About CIS 4615
This page provides general information about CIS 4615 (Secure Software Development and Assurance) at the University of Central Florida. The course's home page is http://www.cs.ucf.edu/~leavens/CIS4615/.
This page is organized as follows:
- Meetings
- Course Textbooks
- Accommodations for Disabilities
- Course Description and Credit Hours
- Course Learning Objectives
- Course Learning Outcomes
- Prerequisites
- Acknowledgments
The course grading policy and syllabus (which includes the time of the final exam) are on separate web pages. Also on a separate page is our contact information.
Meetings
Lecture attendance is required. The meeting time and location are as follows:
Lectures: Tuesdays and Thursdays, at 9:00AM-10:15AM, in the Nicholson School of Communications Building (NSC), room 117.
Course Textbooks
Required Texts
There are two required textbooks for this course.
- John Viega and Gary McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Addison-Wesley Professional, 2002. ISBN-13: 978-0321774958.
- Michael Sikorski and Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press, San Francisco, 2012. ISBN-13: 978-1-59327-290-6.
Recommended Texts
The following three books are recommended as supplements.
- Matt Bishop. Computer Security: Art and Science. Addison-Wesley Professional, 2002.
- Michael Howard, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill, 2010. ISBN: 978-0-07-162676-7.
- Chris Eagle. The IDA Pro Book: The Unofficial Guide to the World's Most Popular Disassembler. 2nd edition, No Starch Press, San Francisco, 2011. ISBN-13: 978-1593272890.
Additional Readings
We may use other material as described in the syllabus's bibliography.
See also the course resources page.
Accommodations for Disabilities
We are happy to help with reasonable accommodations for disabilities. The procedure is outlined in the following statement (quoted from the faculty center for teaching and learning's web site):
"The University of Central Florida is committed to providing reasonable accommodations for all persons with disabilities. This syllabus is available in alternate formats upon request. Students with disabilities who need accommodations in this course must contact the professor at the beginning of the semester to discuss needed accommodations. No accommodations will be provided until the student has met with the professor to request accommodations. Students who need accommodations must be registered with Student Disability Services, Student Resource Center Room 132, phone (407) 823-2371, TTY/TDD only phone (407) 823-2116, before requesting accommodations from the professor."
Course Description and Credit Hours
This 3 credit course is titled "Secure Software Development and Assurance."
From the University of Central Florida Catalog: "PR: (COP 4600 or CGS 3763) and (CIS 3360 or CIS 3362) or C.I. Threa[t] modeling, Secure code life-cycle, Buffer overflows, race conditions and format string problems, Inputs and clients, File system, Cryptography applications, UMLSec, Java security and Reverse engineering."
Explanation
Threat modeling, or risk analysis, is used to determine what resources to spend protecting an asset. Assets include money, tangible things (such as cars), and data (such as a database containing proprietary information). Risk analysis estimates the probability of an attack and the amount of loss (or harm) that would result from a successful attack.
The secure code life-cycle is the set of steps that are used to develop, test, and maintain secure code. In particular, this considers what kinds of tests, analysis, and reviews are needed to ensure code is secure.
The next several terms in the course description, "buffer overflows, race conditions, and format string problems," refer to common errors in software development that can have severe implications for security. A buffer overflow happens when code can write beyond the space allocated for a buffer (typically in C or C++); this can be used to change a program's control flow, allowing it to be hijacked by an attacker. A race condition happens when two threads of control both access a memory location without any way to control which thread accesses it first, and at least one of them changes it: if both try to write to it, one of the writes may be lost, and if one writes while the other reads, the result of the read is unpredictable; this too can lead to exploits. A format string is used in C and C++ (and some other languages) to describe the appearance of output or input; format strings are vulnerable to attack if they are obtained from the program's user (who could be an attacker).
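As an added illustration (this code is not part of the course page or its textbooks), the following C program shows the two mistakes just described in a comment, an unbounded copy into a fixed buffer and a user-supplied string passed as the format argument, beside the hardened forms: a copy that never writes past the buffer and reports truncation, and a greeting built with a literal format string. The names bounded_copy, format_greeting and NAME_MAX are choices made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16 /* bytes available for a name, including the terminating NUL */

/*
 * The patterns the paragraph above warns about (deliberately not compiled):
 *
 *   char buf[NAME_MAX];
 *   strcpy(buf, name);   // writes past buf whenever strlen(name) >= NAME_MAX
 *   printf(name);        // name is interpreted as a format string, so any
 *                        // '%' directives it contains are acted on
 */

/* Copy src into dst, never writing more than dst_size bytes.
 * Returns true if the whole string fit, false if it had to be truncated;
 * dst is NUL-terminated in both cases (when dst_size > 0). */
bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;
    size_t len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);
    return true;
}

/* Build "Hello, <name>!" into out. The format string is a literal and the
 * user-controlled name is passed only as a %s argument, so a '%' inside the
 * name is ordinary data. Returns the length the full greeting needed (as
 * snprintf does), which lets the caller detect truncation of out. */
int format_greeting(char *out, size_t out_size, const char *name)
{
    char name_buf[NAME_MAX];
    bounded_copy(name_buf, sizeof name_buf, name);
    return snprintf(out, out_size, "Hello, %s!", name_buf);
}

int main(void)
{
    char out[64];
    /* constructed inputs: one containing '%', one longer than NAME_MAX */
    format_greeting(out, sizeof out, "100% bob");
    puts(out);
    format_greeting(out, sizeof out, "a name that is far longer than sixteen bytes");
    puts(out);
    return 0;
}
```

The point of returning a truncation flag and the snprintf length is that the caller can decide what to do when input does not fit, instead of the language silently doing the wrong thing.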
In general, inputs from clients of a program should not be trusted and should not be used to control a program's behavior; doing so can lead to injection attacks, including SQL injection and command injection attacks.
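Added example (not from the course page): the C code below takes the command-injection case a step further than the paragraph does. It shows, in a comment, the unsafe habit of splicing a client-supplied name into a command line for a shell, and then two defenses used together: an allowlist check that rejects anything not explicitly permitted, and an argument vector in which the validated name is a single argument for execvp-style execution, so no shell ever reparses it. The same separation of code from data is what parameterized queries provide against SQL injection. The functions is_safe_filename and build_list_argv, the 64-character limit and the inputs in main are all constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * The pattern to avoid (deliberately not compiled): client input becomes part
 * of a string that a shell parses.
 *
 *   char cmd[256];
 *   snprintf(cmd, sizeof cmd, "ls -l %s", client_name);
 *   system(cmd);   // ';', '|', '$(...)' and friends in client_name are shell syntax
 */

/* Allowlist check: accept only names made of ASCII letters, digits, '.', '_'
 * and '-', non-empty, at most max_len characters, not starting with '.' or '-'
 * (no hidden files, nothing that looks like a command option) and containing
 * no '/' (no path traversal). Everything not explicitly allowed is rejected. */
bool is_safe_filename(const char *name, size_t max_len)
{
    size_t len = strlen(name);
    if (len == 0 || len > max_len)
        return false;
    if (name[0] == '.' || name[0] == '-')
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return false;
    }
    return true;
}

/* Fill argv for an execvp-style call: program and options are fixed, and the
 * validated client name is one argument of its own. Returns the number of
 * entries filled (excluding the terminating NULL), or 0 if the name was
 * rejected or argv has fewer than 5 slots. */
size_t build_list_argv(const char *name, char **argv, size_t argv_size)
{
    if (argv_size < 5 || !is_safe_filename(name, 64))
        return 0;
    argv[0] = "ls";
    argv[1] = "-l";
    argv[2] = "--";          /* end of options: even a valid name cannot become a flag */
    argv[3] = (char *)name;  /* one argv entry, never reparsed by a shell */
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "report-2015.txt", "notes.txt;id", "sub/dir.txt", "-rf", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i],
               is_safe_filename(samples[i], 64) ? "accepted" : "rejected");
    return 0;
}
```

A denylist that strips known shell metacharacters is the tempting alternative; it fails as soon as the next character class is discovered, which is why the check above lists what is allowed rather than what is forbidden.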
File systems store information on computers, and as such they are important assets to secure and must be treated carefully in programming. It is important to check error return codes from system calls that manipulate the file system and to understand the permission model offered by the operating system for files and directories.
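Added example (not from the course page): the POSIX C function below puts the two points of this paragraph, checking every system call's return value and using the operating system's permission model deliberately, into one routine that creates a private file. It also addresses the race condition mentioned earlier in this section in its file-system form: the file is created atomically with O_CREAT|O_EXCL (which fails rather than following a pre-existing symbolic link), the mode 0600 applies from the moment the file exists, and the sanity check is made with fstat on the open descriptor rather than with stat on the path name, so there is no window between checking and using. The function name write_private_file, the status codes and the path used in main are choices made for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Distinct results so a caller can tell why the operation failed. */
enum write_status {
    WR_OK = 0,
    WR_EXISTS,        /* something already sits at path (file, symlink, ...) */
    WR_OPEN_FAILED,   /* any other open() error, see *err */
    WR_NOT_REGULAR,   /* fstat failed or the object is not a regular file */
    WR_WRITE_FAILED,
    WR_CLOSE_FAILED
};

/* Create a new file readable and writable only by its owner and write len
 * bytes of data into it. On failure *err holds the errno of the failing call. */
enum write_status write_private_file(const char *path, const char *data,
                                     size_t len, int *err)
{
    *err = 0;
    /* O_EXCL with O_CREAT: creation is atomic and refuses to follow a symlink
     * that another process may have planted at path. Mode 0600 is applied at
     * creation, not fixed up afterwards with chmod(). */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
    if (fd < 0) {
        *err = errno;
        return errno == EEXIST ? WR_EXISTS : WR_OPEN_FAILED;
    }

    /* Check the object we actually hold, via the descriptor, not the name. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        *err = errno;
        close(fd);
        return WR_NOT_REGULAR;
    }

    /* write() may write fewer bytes than asked or be interrupted; loop. */
    size_t done = 0;
    while (done < len) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            *err = errno;
            close(fd);
            return WR_WRITE_FAILED;
        }
        done += (size_t)n;
    }

    /* close() can fail too (for example on some network file systems). */
    if (close(fd) < 0) {
        *err = errno;
        return WR_CLOSE_FAILED;
    }
    return WR_OK;
}

int main(void)
{
    const char *path = "/tmp/cis4615_private_file_example.txt"; /* constructed path */
    int err = 0;
    enum write_status s = write_private_file(path, "secret\n", 7, &err);
    printf("first attempt: status %d, errno %d (%s)\n", (int)s, err, strerror(err));
    s = write_private_file(path, "secret\n", 7, &err);
    printf("second attempt: status %d, errno %d (%s)\n", (int)s, err, strerror(err));
    unlink(path);
    return 0;
}
```

The second attempt in main is expected to fail with WR_EXISTS; that failure is the desired behavior, and ignoring it (or "fixing" it by deleting and recreating the file) would reopen the race.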
Cryptography applications use encryption techniques to secure information or for authentication and integrity checking. It is important to know the pitfalls associated with writing your own cryptographic routines and protocols (don't: you'll probably fail to make them secure). It is also important to understand the ways in which cryptographic protocols and algorithms should be used, so that proven routines are used securely.
UMLSec is an extension of the Unified Modeling Language (UML) for recording requirements related to security. The book describing UMLSec is available at Springer's website. (From the preceding link, click on the button "Read this book on SpringerLink", and you should be able to read the book, assuming you are on the UCF network or the VPN.)
Java security refers to writing secure code in the object-oriented Java programming language, especially when it comes to using Java applets and networking features.
Reverse engineering generically refers to understanding the design of some engineered artifact, such as a program, by examination of the finished product. In this course we specifically mean what is also called malware analysis; that is, using various techniques to understand what some piece of malware does.
Motivation for the Course Objectives
Cyber attacks are frequently in the news. Businesses and governments are often being hacked and vital information stolen. People are robbed and their identities are stolen over the internet. Because so much important information is stored in computer systems, and because so much modern physical infrastructure (such as cars, water supplies, and power grids) is being (or will be) controlled by computer systems, cyber security affects our daily lives.
As a software developer or a manager of software developers, you need to know how to build software so that it is robust and secure. Following secure software development practices will help make the world's software more secure and trustworthy, and in particular will give your customers a more reliable product. While these practices will not eliminate security problems, they will make the problem of breaking your software harder and more expensive, which will reduce your company's risks and the risks undertaken by your customers.
To know if these practices are being successful and to make them objective, you need to know how to analyze software so that security problems can be detected; thus you need to understand both static and dynamic analysis techniques. The flip side of this secure software development is reverse engineering, which seeks to understand how software works, in order to determine if it is malicious (malware).
Motivation for the Course Plan
Broadly speaking, the technical skills and knowledge needed to accomplish the course objectives are skills related to secure software engineering and reverse engineering. After giving some high level background on attacks and security problems in general, we will start with secure software engineering and how to test software. That is, we will start with a high-level view of the subject, and proceed to the lower-level skills of reverse engineering, which are aided by static analysis and dynamic analysis.
This offering of the course should cover the following knowledge units from the NSA's Academic Requirements for Designation as a Center of Academic Excellence in Cyber Operations: Vulnerabilities, Secure Software Development, Software Security Analysis, and Software Reverse Engineering.
Course Learning Objectives
The objectives for this course are divided into two parts: a set of essential objectives, and a set of enrichment objectives. The essential objectives will be helpful for your career as a computer scientist or software engineer; hence they lead to the course's essential outcomes that we want to help you master. The enrichment objectives are less important for the course, but lead to enrichment outcomes that you are encouraged to explore both for their own sake and because learning more about those will help deepen your understanding of the essential objectives.
This course's objectives are linked to the computer science program's learning objectives (in references that look like this: [CSObj2]).
Essential Objectives
In one sentence, the course's main learning objective is that you will be able to implement software that is resilient to attack, to use analysis techniques to demonstrate that your software is actually resilient to attack, and to accurately identify attacks in the form of binary (or compiled) programs. In more detail, the objectives for this course are that you will be able to:
- [SecurelyImplement] Implement a software component so that it correctly implements a specification and is not subject to known attacks that would compromise its security [CSObj1] [ITObj1].
- [Analyze] Use tools and other means to analyze software to prevent or demonstrate security problems [CSObj1] [ITObj1].
- [ReverseEngineer] Explain the functionality of unknown software, including obfuscated malware [CSObj1] [ITObj1].
Enrichment Objectives
Enrichment objectives could be multiplied without limit, but the following seem important enough to warrant discussion.
The course's enrichment objectives are that you will be able to:
- [SoftwareEng] Explain how management can encourage/reward secure software engineering practices [CSObj1].
- [Research] Explore new avenues in secure software development and assurance [CSObj2] [ITObj3].
Course Learning Outcomes
This course's learning outcomes are divided into two parts: a set of essential outcomes, and a set of enrichment outcomes. The essential outcomes are designed to support this course's essential learning objectives, and thus to be helpful for your career as a computer scientist or software engineer; hence we want to help you to master them. They also form the basis for grading and assessment of your learning. The enrichment outcomes are not used directly for assessment. However, you are encouraged to explore topics related to the enrichment outcomes both for their own sake and because learning more about those will help your performance relative to the essential outcomes.
The course's outcomes are linked to the course's objectives and to the computer science program's outcomes. The links to this course's objectives are shown in references that look like this: [SecurelyImplement]. The links to the computer science program's learning outcomes are shown in references that look like this: [CSITOut13].
Essential Outcomes
In one sentence, the course's main learning outcome is that you will be able to use current tools and techniques to correctly and securely implement software, show that existing source code is correct or demonstrate its vulnerabilities, and to understand and explain the functionality of unknown software. These outcomes are linked to the objectives above.
In more detail the outcomes for this course are that you will be able to:
- [SecurelyConstruct] Explain how to specify program behavior, what well-known vulnerabilities are in software that affect security, and how they manifest themselves, and demonstrate how to construct software that is free of such vulnerabilities [SecurelyImplement] [CSITOut2] [CSITOut9] [CSITOut10] [CSOut11] [ITOut11].
- [Validate] Use tools to check existing source code for functional correctness and for the absence of security vulnerabilities [Analyze] [CSITOut1] [CSITOut3] [CSITOut9].
- [Reversing] Use tools to explain the functionality of unknown code in binary form [ReverseEngineer] [CSITOut1] [CSITOut9].
Other conditions: You will be permitted to use your own textbook and course notes for all graded quizzes, homework, and exams (and assessment).
An assessment plan for these outcomes is also available.
Enrichment Outcomes
Enrichment outcomes could be multiplied without limit, but the following seem important enough to warrant discussion.
The course's enrichment outcomes are that you will be able to:
- [Modeling] Explain the various kinds of threats that may affect the security of computer systems [SecurelyImplement] [Analyze] [CSITOut2].
- [Architect] Explain the risks to a computer system and plan for their mitigation [SecurelyImplement] [CSITOut1] [CSOut10] [ITOut10].
- [Cryptography] Explain proper and improper uses of cryptography [SecurelyImplement] [Analyze] [CSITOut1].
- [LegalEthical] Explain the legal and ethical issues surrounding security issues, designs, and decisions [SecurelyImplement] [Analyze] [ReverseEngineer] [CSITOut5].
- [DevelopTools] Develop tools (or tool integrations) that aid in reverse engineering or secure software development [SecurelyImplement] [ReverseEngineer] [CSITOut1] [CSITOut9].
- [Writing] Write clear reports about security issues or the behaviors seen in malware [ReverseEngineer] [CSITOut6].
Prerequisites
The formal prerequisite in the University of Central Florida catalog is successful completion of one course from each of the following sets:
- COP 4600 (Operating Systems) or CGS 3763 (Operating System Concepts), and
- CIS 3360 (Security in Computing) or CIS 3362 (Cryptography and Information Security).
Understanding basic operating system concepts is essential for understanding attacks and how to prevent them in writing software.
From CIS 3360 and CIS 3362 we will assume knowledge of numeric formats, basics of cryptography, and basics of computer architecture and networking.
See the professor if you have questions about the prerequisites.
Acknowledgments
Many thanks to Curtis Clifton for his initial work on the HTML for these web pages, which I have adapted from another course, and his style sheets, which I have also adapted. Thanks to Steve Shaner for getting me to use an RSS feed for these web pages, and thanks to Evagoras Charalambous for the XSL style sheet and style sheet for showing such RSS feeds as a web page.
I thank the many people I have talked to over the years about computer security, including Golden Richard, Ratan Guha, and David Naumann.
Last modified Sunday, September 27, 2015.
This web page is for CIS 4615 at the University of Central Florida. The details of this course are subject to change as experience dictates. You will be informed of any changes. Please direct any comments or questions to Gary T. Leavens at leavens@eecs.ucf.edu. Some of the policies and web pages for this course are quoted or adapted from other courses I have taught, in particular, Com S 342 and COP4020.