CS-412 / 8 credits

Teacher: Payer Mathias Josef

Language: English

Remark: This course is a "depth" course for the Cyber Security master program and the Cyber Security minor.


Summary

This course focuses on software security fundamentals, secure coding guidelines and principles, and advanced software security concepts. Students learn to assess and understand threats, learn how to design and implement secure software systems, and get hands-on experience with security pitfalls.

Content

This course focuses on software security fundamentals, secure coding guidelines and principles, and advanced software security concepts. Students will learn to assess and understand threats, learn how to design and implement secure software systems, and get hands-on experience with common security pitfalls.

Software running on current systems is exploited by attackers despite many deployed defence mechanisms and best practices for developing new software. In this course, students will learn about current security threats, attack vectors, and defence mechanisms on current systems. The students will work with real-world problems and technical challenges of security mechanisms (both in the design and implementation of programming languages, compilers, and runtime systems).

 

  • Secure software lifecycle: design, implementation, testing, and deployment

  • Basic software security principles

  • Reverse engineering: understanding code

  • Security policies: Memory and Type safety

  • Software bugs and undefined behavior

  • Attack vectors: from flaw to compromise

  • Runtime defense: mitigations

  • Software testing: fuzzing and sanitization

  • Focus topic: Web security

  • Focus topic: Mobile security

 

Learning Prerequisites

Required courses

  • COM-402 Information security and privacy (or an equivalent security course)

  • A systems programming course (with focus on C/C++)

  • An operating systems course

 

Important concepts to start the course

Basic computer literacy like system administration, build systems, C/C++ programming skills, debugging, and development skills. Understanding of virtual machines and operating systems.

 

Teaching methods

The lectures are denser early in the semester, then taper off before the end. They are backed up by PDF files of all the lecture material, as well as a few textbook recommendations.

The exercise sessions start slowly early in the semester but pick up and occupy all the time towards the end. Homework exercises consist mostly of paper questions involving the analysis, critical review, and occasional correction of software. They include a reading, writing, and presentation assignment.

The labs focus on practical software security aspects and during the course the students will be assessed through their completion of several challenging "hands on" labs.

 

Assessment methods

The grade will be continuously evaluated through a combination of practical assignments in the form of labs during the semester and a final exam in the exam session. The labs account for 30% and the final exam for 70%. In addition, we will provide ungraded quizzes as training material.

 

Resources

Notes/Handbook

Software Security: Principles, Policies, and Protection (SS3P, by Mathias Payer)

https://nebelwelt.net/SS3P/

Moodle Link

In the programs

  • Semester: Spring
  • Exam form: Written (summer session)
  • Subject examined: Software security
  • Lecture: 3 Hour(s) per week x 14 weeks
  • Exercises: 2 Hour(s) per week x 14 weeks
  • Lab: 1 Hour(s) per week x 14 weeks
  • Type: mandatory
  • Semester: Spring
  • Exam form: Written (summer session)
  • Subject examined: Software security
  • Lecture: 3 Hour(s) per week x 14 weeks
  • Exercises: 2 Hour(s) per week x 14 weeks
  • Lab: 1 Hour(s) per week x 14 weeks
  • Type: optional
