UNIVERSITY OF WISCONSIN-MADISON
Computer Sciences Department
CS 542
Fall 2023
Barton Miller
CS 542: Introduction to Software Security

Important note: There will be a special class activity on Tuesday, November 7th, 8:00am-noon (an extended class session). The US Department of Homeland Security will be conducting a cyber-attack tabletop (simulation) exercise for our class. To participate and get credit, you must be checked in by 8:00am and stay for the entire event.

Course Materials

The course is organized around our video lectures, text chapters, exercises and presentation slides. The videos and text chapters can be found on our Introduction to Software Security course web page.

We will also reference interesting papers, articles, and videos related to software security and a variety of relevant web resources.

All grades will be recorded on the class Canvas page; Piazza (linked from Canvas) will be used for online Q and A.


In-class Sessions

Section 1: Tuesday/Thursday 11:00 am - 12:15 pm, B107 Van Vleck
Section 2: Tuesday/Thursday 8:00 am - 9:15 am, 2305 Engineering Hall

There will be regular in-class quizzes and learning exercises that are essential to complete.

Important note: You must attend the section in which you are registered, as there are space limitations on each classroom.


Quizzes

There will be weekly in-class quizzes during the class and no final exam. Your lowest quiz score will be dropped.

Each quiz will have questions from the readings and videos, the recently turned in homework exercise, and the in-class discussion and exercise. From past classes, we've noticed that students who attend class regularly score over a full grade higher than students who do not.

If you have questions or concerns about the grading of any of your quizzes or homework assignments, you need to contact the person who graded your work within two weeks of when the grade was released.


At Home Assignments

There will be weekly homework assignments during the course. These assignments will take the skills that you learned in the videos, text, and class, and give you a chance to practice them. Details on these assignments will be listed on the calendar below (under "At home" for a given date) and be discussed in class.

Unless otherwise noted, you can work on these assignments alone or in pairs (and just to be clear, a pair means two people).

If you have questions or concerns about the grading of any of your homework assignments, you need to contact the person who graded your work within two weeks of when the grade was released.


Late Work

Assignments listed as At home on the class schedule are due at the start of next class day.

You must get permission at the time that the work is assigned if you will not be able to make that deadline.

The last assignment will be due by noon on the Friday of the last week of class.


Extra Credit

Details of extra credit can be found on this page.

Academic Conduct Agreement

Make sure to read the class page on Academic Conduct Agreement. This is critical to your success in the class.

You must complete the online form on the class Canvas page, acknowledging that you accept this policy. Until you hand this in, no assignments will be accepted.


Illness

If you are ill, do not come to class. Contact Elisa or Bart and we will work with you to make some accommodation for the class time missed. Expect that we will ask you for a note from your doctor.

Cell Phones

Please make sure to turn off your cell phone during class time. If your cell phone or beeper rings audibly during class, you will be asked to leave and not return until you meet with us in our office.

Computer Facilities

The majority of our assignments will be completed on your personal laptop computers, running Windows, MacOS or Linux. Your computer needs to have at least 4 GB of RAM and 10-20 GB of free disk space.

In addition, you will have access to the CS Department's Linux and Windows workstations in the first floor labs for this course. All students who have registered for this class should have an account.

You will need access to a Windows machine for the Thinking Like a Designer part of the class, to use the Microsoft Threat Modeling tool. Windows machines are available in the CS 1st floor labs.


Grading and Evaluation Policy

Quizzes: 60%
At home exercises: 40%


Class Schedule

The class is comprised of in-class sessions, video lectures, accompanying text chapters, and homework. It is organized around the following activities: The videos and text chapters can be found at: http://research.cs.wisc.edu/mist/SoftwareSecurityCourse/

Starting soon
September 7
Watch: -
Read: -
In class: Course Overview
Motivating example: maritime cyber security
MITRE Top 25 CWE List
At home: Read Reflections on Trusting Trust by Ken Thompson and (optionally) UNIX Operating System Security by Fred Grampp and Robert Morris.
September 12
Watch: 1.2.1 Introduction Part 1: Basic Terminology,
1.2.2 Introduction Part 2: Threats,
1.2.3 Introduction Part 3: Risks and Basic Concepts,
1.3 Thinking Like an Attacker: Owning the Bits
Read: Basic Concepts and Terminology and Thinking like an Attacker chapters
In class: Discussion on Introductory material
Discussion on Thinking like an Attacker
Discussion on the paper by K. Thompson
At home: Watch the videos and read the articles for the exercise on Thinking Like an Attacker
Exercise on Thinking Like an Attacker (due September 19)(Pranav)
September 14
Watch: 3.2 Numeric Errors module
Read: Numeric Errors chapter
In class: Quiz 1 (Introduction and Basic Concepts, Thinking like an Attacker) (8am Caleb, 11am Shirley)
Questions on Stuxnet
Breakout groups and discussion on Numeric Errors
Exercise on Numeric Errors
Virtual machine instructions
At home: Continuation of the Exercise on Numeric Errors (due September 21) (Lei)
Set up Virtual Machine.
September 19
Watch: 3.5 Serialization
Read: Serialization chapter
In class: Discussion of Stuxnet. Thinking like an attacker/Stuxnet results.
Breakout Groups and Discussion on Serialization.
Exercise on Serialization
At home: Continuation of the Exercise on Serialization (due September 26)(Boyuan, Shirley)
September 21
Watch: 3.4 Exceptions
Read: Exceptions chapter
In class: Quiz 2 (Stuxnet, Numeric Errors) (8am Caleb, 11am Boyuan)
Discussion of Numeric Errors solution
Breakout Groups and Discussion on Exceptions
Exercise on Exceptions
At home: Continuation of Exercise on Exceptions (due September 28)(Pranav, Caleb)
September 26
Watch: -
Read: -
In class: No class (NMIOTC)
At home: -
September 28
Watch: -
Read: -
In class: No class (NMIOTC)
At home: -
October 3
Watch: 3.8 Introduction to Injection Attacks,
3.8.1 SQL Injection
modules
Read: Introduction to Injection Attacks, SQL Injection chapters
In class: Discussion on the Serialization solution.
Discussion on the Exceptions solution.
Breakout Groups and Discussion on Injection Attacks and SQL Injections
Exercise on SQL injection
At home: Continuation of Exercise on SQL injection (due October 10) (Shirley, Lei)
October 5
Watch: 3.8.2 Command injection module
Read: Command Injection attacks chapter
In class: Quiz 3 (Exceptions, Serialization) (8am Caleb, 11am Pranav)
Discussion on command injections chapter/video
Breakout Groups and Discussion on Command Injections
Exercise on Command Injections
At home: Continuation of exercise on Command Injections (due October 12) (Boyuan)
October 10
Watch: 3.8.4 XML injection
Read: XML Injections chapter
In class: Questions about command injections?
Discussion on the SQL injection solution
Breakout Groups and Discussion on XML Injections
Exercise on XML injections
At home: Continuation of exercise on XML injections (due October 24) (Pranav, Caleb)
October 12
Watch: 3.8.3 Code injections
Read: Code Injections chapter
In class: Quiz 4 (Introduction to injections, SQL injections) (8am Shirley, 11am Caleb)
Discussion on the command injection solution
Questions on XML Injection?
Breakout Groups and Discussion on Code Injections
Exercise on Command Tampering with ZAP (due October 19) (Lei)
At home: Continuation of exercise on XML injections, and exercise on Command Tampering
October 17
Watch: 3.3 Directory Traversal
Read: Directory Traversal chapter
In class: Breakout Groups and Discussion on Directory Traversal
Exercise on Directory traversal (due October 31)(Shirley, Boyuan)
At home: Continuation of exercise on Directory Traversal (due October 31)
October 19
Watch: 3.9.1 Web Attacks: Background,
3.9.2 Web Attacks: Cross Site Scripting (XSS),
3.9.3 Web Attacks: Cross Site Request Forgery (CSRF)
Read: 3.9.1 Web Attacks: Background, 3.9.2 Web Attacks: Cross Site Scripting (XSS), 3.9.3 Web Attacks: Cross Site Request Forgery (CSRF)
In class: Quiz 5 (Command injection, Code injection) (8am Caleb, 11am Pranav)
Questions on Web Attacks and Mitigations
Breakout Groups and Discussion on Cross Site Request Forgery (CSRF)
At home: Exercises on Web attacks: XSS, and CSRF (due November 9)(Caleb, Pranav)
October 24
Watch: -
Read: -
In class: No class (NFS Cybersecurity meeting)
At home: -
October 26
Watch: 3.9.4 Web Attacks: Session Management,
3.9.5 Web Attacks: Redirection
Read: 3.9.4 Web Attacks: Session Management
In class: Quiz 6 (XML injection) (8am Shirley, 11am Boyuan)
Questions: Session Management and Redirect
Review exercise on XML injections
Breakout Groups and Discussions: Session Management
At home: Continuation of the exercises on web attacks (due November 9)
October 31
Watch: -
Read: 2.1 Secure Design Principles, 2.2 Overview of Threat Modeling, 2.3 Microsoft Security Design Lifecycle and Threat Modeling Methodology, 2.4 Microsoft DREAD Categories, and 2.5 PASTA Threat Modeling Methodology chapters
In class: Thinking like a designer
Discussion and Breakout Groups on Threat Modeling
DHS Table Top Exercise role discussion
At home: Exercise on Threat Modeling (due November 14)(Shirley, Lei)
Install Microsoft Threat Modeling Tool
November 2
Watch: -
Read: -
In class: No class (Maritime Security Regimes Round Table)
At home: Continuation of the Exercise on Threat Modeling (due November 14)
November 7
Watch: -
Read: -
In class: Special Class! DHS Table Top Exercise, 8:00am - 12:00pm.
At home: Make sure to complete the DHS survey. Very important.
Continuation of the Exercise on Threat Modeling (due November 14)
November 9
Watch: -
Read: -
In class: Quiz 7 (Directory Traversal, Web attacks) (8am Shirley, 11am Boyuan)
Feedback on initial design for the Threat Modeling exercise
Breakout groups and discussion: STRIDE
MS Threat Modeling tool
At home: Continuation of the Exercise on Threat Modeling (due November 14)
November 14
Watch: 5.1 Introduction to FPVA,
5.2 FPVA Step 1: Architectural Analysis (part 1),
5.3 FPVA Step 1: Architectural Analysis (part 2)
Read: Paper: "First Principles Vulnerability Assessment"
In class: Review of the Threat Modeling exercise
FPVA Step 1: Breakout Groups and Discussion
At home: Exercise on FPVA (part 1) (due November 21)
November 16
Watch: 5.3 FPVA Step 2: Resource Identification,
5.4 FPVA Step 3: Trust and Privilege Analysis
Read: -
In class: Quiz 8 (Threat Modeling concepts, Threat Modeling, and Thinking Like a Designer) (8am Shirley, 11am Pranav)
Continuation on FPVA
At home: Exercise on FPVA (part 1) (due November 21) (Boyuan)
November 21
Watch: -
Read: -
In class: Continuation on FPVA Step 4, Step 5
At home: Exercise on FPVA (part 2) (due November 28) (Shirley)
Thanksgiving
Watch: -
Read: -
In class: -
At home: -
November 28
Watch: 6.1 How Tools Work (part 1)
Read: -
In class: Automated Assessment Tools Fundamentals
Part 1 slides, Part 2 slides
Breakout Groups and Discussion on tools
At home: Exercise on Automated Assessment Tools (due December 5)(Pranav)
November 30
Watch: 6.5.1 Dependency Analysis Tools: Conceptual Background
6.5.2 Dependency Tools: How to Use the Tools
Read: -
In class: Quiz 9 (FPVA) (8am Caleb, 11am Boyuan)
Questions about Tools Fundamentals
Active learning exercise: Snyk
At home: Exercise on Automated Assessment Tools (due December 5)
December 5
Watch: 7.1 Introduction to Fuzz Testing,
7.2.1 Classic Fuzz Testing, Section 1: Background,
7.2.2 Classic Fuzz Testing, Section 2: Command Line Studies,
7.2.3 Classic Fuzz Testing, Section 3: GUI-Based Studies,
7.2.4 Classic Fuzz Testing, Sections 4 & 5: Other Studies and Commentary
Read: Classic fuzz paper (optional),
Relevance of Fuzz Testing (2020) (optional)
In class: Introduction to Fuzz Testing and Classic Fuzz Tools
Breakout Groups and Discussion on Fuzz Testing
At home: Exercise on classic Fuzz testing (due December 12)
December 7
Watch: 7.3 Fuzz Testing with AFL
Read: -
In class: Quiz 10 (Automated assessment tools: Fundamentals & Usage, Dependency analysis tools) (8am Shirley, 11am Pranav)
Discussion on AFL
Group exercise on AFL (slides)
At home: Exercise on AFL (due December 12)
December 12
Watch: -
Read: -
In class: No class
At home: -
END OF SEMESTER


Community Standards

Our class is a safe, supportive and accepting environment. The instructors and students are expected to demonstrate respect for others in class regardless of age, race, gender, religion, nationality or abilities.

Learning Outcomes


Credits and Hours

This course is for 3 credits.

The course is organized around the following activities:

Total of 135 hours for the 3 credits.

Disability Accommodations

The University of Wisconsin-Madison supports the right of all enrolled students to a full and equal educational opportunity. The Americans with Disabilities Act (ADA), Wisconsin State Statute (36.12), and UW-Madison policy (Faculty Document 1071) require that students with disabilities be reasonably accommodated in instruction and campus life. Reasonable accommodations for students with disabilities are a shared faculty and student responsibility. Students are expected to inform us of their need for instructional accommodations by the end of the third week of the semester, or as soon as possible after a disability has been incurred or recognized. We will work either directly with you or in coordination with the McBurney Center to identify and provide reasonable instructional accommodations. Disability information, including instructional accommodations as part of a student's educational record, is confidential and protected under FERPA.

In addition to completing an electronic Faculty Notification Letter request through McBurney Connect, it is important for students to contact us directly by the end of the third week of the semester to set up a meeting to discuss implementation of any necessary accommodations. This early communication helps ensure that accommodations can be implemented in a timely manner. For example, if an alternative exam room is needed, arrangements must be made well in advance of an exam date to ensure room availability and to secure a room booking.


Last modified: Thu 07 Dec 2023 07:43:36 AM CST
