CSC 495: Software Security CSC 495/680
Software Security
UNC Greensboro

CSC 495 — Topics and Schedule

Since this is the first time we have offered a class like this, the schedule and list of topics will be pretty dynamic. Topics will be modified as needed, based at least partially on student interests, and the pace will be adjusted to match how quickly students are mastering the material.

Initial Topics

  • Tuesday, January 13: Class Introduction and Motivation

  • Thursday, January 15: Responsible disclosure, ethics, and class target application selection

  • Tuesday, January 20: Class cancelled

  • Thursday, January 22: Vulnerabilities and Defense in Depth; Security Overview; and Vulnerability Markets

  • Tuesday, January 27:

    • Finish discussion of vulnerability markets

    • Start on systems review - compiling C and using gdb to examine resulting code

  • Thursday, January 29:

    • User-level memory issues: process memory layout, byte ordering, alignment

    • System-level memory issues: Virtual memory vs. physical memory, page tables

    • Kernel control over memory maps and inter-process memory protection

  • Tuesday, February 3:

    • The 15-minute "2-minute history of Unix"

    • Process properties: looking at memory maps, users, priorities, and more

    • Assembly language: basic review, and AT&T vs Intel

    • Using gdb and the disassembler to reverse engineer a program (tracing our helloworld program, and solving a level from the Leviathan wargame)

  • Thursday, February 5:

    • C for Java Programmers: Comparison to Java, compilation toolchain (preprocessor, etc.), data types (primitive and defined), primitive type sizes

  • Tuesday, February 10:

    • Tutorial on basic Unix/Linux use: role of PuTTY, the shell, working directories, basic commands, filesystem (relative vs absolute paths), …

    • Unix file permissions - user/group/other, and setuid programs

    • Assignment 1 tips and discussion - problem 3

    • Basics of network communication: TCP/IP, ports, and use of netcat

    • Assignment 1 tips and discussion - problem 4 (demo of solution!)

  • Thursday, February 12:

    • C for Java programmers (code samples on cmpunix in /home/srtate/code)

      • parameter passing and calling conventions (stack frames, automatic vs static variables, parameters and return values) - look at assembly language produced by the C compiler!

      • passing arrays - pointers and blocks of memory

    • Buffer overflow basics and stack smashing

  • Tuesday, February 17: Snow Day

  • Thursday, February 19:

    • Finish up "C for Java programmers"

      • pointers and pointer arithmetic (incl. casting pointers)

      • user-defined data types: struct and typedef

      • memory management - malloc() and free()

      • process creation and termination - fork and exec

    • Overview of the CWE/SANS Top 25 Most Dangerous Software Errors

    • Quick look at CWE-120 (Classic Buffer Overflow)

  • Tuesday, February 24: Snow Day

    • See Assignment 2 distributed online

      • Note: Video tutorials available in blackboard on exploring code for format string vulnerabilities - very help for doing this assignment!

  • Thursday, February 26: Snowpocalypse Day — see video lectures in Blackboard

  • Reading: Code spelunking and how to read code

  • Tuesday, March 3: Mid-term Exam Discussion and Review

    • If additional time: Practice with code exploration and manual searching for control hijacking vulnerabilities

  • Thursday, March 5: Mid-Term Exam

  • March 9-13: Spring Break

  • Tuesday, March 17:

    • Discussion of mid-term and assignments 1 and 2

    • High-level look at research in computer security (publishing standards, main conferences, etc.) and assignment of StackGuard paper as reading

  • Thursday, March 19: Protection Mechanisms and Tools for Memory/Buffer Vulnerabilities

    • Dynamic Protection Mechanisms (including StackGuard, ASLR, and non-executable stacks)

  • Tuesday, March 24:

    • Static Analysis: Fundamental Limitations and Existing Tools

  • Thursday, March 26:

    • Finish static analysis tool demo

    • Start overview of web application development

  • Tuesday, March 31:

    • Basic web application model - client, server, communication

    • Web threat model

    • HTTP

    • Using browser developer tools

  • Thursday, April 2:

    • Crypto: symmetric vs public key

    • Content: rendering, documents, and the DOM

    • Cookies and intro to same-origin policy

  • Tuesday, April 7:

    • Same-origin policy

    • Server side technologies: static HTML and server-side includes

  • Thursday, April 9:

    • Server side technologies: CGI scripts, PHP, and databases

  • Tuesday, April 14:

    • A little more about databases

    • Injection vulnerabilities

  • Thursday, April 16:

    • Continuing injection vulnerabilities

      • More detail and examples on SQL Injection

      • OS Command Injection (Top 25 #2 - CWE-78)

    • Using OWASP WebGoat, DVWA, and Natas to learn more about web application vulnerabilities

  • Tuesday, April 21:

    • Final SQL/Command Injection topics

      • Protection using prepared statements (example on cmpunix)

      • A look at a real SQL Injection vulnerability in deployed code

      • Command injection - basic idea and look at CWE

    • JavaScript/Browser exploitation issues

  • Thursday, April 23:

  • Tuesday, April 28: No class meeting, but Assignment 4 due

  • Thursday, April 30: Final Exam (3:30-6:30)