Responsible Instructor |
|
Contact Hours / Week x/x/x/x |
0/4/0/0 lecture + lab
|
Education Period |
|
Start Education |
|
Exam Period |
|
Course Language |
|
Course Contents |
Motivation: Security vulnerabilities often arise due to programming errors in the source code of an application. Recent programming errors with severe security implications include Heartbleed (buffer over-read), Shellshock (code injection), and goto-fail (ill-formatted code). Programming languages can help developers prevent programming errors like these by defining coding principles and detecting violations of those principles, for example, through dynamic or static code analysis. Such language-based countermeasures to security vulnerabilities relieve software developers of part of the burden of ensuring software security. But how should one select and apply language-based countermeasures?
Synopsis: This course studies the nature of security vulnerabilities in software systems and state-of-the-art language-based countermeasures to security vulnerabilities. In particular, we will investigate and compare the trade-offs of the following countermeasures:
- Language design: Prevent a security vulnerability from occurring in the first place.
- Dynamic analysis: Monitor a running application to detect security violations.
- Static analysis: Inspect the source code of the application in order to detect security vulnerabilities.
- Verification: Inspect the source code of the application in order to guarantee the absence of security vulnerabilities.
We will also apply these countermeasures in hands-on lab assignments.
Topics:
- Software security vulnerabilities: buffer overruns, cross-site scripting, code injection, exposing information flow
- Language-design countermeasures: code style, feature exclusion, high-level abstractions, domain-specific languages
- Dynamic-analysis countermeasures: monitoring, runtime instrumentation
- Static-analysis countermeasures: type systems, data-flow analysis
- Verification countermeasures: lightweight verification via static analysis, model checking
|
Study Goals |
The student will acquire:
- Understanding of the nature of security vulnerabilities in software systems.
- Understanding of different language-based countermeasures to security vulnerabilities and their respective trade-offs.
- Ability to compare programming languages based on the countermeasures to security vulnerabilities they provide.
|
Education Method |
Lectures + lab assignments + reading assignments
|
Assessment |
Homework assignments and oral or written exam
|
Tags |
Programming
|
Programming concepts
|
Programming Software
|
Software
|
Software Engineering
|
|