Secure Coding

• 26 hrs lectures
• 26 hrs projects

• 55 pts final exam (written part)
• 45 pts projects

The aim of the course is to introduce students to the basic principles of secure programming and to explain the general principles of vulnerabilities and defenses against them. To ensure that applications are correctly designed and implemented to meet security requirements, secure coding practices must be incorporated as a normal part of all phases of the software development process. A key step is to educate developers so that they know the essential basic principles of secure coding and can apply them, regardless of the environment in which they work.

Students will learn the general principles and practices of writing programs securely.

• Fred Long et al. The Oracle/CERT Secure Coding Standard for Java, Addison-Wesley, 2011. Available online at http://www.cert.org/secure-coding/
• The OWASP web application security project: https://www.owasp.org/
• Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04232020.pdf
• Michael Howard, David LeBlanc: Writing Secure Code, Microsoft Press, Second Edition, ISBN-13: 978-0735617223
• John Viega, Matt Messier: Secure Programming Cookbook for C and C++, 2003, O'Reilly Media, Inc., ISBN: 9780596003944
• Michael Howard, Steve Lipner: The Security Development Lifecycle, 2006, Microsoft Press, ISBN: 0735622140
• Ross Anderson: Security Engineering: A Guide to Building Dependable Distributed Systems, 3rd Edition, ISBN: 978-1-119-64281-7

1. Introduction, recapitulation of concepts (robust code, secure code, self-protecting code, reentrant code, intermediate code, binary code, binary code for VMs, OS role, VM role, ...).
2. Attacker targets, sandbox escape, privilege elevation, path from vulnerability to exploit, CVE.
3. Basic vulnerabilities of compiled languages - buffer overflow, strings, integer overflow.
4. Memory protection mechanisms, stack protection, return oriented programming, ASLR. Basic vulnerabilities of interpreted languages - memory handling, use after free.
5. Usable security and the impact of UX on system security. Protocol implementation security, IoT, API security.
6. Input validation, testing, fuzzing.
7. Static and dynamic analysis.
8. Standards for secure coding, OWASP, SSDF.
9. Secure random number generation.
10. Seminar - Attack on javascript and how to defend against it.
11. Seminar - Attack on Java and how to defend against it.
12. Seminar - Attack on binary executable and how to defend against it.
13. Seminar - Demonstration of interesting projects, solutions.

Individual projects solved independently by each student without any further collaboration.

Scoring of the results of the developed projects.
Interim control and evaluation of projects, final exam. In order to obtain points from the exam, the exam must be prepared in such a way that it is evaluated with more than 20 points. Otherwise, the exam will be scored 0 points.