Foundations of Software Security
USF CIS 6930, Spring 2015


Schedule (filled in as the semester progresses)

Date    Topic
        Reading

01/06   Introduction
        Reading: Class notes
01/08   Enforceability theory
        Reading: Sections 1-2 of Enforceable Security Policies
01/13   Enforceability theory
        Reading: Enforceable Security Policies (all)
01/15   Enforceability theory
        Reading: Sections 1-2 of Run-time Enforcement of Nonsafety Policies
01/20   Enforceability theory
        Reading: Run-time Enforcement of Nonsafety Policies (all, but please don't worry about the details; as always, read to get the main ideas)
01/22   Enforceability theory
        Reading: Sections 1-3 of Modeling Runtime Enforcement with Mandatory Results Automata
01/27   Enforceability theory
        Reading: Modeling Runtime Enforcement with Mandatory Results Automata (all)
01/29   Stack inspection; Policy specification
        Reading: IRM Enforcement of Java Stack Inspection
02/03   Policy specification and composition
        Reading: Sections 1-3 of Composing Expressive Run-time Security Policies
02/05   Policy visualization
        Reading: (reading handed out in class)
02/10   Location-based policies and mobile-device security
        Reading: (1) A Location-based Policy-specification Language for Mobile Devices (article is accessible from the USF campus network); (2) Optional: the classic New Directions in Cryptography, which we've been discussing in class
02/12   Firewall policies; Packet classification
        Reading: A Packet-classification Algorithm for Arbitrary Bitmask Rules, with Automatic Time-space Tradeoffs
02/17   Vulnerability trends; Buffer overflows
        Reading: (1) Please look over, and try to get the high-level information from: 2011 CWE/SANS Top 25 Most Dangerous Software Errors; (2) then please study StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks
02/19   Code-injection attacks: XSS and HTML5
        Reading: Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation
02/24   Code-injection attacks
        Reading: Sections 1-4 of Defining Code-injection Attacks
02/26   Non-code-injection attacks
        Reading: Defining Injection Attacks
03/10   Student presentations (Project-proposal presentations)
03/12   Student presentations (Project-proposal presentations)
03/17   Web security
        Reading: Hunting the Red Fox Online: Understanding and Detection of Mass Redirect-Script Injections
03/19   Web security
        Reading: Characterizing Large-Scale Click Fraud in ZeroAccess
03/24   Control-flow integrity
        Reading: Sections 1-5 of Control-Flow Integrity: Principles, Implementations, and Applications
03/26   Control-flow integrity
        Reading: Out Of Control: Overcoming Control-Flow Integrity
03/31   Cryptographic protocols
        Reading: Programming Satan's Computer
04/02   Information flow
        Reading: Principles of Secure Information Flow Analysis
04/07   DRM
        Reading: Lessons from the Sony CD DRM Episode
04/09   Temperature (hot) attacks
        Reading: Using Memory Errors to Attack a Virtual Machine
04/14   Temperature (cold) attacks
        Reading: Lest We Remember: Cold Boot Attacks on Encryption Keys
04/16   Trustworthiness
        Reading: Reflections on Trusting Trust
04/21   Student presentations (Final project presentations)
04/23   Student presentations (Final project presentations)