Facebook group for this module
Continuous assessment marks
The first class test counts for 40% of the continuous assessment mark and the second class test counts for 50%. The Peerwise marks (basic and bonus) count for 10% each. The continuous assessment mark is capped at 100%.
Marks for continuous assessment
Marks for the first class test: it counts for 40% of the continuous assessment mark.
Marks for the second class test: it counts for 50% of the continuous assessment mark.
Schedule of lectures
9.1. Intro to module and peerwise
12.1. Saltzer and Schroeder security principles
16.1. Intro to command injection
19.1. SQLCIA variants
23.1. command injection defences: why parametrized statements
26.1. command injection and trees; XML injection
30.1. DoS attacks and regular expression matching
2.2. Regular expressions and regular expression DoS (ReDoS)
6.2. Class test 1
9.2. buffer overflow intro: C vs memory-safe languages
13.2. structure of the call stack
16.2. smashing the stack: canaries
20.2. format string attacks
23.2. heap buffer overflow; memory manager and arbitrary pointer assignment
27.2. arbitrary code execution
1.3. non-executable stack (W^X) versus return-oriented programming
5.3. resources, control flow, and TOCTOU
8.3. static analysis for security
12.3. Class test 2
15.3. Java security and stack inspection
Peerwise
Please sign up for this module on Peerwise immediately; it only takes a few minutes.
10% of the continuous assessment mark will be given for participation in Peerwise. See the instructions for students on that page.
To gain points, you must write at least one multiple-choice question on a topic covered in the module, and answer at least three other questions.
Another 10% of the mark may be given as discretionary bonus points. The bonus marks may be awarded for active participation (e.g. leaderboard status), but in particular for writing insightful questions.
The more questions you create, answer, comment on, etc., the more you will learn and the more you will help other students on the module. If a fair number of students contribute good questions, there will be plenty of revision material for everyone before the exams. You may also enjoy winning badges and trying to get on the leaderboard.
You need to register on the Peerwise server.
- The course ID for this module is 5883.
- Your "identifier" on Peerwise is the same as your Bham student ID number.
- You can choose any username and password when registering.
- Please tag your questions with appropriate topics, so that others can find them more easily.
Required and further reading
This course will mostly rely on links to required and further reading available on the Web rather than on books.
I have tried to read and evaluate textbooks relevant for this module, and have made a list of the most relevant books on secure programming.
Course overview
- Secure Programming (module code 20010) is one of the core modules for our MSc in Computer Security.
- The course introduces and explains the main classes of attacks on software and how to defend against them with secure programming techniques, best practices and tools.
- Sample examination paper for Secure Programming converted to XHTML.
- Another sample exam paper for Secure Programming, scanned in.
Pre- and corequisites of this course
As this is an advanced MSc course, it assumes some Computer Science background. The Computer Security module is relevant, but not a strict prerequisite.