| Week | Date | Topic | Readings |
|---|---|---|---|
| Week 1 | 08/28 | Introduction and Course Overview (Cancelled due to flooding) | Syllabus |
| | 08/30 | Foundational concepts in security | SSBSI 1 |
| | 09/01 | System Design | J.H. Saltzer, D.P. Reed and D.D. Clark. End to end arguments in system design |
| Week 2 | 09/04 | Principles of Secure Design 1 | Saltzer and Kaashoek. Principles of Computer System Design, Chapter 11.1.4 |
| | 09/06 | Principles of Secure Design 2; Class Activity: Hack Me | US-CERT Build Security In Design Principles |
| | 09/08 | System Design | Ross Anderson. Why Cryptosystems Fail |
| Week 3 | 09/11 | A Risk Management Framework | SSBSI 2 |
| | 09/13 | Input Validation and Data Sanitization | DS 10, 1, 2 |
| | 09/15 | Student Presentations | Software Penetration Testing; Dissecting Android Malware: Characterization and Evolution; Cross-platform, secure message delivery for mobile devices |
| Week 4 | 09/18 | Overruns and Overflows | DS 5, 6, 7; Smashing the Stack for Fun and Profit; Beyond Stack Smashing |
| | 09/20 | Exceptions and Error Handling | DS 9, 11 |
| | 09/22 | Student Presentations | A Green Software Development Life Cycle for Cloud Computing; Agile Development of Secure Web Applications |
| Week 5 | 09/25 | Leakage | DS 12, 16, 17 |
| | 09/27 | Race Conditions | DS 13; Race Condition Vulnerability Lecture; [optional] Dirty COW Vulnerability |
| | 09/29 | Student Presentations | Software Engineering for Security: a Roadmap; Design and implementation of cloud security defense system with software defined networking technologies |
| Week 6 | 10/02 | A Taxonomy of Coding Errors | SSBSI 12 |
| | 10/04 | Common Bugs and Flaws | OWASP Top 10; CWE/SANS Top 25; Avoiding the Top 10 Software Security Design Flaws |
| | 10/06 | Student Presentations | Penetration Testing for Web Services; Source Code Patterns of SQL Injection Vulnerabilities; DynSec: On-the-fly Code Rewriting and Repair |
| Week 7 | 10/09 | Software Security Touchpoints | SSBSI 3 |
| | 10/11 | Code Review I: Peer | Best Kept Secrets of Peer Code Review |
| | 10/13 | Student Presentations | Loophole: Timing Attacks on Shared Event Loops in Chrome; Research of evaluation methods for software security; AEG: Automatic Exploit Generation |
| Week 8 | 10/16 | Code Review II: Static Analysis | SSBSI 4 |
| | 10/18 | Code Review III: Dynamic Analysis | All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask) |
| | 10/20 | Project Workday | |
| Week 9 | 10/23 | Architectural Risk Analysis | SSBSI 5 |
| | 10/25 | Penetration Testing I | SSBSI 6 |
| | 10/27 | Project Workday | |
| Week 10 | 10/30 | Penetration Testing II | |
| | 11/01 | Fuzzing | SAGE: Whitebox Fuzzing for Security Testing |
| | 11/03 | Project Workday | |
| Week 11 | 11/06 | Risk-Based Security Testing | SSBSI 7 |
| | 11/08 | Cryptographic Sins | DS 19, 20, 21 |
| | 11/10 | Project Workday | |
| Week 12 | 11/13 | Abuse Cases | SSBSI 8 |
| | 11/15 | Networking Sins | DS 22, 23, 24 |
| | 11/17 | Project Workday | |
| Week 13 | 11/20 | Security Requirements and Operations | SSBSI 9 |
| | 11/22 | Reading Day: No Class | Alice's Restaurant |
| | 11/24 | Thanksgiving Break: No Class | SMBC #2425 |
| Week 14 | 11/27 | DEF CON 25 - Lee Holmes - Get $pwnd: Attacking Battle Hardened Windows Server | |
| | 11/29 | | |
| | 12/01 | Student Presentations | Limits of static analysis for malware detection; Practicality of Accelerometer Side Channels on Smartphones; Your botnet is my botnet: analysis of a botnet takeover |
| Week 15 | 12/04 | Student Presentations | StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks; Venerable Variadic Vulnerabilities Vanquished; OAuth Demystified for Mobile Application Developers |
| | 12/06 | Student Presentations | DeepXplore: Automated Whitebox Testing of Deep Learning Systems; Why Silent Updates Boost Security; Protection Poker: The New Software Security "Game" |
| | 12/08 | No Class | The Final Countdown |
| Week 16 | 12/12 | Student Presentations; Final Exam: 8:00am - 10:00am | The Use of Security Tactics in Open Source Software Projects; A qualitative analysis of software security patterns; What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses |