UNIVERSITY OF WISCONSIN-MADISON
Computer Sciences Department
CS 542
Spring 2021
Barton Miller
Elisa Heymann
CS 542: Introduction to Software Security

Class Staff

Office hours:

Instructor: Barton Miller
email: bart@cs.wisc.edu
Office: 7363 CompSci
Phone: 263-3378
Instructor: Elisa Heymann
email: elisa@cs.wisc.edu
Office: 7364 CompSci
Phone: 262-0664
TA: Akhil Guliani
email: guliani@wisc.edu
Office: 1308 CS
TA: Shanmathi Natarajan
email: natarajan8@wisc.edu
Office: TBD
Peer Mentor: Yebo Cao
email: ycao99@wisc.edu
Office: TBD
Peer Mentor: Joziah Mays
email: jmays2@wisc.edu
Office: TBD
Grader: Nisarg Shah
email: nisargs@cs.wisc.edu

Course Materials

The course is organized around our video lectures, text chapters, exercises and presentation slides. The videos and text chapters can be found on our (under development) Introduction to Software Security course web page.

We will also reference interesting papers, articles, and videos related to software security and a variety of relevant web resources.

All grades will be recorded on the class Canvas page; Piazza (linked from Canvas) will be used for online Q and A.


In-class Sessions

Class times: Tuesday/Thursday 11:00 am-12:15 pm
Room: Online now, BBCollaborate

There will be regular in-class quizzes and learning exercises that are essential to complete.

Important note: Due to the Covid-19 crisis, all class sessions, quizzes, and office hours are online using BBCollaborate.
Class sessions will be recorded under BBCollaborate.


Quizzes

There will be weekly in-class quizzes during the class and no final exam. Your lowest quiz score will be dropped.

If you have questions or concerns about the grading of any of your homeworks, you need to contact the person who graded your work within two weeks of when the grade was released.


At Home Assignments

There will be weekly homework assignments during the course. These assignments will take the skills that you learned in the videos, text, and class, and give you a chance to practice them. Details on these assignments will be listed on the calendar below (under "At home" for a given date) and be discussed in class.

Unless otherwise noted, you can work on these assignments alone or in pairs (and just to be clear, a pair means two people).

If you have questions or concerns about the grading of any of your homeworks, you need to contact the person who graded your work within two weeks of when the grade was released.


Late Work

Assignments listed as At home on the class schedule are due at the start of next class day.

You must get permission at the time that the work is assigned if you will not be able to make that deadline.

The last assignment will be due by noon on the Friday of the last week of class.


Extra Credit

Extra credit can add up to 10 points to your grade (on top of the possible 100 point total).

The latest that you can turn in any work for extra credit is 11am on April 29.

5 points: You can submit news articles on the topic of software security to Piazza. Include a summary of the main points and conclusions of the article, including your opinion on it. If the article is about a vulnerability, you need to show two key things: (1) the vulnerable code, along with an explanation of why it is vulnerable, and (2) details of the exploit of that vulnerability. The articles must be related to software security. Please, no articles about phishing or other human engineering attacks unless it is about how to build systems that can detect or defend against such attacks.

We will select one article per week to be presented in class during the "In the News" segment. You get credit only if the article is selected and you present it.


5 points: For one security-related colloquium (talk) that you attend. For this talk, you must have the talk approved in advance by Bart or Elisa, and check in with them if they are attending the talk, or get the signature of an attending faculty member (if in person). You will need to write at least a 5 page summary (10 point font, single space, 1" margins) that includes the following sections, each one clearly labeled with headers: (1) the speaker's name and affiliation, (2) the title of the talk, (3) the problem that they are addressing, (4) details of the techniques that they used, (5) details of the results that they obtained, and (6) your evaluation of the work. You will get full credit only if your report is thorough and complete; otherwise you will get partial credit.

You will likely need to read background papers on the topic of the presentation. Make sure to cite any papers that you read in your report. Note that you must submit your summary within 5 days of the presentation.


5 points: For one security-related conference or journal paper that you review and summarize. Your review will be at least 5 pages (10 point font, single space, 1" margins) with the following sections, each one clearly labeled with headers: (1) the authors' names and affiliations, (2) the title of the paper and citation (conference name, date, city; journal name, date, volume, issue, URL if appropriate; website URL), (3) the problem that they are addressing, (4) details of the techniques that they used, (5) details of the results that they obtained, and (6) your evaluation of their work. You will get full credit only if your report is thorough and complete; otherwise you will get partial credit.

The papers must be related to software security to count for credit. You need instructor approval on a paper before reviewing it (no later than April 21).

You will likely need to read papers related to the one that you chose. Make sure to cite any papers that you read in your report.


Note: You can get credit for only one of each category, and make at most one submission per week.


Academic Conduct Agreement

Make sure to read the class page on the Academic Conduct Agreement. This is critical to your success in the class.

You must complete the online form on the class Canvas page, acknowledging that you accept this policy. Until you hand this in, no assignments will be accepted.


Cell Phones

Please make sure to turn off your cell phone during class time. If your cell phone or beeper rings audibly during class, you will be asked to leave and not return until you meet with us in our office.

Computer Facilities

The majority of our assignments will be completed on your personal laptop computers, running Windows, MacOS or Linux. Your computer needs to have at least 4 GB of RAM and 10-20 GB of free disk space.

In addition, you will have access to the CS Department's Linux and Windows workstations in the first floor labs for this course. All students who have registered for this class should have an account.

You will need access to a Windows machine for the Thinking Like a Designer part of the class, to use the Microsoft Threat Modeling tool.


Grading and Evaluation Policy

Quizzes: 60%
At home exercises: 40%


Class Schedule

The class consists of in-class sessions, video lectures, accompanying text chapters, and homework. It is organized around the following activities: The videos and text chapters can be found at: http://research.cs.wisc.edu/mist/SoftwareSecurityCourse/

January 26
Watch: --
Read: --
In class: Course Overview
Motivating example: maritime cyber security
MITRE Top 25 CWE List
At home: Read Reflections on Trusting Trust by Ken Thompson and (optionally) UNIX Operating System Security by Fred Grampp and Robert Morris.
January 28
Watch: 1.2.1 Introduction Part 1: Basic Terminology,
1.2.2 Introduction Part 2: Threats,
1.2.3 Introduction Part 3: Risks and Basic Concepts,
1.3 Thinking Like an Attacker: Owning the Bits
Read: Basic Concepts and Terminology and Thinking like an Attacker chapters
In class: Discussion on Introductory material
Discussion on Thinking like an Attacker
Discussion on the paper by K. Thompson
At home: Stuxnet: Watch the videos and read the articles for the exercise on Thinking Like an Attacker
Exercise on Thinking Like an Attacker (due Feb 2)
February 2
Watch: 3.2 Numeric Errors module
Read: Numeric Errors chapter
In class: In the News, Visual Studio Hack, slides, Jessie Steckling
Thinking like an attacker/Stuxnet results.
Discussion on Numeric Errors
Exercise on Numeric Errors
Virtual machine instructions
At home: Continuation of the Exercise on Numeric Errors (due Feb 9)
February 4
Watch: 3.5 Serialization
Read: Serialization chapter
In class: Quiz 1 (Introduction and Basic Concepts, Thinking like an Attacker, Stuxnet)
Discussion on Serialization
Exercise on Serialization
At home: Continuation of the Exercise on Serialization (Due Feb 9)
February 9
Watch: 3.4 Exceptions
Read: Exceptions chapter
In class: In the News: Solar Winds Orion attack, slides, Aryan Sharma
Discussion of Numeric Errors and Serialization solutions
Breakout Groups and Discussion on Exceptions
Exercise on Exceptions
At home: Continuation of Exercise on Exceptions (due Feb 16)
February 11
Watch: 3.8 Introduction to Injection Attacks,
3.8.1 SQL Injection
modules
Read: Introduction to Injection Attacks, SQL Injection chapters
In class: Quiz 2 (Numeric Errors and Serialization)
Questions about Exceptions?
Breakout Groups and Discussion on Injection Attacks and SQL Injections
Exercise on SQL injection
At home: Continuation of Exercise on SQL injection (due Feb 16)
February 16
Watch: 3.8.2 Command Injection
Read: Command Injection attacks chapter
In class: In the News: Palo Alto Networks command injection
Discussion on the Exceptions and SQL injection exercises
Breakout Groups and Discussion on Command Injections
Exercise on Command Injections
At home: Continuation of exercise on Command Injections (due Feb 23)
February 18
Watch: 3.8.4 XML injection
Read: XML injection chapter
In class: Quiz 3 (Exceptions, Injections, SQL injections)
Questions about command injections?
Breakout Groups and Discussion on XML Injections
Exercise on XML injections
At home: Continuation of exercise on XML injections (due Feb 25)
February 23
Watch: 3.8.3 Code Injections
Read: Code Injections chapter
In class: In the News: Slow Loris Attack, Youtube video, slides, Suramy Pidara
Review exercise on Command Injection
Breakout Groups and Discussion on Code Injections
Exercise on Command Tampering with ZAP (due March 2)
At home: Continuation of exercise on XML injections(due Feb 25)
February 25
Watch: 3.3 Directory Traversal
Read: 3.3 Directory Traversal chapter
In class: Quiz 4 (Command Injections, XML Injections)
Breakout Groups and Discussion on Directory Traversal
Updated Directory Traversal slides (starting at slide 17)
At home: Exercise on Directory traversal (due March 2)
March 2
Watch: -
Read: Safe Open paper
In class: Safe Open (paper, slides)
safe_open_no_create algorithm (powerpoint)
Breakout Groups and Discussion on File Kernel Calls
At home: Exercise on File System Races (due March 9)
March 4
Watch: -
Read: -
In class: Quiz 5 (Code Injection, Directory Traversal)
Guest Instructor: Prof. Daphne Yao (Virginia Tech), Secure Use of Java Cryptographic APIs, slides
At home: Continuation of the Exercise on File System Races (due March 9)
March 9
Watch: 3.9.1 Web Attacks: Background,
3.9.2 Web Attacks: Cross Site Scripting (XSS),
3.9.3 Web Attacks: Cross Site Request Forgery (CSRF)
Read: -
In class: Discuss Daphne Yao's presentation
Discuss results from Race exercise
Questions on Web Attacks and Mitigations
Breakout Groups and Discussion on Cross Site Request Forgery (CSRF)
At home: Exercises on Web attacks: XSS, and CSRF (due March 16)
March 11
Watch: 3.9.4 Web Attacks: Session Management,
3.9.5 Web Attacks: Redirection
Read: -
In class: Quiz 6 (Safe Open)
Questions: Session Management and Redirect
Breakout Groups and Discussions: Internationalized Homograph Attacks
At home: Continuation of the exercises on web attacks (due March 16)
Install Android Studio and get familiar writing a basic app
March 16
Watch: Mobile modules
Read: -
In class: In the News: CURL Vulnerabilities, slides, Nisarg Shah
Discussion on Security for Mobile (Android manifests), slides
Breakout Group on Security for Mobile (Android manifests)
Exercises on Security for Mobile
At home: Exercises on Security for Mobile: XSS and Cookie Stealing (now due March 24)
March 18
Watch: -
Read: -
In class: Quiz 7 (Web)
Guest Instructor: Dr. Adam Everspaugh, Blockchain and Smart Contracts
At home: Exercises on Security for Mobile: XSS and Cookie Stealing (now due March 24)
March 23
Watch: -
Read: Secure Design Principles chapter
Reread Basic Concepts and Terminology chapter
Chapters 5 and 7 of Loren's book (optional, available on Canvas)
In class: Thinking like a designer
Discussion and Breakout Group on Threat Modeling (part 1), slides
At home: Exercise on Threat Modeling (due April 1)
Install Microsoft Threat Modeling Tool
March 25
Watch: -
Read: Threat Modeling Overview and Goals module
Threat Modeling: 12 Available Methods
Chapter 4 of Loren's book (available on Canvas)
In class: Quiz 8 (Mobile)
Continuation discussion on Thinking like a designer
Discussion and Breakout Group on Threat Modeling (part 2), slides
At home: Continuation of the Exercise on Threat Modeling (due April 1)
March 30
Watch: 5.1 Introduction to FPVA,
5.2 FPVA Step 1: Architectural Analysis (part 1),
5.3 FPVA Step 1: Architectural Analysis (part 2)
Read: Paper: "First Principles Vulnerability Assessment"
In class: In the News: VMWare Unauthorized Remote Code Execution, slides, Tarun Anand
Review of Threat Modeling, slides
FPVA Step 1 with examples
At home: Continuation of the Exercise on Threat Modeling (due April 1)
April 1
Watch: -
Read: -
In class: No class
At home: Exercise on FPVA (due April 8 (part 1))
April 6
Watch: 5.3 FPVA Step 2: Resource Identification,
5.4 FPVA Step 3: Trust and Privilege Analysis
Read: -
In class: Continuation on FPVA Steps 2 & 3
Breakout Groups and Discussion: FPVA
At home: Exercise on FPVA (due April 8 (first part))
April 8
Watch: -
Read: -
In class: Quiz 9 (Threat Modeling and Thinking Like a Designer)
Continuation on FPVA Step 4, Step 5
At home: Exercise on FPVA (due April 15 (part 2))
April 13
Watch: 6.1 How Tools Work (part 1)
Read: -
In class: In the News: Tictoc Spyware, YouTube Video, slides, Elliot Asmus
Automated Assessment Tools Fundamentals, Part 2 slides
Breakout Groups and Discussion on tools
At home: Continuation of exercise on FPVA (due April 15)
April 15
Watch: -
Read: -
In class: Quiz 10 (FPVA)
Questions about Tools Fundamentals
Automated Assessment Tools Usage: Coverity, SpotBugs
At home: Exercise on tools (due April 20)
April 20
Watch: 7.1 Introduction to Fuzz Testing
7.2.1 Classic Fuzz Testing, Section 1: Background
7.2.2 Classic Fuzz Testing, Section 2: Command Line Studies
7.2.3 Classic Fuzz Testing, Section 3: GUI-Based Studies
7.2.4 Classic Fuzz Testing, Sections 4 & 5: Other Studies and Commentary
Read: Classic fuzz paper (optional),
Relevance of Fuzz Testing (2020) (optional),
In class: Introduction to Fuzz Testing and Classic Fuzz Tools
Breakout Groups and Discussion on Fuzz Testing
At home: Exercise 1 and Exercise 2 on Fuzz Testing (due April 29)
April 22
Watch: 7.3 Fuzz Testing with AFL
Read: -
In class: Quiz 11 (Automated Assessment Tools)
Fuzz Tools and AFL
Breakout Groups and Discussion on AFL
At home: Exercise on Fuzz Testing (due April 29)
April 27
Watch: -
Read: -
In class: No class
At home: Exercise on Fuzz Testing (due April 29)
April 29
Watch: -
Read: -
In class: Quiz 12 (Fuzz Testing)
Special presentation on diagnosing malware (slides)
Background papers:
At home: -


Community Standards

Our class is a safe, supportive and accepting environment. The instructors and students are expected to demonstrate respect for others in class regardless of age, race, gender, religion, nationality or abilities.

Learning Outcomes


Credits and Hours

This course is for 3 credits.

The course is organized around the following activities:

Total of 135 hours for the 3 credits.

Disability Accommodations

The University of Wisconsin-Madison supports the right of all enrolled students to a full and equal educational opportunity. The Americans with Disabilities Act (ADA), Wisconsin State Statute (36.12), and UW-Madison policy (Faculty Document 1071) require that students with disabilities be reasonably accommodated in instruction and campus life. Reasonable accommodations for students with disabilities are a shared faculty and student responsibility. Students are expected to inform us of their need for instructional accommodations by the end of the third week of the semester, or as soon as possible after a disability has been incurred or recognized. We will work either directly with you or in coordination with the McBurney Center to identify and provide reasonable instructional accommodations. Disability information, including instructional accommodations as part of a student's educational record, is confidential and protected under FERPA.

In addition to completing an electronic Faculty Notification Letter request through McBurney Connect, it is important for students to contact us directly by the end of the third week of the semester to set up a meeting to discuss implementation of any necessary accommodations. This early communication helps ensure that accommodations can be implemented in a timely manner. For example, if an alternative exam room is needed, arrangements must be made well in advance of an exam date to ensure room availability and to secure a room booking.


Last modified: Wed May 5 12:49:46 CDT 2021