UNIVERSITY OF WISCONSIN-MADISON
Computer Sciences Department
CS 638
Summer 2018
Barton Miller
Elisa Heymann
CS 638: Secure Programming Techniques
Course Outline and Syllabus

New Stuff

Class Staff

Instructor: Barton Miller
email: bart@cs.wisc.edu
Office: 7363 CompSci
Phone: 263-3378
Office hours:
    tba
Aldo hour:
    Friday 11am-noon
Instructor: Elisa Heymann
email: elisa@cs.wisc.edu
Office: 7364 CompSci
Phone: 262-0664
Office hours:
    tba

Course Materials

The course is organized around our video lectures, text chapters, exercises and presentation slides. The videos and text chapters can be found on our (under development) Introduction to Software Security course web page.

We will also reference interesting papers related to software security and a variety of relevant web resources.


In-class Sessions

Class times: Monday/Wednesday 4pm-5:15pm
Room: 2317 Engineering

Credits and Hours

This course is for 1 credit. Note that this course forms about 1/3 of the curriculum of an upcoming Introduction to Software Security course. If you complete this CS638, you would qualify for 1 credit of the new course and not have to re-do that material when you take it.

The course is organized around the following activities:

Total of 45 hours for the 1 credit.

Quizzes

There will be five in-class quizzes during the class and no final exam.

Quiz 5: The SWAMP, Statistics. (Jun 22)
Quiz 4: Cross Site Scripting and Cross Site Request Forgeries, Statistics. (Jun 13)
Quiz 3: Command Injections, Statistics (June 7)
Quiz 2: Pointers and Strings, Numeric Errors, Directory Traversal and SQL Injections, Statistics (June 5)
Quiz 1: Exceptions and Serialization, Statistics. (May 31)


At Home Assignments

These assignments will take the skills that you learned in the videos, text, and class, and give you a chance to practice them.

Due Date: Assignment
June 18: Hand in your reports on your vulnerability research. Due at noon.
June 13: Hand in your reports on the SWAMP exercise.
June 11: Hand in printouts of the source files that you modify as part of your solution for the exercises on Cross Site Scripting and Cross Site Request Forgery.
    Bring the code you will be using for the SWAMP exercise.
June 6: Hand in printouts of the source files that you modify as part of your solution for the exercises on Basic Command Injections and WebGoat Command Injections.
June 4: Hand in printouts of the source files that you modify as part of your solution for the exercises on Buffer Overflow, Directory Traversal, Numeric Errors and SQL Injections.
May 30: Hand in printouts of the source files that you modify as part of your solution for the exercises on Exceptions and Serialization.


Late Work

Assignments listed as "At home" on the class schedule are due at the start of the next class day.

You must get permission at the time that the work is assigned if you will not be able to make that deadline.

The last assignment will be due by noon on the Friday of the last week of class.


Cell Phones

Please make sure to turn off your cell phone during class time. If your cell phone or beeper rings audibly during class, you will be asked to leave and not return until you meet with me in my office.

Computer Facilities

TBA

Grading and Evaluation Policy

Class participation: 10%
Quizzes: 60%
At home exercises: 30%

Class Schedule

The class consists of in-class sessions, video lectures, accompanying text chapters, and homework. It is organized around the activities listed below. The videos and text chapters can be found at: http://research.cs.wisc.edu/mist/SoftwareSecurityCourse/

May 21
Watch: Introduction and Thinking Like an Attacker modules.
Read: -
In class: Course Overview
    Discussion on introductory videos
    Virtual machine instructions
At home: Set up Virtual machine

May 23
Watch: Exceptions and Serialization modules
Read: Exceptions and Serialization chapters
In class: Discussion on Exceptions and Serialization
    Exercise on Exceptions
    Exercise on Serialization
At home: Exercise on Serialization (finish)

May 28
Memorial Day (no class)

May 30
2 hour class (make-up for Memorial Day)
Watch: Pointers and Strings, Numeric Errors, Introduction to Injections and SQL Injections modules
Read: Pointers and Strings, Numeric Errors, Introduction to Injections and SQL Injections chapters
In class: Quiz 1 (Exceptions and Serialization)
    Discussion on Pointers and Strings, Numeric Errors, Intro to Injections and SQL Injections
    Exercise on Buffer Overflow
    Presentation on Directory Traversal
    Exercise on Directory Traversal (start)
At home: Exercise on Directory Traversal (finish)
    Exercise on Numeric Errors
    Exercise on SQL Injections

June 4
Watch: XML Injections module
Read: XML Injections chapter
In class: Quiz 2 (Pointers and Strings, Numeric Errors, Directory Traversal and SQL Injections)
    Discussion on XML Injections
    Presentation on Command Injections
    Introduction to WebGoat
At home: Basic exercise on Command Injections
    WebGoat exercise on Command Injections

June 6
Watch: -
Read: Paper: How to Open a File and Not Get Hacked
In class: Quiz 3 (Command Injections)
    Presentation on Web Attacks: XSS
    Presentation on Web Attacks: CSRF
    Discussion on "How to Open a File and Not Get Hacked"
At home: Exercise on XSS and CSRF

June 11
Watch: Using Tools in The SWAMP module
Read: -
In class: Quiz 4 (XSS, CSRF)
    Discussion on how to use the SWAMP
    Presentation on Automated Assessment Tools
    Exercise on the SWAMP (start)
At home: Exercise on the SWAMP (finish)

June 13 (Guest lecture: Jim Kupsch)
Watch: -
Read: Paper on First Principles Vulnerability Assessment
In class: Quiz 5 (SWAMP and assessment tools)
    Discuss problems found in your code by the SWAMP
    Presentation on FPVA
At home: Researching a vulnerability

Learning Outcomes


Last modified: Fri Jun 22 10:34:24 CDT 2018 by bart