18732 Secure Software Systems

Instructor	Dawn Song
Course Home	http://www.ece.cmu.edu/~dawnsong/teaching/f04
Location	Porter Hall 226B
Meeting Times	Tuesday & Thursday, 1:30-2:50PM

Instructor	TA
Dawn Song HH D203 http://www.ece.cmu.edu/~dawnsong	Debin Gao HH D-level, cube C6

Email address	Purpose
18732-f04-general@lists.andrew.cmu.edu	Questions about subject matter, course policy, grading, etc. (Also see the class discussion board, on blackboard).
18732-f04-summaries@lists.andrew.cmu.edu	Submit reading summaries here.
18732-f04-project@lists.andrew.cmu.edu	Submit project proposals, milestones, and papers here.
18732-f04-announce@lists.andrew.cmu.edu	You should subscribe to this list to receive class announcements. See instructions below.

To subscribe to 18732-f04-announce, send email to majordomo@lists.andrew.cmu.edu, with the text "subscribe 18732-f04-announce" in the body of the email.

Prerequisites:

The prerequisites of this class include 18730 (Introduction to Computer Security), an undergraduate Operating System class, proficient programming in C and Java, and familarity with assembly language.

Topics Covered in Class:

Software vulnerabilities: study the causes and manifestations of different forms of vulnerabilities, including language dependent vulnerabilities (buffer overrun, format string vulnerabilities, etc.), language independent vulnerabilities (race conditions, concurrency vulnerabilities, privilege control, etc.), and viruses, etc.

Software analysis, testing, and verification: study the general methodology and specific techniques for analyzing software for vulnerabilities, testing programs for bugs, and verifying correctness of code. Techniques covered include static analysis, high-coverage testing, fault injection, model checking, and theorem proving. We'll survey a set of existing tools as well as the underlying techniques.

Software transformation: study various software tranformation techniques for different purposes, including worm/virus morphing and software watermarking.

Secure software engineering practices and system evaluation: study security issues in software lifecycle including design, implementation, evaluation, patching, etc.

Secure operating systems & platforms: study foundations of secure OS, attacks & defenses, fault isolation, sandboxing and confinement, Virtual machine monitors, runtime monitoring, NGSCB, TCG, SE Linux, .net

Other topics: web security, Java security, mobile code securtiy, storage systems and database security, DRM

Class Format:

Each class will involve lecturing and some discussions on related topics. 1 to 3 research papers will be assigned as reading requirements for each class. Reading assignments will be posted to the class web site several days before the class. Students must read the assigned papers before each class and write a short summary to be turned in electronically before class. The summaries should be sent to 18732-f04-summaries@lists.andrew.cmu.edu in plain text format (no attachment). Each summary should contain a description of the technical approach in the paper, three technical points that you learned from the paper, and three most significant flaws that you discovered in the paper.

Grading:

35%	Final project	Each group needs to implement and demonstrate a tool that can assist in improving software system security. Each group needs to write a project report and give a in-class presentation.
10%	Attack Survey	Each group needs to survey a certain aspect of real exploits and attacks. Each group needs to write a survey paper on the selected topic and give a presentation in class.
10%	Product Survey	Each group needs to survey security products on a certain topic. Each group needs to write a survey paper on the selected topic and give a presentation in class.
15%	Midterm	There will be a midterm exam.
10%	Software security tools	A couple of published tools for software security will be covered in class. Each group of students is supposed to read the related papers and manuals of these tools, and try them out on selected programs and compare the different tools. Each group needs to write a report on the result of using these tools.
10%	Paper summaries	This portion is for paper summaries. Students must write a short summary for every paper assigned to the class. Summaries will be chosen randomly to be graded.
10%	Class participation	All students should participate in class discussions.

Format Requirements for Survey Paper and Project Report

The survey paper and project report should be written in LaTex, so we can easily assemble surveys and reports from different groups into one document. The template for the survey paper and project report is available here. You should write your contents in a separate file and include it in survey.tex and project.tex using the "\input{your-flie-name}" line. The bibliography should be included in the .bib tex file. If you are not familiar with LaTex, you may also use Lyx at http://www.lyx.org.

Resources:

Information about the class will be available at http://www.ece.cmu.edu/~dawnsong/teaching/f04. Course information, announcements, and reading assignments will be posted to this site. We will also be using the CMU Blackboard site for this course. To access the site, go to http://www.cmu.edu/blackboard and log in. If you are enrolled in the course, it will appear under my courses.

If you have a question about the course, including course logistics or material we have covered, please post it to the Discussion Board. It's on the course blackboard site, under Communications. You may also send mail to 18732-f04-general@lists.andew.cmu.edu.

Warning

We may discuss vulnerabilities in widely-deployed computer systems in class. This is not intended as an invitation to go exploit those vulnerabilities. CMU's policy (and my policy) on this should be clear: you may not break into machines that are not your own; you may not attempt to attack or subvert system security. Breaking into other people's systems is inappropriate, and the existence of a security hole is no excuse.