Security in Software Applications
Sicurezza nelle Applicazioni Software
1st semester
2019-2020
PAGE FREQUENTLY UPDATED
PAGINA
AGGIORNATA PERIODICAMENTE
Instructor
: Francesco Parisi-Presicce
Office
: Via Salaria 113, third floor,
room 342
desk phone
06 4991 8512
Email: parisi (AT) di
(DOT) uniroma1 (DOT) it
(include SoftSecurity in Subject )
Lectures: Monday from
8:00 a.m. to 11:00 a.m and
Wednesday from 8:00 a.m. to 10:00 a.m.
in AULA 2 in Via del Castro Laurenziano
Office Hours: Tuesday and Wednesday from 2:00. to 4:00
p.m.
(until 19 December 2019) and by
Appointment
AVVISI /
ANNOUNCEMENTS
- VERY
LAST
The deadline for the uploading of
the report on the Group Project
has been moved to January 2020
Reports (one per group) must be submitted by 10 p.m. (ore 22)
Sunday 5
January 2020 from this
page
- LAST
The Specification of Project 2 is available on
the elearning platform
This is an individual project
Solutions must be submitted by 10 p.m. (ore 22) Sunday 15 December
2019
from this
page
- RECENT
The Specification of Project 1 is available on
the elearning platform
This is an individual project
Solutions must be submitted by 10 p.m. (ore 22) Thursday 31 October
2019
from this
page
- first
The material for this coursewill be available on the elearning
platform of Sapienza. Search for SoftSec_FA2019
- Students,
who have not done so already, are asked to get an account on
twiki, to be used to submit the results of the individual projets
- The material will not always be available before class
DESCRIPTION
Theory and practice
of software security, focusing in particular on some common software
security
risks, including buffer overflows, race conditions and random number
generation, and on the identification of potential threats and
vulnerabilities
early in the design cycle. The emphasis is on methodologies and tools
for
identifying and eliminating security vulnerabilities, techniques to
prove the
absence of vulnerabilities, and ways to avoid security holes in new
software,
and on essential guidelines for building secure software: how to design
software with security in mind from the ground up and to integrate
analysis and
risk management throughout the software life cycle.
EXAMS /
ESAMI
The grade will be determined by a written exam, the solution of some
homework problems and/or small projects periodically assigned by the
instructor
and possibly
(depending on the size of the class) the presentation in class and
discussion of a group project agreed upon with the instructor. The
project
should be developed in teams and deal with theoretical and/or
practical aspects of software security.
NOTE: Access to the exams sessions in January and February is
limted
to the students
who will have turned in the individual projects and the group project
by the indicated deadlines
The solutions to the assigned
problems and the written/oral examination are *individual* endavours.
Substantial overlap or the indication that they have been "shared" will
make them void and will cause the 'perpetrators' to (at least) skip an
exam
session.
L'esame consiste in una prova scritta, la risoluzione di alcuni
problemi
e/o piccoli progetti assegnati periodicamente durante il corso dal
docente, e (forse: dipende dalle dimensioni della classe) la
presentazione a lezione e discussione
di un progetto di gruppo concordato con il
docente. Il progetto può essere sviluppato in gruppi di
due o tre studenti e può riguardare sia aspetti teorici che
aspetti
pratici della sicurezza nelle applicazioni.
NOTA: Gli appelli della sessione invernale sono riservati agli
studenti che avranno consegnato entro le scadenze i progetti
individuali e quello di gruppo
La consegna delle soluzioni dei problemi e la prova scritta/orale sono
individuali. Se ci sono significativi indizi che portano a credere che
il
progetto o le soluzioni consegnati siano stati copiati in tutto o
in parte, il progetto o le soluzioni sono considerati nulli.
ACKNOWLEDGEMENT
The slides presented in class include material from E.Poll
(U.
Nijmegen -
NL), I.Dillig (UTA -USA), J.Burket (CMU - USA), M.-L. Potet (Verimag -
FR)
PREREQUISITI
/ PREREQUISITES
An undergraduate security course is not a prerequisite.
Students are expected to have some basic knowledge of programming (C,
Java), of Operating Systems and of Databases (SQL)
Non è richiesto il superamento di un corso di sicurezza della
triennale, ma conoscenze di sicurezza sono ovviamente utili.
Si presume che lo studente abbia conoscenze adeguate di programmazione
(C, Java), di Sistemi Operativi e di Basi di Dati (SQL).
Schedule
of LECTURES / Diario delle LEZIONI
(frequently
updated / in continuo
aggiornamento )
- September 23-25
Introduction to the course.
Top 25 Most Dangerous Software
Errors
- September 30
- October 2
- Crispin Cowan, et al., Buffer
Overflows: Attacks and Defenses for the Vulnerability of the
Decade
- October 7-9
Program Analysis and Tools
- October 14-16
- October 21-23
Input Languages
- October 28-30
- November 6
- November 11-13
Java
Architecture
- November 18-20
Sandboxing in Java
Java Programming Rules and TOCTOU
- November 25-27
Verification and Proof-Carrying-Code
- December 2-4
Type systems for Information Flow
- December 9-11
- December 16-18
Reverse Engineering and Code Obfuscation
TOOLS
RESOURCES
- UMLSec
- Chris Steel, Ramesh Nagappan, Ray Lai, Core Security
Patterns, Ch3,
SUN
- JATAC, DACS, Software Security
Assurance: State of the
Art
Report ,
July 31, 2007
- A
Taxonomy of Computer Program Security Flaws, by C.E.Landwehr
et al.
- TOP 25 Most Dangerous Programming Errors ,
SANS Institute 2013
- J.Viega,
G.McGraw, Secure Programming Cookbook,
O'Reilly chapter
on random numbers
Useful Links
REFERENCES
- R.Anderson, Security Engineering: a guide to
building
dependable distributed systems , 2nd ed., John Wiley
and Sons 2008
Disponibile/Available HERE
- J.Viega,
G.McGraw, Building Secure Software,
Addison-Wesley 2002
book web page
http://www.buildingsecuresoftware.com/
sample
chapters
- G.Hoglung, G.McGraw, Exploiting Software: how to
break code ,
Addison-Wesley 2004
book web page
http://www.exploitingsoftware.com/
sample
chapter
- G.McGraw, E.Felten Securing Java, John Wiley and
Sons
1999, book web page
- D.A.Wheeler, Secure Programming for Linux and Unix
HOWTO online
or downloadable
In
class, we may discuss vulnerabilities
in
general computer systems. This is NOT intended as an
invitation to go
and exploit those vulnerabilities. Breaking into
other
people's systems is inappropriate, and the existence of a security hole
is no
excuse.