Modules

A draft of the lecture slides for each module will be made available the evening before the module begins. The final version of the lecture slides will be made available after the module is completed and replaces the draft. Use of the draft is at your own risk!

Readings marked as mandatory contain required material for the course, and must be read before the date of the corresponding lecture.

Module - Introduction to Software and System Security

Resources: slides.pdf
Sep 05: Lecture: Course logistics; Lecture: Basis concepts in security; Textbook Pfleeger et al. chapters 1.1 - 1.8; Textbook van Oorschot chapters 1.1 - 1.4, 1.6; Optional reading The 10 privacy principles of PIPEDA; Optional reading A terminology for talking about privacy; Optional reading Federal privacy reform in Canada: The Consumer Privacy Protection Act; Optional reading Modernizing Canada’s Privacy Act; Optional reading Microsoft’s report on Russian Cyberattacks in Ukraine; Optional reading Social Security Employees in Illinois Sentenced in Federal Court on Charges Including Bribery and Identity Theft

Module - Program Security

Resources: slides.pdf
Sep 10: Lecture: Flaws and failures; Textbook Pfleeger et al. chapters 3.1; Textbook van Oorschot chapters 6.3 - 6.8; Mandatory reading before class Smashing The Stack For Fun And Profit; Optional reading On the Evolution of Buffer Overflows; Optional reading Exploiting Format String Vulnerabilities; Optional reading Example format string vulnerabilities (November 2011); Optional reading Example format string vulnerabilities (May 2012); Optional reading A Taxonomy of Computer Program Security Flaws, with Examples
Sep 12: Lecture: Unintentional Security flaws and malicious code; Textbook van Oorschot chapters 6.1, 6.5 - 6.8; Optional reading Exploiting Format String Vulnerabilities; Optional reading Example format string vulnerabilities (November 2011); Optional reading Example format string vulnerabilities (May 2012)
Sep 17: Lecture: Defenses against security flaws; Textbook Pfleeger et al. chapters 3.2; Textbook van Oorschot chapters 7.5 - 7.9; Mandatory reading before class Reflections on Trusting Trust; Optional reading US Federal Student Aid website has a Facebook web bug; Optional reading Linux Kernel “Back Door” Attempt; Optional reading The backdooring of SquirrelMail; Optional reading Clickjacking attack (Interface illusion); Optional reading MITM Malware Re-Writes Online Bank Statements
Sep 19: Lecture: Defenses against security flaws (continued); Textbook Pfleeger et al. chapters 3.3; Textbook van Oorschot chapters 1.7, 6.9; Optional reading An operating system kernel with a formal proof of security; Optional reading Bugs in open source software: #gotofail; Optional reading Bugs in open source software: Heartbleed

Module - Operating System Security

Resources: slides.pdf
Sep 24: Lecture: Protecting OSes and access control; Textbook Pfleeger et al. chapters 5.1; Textbook van Oorschot chapters 5.1 - 5.2; Optional reading Android permissions demystified; Optional reading Google launches its third major operating system, Fuchsia
Sep 26: Lecture: User authentication; Textbook Pfleeger et al. chapters 5.1; Textbook van Oorschot chapters 5.1 - 5.2; Optional reading Breaking SMS-based two-factor authentication: Attacking the cellular network; Optional reading Breaking SMS-based two-factor authentication: Android malware for stealing SMS messages; Optional reading Passphrases that you can memorize — But that even the NSA can’t guess; Optional reading The top 50 woeful passwords exposed by the Adobe security breach; Optional reading Password Security: A Case History; Optional reading Facebook’s password hashing scheme; Optional reading LinkedIn Revisited - Full 2012 Hash Dump Analysis; Optional reading Anatomy of a password disaster - Adobe’s giant-sized cryptographic blunder; Optional reading Largest password data breach in history has been leaked online
Oct 01: Lecture: Security policies and trusted OSes; Textbook Pfleeger et al. chapters 5.2; Textbook van Oorschot chapters 3.5; Optional reading ‘Fake fingerprint’ Chinese woman fools Japan controls; Optional reading Politician’s fingerprint ‘cloned from photos’ by hacker; Optional reading Vietnamese security firm: Your face is easy to fake; Optional reading Android facial recognition based unlocking can be fooled with photo; Optional reading Breaking Windows Hello Face Authentication; Optional reading Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners; Optional reading Border Drones with Facial Recognition
Oct 03: Lecture: Security policies and trusted OSes (continued); Textbook Pfleeger et al. chapters 5.2; Textbook van Oorschot chapters 1.7; Mandatory reading before class The Protection of Information in Computer Systems, section I.A.; Optional reading The Security Principles of Saltzer and Schroeder, illlustrated with scenes from Star Wars; Optional reading Reliably Erasing Data From Flash-Based Solid State Drives; Optional reading SELinux

Module - Mobile Security

Resources: slides.pdf
Oct 08: Lecture: Mobile security ecosystem
Oct 10: Lecture: Mobile application security

Module - Common Bugs and Vulnerabilities

Oct 22

Lecture: Memory errors

Oct 24

Lecture: Other typical bug types

Optional Reading: extra-1-more-bugs.pdf; extra-2-weird-machine.pdf

Module - Bug Finding Tools and Practices

Oct 29: Lecture: Fuzz testing
Oct 31: Lecture: Static and symbolic reasoning

Module - Defenses against Common Vulnerabilities

Nov 05: Lecture: Runtime sanity checks
Nov 07: Lecture: Moving-target defense

Module - Secure System Design Principles

Nov 12: Lecture: Compartmentalization / sandboxing
Nov 14: Lecture: Authentication and capabilities

Module - Hardware Security

Nov 19: Lecture: Hardware security accelerators
Nov 21: Lecture: Side channel attacks and defenses

Module - Non-techincal Aspects in Security

Nov 26: Lecture: Ethical and legal issues; Lecture: Administering security
Nov 28: Lecture: A brief introduction on blockchains