TU Delft
2016/2017 Electrical Engineering, Mathematics and Computer Science Master Computer Science
Dynamic and Static Program Analysis for Software Security
Responsible Instructor
Name E-mail
Dr. S.T. Erdweg    S.T.Erdweg@tudelft.nl
Prof.dr. E. Visser    E.Visser@tudelft.nl
Contact Hours / Week x/x/x/x
0/4/0/0 lecture + lab
Education Period
Start Education
Exam Period
Course Language
Course Contents
Security vulnerabilities often arise due to programming errors in the source code of an application. Recent programming errors with severe security implications include Heartbleed (buffer over-read), Shellshock (code injection), and goto-fail (ill-formatted code). Programming languages can help developers to prevent programming errors like these by defining coding principles and detecting violations of those principles, for example, through dynamic or static code analysis. Such language-based countermeasures to security vulnerabilities relieve software developers of part of the burden of ensuring software security. But how should one select and apply language-based countermeasures?

This course studies the nature of security vulnerabilities in software systems and state-of-the-art language-based countermeasures to security vulnerabilities. In particular, we will investigate and compare the trade-offs of the following countermeasures:

- Language design: Prevent a security vulnerability from occurring in the first place.
- Dynamic analysis: Monitor a running application to detect security violations.
- Static analysis: Inspect the source code of the application in order to detect security vulnerabilities.
- Verification: Inspect the source code of the application in order to guarantee the absence of security vulnerabilities.

We will also apply these countermeasures in hands-on lab assignments.

- Software security vulnerabilities: buffer overruns, cross-site scripting, code injection, exposing information flow
- Language-design countermeasures: code style, feature exclusion, high-level abstractions, domain-specific languages
- Dynamic-analysis countermeasures: monitoring, runtime instrumentation
- Static-analysis countermeasures: type systems, data-flow analysis
- Verification countermeasures: lightweight verification via static analysis, model checking
Study Goals
The student will acquire:

- Understanding of the nature of security vulnerabilities in software systems.
- Understanding of different language-based countermeasures to security vulnerabilities and their respective trade-offs.
- Ability to compare programming languages based on the countermeasures to security vulnerabilities they provide.
Education Method
Lectures + lab assignments + reading assignments
Homework assignments and oral or written exam
Programming concepts
Programming Software
Software Engineering