CS-412 / 8 credits

Teacher: Payer Mathias Josef

Language: English


Summary

This course focuses on software security fundamentals, secure coding guidelines and principles, and advanced software security concepts. Students learn to assess and understand threats, learn how to design and implement secure software systems, and get hands-on experience with security pitfalls.

Content

This course focuses on software security fundamentals, secure coding guidelines and principles, and advanced software security concepts. Students will learn to assess and understand threats, learn how to design and implement secure software systems, and get hands-on experience with common security pitfalls.

Software running on current systems is exploited by attackers despite many deployed defence mechanisms and best practices for developing new software. In this course, students will learn about current security threats, attack vectors, and defence mechanisms on current systems. The students will work with real-world problems and technical challenges of security mechanisms (both in the design and implementation of programming languages, compilers, and runtime systems).

 

  • Secure software lifecycle: design, implementation, testing, and deployment

  • Basic software security principles

  • Reverse engineering: understanding code

  • Security policies: Memory and Type safety

  • Software bugs and undefined behavior

  • Attack vectors: from flaw to compromise

  • Runtime defense: mitigations

  • Software testing: fuzzing and sanitization

  • Focus topic: Web security

  • Focus topic: Mobile security

 

Keywords

Software security, mitigation, software testing, sanitization, fuzzing

Learning Prerequisites

Required courses

  • COM-402 Information security and privacy (or an equivalent security course)

  • A systems programming course (with focus on C/C++)

  • An operating systems course

 

Important concepts to start the course

Basic computer literacy like system administration, build systems, C/C++ programming skills, debugging, and development skills. Understanding of virtual machines and operating systems.

 

Learning Outcomes

By the end of the course, the student must be able to:

  • Explain the top 20 most common weaknesses in software security and understand how such problems can be avoided in software.
  • Identify common security threats, risks, and attack vectors for software systems.
  • Assess / Evaluate current security best practices and defense mechanisms for current software systems. Become aware of limitations of existing defense mechanisms and how to avoid them.
  • Identify security problems in source code and binaries, assess the associated risks, and reason about their severity and exploitability.
  • Assess / Evaluate the security of given source code or applications.

Transversal skills

  • Identify the different roles that are involved in well-functioning teams and assume different roles, including leadership roles.
  • Keep appropriate documentation for group meetings.
  • Summarize an article or a technical report.
  • Access and evaluate appropriate sources of information.
  • Write a scientific or technical report.
  • Make an oral presentation.

Teaching methods

The lectures are denser early in the semester, then taper off before the end. They are backed up by PDF files of all the lecture material, as well as a few textbook recommendations.

The exercise sessions start slowly early in the semester but pick up and occupy all the time towards the end. Homework exercises consist mostly of paper questions involving the analysis, critical review, and occasional correction of software. They include a reading, writing, and presentation assignment.

The labs focus on practical software security aspects, and during the course the students will be assessed through their completion of several challenging "hands-on" labs.

 

Expected student activities

Students are encouraged to attend lectures and exercise sessions. In addition to normal studying of the lecture and practice of the exercises, the reading assignment consists of analyzing a few suggested scientific papers on a large selection of topics; the presentation assignment consists of holding a 15-minute presentation on the selected topic; and the writing assignment of documenting what was learned in a term paper due at the end of the semester.

 

Assessment methods

The grade will be evaluated continuously through a combination of practical assignments in the form of several labs and theoretical quizzes throughout the semester. The labs will account for 50%, the quizzes and tests for 50%.

The exact dates of the labs/quizzes will be communicated at the beginning of the class.

Resources

Notes/Handbook

Software Security: Principles, Policies, and Protection (SS3P, by Mathias Payer)

https://nebelwelt.net/SS3P/


In the programs

  • Semester: Spring
  • Exam form: During the semester (summer session)
  • Subject examined: Software security
  • Courses: 3 Hour(s) per week x 14 weeks
  • Exercises: 2 Hour(s) per week x 14 weeks
  • Lab: 1 Hour(s) per week x 14 weeks
  • Type: optional

Reference week

Tuesday, 10h - 13h: Lecture INF1

Thursday, 15h - 17h: Exercise, TP INM200

Thursday, 17h - 18h: Project, labs, other INM200
