People
Syllabus
Notes
Labs

CS 390S: Secure Programming

This is a one-credit class to familiarize you with ways to avoid repeating common programming mistakes. As the sister class to CS354, we will pay special attention to operating system calls that are difficult to use correctly, and point out the safer ones. In general, the role of the operating system in supporting secure programming will be emphasized, with Linux and Windows examples. No book purchase is required, as the material is entirely provided on slides. We will focus on the analysis of assumptions and invariants in code and their validation with correct programming practices, and not on exploits; students interested in how the exploits work should consult "Secure Coding in C/C++" (Seacord 2005, Addison-Wesley) while taking this class.

Topics covered

  • Buffer overflows
  • Format strings
  • Code Injection and input validation
  • Cross-site scripting vulnerabilities
  • Links and race conditions
  • Temporary files and randomness
  • Canonicalization and directory traversal
  • Shell and environment
  • Resource exhaustion vulnerabilities
  • Trust management

Syllabus

Cr. 1 Concurrent or prior registration in CS 354 is required. CS majors may use this course only as a free elective.

Instructor

Pascal Meunier, Ph.D., M.Sc., CISSP

Schedule

Lecture: W 10:30-11:20pm, UNIV 101

References

The materials used in this class will be a selection of the class material available from module 1, and all of module 2.

Goal

After successfully completing this course:
  • You will be familiar with the most frequent programming errors and negligences leading to vulnerabilities.

Course Organization

The course consists of mixed lecture and lab sessions, as well as two in-class quizzes.

Lists and Announcements:

All announcements will be sent via email. It is important that you add yourself to the cs390s mailing list. From your CS account type:
"mailer add me to cs390s"

To verify that you are on the list you may type

"mailer list cs390s"
To get help with the mailer program type "mailer help" or "man mailer".

Grade Distribution

The final grade will be 50% for the two quizzes, and 50% for the projects. The projects will consist of a number of quick mini-labs and 2 longer labs. Half of the class will get an A and the other half a B. Attendance at the quizzes is necessary to pass this class.
First Quiz: date to be decided in class
Last Quiz: last class before dead week
No Final exam
Fall 2004 web site
Validate HTML