Software Security 2017-2018 - F.Parisi-Presicce

Security in Software Applications

Sicurezza nelle Applicazioni Software

2° semester 2017-2018

PAGE FREQUENTLY UPDATED
PAGINA AGGIORNATA PERIODICAMENTE

Instructor : Francesco Parisi-Presicce
Office : Via Salaria 113, third floor, room 342
desk phone 06 4991 8512
Email: parisi (AT) di (DOT) uniroma1 (DOT) it (include SoftSecurity in Subject )
Lectures: Wednesday and Friday from 10:30 a.m. to 1:00 p.m. in AULA 2 (aule L di Ingegneria) Via del Castro Laurenziano
Office Hours: Tuesday and Thursday from 2:00. to 4:00 p.m. (until 2 June 2018) and by Appointment

AVVISI / ANNOUNCEMENTS

VERY LAST
The evaluations of the written exams taken on September 14 are available here
Oral exams to increase/decrease the grade and/or registration on Tuesday September 18
The third round of written exams was scheduled for Friday September 14 at 2 p.m. (14:00) in Aula ALFA (Via Salaria)
Sign up on infostud

LAST
The evaluations of the written exams taken on Tue July 10 are available here
Students who have not passed the written exam (or would like to improve on their grade) can take the written exam again on
Tuesday July 10 starting at 9:30 in Aula 2 (where we held our lectures)
Sign up on infostud
Oral exams to increase/decrease the grade start on Thursday July 12 : register HERE

NEXT-TO-LAST
The evaluations of the written exams are available here
and the (corrected) evaluations of the group project HERE

Remember that the grade is computed by adding
15% of each individual project to
30% of the group project to
40% of the score (adjusted) for the written exam
If accepted, registration of the grade on Monday June 25 after 3 p.m.
Oral exams to increase/decrease the grade start on Tuesday June 26
MORE RECENT
The evaluations of the individual projects are available here
A = 30 , A- = 28, B+ = 26, B = 24, ...
The evaluations of the individual and group projects will remain valid until the exam session in September (included)
WAS RECENT
Written exam on Thursday June 7 at 9:30 a.m. in Aula 2 (the one used for the lectures)
Sign up on infostud
almost NEW
The slides of the presentation, in pdf format, can be uploaded from THIS page by Sunday June 3 2018
They will be made available to all students attending the class.
The final report of the Group Project can be uploaded from THIS page by Sunday June 10 2018
no longer NEW
The Schedule for the presentaions of the Group Project can be found here
Groups are identified by the "matricola" of one of the members of the group
The Specification of Project 2 is available HERE
This is an individual project
Solutions must be submitted by 10 p.m. (ore 22) Tuesday 15 May 2018 from THIS page
The Group Projects using OWASP ASVS have been assigned.
First deadline May 17.
Draft subitted from this page
The Specification of Project 1 is available HERE
link1
link2
This is an individual project
Solutions must be submitted by 10 p.m. (ore 22) Sunday 8 April 2018 from THIS page

Students, who have not done so already, are asked to get an account on twiki, to be used to submit the results of the individual projets
The material will not always be available before class
Students who attend this course are required to send to the instructor their email address with which they can be contacted to access course material (homework, project, slides, etc.)

DESCRIPTION

Theory and practice of software security, focusing in particular on some common software security risks, including buffer overflows, race conditions and random number generation, and on the identification of potential threats and vulnerabilities early in the design cycle. The emphasis is on methodologies and tools for identifying and eliminating security vulnerabilities, techniques to prove the absence of vulnerabilities, and ways to avoid security holes in new software, and on essential guidelines for building secure software: how to design software with security in mind from the ground up and to integrate analysis and risk management throughout the software life cycle.

EXAMS / ESAMI

The grade will be determined by a written exam, the solution of some homework problems and/or small projects periodically assigned by the instructor and possibly (depending on the size of the class) the presentation in class and discussion of a project agreed upon with the instructor. The project could be developed in teams and deal with theoretical and/or practical aspects of software security.

NOTE: Access to the exams sessions in June and July is limted to the students who will have turned in the individual projects and the group project by the indicated deadlines

The solutions to the assigned problems and the oral examination are *individual* endavours. Substantial overlap or the indication that they have been "shared" will make them void and will cause the 'perpetrators' to (at least) skip an exam session.

L'esame consiste in una prova orale, la risoluzione di alcuni problemi e/o piccoli progetti assegnati periodicamente durante il corso dal docente, e (forse: dipende dalle dimensioni della classe) la presentazione a lezione e discussione di un progetto concordato con il docente. Il progetto può essere sviluppato in gruppi di uno o due studenti e può riguardare sia aspetti teorici che aspetti pratici della sicurezza nelle applicazioni.

NOTA: Gli appelli della sessione estiva sono riservati agli studenti che avranno consegnato entro le scadenze i progetti individuali e quello di gruppo

La consegna delle soluzioni dei problemi e la prova orale sono individuali. Se ci sono significativi indizi che portano a credere che il progetto o le soluzioni consegnati siano stati copiati in tutto o in parte, il progetto o le soluzioni sono considerati nulli.

PREREQUISITI / PREREQUISITES

An undergraduate security course is not a prerequisite.
Students are expected to have some basic knowledge of programming (C, Java), of Operating Systems and of Databases (SQL)

Non è richiesto il superamento di un corso di sicurezza della triennale, ma conoscenze di sicurezza sono ovviamente utili.
Si presume che lo studente abbia conoscenze adeguate di programmazione (C, Java), di Sistemi Operativi e di Basi di Dati (SQL).

Schedule of LECTURES / Diario delle LEZIONI

(frequently updated / in continuo aggiornamento )

February 28
Introduction to the course.
- Turing Award Lecture Reflections on Trusting Trust, di K.Thompson
- Gary McGraw, Software security.
March 2
Top 25 Most Dangerous Software Errors
Slides1
March 7-9
Buffer Overflow : causes and remedies.
- article Smashing The Stack For Fun And Profit, Aleph One.
- Crispin Cowan, et al., Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade
Countermeasures to Buffer Overflow
Input validation. Code and SQL Injection.
Slides2
March 14-16
A gentle Introduction to Program Analysis
Web Security ONE and TWO
Animations explaining
- XSS 1,
- XSS 2,
- CRSF
TOCTOU.
Slides3
March 21-23
Discussion of Project 1
Principles of Secure Design
- Paper by Saltzer e Schroder
March 28
- Principles for Software Security
Slides4
March 30
Easter VACATION
April 4-6
Microsoft Security Development Lifecycle SDL
OWASP Application Security Verification Standard HERE
Discussion of Group Project
April 11-13
Language-based Security: memory safety
Overview of Types and Type Systems in security
Aliasing
Slides5
April 18-20
Java Architecture and Java Programming Rules
Sandboxing. Stack Inspection.
Slides6
April 25
VACATION - National Holiday
April 27
Program Verification
May 2-4
JML and ESC/Java2 and Discussion of Project 2
Proof Carrying Code
- G.C.Necula and P.Lee, Safe Kernel Extensions Without Run-Time Checking and other papers here .
Security Testing
Slides7
May 9-11
Language-based Security: Information Flow
- Information Flow Security
- Principles of Information Flow
Website of JIF
- A.Myers JFlow: Practical Mostly-Static Information Flow Control (POPL 1999).
- A.C.Myers and B.Liskov, Protecting privacy using the decentralized label model ACM TOSEM 2000.
May 16-18
Reverse Engineering
ByteCode Obfuscation
- S.Goldwasser and G.N.Rothblum, On best-possible Obfuscation
May 23
Presentation of the Group Projects for V2, V3, V5, V7, V9, V11, V13
May 25
Presentation of the Group Projects for V1, V8, V10, V13, V15, V16, V18, V19
May 30
Presentation of the Group Projects for V3, V8, V9, V11, V13, V16, V17
June 1
NO CLASS

TOOLS

RESOURCES

UMLSec
The 24 Deadly Sins of Software Security, by Michael Howard, David LeBlanc and John Viega, McGraw-Hill, 2009
Chris Steel, Ramesh Nagappan, Ray Lai, Core Security Patterns, Ch3, SUN
JATAC, DACS, Software Security Assurance: State of the Art Report , July 31, 2007
A Taxonomy of Computer Program Security Flaws, by C.E.Landwehr et al.
TOP 25 Most Dangerous Programming Errors , SANS Institute 2013
J.Viega, G.McGraw, Secure Programming Cookbook, O'Reilly chapter on random numbers

Useful Links

REFERENCES

R.Anderson, Security Engineering: a guide to building dependable distributed systems , 2^nd ed., John Wiley and Sons 2008
Disponibile/Available HERE
J.Viega, G.McGraw, Building Secure Software, Addison-Wesley 2002
book web page http://www.buildingsecuresoftware.com/
sample chapters
G.Hoglung, G.McGraw, Exploiting Software: how to break code , Addison-Wesley 2004
book web page http://www.exploitingsoftware.com/
sample chapter
G.McGraw, E.Felten Securing Java, John Wiley and Sons 1999, book web page
D.A.Wheeler, Secure Programming for Linux and Unix HOWTO online or downloadable

Warning In class, we may discuss vulnerabilities in general computer systems. This is NOT intended as an invitation to go and exploit those vulnerabilities. Breaking into other people's systems is inappropriate, and the existence of a security hole is no excuse.