Final grades are posted.
Please use Canvas to check your grades.
| Dates | Topics | Reading |
|---|---|---|
| 01/07 | Introduction | Class notes |
| 01/09 | Enforceability theory | Sections 1-2 of Enforceable Security Policies |
| 01/14 | Enforceability theory | Enforceable Security Policies (all) |
| 01/16 | Enforceability theory | Sections 1-3 of Modeling Runtime Enforcement with Mandatory Results Automata |
| 01/23 | Enforceability theory | Sections 1-5 and 8 of Modeling Runtime Enforcement with Mandatory Results Automata |
| 01/28 | Enforceability theory | A Theory of Gray Security Policies |
| 01/30 | Policy specification and composition | Sections 1-3 of Composing Expressive Run-time Security Policies (article is accessible from the USF campus network) |
| 02/04 | Policy visualization | (reading handed out in class) |
| 02/06 | Location-based policies and mobile-device security | A Location-based Policy-specification Language for Mobile Devices (article is accessible from the USF campus network) |
| 02/11 | User authentication | Sections 1-3 of Coauthentication |
| 02/13 | User authentication | Coauthentication (the whole paper) |
| 02/18 | Firewall policies; Packet classification | A Packet-classification Algorithm for Arbitrary Bitmask Rules, with Automatic Time-space Tradeoffs |
| 02/20 | Vulnerability categories and trends | Skim for the high-level picture (categories and trends, not every entry): 2011 CWE/SANS Top 25 Most Dangerous Software Errors and OWASP Top 10 - 2017 |
| 02/25 | Buffer overflows; StackGuard | StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks |
| 02/27 | Code-injection attacks: XSS and HTML5 | Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation |
| 03/04 | Code-injection attacks | Sections 1-4 of Defining Code-injection Attacks |
| 03/06 | Non-code-injection attacks | Defining Injection Attacks |
| 03/18 | Student presentations | (Project-proposal presentations) |
| 03/20 | Information flow; Noninterference | Principles of Secure Information Flow Analysis |
| 03/25 | Security usability | On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings |
| 03/27 | (no class) | (extra time to study the next paper) |
| 04/01 | Control-flow integrity | Sections 1-5 of Control-Flow Integrity: Principles, Implementations, and Applications |
| 04/03 | Control-flow integrity; ROP | Losing Control: On the Effectiveness of Control-Flow Integrity under Stack Attacks (article is accessible from the USF campus network) |
| 04/08 | Temperature (hot) attacks | Using Memory Errors to Attack a Virtual Machine |
| 04/10 | Temperature (cold) attacks | Lest We Remember: Cold Boot Attacks on Encryption Keys |
| 04/15 | DRM | Lessons from the Sony CD DRM Episode |
| 04/17 | SQL-Identifier Injection Attacks | SQL-Identifier Injection Attacks |
| 04/22 | Trustworthiness | Reflections on Trusting Trust |
| 04/24 | Student presentations | (Final presentations) |