Final grades are posted in Canvas.
Please use Canvas to check your grades.
Dates | Topics | Reading |
---|---|---|
01/06 | Introduction and definitions | |
01/08 | Runtime monitoring and policy-specification languages | The first 16 pages of Composing Expressive Run-time Security Policies |
01/13 | Security definitions and models | The first 10 pages of Run-time Enforcement of Nonsafety Policies |
01/15 | Security definitions and models | Everything through Theorem 1 (on p.9), plus Section 8, in Modeling Runtime Enforcement with Mandatory Results Automata |
01/22 | Policy-specification languages and mobile-device security | A Location-based Policy-specification Language for Mobile Devices (article is accessible from the USF campus network) |
01/27 | Vulnerability rankings | (1) 2011 CWE/SANS Top 25 Most Dangerous Software Errors; (2) OWASP Top 10 2013 Project. Please do not worry about memorizing the details of these lists! Please just focus on the high-level results. |
01/29 | Buffer overflows | StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks |
02/03 | Code injections | Sections 1-4 of Defining Code-injection Attacks |
02/05 | XSS | Sections 1-3 of Defeating Script Injection Attacks with Browser-Enforced Embedded Policies |
02/10 | Privacy | I Still Know What You Visited Last Summer |
02/12 | Game security | Sections I to VI of OpenConflict: Preventing Real Time Map Hacks in Online Games |
02/17 | Security usability | On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings |
02/19 | App permissions | Android Permissions: User Attention, Comprehension, and Behavior |
02/24 | Passwords | Measuring password guessability for an entire university |
02/26 | Firewall policies and enforcement | A Packet-classification Algorithm for Arbitrary Bitmask Rules, with Automatic Time-space Tradeoffs |
03/03 | Student presentations | (Project-proposal presentations) |
03/05 | Student presentations | (Project-proposal presentations) |
03/17 | Tracking | AccelPrint: Imperfections of Accelerometers Make Smartphones Trackable |
03/19 | Side channels | Screenmilker: How to Milk Your Android Screen for Secrets |
03/24 | Noninterference and information flow | Principles of Secure Information Flow Analysis |
03/26 | Control-flow Integrity | Sections 1-5 of Control-Flow Integrity: Principles, Implementations, and Applications |
03/31 | DRM | Lessons from the Sony CD DRM Episode |
04/02 | Temperature (hot) attacks | Using Memory Errors to Attack a Virtual Machine |
04/07 | Temperature (cold) attacks | Lest We Remember: Cold Boot Attacks on Encryption Keys |
04/09 | Trustworthiness and backdoors | Reflections on Trusting Trust |
04/14 | Student presentations | (Final project presentations) |
04/16 | Student presentations | (Final project presentations) |
04/21 | Student presentations | (Final project presentations) |
04/23 | Student presentations | (Final project presentations) |