Software Security

Credits: Many slides are inspired or taken from other excellent courses in software security, including notes from Lujo Bauer, Anupam Datta, Dan Boneh, and Giovanni Vigna.

Schedule subject to change. Please check back regularly.
Date	Topic	Reading	Notes
8/29	Introduction and Course Overview		slides
8/31	Machine Code Execution - Basic Instructions	x86 Assembly Guide	slides(updated) survey
9/5	No Class - University Holiday
9/7	Machine Code - Procedures, Reversing Basics of exploitation	Smashing the Stack for Fun and Profit Paul Makowski's blog post on what has changed since the paper was written Exploiting Format String Vulnerabilities	slides slides
9/12	OS Protection: ASLR and DEP	On the Effectiveness of Address Space Randomization ASLR Smack and Laugh Reference Extra: Design of ASLR in PAX	slides HW 1 Out
9/14	Return-oriented programming (Ed Schwartz)	The Geometry of Innocent Flesh on the Bone: Return-to-libc without Function Calls (on the x86) Q: Exploit Hardening Made Easy	slides Project Phase 1 due
9/19	Fixing C: Fixing Unsafe Language Features	Backwards-Compatible Array Bound Checking for C with Very Low Overhead Control Flow Integrity (you must be on campus or use the CMU VPN to view this file without paying.)	slides slides
9/21	Integer Vulnerabilities and Defenses	Type Systems Sections 1-4 Efficient and Accurate Detection of Integer-based Attacks Extra: CCured in the real world	slides HW 1 due
9/26	Web Intro and Client-Side Web Security	Wikipedia on XSS Robust Defenses for Cross-Site Request Forgery Extra: Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense	slides slides
9/28	Server-Side Web Security	xkcd	slides
10/3	Project Presentations		Project Phase 2 due HW 2 out
10/5	Guest Lecture: Trusted Computing (Jon McCune)	Bootstrapping Trust in Commodity Computers	slides
10/10	Information Flow	Language-based Information Flow Security All you ever wanted to know about dynamic taint analysis and symbolic execution	slides slides HW 2 due
10/12	Information Flow: Applications	Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones	slides slides Information flow reading also covers symbolic execution
10/17	Review
10/19	Midterm
10/24	Applications of Symbolic execution	Proof Carrying Code Automated Exploit Generation	slides
10/26	Malware Attacks	Dynamic Analysis of Malicious Code BitShred: Feature Hashing Malware For Scalable Triage and Semantic Analysis	slides slides Project Phase 3 due
10/31	Not everything is safety: Timing Attacks	Remote timing attacks are practical Timing Analysis of Keystrokes and Timing Attacks on SSH	slides slides HW 3 out
11/2	Group status reports
11/7	Guest Lecture: Limin Jia
11/9	No Class		HW 3 due Extra HW out
11/14	Separation and Isolation	Efficient Software-Based Fault Isolation, by Wahbe et al. Enforceable Security Policies	slides
11/16	Separation and Separation Challenges	Traps and Pitfalls: Practical Problems in System Call Interposition Based Security Tools Native Client: A Sandbox for Portable, Untrusted x86 Native Code	slides
11/21	Static Analysis	Bugs as deviant behavior: A general approach to inferring errors in system code Checking System Rules Using System-Specific, Programmer-written Compiler Extensions Extra: A paper by Dawson Engler explaining why commercialization is hard: A few billion lines of code later: using static analysis to find bugs in the real world.	slides Extra HW due
11/23	No Class - University Holiday
11/28	Model Checking and Security	Model Checking 1 Millions Lines of C Code Semantics-aware Malware Detection	slides Project Phase 4 due
11/30	Software Security and IDS	Bouncer: Securing Software by Blocking Bad Input Creating Vulnerability Signatures Using Weakest Preconditions	slides
12/5	Wrap up
12/7	Final Presentations		Final papers due: Dec 20th 1pm EDT by email