GMU Catalog: "Theory and practice of software security, focusing in particular on some common software security risks, including buffer overflows, race conditions and random number generation, and on identification of potential threats and vulnerabilities early in design cycle. Emphasizes methodologies and tools for identifying and eliminating security vulnerabilities, techniques to prove absence of vulnerabilities, ways to avoid security holes in new software, and essential guidelines for building secure software: how to design software with security in mind from the ground up and integrate analysis and risk management throughout the software life cycle."
People around the world now depend vitally on computers for their health and well-being. Unfortunately, vulnerabilities in their software can sometimes be exploited, resulting in terrible harm. This class will study how to prevent these vulnerabilities from being in the software in the first place. The goal of the class is to prepare you to be able to develop software with far fewer security vulnerabilities than is typical today, and to prepare you to help others do the same.
This is an extremely practical class. We will cover theory and principles, but we will also cover many specifics so you can apply these principles in the real world. If you cannot apply the theory, you understand neither the theory nor the practice. What's more, I want you to have experience trying to convince others to change their behavior to produce more secure software.
This class focuses on defense, not on attack. We'll discuss attack to some extent, but only enough to help us understand how to defend. Most software vulnerabilities are due to the same small set of weaknesses, so we will spend a lot of time on understanding these common weaknesses and how to counter them. We will also cover general designs and techniques for countering vulnerabilities.
Class: SWE 781 / ISA 681 Secure Software Design and Programming
Professor: Dr. David A. Wheeler. Email dwheele4 at gmu *dot* edu (no "r"). 703-845-6662. Office hours by appointment only.
Possible Guest Lecturer: Dr. Ed Schneider.
Teaching Assistant: Thabat Kacem, tkacem at gmu *dot* edu (he has taken this class!)
Class Hours & Location: Wednesdays, 7:20 pm - 10:00 pm, Enterprise Hall 276
Prerequisites: SWE 619 or permission of instructor. Must be able to read C and Java and must be able to develop software.
Class website: Use Blackboard 9.1. Log in to mymasonportal.gmu.edu, select the "Sources" tab, and select "ISA-681-001 / SWE-781-001" (for this semester).
To get to the course website, use your web browser to view http://www.gmu.edu. Click on Students (at the top right), then click on "My Mason" (in the middle-left). Log in to "myMason". On the top right, click on the "Courses" tab (next to the "Home" tab). Click on "SWE-781-001 / ISA-681-001 for this semester".
Do not use "http://mason.gmu.edu/~dwheele4/swe781/" as that is an obsolete site.
The syllabus, including the schedule and topics to be covered, is subject to change, but I will notify you of any changes.
Here is the current reading list (the first two are the required textbooks; the second one is free online):
You may find some useful topic ideas in: Goertzel et al, Software Security Assurance State of the Art Report, May 2007.
The textbook "Secure Programming with Static Analysis" is available for free online through GMU's Safari Books account. Go to the GMU library e-Books@Mason page, click "Safari Books Online", enter your GMU email username/password, and search for the title of the book.
You must be able to write programs. This is a practical class for developing programs, and you'll have a programming project as part of the class.
You must be able to read and understand programs in both Java and C. The principles are language-independent, but I have to pick some languages so we can work out examples. Java and C are the top two programming languages according to the TIOBE programming community index for January 2013; using both lets us examine a variety of real-world issues. Some students have had success learning C simultaneously, but plan to spend a lot of extra time if you do that. You'll need to be able to understand both Java and C code for the mid-term exam, and I can't be a language tutor.
The lectures will cover the key issues and explain some things that might not be clear otherwise. However, you are responsible for reading and understanding the material in the assigned readings (and not just knowing what's in the lectures). Note that there is a significant amount of reading, especially in the first half of the course; we then move into more specialized topics and application.
First actual class date is January 23, 2013; the last actual class day is May 8. The May 8 class has a slightly different time (7:30 pm - 10:15 pm) and will be used for final project presentations (this is the time assigned for final examinations). I routinely check the list of "non-work" religious holidays maintained by GMU; in this semester, Passover overlaps (March 26-27th and April 2-3rd), so talk to me so we can schedule your topic presentation appropriately.
2013-01-23 | 1: Introduction (including integrating risk management); Wheeler chapters 1, 2, 3, Chess/West chapter 1. |
2013-01-30 | 2: Input validation and regular expressions (including whitelists); Wheeler chapter 5 (includes regular expressions), Chess/West chapter 5. |
2013-02-06 | 3: Buffer Overflows; Wheeler chapter 6, Chess/West chapters 6, 7, Aleph, Cowan, Pincus papers. |
2013-02-13 | 4: Design for security and least privilege (including race conditions); Wheeler chapter 7, Chess/West chapter 12, Saltzer & Schroeder (glossary and part I "basic principles" - see the "design principles" in particular!!), and McGraw's discussion of S&S. |
2013-02-20 | 5: Calling out to other resources (databases/SQL injection, other injection); Wheeler chapter 8, review Chess/West section 5.3. |
2013-02-27 | 6: Output (send information back judiciously), Web Application Vulnerabilities (XSS, CSRF, etc.), and top vulnerability lists; Wheeler chapter 9, Chess/West chapters 9, 10. Read the SANS Top 25 and SwA Pocket Guides (these supplement and fill in previous materials). GUEST LECTURER. Minor assignment due. Must have topic selected. |
2013-03-06 | Mid-term exam: Closed book; will include multiple choice, matching regular expressions, at least one essay, and you'll need to find vulnerabilities in C and Java programs. I strongly encourage you to have your project group and game selected by this point. |
2013-03-13 | SPRING BREAK |
2013-03-20 | 7: Cryptography: privacy, secrets, random numbers, and password hashing, and implementing authentication and access control. Wheeler chapter 11.1 through 11.6, Chess/West chapter 11. Must have project group and game selected. |
2013-03-27 | Topic presentations (you present!). |
2013-04-03 | Topic presentations (you present!). Topic papers due. |
2013-04-10 | 8: Error Handling and Language-specific issues; Chess/West chapter 8; Wheeler chapter 9 (9.1, 9.2, 9.3 only), 10. Newsham. Also, any topic presentations that could not be done earlier. |
2013-04-17 | 9: Tools (static and dynamic analysis) |
2013-04-24 | 10: Miscellaneous topics (including open source software, formal methods, and countering malicious tools/compilers). Wheeler chapter 11.6, "Fully Countering Trusting Trust through Diverse Double-Compiling" (abstract, chapter 1, and chapter 4). |
2013-05-01 | TBD; this is likely to be a continuation of the previous week. |
2013-05-08, 7:30pm - 10:15pm | Project due (documentation and source code). Documentation must briefly explain its design and why you think it's secure (its assurance case). Project presentations (~5 min each), giving a demo (to show that it works) and briefly explaining why you think it's secure (the assurance case highlights). This is the exam time for the class. |
Minor Assignment | 5% | Pick a known vulnerability in a specific program, write a short (1-2 page) paper explaining the vulnerability and how it could be fixed. You'll pick from SAMATE or other sources where the vulnerability is already known. This is intended to be an easy assignment to give you early experience looking at programs with vulnerabilities. Looking at vulnerable programs, with information on why they're vulnerable, can help you find vulnerabilities in other programs. |
Mid-term exam | 30% | Covers everything up to that point. |
Topic Paper and Presentation | 35% | A 4-5 page paper on a class-related topic (25%) and matching 5-minute presentation (10%). Everyone's topic must be different. The purpose of the paper is to give you a little more depth in some specific topic. The purpose of the presentation is to give you experience in being an effective advocate for others to do (or not do) something, to improve security. See below. |
Programming Project | 30% | Create a secure game, in teams of 1-3 people. I strongly encourage pairs and I discourage trios. Please get to know your classmates so you can pick a partner you can work with. This is a critical part of the course, because it gives you experience in applying the concepts. By working in pairs, you can easily review each other's work, and reduce the effort too. |
Do not turn in materials late. The penalty is 10%/day, and materials won't be accepted after three days (except for unexpected health/family emergencies or special permission).
You must write a 4-5 page paper on a class-related topic and give a matching 5-minute presentation to the class. Everyone's topic must be different; first come, first served. It can be something covered in class. The paper needs at least two citations/references.
The topic paper and presentation must present and plausibly advocate some specific actions to take (or avoid) to produce more secure software. For example:
Everyone must give a brief 5-minute presentation to the class on their topic. This presentation must try to convince the listener to do (or not do) something to produce more secure software. We will all learn from these presentations, but that is not the only reason I'm requiring presentations. There is only one of me, and I cannot possibly teach everyone in the world about secure software development. However, if you can learn to change the behavior of others, then together we can make a difference. You must dress up when giving your topic presentation (e.g., ties/slacks for gentlemen, skirts/dresses for ladies). That may seem odd, but I am trying to approximate a professional setting that may include technical managers (who may control the budgets for doing or not doing something). Being able to write secure code is vital, but being able to convince others to change behavior is also vital (especially if they control a budget!). I want everyone to have the experience of advocating to a group, in a simulated "professional" setting, some action that you hope will improve software security. It won't hurt, and that way, you'll be more prepared to do it in real life.
I do not expect the paper or presentation to be original research. Instead, I expect you to summarize some specific topic, organizing the information from multiple sources into an understandable and actionable form. You must, of course, cite your sources per the honor code.
In class, please pay attention and don't distract others. Please configure cell phones to vibrate in class.
Please talk to me ahead of time if you have an anticipated absence that will interfere with the mid-term, your topic presentation, or the final presentation, e.g., a non-work religious holiday, out-of-town work travel, or a GMU athletic meet. I can easily reschedule topic presentations; the others are much harder. There's no need to tell me if you'll miss other class times; I strongly recommend class attendance, but I understand if work or other commitments make that difficult to do. You can always turn in work earlier than scheduled (e.g., because the deadline conflicts with a non-work religious holiday).
GMU is an Honor Code university; please see the University Catalog for a full description of the code and the honor committee process. The principle of academic integrity is taken very seriously and violations are treated gravely. What does academic integrity mean in this course? Essentially this: when you are responsible for a task, you will perform that task. When you rely on someone else's work in an aspect of the performance of that task, you will give full credit in the proper, accepted form. Another aspect of academic integrity is the free play of ideas. Vigorous discussion and debate are encouraged in this course, with the firm expectation that all aspects of the class will be conducted with civility and respect for differing ideas, perspectives, and traditions. When in doubt (of any kind) please ask for guidance and clarification. Do not plagiarize. See the Computer Science Honor Code policies for more.
Students, please use your Mason email accounts to send and receive important University information, including messages related to this class. Please use the instructor's email address for class questions. If GMU's email system messes up, that's GMU's problem; if outside emails never get to GMU (or me), that's not GMU's (or my) problem.
If you are a student with a disability and you need academic accommodations, it's nice to let me know as a courtesy, but you must contact the Office of Disability Services (ODS) at 993-2474 or http://ods.gmu.edu. All academic accommodations must be arranged through the ODS, not through me. If you qualify for accommodation, the ODS staff will give you a form detailing appropriate accommodations for your instructor (me); please bring that form to me.
This syllabus is version 2013-01-21.