We will also reference interesting papers, articles, and videos related to software security and
a variety of relevant web resources.
There will be regular in-class quizzes and learning exercises that are essential to complete.
Each quiz will have questions from the readings and videos, the recently turned in homework exercise, and the in-class discussion and exercise.
From past classes, we've noticed that students who attend class regularly score over a full grade higher than students who do not.
If you have questions or concerns about the grading of any of your quizzes or homework assignments,
you need to contact the person who graded your work within
two weeks of when the grade was released.
Unless otherwise noted, you can work on these assignments alone or in pairs (and just to be clear,
a pair means two people).
If you have questions or concerns about the grading of any of your homework assignments,
you need to contact the person who graded your work within
two weeks of when the grade was released.
You must get permission at the time that the work is assigned if you will not be
able to make that deadline.
The last assignment will be due by noon on the Friday of the last week of class.
In addition, you
will have access to the CS Department's Linux and Windows workstations in the first
floor labs for this course.
All students who have registered for this class should have an account.

September 14
  Watch: 3.2 Numeric Errors module
  Read: Numeric Errors chapter
  In class:
    Quiz 1 (Introduction and Basic Concepts, Thinking like an Attacker) (8am Caleb, 11am Shirley)
    Questions on Stuxnet
    Breakout groups and discussion on Numeric Errors
    Exercise on Numeric Errors
    Virtual machine instructions
  At home:
    Continuation of the Exercise on Numeric Errors (due September 21) (Lei)
    Set up Virtual Machine.

September 19
  Watch: 3.5 Serialization
  Read: Serialization chapter
  In class:
    Discussion of Stuxnet. Thinking like an attacker/Stuxnet results.
    Breakout Groups and Discussion on Serialization.
    Exercise on Serialization
  At home: Continuation of the Exercise on Serialization (due September 26) (Boyuan, Shirley)

September 21
  Watch: 3.4 Exceptions
  Read: Exceptions chapter
  In class:
    Quiz 2 (Stuxnet, Numeric Errors) (8am Caleb, 11am Boyuan)
    Discussion of Numeric Errors solution
    Breakout Groups and Discussion on Exceptions
    Exercise on Exceptions
  At home: Continuation of Exercise on Exceptions (due September 28) (Pranav, Caleb)

September 26
  Watch: -
  Read: -
  In class: No class (NMIOTC)
  At home: -

September 28
  Watch: -
  Read: -
  In class: No class (NMIOTC)
  At home: -

October 3
  Watch: 3.8 Introduction to Injection Attacks, 3.8.1 SQL Injection modules
  Read: Introduction to Injection Attacks, SQL Injection chapters
  In class:
    Discussion on the Serialization solution.
    Discussion on the Exceptions solution.
    Breakout Groups and Discussion on Injection Attacks and SQL Injections
    Exercise on SQL injection
  At home: Continuation of Exercise on SQL injection (due October 10) (Shirley, Lei)

October 5
  Watch: 3.8.2 Command injection module
  Read: Command Injection attacks chapter
  In class:
    Quiz 3 (Exceptions, Serialization) (8am Caleb, 11am Pranav)
    Discussion on command injections chapter/video
    Breakout Groups and Discussion on Command Injections
    Exercise on Command Injections
  At home: Continuation of exercise on Command Injections (due October 12) (Boyuan)

October 10
  Watch: 3.8.4 XML injection
  Read: XML Injections chapter
  In class:
    Questions about command injections?
    Discussion on the SQL injection solution
    Breakout Groups and Discussion on XML Injections
    Exercise on XML injections
  At home: Continuation of exercise on XML injections (due October 24) (Pranav, Caleb)

October 12
  Watch: 3.8.3 Code injections
  Read: Code Injections chapter
  In class:
    Quiz 4 (Introduction to injections, SQL injections) (8am Shirley, 11am Caleb)
    Discussion on the command injection solution
    Questions on XML Injection?
    Breakout Groups and Discussion on Code Injections
    Exercise on Command Tampering with ZAP (due October 19) (Lei)
  At home: Continuation of exercise on XML injections, and exercise on Command Tampering

October 17
  Watch: 3.3 Directory Traversal
  Read: Directory Traversal chapter
  In class:
    Breakout Groups and Discussion on Directory Traversal
    Exercise on Directory traversal (due October 31) (Shirley, Boyuan)
  At home: Continuation of exercise on Directory Traversal (due October 31)

October 19
  Watch:
    3.9.1 Web Attacks: Background
    3.9.2 Web Attacks: Cross Site Scripting (XSS)
    3.9.3 Web Attacks: Cross Site Request Forgery (CSRF)
  Read:
    3.9.1 Web Attacks: Background
    3.9.2 Web Attacks: Cross Site Scripting (XSS)
    3.9.3 Web Attacks: Cross Site Request Forgery (CSRF)
  In class:
    Quiz 5 (Command injection, Code injection) (8am Caleb, 11am Pranav)
    Questions on Web Attacks and Mitigations
    Breakout Groups and Discussion on Cross Site Request Forgery (CSRF)
  At home: Exercises on Web attacks: XSS, and CSRF (due November 9) (Caleb, Pranav)

October 24
  Watch: -
  Read: -
  In class: No class (NFS Cybersecurity meeting)
  At home: -

October 26
  Watch: 3.9.4 Web Attacks: Session Management, 3.9.5 Web Attacks: Redirection
  Read: 3.9.4 Web Attacks: Session Management
  In class:
    Quiz 6 (XML injection) (8am Shirley, 11am Boyuan)
    Questions: Session Management and Redirect
    Review exercise on XML injections
    Breakout Groups and Discussions: Session Management
  At home: Continuation of the exercises on web attacks (due November 9)

October 31
  Watch: -
  Read: 2.1 Secure Design Principles, 2.2 Overview of Threat Modeling, 2.3 Microsoft Security Design Lifecycle and Threat Modeling Methodology, 2.4 Microsoft DREAD Categories, and 2.5 PASTA Threat Modeling Methodology chapters
  In class:
    Thinking like a designer
    Discussion and Breakout Groups on Threat Modeling
    DHS Table Top Exercise role discussion
  At home:
    Exercise on Threat Modeling (due November 14) (Shirley, Lei)
    Install Microsoft Threat Modeling Tool

November 2
  Watch: -
  Read: -
  In class: No class (Maritime Security Regimes Round Table)
  At home: Continuation of the Exercise on Threat Modeling (due November 14)

November 7
  Watch: -
  Read: -
  In class: Special Class! DHS Table Top Exercise, 8:00am - 12:00pm.
  At home:
    Make sure to complete the DHS survey. Very important.
    Continuation of the Exercise on Threat Modeling (due November 14)

November 9
  Watch: -
  Read: -
  In class:
    Quiz 7 (Directory Traversal, Web attacks) (8am Shirley, 11am Boyuan)
    Feedback on initial design for the Threat Modeling exercise
    Breakout groups and discussion: STRIDE
    MS Threat Modeling tool
  At home: Continuation of the Exercise on Threat Modeling (due November 14)

November 14
  Watch:
    5.1 Introduction to FPVA
    5.2 FPVA Step 1: Architectural Analysis (part 1)
    5.3 FPVA Step 1: Architectural Analysis (part 2)
  Read: Paper: "First Principles Vulnerability Assessment"
  In class:
    Review of the Threat Modeling exercise
    FPVA Step 1: Breakout Groups and Discussion
  At home: Exercise on FPVA (part 1) (due November 21)

November 16
  Watch:
    5.3 FPVA Step 2: Resource Identification
    5.4 FPVA Step 3: Trust and Privilege Analysis
  Read: -
  In class:
    Quiz 8 (Threat Modeling concepts, Threat Modeling, and Thinking Like a Designer) (8am Shirley, 11am Pranav)
    Continuation on FPVA
  At home: Exercise on FPVA (part 1) (due November 21) (Boyuan)

Thanksgiving
  Watch: -
  Read: -
  In class: -
  At home: -

November 30
  Watch:
    6.5.1 Dependency Analysis Tools: Conceptual Background
    6.5.2 Dependency Tools: How to Use the Tools
  Read: -
  In class:
    Quiz 9 (FPVA) (8am Caleb, 11am Boyuan)
    Questions about Tools Fundamentals
    Active learning exercise: Snyk
  At home: Exercise on Automated Assessment Tools (due December 5)

December 5
  Watch:
    7.1 Introduction to Fuzz Testing
    7.2.1 Classic Fuzz Testing, Section 1: Background
    7.2.2 Classic Fuzz Testing, Section 2: Command Line Studies
    7.2.3 Classic Fuzz Testing, Section 3: GUI-Based Studies
    7.2.4 Classic Fuzz Testing, Sections 4 & 5: Other Studies and Commentary
  Read:
    Classic fuzz paper (optional)
    Relevance of Fuzz Testing (2020) (optional)
  In class:
    Introduction to Fuzz Testing and Classic Fuzz Tools
    Breakout Groups and Discussion on Fuzz Testing
  At home: Exercise on classic Fuzz testing (due December 12)

December 7
  Watch: 7.3 Fuzz Testing with AFL
  Read: -
  In class:
    Quiz 10 (Automated assessment tools: Fundamentals & Usage, Dependency analysis tools) (8am Shirley, 11am Pranav)
    Discussion on AFL
    Group exercise on AFL (slides)
  At home: Exercise on AFL (due December 12)

December 12
  Watch: -
  Read: -
  In class: No class
  At home: -

In addition to completing an electronic Faculty Notification Letter request
through McBurney Connect, it is important for students to contact
us directly by the end of the third week of the semester to set up a meeting
to discuss implementation of any necessary accommodations.
This early communication helps ensure that accommodations can be
implemented in a timely manner.
For example, if an alternative exam room is needed, arrangements must be
made well in advance of an exam date to ensure room availability and to
secure a room booking.