Security in Software Applications (Sicurezza nelle Applicazioni Software)
2nd semester 2017-2018
PAGE FREQUENTLY UPDATED
Instructor: Francesco Parisi-Presicce
Office: Via Salaria 113, third floor, room 342
Desk phone: 06 4991 8512
Email: parisi (AT) di (DOT) uniroma1 (DOT) it (include SoftSecurity in Subject)
Lectures: Wednesday and Friday from 10:30 a.m. to 1:00 p.m. in AULA 2 (aule L di Ingegneria), Via del Castro Laurenziano
Office Hours: Tuesday and Thursday from 2:00 to 4:00 p.m. (until 2 June 2018) and by appointment
ANNOUNCEMENTS
- VERY LAST
The evaluations of the written exams taken on September 14 are available here
Oral exams to increase/decrease the grade and/or registration on Tuesday September 18
The third round of written exams was scheduled for Friday September 14 at 2 p.m. (14:00) in Aula ALFA (Via Salaria)
Sign up on infostud
- LAST
The evaluations of the written exams taken on Tue July 10 are available here
Students who have not passed the written exam (or would like to improve on their grade) can take the written exam again on Tuesday July 10 starting at 9:30 in Aula 2 (where we held our lectures)
Sign up on infostud
Oral exams to increase/decrease the grade start on Thursday July 12: register HERE
- NEXT-TO-LAST
The evaluations of the written exams are available here and the (corrected) evaluations of the group project HERE
Remember that the grade is computed by adding
15% of each individual project to
30% of the group project to
40% of the score (adjusted) for the written exam
If accepted, registration of the grade on Monday June 25 after 3 p.m.
Oral exams to increase/decrease the grade start on Tuesday June 26
- MORE RECENT
The evaluations of the individual projects are available here
A = 30, A- = 28, B+ = 26, B = 24, ...
The evaluations of the individual and group projects will remain valid until the exam session in September (included)
- WAS RECENT
Written exam on Thursday June 7 at 9:30 a.m. in Aula 2 (the one used for the lectures)
Sign up on infostud
- almost NEW
The slides of the presentation, in pdf format, can be uploaded from THIS page by Sunday June 3 2018
They will be made available to all students attending the class.
The final report of the Group Project can be uploaded from THIS page by Sunday June 10 2018
- no longer NEW
The Schedule for the presentations of the Group Project can be found here
Groups are identified by the "matricola" of one of the members of the group
- The Specification of Project 2 is available HERE
This is an individual project
Solutions must be submitted by 10 p.m. (ore 22) Tuesday 15 May 2018 from THIS page
- The Group Projects using OWASP ASVS have been assigned.
First deadline May 17.
Draft submitted from this page
- The Specification of Project 1 is available HERE
link1 link2
This is an individual project
Solutions must be submitted by 10 p.m. (ore 22) Sunday 8 April 2018 from THIS page
- Students who have not done so already are asked to get an account on twiki, to be used to submit the results of the individual projects
- The material will not always be available before class
- Students who attend this course are required to send the instructor an email address at which they can be contacted to access course material (homework, project, slides, etc.)
DESCRIPTION
Theory and practice of software security, focusing in particular on some common software security risks, including buffer overflows, race conditions and random number generation, and on the identification of potential threats and vulnerabilities early in the design cycle. The emphasis is on methodologies and tools for identifying and eliminating security vulnerabilities, techniques to prove the absence of vulnerabilities, and ways to avoid security holes in new software, and on essential guidelines for building secure software: how to design software with security in mind from the ground up and to integrate analysis and risk management throughout the software life cycle.
EXAMS
The grade will be determined by a written exam, the solution of some homework problems and/or small projects periodically assigned by the instructor and possibly (depending on the size of the class) the presentation in class and discussion of a project agreed upon with the instructor. The project could be developed in teams and deal with theoretical and/or practical aspects of software security.
NOTE: Access to the exam sessions in June and July is limited to the students who will have turned in the individual projects and the group project by the indicated deadlines
The solutions to the assigned problems and the oral examination are *individual* endeavours. Substantial overlap or the indication that they have been "shared" will make them void and will cause the 'perpetrators' to (at least) skip an exam session.
The exam consists of an oral examination, the solution of some problems and/or small projects periodically assigned by the instructor during the course, and (perhaps: it depends on the size of the class) the presentation in class and discussion of a project agreed upon with the instructor. The project may be developed in groups of one or two students and may deal with either theoretical or practical aspects of application security.
NOTE: The exam dates of the summer session are reserved for students who will have turned in the individual projects and the group project by the deadlines
The submission of the solutions to the problems and the oral examination are individual. If there are significant indications that the submitted project or solutions have been copied in whole or in part, the project or solutions are considered void.
PREREQUISITES
An undergraduate security course is not a prerequisite.
Students are expected to have some basic knowledge of programming (C, Java), of Operating Systems and of Databases (SQL)
Passing an undergraduate security course is not required, but knowledge of security is obviously useful.
Students are assumed to have adequate knowledge of programming (C, Java), of Operating Systems and of Databases (SQL).
Schedule of LECTURES
(frequently updated)
- February 28
Introduction to the course.
- March 2
Top 25 Most Dangerous Software Errors
Slides1
- March 7-9
Buffer Overflow: causes and remedies.
Countermeasures to Buffer Overflow
Input validation. Code and SQL Injection.
Slides2
- March 14-16
A gentle Introduction to Program Analysis
Web Security ONE and TWO
Animations explaining TOCTOU.
Slides3
- March 21-23
Discussion of Project 1
Principles of Secure Design
- March 28
Slides4
- March 30
Easter VACATION
- April 4-6
Microsoft Security Development Lifecycle SDL
OWASP Application Security Verification Standard HERE
Discussion of Group Project
- April 11-13
Language-based Security: memory safety
Overview of Types and Type Systems in security
Aliasing
Slides5
- April 18-20
Java Architecture and Java Programming Rules
Sandboxing. Stack Inspection.
Slides6
- April 25
VACATION - National Holiday
- April 27
Program Verification
- May 2-4
JML and ESC/Java2 and Discussion of Project 2
Proof Carrying Code
- G.C.Necula and P.Lee, Safe Kernel Extensions Without Run-Time Checking and other papers here.
Security Testing
Slides7
- May 9-11
Language-based Security: Information Flow
Website of JIF
- A.Myers, JFlow: Practical Mostly-Static Information Flow Control (POPL 1999).
- A.C.Myers and B.Liskov, Protecting privacy using the decentralized label model, ACM TOSEM 2000.
- May 16-18
Reverse Engineering
ByteCode Obfuscation
- S.Goldwasser and G.N.Rothblum, On best-possible Obfuscation
- May 23
Presentation of the Group Projects for V2, V3, V5, V7, V9, V11, V13
- May 25
Presentation of the Group Projects for V1, V8, V10, V13, V15, V16, V18, V19
- May 30
Presentation of the Group Projects for V3, V8, V9, V11, V13, V16, V17
- June 1
NO CLASS
TOOLS
RESOURCES
- UMLSec
- The 24 Deadly Sins of Software Security, by Michael Howard, David LeBlanc and John Viega, McGraw-Hill, 2009
- Chris Steel, Ramesh Nagappan, Ray Lai, Core Security Patterns, Ch3, SUN
- IATAC, DACS, Software Security Assurance: State of the Art Report, July 31, 2007
- A Taxonomy of Computer Program Security Flaws, by C.E.Landwehr et al.
- TOP 25 Most Dangerous Programming Errors, SANS Institute 2013
- J.Viega, G.McGraw, Secure Programming Cookbook, O'Reilly, chapter on random numbers
Useful Links
REFERENCES
- R.Anderson, Security Engineering: a guide to building dependable distributed systems, 2nd ed., John Wiley and Sons 2008
Available HERE
- J.Viega, G.McGraw, Building Secure Software, Addison-Wesley 2002
book web page http://www.buildingsecuresoftware.com/
sample chapters
- G.Hoglund, G.McGraw, Exploiting Software: how to break code, Addison-Wesley 2004
book web page http://www.exploitingsoftware.com/
sample chapter
- G.McGraw, E.Felten, Securing Java, John Wiley and Sons 1999, book web page
- D.A.Wheeler, Secure Programming for Linux and Unix HOWTO, online or downloadable
In class, we may discuss vulnerabilities in general computer systems. This is NOT intended as an invitation to go and exploit those vulnerabilities. Breaking into other people's systems is inappropriate, and the existence of a security hole is no excuse.