UNIVERSITY OF WISCONSIN-MADISON
Computer Sciences Department
CS 639
Spring 2019
Barton Miller
Elisa Heymann
CS 639: Introduction to Software Security

Class Staff

You can find up to date office hours on the class Google calendar.

Instructor: Barton Miller
email: bart@cs.wisc.edu
Office: 7363 CompSci
Phone: 263-3378
Office hours:
    Mon 2-3:30pm
Aldo hour:
    Fri 11am-noon
Instructor: Elisa Heymann
email: elisa@cs.wisc.edu
Office: 7364 CompSci
Phone: 262-0664
Office hours:
    Mon and Wed 3pm-4:30pm
    
TA: Hongjiang Lv
email: hlv2@wisc.edu
Office: 4244 CompSci
Office hours:
    Mon 9-10am
    Wed 9-11am
    Fri 9-11am
TA: Ainur Ainabekova
email: ainabekova@wisc.edu
Office: 4291 CompSci
Office hours:
    Tue 2:30-5:30pm
    Thu 2:30-4:30pm
Grader: Arjun Kashyap
email: akashyap3@wisc.edu
Office: 4244 CompSci
Office hours:
    Mon 9-10am
    Wed 9-11am
    Fri 9-11am

Course Materials

The course is organized around our video lectures, text chapters, exercises and presentation slides. The videos and text chapters can be found on our (under development) Introduction to Software Security course web page.

We will also reference interesting papers, articles, and videos related to software security and a variety of relevant web resources.

All grades will be recorded on the class Canvas page and Piazza (linked from Canvas) will be used for online discussions.


In-class Sessions

Class times: Tuesday/Thursday 11:00 am-12:15 pm
Room: 311 Wendt COE ALC

Important note: Class attendance is mandatory. There will be regular in-class quizzes and learning exercises that are essential to complete. If you will miss a class, you must talk with Elisa or Bart beforehand.


Quizzes

There will be weekly in-class quizzes during the class and no final exam.

You can check statistics on the quiz scores.

Quiz 12: FPVA Exercise and Automated Assessment Tools, (Apr 18) Arjun & Hongjiang
Quiz 11: FPVA, (Apr 11) Ainur
Quiz 10: Open Redirect, Session Management, (Apr 4) Hongjiang
Quiz 9: XSS, CSRF, (Mar 28) Arjun
Quiz 8: Directory Traversal, Safe Open, (Mar 14) Ainur
Quiz 7: Command, Code, and XML Injections, (Mar 7) Hongjiang
Quiz 6: Exceptions, Injections, SQL Injections, (Feb 28) Arjun & Hongjiang
Quiz 5: Numeric Errors, Serialization, (Feb 21) Arjun & Ainur
Quiz 4: Buffer Overflows, (Feb 14)
Quiz 3: Threat Modeling, (Feb 7)
Quiz 2: Thinking like an attacker, Stuxnet exercise, Secure design principles, (Feb 5)
Quiz 1: Basic Concepts and Terminology, (Jan 24)


At Home Assignments

There will be about 20 homework assignments during the course. These assignments will take the skills that you learned in the videos, text, and class, and give you a chance to practice them. Details on these assignments will be listed on the calendar below (under "At home" for a given date) and be discussed in class.

Unless otherwise noted, you can work on these assignments alone or in pairs (and just to be clear, a pair means two people).

You can check statistics on the exercise scores.


Extra Credit

These assignments can boost your grade. Note that they are more difficult than the regular assignments.

You can check statistics on the exercise scores.


Late Work

Assignments listed as At home on the class schedule are due at the start of the next class day.

You must get permission at the time that the work is assigned if you will not be able to make that deadline.

The last assignment will be due by noon on the Friday of the last week of class.


Academic Conduct Agreement

Make sure to read the class page on Academic Conduct Agreement. This is critical to your success in the class.

You must complete the online form on the class Canvas page, acknowledging that you accept this policy. Until you hand this in, no assignments will be accepted.


Cell Phones

Please make sure to turn off your cell phone during class time. If your cell phone or beeper rings audibly during class, you will be asked to leave and not return until you meet with us in our office.

Computer Facilities

The majority of our assignments will be completed on your personal laptop computers, running Windows, MacOS or Linux. Your computer needs to have at least 4 GB of RAM and 10-20 GB of free disk space.

In addition, you will have access to the CS Department's Linux and Windows workstations in the first floor labs for this course. All students who have registered for this class should have an account.

You will need access to a Windows machine for the Thinking Like a Designer part of the class, to use the Microsoft Threat Modeling tool.


Grading and Evaluation Policy

Class participation: 10%
Quizzes: 60%
At home exercises: 30%

If you miss more than two classes, you will lose the 10% for class participation (effectively lowering your final grade by one letter).


Class Schedule

The class is comprised of in-class sessions, video lectures, accompanying text chapters, and homework. It is organized around the following activities: The videos and text chapters can be found at: http://research.cs.wisc.edu/mist/SoftwareSecurityCourse/

January 22
Watch: --
Read: --
In class: Course Overview
In the News
Motivating example: maritime cyber security
At home: Read Reflections on Trusting Trust by Ken Thompson and UNIX Operating System Security by Fred Gramp and Robert Morris.
January 24
Watch: Introduction Part 1, 2, 3 modules
Read: Basic Concepts and Terminology chapters
In class: Quiz 1 (Introduction and Basic Concepts)
In the News
Discussion on Introductory material
Discussion on the paper by K. Thompson
At home: Stuxnet: Watch the videos and read the articles for the exercise on Thinking Like an Attacker
January 29
Watch: Thinking like an attacker module
Read: Thinking like an attacker chapter
In class: In the News
Thinking like an attacker
Stuxnet
At home: Exercise on Thinking Like an Attacker
January 31
Class canceled due to weather

February 5
Watch: --
Read: Secure Design Principles
In class: Quiz 2 (Thinking like an attacker, Stuxnet exercise, Secure design principles)
In the News
Thinking like a designer
Exercise on Threat Modeling
At home: Install Microsoft Threat Modeling Tool
Exercise on Threat Modeling
February 7
Watch: --
Read: Threat Modeling Overview and Goals module
In class: Quiz 3 (Threat Modeling)
In the News
Continuation discussion on Thinking like a designer
Threat Modeling
Continuation of the exercise on Threat Modeling
At home: Continuation of the exercise on Threat Modeling
February 12
Watch: Pointers and Strings module
Read: Pointers and Strings chapter
In class: In the News: Encryption, privacy and messaging
Thinking like a designer results.
Discussion on Pointers and Strings
Exercise on Buffer Overflow
At home: Continuation of the Exercise on Buffer Overflow
February 14
Watch: Numeric Errors module
Read: Numeric Errors chapter
In class: Quiz 4 (Buffer overflow)
In the News: Microsoft Exchange zero-day, article 1, article 2
Discussion on Numeric Errors
Exercise on Numeric Errors
Virtual machine instructions
At home: Continuation of exercise on Numeric Errors
Set up Virtual machine
February 19
Watch: Serialization module
Read: Serialization chapter
In class: In the News
Discussion on Serialization
Exercise on Serialization
At home: Continuation of exercise on Serialization
February 21
Watch: Exceptions module
Read: Exceptions chapter
In class: Quiz 5 (Numeric Errors and Serialization)
In the News
Discussion on Exceptions
Exercise on Exceptions
At home: Continuation of exercise on Exceptions
February 26
Watch: Introduction to injection attacks, SQL injection module
Read: Introduction to injection attacks, SQL injection chapters
In class: In the News: Karma iPhone attack
Discussion on injections and SQL injections
Exercise on SQL injection
At home: Continuation of exercise on SQL injection
February 28
Watch: Command injection module
Read: Command injection chapter
In class: Quiz 6 (Exceptions, Injections, SQL injections)
In the News: VFEmail server attack
Discussion on Command Injections
Exercise on Command injections
At home: Continuation of exercise on Command injections
March 5
Watch: Code Injections, XML Injection module
Read: Code Injections, XML Injections chapters
In class: In the News: Hacking Back (article 1) Hacking Back (article 2)
Discussion on Code injections and XML injections
Exercise on WebGoat Command Injections
At home: Continuation of exercise on WebGoat Command Injections
Delivery instructions
March 7
Watch: Directory Traversal module
Read: Directory Traversal chapter
In class: Quiz 7 (Command Injections, Code Injections, XML Injections)
In the News: Docker and Kubernetes container attack
Discussion on Directory traversal
At home: Exercise on Directory traversal
Exercise on XML injection
March 12
Watch: -
Read: -
In class: In the News: Cisco router strcpy vulnerability
Safe Open (paper, slides)
At home: Continuation of the exercises on Directory Traversal and XML Attacks
March 14
Watch: -
Read: -
In class: Quiz 8 (Directory traversal, Safe Open)
In the News: Google's MacOS vulnerability
Web attacks: Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
(slides)
At home: Exercise on Web attacks: XSS and CSRF (3 documents)
Install Android Studio and get familiar writing a basic app
March 19 & 21
Spring Break!
March 26
Watch: Mobile: Background module
Read: -
In class: In the News: Fake APKs for Apex Legend Games
Security for mobile
Exercises on Security for Mobile
At home: Exercises on Security for Mobile: XSS and Cookie Stealing (no doughnuts per typos in the mobile exercises).
March 28
Watch: -
Read: -
In class: Quiz 9 (XSS, CSRF)
In the News: The Dark Side of Machine Learning
Session Hijacking
Open Redirect
(slides)
At home:
April 2
Watch: Introduction to FPVA
Read: Paper: "First Principles Vulnerability Assessment"
In class: In the News: "Man-in-the-Disk" attack on Android (Nimish Sarin)
FPVA (Step 1, Step 2, Step 3)
Exercise on FPVA: Architecture and Resource diagram for this exercise
At home: Exercise on FPVA
April 4
Watch: -
Read: -
In class: Quiz 10 (Mobile, Open redirect, Session management)
In the News: Hacking Medical Implants (Kurians Paul)
Continuation on FPVA (Step 4, Step 5)
Short exercise on FPVA for class
At home: Exercise on FPVA
April 9
No class
April 11 (Jim Kupsch)
Watch: -
Read: -
In class: Quiz 11 (FPVA)
In the News: Unpatched Microsoft Edge vulnerabilities
Continuation of FPVA
Exercise on FPVA
At home: Exercise on FPVA
April 16
Watch: Using Tools in the SWAMP
Read: -
In class: In the News: Voting machine vulnerabilities (Meagan Barillari)
Automated assessment tools (Fundamentals)
Exercise on tools
At home: Exercise on tools
Support material: Create Packages, Create and Run Assessments, Share packages, Parasoft EULA
April 18
Watch: -
Read: -
In class: Quiz 12 (FPVA Exercise and Automated assessment tools)
In the News: "Spoiler" Intel speculative execution vulnerability (Mitch Gianinni)
Automated assessment tools (Usage)
Exercise on tools
At home: Exercise on tools
April 23
Watch: -
Read: -
In class: In the News: Spoofing Windows registry dialog boxes (Kyle LaMott)
Fuzz testing: classic paper (required), fuzz revisited (optional), fuzzing Windows (optional), fuzzing MacOS (optional)
Fuzz Presentation
Exercise on fuzzing
At home: Exercise on fuzzing
April 25
Watch: -
Read: -
In class: Quiz 13 (Tools, Fuzz testing)
In the News: Hacking commercial aircraft and a follow up article (Arpit Jain)
Dynamic tools
Exercise on fuzzing
At home: Exercise on fuzzing
April 30
No class
May 2
Watch: -
Read: -
In class: Quiz 14 (Fuzz exercise, Dynamic tools)
In the News: CSS Injections (Shawn Zhong)
System Defenses: address space layout randomization, heap guards, stack canaries, control flow integrity checking.
At home: Exercise on dynamic tools


Community Standards

Our class is a safe, supportive and accepting environment. The instructors and students are expected to demonstrate respect for others in class regardless of age, race, gender, religion, nationality or abilities.

Learning Outcomes


Credits and Hours

This course is for 3 credits. If you completed the 1-credit CS638 (Secure Coding) last Summer, you should contact Elisa or Bart for alternative assignments during the secure coding part of this course.

The course is organized around the following activities:

Total of 135 hours for the 3 credits.

Disability Accommodations

The University of Wisconsin-Madison supports the right of all enrolled students to a full and equal educational opportunity. The Americans with Disabilities Act (ADA), Wisconsin State Statute (36.12), and UW-Madison policy (Faculty Document 1071) require that students with disabilities be reasonably accommodated in instruction and campus life. Reasonable accommodations for students with disabilities are a shared faculty and student responsibility. Students are expected to inform us of their need for instructional accommodations by the end of the third week of the semester, or as soon as possible after a disability has been incurred or recognized. We will work either directly with you or in coordination with the McBurney Center to identify and provide reasonable instructional accommodations. Disability information, including instructional accommodations as part of a student's educational record, is confidential and protected under FERPA.

In addition to completing an electronic Faculty Notification Letter request through McBurney Connect, it is important for students to contact us directly by the end of the third week of the semester to set up a meeting to discuss implementation of any necessary accommodations. This early communication helps ensure that accommodations can be implemented in a timely manner. For example, if an alternative exam room is needed, arrangements must be made well in advance of an exam date to ensure room availability and to secure a room booking.


Last modified: Sun Apr 28 16:35:16 CDT 2019
