CSC 495 — Topics and Schedule
Since this is the first time we have offered a class like this, the schedule and list of topics will be pretty dynamic. Topics will be modified as needed, based at least partially on student interests, and the pace will be adjusted to match how quickly students are mastering the material.
Initial Topics
-
Tuesday, January 13: Class Introduction and Motivation
-
Thursday, January 15: Responsible disclosure, ethics, and class target application selection
-
Tuesday, January 20: Class cancelled
-
Thursday, January 22: Vulnerabilities and Defense in Depth; Security Overview; and Vulnerability Markets
-
Tuesday, January 27:
-
Finish discussion of vulnerability markets
-
Start on systems review - compiling C and using gdb to examine resulting code
-
-
Thursday, January 29:
-
User-level memory issues: process memory layout, byte ordering, alignment
-
System-level memory issues: Virtual memory vs. physical memory, page tables
-
Kernel control over memory maps and inter-process memory protection
-
-
Tuesday, February 3:
-
The 15-minute "2-minute history of Unix"
-
Process properties: looking at memory maps, users, priorities, and more
-
Assembly language: basic review, and AT&T vs Intel
-
Using gdb and the disassembler to reverse engineer a program (tracing our helloworld program, and solving a level from the Leviathan wargame)
-
-
Thursday, February 5:
-
C for Java Programmers: Comparison to Java, compilation toolchain (preprocessor, etc.), data types (primitive and defined), primitive type sizes
-
-
Tuesday, February 10:
-
Tutorial on basic Unix/Linux use: role of PuTTY, the shell, working directories, basic commands, filesystem (relative vs absolute paths), …
-
Unix file permissions - user/group/other, and setuid programs
-
Assignment 1 tips and discussion - problem 3
-
Basics of network communication: TCP/IP, ports, and use of netcat
-
Assignment 1 tips and discussion - problem 4 (demo of solution!)
-
-
Thursday, February 12:
-
C for Java programmers (code samples on
cmpunixin/home/srtate/code)-
parameter passing and calling conventions (stack frames, automatic vs static variables, parameters and return values) - look at assembly language produced by the C compiler!
-
passing arrays - pointers and blocks of memory
-
-
Buffer overflow basics and stack smashing
-
-
Tuesday, February 17: Snow Day
-
Thursday, February 19:
-
Finish up "C for Java programmers"
-
pointers and pointer arithmetic (incl. casting pointers)
-
user-defined data types: struct and
typedef -
memory management - malloc() and free()
-
process creation and termination - fork and exec
-
-
Overview of the CWE/SANS Top 25 Most Dangerous Software Errors
-
Quick look at CWE-120 (Classic Buffer Overflow)
-
-
Tuesday, February 24: Snow Day
-
See Assignment 2 distributed online
-
Note: Video tutorials available in blackboard on exploring code for format string vulnerabilities - very help for doing this assignment!
-
-
-
Thursday, February 26: Snowpocalypse Day — see video lectures in Blackboard
-
Buffer Overflow (Top 25 #3 - CWE-120)
-
Real world examples include recent GHOST vulnerability (CVE-2015-0235) and CVE 2014-9328 vulnerability in ClamAV
-
-
Incorrect Calculation of Buffer Size (Top 25 #20 - CWE-131)
-
Use of Potentially Dangerous Functions (Top 25 #18 - CWE-676)
-
Integer Overflow or Wraparound (Top 25 #24 - CWE-190)
-
Uncontrolled Format String (Top 25 #23 - CWE-134)
-
-
Reading: Code spelunking and how to read code
-
George V. Neville-Neil, Code Spelunking: Exploring Cavernous Code Bases, Queue, Vol. 1, No. 6, Sept. 2003, pp. 42-48.
-
George V. Neville-Neil, Code Spelunking Redux, Queue, Vol. 6, No. 7, Jan. 2009, pp. 26-33.
-
-
Tuesday, March 3: Mid-term Exam Discussion and Review
-
If additional time: Practice with code exploration and manual searching for control hijacking vulnerabilities
-
-
Thursday, March 5: Mid-Term Exam
-
March 9-13: Spring Break
-
Tuesday, March 17:
-
Discussion of mid-term and assignments 1 and 2
-
High-level look at research in computer security (publishing standards, main conferences, etc.) and assignment of StackGuard paper as reading
-
-
Thursday, March 19: Protection Mechanisms and Tools for Memory/Buffer Vulnerabilities
-
Dynamic Protection Mechanisms (including StackGuard, ASLR, and non-executable stacks)
-
-
Tuesday, March 24:
-
Static Analysis: Fundamental Limitations and Existing Tools
-
-
Thursday, March 26:
-
Finish static analysis tool demo
-
Start overview of web application development
-
-
Tuesday, March 31:
-
Basic web application model - client, server, communication
-
Web threat model
-
HTTP
-
Using browser developer tools
-
-
Thursday, April 2:
-
Crypto: symmetric vs public key
-
Content: rendering, documents, and the DOM
-
Cookies and intro to same-origin policy
-
-
Tuesday, April 7:
-
Same-origin policy
-
Server side technologies: static HTML and server-side includes
-
-
Thursday, April 9:
-
Server side technologies: CGI scripts, PHP, and databases
-
-
Tuesday, April 14:
-
Thursday, April 16:
-
Continuing injection vulnerabilities
-
More detail and examples on SQL Injection
-
OS Command Injection (Top 25 #2 - CWE-78)
-
-
Using OWASP WebGoat, DVWA, and Natas to learn more about web application vulnerabilities
-
-
Tuesday, April 21:
-
Final SQL/Command Injection topics
-
Protection using prepared statements (example on
cmpunix) -
A look at a real SQL Injection vulnerability in deployed code
-
Command injection - basic idea and look at CWE
-
-
JavaScript/Browser exploitation issues
-
-
Thursday, April 23:
-
Secure design principles
-
Reading: Chapter 13 ("Design Principles") in Computer Security: Art and Science by Matt Bishop (chapter available as a "sample chapter" on that web page
-
More detail on Least Privilege
-
-
Basic info for Final Exam
-
Class evaluation
-
-
Tuesday, April 28: No class meeting, but Assignment 4 due
-
Thursday, April 30: Final Exam (3:30-6:30)