Language-Based Security VT13

TDA602/TDA601/DIT103/DIT101 - Språkbaserad datasäkerhet

Latest news

  • (15/5) A list that maps group numbers to email addresses has been sent out to the course mailing list. Go ahead and exchange project report drafts with your opposing group by email.
  • (15/5) Project presentation schedule is now available (see below). Note that the presentation time is 5 minutes + 2 minutes for questions. If your group is not mentioned below, then you do not need to present the project. Groups that present one after the other are each others' "opponents". For example, groups 5 and 19 oppose each other and so on.
  • (15/5) Notes from the course evaluation meeting with student representatives are now available.
  • (6/5) Registration for an OWASP Gothenburg event with Mario Heiderich on May 16 is now open.
  • (6/5) Slides for Ben Livshits' lecture on malware are now up.
  • (23/4) Welcome to attend a lecture by Alejandro Russo on Information-flow control via libraries, to be held in the programming languages seminar, Friday, Apr 26, 1:15pm, room ES51.
  • (17/4) Welcome to attend a lecture by Niklas Broberg on Paragon - Object-Oriented Programming with Information Flow Control, to be held in the programming languages seminar, Friday, Apr 19, 1:15pm-2:15pm, room ES51.
  • (8/4) The Fire system for lab/project submission is online. Note that we are running a beta-version of a new Fire system, please report any problems to Arnar.
  • (8/4) The student representatives for course evaluation are: Olivier Chatail, chatail AT, Gustav Freij, gufreij AT, Christoffer Karlsson, chrika AT, and Daniel Scho'epe, daniel AT
  • (22/3) Slides for lecture 2 have been updated.
  • (20/3) Slides for lecture 1 have been updated.
  • (12/3) For the labs and the project, you need to work in groups of two. There will be an opportunity for group matching at the break of the first lecture. If you have difficulties finding a partner, please use the discussion group.
  • (12/3) Course discussion group is up and running. Discussion of general questions, labs, and projects is welcome. Helping each other to find answers is encouraged, but of course without giving away solutions.
  • (11/3) For GU-student admitted to the course: This semester you have to register online in LPW at the Student portal. The registration is obligatory in order to attend the course. Note that you need to register yourself on the course the same day as the first lecture otherwise you will lose your place. For further information about registration and how to activate your student account, click here.
  • (4/3/2013) First lecture: Tue, Mar 19, 10:00m, EE. For the schedule of the course, please refer to the plan below (and not the TimeEdit schedule).


Lectures, exercises, and deadlines

Assignments (Labs)


Security specialization (NEW!)

This course is a part of the Chalmers and GU Security Specialization, a package of four courses in computer security.

Why language-based security?

Traditionally, computer security has been largely enforced at the level of operating systems. However, operating-system security policies are low-level (such as access control policies, protecting particular files), while many attacks are high-level, or application-level (such as email worms that pass by access controls pretending to be executed on behalf of a mailer application). The key to defending against application-level attacks is application-level security. Because applications are typically specified and implemented in programming languages, this area is generally known as language-based security. A direct benefit of language-based security is the ability to naturally express security policies and enforcement mechanisms using the developed techniques of programming languages.

Who should study language-based security?

You should have previously studied a course in programming languages (and of course basic programming skills are assumed) and basics of computer security. It is an advantage if you have studied courses such as semantics of programming languages and compiler construction.

You should be interested in some of the following:

What will you learn?

After the course, you should be able to apply practical knowledge of security for modern programming languages. This includes the ability to identify application- and language-level security threats, design and argue for application- and language-level security policies, and design and argue for the security, clarity, usability, and efficiency of solutions, as well as implement such solutions in expressive programming languages. You should be able to demonstrate the critical knowledge of principles behind such application-level attacks as race conditions, buffer overruns, and code injections. You should be able to master the principles behind such language-based protection mechanisms as static security analysis, program transformation, and reference monitoring.


This course combines practical and cutting-edge research material. For the practical part, the dual perspective of attack vs. protection is threaded through the lectures, laboratory assignments, and projects. For the cutting-edge research part, the course's particular emphasis is on the use of formal, or semantic, models of program behaviour for specifying and enforcing security properties.


Knowledge of the material covered in the courses Programming Languages and Computer Security is recommended although not required as a prerequisite.

Instructor and TAs

Instructor: Andrei Sabelfeld, office 5476, voice 1018 (Chalmers).

Teaching assistants: Arnar Birgisson, office 5449, voice 1061; and Jonas Magazinius, office 5472, voice 5422.

Course literature

No specific book is used as a course book. The material consists of hand-outs, papers, etc. However, I recommend the following book for complimentary reading on the subject:

Lecture schedule and deadlines

The schedule is subject to change. Stay tuned!

Lectures are once or twice a week. They take place at EE at 10am.

Last year's lecture slides are already on the web, but changes and updates may be done before the actual lecture. If these updates are substantial then it will be indicated in the latest news section.

In order to view the slides, you need to be under the .se domain. Otherwise, let us know your domain - we will include it in the permission set.

All deadlines are firm.

Date Topic Reading
Tue, Mar 19 Introduction to language-based security. Overview of the course.
Slides: here.
McGraw and Morrisett, Attacking Malicious Code:  A Report to the Infosec Research Council, 2000.
Sect. I of Saltzer and Schroeder, Protection of Information in Computer Systems, 1975.
Fri, Mar 22 Information flow security
Slides: here.
Sabelfeld and Myers, Language-Based Information-Flow Security, 2003.
Try this information flow exercise. See below for exercise supervision time.
Tue, Apr 9 Design principles for security protocols Abadi and Needham, Prudent Engineering Practice for Cryptographic Protocols, 1995.
Fri, Apr 12 Project proposal deadline
Tue, Apr 16 Data races, randomness, and determinism
Slides: here.
Savage, Burrows, Nelson, Sobalvarro, and Anderson, Eraser: A Dynamic Data Race Detector for Multithreaded Programs, 1997.
Clark and Hunt, Noninterference for Deterministic Interactive Programs, 2008.
Fri, Apr 19 Buffer overruns; Database security; Privacy-violating information flow in web applications
Slides: here.
Aleph One, Smashing the Stack for Fun and Profit.
Claes Nyberg's slides and tutorial with exercises.
Jang et al, An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications, 2010.
Fri, Apr 19 Eraser lab deadline
Tue, Apr 23 Malware
Invited lecture by Ben Livshits , Microsoft Research (Seattle).
Slides: here.
Fri, Apr 26 r00tshell lab deadline
Tue, Apr 30 Web-application security
Jonas Magazinius' slides from 2011 here
Fri, May 3 WepAppSec lab deadline
Tue, May 7 Java security, Stack inspection and access control
Certifying compilation; Typed Assembly Languages, Proof-Carrying Code; Copyright protection and code obfuscation
Slides: here.
Wallach, Felten, Understanding Java Stack Inspection, 1998.
Morrisett, Walker, Crary, Glew, From System F to Typed Assembly Language, 1999.
Wed, May 8 Office hours to consult on projects, EDIT 5476, 1:15pm-3pm
Tue, May 14 Authentication on the web (OAuth, OAuth2, OpenID) with real-world examples (Twitter, Facebook, Amazon, Google).
Invited lecture by Mattias Jidhage, Omegapoint and OWASP Gothenburg.
Fri, May 17 Advanced topics in web application security
Invited lecture by Mario Heiderich, Ruhr University (Bochum).
Fri, May 17 Project draft to opponents
Tue, May 21 Project presentations
Presentation time: 5 minutes + 2 minutes for questions, following the presentation guidelines. If you are unable to use your laptop for the presentation, just email your powerpoint/pdf presentation to me in advance. The schedule of groups (as in Fire) to present projects is below. If your group is not mentioned below, then you do not need to present the project. Groups that present one after the other are each others' "opponents". For example, groups 5 and 19 oppose each other and so on.
5: Operating-system level scripting language for security
19: Information-flow Security for Online Auctions using Jif

4: iOS security
10: Ruby on Rails parsing vulnerabilities

6: Exploit development
12: DFRWS 2010 Forensics Challenge

16: Security evaluation of Fire
23: Joomla vulnerabilities

21: Social Engineering with focus on phishing techniques and protection methods
7: Excess XSS: A Comprehensive Tutorial on Cross-Site Scripting

11: Advanced cross­site scripting (XSS) attacks and protection
26: Advanced cross-site scripting (XSS) attacks and protection
Fri, May 24 Project presentations continued
3: Tools for race detection in Java
18: Formal Security Analysis of Remote Diagnostics Authorisation Protocol

8: Android Application Security
22: Android App Security and Location Privacy

13: Android Security : Battle against the covert channels
9: Android App Hack

15: A Study of Security in Flash
27: Flash language security

17: Security Evaluation of Add-Ons for Firefox
28: Security review of the GNOME Shell Extensions web-based installation

14: Implementation of a web application secure from SQL injections

24a: Advanced SQL attacks
24b: Advanced SQL attacks
Fri, May 24 Project report deadline


In order to get up to speed on information flow, try this information flow challenge. There will be a supervision slot for working on this exercise on Wed, Apr 10, 8am -9:45am, room 3507.

Lab assignments and project

You are expected to find a lab partner, with whom you will do the assignments (laborations). If you have difficulties finding a partner, please use the discussion group. No one-person or three-person groups are allowed unless there is a well-justified reason and permission from the instructor.

There are three assignments ("laborations") and a project. The lab are about specific problems whereas projects can be more open-ended (some ideas for projects are supplied below). Further information on the lab and project: As common for advanced courses, there are only a few supervision times for the labs. The supervision takes place in room 3507 according to the following schedule:

Eraser: Wed, Apr 17, 8am - 9:45am; r00tshell: Wed, Apr 24, 8am - 9:45am, and WebAppSec: Fri, May 3, 8am - 8:45am.

Watch out the latest news for booking a slot during the office hours to discuss project proposals and projects, respectively.

In case you have passed some of the labs and/or project in previous years, no need to resumbit the solutions. However, you still need to submit a short text file for each passed lab/project saying when (what year) you passed it.

Course requirement and examinations

To pass the course, you must pass the labs and the exam. In order to pass the exam, you need to make a presentation of the project in class and pass the requirements on a written report that documents your project.

Academic integrity and honesty

Students are expected to be familiar with the Chalmers policy on academic integrity and honesty, which we strictly follow. Cheating includes collaboration between groups and not citing your sources.