Syllabus for SWE 681 001 / ISA 681 001 - Fall 2013

What is this course?

GMU Catalog: “Theory and practice of software security, focusing in particular on some common software security risks, including buffer overflows, race conditions and random number generation, and on identification of potential threats and vulnerabilities early in design cycle. Emphasizes methodologies and tools for identifying and eliminating security vulnerabilities, techniques to prove absence of vulnerabilities, ways to avoid security holes in new software, and essential guidelines for building secure software: how to design software with security in mind from the ground up and integrate analysis and risk management throughout the software life cycle.”

People around the world now depend vitally on computers for their health and well-being. Unfortunately, this software can often be exploited by attackers, resulting in terrible harm. This class will study how to develop software that is far more resistant to attack, in particular, how to prevent many vulnerabilities from being in the software in the first place. The goal of the class is to prepare you to be able to develop software that is far more secure, and to prepare you to help others do the same.

This is an extremely practical class. We will cover theory and principles, but we will also cover many specifics so you can apply these principles in the real world. If you cannot apply the theory, then you understand neither the theory nor the practice. What’s more, I want you to have experience in trying to convince others to change their behavior; that is absolutely necessary to get more secure software worldwide.

This class focuses on defense, not on attack. We’ll discuss attack to some extent, but only enough to help us understand how to defend. Most software security problems stem from the same small set of types of vulnerabilities (aka weaknesses), so we will spend a lot of time learning about these common weaknesses and how to counter them. We will also cover general designs and techniques for securing software designs and implementations.

Key Information

Class: SWE 681 / ISA 681 Secure Software Design and Programming
Professor: Dr. David A. Wheeler. Email dwheele4 at gmu *dot* edu (no “r”). 703-845-6662. GMU email is my preferred method, but call if you are in a hurry. Office hours by appointment only.
Possible Guest Lecturer: Dr. Reg Meeson.
Class Hours & Location: Wednesdays, 7:20 pm - 10:00 pm, Innovation Hall 136
Prerequisites: SWE 619 or permission of instructor. Must be able to read C and Java and must be able to develop software.
Class website: Use Blackboard 9.1. Log in to mymasonportal.gmu.edu, select the “Sources” tab, and select “ISA-681-001 / SWE-681-001” (for this semester)

To get to the course website, use your web browser to view http://www.gmu.edu. Click on Students (at the top right), then click on “My Mason” (in the middle-left). Log in to “myMason”. On the top right, click on the “Courses” tab (next to the “Home” tab). Click on “SWE-681-001 / ISA-681-001 for this semester”.

Do not use “http://mason.gmu.edu/~dwheele4/swe681/” as that is an obsolete site.

The syllabus, including the schedule and topics to be covered, is subject to change, but I will notify you of any changes.

Reading List

Here is the current reading list (the first two are the required textbooks, the rest are required articles):

You may find some useful topic ideas in: Goertzel et al, Software Security Assurance State of the Art Report, May 2007.

Prerequisites

You must be able to write programs. This is a practical class for developing programs, and you’ll have a programming project as part of the class.

You must be able to read and understand programs in both Java and C. The principles are language-independent, but I have to pick some languages so we can discuss specific examples. Java and C are two of the top programming languages according to the TIOBE programming community index; using both lets us examine a variety of real-world issues with widely-used languages. In particular, C lets us examine issues that can only occur in memory-unsafe languages (e.g., C, C++, and Objective-C), while Java lets us examine issues that can still occur in memory-safe languages. Some students have had success learning C simultaneously, but plan to spend a lot of extra time if you do that. You’ll need to be able to understand both Java and C code for the mid-term exam, and I can’t be a language tutor.

Schedule

The lectures will cover the key issues and explain some things that might not be clear otherwise. However, you are responsible for reading and understanding the material in the assigned readings (and not just knowing what’s in the lectures). Note that there is a significant amount of reading, especially in the first half of the course; we then move into more specialized topics and application.

First actual class date is August 28, 2013; the last actual class day is December 11. The last class has a slightly different time (7:30 pm - 10:15 pm) and will be used for final project presentations (this is the time assigned for final examinations). I routinely check the list of “non-work” religious holidays maintained by GMU. In this semester, on 2013-11-13 we have Ashura (10th day of Muharram, an Islamic holiday), but that is just a lecture day; the presentation slides will be available to you.

2013-08-28 1: Introduction (including integrating risk management); Wheeler chapters 1,2,3, Chess/West chapter 1; Software Assurance Using Structured Assurance Case Models.
2013-09-04 2: Input validation and regular expressions (including whitelists); Wheeler chapter 5 (includes regular expressions), Chess/West chapter 5.
2013-09-11 3: Buffer Overflows; Wheeler chapter 6, Chess/West chapters 6, 7, Aleph, Cowan, Pincus papers.
2013-09-18 4: Design for security and least privilege (including race conditions); Wheeler chapter 7, Chess/West chapter 12, Saltzer & Schroeder (glossary and part I “basic principles” - see the “design principles” in particular!!), and McGraw’s discussion of S&S.
2013-09-25 5: Calling out to other resources (databases/SQL injection, other injection); Wheeler chapter 8, review Chess/West section 5.3.
2013-10-02 6: Output (send information back judiciously), Web Application Vulnerabilities (XSS, CSRF, etc.), and top vulnerability lists; Wheeler chapter 9, Chess/West chapter 9,10. Read the SANS Top 25 and SwA Pocket Guides (these supplement and fill in previous materials) and the OWASP XSS cheatsheet. Minor assignment due. Must have topic selected.
2013-10-09 Mid-term exam: Closed book; will include multiple choice, matching regular expressions, at least one essay, and you’ll need to find vulnerabilities in C and Java programs. I strongly encourage you to have your project group and game selected by this point.
2013-10-16 7: Cryptography: Privacy, secrets, random numbers, and password hashing, and implementing authentication and access control. Wheeler chapter 11.1 through 11.6, Chess/West chapter 11. Must have project group and project (game) selected.
2013-10-23 Topic presentations (you present!).
2013-10-30 Topic presentations (you present!). Topic papers due.
2013-11-06 8: Error Handling and Language-specific issues; Chess/West chapter 8; Wheeler chapter 9 (9.1, 9.2, 9.3 only), 10. Newsham. Also, any topic presentations that could not be done earlier.
2013-11-13 9: Tools (static and dynamic analysis)
2013-11-20 10: Miscellaneous topics - part 1. This includes open source software, formal methods (which allow you to prove properties of specifications or even programs), and countering malicious tools/compilers. Wheeler chapter 11.6, “Fully Countering Trusting Trust through Diverse Double-Compiling” (abstract, chapter 1, and chapter 4).
2013-11-27 Thanksgiving break.
2013-12-04 10: Miscellaneous - part 2. Final class discussion.
2013-12-11, 7:30pm - 10:15pm Project due (documentation and source code). Documentation must briefly explain its design and why you think it’s secure (its assurance case). Project presentations (~5 min each), giving a live demo (to show that it works) and briefly explaining why you think it’s secure (the assurance case highlights). This is the exam time for the class.

Grading

Minor Assignment (5%): Pick a known vulnerability in a specific program from the NIST SAMATE Reference Dataset (SRD) or similar source. Please look at several examples before you pick one to write about (you can click on a test case id to see its specifics)! Do not just pick the first one in the list, but try to be a little more random; I do not want to read about the same one from everyone. Then write a short (1-2 page) paper showing the vulnerable code snippet, explaining the vulnerability (where is the vulnerability? why is it vulnerable? what kind of vulnerability is it?), and explaining how it could be fixed (give specifics). Be sure to cite your source(s). This is intended to be an easy assignment to give you early experience looking at programs with vulnerabilities. Looking at vulnerable programs, with information on why they’re vulnerable, can help you find vulnerabilities in other programs... and is great practice for the mid-term.
Mid-term exam (30%): Covers everything up to that point.
Topic Paper and Presentation (25%): A 4-5 page paper on a class-related topic (15%) and matching 5-minute presentation (10%). Everyone’s topic must be different. The purpose of the paper is to give you a little more depth in some specific topic. The purpose of the presentation is to give you experience in being an effective advocate for others to do (or not do) something, to improve security. See below.
Programming Project (40%): Create a secure game, in teams of 1-3 people. I strongly encourage pairs and I discourage trios. Please get to know your classmates so you can pick a partner you can work with. This is a critical part of the course, because it gives you experience in applying the concepts. By working in pairs, you can easily review each other’s work, and reduce the effort too.

Do not turn in materials late. Penalty is 10%/day and they won’t be accepted after three days (except for unexpected health/family emergencies or special permission).

Topic Paper/presentation

You must write a 4-5 page paper on a class-related topic and give a matching 5-minute presentation to the class. Everyone’s topic must be different; first come, first served. It can be something covered in class. The paper needs at least two citations/references.

The topic paper and presentation must present and plausibly advocate some specific actions to take (or avoid) to produce more secure software. For example:

  1. If your topic is a particular type of vulnerability, explain what it is, but you must also explain at least one way to counter that vulnerability (more than one is fine; then briefly compare/contrast them). If you fail to describe and advocate at least one specific approach to avoid having these vulnerabilities, you will lose points.
  2. If your topic is developing secure software in a particular programming language, you need to describe and advocate specific constructs to use/avoid (and explain why). In these kinds of papers, just put in a sentence like “The general principles of developing secure software apply to this programming language; this paper describes some of the specific issues in language XYZ”, and then just focus on the key issues specific to that language.
  3. If your topic is a particular attack or security incident, you need to give the “lessons learned” on specific actions a software developer or manager should take or avoid, so that that type of attack/incident would not be successful or as damaging.

Everyone must give a brief 5-minute presentation to the class on their topic. This presentation must try to convince the listener to do (or not do) something to produce more secure software. We will all learn from these presentations, but that is not the only reason I’m requiring presentations. There is only one of me, and I cannot possibly teach everyone in the world about secure software development. However, if you can learn to change the behavior of others, then together we can make a difference. You must dress up when giving your topic presentation (e.g., ties/slacks for gentlemen, skirts/dresses for ladies). That may seem odd, but I am trying to approximate a more formal professional setting that may include technical managers (who may control the budgets for doing or not doing something). Being able to write secure code is vital, but being able to convince others to change behavior is also vital (especially if they control a budget!). I want everyone to have the experience of advocating to a group, in a simulated “professional” setting, some action that you hope will improve software security. It won’t hurt, and that way, you’ll be more prepared to do it in real life.

I do not expect the paper or presentation to be original research. Instead, I expect you to summarize some specific topic, organizing the information from multiple sources into an understandable and actionable form. You must, of course, cite your sources per the honor code.

If you report exact measurements, use the correct units. In particular, do not use base-10 prefixes when you mean a binary prefix. A gigabyte (GB) is exactly 10^9 bytes; if you mean exactly 2^30 bytes, then that is a gibibyte (GiB), not a gigabyte. The NIST page on binary prefixes explains more if you aren’t familiar with binary prefixes. Binary prefixes are supported by ISO, IEC, IEEE, U.S. NIST, and the International Bureau of Weights and Measures (BIPM); the European Union (EU) has required the use of the IEC binary prefixes since 2007. By law, base-10 prefixes only mean base-10 in the U.S., and several companies have lost court cases or had to accept out-of-court settlements because they used base-10 prefixes (Willem Vroegh v. Eastman Kodak Company, Orin Safier v. Western Digital Corporation, and Cho v. Seagate Technology (US) Holdings, Inc.). If you’re being vague (“I have several gigabytes of memory”) it doesn’t matter, but when you’re giving specific measurements it matters. Measured values have gotten larger over the last several decades, and so the errors between base-10 and base-2 prefixes have increased.

Other information

In class, please pay attention and don’t distract others. Please configure cell phones to vibrate in class.

Please talk to me ahead-of-time if you have an anticipated absence that will interfere with the mid-term, your topic presentation, or final presentation, e.g., a non-work religious holiday, out-of-town work travel, or GMU athletic meet. I can easily reschedule topic presentations; the others are much harder. Don’t bother telling me if you’ll miss other class times; I strongly recommend class attendance, but I understand if work, family, or other commitments sometimes make that difficult to do. You can always turn in work early (e.g., if the deadline conflicts with a religious holiday).

Important information for any GMU class

Academic Integrity (Honor Code)

GMU is an Honor Code university; please see the University Catalog for a full description of the code and the honor committee process. The principle of academic integrity is taken very seriously and violations are treated gravely. What does academic integrity mean in this course? Essentially this: when you are responsible for a task, you will perform that task. When you rely on someone else’s work in an aspect of the performance of that task, you will give full credit in the proper, accepted form. Another aspect of academic integrity is the free play of ideas. Vigorous discussion and debate are encouraged in this course, with the firm expectation that all aspects of the class will be conducted with civility and respect for differing ideas, perspectives, and traditions. When in doubt (of any kind) please ask for guidance and clarification. Do not plagiarize. See the Computer Science Honor Code policies for more.

GMU Email Accounts

Students, please use your Mason email accounts (or other GMU facilities) to send and receive important University information, including messages related to this class. Please use the instructor’s email address for class questions. If GMU’s email system messes up, that’s GMU’s problem; if outside emails never get to GMU (or me), that’s not GMU’s (or my) problem. This also helps compliance with student privacy laws.

Office of Disability Services (ODS)

If you are a student with a disability and you need academic accommodations, it’s nice to let me know as a courtesy, but you must contact the Office of Disability Services (ODS) at 993-2474 or http://ods.gmu.edu. All academic accommodations must be arranged through the ODS, not through me. If you qualify for accommodation, the ODS staff will give you a form detailing appropriate accommodations for your instructor (me); please bring that form to me.

This syllabus is version 2013-08-15.