UNIVERSITY OF WISCONSIN-MADISON
Computer Sciences Department
CS 639
Spring 2020
Barton Miller
Elisa Heymann
CS 639: Introduction to Software Security

Class Staff

You can find up to date office hours on the class Google calendar.

Instructor: Barton Miller
email: bart@cs.wisc.edu
Office: 7363 CompSci
Phone: 263-3378
Instructor: Elisa Heymann
email: elisa@cs.wisc.edu
Office: 7364 CompSci
Phone: 262-0664
TA: Akhil Guliani
email: guliani@wisc.edu
Office: 1308 CS
TA: Hsuan-Heng Wu
email: hwu337@wisc.edu
Office: 4229 CS
Peer Mentor: Emma He
email: he57@wisc.edu
Office: TBD
Peer Mentor: Ali Zaidi
email: azaidi3@wisc.edu
Office: TBD
Grader: Nachiket Kshatriya
email: nkshatriya@wisc.edu

Course Materials

The course is organized around our video lectures, text chapters, exercises and presentation slides. The videos and text chapters can be found on our (under development) Introduction to Software Security course web page.

We will also reference interesting papers, articles, and videos related to software security and a variety of relevant web resources.

All grades will be recorded on the class Canvas page and Piazza (linked from Canvas) will be used for online discussions.


In-class Sessions

Class times: Tuesday/Thursday 2:30 pm-3:45 pm Room: 324 Wendt (Online now, BBCollaborate)

There will be regular in-class quizzes and learning exercises that are essential to complete.

Important note: Due to the Covid-19 crisis, all class sessions, quizzes, and office hours have moved online using BBCollaborate as of March 24. Class sessions will be recorded under BBCollaborate.


Participation

Participation will count towards 10% of your grade (for a maximum of 10 points).

The latest that you can turn in anything for participation is April 28 at 5pm.
1 point: Each relevant news article that you post to Piazza. Include a summary of the main points and conclusions of the article, including your opinion on it. If the article is about a vulnerability, you need to show two key things: (1) the vulnerable code, along with an explanation of why it is vulnerable, and (2) details of the exploit of that vulnerability. Note that only the first person who posts the news article will get credit. The articles must be related to software security to count for credit. Please, no articles about phishing or other human engineering attacks unless it is about how to build systems that can detect or defend against such attacks.
5 points: Each news article for which you are selected to present in class (and actually present in class).
3 points: Each security-related colloquium (talk) that you attend. For each talk, you must check in with Bart or Elisa if they are attending the talk, or get the signature of an attending faculty member. You will need to write a 2-page summary that includes the following sections: (1) the speaker's name and affiliation, (2) the title of the talk, (3) the problem that they are addressing, (4) the techniques that they used, (5) the results that they obtained, and (6) your evaluation of the work. Note that you must submit your summary within 10 days of the presentation.
5 points: Each security-related conference or journal paper that you review and summarize. Reviews will be 2 pages with the following sections: (1) the authors' names and affiliations, (2) the title of the paper and citation (conference name, date, city; journal name, date, volume, issue, URL if appropriate; website URL), (3) the problem that they are addressing, (4) the techniques that they used, (5) the results that they obtained, and (6) your evaluation of their work. The papers must be related to software security to count for credit. You need instructor approval on a paper before reviewing it (no later than April 21).
Note: you can add up to 5 extra participation points (above the 10) for extra credit.


Quizzes

There will be weekly in-class quizzes during the class and no final exam. Your lowest score will be dropped.

Quiz 1: Basic Concepts and Stuxnet, (Jan 24) Graded by Nachiket
Quiz 2: Numeric Errors and Serialization (Feb 6) Graded by Akhil
Quiz 3: Exceptions, Injections, SQL injections, (Feb 13) Graded by Hsuan-Heng
Quiz 4: Command Injections, XML injections, (Feb 20) Graded by Akhil
Quiz 5: WebGoat exercise, Code Injection, Directory Traversal, (Feb 27) Graded by Nachiket
Quiz 6: SafeOpen, (March 5) Graded by Hsuan-Heng
Quiz 7: Web, (March 12) Graded by Akhil
Quiz 8: Mobile, (March 26) Graded by Akhil
Quiz 9: Threat Modeling, (April 2) Graded by Akhil
Quiz 10: FPVA, (April 16) Graded by Hsuan-Heng
Quiz 11: Automated Assessment Tools, (April 23) Graded by Hsuan-Heng
Quiz 12: Fuzz, (April 30) Graded by Akhil


At Home Assignments

There will be about 20 homework assignments during the course. These assignments will take the skills that you learned in the videos, text, and class, and give you a chance to practice them. Details on these assignments will be listed on the calendar below (under "At home" for a given date) and be discussed in class.

Unless otherwise noted, you can work on these assignments alone or in pairs (and just to be clear, a pair means two people).


Late Work

Assignments listed as At home on the class schedule are due at the start of next class day.

You must get permission at the time that the work is assigned if you will not be able to make that deadline.

The last assignment will be due by noon on the Friday of the last week of class.


Academic Conduct Agreement

Make sure to read the class page on the Academic Conduct Agreement. This is critical to your success in the class.

You must complete the online form on the class Canvas page, acknowledging that you accept this policy. Until you hand this in, no assignments will be accepted.


Cell Phones

Please make sure to turn off your cell phone during class time. If your cell phone or beeper rings audibly during class, you will be asked to leave and not return until you meet with us in our office.

Computer Facilities

The majority of our assignments will be completed on your personal laptop computers, running Windows, MacOS or Linux. Your computer needs to have at least 4 GB of RAM and 10-20 GB of free disk space.

In addition, you will have access to the CS Department's Linux and Windows workstations in the first floor labs for this course. All students who have registered for this class should have an account.

You will need access to a Windows machine for the Thinking Like a Designer part of the class, to use the Microsoft Threat Modeling tool.


Grading and Evaluation Policy

Class participation: 10%
Quizzes: 60%
At home exercises: 30%


Class Schedule

The class consists of in-class sessions, video lectures, accompanying text chapters, and homework. It is organized around the following activities: The videos and text chapters can be found at: http://research.cs.wisc.edu/mist/SoftwareSecurityCourse/

January 21
Watch: --
Read: --
In class: Course Overview
Motivating example: maritime cyber security
At home: Read Reflections on Trusting Trust by Ken Thompson and UNIX Operating System Security by Fred Gramp and Robert Morris.
January 23
Watch: Introduction Part 1, 2, 3, and Thinking like an Attacker modules
Read: Basic Concepts and Terminology and Thinking like an Attacker chapters
In class: Discussion on Introductory material
Discussion on Thinking like an Attacker
Discussion on the paper by K. Thompson
At home: Stuxnet: Watch the videos and read the articles for the exercise on Thinking Like an Attacker
Exercise on Thinking Like an Attacker
January 28
Watch: Numeric Errors module
Read: Numeric Errors chapter
In class: In the News
Thinking like an attacker/Stuxnet results.
Discussion on Numeric Errors
Exercise on Numeric Errors
Virtual machine instructions
At home: Continuation of the Exercise on Numeric Errors
January 30
Watch: Serialization module
Read: Serialization chapter
In class: Quiz 1 (Introduction and Basic Concepts, Thinking like an Attacker, Stuxnet)
Discussion on Serialization
Exercise on Serialization
At home: Continuation of Exercise on Serialization
February 4
Watch: Exceptions module
Read: Exceptions chapter
In class: In the News: Seriously, stop using RSA (Ryan Liang)
Discussion on Exceptions
Exercise on Exceptions
At home: Continuation of Exercise on Exceptions
February 6
Watch: Introduction to Injection Attacks, SQL Injection modules
Read: Introduction to Injection Attacks, SQL Injection chapters
In class: Quiz 2 (Numeric Errors and Serialization)
Discussion on Injection Attacks and SQL Injections
Exercise on SQL injection
At home: Continuation of Exercise on SQL injection
Extra credit: SQL injection in Python
Files you will need: create.py and sqlMain.py
February 11
Watch: Command Injection module
Read: Command Injection attacks chapter
In class: In the News: sudo buffer overflow vulnerability, https://nvd.nist.gov/vuln/detail/CVE-2019-18634 (Tianhao Chan)
Discussion on Command Injections
Exercise on Command Injections
At home: Continuation of exercise on Command Injections
February 13
Watch: XML injection module
Read: XML injection chapter
In class: Quiz 3 (Exceptions, Injections, SQL injections)
Discussion on XML Injections
Exercise on XML injections
At home: New Virtual Machine image
In Docker (Follow these instructions)
Continuation of exercise on XML injections
February 18
Watch: Code Injections module
Read: Code Injections chapter
In class: In the News: Cisco Router Vulnerability (Elias Barrett-Wilt)
Discussion on Code Injections
Exercise on WebGoat Command Injections
At home: Continuation of exercise on WebGoat Command Injections
February 20
Watch: Directory Traversal module
Read: Directory Traversal chapter
In class: Quiz 4 (Command Injections, XML Injections)
Discussion on Directory traversal
Updated Directory Traversal slides
At home: Exercise on Directory traversal
February 25
Watch: -
Read: Safe Open paper
In class: In the News: Who is responsible for code security (William Hofkamp)
Safe Open (paper, slides)
safe_open_no_create algorithm (powerpoint)
At home:
February 27
Watch: Web Attacks: Background, Cross Site Scripting, and Cross Site Request Forgery modules. (3 videos)
Read: -
In class: Quiz 5 (WebGoat exercise, Code Injection, Directory Traversal)
Advanced Web Attacks and Mitigations:
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
At home: Exercises on Web attacks: XSS, and CSRF
VM image for the Web exercises
March 3
No class
March 5
Watch: Web Attacks: Session Management and Redirection modules (2 videos)
Read: -
In class: Quiz 6 (Safe Open)
Advanced Web Attacks and Mitigations:
Session Management
Open Redirect
Other Attacks
At home: Continuation of the exercises on web attacks
March 10
Watch: -
Read: -
In class: In the News: PPPD Vulnerability, David Stewart
Guest Instructor: Adam Everspaugh, Blockchain and Smart Contracts.
At home: Install Android Studio and get familiar writing a basic app
March 12
Watch: Mobile modules
Read:
In class: Quiz 7 (Web)
Security for mobile
Exercises on Security for Mobile
Class slides
At home: Exercises on Security for Mobile: XSS and Cookie Stealing
March 17 & 19
Spring Break!
March 24
Watch: -
Read: Secure Design Principles chapter
Reread Basic Concepts and Terminology chapter
Chapters 5 and 7 of Loren's book (optional, available on Canvas)
In class: In the News: WordPress Pop-up Plug-in XSS Attack (Zachary Lesavich)
Thinking like a designer
First Exercise on Threat Modeling
At home: Continuation of the First Exercise on Threat Modeling
Install Microsoft Threat Modeling Tool
March 26
Watch: -
Read: Threat Modeling Overview and Goals module
Threat Modeling: 12 Available Methods
Slides from class
Chapter 4 of Loren's book (available on Canvas)
In class: Quiz 8 (Mobile)
Continuation discussion on Thinking like a designer
Second Exercise on Threat Modeling
At home: Continuation of the second Exercise on Threat Modeling
March 31
Watch: Introduction to FPVA
Read: Paper: "First Principles Vulnerability Assessment"
In class: In the News: Zoho Zero Day Serialization vulnerability (Chenhao Lu)
FPVA Step 1
Exercise on FPVA: Architecture and Resource diagram for this exercise
At home: Exercise on FPVA
April 2
Watch: -
Read: -
In class: Quiz 9 (Threat modeling)
Continuation on FPVA Step 2, Step 3
Class activity
At home: Exercise on FPVA
April 7
Watch: -
Read: -
In class: In the News: Zoombombing and Zoom Path Injection (Becca Mercer and Zach Lesavich)
Continuation on FPVA
Step 4, Step 5
Exercise on FPVA
At home: Exercise on FPVA
April 9
No class
April 14
Watch: Using Tools in the SWAMP
Read: -
In class: In the News: Citrix vulnerability and Citrix patch management (Meghan Ammentorp)
Fundamentals of Automated assessment tools
At home: Exercise on tools
April 16
Watch: -
Read: -
In class: Quiz 10 (FPVA)
Automated assessment tools (Usage)
Exercise on tools
At home: Exercise on tools
April 21
Watch: -
Read: -
In class: In the News: jQuery XSS Vulnerability, Devin Porter
Guest Instructor: Eugene Spafford, "Rethinking Cyber Security" (slides)
At home: Exercise on fuzzing
April 23
Watch: -
Read: Classic fuzz paper (required),
Fuzz revisited (optional),
Fuzzing Windows (optional),
Fuzzing MacOS (optional)
In class: Quiz 11 (Automated Assessment Tools, Spaf)
Fuzz testing (slides)
Exercise on fuzzing
At home: Exercise on fuzzing
April 28
Watch: -
Read: -
In class: In the News: Qualcomm mobile chipset device race condition, Nathan Weinshenker
Fuzz testing (continued)
Dynamic Analysis Tools
At home: Exercise on fuzzing
April 30
Watch: -
Read: -
In class: Quiz 12 (SWAMP, Fuzz)
Special presentation on diagnosing malware (slides)
Background papers:
At home: -


Community Standards

Our class is a safe, supportive and accepting environment. The instructors and students are expected to demonstrate respect for others in class regardless of age, race, gender, religion, nationality or abilities.

Learning Outcomes


Credits and Hours

This course is for 3 credits.

The course is organized around the following activities:

Total of 135 hours for the 3 credits.

Disability Accommodations

The University of Wisconsin-Madison supports the right of all enrolled students to a full and equal educational opportunity. The Americans with Disabilities Act (ADA), Wisconsin State Statute (36.12), and UW-Madison policy (Faculty Document 1071) require that students with disabilities be reasonably accommodated in instruction and campus life. Reasonable accommodations for students with disabilities are a shared faculty and student responsibility. Students are expected to inform us of their need for instructional accommodations by the end of the third week of the semester, or as soon as possible after a disability has been incurred or recognized. We will work either directly with you or in coordination with the McBurney Center to identify and provide reasonable instructional accommodations. Disability information, including instructional accommodations as part of a student's educational record, is confidential and protected under FERPA.

In addition to completing an electronic Faculty Notification Letter request through McBurney Connect, it is important for students to contact us directly by the end of the third week of the semester to set up a meeting to discuss implementation of any necessary accommodations. This early communication helps ensure that accommodations can be implemented in a timely manner. For example, if an alternative exam room is needed, arrangements must be made well in advance of an exam date to ensure room availability and to secure a room booking.


Last modified: Fri May 1 07:53:04 CDT 2020
