a simulated "professional" setting, some action that you hope will improve software security. It won't hurt, and that way, you'll be more prepared to do it in real life.
I do not expect the paper or presentation to be original research. Instead, I expect you to summarize some specific topic, organizing the information from multiple sources into an understandable and actionable form. You must, of course, cite your sources per the honor code.
In class, please pay attention and don't distract others. Please configure cell phones to vibrate in class, and if you use a laptop to take notes, please don't surf the net during class (unless told otherwise). Talk to me ahead-of-time if you have an anticipated absence that will interfere with class (especially the mid-term exam), e.g., a non-work religious holiday, out-of-town work travel, or GMU athletic meet.
GMU is an Honor Code university; please see the University Catalog for a full description of the code and the honor committee process. The principle of academic integrity is taken very seriously and violations are treated gravely. What does academic integrity mean in this course? Essentially this: when you are responsible for a task, you will perform that task. When you rely on someone else's work in an aspect of the performance of that task, you will give full credit in the proper, accepted form. Another aspect of academic integrity is the free play of ideas. Vigorous discussion and debate are encouraged in this course, with the firm expectation that all aspects of the class will be conducted with civility and respect for differing ideas, perspectives, and traditions. When in doubt (of any kind) please ask for guidance and clarification. Do not plagiarize. See the Computer Science Honor Code policies for more.
Students, please use your Mason email accounts to send and receive important University information, including messages related to this class. Please use the instructor's email address for class questions. If GMU's email system messes up, that's GMU's problem; if outside emails never get to GMU (or me), that's not GMU's (or my) problem.
If you are a student with a disability and you need academic accommodations, it's nice to let me know as a courtesy, but you must contact the Office of Disability Services (ODS) at 993-2474 or http://ods.gmu.edu. All academic accommodations must be arranged through the ODS, not through me. If you qualify for accommodation, the ODS staff will give you a form detailing appropriate accommodations for your instructor (me), please bring that form to me.
This syllabus is version 2012-08-30.