CIS 6614 - Advanced Software Systems Security, Fall 2023

About CIS 6614

This page provides general information about CIS 6614 (Advanced Software Systems Security) at the University of Central Florida. The course's home page is www.cs.ucf.edu/~leavens/CIS6614/.

This page is organized as follows:

1. Meetings
2. Instructional Modes
3. Course Textbooks
4. Accessibility
5. Deployed Active Duty Military Students
6. Make-Up Assignments for Authorized University Events or Co-curricular Activities
7. Religious Observances
8. Course Description and Credit Hours
9. Course Learning Objectives
10. Course Learning Outcomes
11. Prerequisites
12. Acknowledgments

The course grading policy and syllabus are on separate web pages. Also on a separate page is our contact information.

Meetings

For class meetings, the time is as follows: Tuesdays and Thursdays from 9:00 AM to 10:15 AM. The meetings are in BA1, room O216.

Return to top

Instructional Modes

This course will be taught in several modes: in-person (P), Limited Attendance (RS), and Video (V), depending on the section you signed up for. (Section 0002 is in-person, section 0R01 is limited attendance, and section 0V91 is video mode.) According to UCF's Webcourses@UCF Support page these modalities are characterized as follows:

In Person (P)

"Courses have required classroom attendance and meet on a regularly scheduled basis in-person. Students may encounter online, video, or adaptive elements as part of the instruction, thus requiring a computer."

Limited Attendance (RS)

"Courses are primarily online in a blended format combining required in-person and online elements. In-person classroom activities may use up to 20% of the instructional time during the semester."

Video (V)

"Courses are online with extensive use of digital video, which may be supplemented by additional online activity, projects, or exams."

If you are attending remotely, then internet access, a browser, email, and a microphone is required. A webcam is highly desirable.

Testing for V Mode Students

You will take tests in this class based on the section you are enrolled in. (For example, students in the face-to-face or reduced seat time sections are required to take tests in class during class time.)

Students in the Video (V) section are required to take their tests with an approved in-person proctor. It is the students' responsibility to find and secure a proctor. If you are in the V section, you should have filled out the COVE Form found here: https://tinyurl.com/cove-form and have given your proctor information to Sarah Moore, who is the testing coordinator for the College of Engineering. If you have not yet given her your proctor information, she will need it no later than 2 weeks before your first test. If you have questions regarding proctoring or who qualifies as a proctor, please email her at sarah.moore2@ucf.edu. She will be distributing the test materials to the appropriate proctors.

If you are registered in the wrong section, you should correct that by the add/drop deadline.

Return to top

COVID-19 and Illness Notification

(The following is mostly quoted from the faculty center for teaching and learning's web site.)

Students who believe they may have a COVID-19 diagnosis should contact UCF Student Health Services (407-823-2509) so proper contact tracing procedures can take place.

Students should not come to campus if they are ill, are experiencing any symptoms of COVID-19, have tested positive for COVID, or if anyone living in their residence has tested positive or is sick with COVID-19 symptoms. See the CDC guidance for COVID-19 symptoms.

Students should contact their instructor(s) as soon as possible if they miss class for any illness reason to discuss reasonable adjustments that might need to be made. When possible, students should contact their instructor(s) before missing class.

In Case of Faculty Illness

If the instructor falls ill during the semester, there may be changes to this course, including having a backup instructor take over the course. Please look for announcements or mail in Webcourses@UCF or Knights email for any alterations to this course.

Return to top

Course Textbooks

There are no required textbooks for this course. However...

Recommended Texts

The following books are recommended.

• Matt Bishop. Computer Security: Art and Science. Addison-Wesley Professional, 2002.
• Michael Howard, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill, 2010. ISBN: 978-0-07-162676-7.

We may use other material as described in the syllabus's bibliography.

Return to top

Accessibility

We are happy to help with accessibility issues. The procedure is outlined in the following statement (modified from the faculty center for teaching and learning's web site):

The University of Central Florida is committed to providing access and inclusion for all persons. Students who have accessibility issues "due to course design limitations should contact the professor as soon as possible. Students should also connect with Student Accessibility Services (SAS) (Ferrell Commons 185, sas@ucf.edu, phone 407-823-2371). For students connected with SAS, a Course Accessibility Letter may be created and sent to professors, which informs faculty of potential course access and accommodations that might be necessary and reasonable. Determining reasonable access and accommodations requires consideration of the course design, course learning objectives and the individual academic and course barriers experienced by the student. Further conversation with SAS, faculty and the student may be warranted to ensure an accessible course experience."

Return to top

Deployed Active Duty Military Students

Quoting from the faculty center for teaching and learning's web site:

"Students who are deployed active duty military and/or National Guard personnel and require accommodation should contact their instructors as soon as possible after the semester begins and/or after they receive notification of deployment to make related arrangements."

Return to top

Make-Up Assignments for Authorized University Events or Co-curricular Activities

Quoting from the faculty center for teaching and learning's web site:

"Students who represent the university in an authorized event or activity (for example, student-athletes) and who are unable to meet a course deadline due to a conflict with that event must provide the instructor with documentation in advance to arrange a make-up. No penalty will be applied. For more information, see UCF policy 4-401."

Return to top

Religious Observances

Quoting from the faculty center for teaching and learning's web site:

"Students must notify their instructor in advance if they intend to miss class for a religious observance. For more information, see UCF regulation 5.020."

Return to top

Course Description and Credit Hours

CIS 6614 is a 3 credit course entitled "Advanced Software Systems Security."

From the University of Central Florida Catalog: "CIS 6614 ECS-CS 3(3, 0) Advanced Software Systems Security: PR: CIS 4615. This course will cover various advanced topics on software threat modeling, secure software development life cycle, common security issues, and mitigations in modern software operation. Odd Fall, Even Fall"

Explanation

Software is said to be secure when it can only be used as intended, and cannot be used to extract confidential information, undermine integrity, or facilitate unauthorized access. A secure software development process helps to ensure the security of software products. In particular it avoids known problems that could be used to attack a software product.

Threat modeling is the process of assessing what the most likely and important threats are to a computer system. This involves assessing what is important to clients of the system and what are the likely attacks (usually based on prior, known attacks).

Motivation for the Course Objectives

Software controls much of our modern world and impacts nearly all aspects of our lives. More and more physical devices that we depend on (such as automobiles and cell phones) are controlled by complex software systems. These software systems may allow attackers many different ways to undermine the system's security in ways that would benefit them and/or adversely affects the system's legitimate users. When such devices and information that they store become more important, then it becomes more important to secure them against attacks.

Software can be vulnerable to attacks either because it uses inherently insecure library functions (such as gets in C) or operating system calls, or because it has bugs. Analysis of the software before it is run (called static analysis) or monitoring of a system's execution while it is running (called dynamic analysis) can reveal insecurities before an attacker has a chance to cause (a great amount of) damage. A secure software development process often emphasizes static analysis (e.g., with code reviews) and static analysis, but can also use dynamic analysis as a kind of testing strategy. All of these techniques will be subjects for our study in this class.

Motivation for the Course Plan

To secure software systems, professionals will need to understand both static and dynamic analysis techniques and be able to put together a strategy to use these techniques in a cost-effective manner to secure a software system. Both research and practice in this area involve building tools to help with either threat modeling or mitigation.

Therefore, an important part of this course will be building tools to aid either threat modeling or static or dynamic analysis of software. Thus a major component of this course will be a team-based effort to build such tools.

Return to top

Course Learning Objectives

The objectives for this course are divided into two parts: a set of essential objectives, and a set of enrichment objectives. The essential objectives will be helpful for your career; hence they lead to the course's essential outcomes that we want to help you master. The enrichment objectives are less important for the course, but lead to enrichment outcomes that you are encouraged to explore both for their own sake and because learning more about those will help deepen your understanding of the essential objectives. The enrichment outcomes may also lead to avenues for research in software systems security.

Essential Objectives

In one sentence, this course's main objective is you will be able to supervise an enterprise's software system safety.

In more detail the essential objectives for this course are that you will be able to:

• [Strategize] plan a strategy to assure that an enterprise's software systems and/or products are secure from likely and important threats.
• [Design] Design a set of mitigations to the likely and important threats to software security and an architecture for tools to support that design.
• [Implement] Efficiently and correctly implement a tool to support a software system's secure development process.
• [Evaluate] Evaluate the adequacy of a threat model and mitigations to protect against those threats.

Enrichment Objectives

Enrichment objectives could be multiplied without limit, but the following seem most important, especially in relation to research in Computer Science and the Computer Science graduate program.

The course's enrichment objectives are that you will be able to:

• [Teamwork] Effectively participate in a team that can assure the security of an enterprise's software systems.
• [Writing] Convincingly and clearly write about the strategies, designs, architectures, and tool implementations in a way that could be published.

Course Learning Outcomes

This course's learning outcomes are divided into two parts: a set of essential outcomes, and a set of enrichment outcomes. The essential outcomes are designed to support this course's essential learning objectives, and thus to be helpful for your career as a computer scientist or software engineer; hence we want to help you to master them. They also form the basis for grading and assessment of your learning. The enrichment outcomes are not used directly for assessment. However, you are encouraged to explore topics related to the enrichment outcomes both for their own sake and because learning more about those will help your performance relative to the essential outcomes.

This course's outcomes are linked to this course's objectives (above). The links to this course's objectives are shown in references that look like this: [Strategize].

Essential Outcomes

In one sentence, this course's main expected learning outcome is that you will be able to effectively design and implement an enterprise's strategy for creating secure software systems, including building some of the necessary tools. [Strategize] [Design] [Implement]

In more detail, the essential objectives for this course are that you will be able to:

• [Plan] Plan a strategy for protecting a software system against important threats. [Strategize].
• [Architect] Create a plan for processes and tools that will protect a software system against important threats. [Design] [Evaluate].
• [Build] Create a tool that realizes an important part of a strategy to either reduce the possibility of important attacks or protect a software system from attacks. [Implement] [Evaluate].
• [Judge] Give a well-reasoned, critical judgment about the importance and implications (for security) of a strategy, architecture, or tool implementation, especially in terms of how it will the system's users and mitigate the important threats. [Evaluate].

Enrichment Outcomes

Enrichment outcomes could be multiplied without limit, but the following seem most important, especially in relation to research in software security.

The course's enrichment outcomes are that you will be able to:

• [Prioritize] Clearly explain which threats are most important to an enterprise (and its users) and the likelihood of the threat being realized (given other mitigations) [Strategize] [Evaluate] [Writing].
• [Collaborate] Work on a team to discover, evaluate, and communicate strategies, architectures, and tool designs [Teamwork].

Return to top

Prerequisites

The formal prerequisite in the University of Central Florida catalog is "CIS 4615 or C.I."

See the professor if you have questions about the prerequisites.

Return to top

Acknowledgments

Many thanks to David Mohaisen for discussions about this course.

Thanks to Curtis Clifton (now at Apple) for his initial work on the HTML for these web pages, which I have adapted from another course, and his style sheets, which I have also adapted.

Return to top

Last modified Tuesday, August 16, 2022.

This web page is for CIS 6614 at the University of Central Florida. The details of this course are subject to change as experience dictates. You will be informed of any changes. Please direct any comments or questions to Gary T. Leavens at Leavens@ucf.edu. Some of the policies and web pages for this course are quoted or adapted from other courses I have taught, in partciular, COP 4020.