University of South Carolina

Department of Computer Science and Engineering

CSCE 548 Building Secure Software

Spring 2012

Monday, Wednesday 5:30 – 6:45 pm

Swearingen 1A20

Lectures

Date | Topic | Slides | Reading

January 9

Intro. to Information Security

Lecture notes

o   CSCE 522 Information Security Principles, http://www.cse.sc.edu/~farkas/csce522-2011/csce522.htm

January 11

Introduction to software security

Lecture notes

o   McGraw: Chapter 1

Recommended:

o   CyberInsecurity: The Cost of Monopoly, http://cryptome.org/cyberinsecurity.htm

Current news (recommended):

o   Kelly Jackson Higgins, Dark Reading, SQL Injection Hack Infects 1 Million Web Pages, InformationWeek, January 5, 2012, http://www.informationweek.com/news/security/attacks/232301355

o   Gregg Keizer, Adobe plugs 6 critical holes in Reader, Computerworld, January 11, 2012, http://www.computerworld.com/s/article/9223344/Adobe_plugs_6_critical_holes_in_Reader

o   Gregg Keizer, Microsoft patches critical Windows drive-by bug, Computerworld, January 10, 2012, http://www.computerworld.com/s/article/9223326/Microsoft_patches_critical_Windows_drive_by_bug

January 16

No Classes

January 18

Risk Management

Homework 1

Due: 01/25

Lecture notes

o   McGraw: Chapter 2

Recommended:

o   Computer Security Incident Handling Guide, Recommendations of the National Institute of Standards and Technology, http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf

January 23

Software Development Process

Lecture notes

Read Only

o   The Software Development Life Cycle (SDLC), http://www.shellmethod.com/refs/SDLC.pdf

o   Practical UML™: A Hands-On Introduction for Developers, http://dn.codegear.com/article/31863

Recommended read:

o   J. Roman, Decade-Long Virus Infection Discovered, Bank Info Security, http://www.bankinfosecurity.com/articles.php?art_id=4418

o   Stratfor web site on security breach at the end of 2011, http://www.stratfor.com/hacking-news

January 25

Software Security Touchpoints

Lecture notes

o   McGraw: Chapter 3

Recommended:

o   Kromholz: Assurance – A Case for the V-Model, https://syst.eui.upm.es/conference/sv03/papers/V-Chart%20200309Kromholz08.ppt

January 30

Code Review

Lecture notes

o   McGraw: Chapter 4

Recommended:

o   R. Berg, The Path to a Secure Application: A SOURCE CODE SECURITY REVIEW CHECKLIST, http://www.ouncelabs.com/writable//resources/file/path_to_secure_application.pdf

February 1

Architectural Risk Analysis

Lecture notes

o   McGraw: Chapter 5

February 6

Pre-recorded (NO CLASS)

UML Security

Lecture notes

Video

Required:

o   Lodderstedt et al., SecureUML: A UML-Based Modeling Language for Model-Driven Security, http://kisogawa.inf.ethz.ch/WebBIB/publications-softech/papers/2002/0_secuml_uml2002.pdf

Recommended:

o   Jan Jürjens, Towards Development of Secure Systems using UMLsec, http://citeseer.ist.psu.edu/536233.html

o   K. Alghathbar and D. Wijesekera, authUML: a three-phased framework to analyze access control specifications in use cases, http://portal.acm.org/citation.cfm?id=1035438

February 8

NO CLASS

Work on Project

February 13

Misuse Cases

Lecture Notes

o   McGraw: Chapter 8

Required:

o   I. Alexander, Misuse Cases: Use Cases with Hostile Intent, IEEE Software, vol. 20, no. 1, pp. 58-66, Jan./Feb. 2003. http://www.computer.org/portal/web/csdl/doi/10.1109/MS.2003.1159030

Recommended:

o   Pauli and Xu, Misuse Case-Based Design and Analysis of Secure Software Architecture, http://cs.ndsu.edu/~dxu/publications/pauli-xu-ITCC05.pdf

o   Steven and Peterson, Defining Misuse within the Development Process, http://csdl.computer.org/dl/mags/sp/2006/06/j6081.pdf

February 15

Software Reliability

Homework 2

Due: 02/22

Lecture notes

Required:

o   B. Littlewood, P. Popov, L. Strigini, "Modelling software design diversity - a review", ACM Computing Surveys, Vol. 33, No. 2, June 2001, pp. 177-208, http://portal.acm.org/citation.cfm?doid=384192.384195

Recommended:

o   John C. Knight, Nancy G. Leveson, An Experimental Evaluation Of The Assumption Of Independence In Multi-Version Programming, http://sunnyday.mit.edu/papers/nver-tse.pdf 

o   The Role of Software in Spacecraft Accidents by Nancy Leveson. AIAA Journal of Spacecraft and Rockets, Vol. 41, No. 4, July 2004. (PDF)

February 20

Penetration Testing

Risk-Based Security Testing

Lecture notes (Penetration Testing)

Lecture notes (Risk-Based Security Testing)

o   McGraw: Chapter 6, 7

Required:

o   Schneier on Security, http://schneier.com/blog/archives/2007/05/is_penetration.html

February 22

Security Operations

DUE: HW2

Lecture notes

o   McGraw: Chapter 9

Recommended:

o   Proceedings of Workshop on Software Security Assurance Tools, Techniques, and Metrics, http://samate.nist.gov/docs/NIST_Special_Publication_500-265.pdf

February 27

Taxonomy of Coding Errors

Lecture notes

o   McGraw: Chapter 12

Required:

o   P. Meunier, Classes of Vulnerabilities and Attacks, Wiley Handbook of Science and Technology for Homeland Security, http://homes.cerias.purdue.edu/~pmeunier/aboutme/classes_vulnerabilities.pdf

February 29

Summary

Test 1 review

Due: Proj. #5

Test 1 Review

March 5, 7

Spring Break

March 12

National Standards

Due: Proj. #6

Lecture notes

o   US National Security Agency: System Security Engineering CMM (SSE CMM), http://www.sse-cmm.org/index.html 

o   Certified Information Systems Security Professional (CISSP), http://www.isc2.org/cissp/default.aspx

March 14

TEST 1

March 19

Store and Protect Data Securely
Information Leakage

Lecture Notes

o   Howard et al., 19 deadly sins: Chapters 6, 13, 12, 11 

o   Howard et al., 24 deadly sins: Chapters 11, 12, 17, 19

March 21

Failing to handle errors

Security design patterns

Lecture notes

o   Howard et al., 19 deadly sins: Chapters 6, 13, 12, 11 

o   Howard et al., 24 deadly sins: Chapters 11, 12, 17, 19

o   Security Design Patterns, Black Hat Briefings, http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-peterson-up.pdf

Recommended:

o   Secure Design Patterns, Software Engineering Institute, Carnegie Mellon, www.cert.org/archive/pdf/09tr010.pdf

March 26

Buffer Overruns

SQL Injection

Lecture notes

o   Howard et al., 19 deadly sins: Chapters 1, 4 

o   Howard et al., 24 deadly sins: Chapters 5, 1

Recommended Reading

1.      Embry-Riddle Aeronautical University, College of Engineering in Prescott, online buffer overflow demo, http://nsfsecurity.pr.erau.edu/bom/index.html

2.      G. Hoglund and G. McGraw, Exploiting Software: How to Break Code, Chapter 7 -- Buffer Overflow, http://searchsecurity.techtarget.com/searchSecurity/downloads/ExploitingSoftware-Ch07.pdf

March 28

Format string problems

Integer overflow

Lecture notes

o   Howard et al., 19 deadly sins: Chapters 2, 3

o   Howard et al., 24 deadly sins: Chapters 6, 7

Recommended Reading

1.      Common Weakness Enumeration Project, http://cwe.mitre.org/

2.      2010 CWE/SANS Top 25 Most Dangerous Programming Errors, http://cwe.mitre.org/top25/index.html

3.      Open Web Application Security Project, http://www.owasp.org/index.php/Main_Page

4.      From CERT: https://www.securecoding.cert.org/confluence/download/attachments/3515/sd-west-integers-2up.pdf?version=1

April 2

Web Application Security

Lecture Notes

April 4

Web server and client security

REVIEW

Bonus Homework Due

Lecture Notes

o   Howard et al., 19 deadly sins: Chapters 1, 4 

o   Howard et al., 24 deadly sins: Chapters 2,3,4

April 9

Class project 1, 2

PASS

XSS

1.      PASS, W. Reade, B. Miley, M. Zimmermann, R. Bowen

Question 1: Consider the application area of a university registrar that keeps personal information about students. Group 1 members evaluated the privacy issues related to this application. Evaluate the reliability needs of the application and recommend a method to support this need. (Consider the Littlewood paper.)

Question 2: Describe an attack against the PASS application that was not described during the test but that an attacker may attempt. Recommend a mitigation strategy against this attack.

2.      XSS, B. Stancel, B. Moore, M. Szarka

April 11

Class projects 3, 4

Mobile health

Android permissions

3.      Mobile Health, J. Benton, L. Gibbs, A. Stephenson

Question 1: Digital ecosystems have been shown to be promising for modeling the interactions among information system components. Consider the applicability of this approach to representing security interactions among the mobile health system components, and rank the importance of the security requirements. For example, an application to support the exchange of prescription information between a physician and a pharmacy will be successful if it guarantees integrity and availability, even at the cost of a loss of confidentiality.

Question 2: As ecosystems change, only those species that are capable of adapting to the changed environment will survive. Explain how this aspect of biological ecosystems relates to the digital ecosystem, where the species are the computing industry, users, sellers, etc. For example, consider the survivability of mainframe computer manufacturers vs. manufacturers of mobile devices.

4.      Android permissions, J. McCall, B. Alleman, W. Galloway

Question 1: Improper authorization is one of the main software security problems. Access control models allow one to express both positive (permission) and negative (denial) access privileges. Briefly explain the widely used Discretionary Access Control (DAC) model.

Question 2: Obtaining unneeded privileges is one of the main concerns when downloading applications to mobile devices. Consider the Discretionary Access Control (DAC) model extended with “need-to-know” restrictions. We can express application-level constraints by requiring that (1) each application inherits access privileges based on the trust level of the application developer, and (2) each application has “need-to-know” permissions, based on the permissions required by similar applications. Would this approach be feasible for enhancing mobile device security? Why/why not?

April 16

Class projects 5, 6

NEW!  Final project report due date is extended to April 25th

Google Chrome

Digital Ecosystem

5.      Google Chrome Extensions, M. Nenov, T. Hussey, C. Hui

Same questions as for group 4.

6.      Software Security for Digital Ecosystems, C. Leonhardt, S. Strohmeier

Same questions as for group 3.

April 18

Class projects 7, 8

Static analysis tools

Password security

7.      Static Analysis Tools, K. Denmark, W. Goss, R. Moyer

Question 1: What do false positive and false negative rates mean with respect to code review using a static analysis tool?

Question 2: Consider the scenario in which your supervisor asks you to evaluate the security of an application developed by your research group. After running a state-of-the-art static analysis tool on the application code and finding only minor problems, you declare the application safe. What is wrong with this scenario?

8.      Password-based security, N. Lognworth, M. Shoppell, R. Brown

Question 1: Briefly describe three recommendations that application developers should follow when implementing password-based authentication.

Question 2: One of the common errors application developers make is storing passwords in an unencrypted file. Evaluate whether the proposed password management method, presented by the research group, is vulnerable to the same error. Why/why not?

April 23

Class projects 9, 10

Final Exam Review

DRM slides

Android practices

Lecture notes

9.      DRM Protected audio risk, B. Wells

Question 1: Show how to extend the security touchpoints to support DRM requirements.

Question 2: Consider DRM. Would you consider the legal requirements functional or non-functional requirements? Justify your answer.

10.  Android Security, C. Le, E. Samson, M. Scofield

Same questions as for group 4.

April 25

5:30 -7:30 pm

Room 2A15

FINAL EXAM

NEW!

Due: Proj. #9 – Bring a hard copy of the final project report to the class!