Software Security 2020/2021
Lucas Cordeiro will teach this course for post-graduate students in Computer Science and Engineering. This page contains information about the course.
Software is subject to numerous forms of attack such as memory corruption, buffer overflows and injection; these flaws are often too complex or expressive to be manually detected by the software developer. Techniques and tools exist to prevent and detect software flaws, which are typically too hard to be manually found, e.g., modelling, code reviews, fuzzing, static and dynamic code analyses, program verification and code tainting.
This course unit introduces students to basic and advanced approaches to formally build verified trustworthy software systems, where trustworthy comprise five attributes: reliability, availability, safety, resilience and security.
Relationship to other courses
Software Security involves people and practices, to build software systems to ensure confidentiality, integrity and availability. Therefore, this course has connections to other disciplines: cyber-security, cryptography, automated reasoning and verification, logic and modelling, agile and test-driven development, software engineering concepts and systems governance.
Fundamental programming skills, including familiarity with C and Python 3. In more detail:
For C, the student should at least know how pointers and dynamic memories work.
For Python, the student should know how to develop basic algorithms/data structures and interact with the host system.
Basic notions in Linux System Administration:
Create a web server.
Understand the difference between user space and kernel space.
Some interest/knowledge of logic and modelling:
Understand propositional and first-order logic.
Understand linear-time temporal logic.
- Part I: Software Security Fundamentals
- Defining a Discipline
- A Risk Management Framework
- Vulnerability Assessment and Management
- Overview on Traffic, Vulnerability and Malware Analysis
- Part II: Software Security
- Code Inspection for Finding Security Vulnerabilities and Exposures (ref: Mitre’s CVE)
- Architectural Risk Analysis
- Penetration Testing, Concolic Testing, Fuzzing, Automated Test Generation
- Model Checking, Abstract Interpretation, Symbolic Execution
- Risk-Based Security Testing and Verification
- Software Security Meets Security Operations
- Part III: Software Security Grows Up
- Withstanding adversarial tactics and techniques defined in Mitre’s ATT&CK™ knowledge base
- An Enterprise Software Security Program
Intended Learning Outcomes (ILOs)
On successful completion of this course unit, a student will be able to
- Explain computer security problem and identify why broken software lies at its heart.
- Explain continuous risk management and how to put it into practice to ensure software security.
- Summarise and contrast security properties and link them into the software development lifecycle.
- Develop and apply software validation and verification techniques to test security vulnerabilities.
- Relate security testing and verification to risk analysis to address continued resilience when a cyber-attack takes place.
- Develop case studies to think like an attacker in order to expose security vulnerabilities in software systems.
- Debate and solve security vulnerabilities using software verification and testing techniques.
MSc theme on software security and automated reasoning
You can find the slides we presented in the welcome week about our MSc theme on software security and automated reasoning.
Lectures & extra material
Lectures will be available here through slides, videos and reading materials.
Topics for the seminar
We provide some suggestions for software security topics for the seminars here.
The full course will be assessed as follows:
- 70% Coursework
- Lab exercises = 40%.
- Blackboard Quizes = 10% (the quizes test content covered in lectures and labs).
- Seminars = 20%.
- 30% Exam
- Format: 2 hours, 3 questions, all the material.
The books used by this course are:
- Rashid et al.: The Cyber Security Body of Knowledge, CyBOK, v1.0, 2019.
- McGraw, Gary: Software Security: Building Security In, Addison-Wesley, 2006.
- Hoglund, Greg: Exploiting Software: How to Break Code, Addison-Wesley, 2004.
- Ransome, James and Misra, Anmol: Core Software Security: Security at the Source, CRC Press, 2014.
- Edmund M. Clark Jr., Orna Grumberg, Daniel Kroening, Doron Peled, Helmut Veith: Model Checking, The MIT Press, 2018.
- Mark Dowd , John McDonald, et al.: The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities, Addison-Wesley, 2006.
- SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems, SEI - Carnegie Mellon University, 2016.
The software used by this course are: