Course Syllabus

The table below gives the planned syllabus for the course. This syllabus will be changed as needed. When it becomes necessary to revise the schedule, this page will be updated to reflect the changes.

Material describing the course and its objectives and grading policies is available elsewhere.

All course meetings are concerned with all of the course's essential learning outcomes.

| Dates | Topic(s) | Reading(s) | Assignment Due |
|---|---|---|---|
| Aug. 23 | Introduction and Course Overview | | |
| Aug. 25 | Real-world Security Bugs | | hw1 (Friday) |
| Aug. 30 | Threat Modeling | [Threat-Modeling21] [UcedaVelez21] | |
| Sep. 1 | Program Analysis (Data and Control flow Analysis) | [Nielson-Nielson-Hankin05], chapters 1-2 | |
| Sep. 6 | Symbolic Execution | [King76] | hw2 problem 1 email |
| Sep. 8 | Symbolic Execution and Concolic Testing | [Cadar-etal11] [Khurshid-Pasareanu-Visser03] | |
| Sep. 13 | Fuzzing | [Zhu-etal22] [Miller-Fredriksen-So90] | |
| Sep. 15 | Fuzzing | [Zhu-etal22] [Miller-Fredriksen-So90] | |
| Sep. 20 | Taint Analysis | [Shu-etal04] [Slowinska-Bos10] | hw2, problems 2-6 |
| Sep. 22 | Taint Analysis and Information Flow Security | [Slowinska-Bos10] [Denning-Denning77] [Sabelfeld-Myers03] | |
| Sep. 27 | Memory Attacks | [Mickens14] | |
| Sep. 29 | UCF closed for Hurricane Ian (no class) | | |
| Oct. 4 | Memory Attacks and Defenses | [Mickens14] [Liu-Criswell17] [Akritidis-etal09] [Ding-etal12] | |
| Oct. 6 | Memory Attacks and Defenses | [Mickens14] [Liu-Criswell17] [Akritidis-etal09] [Ding-etal12] | |
| Oct. 11 | Project discussions and exam review | | |
| Oct. 13 | Runtime Defenses: Reference Monitors (CFI, XFI) | [Abadi-etal05] [Erlingsson-etal06] | HW3 |
| Oct. 18 | Runtime Defenses: Reference Monitors (CFI, XFI) | [Abadi-etal05] [Erlingsson-etal06] | |
| Oct. 20 | Midterm exam | | HW4,p1 |
| Oct. 25 | Web attacks: XSS | [Howard-LeBlanc-Viega10] Ch. 2, [OWASP21] [Mozilla22] | |
| Oct. 27 | XSS defenses: CSP; Web attacks: CSRF | [Howard-LeBlanc-Viega10] Ch. 2 [Weichselbaum-etal16] | |
| Nov. 1 | Detecting XSS/SQL injection/CSRF Vulnerabilities | [Kieyzun-etal09] | HW4,p2 |
| Nov. 3 | Semantic/logic Bugs | [Wang-etal11] | |
| Nov. 8 | Discussion about Reports | [Johnson-etal93, p. 435] | |
| Nov. 10 | Classes cancelled due to tropical storm Nicole | | |
| Nov. 15 | Semantic/logic Bugs, Using Alloy to Detect Semantic/logic Bugs | [Wang-etal11] [Seater-Dennis22] [Jackson19] | |
| Nov. 17 | Using Alloy to Detect Semantic/logic Bugs | [Seater-Dennis22] [Jackson19] | |
| Nov. 22 | Discussion about projects (answering your questions), Side Channels and Detecting Side Channel Vulnerabilities | [Chen-etal10] [Chapman-Evans11] | |
| Nov. 24 | No class, Thanksgiving | | |
| Nov. 29 | Side Channels and Detecting Side Channel Vulnerabilities (finishing this topic), Answering questions, Work on Project | [Chen-etal10] [Chapman-Evans11] | |
| Dec. 1 | Summary and Review | | HW4,p3 |


Bibliography

This syllabus is largely based on Suman Jana's course COMS W4995 (Secure Software Development: Theory and Practice). I also thank UCF's Dr. David Mohaisen for discussions about the content of this course.

[Abadi-etal05]
Martín Abadi, Mihai Budiu, Úlfar Erlingsson, and Jay Ligatti. Control-flow integrity. In Proceedings of the 12th ACM conference on Computer and communications security (CCS '05). ACM, New York, NY, USA, pages 340–353, Nov. 2005. https://doi.org/10.1145/1102120.1102165
[Akritidis-etal09]
P. Akritidis, M. Costa, M. Castro, and S. Hand. Baggy bounds checking: An efficient and backwards-compatible defense against out-of-bounds errors. In Proceedings of the Eighteenth Usenix Security Symposium, August 2009. https://www.usenix.org/legacy/event/sec09/tech/full_papers/sec09_memory.pdf
[Johnson-etal93]
Ralph E. Johnson, Kent Beck, Grady Booch, William Cook, Richard Gabriel, and Rebecca Wirfs-Brock. How to get a paper accepted at OOPSLA (panel). ACM SIGPLAN Notices, 28(10):429-436, Oct. 1993. https://doi.org/10.1145/167962.165934
[Cadar-etal11]
Christian Cadar, Patrice Godefroid, Sarfraz Khurshid, Corina S. Păsăreanu, Koushik Sen, Nikolai Tillmann, and Willem Visser. "Symbolic execution for software testing in practice: preliminary assessment". In ICSE '11: Proceedings of the 33rd International Conference on Software Engineering, pp. 1066-1071, May 2011. https://doi.org/10.1145/1985793.1985995
[Cadar-Sen13]
Christian Cadar and Koushik Sen. "Symbolic execution for Software Testing: Three Decades Later". CACM, 56(2), pp. 82-90, Feb. 2013. https://doi.org/10.1145/2408776.2408795
[Chapman-Evans11]
Peter Chapman and David Evans. Automated black-box detection of side-channel vulnerabilities in web applications. In Proceedings of the 18th ACM conference on Computer and communications security (CCS '11). Association for Computing Machinery, New York, NY, USA, 263–274, 2011. https://doi.org/10.1145/2046707.2046737
[Chen-etal10]
S. Chen, R. Wang, X. Wang and K. Zhang. Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow. In 2010 IEEE Symposium on Security and Privacy, pp. 191-206. doi: 10.1109/SP.2010.20
[Denning-Denning77]
Dorothy E. Denning and Peter J. Denning. "Certification of programs for secure information flow." CACM 20(7):504-513, July 1977. https://doi.org/10.1145/359636.359712.
[Ding-etal12]
B. Ding, Y. He, Y. Wu, A. Miller and J. Criswell. Baggy Bounds with Accurate Checking. In IEEE 23rd International Symposium on Software Reliability Engineering Workshops, 2012, pages 195-200. DOI: 10.1109/ISSREW.2012.24.
[Erlingsson-etal06]
Úlfar Erlingsson, Martín Abadi, Michael Vrable, Mihai Budiu, and George C. Necula. XFI: Software guards for system address spaces. In Proceedings of the 7th symposium on Operating systems design and implementation (OSDI '06), pages 75-88, Usenix, Nov., 2006. https://www.usenix.org/legacy/event/osdi06/tech/full_papers/erlingsson/erlingsson.pdf
[Howard-LeBlanc-Viega10]
Michael Howard, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill, 2010. ISBN: 978-0-07-162676-7.
[Jackson19]
Daniel Jackson. Alloy: a language and tool for exploring software designs. Communications of the ACM 62(9):66–76. September, 2019. https://doi.org/10.1145/3338843
[King76]
James C. King. "Symbolic execution and program testing." CACM, 19(7):385-394, July, 1976. http://doi.acm.org/10.1145/360248.360252
[Khurshid-Pasareanu-Visser03]
Sarfraz Khurshid, Corina S. Păsăreanu, and Willem Visser. "Generalized Symbolic Execution for Model Checking and Testing." In H. Garavel and J. Hatcliff (eds), Tools and Algorithms for the Construction and Analysis of Systems. TACAS 2003. Lecture Notes in Computer Science, vol 2619. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36577-X_40
[Kieyzun-etal09]
Adam Kieyzun, Philip J. Guo, Karthick Jayaraman, and Michael D. Ernst. Automatic creation of SQL Injection and cross-site scripting attacks. In Proceedings of the 31st International Conference on Software Engineering (ICSE '09). IEEE Computer Society, USA, pp. 199–209, 2009. https://doi.org/10.1109/ICSE.2009.5070521
[Miller-Fredriksen-So90]
Barton P. Miller, Louis Fredriksen, and Bryan So. An empirical study of the reliability of UNIX utilities. Communications of the ACM 33(12):32–44, Dec. 1990. https://doi.org/10.1145/96267.96279
[Mozilla22]
Mozilla Developer's Network (mdn). Content Security Policy (CSP). Accessed Oct. 23, 2022. https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
[Nielson-Nielson-Hankin05]
Flemming Nielson, Hanne Riis Nielson, and Chris Hankin. Principles of Program Analysis (second corrected printing), Springer-Verlag, 2005.
[OWASP21]
OWASP. Cross Site Scripting Prevention Cheat Sheet. Accessed Oct. 23, 2022. https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
[Sabelfeld-Myers03]
A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1):5-19, Jan. 2003. https://dx.doi.org/10.1109/JSAC.2002.806121
[Sen07]
Koushik Sen, "Concolic testing". In ASE '07: Proceedings of the twenty-second IEEE/ACM international conference on Automated software engineering. Nov. 2007, pp. 571–572. https://doi.org/10.1145/1321631.1321746
[Liu-Criswell17]
Zhengyang Liu and John Criswell. Flexible and efficient memory object metadata. In Proceedings of the 2017 ACM SIGPLAN International Symposium on Memory Management (ISMM 2017). ACM, New York, NY, USA, pages 36-46, 2017. https://doi.org/10.1145/3092255
[Mickens14]
James Mickens. Lecture 2: Control Hijacking Attacks. In MIT OCW 6.858: Computer Systems Security, 2014. Accessed September 29, 2022. https://youtu.be/r4KjHEgg9Wg
[Seater-Dennis22]
Rob Seater, Greg Dennis, Daniel Le Berre, and Felix Chang. Tutorial for Alloy Analyzer 4.0. Online at https://alloytools.org/tutorials/online/, retrieved November 7, 2022.
[Shu-etal04]
G. Edward Suh, Jae W. Lee, David Zhang, and Srinivas Devadas. "Secure program execution via dynamic information flow tracking." In ASPLOS XI: Proceedings of the 11th international conference on Architectural support for programming languages and operating systems, pp. 85-96, ACM 2004. https://doi.org/10.1145/1024393.1024404
[Slowinska-Bos10]
Asia Slowinska and Herbert Bos. "Pointer tainting still pointless: (but we all see the point of tainting)". SIGOPS Oper. Syst. Rev. 44(3):88-92, July 2010. https://doi.org/10.1145/1842733.1842748
[Threat-Modeling21]
Threat Modeling Manifesto group. Threat Modeling Manifesto. Online at http://www.threatmodelingmanifesto.org/, accessed Aug. 29, 2022
[UcedaVelez21]
Tony UcedaVélez. What is PASTA Threat Modeling? https://versprite.com/blog/what-is-pasta-threat-modeling/ November 23, 2021, accessed Aug. 29, 2022.
[Wang-etal11]
Rui Wang, Shuo Chen, XiaoFeng Wang, and Shaz Qadeer. How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores. In IEEE Symposium on Security and Privacy, 2011, pp. 465-480. doi: 10.1109/SP.2011.26.
[Weichselbaum-etal16]
Lukas Weichselbaum, Michele Spagnuolo, Sebastian Lekies, and Artur Janc. CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). Association for Computing Machinery, New York, NY, USA, pp. 1376–1387. https://doi.org/10.1145/2976749.2978363
[Zhu-etal22]
Xiaogang Zhu, Sheng Wen, Seyit Camtepe, and Yang Xiang. Fuzzing: A Survey for Roadmap. ACM Computing Surveys 54(11s):Article 230, Jan. 2022. https://doi.org/10.1145/3512345


Course Content and Policies

The course's content and grading policies are described on separate web pages. See the links on the top left of this page.


Last modified Monday, November 28, 2022.

This web page is for CIS 6614 at the University of Central Florida. The details of this course are subject to change as experience dictates. You will be informed of any changes. Please direct any comments or questions to Gary T. Leavens at Leavens@ucf.edu. Some of the policies and web pages for this course are quoted or adapted from other courses I have taught, in particular, COP 4020.