CSCE 489: Special Topics in Software Security

Note: Dates and topics are approximate and subject to change.

Date Topics Reading
Week 1
08/28 Introduction and Course Overview
Cancelled due to flooding
Syllabus
08/30 Foundational concepts in security SSBSI 1
09/01 System Design J.H. Saltzer, D.P. Reed and D.D. Clark. End to end arguments in system design
Week 2
09/04 Principles of Secure Design 1 Saltzer and Kaashoek. Principles of Computer System Design, Chapter 11.1.4
09/06 Principles of Secure Design 2
Class Activity: Hack Me
US-CERT Build Security In Design Principles
09/08 System Design Ross Anderson. Why Cryptosystems Fail
Week 3
09/11 A Risk Management Framework SSBSI 2
09/13 Input Validation and Data Sanitization DS 10, 1, 2
09/15 Student Presentations Software Penetration Testing
Dissecting Android Malware: Characterization and Evolution
Cross-platform, secure message delivery for mobile devices
Week 4
09/18 Overruns and Overflows DS 5,6,7
Smashing the Stack for Fun and Profit
Beyond Stack Smashing
09/20 Exceptions and Error Handling DS 9, 11
09/22 Student Presentations A Green Software Development Life Cycle for Cloud Computing
Agile Development of Secure Web Applications
Week 5
09/25 Leakage DS 12,16,17
09/27 Race Conditions DS 13
Race Condition Vulnerability Lecture
[optional] Dirty COW Vulnerability
09/29 Student Presentations Software Engineering for Security: a Roadmap
Design and implementation of cloud security defense system with software defined networking technologies
Week 6
10/02 A Taxonomy of Coding Errors SSBSI 12
10/04 Common Bugs and Flaws OWASP Top 10
CWE/SANS Top 25
Avoiding the Top 10 Software Security Design Flaws
10/06 Student Presentations Penetration Testing for Web Services
Source Code Patterns of SQL Injection Vulnerabilities
DynSec: On-the-fly Code Rewriting and Repair
Week 7
10/09 Software Security Touchpoints SSBSI 3
10/11 Code Review I: Peer Best Kept Secrets of Peer Code Review
10/13 Student Presentations Loophole: Timing Attacks on Shared Event Loops in Chrome
Research of evaluation methods for software security
AEG: Automatic Exploit Generation
Week 8
10/16 Code Review II: Static Analysis SSBSI 4
10/18 Code Review III: Dynamic Analysis All You Ever Wanted to Know About Dynamic Taint Analysis and Forward Symbolic Execution (but might have been afraid to ask)
10/20 Project Workday
Week 9
10/23 Architectural Risk Analysis SSBSI 5
10/25 Penetration Testing I SSBSI 6
10/27 Project Workday
Week 10
10/30 Penetration Testing II
11/01 Fuzzing SAGE: Whitebox Fuzzing for Security Testing
11/03 Project Workday
Week 11
11/06 Risk-Based Security Testing SSBSI 7
11/08 Cryptographic Sins DS 19, 20, 21
11/10 Project Workday
Week 12
11/13 Abuse Cases SSBSI 8
11/15 Networking Sins DS 22, 23, 24
11/17 Project Workday
Week 13
11/20 Security Requirements and Operations SSBSI 9
11/22 Reading Day: No Class Alice's Restaurant
11/24 Thanksgiving Break: No Class SMBC #2425
Week 14
11/27 DEF CON 25 - Lee Holmes - Get $pwnd: Attacking Battle Hardened Windows Server
11/29
12/01 Student Presentations Limits of static analysis for malware detection
Practicality of Accelerometer Side Channels on Smartphones
Your botnet is my botnet: analysis of a botnet takeover
Week 15
12/04 Student Presentations StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
Venerable Variadic Vulnerabilities Vanquished
OAuth Demystified for Mobile Application Developers
12/06 Student Presentations DeepXplore: Automated Whitebox Testing of Deep Learning Systems
Why Silent Updates Boost Security
Protection Poker: The New Software Security "Game"
12/08 No Class The Final Countdown
Week 16
12/12 Student Presentations
Final Exam: 8:00am - 10:00am
The Use of Security Tactics in Open Source Software Projects
A qualitative analysis of software security patterns
What Cannot Be Read, Cannot Be Leveraged? Revisiting Assumptions of JIT-ROP Defenses