Final grades are now posted on Blackboard.
Please use Blackboard to check your grades.
Dates | Topics | Reading |
---|---|---|
01/07 | Introduction and definitions | Class notes |
01/09 | Security definitions and models | Sections 1-2, Section 3.0 to Theorem 3.1, Section 3.2 to Theorem 3.3, and Section 4 of Run-time Enforcement of Nonsafety Policies |
01/14 | Definitions and models | Modeling Runtime Enforcement with Mandatory Results Automata (manuscript handed out in class) |
01/16 | Stack inspection; policy-specification languages | IRM Enforcement of Java Stack Inspection |
01/23 | Policy-specification languages | A Location-based Policy-specification Language for Mobile Devices (local version here) |
01/28 | Mobile-device security | Android Permissions Demystified |
01/30 | Vulnerability trends; Buffer overflows | (1) 2011 CWE/SANS Top 25 Most Dangerous Software Errors (2) StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks (Please just turn in a summary of the second paper.) |
02/04 | Code injections | Defining Code-injection Attacks |
02/06 | XSS | Defeating Script Injection Attacks with Browser-Enforced Embedded Policies |
02/11 | Web vulnerabilities | Scriptless Attacks - Stealing the Pie Without Touching the Sill |
02/13 | Side channels; Social networks | Deanonymizing Mobility Traces: Using Social Networks as a Side-Channel |
02/18 | Security usability | (1) On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings (2) Android Permissions: User Attention, Comprehension, and Behavior (Please just turn in a summary of the second paper.) |
02/20 | Security usability | How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation |
02/25 | Search-engine tricks | SURF: Detecting and Measuring Search Poisoning |
02/27 | Game security | OpenConflict: Preventing Real Time Map Hacks in Online Games |
03/04 | Student presentations | (Project-proposal presentations) |
03/06 | Student presentations | (Project-proposal presentations) |
03/18 | Privacy | I Still Know What You Visited Last Summer: Leaking browsing history via user interaction and side channel attacks |
03/20 | Cryptographic protocols | Programming Satan's Computer |
03/25 | Control-flow integrity | Control-Flow Integrity: Principles, Implementations, and Applications |
03/27 | Noninterference and information flow | Principles of Secure Information Flow Analysis |
04/01 | DRM | Lessons from the Sony CD DRM Episode |
04/03 | Temperature (hot) attacks | Using Memory Errors to Attack a Virtual Machine |
04/08 | Temperature (cold) attacks | Lest We Remember: Cold Boot Attacks on Encryption Keys |
04/10 | Backdoors | Reflections on Trusting Trust |
04/15 | Student presentations | (Final project presentations) |
04/17 | Student presentations | (Final project presentations) |
04/22 | Student presentations | (Final project presentations) |
04/24 | Student presentations | (Final project presentations) |