Foundations of Software Security
USF CIS 6930, Spring 2013


Schedule (filled in as the semester progresses)

Dates | Topics | Reading
01/07 | Introduction and definitions | Class notes
01/09 | Security definitions and models | Sections 1-2, Section 3.0 to Theorem 3.1, Section 3.2 to Theorem 3.3, and Section 4 of Run-time Enforcement of Nonsafety Policies
01/14 | Definitions and models | Modeling Runtime Enforcement with Mandatory Results Automata (manuscript handed out in class)
01/16 | Stack inspection; policy-specification languages | IRM Enforcement of Java Stack Inspection
01/23 | Policy-specification languages | A Location-based Policy-specification Language for Mobile Devices (local version here)
01/28 | Mobile-device security | Android Permissions Demystified
01/30 | Vulnerability trends; Buffer overflows | (1) 2011 CWE/SANS Top 25 Most Dangerous Software Errors (2) StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks (Please just turn in a summary of the second paper.)
02/04 | Code injections | Defining Code-injection Attacks
02/06 | XSS | Defeating Script Injection Attacks with Browser-Enforced Embedded Policies
02/11 | Web vulnerabilities | Scriptless Attacks - Stealing the Pie Without Touching the Sill
02/13 | Side channels; Social networks | Deanonymizing Mobility Traces: Using Social Networks as a Side-Channel
02/18 | Security usability | (1) On the Challenges in Usable Security Lab Studies: Lessons Learned from Replicating a Study on SSL Warnings (2) Android Permissions: User Attention, Comprehension, and Behavior (Please just turn in a summary of the second paper.)
02/20 | Security usability | How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation
02/25 | Search-engine tricks | SURF: Detecting and Measuring Search Poisoning
02/27 | Game security | OpenConflict: Preventing Real Time Map Hacks in Online Games
03/04 | Student presentations | (Project-proposal presentations)
03/06 | Student presentations | (Project-proposal presentations)
03/18 | Privacy | I Still Know What You Visited Last Summer: Leaking browsing history via user interaction and side channel attacks
03/20 | Cryptographic protocols | Programming Satan's Computer
03/25 | Control-flow integrity | Control-Flow Integrity: Principles, Implementations, and Applications
03/27 | Noninterference and information flow | Principles of Secure Information Flow Analysis
04/01 | DRM | Lessons from the Sony CD DRM Episode
04/03 | Temperature (hot) attacks | Using Memory Errors to Attack a Virtual Machine
04/08 | Temperature (cold) attacks | Lest We Remember: Cold Boot Attacks on Encryption Keys
04/10 | Backdoors | Reflections on Trusting Trust
04/15 | Student presentations | (Final project presentations)
04/17 | Student presentations | (Final project presentations)
04/22 | Student presentations | (Final project presentations)
04/24 | Student presentations | (Final project presentations)