Secure Programming (CIS-3720) Home Page

This is the home page for Peter Chapin's Secure Programming course notes for the Fall 2019 semester. Here you will find electronic versions of class handouts, homework assignments, lecture slides, and links to other references of interest. If you are a student taking Secure Programming you should bookmark this page.

• The course syllabus gives an overview of the course and its content, lists course resources, and describes the grading policy and related issues.
• The official course outline: CIS-3720.
• The homework submission area and gradebook are on Canvas. All other course resources are here.
• I've prepared some general information on submitting assignments.
• My home page contains other resources of potential interest.

Lecture Topics

Lectures will be done over Zoom at URL https://zoom.us/j/686783159. You do not need a Zoom account to participate. The list below shows the topics covered in each lecture. You can use this information to guide your study or to get an idea about what was covered in any missed lectures. All lectures will be recorded with links to the recordings added to the list below. It may take up to one business day for the link to appear. If no link appears after that, don't hesitate to contact me.

• 2019-08-27. Introduction to the course and overview of some basic concepts in secure programming.
• 2019-08-29. Overview of C language error types as defined by the C standard. Introduction to IntelliJ and Homework #1.
• 2019-09-03. Discussed the first input validation example (reading an integer age). Introduced regular expressions.
• 2019-09-05. Discussed the GPS input validation sample in both Java and, for illustration purposes only, C++.
• 2019-09-10. Presented Homework #2. Discussed the use of assertions in C and Java.
• 2019-09-12. Described taint mode in Perl. Introduced the general topic of secure information flow.
• 2019-09-17. Discussed secure information flow in general terms.
• 2019-09-19. Discussed an example of a Java information flow analysis tool: Jif.
• 2019-09-24. Described and demonstrated the SpotBugs tool for statically analyzing Java code.
• 2019-09-26. Described and demonstrated the Splint tool for statically analyzing C code.
• 2019-10-01. Demonstrated Ada and SPARK, showing how the language and tools can improve the security of programs.
• 2019-10-03. Introduced using cryptography in Java programs by demonstrating a program that does AES encryption and decryption.
• 2019-10-08. Discussed some basic concepts in cryptography.
• 2019-10-10. Finished discussing basic issues in cryptography. Introduced Obscura.
• 2019-10-22. Described the Obscura project infrastructure.
• 2019-10-24. Described the basic OpenPGP example and its format. Described the skeleton architecture of Obscura.
• 2019-10-29. Described the skeleton code for Homework #4, an incremental enhancement to the Obscura code base.
• 2019-10-31. Finalized the description of the skeleton code. I made some changes to the organization of the code base since the last lecture. Homework #4 is now ready.
• 2019-11-05. Introduced buffer overflow attacks.
• 2019-11-07. More detail on buffer overflow attacks. Demonstrated a stack smashing program.
• 2019-11-12. Demonstration of a C program that uses the OpenSSL crypto library. Introduced the "safer" C library.
• 2019-11-14. CWE catch up (short).
• 2019-11-19. Discussed POSIX ACLs and introduced how to read them in a C program.
• 2019-11-21. Discussed Homework #5.
• 2019-12-03. Introduced how to make a basic HTTP request using C (without TLS).
• 2019-12-05. Introduced how to make a basic HTTP request using C with TLS (and the OpenSSL library).
• 2019-12-10. No class.
• 2019-12-12. Discussion about final exam.

Slides

• Introduction
• C Language Behaviors
• Secure Information Flow
• Analysis Tools
• Symmetric Cryptography
• Cryptography
• Buffer Overflow Attacks.

Homework

1. Homework #1. Development Tools Due: 2019-09-05.
2. Homework #2. Input Validation Due: 2019-09-19
3. Homework #3. Analysis Tools Due: 2019-10-04
4. Homework #4. Obscura Due: 2019-11-08
5. Homework #5. Access Control Lists Due: 2019-12-06

Samples

1. InputValidation.java. This sample shows how one can do some basic input validation for integer inputs.
2. Another input validation example using GPS coordinates. Java: (GPS.java, InputGPS.java), C++: (GPS.hpp, GPS.cpp)
3. The file taint_demo.pl is a Perl script that illustrates the operation of taint mode. Create a file iHello.txt in your working folder containing a few lines of text, and run the script both without and with the -T command line option. Enter a base file name of Hello.txt into the program. Does it create the output file oHello.txt?
4. The archive SPARK-buffers.zip contains an Ada/SPARK package that implements fixed length character buffers. It demonstrates some of the features that protect Ada programs from security vulnerabilities.
5. EncryptDecrypt.java. This sample illustrates the basics of doing simple encryption and decryption with the javax.crypto API.
6. The Obscura GitHub site. This program is a Java implementation of the OpenPGP standard.
7. A zip archive of a stack smashing program that illustrates one way of executing a buffer overflow attack. Aleph One's original paper Smashing the Stack for Fun and Profit is also a good read (comfort with assembly language required).
8. acl_demo.c. This sample shows how to read POSIX access control lists.
9. webclient.c. This sample shows how to send a basic GET request to a web server without any encryption being used.
10. webclient-TLS.c. This sample is similar in effect to the previous space except that it uses the OpenSSL library to create a TLS connection with the server.

CWEs

• 2019-08-27. CWE-197: Numeric Truncation Error
• 2019-08-29. CWE-839: Numeric Range Comparison Without Minimum Check
• 2019-09-03. CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
• 2019-09-05. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
• 2019-09-10. CWE-793: Only Filtering One Instance of a Special Element
• 2019-09-12. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• 2019-09-17. CWE-252: Unchecked Return Value
• 2019-09-19. CWE-248: Uncaught Execption
• 2019-09-24. CWE-200: Information Exposure
• 2019-09-26. CWE-190: Integer Overflow or Wraparound
• 2019-10-01. CWE-476: NULL Pointer Dereference
• 2019-10-03. CWE-798: Use of Hard-coded Credentials
• 2019-10-08. CWE-125: Out-of-bounds Read
• 2019-10-10. CWE-787: Out-of-bounds Write
• 2019-10-15. CWE-732: Incorrect Permission Assignment for a Critical Resource
• 2019-10-17. CWE-502: Deserialization of Untrusted Data
• 2019-10-22. CWE-434: Unrestircted of File with Dangerous Type
• 2019-10-24. CWE-295: Improper Certificate Validation
• 2019-10-29. CWE-426: Untrusted Search Path
• 2019-10-31. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• 2019-11-05. CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
• 2019-11-07. CWE-94: Improper Control of Generation of Code
• 2019-11-12. CWE-400: Uncontrolled Resource Consumption
• 2019-11-14. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• 2019-11-19. ?
• 2019-11-21. ?
• 2019-12-03. ?
• 2019-12-05. ?
• 2019-12-10. ?
• 2019-12-12. ?

Resources/Articles

• Common Vulnerabilities and Exposures (CVE) website. CVEs are specific vulnerabilities in publicly released software.
• Common Weakness Enumeration (CWE) web site. CWEs are vulnerability types. Many pieces of software might suffer from the same vulnerability type.
• Java 11 Documentation
• The Java API documentation for class Pattern documents the regular expression language used by the JDK library.
• The Java assert statement.
• Documentation on Perl's taint mode. This is used to dynamically check for various input validation and output integrity concerns.
• Information Flow is a general concept that encompases input validation as well as other things.
• Jif is an extended version of Java that supports secure information flow labels. It is a research project at Cornell University.
• SpotBugs is a tool for statically finding errors in Java programs. It is the successor of the older FindBugs tool.
• Splint is a tool for statically finding errors and security issues in C programs.
• Improving Security Using Extensible Lightweight Static Analysis by Evans and Larochelle is a paper about using Splint to address security vulnerabilities in C programs.
• Information on CWEs detected by AdaCore's CodePeer and SPARK tools.
• Wikipedia's page on Block Cipher Modes of Operation has some nice diagram showing various encryption modes.
• Java Security Developer's Guide
• API Documentation for package javax.crypto.
• The OpenPGP file format is described in RFC-4880.
• GnuPG is an open source program that implements the OpenPGP format. Gpg4win is a Windows version of GnuPG along with a GUI wrapper program.
• A document describing the basics of using Git.

Last Revised: 2019-12-30
© Copyright 2019 by Peter C. Chapin <pchapin@vtc.edu>