CS 390S: Secure Programming

Slides will be posted on the same day as the class.

January 10: Introduction to Secure Programming
Special Guest: Scott David Miller, Ph.D. student and Arxan employee
Also: Vulnerability definitions and secure programming resources
Week 1 (pdf)
Week 1 (powerpoint)
Scott's slides (pdf)
Scott's slides (powerpoint)

January 17: Lab 1. Buffer Overflows Part 1
Week 2 (pdf)
Week 2 (powerpoint)
Submitted links:
Secure Programming.com
Anti-Virus Defence (sic) In Depth (securityfocus.com)
Defense in Depth (Wikipedia)

January 24: Buffer Overflows Part 2
Week 3 (pdf)
Week 3 (powerpoint)

January 31: Format String Vulnerabilities and Integer Overflows
Week 4 (pdf)
Week 4 (powerpoint)

February 7: Shells and Environment, Lab 2
Week 5 (pdf)
Week 5 (powerpoint)
Lab 1 is due!

February 14: Snow storm, classes cancelled

February 21: Exec calls, Trust
Week 7 (pdf)
Week 7 (powerpoint)
CWE coverage starts now! Issues covered:
    - Trust Boundary Problems
        - "Inconsistent validation mechanisms"
            - Same source handled differently in different code locations
            - At different times
            - In different circumstances
            - From different sources
                - Authentication Bypass by Alternate Path/Channel (288)
                - Unprotected Alternate Channel ID 420
        - Ill-defined trust boundaries
        - Trust Boundary Violation (diverges from ID 501 definition)
        - Misplaced or Absent Trust Boundaries
            - Self-reported information
                - "Trusting self-reported IP address", ID 291
                - "Trusting self-reported DNS name", ID 292
                - Using referrer field for authentication, ID 293
            - "Trusting the client" no ID
                - "Client-Side Makes Server Security Decisions" no ID
                - "Server trusting client-side-controlled data" no ID
                    - "Trusting Cookie Information" is Use of Cookies ID 565
                    - Web Parameter Tampering, ID 472
                        - Access Control Bypass Through User-Controlled SQL Primary Key, ID 566
            - Trusting Events
                - Trust of system event data ID 360
                - Unprotected Windows Messaging Channel ('Shatter') ID 422
    - Cryptographic Trust Assurance
        - Certificate Issues, ID 295
            - Failure to follow chain of trust in certificate validation ID 296
            - "Failure to validate host-specific certificate data" ID 297
            - No OpenSSL Certificate Check Performed before this Use ID 599
            - Failure to validate certificate expiration (298)
            - Failure to check for certificate revocation (299)
            - Race condition in checking for certificate revocation (370)
        - Use of Encrypted Cookies
            - Counterexample: Plaintext Storage in Cookie, ID 315 (different perspective on ID 565, but essentially the same mistake)

February 28: Mid-term
Does not include material seen on February 21. Remember, taking the mid-term is mandatory for a passing grade...

March 7: Meta-character vulnerabilities and code injection
Week 9 (pdf)
Week 9 (powerpoint)
CWE coverage:
Special elements (characters or reserved words), CWE ID 138
   Quoting elements " ' (149)
   Control characters and escape sequences (150)
   Delimiters (tabs, commas, etc...) (140)
   Input terminators (147)
   Wildcards (155)
   Comment element (151)
   dot dot and more
   
Code Injection attacks, CWE ID 77
   Shell commands, CWE ID 77
   SQL, CWE ID 89
   XPATH (no CWE ID yet)
   Custom special character injection, CWE ID 92
   Escape, meta, or control character/sequence, CWE ID 150
   LDAP, CWE ID 90
   Direct dynamic code evaluation, CWE ID 95
   
Input cleansing
   Collapse of Data into Unsafe Value (182)
      Path Issue - doubled dot dot slash - '....//' (34)
      Path Issue - doubled triple dot slash - '.../...//' (35)
      
Escaping and Encoding Issues
   URL-encoding, CWE ID 177
   Unicode, CWE ID 176
   Alternate Encoding, CWE ID 173
   Double Encoding, CWE ID 174

March 14: Spring Break

March 21: Web Applications: JavaScript Injection (a.k.a. XSS, Cross-site scripting vulnerabilities)
Week 10 (pdf)
Week 10 (powerpoint)

Cross-site Scripting Vulnerabilities (ID 79)
Cross-site request forgeries (attack type, ID 352)
Session fixation (ID 384)

March 28: Race Conditions (Lab 2 due! Last mini-lab)
Week 11 (pdf)
Week 11 (powerpoint)

Signal handler race condition (364)
Race condition in switch (365)
Race condition within a thread (366)
Time-of-check Time-of-use race condition (367)
Context Switching Race Condition (368)
Concurrency Issues (557)
Link Following (59)
   Windows Shortcut Following (.LNK) (64)
   UNIX symbolic link (symlink) following (61)
   UNIX hard link (62)
   Windows hard link (65)

April 4: File System Issues: Links, Directory Crawls, and Race Conditions
Week 12 (pdf)
Week 12 (powerpoint)

Improper temporary file opening, ID 378
Privilege Dropping / Lowering Errors, ID 271

April 11: Randomness and Canonicalization (Last mini-lab due!)
Week 13 (pdf)
Week 13 (powerpoint)

Also look at the canonicalization slides at http://projects.cerias.purdue.edu/secprog/class2/7.Canon_&_DT.pdf


April 18: Last Exam

April 25: Solution to last exam, grades, discussions

Remember, there is no final, regardless of whether a final is scheduled by Purdue.