Fall 2016 (Section 1, 74503; Section EX81, 75130) - 3 credit hours
JMU CS531 - Secure Programming
Syllabus


Description: A computer program is a set of instructions that a computer can execute. Programming is the process of creating a computer program. Unfortunately, computer programs often contain faults that lead the program to fail. Some such failures occur under normal operating conditions and are considered reliability issues. Other such failures occur when the program is attacked and are considered security issues. This course considers various kinds of faults that make computer programs vulnerable to attack and how they can be prevented, detected, and removed.
Textbook: Readings for this course will come from the following sources, all of which are available on-line to members of the JMU community through Safari Books using the JMU VPN or proxy server.

Flanagan, D. (2011) JavaScript: The Definitive Guide, O'Reilly Media, Cambridge, MA.

Henick, B. (2010) HTML and CSS: The Good Parts, O'Reilly Media, Cambridge, MA.

Oaks, S. (2001) Java Security, O'Reilly Media, Cambridge, MA.

Pauli, J. (2013) The Basics of Web Hacking, Syngress, Boston.

Seacord, R.C. (2013) Secure Coding in C and C++, Addison-Wesley, Upper Saddle River, NJ.

Tatroe, K., P. MacIntyre and R. Lerdorf (2013) Programming PHP, O'Reilly Media, Cambridge, MA.

Outline: This course is organized as follows, though specific topics and dates may change. The reading for each meeting is listed in brackets at the end of its entry; letters refer to the textbooks above by the author's initial (H = Henick, F = Flanagan, T, M & L = Tatroe, MacIntyre and Lerdorf, P = Pauli, S = Seacord, O = Oaks) and numbers to chapters of that book.
Part I: Introduction and Background
8/29: Introduction, About the Course, and Software Security
Part II: Secure Programming for the WWW
8/31: HTML and CSS [Reading: H]
9/5-9/7: JavaScript Basics and JavaScript Client-Side Programming [Reading: F]
9/12-9/14: PHP Basics, HTTP, PHP Server-Side Programming, and XML and JavaScript Communications [Reading: T, M & L]
9/19-9/21: XSS Vulnerabilities, XSRF Vulnerabilities, and Other Vulnerabilities [Reading: P ch. 6]
9/26-9/28: Work on the Project
Part III: Secure Programming in C
10/3-10/5: A Brief History of C/C++, Properties of C, Scope/Duration/Linkage, C Calling Convention, and Character Encodings [Reading: Learn/Review C]
10/10: C Variadic Functions, C I/O, and C Formatted Output Vulnerabilities [Reading: S ch. 6]
10/12: No Lecture
10/17-10/19: C String and Buffer Overflow Vulnerabilities [Reading: S ch. 2]
10/24: C Memory Allocation, C Memory Management Vulnerabilities, and C Integer Vulnerabilities [Reading: S ch. 4 and ch. 5]
10/26-11/2: Work on the Project
Part IV: Secure Programming in Java
11/7: Java: Basics, Exceptions, Serialization, and Reflection [Reading: Learn/Review Java]
11/9: Design Patterns: Decorator, Command, Factory Method, and Proxy
11/14: Class Loaders, An Example Class Loader, and The Java Security Architecture [Reading: O ch. 3 and ch. 6]
11/16: Specification and Enforcement [Reading: O ch. 5 and ch. 4]
11/28: Deployment and Object Security [Reading: O ch. 7 and ch. 9]
11/30: Vulnerabilities and Mitigations
Part V: Some Language/Platform-Independent Topics
12/5: Command/SQL Injection Vulnerabilities, Error/Exception Handling Vulnerabilities, Information Leakage Vulnerabilities, and User Interface Vulnerabilities [Reading: P ch. 4]
12/7: No Lecture

Attendance at lectures is not mandatory but is strongly encouraged. You are expected to come to class prepared to ask and answer questions. Hence, you should complete the readings on a topic before it is discussed in lecture.

Grading: Final grades will be based on your performance on: 2 projects (30% each) and several programming assignments (40% total).
Programming Assignments: Eight programming assignments will be assigned during the semester. Note that their due dates are subject to change.
Programming Assignment 1 ; Due: 9/5, 2:00PM EST (HTML and CSS)
Programming Assignment 2 ; Due: 9/12, 2:00PM EST (Client-Side Programming in JavaScript)
Programming Assignment 3 ; Due: 9/19, 2:00PM EST (extended to 9/20, 11:59PM) (Server-Side Programming in PHP)
Programming Assignment 4 ; Due: 9/26, 11:59PM EST (Secure Programming for the WWW)
Programming Assignment 5 ; Due: 10/24, 11:59PM EST (Gaining a Deeper Understanding of C)
Programming Assignment 6 ; Due: 10/31, 11:59PM EST (Secure Programming in C)
Programming Assignment 7 ; Due: 12/5, 11:59PM EST (Java Programming)
Programming Assignment 8 ; Due: 12/12, 11:59PM EST (Secure Programming in Java)

Make sure you read and understand all of the policies related to programming assignments.

Projects: You must complete two projects during the semester, both of which will involve the construction of (hopefully) secure code and the review of the code written by your fellow students. For the WWW programming project, the code is due on 10/10 and the peer reviews are due on 10/17. For the C programming project, the code is due on 11/14 and the peer reviews are due on 11/18 (but you may submit them on 11/21, the Monday of the Thanksgiving break, with no penalty).
Office Hours: You may meet with Prof. Bernstein during his scheduled office hours or you may schedule an appointment with him.

Copyright 2019