COLLEGE OF BUSINESS AND INFORMATION SYSTEMS
INFA-719 Software Security, Fall 2006

Instructor: Dr. Xinwen Fu
Office: 302D, East Hall
Phone: 256-5820
E-Mail: Xinwen.Fu@dsu.edu
Homepage: http://www.homepages.dsu.edu/fux/
Office Hours: Tue. Wed. Thu. Fri. 3:45PM ~ 5:45PM
Course: Software Security
Credits: 3.00
Duration: 08/28/06 - 12/15/06
Time: Tuesday, Thursday; 02:30PM - 03:45PM
Location:
NOTICE: Please follow the rules and laws of the IA lab and DSU. If you are not sure about legal issues, please never try tricks you learn in this class on any other people’s machines, or even on your own laptop, based on DSU policies. If you find any violation of laws and rules in our class, please report it to me ASAP. If you apply attacks to other people’s machines and the police find you, I will not be responsible for it. This class is for securing systems, not attacking people.
COURSE DESCRIPTION
Addresses design and implementation techniques for assuring the security of software applications, concentrating on developing software that is difficult for intruders to exploit. Emphasizes the security ramifications of class, field, and method visibility, sending data between components of a distributed program, data integrity, as well as configuring the security policy for distributed program components.
COURSE PREREQUISITES:
Prerequisites
CSC-509 System & Security Programming
Technology Skills
1. C and Assembly languages
2. Windows, Unix and Linux operating systems (Redhat)
3. Linux software installation
4. Knowledge of networks
5. Creative thoughts
DESCRIPTION OF INSTRUCTIONAL METHODS
Class Preparation
· The course web site is located within WebCT (http://webct.dsu.edu/).
· Announcements, questions and answers, etc. will be available through WebCT.
· Lecturing is based on the textbook with learning materials provided.
· Security techniques are practiced in lab.
· Discussions and questions/answers take place through WebCT, which should be checked approximately once every 48 hours.
· A chat room is also likely to be used from time to time.
· You will be expected to be prepared for class, and you must complete the assignments by the due dates.
Class Videos
Videos of each class will be posted on the course WebCT site under Videos. Videos may be viewed using Windows Media Player.
COURSE REQUIREMENTS
Textbooks
· Ryan Russell (Editor), Dan Kaminsky, Rain Forest Puppy, Joe Grand, K2, David Ahmad, Hal Flynn, Ido Dubrawsky, Steve W. Manzuik, Ryan Permeh, Hack Proofing Your Network (Second Edition), ISBN: 1928994709
  o Textbooks may be purchased at the bookstore or electronically through http://www.amazon.com or some other bookseller.
· Online sources from the publisher: http://www.syngress.com/solutions/
Supplementary Materials
1. Greg Hoglund, Gary McGraw, Exploiting Software: How to Break Code (Paperback), ISBN: 0201786958
2. Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan "noir" Eren, Neel Mehta, Riley Hassell, The Shellcoder's Handbook: Discovering and Exploiting Security Holes, ISBN: 0201786958
3. David A. Wheeler, Secure Programming for Linux and Unix HOWTO, http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/
Class Attendance Policy
Students are expected to attend and participate in class. Attendance may
be verified by quizzes delivered through WebCT or in class. There will be no
make-up opportunities for missed quizzes.
Cheating and Plagiarism Policy
All forms of academic dishonesty will result in an F for the course and notification of the Academic Dishonesty Committee. Academic dishonesty includes (but is not limited to) plagiarism, copying answers or work done by another student (either on an exam or assignment), allowing another student to copy from you, and using unauthorized materials during an exam.
Make-up Exams
· Make-up exams will only be given in case of serious need and only when the instructor is notified prior to the exam time. If this is not done, the grade is automatically zero for that exam/quiz.
· Written verification of the student’s inability to take an exam will be required.
· The make-up exams will be different from those given to the class.
University Deadlines
Sept. 1 (Fri): Last day to drop a first half semester class and receive 100% refund
Sept. 7 (Thu): Last day to add/drop a full semester class and receive 100% refund
Oct. 4 (Wed): Last day to withdraw from a first half semester class and receive a grade of “W”
Oct. 27 (Fri): Last day to drop a second half semester class and receive 100% refund
Nov. 13 (Mon): Last day to withdraw from a full semester course or school and receive a grade of “W”
Nov. 30 (Thu): Last day to withdraw from a second half semester class and receive a grade of “W”
COURSE GOALS
Upon completion of this course, students should be able to:
1. Do vulnerability analysis of software, i.e., how to hack software
   A. Master basic classes of attacks
   B. Be familiar with the widely used buffer and heap overflow attacks
2. Understand the basic principle of how to avoid being hacked
   A. Understand the basic laws of software security
   B. Master the basic methodology of software security
3. Write formal technical papers such as conference/journal articles
EVALUATION PROCEDURES
Components of Course Grade:
Assignments (5) | 20
Midterm | 20
Final Exam | 20
Project/Presentation | 40
Grade Scale
90 ~ 100 | A
75 ~ 89.9 | B
60 ~ 74.9 | C
59.9 and below | F
Homework Assignments
· All assignments are to be turned in on or before the due date and time. If you try and cannot turn in an assignment electronically because the campus network is down, you will not be penalized.
· An assignment turned in up to 24 hours late will be reduced by 10% of the assignment’s worth; more than 24 hours late will be reduced 100%.
· The due date and time for each assignment will be specified on assignment postings.
· All assignments are expected to be individually and independently completed. Should two or more students turn in substantially the same solution or program, in the judgment of the instructor, the assignment will be given a grade of zero. A second such incident will result in an F grade for the course.
· All assignments are to be turned in through WebCT.
Exams
· Exams and quizzes will be based on textbooks, web sites, and assignments.
· All exams and quizzes are open book, but timed.
· The tentative exam format will be true/false, multiple choice, fill-in-the-blanks, programs, and/or short essays.
Projects
· Each member of this class is required to join a team of 4-5 persons. A team must have a team leader coordinating the communication with members and the instructor.
· Each team must be formed within 2 weeks from the semester start, and the team leader will report the list of members to the instructor once the team is formed.
· Team work is encouraged, since all members of a team will receive the same score based on the entire team’s performance for team projects.
· Some of the projects will be performed within a closed laboratory.
EARLY ALERT STATEMENT
Academic Success Support
As your professor, I am personally committed to supporting YOUR academic success in this course. For that reason, if you demonstrate any academic performance or behavioral problems which may impede your success, I will personally discuss and attempt to resolve the issue with you. If the situation persists, I will forward my concern to the Student Development Office and your academic advisor to seek their support and assistance in the matter. My goal is to make your learning experience in this course as meaningful and successful as possible.
Americans with Disabilities Act (
If you have a documented disability and/or anticipate needing accommodations (e.g., non-standard note taking, test modifications) in this course, please arrange to meet with the instructor. Also, please contact
WIRELESS
The tablet PC will be used as a supplementary instructional device. This technology will be valuable in the classroom and you are strongly encouraged to bring a wireless computing device to class to achieve the full educational benefit of in-class assignments.
LINKS TO OTHER SOURCES OF INFORMATION:
Graduate Catalog: http://www.departments.dsu.edu/registrar/catalog/
Library: http://www.departments.dsu.edu/library/
Computer Services Support: http://support.dsu.edu/
Student Handbook: http://www.departments.dsu.edu/student_services/handbook/
DEWT Student Guide: http://www.departments.dsu.edu/disted/studentguide/guide.htm
Semester Calendar: http://www.departments.dsu.edu/registrar/catalog/schedule/
TENTATIVE CLASS SCHEDULE
The schedule may be adjusted based on the actual progress in the semester.

Date | Content | Reading Assignment | Homework Assignment
Aug. 29 | Introduction of the class | |
Aug. 31 | Introduction to C Language - Analysis of backdoor | Supplementary Materials |
Sep. 5 | | |
Sep. 7 | | |
Sep. 12 | Introduction to Socket Programming by C | Supplementary Materials |
Sep. 14 | | |
Sep. 19 | Introduction to Assembly language | Supplementary Materials |
Sep. 21 | Introduction of security and software security | Chapter 1 |
Sep. 26 | The Laws of Security | Chapter 2 |
Sep. 28 | | |
Oct. 3 | Classes of Attack | Chapter 3 |
Oct. 5 | | |
Oct. 10 | Methodology | Chapter 4 |
Oct. 17 | | |
Oct. 19 | Diffing | Chapter 5 |
Oct. 24 | | |
Oct. 26 | Reverse Engineering and Anti-reverse Engineering | Supplementary Materials |
Oct. 31 | | |
Nov. 2 | Cryptography | Chapter 6 |
Nov. 7 | | |
Nov. 9 | Assessment day (no class) | |
Nov. 14 | Format String Attacks | Chapter 9 |
Nov. 16 | | |
Nov. 21 | | |
Nov. 23 | Thanksgiving Day (no class) | |
Nov. 28 | Buffer overflow | Chapter 8 |
Nov. 30 | | |
Dec. 5 | | |
Dec. 7 | TBD | |
Dec. 12 | Final Exam | 3:10PM – 5:10PM |