Computer Science

The course presents methodological and practical aspects of software security, starting from some of the most widely known vulnerabilities. Topics include attacks on common ciphers like cryptanalysis and side channels, and software attacks like various forms of buffer and heap overflow, problems induced by input formatting, consequences of racing conditions, generation of random numbers, and code injection. The emphasis is on methodologies and tools to identify and eliminate such vulnerabilities. Techniques to prove the absence of vulnerabilities are presented, and approaches to avoid the introduction of vulnerabilities in the SW product discussed (such as the use of types in languages to ensure memory safety, type safety, policy-based information flow, and cryptographic tools). Basic notions of PCC and code/cryptographic obfuscation are also discussed. The students are exposed to methodologies to design software integrating risk analysis and management into the software life cycle. Improving Existing Code - Known vulnerabilities: Buffer overflow, SQL/code injection, TOCTOU - Static and Dynamic Code Analysis and Tools - Common Vulnerability Scoring System CVSS Evaluating Security - Principles - Testing Develop Secure Software - Secure code development / defensive coding - Java security Current Approaches - Language-based security - Information Flow Control - Proof-Carrying Code - Code Obfuscation Introduction to cryptographic primitives: - Common ciphers - Public-Key Encryption

- Introductory security course - Elementary OS and DB - Basic programming skills, in particular C/C++, Java, Bits of PHP and javascript

R. Anderson, Security Engineering: a guide to building dependable distributed systems, 2nd ed., John Wiley and Sons 2008 J.Viega, G.McGraw, Building Secure Software, Addison- Wesley 2002 G.McGraw, Software Security: Building Security in, Addison- Wesley 2006 G.Hoglung, G.McGraw, Exploiting Software: how to break code, Addison-Wesley 2004 G.McGraw, E.Felten, Securing Java, John Wiley and Sons 1999, D.A.Wheeler, Secure Programming for Linux and Unix HOWTO J. Katz, Y. Lindell, Introduction to Modern Cryptography (Chapman & Hall/CRC Cryptography and Network Security Series)

In presence

One or more individual projects - Static analysis of code fragments - Assertion-based code analysis - Testing/Evaluating given application Project/s are mandatory to pass the exam - Written exam on the subjects of the course

Classes related to security in software applications arguments where concepts and examples are introduced to the students.

The course presents methodological and practical aspects of software security, starting from some of the most widely known vulnerabilities. Topics include attacks on common ciphers like cryptanalysis and side channels, and software attacks like various forms of buffer and heap overflow, problems induced by input formatting, consequences of racing conditions, generation of random numbers, and code injection. The emphasis is on methodologies and tools to identify and eliminate such vulnerabilities. Techniques to prove the absence of vulnerabilities are presented, and approaches to avoid the introduction of vulnerabilities in the SW product discussed (such as the use of types in languages to ensure memory safety, type safety, policy-based information flow, and cryptographic tools). Basic notions of PCC and code/cryptographic obfuscation are also discussed. The students are exposed to methodologies to design software integrating risk analysis and management into the software life cycle. Improving Existing Code - Known vulnerabilities: Buffer overflow, SQL/code injection, TOCTOU - Static and Dynamic Code Analysis and Tools - Common Vulnerability Scoring System CVSS Evaluating Security - Principles - Testing Develop Secure Software - Secure code development / defensive coding - Java security Current Approaches - Language-based security - Information Flow Control - Proof-Carrying Code - Code Obfuscation Introduction to cryptographic primitives: - Common ciphers - Public-Key Encryption

- Introductory security course - Elementary OS and DB - Basic programming skills, in particular C/C++, Java, Bits of PHP and javascript

R. Anderson, Security Engineering: a guide to building dependable distributed systems, 2nd ed., John Wiley and Sons 2008 J.Viega, G.McGraw, Building Secure Software, Addison- Wesley 2002 G.McGraw, Software Security: Building Security in, Addison- Wesley 2006 G.Hoglung, G.McGraw, Exploiting Software: how to break code, Addison-Wesley 2004 G.McGraw, E.Felten, Securing Java, John Wiley and Sons 1999, D.A.Wheeler, Secure Programming for Linux and Unix HOWTO J. Katz, Y. Lindell, Introduction to Modern Cryptography (Chapman & Hall/CRC Cryptography and Network Security Series)

In presence

One or more individual projects - Static analysis of code fragments - Assertion-based code analysis - Testing/Evaluating given application Project/s are mandatory to pass the exam - Written exam on the subjects of the course

Classes related to security in software applications arguments where concepts and examples are introduced to the students.