CSE360

Course CSE360
Title Software Security
Credits 3
Course Coordinator

R. Sekar

Description

This course will describe the principles and practice of securing software systems. Topics will include: software vulnerabilities; static and dynamic analysis techniques for vulnerability detection; exploit detection and prevention; secure software development techniques and defensive programming; malware detection and analysis; security policies and sandboxing; information flow.

Prerequisite CSE331; CSE major
Course Outcomes

The participants of this course will acquire an in-depth understanding of

(a) software bugs, how they lead to vulnerabilities, and the tools and techniques available to mitigate them

(b) form and functionality of malware, and  ways to effectively defend against them

(c) architectures and design/development practices for improving software security.

Textbook
Major Topics Covered in Course
  • Week 1. Course overview. Threat models and definitions. Software bugs and their discovery. Ethical vulnerability disclosure.
  • Week 2. OS security: Processor privileges, kernel vs user mode. Memory protection. File permissions and access control. Capabilities.
  • Week 3. Memory corruption vulnerabilities: buffer overflow, heap overflow, integer vulnerabilities.
  • Week 4. Countermeasures against memory corruption: address space layout randomization (ASLR), bounds checking, safe languages.
  • Week 5. Input validation vulnerabilities. Injection exploits. Countermeasures against injection exploits.
  • Week 6. Time-of-check-to-time-of-use attacks and defenses. Vulnerabilities in setuid applications and countermeasures.
  • Week 7. Midterm Exam
  • Week 8. Untrusted code and forms of malware. Defenses against malware: sandboxing and isolation. Malware analysis techniques.
  • Week 9. Mitigation techniques: Privilege separation, Control-flow integrity and inline reference monitoring, fault isolation
  • Week 10. Mitigation techniques: information flow policies, analysis and enforcement frameworks. Decentralized information flow. Least privilege policies.
  • Week 11. Static analysis techniques and application to vulnerability detection.
  • Week 12. Dynamic analysis techniques and application to vulnerability detection.
  • Week 13. Intrusion detection and forensics.
  • Week 14. Secure software design and development techniques. Defensive programming.

Laboratory Projects
Course Webpage