Foundations of Software Security
USF CIS 6930, Spring 2012
Announcements
Final grades are now posted on Blackboard.
Course materials
Syllabus
Grades
Please use Blackboard to check your grades.
Schedule (filled in as the semester progresses)
Dates | Topics | Reading
01/09 | Introduction and definitions | Class notes
01/11 | Security definitions and models | Sections 1-2, Section 3.0 to Theorem 3.1, Section 3.2 to Theorem 3.3, and Section 4 of "Run-time Enforcement of Nonsafety Policies"
01/18 | Definitions and models | A Theory of Runtime Enforcement, with Results
01/23 | Stack inspection; policy-specification languages | IRM Enforcement of Java Stack Inspection
01/30 | Vulnerability trends; buffer overflows | (1) 2011 CWE/SANS Top 25 Most Dangerous Software Errors; (2) StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
02/01 | Code injections | Defining Code-injection Attacks
02/06 | XSS | Defeating Script Injection Attacks with Browser-Enforced Embedded Policies
02/08 | Usability | (1) Using Data Type Based Security Alert Dialogs to Raise Online Security Awareness; (2) On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings (Please only turn in a summary for the first of these two papers.)
02/13 | Web-commerce security | How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores
02/15 | Game security | OpenConflict: Preventing Real Time Map Hacks in Online Games
02/20 | Search-engine tricks | SURF: Detecting and Measuring Search Poisoning
02/22 | Search-engine tricks | Cloak and Dagger: Dynamics of Web Search Cloaking
02/27 | Mobile security | Mobile Security Catching Up? Revealing the Nuts and Bolts of the Security of Mobile Devices
02/29 | Mobile security | Android Permissions Demystified
03/05 | Student presentations | (Project-proposal presentations)
03/07 | Student presentations | (Project-proposal presentations)
03/19 | Privacy | I Still Know What You Visited Last Summer: Leaking Browsing History via User Interaction and Side Channel Attacks
03/21 | GPS spoofing | On the Requirements for Successful GPS Spoofing Attacks
03/26 | Noninterference and information flow | Principles of Secure Information Flow Analysis
03/28 | Cryptographic protocols | Programming Satan's Computer
04/02 | Control-flow integrity | Control-Flow Integrity: Principles, Implementations, and Applications
04/04 | Non-control-data attacks | Modular Protections against Non-control Data Attacks
04/09 | Temperature (physical) attacks | (1) Using Memory Errors to Attack a Virtual Machine; (2) Lest We Remember: Cold Boot Attacks on Encryption Keys (Please choose either of these two papers to summarize.)
04/11 | Backdoors | Reflections on Trusting Trust
04/16 | Student presentations | (Final project presentations)
04/18 | Student presentations | (Final project presentations)
04/23 | Student presentations | (Final project presentations)
04/25 | Student presentations | (Final project presentations)