
CS 390S: Secure Programming

If you wonder how vulnerabilities are created, and what the various types of vulnerabilities are, this class is for you. If you want to be more employable and have an edge, this class will show employers that you are less likely to cause them embarrassment and cost them money through mistakes. They also won't have to pay huge sums to send you to secure programming seminars and classes. This one-credit class will explain the fundamental issues in secure programming: trust management, design issues, and the many stupid little mistakes with big consequences that programmers are likely to make. No book purchase is required, as the material is entirely provided on slides. We will focus on how to do things correctly, and not on exploits (although examples will be provided for entertainment and motivational reasons). Students interested in how some exploits work may consult "Secure Coding in C/C++" (Seacord 2005, Addison-Wesley) while taking this class. This one-credit class emphasizes low-level mistakes, and also covers secure programming principles and ideas. However, other important topics such as the proper use of cryptography, software development methods, requirement specification, architecture, testing, and other software assurance subjects are not covered due to time limitations.

Topics covered

  • Shell and environment
  • Buffer overflows
  • Integer overflows
  • Format strings
  • Meta-character vulnerabilities (code injection) and Input Validation
  • Web Application issues (including cross-site scripting vulnerabilities)
  • Race conditions
  • File system issues
  • Randomness

Syllabus

Cr. 1. Concurrent or prior registration in CS 354 or CS 355 is required. CS majors may use this course only as a free elective.

Instructor

Pascal Meunier, Ph.D., M.Sc., CISSP

Schedule

Lecture: W 10:30-11:20am, Jan 7 - Apr 27, 2008, BRNG 1232

Course Organization

The course consists of mixed lecture and lab sessions, as well as two in-class quizzes.

Grade Distribution

The final grade will be 50% for the two quizzes, and 50% for the projects. The projects will consist of a number of quick mini-labs and 2 longer labs. Half of the class will get an A and the other half a B. Attendance at the quizzes is necessary to pass this class.
First Quiz: date to be decided in class
Last Quiz: last class before dead week
No Final exam

Lists and Announcements

All announcements will be sent via email. It is important that you add yourself to the cs390s mailing list. From your CS account type:

"mailer add me to cs390s"

To verify that you are on the list you may type:

"mailer list cs390s"

To get help with the mailer program type "mailer help" or "man mailer".
Spring 2007 web site