Credits: 5EC
Delivery: This course is not tele-lectured, but video recorded. Travel is not required.
Pre-requisites: Basic knowledge of programming in C; basic knowledge of operating systems & compilers.
Synopsis: The course studies the nature of security vulnerabilities in software systems, the techniques to detect and prevent these problems by proper programming and programming languages, and their embedding in a security-aware software development process.
Learning outcomes: The student will acquire:
- A good understanding of the nature of security vulnerabilities in software systems
- A basic understanding of principles for secure software development and language-based security concepts
- A good understanding of static and dynamic program analysis techniques and security testing
Lecturer: Dr Erik Tews (UT/EWI)
Examination: Written exam and homework (programming and/or program analysis) assignments.
Contents:
- Software Security Vulnerabilities (buffer and integer overflows, return oriented programming, code injection (SQL, XSS), race conditions, information exposure);
- Principles of Secure Programming (threat modeling, small/simple trusted computing base, coding standards for secure defaults & failures, least privilege, preventing injection attacks by input validation);
- Language-Based Security (memory & type safety, access control, static and dynamic semantics, type soundness);
- Static Analysis Techniques (control, data & information flow analysis, fuzzing and penetration testing, symbolic execution).
Core text: Book: “Software Security: Building Security In” by Gary McGraw; Papers & online-material.