Language-Based Security VT11

TDA601/DIT101 - Språkbaserad datasäkerhet

Latest news

  • (9/5) Project presentation schedule is now available (see below).
  • (12/4) By request, we have set up lab supervision on Wed, Apr 13, 15-17, room ED2480.
  • (11/4) The student representatives for course evaluation are: Per Hallgren (per.zut AT gmail DOT com) and Henrik Engman (ehenrik AT student DOT chalmers DOT se).
  • (23/3) The Fire system for lab/project submission is online.
  • (22/3) Registration for an OWASP Gothenburg event on April 14 is now open.
  • (21/3) SkrivaPå Security Competition details announced.
  • (17/2/2011) First lecture: Mon, Mar 21, 1:15pm, EC. For the schedule of the course, please refer to the plan below (and not the TimeEdit schedule).

Why language-based security?

Traditionally, computer security has been largely enforced at the level of operating systems. However, as operating systems grow in size and complexity, it is becoming increasingly difficult to handle security there. Consequently, modern attacks often succeed in circumventing operating-system security mechanisms. Furthermore, while operating-system security policies are low-level (such as access control policies protecting particular files), many attacks are high-level, or application-level (such as email worms that bypass access controls by pretending to execute on behalf of a mailer application). The key to defending against application-level attacks is application-level security. Because applications are typically specified and implemented in programming languages, this area is generally known as language-based security. A direct benefit of language-based security is the ability to express security policies and enforcement mechanisms naturally, using the well-developed techniques of programming languages.

Who should study language-based security?

You should have previously studied a course in programming languages (and of course basic programming skills are assumed) and basics of computer security. It is an advantage if you have studied courses such as semantics of programming languages and compiler construction.

You should be interested in some of the following:

What will you learn?

The goal of this course is understanding the principles behind application-level attacks (such as Trojan horses, worms, buffer overrun attacks, exploit attacks, covert channels, and malicious code) and language-based protection mechanisms (such as static security analysis, program transformation, and stack inspection).

Instructor and TAs

Instructor: Andrei Sabelfeld, office 5476, voice 1018 (Chalmers).

Teaching assistants: Jonas Magazinius, office 5472, voice 5422, and Arnar Birgisson, office 5471, voice 5402.


Course literature

No specific book is used as a course book. The material consists of hand-outs, papers, etc. However, I warmly recommend the following book for complementary reading on the subject:

Lecture schedule and deadlines

The schedule is subject to change. Stay tuned!

Lectures are once or twice a week. Monday lectures are at EC at 1:15pm, and Thursday lectures are at EB at 10am.

Last year's lecture slides are already on the web, but changes and updates may be done before the actual lecture. If these updates are substantial then it will be indicated in the latest news section.

In order to view the slides, you need to be under the .se domain. Otherwise, let us know your domain - we will include it in the permission set.

All deadlines are firm.

Date Topic Reading
Mon, Mar 21 Introduction to language-based security. Overview of the course.
Slides: here.
McGraw and Morrisett, Attacking Malicious Code:  A Report to the Infosec Research Council, 2000.
Sect. I of Saltzer and Schroeder, Protection of Information in Computer Systems, 1975.
Thu, Mar 24 Information flow security
Slides: here.
Sabelfeld and Myers, Language-Based Information-Flow Security, 2003.
Try these information flow exercises: this and this. See below for the exercise supervision time.
Mon, Mar 28 Data races, randomness, and determinism
Slides: here.
Savage, Burrows, Nelson, Sobalvarro, and Anderson, Eraser: A Dynamic Data Race Detector for Multithreaded Programs, 1997.
Thu, Mar 31 Project proposal deadline
Mon, Apr 4 Buffer overruns; Database security; Privacy-violating information flow in web applications
Slides: here.
Aleph One, Smashing the Stack for Fun and Profit.
Claes Nyberg's slides and tutorial with exercises.
Jang et al, An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, 2010.
Thu, Apr 7 Eraser lab deadline
Mon, Apr 11 Web-application security
Jonas Magazinius' slides from 2011 here
OWASP
Thu, Apr 14 OWASP Gothenburg event, Scaniasalen, 5:30pm-8:00pm, prior signup required
Thu, Apr 14 r00tshell lab deadline
Mon, May 2 Java security, Stack inspection and access control
Certifying compilation; Typed Assembly Languages, Proof-Carrying Code; Copyright protection and code obfuscation
Slides: here.
Wallach, Felten, Understanding Java Stack Inspection, 1998.
Morrisett, Walker, Crary, Glew, From System F to Typed Assembly Language, 1999.
Thu, May 5 WepAppSec lab deadline
Mon, May 9 Design principles for security protocols
Abadi and Needham, Prudent Engineering Practice for Cryptographic Protocols, 1995.
Mon, May 16 Project presentations
Presentation time: no more than 15 minutes (strict), following the presentation guidelines. A PC and projector will be available; PowerPoint/PDF presentations can either be emailed to me in advance or brought on a USB stick. The schedule of groups (numbered as in Fire) presenting their projects (if your group is not listed below, you do not need to present the project):
20: Cookiemonster (Firesheep+)
14: OWASP Top 10, focusing on "Unvalidated Redirects and Forwards"
23: Analysis of JPEG flaws in applications
12: PDF attacks
7: Advanced PDF attacks and defenses
Thu, May 19 Project presentations continued
18: An attack analysis of Android applications
9: Constructing secure mashups using Caja
2: Tools for race detection
3: Analysis of information leakage in Java source code
15: Why you should use Gentoo Hardened: understanding the security implications behind it
Thu, May 19 Project report deadline
Fri, May 20 SkrivaPå seminar (5pm over Skype) on project presentations (contact Lukas Duczko to sign up)

Exercises

In order to get up to speed on information flow, try these information flow exercises: this and this. There will be a supervision slot for working on these exercises on Mon, Mar 28, 15-17, room 3507.

Lab assignments and project

You are expected to find a lab partner with whom you will do the assignments (laborations). If you have difficulties finding a partner, please use this facility. One-person or three-person groups are not allowed unless there is a well-justified reason and permission from the instructor.

There are three assignments ("laborations") and a project. The labs are about specific problems, whereas projects can be more open-ended (some ideas for projects are supplied below). Further information on the labs and project: as is common for advanced courses, there are only a few supervision times for the labs. The supervision takes place in room 3507 according to the following schedule:

Eraser: Monday, Apr 4, 15-17; r00tshell: Monday, Apr 11, 15-17 (extra supervision slot: April 13, 15-17, room ED2480); WebAppSec: Monday, May 2, 15-17.

Watch the latest news section for how to book a slot during office hours to discuss project proposals and projects.

If you have passed some of the labs and/or the project in previous years, there is no need to resubmit the solutions. However, you still need to submit a short text file for each passed lab/project stating when (which year) you passed it.


Cheating

Unfortunately, we sometimes detect cases of cheating in lab solutions/reports and project reports. Students are expected to be familiar with the Chalmers policy on academic integrity and honesty, which we strictly follow. Cheating includes collaboration between groups and not citing your sources.

Course requirement and examinations

To pass the course, you must pass the labs and the exam. To pass the exam, you need to present the project in class and meet the requirements for a written report/position paper that documents your project.


URL: http://www.cse.chalmers.se/edu/course/TDA601/