Latest news
- (7/5) Project presentation schedule is now available (see below). Note that the presentation time is 8 minutes + 2 minutes for questions. If you are group X then your opponent group is 38-X. Two exceptions are groups 25 and 26 who oppose each other.
- (7/5) Notes from the course evaluation meeting with student representatives are now available.
- (29/4) Due to popular demand, we're organizing an extra lab supervision session for lab 2 - on Thursday (April 30) at 10am at the usual room (3507).
While we're at lab 2, note the last deliverable: "Modern systems have ways to mitigate these problems. Enumerate them and discuss them." Due to a copy-and-paste error, there was apparently a point of time when this deliverable was not listed among the requirements, but we put it back already on Tuesday morning. - (7/4) Registration for the OWASP Gothenburg event on Defender Economics and Malware Defense on Apr 16 is open. First come, first served!
- (31/3) Invited Lecture by Benjamin Pierce, University of Pennsylvania, announced: Micro-Policies: Formally Verified, Tag-Based Security Monitors, Wednesday, May 6, 1:15pm, ED.
- (31/3) Office hours to consult on project proposals announced: 1:15pm-3pm, Wed, May 13.
- (29/3) The lab submission system is online now.
- (26/3) Office hours to consult on project proposals announced: 1:15pm-3pm, Wed, Apr 1.
- (26/3) The student representatives for course evaluation are:
MPALG daniea AT student.chalmers.se DANIEL ANDERSSON MPALG petre AT student.chalmers.se PETRE MIHAIL ANTON MPALG mjohn AT student.chalmers.se JOHN MARTINSSON MPCSN nyangira AT student.chalmers.se FAUSTINE NYANGIRA MPSOF radway AT student.chalmers.se ALEXANDER RADWAY
- (23/3) For the labs and the project, you need to work in groups of two. There will be an opportunity for group matching at the break of the first lecture. If you have difficulties finding a partner, please use the discussion group.
- (23/3) Course discussion group is up and running. Discussion of general questions, labs, and projects is welcome. Helping each other to find answers is encouraged, but of course without giving away solutions.
- (23/3) For GU students: you need to register on the date of the course start at GU's course portal.
- (17/2/2015) First lecture: Mon, Mar 23, 10am, EF. For the schedule of the course, please refer to the plan below (and not the TimeEdit schedule).
Security specialization
This course is a part of the Chalmers and GU Security Specialization, a package of four courses in computer security.Why language-based security?
Traditionally, computer security has been largely enforced at the level of operating systems. However, operating-system security policies are low-level (such as access control policies, protecting particular files), while many attacks are high-level, or application-level (such as email worms that pass by access controls pretending to be executed on behalf of a mailer application). The key to defending against application-level attacks is application-level security. Because applications are typically specified and implemented in programming languages, this area is generally known as language-based security. A direct benefit of language-based security is the ability to naturally express security policies and enforcement mechanisms using the developed techniques of programming languages.Who should study language-based security?
You should have previously studied a course in programming languages (and of course basic programming skills are assumed) and basics of computer security. It is an advantage if you have studied courses such as semantics of programming languages and compiler construction.You should be interested in some of the following:
- Obtaining a deeper understanding of programming language-based concepts for computer security.
- The design and implementation of security mechanisms.
- Computer science research in the area of programming languages and security.
What will you learn?
After the course, you should be able to apply practical knowledge of security for modern programming languages. This includes the ability to identify application- and language-level security threats, design and argue for application- and language-level security policies, and design and argue for the security, clarity, usability, and efficiency of solutions, as well as implement such solutions in expressive programming languages. You should be able to demonstrate the critical knowledge of principles behind such application-level attacks as race conditions, buffer overruns, and code injections. You should be able to master the principles behind such language-based protection mechanisms as static security analysis, program transformation, and reference monitoring.Content
This course combines practical and cutting-edge research material. For the practical part, the dual perspective of attack vs. protection is threaded through the lectures, laboratory assignments, and projects. For the cutting-edge research part, the course's particular emphasis is on the use of formal, or semantic, models of program behaviour for specifying and enforcing security properties.Prerequisites
Knowledge of the material covered in the courses Programming Languages and Computer Security is recommended although not required as a prerequisite.Instructor and TAs
Instructor: Andrei Sabelfeld, office 5476, voice 1018 (Chalmers).Teaching assistants: Luciano Bello, office 5483, voice 1791; Daniel Hausknecht, office 5447, voice 1757; and Alexander Sjösten.
Course literature
No specific book is used as a course book. The material consists of hand-outs, papers, etc. However, I recommend the following book for complimentary reading on the subject:- Building Secure Software: How to Avoid Security Problems the Right Way by John Viega and Gary McGraw, Addison-Wesley, 2001, 528 pages.
Lecture schedule and deadlines
The schedule is subject to change. Stay tuned!
Lectures are once or twice a week. They take place at EF at 10am on Mondays, and sometimes at ED at 1:15pm on Wednesdays.
Last year's lecture slides are already on the web, but changes and updates may be done before the actual lecture. If these updates are substantial then it will be indicated in the latest news section.
In order to view the slides, you need to be under the .se domain. Otherwise, let us know your domain - we will include it in the permission set.
All deadlines are firm.
Date | Topic | Reading | |||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Mon, Mar 23 | Introduction to language-based security. Overview of the
course.
Slides: here. |
McGraw and Morrisett, Attacking
Malicious Code: A Report to the Infosec Research
Council, 2000. Sect. I of Saltzer and Schroeder, Protection of Information in Computer Systems, 1975. | |||||||||||||||||||||||||||
Wed, Mar 25 | Information flow security
Slides: here. | Sabelfeld and Myers, Language-Based
Information-Flow Security, 2003. Try this information flow exercise. See below for exercise supervision time. Bonus: JSFlow challenge. | |||||||||||||||||||||||||||
Mon, Mar 30 | Data races, randomness, and determinism
Slides: here. | Savage, Burrows, Nelson, Sobalvarro, and Anderson, Eraser:
A Dynamic Data Race Detector for Multithreaded Programs, 1997.
Rafnsson and Sabelfeld, Secure Multi-Execution: Fine-grained, Declassification-aware, and Transparent, 2013. Clark and Hunt, Noninterference for Deterministic Interactive Programs, 2008. | |||||||||||||||||||||||||||
Thu, Apr 2 | Project proposal deadline | ||||||||||||||||||||||||||||
Wed, Apr 1 | Office hours to consult on project proposals, EDIT 5476, 1:15pm-3pm | ||||||||||||||||||||||||||||
Thu, Apr 16 | OWASP Gothenburg event: Defender Economics and Malware Defense. Registration is open. First come, first served! | ||||||||||||||||||||||||||||
Mon, Apr 20 | Buffer overruns; Database security; Privacy-violating information
flow in web applications Slides: here. | Aleph One, Smashing
the Stack for Fun and Profit.
Claes Nyberg's slides and tutorial with exercises. Jang et al, An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, 2010. | |||||||||||||||||||||||||||
Wed, Apr 22 | Paragon: practical programming with Information Flow Control
Lecture by Niklas Broberg | Paragon tutorial | |||||||||||||||||||||||||||
Fri, Apr 24 | ToCToU lab deadline | ||||||||||||||||||||||||||||
Mon, Apr 27 | Web-application security
Slides: here. | OWASP Excess XSS, tutorial by Jakob Kallin and Irene Lobo Valbuena, from their course project in 2013 | |||||||||||||||||||||||||||
Fri, May 1 | r00tshell lab deadline | ||||||||||||||||||||||||||||
Mon, May 4 | Java security, Stack inspection and access
control Certifying compilation; Typed Assembly Languages, Proof-Carrying Code; Copyright protection and code obfuscation Slides: here. | Wallach, Felten, Understanding
Java Stack Inspection, 1998. Morrisett, Walker, Crary, Glew, From System F to Typed Assembly Language, 1999. | |||||||||||||||||||||||||||
Wed, May 6 |
Micro-Policies: A Framework for Tag-Based Security Monitors Invited lecture by Benjamin Pierce, University of Pennsylvania
Micro-Policies:
Formally Verified, Tag-Based Security Monitors, 2015.
| Fri, May 8
| WebAppSec lab deadline
| Mon, May 11
| Design principles for security protocols
| Abadi and Needham, Prudent
Engineering Practice for Cryptographic Protocols, 1995.
| Wed, May 13
| Office hours to consult on projects, EDIT 5476, 1:15pm-3pm
| Thu, May 14
| Project draft to opponents
| Mon, May 18
| Project presentations | Presentation time: 8 minutes + 2 minutes for questions (strict limit!), following the presentation guidelines. If you are unable to use your laptop for the presentation, just email your powerpoint/pdf presentation to me in advance. Range of groups (as in Fire) to present projects: Groups 1-9. If you are group X then your opponent group is 38-X. Two exceptions are groups 25 and 26 who oppose each other. Wed, May 20 - 10:00-11:45
| Project presentations continued. Note that this slot
is on Wed morning! | Groups 21-29. Mon, May 25
| Project presentations continued: | Groups 30-37. Wed, May 27
| Project presentations continued: | Groups 10-20. Fri, May 29
| Project report deadline
| |
Exercises
In order to get up to speed on information flow, try this information flow challenge. There will be a supervision slot for working on this exercise on Wed, Apr 1, 10am -11:45am, room 3507. Bonus: JSFlow challenge.Lab assignments and project
You are expected to find a lab partner, with whom you will do the assignments (laborations). If you have difficulties finding a partner, please use the discussion group. No one-person or three-person groups are allowed unless there is a well-justified reason and permission from the instructor.
There are three assignments ("laborations") and a project. The lab are about specific problems whereas projects can be more open-ended (some ideas for projects are supplied below). Further information on the lab and project:
- ToCToU lab (on data races)
- r00tshell lab (on buffer overruns)
- WebAppSec lab (on web application security)
- Project
As common for advanced courses, there are only a few supervision times for the labs. The supervision takes place in room 3507 according to the following schedule:
ToCToU: Wed, Apr 22, 10am - 11:45am; r00tshell: Wed, Apr 29, 10am - 11:45am, and WebAppSec: Wed, May 6, 10am - 11:45am.
In case you have passed some of the labs and/or project in previous years, no need to resumbit the solutions. However, you still need to submit a short text file for each passed lab/project saying when (what year) you passed it.