CS 390S: Secure Programming
Slides will be posted on the same day as the class.January 9: Introduction to Secure Programming & Motivation
Topics:
- Definitions of vulnerabilities, attacks, exploits, exposures, flaws
- Need for secure programming
- MITRE: CVE, CWE, OVAL, CCE
- NIST: NVD (National Vulnerability Database), NIST guides
- NIST CVSS (Common Vulnerability Scoring System)
- CERT, US-CERT
Classes of Vulnerabilities and Attacks (Pascal Meunier) Wiley Handbook of Science and Technology for Homeland Security (distributed in class, or by email). You should read the first 4 pages this week and be done reading it by the mid-term.
January 16: Secure Programming Principles & Assurance
Week 2 (pdf)
January 23: Buffer Overflows
Week 3, version 2 with clipped text fixed (pdf)
January 30: Buffer Overflows, part 2
Week 4
February 6: Integer Overflows, Format String Vulnerabilities
Week 5
February 13: Shells and Environment
Week 6
February 20: Exec calls, Trust Boundaries
Week 7, v2 (v2 changes: reworked the "exec" and "file descriptors" slides)
February 27: Mid-term
Does not include material seen on February 20. Remember, taking the mid-term is mandatory for a passing grade...
March 5: Meta-character vulnerabilities and code injection
Week 9
March 12: Spring Break
March 19: Web Applications
Week 11
- Domain Security
- JavaScript Injection (a.k.a. XSS, Cross-site scripting vulnerabilities)
Week 12
April 2: File System Issues: Links, Directory Crawls, and Race Conditions
Week 13 (abridged version so we can catch up)
April 9: Randomness and Canonicalization
Week 14
April 16: Last Exam
April 23: Solution to last exam, grades, discussions
Remember, there is no final, regardless of whether a final is scheduled by Purdue.