Security in Software Applications
Sicurezza nelle Applicazioni Software
1st semester 2018-2019
PAGE FREQUENTLY UPDATED
Instructor: Francesco Parisi-Presicce
Office: Via Salaria 113, third floor, room 342
Desk phone: 06 4991 8512
Email: parisi (AT) di (DOT) uniroma1 (DOT) it (include SoftSecurity in Subject)
Lectures: Monday and Tuesday from 8:00 a.m. to 10:30 p.m. in AULA 1 (aule L di Ingegneria) Via del Castro Laurenziano
Office Hours: Tuesday and Wednesday from 2:00 to 4:00 p.m. (until 21 December 2018) and by Appointment
ANNOUNCEMENTS
- LAST
The first round of exams of the Summer Session will start on Wednesday June 19 with the written test from 3:00 p.m. to 6:00 p.m. in Aula Alfa (in Via Salaria)
All projects must have been submitted no later than Monday June 17.
Sign-up via infostud
- The second round of exams will start on Tuesday February 19 with the written test from 9:00 to 12:00 in AULA P1
- The first round of exams will start on Tuesday January 15 with the written test from 3 p.m. (15:00) to 6 p.m. (18:00) in AULA P1
A checklist of sorts has been uploaded on the elearning platform
- The final report of the Group Project can be uploaded from THIS page by Sunday January 20 2019
- NEW DEADLINE for the submission of the Draft of the Group Project.
Drafts must be submitted by 10 p.m. (22:00) Wednesday 12 December 2018 from THIS page
- The Specification of Project 2 is available on the elearning platform
This is an individual project
Solutions must be submitted by 10 p.m. (22:00) Tuesday 4 December 2018 from THIS page
The DEADLINE for this submission has been moved to Saturday December 8, same time
- The Specification of Project 1 is available on the elearning platform
This is an individual project
Solutions must be submitted by 10 p.m. (22:00) Tuesday 6 November 2018 from this page
- NOT-SO-RECENT
All the students interested in taking the exam in the January/February session must form a group (ideally of 3 students) for the Group Project and communicate the members of the group by Friday October 19
Each group will be assigned its part of the project by the end of October
- OLD
The material for this course is available on the elearning platform of Sapienza. Search for Security in Software Applications
- Students who have not done so already are asked to get an account on twiki, to be used to submit the results of the individual projects
- The material will not always be available before class
- Students who attend this course are required to send the instructor the email address at which they can be contacted to access course material (homework, project, slides, etc.)
DESCRIPTION
Theory and practice of software security, focusing in particular on some common software security risks, including buffer overflows, race conditions and random number generation, and on the identification of potential threats and vulnerabilities early in the design cycle. The emphasis is on methodologies and tools for identifying and eliminating security vulnerabilities, techniques to prove the absence of vulnerabilities, and ways to avoid security holes in new software, and on essential guidelines for building secure software: how to design software with security in mind from the ground up and to integrate analysis and risk management throughout the software life cycle.
EXAMS
The grade will be determined by a written exam, the solution of some homework problems and/or small projects periodically assigned by the instructor and possibly (depending on the size of the class) the presentation in class and discussion of a project agreed upon with the instructor. The project could be developed in teams and deal with theoretical and/or practical aspects of software security.
NOTE: Access to the exam sessions in January and February is limited to the students who will have turned in the individual projects and the group project by the indicated deadlines
The solutions to the assigned problems and the written/oral examination are *individual* endeavours. Substantial overlap or the indication that they have been "shared" will make them void and will cause the 'perpetrators' to (at least) skip an exam session.
The exam consists of a written test, the solution of some problems and/or small projects assigned periodically during the course by the instructor, and (possibly: it depends on the size of the class) the presentation in class and discussion of a project agreed upon with the instructor. The project can be developed in groups of two or three students and can deal with both theoretical and practical aspects of application security.
NOTE: The exam rounds of the winter session are reserved for the students who will have turned in the individual projects and the group project by the deadlines
The submission of the solutions to the problems and the written/oral test are individual. If there are significant indications that the submitted project or solutions have been copied in whole or in part, the project or solutions are considered void.
ACKNOWLEDGEMENT
The slides presented in class include material from E.Poll (U. Nijmegen - NL), I.Dillig (UTA - USA), J.Burket (CMU - USA), M.-L. Potet (Verimag - FR)
PREREQUISITES
An undergraduate security course is not a prerequisite.
Students are expected to have some basic knowledge of programming (C, Java), of Operating Systems and of Databases (SQL)
Passing an undergraduate security course is not required, but knowledge of security is obviously useful.
Students are assumed to have adequate knowledge of programming (C, Java), of Operating Systems and of Databases (SQL).
Schedule of LECTURES (frequently updated)
- September 24-25
Introduction to the course.
Top 25 Most Dangerous Software Errors
- October 1-2
- October 8-9
Program Analysis and Tools
- October 15-16
Animations explaining
- October 22-23
Input Languages
- October 29-30
CLASSES CANCELLED
- November 5-6
Testing
Secure Software Development Life Cycle
- November 12-13
Java Architecture
- November 19-20
Sandboxing in Java
Java Programming Rules and TOCTOU
Verification in Java and JML
- November 26-27
Review of Types and type systems
Language-based Security: memory safety
- December 3-4
Language-based Security: information flow
Website of JIF
- A.Myers, JFlow: Practical Mostly-Static Information Flow Control (POPL 1999).
- A.C.Myers and B.Liskov, Protecting privacy using the decentralized label model, ACM TOSEM 2000.
Program Verification and Proof Carrying Code
- December 10-11
Reverse Engineering and Code Obfuscation
- December 17-18
Group Projects
TOOLS
RESOURCES
- UMLSec
- Chris Steel, Ramesh Nagappan, Ray Lai, Core Security Patterns, Ch3, SUN
- IATAC, DACS, Software Security Assurance: State of the Art Report, July 31, 2007
- A Taxonomy of Computer Program Security Flaws, by C.E.Landwehr et al.
- TOP 25 Most Dangerous Programming Errors, SANS Institute 2013
- J.Viega, G.McGraw, Secure Programming Cookbook, O'Reilly, chapter on random numbers
Useful Links
REFERENCES
- R.Anderson, Security Engineering: a guide to building dependable distributed systems, 2nd ed., John Wiley and Sons 2008, Available HERE
- J.Viega, G.McGraw, Building Secure Software, Addison-Wesley 2002, book web page http://www.buildingsecuresoftware.com/, sample chapters
- G.Hoglund, G.McGraw, Exploiting Software: how to break code, Addison-Wesley 2004, book web page http://www.exploitingsoftware.com/, sample chapter
- G.McGraw, E.Felten, Securing Java, John Wiley and Sons 1999, book web page
- D.A.Wheeler, Secure Programming for Linux and Unix HOWTO, online or downloadable
In class, we may discuss vulnerabilities in general computer systems. This is NOT intended as an invitation to go and exploit those vulnerabilities. Breaking into other people's systems is inappropriate, and the existence of a security hole is no excuse.