
Software Security

Course Summary

In this course we will explore the foundations of software security. We will consider important software vulnerabilities and the attacks that exploit them -- such as buffer overflows, SQL injection, and session hijacking -- and we will consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques.



    Course Syllabus

    In addition to a brief introductory sequence, the course is broken into six units, one per week:

    • Low-level, memory-based attacks, including stack smashing, format string attacks, stale memory access attacks, and return-oriented programming (ROP)
    • Defenses against memory-based attacks, including stack canaries, non-executable data (aka W^X or DEP), address space layout randomization (ASLR), memory-safety enforcement (e.g., SoftBound), and control-flow integrity (CFI)
    • Web security, covering attacks like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and session hijacking, and defenses that have in common the idea of input validation
    • Secure design, covering ideas like threat modeling and security design principles, including organizing ideas like favor simplicity, trust with reluctance, and defend in depth; we present real-world examples of good and bad designs
    • Automated code review with static analysis and symbolic execution, presenting foundations and tradeoffs and using static taint analysis and whitebox fuzz testing as detailed examples
    • Penetration testing, presenting an overview of goals, techniques, and tools of the trade


    Recommended Background

    Roughly: A third-year undergraduate in computer science.

    In detail, we expect

    • a good knowledge of the C programming language (equivalent to at least a one-semester undergraduate course), and
    • programming proficiency in at least one language (either C or another one, equivalent to 1-2 semesters).

    We also expect familiarity with the following (though we will do some review):

    • Unix/Linux (basic commands using the shell, and basic tools like gcc)
    • the WWW and basic networking concepts (TCP, HTTP, HTML)
    • Machine-level program execution and assembly language (ideally, Intel x86)


    Course Format

    The class will consist of lecture videos, which are between 8 and 12 minutes in length. These typically contain 1-2 integrated quiz questions per video, to check understanding. There will also be standalone quizzes (one per week) that are not part of the video lectures, and three hands-on projects.


    Suggested Reading

    We will provide supplementary readings drawn from material that is freely available on the web.


Course Fee: Free

Course Type: Self-Study

Course Status: Active

Workload: 1 - 4 hours / week
