Final grades are posted in Canvas.
Please use Canvas to check your grades.
Dates | Topics | Reading |
---|---|---|
01/06 | Introduction | Class notes |
01/08 | Enforceability theory | Sections 1-2 of Enforceable Security Policies |
01/13 | Enforceability theory | Enforceable Security Policies (all) |
01/15 | Enforceability theory | Sections 1-2 of Run-time Enforcement of Nonsafety Policies |
01/20 | Enforceability theory | Run-time Enforcement of Nonsafety Policies (all, but please don't worry about the details; as always, read to get the main ideas) |
01/22 | Enforceability theory | Sections 1-3 of Modeling Runtime Enforcement with Mandatory Results Automata |
01/27 | Enforceability theory | Modeling Runtime Enforcement with Mandatory Results Automata (all) |
01/29 | Stack inspection; Policy specification | IRM Enforcement of Java Stack Inspection |
02/03 | Policy specification and composition | Sections 1-3 of Composing Expressive Run-time Security Policies |
02/05 | Policy visualization | (reading handed out in class) |
02/10 | Location-based policies and mobile-device security | (1) A Location-based Policy-specification Language for Mobile Devices (article is accessible from the USF campus network); (2) Optional: the classic New Directions in Cryptography, which we've been discussing in class |
02/12 | Firewall policies; Packet classification | A Packet-classification Algorithm for Arbitrary Bitmask Rules, with Automatic Time-space Tradeoffs |
02/17 | Vulnerability trends; Buffer overflows | (1) Please look over, and try to get the high-level information from: 2011 CWE/SANS Top 25 Most Dangerous Software Errors; (2) then please study StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks |
02/19 | Code-injection attacks: XSS and HTML5 | Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation |
02/24 | Code-injection attacks | Sections 1-4 of Defining Code-injection Attacks |
02/26 | Noncode-injection attacks | Defining Injection Attacks |
03/10 | Student presentations | (Project-proposal presentations) |
03/12 | Student presentations | (Project-proposal presentations) |
03/17 | Web security | Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections |
03/19 | Web security | Characterizing Large-Scale Click Fraud in ZeroAccess |
03/24 | Control-flow integrity | Sections 1-5 of Control-Flow Integrity: Principles, Implementations, and Applications |
03/26 | Control-flow integrity | Out Of Control: Overcoming Control-Flow Integrity |
03/31 | Cryptographic protocols | Programming Satan's Computer |
04/02 | Information flow | Principles of Secure Information Flow Analysis |
04/07 | DRM | Lessons from the Sony CD DRM Episode |
04/09 | Temperature (hot) attacks | Using Memory Errors to Attack a Virtual Machine |
04/14 | Temperature (cold) attacks | Lest We Remember: Cold Boot Attacks on Encryption Keys |
04/16 | Trustworthiness | Reflections on Trusting Trust (Alternate link) |
04/21 | Student presentations | (Final project presentations) |
04/23 | Student presentations | (Final project presentations) |