Security in Software Applications
2nd semester, 2015-2016
PAGE FREQUENTLY UPDATED
Instructor: Francesco Parisi-Presicce
Office: Via Salaria 113, third floor, room 342
Desk phone: 06 4991 8512
Email: parisi (AT) di (DOT) uniroma1 (DOT) it (include SoftSecurity in Subject)
Office hours: Mon/Wed after class (until 13 June 2016) and by appointment
ANNOUNCEMENTS
- LAST:
  Last chance to take the exam
  By appointment Friday February 10
  Contact the instructor by email
- no-longer-NEW:
  Last chance to take the exam in 2016
  By appointment from Nov 7 to Nov 11
  Contact the instructor by email
- The third round of oral exams will start on Tuesday September 6 at 9:00 in the instructor's office
  Upon request, oral exams are possible on September 1 in the afternoon.
  Send an email to confirm/coordinate the time.
  Sign-up via infostud and in the twiki page HERE
- The second round of exams will start on Wednesday July 13 and will be scheduled as in the twiki page HERE, where students should sign up
  Sign-up also via infostud
- The first round of exams will start on Tuesday June 7 and will be by appointment only
  Sign-up via infostud and also from this page
- old:
  GROUP PROJECT
  First deadline 10 p.m. (22:00) Sunday 8 May 2016
  Presentation 9:30 - 13:30 Monday May 30
  WELL DONE !
  Second deadline 10 p.m. (22:00) Tuesday 31 May 2016
- SEMINAR Tuesday May 17, 10:00
  Social Engineering cyber game challenge. Typical dimensions of the approach to cybersecurity
  Aula Alfa, ground floor, Dipartimento di Informatica, Via Salaria
  poster
- NO class on Wednesday May 18
  EXTRA hour on Monday May 16 from 12 to 1 p.m.
- The specifications of Project 2 are available HERE
  This is an individual project
  Solutions must be submitted by 10 p.m. (22:00) Friday 29 April 2016 (new deadline) from THIS page
- The specifications of the Group Project are available HERE
  This is a group effort
  First deadline 10 p.m. (22:00) Sunday 8 May 2016
  Second deadline 10 p.m. (22:00) Monday 30 May 2016
- There will be ONE additional lecture, on April 5, same room (Aula Alfa) and same time (10:15 - 11:45), replacing the lecture originally scheduled for April 18
- The deadline for submitting Project 1 has been moved to 10 p.m. (22:00) Wednesday 30 March 2016
- The lecture on Monday March 21 will be held in Aula Seminar (third floor)
- There will be TWO additional lectures, on March 17 and on March 31, same room (Aula Alfa) and same time (10:15 - 11:45), replacing the lectures originally scheduled for the week of April 11-15
- The specifications of Project 1 are available HERE
  This is an individual project
  Solutions must be submitted by 10 p.m. (22:00) Wednesday 23 March 2016 from THIS page
- Students who have not done so already are asked to get an account on twiki, to be used to submit the results of the individual projects
- The material will not always be available before class
- Students who attend this course are required to send the instructor an email address at which they can be contacted to access course material (homework, project, slides, etc.)
DESCRIPTION
Theory and practice of software security, focusing in particular on some common software security risks, including buffer overflows, race conditions and random number generation, and on the identification of potential threats and vulnerabilities early in the design cycle. The emphasis is on methodologies and tools for identifying and eliminating security vulnerabilities, techniques to prove the absence of vulnerabilities, and ways to avoid security holes in new software, and on essential guidelines for building secure software: how to design software with security in mind from the ground up and to integrate analysis and risk management throughout the software life cycle.
EXAMS
The exam will consist of an oral part, the solution of some homework problems and/or small projects periodically assigned by the instructor and possibly (depending on the size of the class) the presentation in class and discussion of a project agreed upon with the instructor. The project could be developed in teams and deal with theoretical and/or practical aspects of software security.
The solutions to the assigned problems and the oral examination are *individual* endeavours. Substantial overlap or the indication that they have been "shared" will make them void and will cause the 'perpetrators' to skip an exam session.
The exam consists of an oral test, the solution of some problems and/or small projects periodically assigned by the instructor during the course, and (possibly: it depends on the size of the class) the presentation in class and discussion of a project agreed upon with the instructor. The project can be developed in groups of one or two students and can deal with both theoretical and practical aspects of application security.
The submission of the problem solutions and the oral test are individual. If there are significant indications that the submitted project or solutions have been copied in whole or in part, the project or the solutions is/are considered void.
PREREQUISITES
An undergraduate security course is not a prerequisite.
Students are expected to have some basic knowledge of programming (C, Java), Operating Systems and Databases (SQL).
Passing an undergraduate security course is not required, but knowledge of security is obviously useful.
Students are assumed to have adequate knowledge of programming (C, Java), Operating Systems and Databases (SQL).
Schedule of LECTURES (frequently updated)
- February 22-24
  Introduction.
  Top 25 Most Dangerous Software Errors
- February 29
  Buffer Overflow: causes and remedies.
- March 2
  Countermeasures to Buffer Overflow
- March 7-9
  Code and SQL injection
  Input Validation
  Animations explaining
- March 14-16
  Some Random thoughts
  Code Analysis and testing
  Principles for Software Security
- March 17
  substitutes the lecture on April 11
  Overview of Types and Type Systems in security
- March 21-23
  Language-based Security 1
  Stack Inspection
- March 30
  Language-based Security 2
  Sandbox (Ch.2) and Stack Inspection (Ch.3) in here
- March 31
  substitutes the lecture on April 13
  Programming Principles for Java.
  Extended Static Checker for Java version 2 (ESC/Java2)
- April 4-5
  Java Security and Cryptographic Primitives
- April 6
  The OWASP ASVS project
  The standard to be used for the project can be found here
- April 11-13
  MOVED to March 17 and March 31, same time same room
- April 18-20
  One lecture moved to April 5, the other one postponed to May
  time devoted to Project2
- April 27
  Verification and Hoare Logic
- May 2-4
  Proof Carrying Code
  - D.Kozen, Language-Based Security
  - G.C.Necula and P.Lee, Safe Kernel Extensions Without Run-Time Checking and other papers here.
- May 9-11
  - Information Flow Security
  - Principles of Information Flow
    JIF Website
  - A.Myers and B.Liskov, A Decentralized Model for Information Flow Control (SOSP 1997).
  - A.Myers, JFlow: Practical Mostly-Static Information Flow Control (POPL 1999).
  - A.C.Myers and B.Liskov, Protecting privacy using the decentralized label model, ACM TOSEM 2000.
- May 16 from 10:15 to 13:00
  Completion of Information Flow
  Aliasing
- May 18
  NO CLASS
- May 23-25
  Microsoft Security Development Lifecycle SDL
  ByteCode Obfuscation
- May 30
  Presentation of part of the Group Projects from 9:30 to 13:30
  WELL DONE !!
TOOLS
RESOURCES
- UMLSec
- The 24 Deadly Sins of Software Security, by Michael Howard, David LeBlanc and John Viega, McGraw-Hill, 2009
- Chris Steel, Ramesh Nagappan, Ray Lai, Core Security Patterns, Ch3, SUN
- IATAC, DACS, Software Security Assurance: State of the Art Report, July 31, 2007
- A Taxonomy of Computer Program Security Flaws, by C.E.Landwehr et al.
- TOP 25 Most Dangerous Programming Errors, SANS Institute 2013
- J.Viega, G.McGraw, Secure Programming Cookbook, O'Reilly, chapter on random numbers
Useful Links
REFERENCES
- R.Anderson, Security Engineering: a guide to building dependable distributed systems, 2nd ed., John Wiley and Sons 2008
  Available HERE
- J.Viega, G.McGraw, Building Secure Software, Addison-Wesley 2002
  book web page http://www.buildingsecuresoftware.com/
  sample chapters
- G.Hoglund, G.McGraw, Exploiting Software: how to break code, Addison-Wesley 2004
  book web page http://www.exploitingsoftware.com/
  sample chapter
- G.McGraw, E.Felten, Securing Java, John Wiley and Sons 1999, book web page
- D.A.Wheeler, Secure Programming for Linux and Unix HOWTO, online or downloadable
In class, we may discuss vulnerabilities in general computer systems. This is NOT intended as an invitation to go and exploit those vulnerabilities. Breaking into other people's systems is inappropriate, and the existence of a security hole is no excuse.