DAKOTA STATE UNIVERSITY

COLLEGE OF BUSINESS AND INFORMATION SYSTEMS

 

INFA-719-D01 Software Security, Fall 2005

 

Instructor:    Dr. Xinwen Fu
Office:        Room 6, East Hall
Phone:         256-7341
E-Mail:        Xinwen.Fu@dsu.edu
Homepage:      http://www.homepages.dsu.edu/fux/
Office Hours:  Mon. Tue. Wed. Thu. 3:00PM ~ 5:30PM

 

Course:     Software Security
Credits:    3.00
Duration:   08/30/2005-12/20/2005
Time:       Tuesday, Thursday; 08:00AM - 09:15AM
Location:   Technology Center Building, Room 111

 

NOTICE: Please follow the rules and laws.

 

If you are not sure about legal issues, please never try tricks you learn in this class on any other people’s machines. I will confine all the attacks that I demonstrate to the test bed that I own. Any attacking traffic I generate for demo purposes never leaks into other people’s machines, including MY tabletpc in TCB 111, let alone the Internet.

 

We also emphasize countermeasures against those attacks in class. But I change the order that common educators follow in teaching security. We study attacks first and then countermeasures, because I believe that it is the good way to learn security.

 

If you find any violation of laws and rules in our class, please report it to me ASAP. I hate to say this: if you apply attacks to other people’s machines and the police find you, I will not be responsible for it. This class is for securing systems by studying attacks, not for applying attacks against people.

 

 

COURSE DESCRIPTION

Addresses design and implementation techniques for assuring the security of software applications, concentrating on developing software that is difficult for intruders to exploit. Emphasizes the security ramifications of class, field, and method visibility, sending data between components of a distributed program, data integrity, as well as configuring the security policy for distributed program components.

 

COURSE PREREQUISITES:

Prerequisites

CSC-509 System & Security Programming

 

Technology Skills

1.      C and Assembly languages

2.      Windows, Unix and Linux operating systems (Redhat)

3.      Linux software installation

4.      Knowledge of networks

5.      Creative thinking

 

DESCRIPTION OF INSTRUCTIONAL METHODS

Class Preparation

·      The course web site is located within WebCT (http://webct.dsu.edu/).

·      Announcements, questions and answers, etc. will be available through WebCT.

·      Lecturing is based on the textbook with learning materials provided.

·      Security techniques are practiced in lab.

·      Discussions and questions/answers take place through WebCT, which should be checked approximately once every 48 hours.

·      A Chat room is also likely to be used from time to time.

·      You will be expected to be prepared for class, and you must complete the assignments by the due dates.

Class Videos

Videos of each class will be posted on the course WebCT site under Videos. Videos may be viewed using Windows Media Player.

 

COURSE REQUIREMENTS

Textbooks

·      Ryan Russell (Editor), Dan Kaminsky, Rain Forest Puppy, Joe Grand, K2, David Ahmad, Hal Flynn, Ido Dubrawsky, Steve W. Manzuik, Ryan Permeh, Hack Proofing Your Network (Second Edition), ISBN: 1928994709

o        Textbooks may be purchased at the bookstore or electronically through: http://www.amazon.com or some other bookseller

·      On line sources from the publisher: http://www.syngress.com/solutions/

 

Supplementary Materials

1.      Greg Hoglund, Gary McGraw, Exploiting Software : How to Break Code (Paperback), ISBN: 0201786958

2.      Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan "noir" Eren, Neel Mehta, Riley Hassell The Shellcoder's Handbook : Discovering and Exploiting Security Holes, ISBN: 0201786958

3.      David A. Wheeler, Secure Programming for Linux and Unix HOWTO, http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/

 

Class Attendance Policy

Students are expected to attend and participate in class. Attendance may be verified by quizzes delivered through WebCT or in class. There will be no make-up opportunities for missed quizzes.

 

Cheating and Plagiarism Policy

All forms of academic dishonesty will result in an F for the course and notification of the Academic Dishonesty Committee.  Academic dishonesty includes (but is not limited to) plagiarism, copying answers or work done by another student (either on an exam or assignment), allowing another student to copy from you, and using unauthorized materials during an exam.

 

Make-up Exams

·      Make-up exams will only be given in case of serious need and only when the instructor is notified prior to the exam time. If this is not done, the grade is automatically zero for that exam/quiz.

·      Written verification for the student’s inability to take an exam will be required.

·      The make-up exams will be different from those given to the class.

 

University Deadlines

Add/Drop Deadline: September 8 is the last day to add a full semester class and the last day to drop a full semester class and receive a 100% refund.

Withdraw Deadline: Nov. 15 is the last day to withdraw from a full semester course or school and receive a grade of “W”.

 

COURSE GOALS

Upon completion of this course, students should be able to:

1.      Do vulnerability analysis of software, i.e., how to hack software

A.    Master basic classes of attacks

B.     Be familiar with the widely used buffer and heap overflow attacks

2.      Understand the basic principle of how to avoid being hacked

A.    Understand the basic laws of software security

B.     Master the basic methodology of software security

3.      Write formal technical papers such as conference/journal articles

 

EVALUATION PROCEDURES

Components of Course Grade:

Assignments (5)         20%
Midterm                 20%
Final Exam              20%
Project/Presentation    40%

 

Grade Scale

85 ~ 100%          A
70 ~ 84.5%         B
60 ~ 69.5%         C
59.5% and below    F

 

Homework Assignments

·      All assignments are to be turned in on or before the due date and time. If you try and cannot turn in an assignment electronically because the campus network is down, you will not be penalized.

·      An assignment turned in up to 24 hours late will be reduced by 10% of the assignment’s worth; more than 24 hours late, it will be reduced by 100%.

·      The due date and time for each assignment will be specified on assignment postings.

·      All assignments are expected to be individually and independently completed. Should two or more students turn in substantially the same solution or program, in the judgment of the instructor, the assignment will be given a grade of zero. A second such incident will result in an F grade for the course.

·      All assignments are to be turned in through WebCT.

 

Exams

·      Exams and quizzes will be based on textbooks, web sites, and assignments.

·      All exams and quizzes are open book, but timed.

·      The tentative exam format will be true/false, multiple choice, fill-in-the-blanks, programs, and/or short essays.

 

Projects

·      Each member of this class is required to join a team of 4-5 persons. A team must have a team leader coordinating the communication with members and the instructor.

·      Each team must be formed within 2 weeks from the semester start and the team leader will report the list of members to the instructor once the team is formed.

·      Team work is encouraged since all members of a team will receive the same score based on the entire team’s performance for team projects.

·      Some of the projects will be performed within a closed laboratory.

 

EARLY ALERT STATEMENT

Academic Success Support

As your professor, I am personally committed to supporting YOUR academic success in this course.  For that reason, if you demonstrate any academic performance or behavioral problems which may impede your success, I will personally discuss and attempt to resolve the issue with you.  If the situation persists, I will forward my concern to the Student Development Office and your academic advisor to seek their support and assistance in the matter.  My goal is to make your learning experience in this course as meaningful and successful as possible.

 

Americans with Disabilities Act (ADA) Statement

If there is any student in this class who, due to a disability, has need for non-standard note-taking, test taking, or other course accommodations, please contact Dakota State University’s ADA coordinator, Keith Bundy, in the Science Development Office located in the Trojan Center Underground or at 256-5121, as soon as possible. Accommodations cannot be given until they have been applied for and the need confirmed. The Dakota State University ADA web site contains information and forms for students requesting an accommodation:  http://www.departments.dsu.edu/disability_services.

 

WIRELESS MOBILE COMPUTING INITIATIVE (WMCI) STATEMENT

The tablet PC will be used as a supplementary instructional device.  This technology will be valuable in the classroom and you are strongly encouraged to bring a wireless computing device to class to achieve the full educational benefit of in-class assignments.

 

LINKS TO OTHER SOURCES OF INFORMATION:

 

Graduate Catalog:  http://www.departments.dsu.edu/registrar/catalog/

 

Library:  http://www.departments.dsu.edu/library/

 

Computer Services Support: http://support.dsu.edu/

 

Student Handbook: http://www.departments.dsu.edu/student_services/handbook/

 

DEWT Student Guide: http://www.departments.dsu.edu/disted/studentguide/guide.htm

 

Semester Calendar: http://www.departments.dsu.edu/registrar/catalog/schedule/

 

 

 

 

TENTATIVE CLASS SCHEDULE

The schedule may be adjusted based on the actual progress in the semester.

 

Index | Date    | Content                                                                  | Reading Assignment | Homework Assignment  | Project Assignment
------|---------|--------------------------------------------------------------------------|--------------------|----------------------|-------------------------
1     | Aug. 30 | Introduction of the class                                                |                    |                      |
2     | Sep. 1  | Introduction of security and software security; Chapter 1 How to Hack   | Chapter 2          |                      |
3     | Sep. 6  | Chapter 2 The Laws of Security                                           |                    |                      | Project 1, due on Oct. 6
4     | Sep. 8  |                                                                          | Chapter 3          |                      |
5     | Sep. 13 | Chapter 3 Classes of Attack                                              |                    |                      |
6     | Sep. 15 |                                                                          | Chapter 4          | HW1, due on Sep. 27  |
7     | Sep. 20 | Chapter 4 Methodology                                                    |                    |                      |
8     | Sep. 22 |                                                                          | Chapter 5          |                      |
9     | Sep. 27 | Chapter 5 Diffing                                                        |                    |                      |
10    | Sep. 29 |                                                                          | Chapter 6          |                      |
11    | Oct. 4  | Chapter 6 Cryptography                                                   |                    |                      |
12    | Oct. 6  |                                                                          | Chapter 8          |                      |
13    | Oct. 11 | Chapter 8 Buffer Overflow: buffer overflow, heap overflow, related techniques |                |                      |
14    | Oct. 13 |                                                                          |                    |                      |
15    | Oct. 18 | Review                                                                   |                    |                      |
16    | Oct. 20 | Midterm                                                                  |                    |                      |
17    | Oct. 25 |                                                                          |                    |                      |
18    | Oct. 27 |                                                                          |                    |                      |
19    | Nov. 1  |                                                                          |                    |                      |
20    | Nov. 3  |                                                                          |                    |                      |
21    | Nov. 8  | Chapter 9 Format Strings                                                 |                    |                      |
22    | Nov. 10 |                                                                          | Chapter 7          |                      |
23    | Nov. 15 | Chapter 7 Unexpected Input                                               |                    |                      |
24    | Nov. 17 |                                                                          | Chapter 15         |                      |
25    | Nov. 22 | Chapter 15 Viruses, Trojan Horses, and Worms                             |                    |                      |
      | Nov. 24 | Thanksgiving                                                             |                    |                      |
26    | Nov. 29 | Presentation                                                             |                    |                      |
27    | Dec. 1  | Presentation/Review for final                                            |                    |                      |
      | Dec. 6  |                                                                          |                    |                      |
      | Dec. 8  |                                                                          |                    |                      |
      | Dec. 13 | Final Exam (8:00AM ~ 10:00AM)                                            |                    |                      |