CS 390S: Secure Programming

Slides will be posted on the same day as the class.

January 9: Introduction to Secure Programming & Motivation
Topics:
  • Definitions of vulnerabilities, attacks, exploits, exposures, flaws
  • Need for secure programming
  • MITRE: CVE (Common Vulnerabilities and Exposures), CWE (Common Weakness Enumeration), OVAL (Open Vulnerability and Assessment Language), CCE (Common Configuration Enumeration)
  • NIST: NVD (National Vulnerability Database), NIST guides
  • NIST CVSS (Common Vulnerability Scoring System)
  • CERT, US-CERT
Week 1 (pdf)
Reading: "Classes of Vulnerabilities and Attacks" (Pascal Meunier), Wiley Handbook of Science and Technology for Homeland Security (distributed in class or by email). Read the first 4 pages this week and finish the chapter by the mid-term.

January 16: Secure Programming Principles & Assurance
Week 2 (pdf)

January 23: Buffer Overflows
Week 3, version 2 with clipped text fixed (pdf)

January 30: Buffer Overflows, part 2
Week 4

February 6: Integer Overflows, Format String Vulnerabilities
Week 5

February 13: Shells and Environment
Week 6

February 20: Exec calls, Trust Boundaries
Week 7, v2 (v2 changes: reworked the "exec" and "file descriptors" slides)

February 27: Mid-term
Does not cover the material from February 20. Remember, taking the mid-term is mandatory for a passing grade.

March 5: Meta-character vulnerabilities and code injection
Week 9

March 12: Spring Break

March 19: Web Applications
Week 11
  • Domain Security
  • JavaScript injection (a.k.a. XSS, cross-site scripting vulnerabilities)

March 26: Race Conditions
Week 12

April 2: File System Issues: Links, Directory Crawls, and Race Conditions
Week 13 (abridged version so we can catch up)

April 9: Randomness and Canonicalization
Week 14

April 16: Last Exam

April 23: Solutions to the last exam, grades, discussion

Remember, there is no final, regardless of whether a final is scheduled by Purdue.
Spring 2007 web site