UNIVERSITY OF WISCONSIN-MADISON
Computer Sciences Department
CS 639
Spring 2020
Barton Miller
Elisa Heymann
CS 639: Introduction to Software Security

Class Staff

You can find up to date office hours on the class Google calendar.

Instructor: Barton Miller
email: bart@cs.wisc.edu
Office: 7363 CompSci
Phone: 263-3378
Office hours:
    TBD
Aldo hour:
    Fri 11am-noon
Instructor: Elisa Heymann
email: elisa@cs.wisc.edu
Office: 7364 CompSci
Phone: 262-0664
Office hours:
    TBD
    
TA: Akhil Guliani
email: guliani@wisc.edu
Office: TBD
Office hours:
    TBD
TA: Hsuan-Heng Wu
email: hwu337@wisc.edu
Office: TBD
Office hours:
    TBD
Peer Mentor: Emma He
email: he57@wisc.edu
Office: TBD
Office hours:
    TBD
Peer Mentor: Ali Zaidi
email: azaidi3@wisc.edu
Office: TBD
Office hours:
    TBD
Grader: TBD
email: TBD
Office: TBD
Office hours:
    TBD
    

Course Materials

The course is organized around our video lectures, text chapters, exercises and presentation slides. The videos and text chapters can be found on our (under development) Introduction to Software Security course web page.

We will also reference interesting papers, articles, and videos related to software security and a variety of relevant web resources.

All grades will be recorded on the class Canvas page and Piazza (linked from Canvas) will be used for online discussions.


In-class Sessions

Class times: Tuesday/Thursday 2:30 pm-3:45 pm
Room: Wendt

Important note: There will be regular in-class quizzes and learning exercises that are essential to complete.


Participation

Participation will count towards 10% of your grade (for a maximum of 10 points).
1 point: Each relevant news article that you post to Piazza. Note that only the first person who posts the news article will get credit. The articles must be related to software security to count for credit.
5 points: Each news article for which you are selected to present in class (and actually present in class).
5 points: Each security-related conference or journal paper that you review and summarize. Reviews will be 2 pages in length, in the specified format. The papers must be related to software security to count for credit. (You need instructor approval on a paper before reviewing it.)

Quizzes

There will be weekly in-class quizzes during the class and no final exam. Your lowest score will be dropped.


At Home Assignments

There will be about 20 homework assignments during the course. These assignments take the skills that you learned in the videos, text, and class, and give you a chance to practice them. Details on these assignments will be listed on the calendar below (under "At home" for a given date) and discussed in class.

Unless otherwise noted, you can work on these assignments alone or in pairs (and just to be clear, a pair means two people).


Late Work

Assignments listed as At home on the class schedule are due at the start of the next class day.

You must get permission at the time that the work is assigned if you will not be able to make that deadline.

The last assignment will be due by noon on the Friday of the last week of class.


Academic Conduct Agreement

Make sure to read the class page on the Academic Conduct Agreement. This is critical to your success in the class.

You must complete the online form on the class Canvas page, acknowledging that you accept this policy. Until you hand this in, no assignments will be accepted.


Cell Phones

Please make sure to turn off your cell phone during class time. If your cell phone or beeper rings audibly during class, you will be asked to leave and not return until you meet with us in our office.

Computer Facilities

The majority of our assignments will be completed on your personal laptop computers, running Windows, MacOS or Linux. Your computer needs to have at least 4 GB of RAM and 10-20 GB of free disk space.

In addition, you will have access to the CS Department's Linux and Windows workstations in the first floor labs for this course. All students who have registered for this class should have an account.

You will need access to a Windows machine for the Thinking Like a Designer part of the class, to use the Microsoft Threat Modeling tool.


Grading and Evaluation Policy

Class participation:10%
Quizzes:60%
At home exercises:30%


Class Schedule

The class consists of in-class sessions, video lectures, accompanying text chapters, and homework. It is organized around the following activities:
The videos and text chapters can be found at: http://research.cs.wisc.edu/mist/SoftwareSecurityCourse/

January 21
Watch: --
Read: --
In class: Course Overview
Motivating example: maritime cyber security
At home: Read Reflections on Trusting Trust by Ken Thompson and UNIX Operating System Security by Fred Grampp and Robert Morris.
January 23
Watch: Introduction Part 1, 2, 3, and Thinking like an Attacker modules
Read: Basic Concepts and Terminology and Thinking like an Attacker chapters
In class: In the News
Discussion on Introductory material
Discussion on Thinking like an Attacker
Discussion on the paper by K. Thompson
At home: Stuxnet: Watch the videos and read the articles for the exercise on Thinking Like an Attacker
Exercise on Thinking Like an Attacker
January 28
Watch: Numeric Errors module
Read: Numeric Errors chapter
In class: Thinking like an attacker results.
Discussion on Numeric Errors
Exercise on Numeric Errors
Virtual machine instructions
At home: Continuation of the Exercise on Numeric Errors
January 30
Watch: Serialization module
Read: Serialization chapter
In class: Quiz 1 (Introduction and Basic Concepts, Thinking like an Attacker)
In the News
Discussion on Serialization
Exercise on Serialization
At home: Continuation of Exercise on Serialization
February 4
Watch: Exceptions module
Read: Exceptions chapter
In class: Discussion on Exceptions
Exercise on Exceptions
At home: Continuation of Exercise on Exceptions
February 6
Watch: Introduction to Injection Attacks, SQL Injection modules
Read: Introduction to Injection Attacks, SQL Injection chapters
In class: Quiz 2 (Numeric Errors and Serialization)
In the News
Discussion on Injection Attacks and SQL Injections
Exercise on SQL injection
At home: Continuation of Exercise on SQL injection
February 11
Watch: Command Injection module
Read: Command Injection attacks chapter
In class: Discussion on injections and SQL injections
Exercise on command injection
At home: Continuation of exercise on command injection
February 13
Watch: XML injection module
Read: XML injection chapter
In class: Quiz 3 (Exceptions, Injections, SQL injections)
In the News.
Discussion on Command Injections
Exercise on XML injections
At home: Continuation of exercise on XML injections
February 18
Watch: Code Injections module
Read: Code Injections chapter
In class: Discussion on Code injections
Exercise on WebGoat Command Injections
At home: Continuation of exercise on WebGoat Command Injections
Delivery instructions
February 20
Watch: Directory Traversal module
Read: Directory Traversal chapter
In class: Quiz 4 (Command Injections, XML Injections)
In the News
Discussion on Directory traversal
At home: Exercise on Directory traversal
February 25
Watch: -
Read: -
In class: Safe Open (paper)
At home:
February 27
Watch: -
Read: -
In class: Quiz 5 (Directory Traversal, Safe Open)
In the News
Advanced Web Attacks and Mitigations:
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
At home: Exercises on Web attacks, XSS, and CSRF
March 3
No class
March 5
Watch: -
Read: -
In class: Quiz 6 (XSS, CSRF)
In the news
Advanced Web Attacks and Mitigations:
Session Management
Open Redirect
Other Attacks
At home: Continuation of the exercises on web attacks
Install Android Studio and get familiar writing a basic app
March 10
Watch: Mobile background module
Read: -
In class: Security for mobile
Exercises on Security for Mobile
At home: Exercises on Security for Mobile: XSS and Cookie Stealing
March 12
Watch: -
Read: Secure Design Principles chapter
In class: Quiz 7
In the news
Thinking like a designer
First exercise of threat modeling
At home: Install Microsoft Threat Modeling Tool
Continuation of the First Exercise on Threat Modeling
March 17 & 19
Spring Break!
March 24
Invited Talk: Blockchain and Smart Contracts
March 26
Watch: --
Read: Threat Modeling Overview and Goals module
In class: Quiz 8 (Thinking like a Designer)
In the news
Continuation discussion on Thinking like a designer
Second Exercise on Threat Modeling
At home: Continuation of the second Exercise on Threat Modeling
March 31
Watch: Introduction to FPVA
Read: Paper: "First Principles Vulnerability Assessment"
In class: FPVA Steps 1, 2, 3
Exercise on FPVA: Architecture and Resource diagram for this exercise
At home: Exercise on FPVA
April 2
Watch: -
Read: -
In class: Quiz 9 (Threat modeling)
In the News
Continuation on FPVA Step 4, 5
Short exercise on FPVA for class
At home: Exercise on FPVA
April 7
Watch: -
Read: -
In class: FPVA
Exercise on FPVA
At home: Exercise on FPVA
April 9
Watch: -
Read: -
In class: Quiz 10 (FPVA)
In the News
Continuation of FPVA
Exercise on FPVA
At home: Exercise on FPVA
April 14
Watch: Using Tools in the SWAMP
Read: -
In class: Fundamentals of Automated Assessment Tools
Exercise on Tools
At home: Exercise on tools
April 16
Watch: -
Read: -
In class: Quiz 11 (FPVA Exercise)
In the News
Automated assessment tools (Usage)
Exercise on tools
At home: Exercise on tools
April 21
Invited Talk: Loren Kohnfelder
April 23
Watch: -
Read: -
In class: Quiz 12 (FPVA)
In the news
Fuzz testing
Exercise on fuzzing
At home: Exercise on fuzzing
April 28
Watch: -
Read: -
In class: Dynamic Analysis Tools
Exercise on dynamic tools
At home: Exercise on dynamic tools
April 30
Watch: -
Read: -
In class: Quiz 13 (Fuzz exercise)
In the News
Exercise on dynamic tools
At home: Exercise on dynamic tools


Community Standards

Our class is a safe, supportive and accepting environment. The instructors and students are expected to demonstrate respect for others in class regardless of age, race, gender, religion, nationality or abilities.

Learning Outcomes


Credits and Hours

This course is for 3 credits.

The course is organized around the following activities:

Total of 135 hours for the 3 credits.

Disability Accommodations

The University of Wisconsin-Madison supports the right of all enrolled students to a full and equal educational opportunity. The Americans with Disabilities Act (ADA), Wisconsin State Statute (36.12), and UW-Madison policy (Faculty Document 1071) require that students with disabilities be reasonably accommodated in instruction and campus life. Reasonable accommodations for students with disabilities are a shared faculty and student responsibility. Students are expected to inform us of their need for instructional accommodations by the end of the third week of the semester, or as soon as possible after a disability has been incurred or recognized. We will work either directly with you or in coordination with the McBurney Center to identify and provide reasonable instructional accommodations. Disability information, including instructional accommodations as part of a student's educational record, is confidential and protected under FERPA.

In addition to completing an electronic Faculty Notification Letter request through McBurney Connect, it is important for students to contact us directly by the end of the third week of the semester to set up a meeting to discuss implementation of any necessary accommodations. This early communication helps ensure that accommodations can be implemented in a timely manner. For example, if an alternative exam room is needed, arrangements must be made well in advance of an exam date to ensure room availability and to secure a room booking.


Last modified: Fri Dec 20 14:34:48 CST 2019
