Modules

A draft of the lecture slides for each module will be made available the evening before the module begins. The final version of the lecture slides will be made available after the module is completed and replaces the draft. Use of the draft is at your own risk!

Readings marked as mandatory contain required material for the course, and must be read before the date of the corresponding lecture.

Module - Introduction to Software and System Security

Resources: slides.pdf
Jan 09: Lecture: Course logistics; Lecture: Basis concepts in security; Textbook Pfleeger et al. chapters 1.1 - 1.8; Textbook van Oorschot chapters 1.1 - 1.4, 1.6; Optional reading The 10 privacy principles of PIPEDA; Optional reading A terminology for talking about privacy; Optional reading Federal privacy reform in Canada: The Consumer Privacy Protection Act; Optional reading Modernizing Canada’s Privacy Act; Optional reading Microsoft’s report on Russian Cyberattacks in Ukraine; Optional reading Social Security Employees in Illinois Sentenced in Federal Court on Charges Including Bribery and Identity Theft

Module - Program Security

Resources: slides.pdf
Jan 11: Lecture: Flaws and failures; Textbook Pfleeger et al. chapters 3.1; Textbook van Oorschot chapters 6.1 - 6.8; Mandatory reading before class Smashing The Stack For Fun And Profit; Optional reading On the Evolution of Buffer Overflows; Optional reading Exploiting Format String Vulnerabilities; Optional reading Example format string vulnerabilities (November 2011); Optional reading Example format string vulnerabilities (May 2012); Optional reading A Taxonomy of Computer Program Security Flaws, with Examples
Jan 16: Lecture: Unintentional Security flaws and malicious code; Textbook Pfleeger et al. chapters 3.2; Textbook van Oorschot chapters 7.1 - 7.4; Optional reading Morris worm; Optional reading The Spread of the Sapphire/Slammer Worm; Optional reading Slammed!; Optional reading Technical analysis of client identification mechanisms
Jan 18: Lecture: Defenses against security flaws; Textbook Pfleeger et al. chapters 3.2; Textbook van Oorschot chapters 7.5 - 7.9; Mandatory reading before class Reflections on Trusting Trust; Optional reading US Federal Student Aid website has a Facebook web bug; Optional reading Linux Kernel “Back Door” Attempt; Optional reading The backdooring of SquirrelMail; Optional reading Clickjacking attack (Interface illusion); Optional reading MITM Malware Re-Writes Online Bank Statements
Jan 23: Lecture: Defenses against security flaws (continued); Textbook Pfleeger et al. chapters 3.3; Textbook van Oorschot chapters 1.7, 6.9; Optional reading An operating system kernel with a formal proof of security; Optional reading Bugs in open source software: #gotofail; Optional reading Bugs in open source software: Heartbleed

Module - Operating System Security

Resources: slides.pdf
Jan 25: Lecture: Protecting OSes and access control; Textbook Pfleeger et al. chapters 5.1; Textbook van Oorschot chapters 5.1 - 5.2; Optional reading Android permissions demystified; Optional reading Google launches its third major operating system, Fuchsia
Jan 30: Lecture: User authentication; Textbook Pfleeger et al. chapters 5.1; Textbook van Oorschot chapters 5.1 - 5.2; Optional reading Breaking SMS-based two-factor authentication: Attacking the cellular network; Optional reading Breaking SMS-based two-factor authentication: Android malware for stealing SMS messages; Optional reading Passphrases that you can memorize — But that even the NSA can’t guess; Optional reading The top 50 woeful passwords exposed by the Adobe security breach; Optional reading Password Security: A Case History; Optional reading Facebook’s password hashing scheme; Optional reading LinkedIn Revisited - Full 2012 Hash Dump Analysis; Optional reading Anatomy of a password disaster - Adobe’s giant-sized cryptographic blunder; Optional reading Largest password data breach in history has been leaked online
Feb 01: Lecture: Security policies and trusted OSes; Textbook Pfleeger et al. chapters 5.2; Textbook van Oorschot chapters 3.5; Optional reading ‘Fake fingerprint’ Chinese woman fools Japan controls; Optional reading Politician’s fingerprint ‘cloned from photos’ by hacker; Optional reading Vietnamese security firm: Your face is easy to fake; Optional reading Android facial recognition based unlocking can be fooled with photo; Optional reading Breaking Windows Hello Face Authentication; Optional reading Reverse-Engineered Irises Look So Real, They Fool Eye-Scanners; Optional reading Border Drones with Facial Recognition
Feb 06: Lecture: Security policies and trusted OSes (continued); Textbook Pfleeger et al. chapters 5.2; Textbook van Oorschot chapters 1.7; Mandatory reading before class The Protection of Information in Computer Systems, section I.A.; Optional reading The Security Principles of Saltzer and Schroeder, illlustrated with scenes from Star Wars; Optional reading Reliably Erasing Data From Flash-Based Solid State Drives; Optional reading SELinux

Module - Mobile Security

Resources: slides.pdf
Feb 08: Lecture: Mobile security ecosystem
Feb 13: Lecture: Mobile application security
Feb 15: Lecture: Advanced topics in Android security

Module - Non-techincal Aspects in Security

Feb 27: Lecture: Ethical and legal issues; Lecture: Administering security
Feb 29: Lecture: A brief introduction on blockchains

Module - Common Bugs and Vulnerabilities

Mar 05: Lecture: Memory errors and data races
Mar 07: Lecture: Other typical bug types

Module - Bug Finding Tools and Practices

Mar 12: Lecture: Fuzz testing
Mar 14: Lecture: Static and symbolic reasoning

Module - Defenses against Common Vulnerabilities

Mar 19: Lecture: Runtime sanity checks
Mar 21: Lecture: Moving-target defense
Mar 26: Lecture: Compartmentalization / sandboxing
Mar 28: Lecture: Authentication and capabilities

Module - Hardware Security

Apr 02: Lecture: Hardware security accelerators
Apr 04: Lecture: Side channel attacks and defenses