Language-Based Security VT17

Latest news

• (25/5) By popular demand, the deadline for project reports has been extended to June 2.
• (11/5) Slides for the advanced web application security lecture have been updated.
• (11/5) Notes from the course evaluation meeting with student representatives are now available.
• (5/5) A list that maps group numbers to email addresses has been posted to the discussion group. Please, go ahead and exchange project report drafts with your opposing group by email before the deadline.
• (5/5) Project presentation schedule is now available (see below). Note that the presentation time is 7 minutes + 1 minute for questions. Groups listed together are each others' "opponents".
• (26/4) A new lab supervision slot is added on Apr 28, on that day we will have supervisions 10-12 in 3507 and 13-15 in 3354.
• (30/3) Registration to the OWASP Gothenburg event on Apr 6 is now open - first come, first served (link below)!
• (30/3) Slides from Sebastian Lekies' invited lecture are up.
• (28/3) To meet the increase in the number of students, we have added three new lab supervision slots: on Apr 7, 21, and 28.
• (21/3) Slides for lecture 1 have been updated.
• (10/3) The lab submission system is now online. For submission instructions, see here.
• (6/3) The student representatives for course evaluation are:

  MPALG fayaz AT student.chalmers.se IBRAHIM FAYAZ
  MPSOF gunnarg AT student.chalmers.se GUNNAR ÖRN GUNNARSSON
  GU    gusingad AT student.gu.se ADAM INGMANSSON
  MPALG ludlin AT student.chalmers.se LUDWIG LINDBERG
  GU    guskvase AT student.gu.se SEBASTIAN KVARNSTRÖM
  MPALG yagublu AT student.chalmers.se LAMIYA YAGUBLU
  

• (6/3) For the labs and the project, you need to work in groups of two. There will be an opportunity for group matching at the break of the first lecture. If you have difficulties finding a partner, please use the discussion group.
• (27/2) Course discussion group is up and running. Discussions of general questions, labs, and projects are welcome. Helping each other to find answers is encouraged, but of course without giving away solutions.
• (24/2/2017) First lecture: Monday, Mar 20.

Security specialization

This course is a part of the Chalmers and GU Security Specialization, a package of four courses in computer security.

Why language-based security?

Traditionally, computer security has been largely enforced at the level of operating systems. However, operating-system security policies are low-level (such as access control policies, protecting particular files), while many attacks are high-level, or application-level (such as email worms that pass by access controls pretending to be executed on behalf of a mailer application). The key to defending against application-level attacks is application-level security. Because applications are typically specified and implemented in programming languages, this area is generally known as language-based security. A direct benefit of language-based security is the ability to naturally express security policies and enforcement mechanisms using the developed techniques of programming languages.

Who should study language-based security?

You should have previously studied a course in programming languages (and of course basic programming skills are assumed) and basics of computer security. It is an advantage if you have studied courses such as semantics of programming languages and compiler construction.

You should be interested in some of the following:

• Obtaining a deeper understanding of programming language-based concepts for computer security.
• The design and implementation of security mechanisms.
• Computer science research in the area of programming languages and security.

What will you learn?

After the course, you should be able to apply practical knowledge of security for modern programming languages. This includes the ability to identify application- and language-level security threats, design and argue for application- and language-level security policies, and design and argue for the security, clarity, usability, and efficiency of solutions, as well as implement such solutions in expressive programming languages. You should be able to demonstrate the critical knowledge of principles behind such application-level attacks as race conditions, buffer overruns, and code injections. You should be able to master the principles behind such language-based protection mechanisms as static security analysis, program transformation, and reference monitoring.

Content

This course combines practical and cutting-edge research material. For the practical part, the dual perspective of attack vs. protection is threaded through the lectures, laboratory assignments, and projects. For the cutting-edge research part, the course's particular emphasis is on the use of formal, or semantic, models of program behaviour for specifying and enforcing security properties.

Prerequisites

Knowledge of the material covered in the courses Programming Languages and Computer Security is recommended although not required as a prerequisite.

Instructor and TAs

Instructor: Andrei Sabelfeld, office 5476, voice 1018 (Chalmers).

Teaching assistants: Alexander Sjösten, office 5449, voice 6167, and Daniel Hausknecht, office 5447, voice 6163.

Course literature

No specific book is used as a course book. The material consists of hand-outs, papers, etc. However, I recommend the following book for complimentary reading on the subject:

• Building Secure Software: How to Avoid Security Problems the Right Way by John Viega and Gary McGraw, Addison-Wesley, 2001, 528 pages.

Lecture/supervision schedule and deadlines

The schedule is subject to change. Stay tuned!

Last year's lecture slides are already on the web, but changes and updates may be done before the actual lecture. If these updates are substantial then it will be indicated in the latest news section.

In order to view the slides, you need to be under the .se domain. Otherwise, let us know your domain - we will include it in the permission set.

All deadlines are firm.

When	Topic	Reading
Mon, Mar 20, 10-12, EF	Introduction to language-based security. Overview of the course. Slides: here.	Language-based security Sect. I of Saltzer and Schroeder, Protection of Information in Computer Systems, 1975.
Wed, Mar 22, 13-15, EC	Information flow security Slides: here.	Sabelfeld and Myers, Language-Based Information-Flow Security, 2003. Try this information flow exercise. See below for exercise supervision time. Bonus: JSFlow challenge.
Mon, Mar 27, 10-12, ED-5476	Office hours to consult on project proposals
Wed, Mar 29, 10-12, ED-3507	Exercise: Information Flow Challenge	Bonus: JSFlow challenge.
Wed, Mar 29, 13-15, EC	Breaking and Fixing Web-based Mitigations. Invited lecture by Sebastian Lekies, Google Zurich. Slides: here.
Fri, Mar 31	Project proposal deadline
Mon, Apr 3, 10-12, EF	Data races, randomness, and determinism Slides: here.	Savage, Burrows, Nelson, Sobalvarro, and Anderson, Eraser: A Dynamic Data Race Detector for Multithreaded Programs, 1997. Rafnsson and Sabelfeld, Secure Multi-Execution: Fine-grained, Declassification-aware, and Transparent, 2013. Clark and Hunt, Noninterference for Deterministic Interactive Programs, 2008.
Wed, Apr 5, 10-12, ED-3507	ToCToU lab supervision
Wed, Apr 5, 13-15, EC	Buffer overruns; Database security; Privacy-violating information flow in web applications Slides: here.	Aleph One, Smashing the Stack for Fun and Profit. Claes Nyberg's slides and tutorial with exercises. Jang et al, An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, 2010.
Thu, Apr 6	OWASP Gothenburg event: On the Feasibility of Large-Scale Web Vulnerability Notification by Ben Stock. Registration is here. First come, first served!
Fri, Apr 7, 10-12, ED-3507	ToCToU lab supervision
Fri, Apr 7	ToCToU lab deadline
Wed, Apr 19, 10-12, ED-3507	r00tshell lab supervision
Wed, Apr 19, 13-15, EF	Web-application security Slides: here.	OWASP Excess XSS, tutorial by Jakob Kallin and Irene Lobo Valbuena, from their course project in 2013
Fri, Apr 21, 10-12, ED-3507	r00tshell lab supervision
Fri, Apr 21, 13-15, ED-3507	r00tshell lab supervision
Fri, Apr 21	r00tshell lab deadline
Mon, Apr 24, 10-12, EF	Advanced web application security Lecture by Steven Van Acker. Slides: part 1 and part 2.
Wed, Apr 26, 10-12, ED-3507	WebAppSec lab supervision
Fri, Apr 28, 10-12, ED-3507	WebAppSec lab supervision
Fri, Apr 28, 13-15, ED-3354	WebAppSec lab supervision
Fri, Apr 28	WebAppSec lab deadline
Wed, May 3, 10-12, ED-5476	Office hours to consult on projects
Wed, May 3, 13-15, EC	Java security, Stack inspection and access control Certifying compilation; Typed Assembly Languages, Proof-Carrying Code; Copyright protection and code obfuscation Slides: here.	Wallach, Felten, Understanding Java Stack Inspection, 1998. Morrisett, Walker, Crary, Glew, From System F to Typed Assembly Language, 1999.
Wed, Mar 10, 13-15, EC	Design principles for security protocols	Abadi and Needham, PrudentEngineering Practice for Cryptographic Protocols, 1995.
Thu, May 11	Project draft to opponents
Mon, May 15, 10-12, EF	Project presentations Presentation time: 7 minutes + 1 minute for questions (strict limit!), following the presentation guidelines. If you are unable to use your laptop for the presentation, just email your powerpoint/pdf presentation to me in advance. The opponent group must be present and ask at least two questions. The groups (as in Fire) to present projects: Groups 18-17 27-20 4-2 5-6 7-8 9-10 Groups listed together are each others' "opponents". For example, groups 18 and 17 oppose each other and so on.
Mon, May 22, 10-12, EF	Project presentations continued. Groups 28-29 11-1 12 14-15 21-19 22-23
Wed, May 24, 10-12, EC	Project presentations continued. Groups 32-33 26-16 24-25 30 34-35 37
Wed, May 24, 13-15, EC	Project presentations continued. Groups 48-46 38-39 40-41 42-43 44-45
Fri, June 2	Project report deadline

Exercises

In order to get up to speed on information flow, try this information flow challenge. See the schedule for the supervision slot for working on this exercise. Bonus: JSFlow challenge.

Lab assignments and project

You are expected to find a lab partner, with whom you will do the assignments (laborations). If you have difficulties finding a partner, please use the discussion group. No one-person or three-person groups are allowed unless there is a well-justified reason and permission from the instructor.

There are three assignments ("laborations") and a project. The lab are about specific problems whereas projects can be more open-ended (some ideas for projects are supplied below). Further information on the lab and project:

• ToCToU lab (on data races)
• r00tshell lab (on buffer overruns)
• WebAppSec lab (on web application security)
• Project

The supervision takes place according to the schedule above.

In case you have passed some of the labs and/or project in previous years, no need to resumbit the solutions. However, you still need to submit a short text file for each passed lab/project saying when (what year) you passed it.

Course requirement and examinations

To pass the course, you must pass the labs and the project part. You need to make a presentation of the project in class and pass the requirements on a written report that documents your project. There is no written question-style exam. Note that a top grade is not possible when failing to play the opponent role during the project presentations.

Student directions for the use of the IT resources at Chalmers

Students are expected to be familiar with the Student directions for the use of the IT resources at Chalmers, which we strictly follow. While we study both attacks and protection, our attitude is exclusively white-hat.

Academic integrity and honesty

Students are expected to be familiar with the Chalmers policy on academic integrity and honesty, which we strictly follow. Cheating includes collaboration between groups and not citing your sources.