CS440X D09: Software Security Engineering Syllabus

CS 440X (D09): Software Security Engineering
Class and Reading Schedule

Home | Staff | Syllabus | Assignments | MyWPI | Policies

Texts

Given the wealth of information online about security, we will not have a textbook for this class. Our readings will come from a combination of papers, blogs, tutorials, and other online sources.

That said, there are some excellent reference books out there. I particularly like Ross Anderson's Security Engineering (first edition available online). For web security, check out Dafydd Studdard and Marcus Pinto's Web Application Hacker's Handbook.

As background, you should read the following papers during the first week of the course:

The Protection of Information in Computer Systems. Saltzer and Schroeder
Reflections on Trusting Trust. Ken Thompson
Information Security Economics--and Beyond. Ross Anderson and Tyler Moore
Stalking the Wily Hacker. Clifford Stoll

Class Schedule

Highlighted readings should be done before class. Other readings provide additional information for those interested in the topic. Some topics may move to different dates in the second half of the course.

Mar 16: Course Overview

Mar 17-20: Attacking Inputs
Discussors (2 slots): Forging HTTP requests via Flash: ____________, NoScript and RequestPolicy (browser extensions): ____________

Readings:

HTTP Overview. (if you don't know how HTTP works)

DOM Reference. (if you don't know what the DOM is)

SQL Tutorial. (if you don't know basic SQL)

CSRF Overview. Jesse Burns

Web Application Security Engineering. J. Meier

An XSS Attack Archive.

SQL Injection Attacks by Example. Steve Friedl

Defeating Script Injection Attacks with Browser-Enforced Embedded Policies. Trevor Jim, Nikhil Swamy, and Michael Hicks

Mar 23: Threat Modelling

Readings:

Larry Osterman Blog--follow the first-sentence links.

Software [In]security: Software Security Top 10 Surprises. Gary McGraw, Brian Chess, Sammy Migues

Mar 24: Sessions and Multi-stage Applications
Discussors (1 slots): Changing register values on running programs: Patrick M

Readings:

The Same-Origin Policy.

Secure Session Management With Cookies for Web Applications. Chris Palmer

Protecting Browser State from Web Privacy Attacks. Collin Jackson, Andrew Bortz, Dan Boneh, and John C. Mitchell

Mar 26: Breaking TurnOut/Web
Discussors (2 slots): Nam, Andrey

Mar 27: Access Control

Readings:

Economic stimulus act heightens HIPAA enforcement. Dom Nicastro.

Mar 30: Authentication and Identity
Discussors (3 slots): biometrics: Tyler, e-passports: Aaron, PIN numbers: Patrick C.

Readings:

The Laws of Identity. Kim Cameron

Who Goes There? Authentication through the lens of privacy (chapter 5). National Academy of Sciences

Security and Privacy Issues in E-passports. Ari Juels, David Molnar and David Wagner

Overview of Federated Authentication.

Mar 31: Patching TurnOut/Web
Discussors (2 slots): Chris P., James C.

Apr 2: Password Schemes
Discussors (2 slots): site keys: Jessica, OpenID: Josh and Maurice

Readings:

Password Security: A Case History. Robert Morris and Ken Thompson

Apr 3: Information Flow

Apr 6: Attacking C Code

Readings:

Smashing the Stack for Fun and Profit. Aleph One

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade. Crispin Cowan, et al.

Exploiting Format String Vulnerabilities.

Hacking: The Art of Exploitation (code link on page). Jon Erickson

Apr 7: Robust C Programming

Readings:

Robust Programming. Matt Bishop

Apr 9: Information Disclosure
Discussors (2 slots): Greg B., Peter L.

Apr 10: Data Aggregation
Discussors (2 slots): Mali, Antoniya

Apr 13: Aggregation and Privacy in Social Networks

Readings:

De-Anonymizing Social Networks. Arvind Narayanan and Vitaly Shmatikov

Apr 14, Part 1: Breaking TurnOut/C
Discussors (2 slots): Rob, Radoslav

Apr 14, Part 2: Protocols and Analysis
Discussors (2 slots): CPPL: Konstantin, TBD: Justin

Apr 16: Usability
Discussors (3 slots): Matt D., James J., Edwin

Readings:

Why Johnny Can't Encrypt. Alma Whitten and Doug Tygar

Usability and Privacy: A Study of KaZaA P@P File Sharing. Nathaniel Good and Aaron Krekelberg

User Interaction Design for Secure Systems. Ka-Ping Yee

Apr 17: Patching TurnOut/C
Discussors (2 slots): Jordan, Keilin

Apr 20: No Class

Apr 21: Encryption
Discussors (1 slots): SSL: Mig

Apr 23: No Class

Apr 24: Digital Rights Management
Discussors (3 slots): Greg H., Nam, Chris K.

Apr 27: Network Security (Guest Lecture)

Apr 28: DoS Attacks
Discussors (2 slots): Nam, Mali

Apr 30: Airline Security
Discussors (2 slots): Gerard, Kevin

May 1: Electronic Voting
Discussors (3 slots): Andrey, Kevin, Jessica

May 4: Potpourri
Discussors (3 slots): Secure Browser Architectures: James J, Email spoofing: Radoslav, TBD: Rob

May 5: Course Evals and Experimental Course Feedback