Secure Programming (CIS-3720) Home Page
This is the home page for Peter Chapin's Secure Programming course notes for the Fall
2019 semester. Here you will find electronic versions of class handouts, homework
assignments, lecture slides, and links to other references of interest. If you are a student
taking Secure Programming you should bookmark this page.
- The course syllabus gives an overview of the course
and its content, lists course resources, and describes the grading policy and related
issues.
- The official course outline: CIS-3720.
- The homework submission area and gradebook are on Canvas. All other course resources are
here.
- I've prepared some general information on submitting
assignments.
- My home page contains other resources of potential
interest.
Lecture Topics
Lectures will be done over Zoom at URL https://zoom.us/j/686783159. You do not need a Zoom
account to participate. The list below shows the topics covered in each lecture. You can use
this information to guide your study or to get an idea about what was covered in any missed
lectures. All lectures will be recorded with links to the recordings added to the list
below. It may take up to one business day for the link to appear. If no link appears after
that, don't hesitate to contact me.
- 2019-08-27. Introduction to the course and overview of some basic concepts in secure
programming.
- 2019-08-29. Overview of C language error types as defined by the C standard.
Introduction to IntelliJ and Homework #1.
- 2019-09-03. Discussed the first input validation example (reading an integer age).
Introduced regular expressions.
- 2019-09-05. Discussed the GPS input validation sample in both Java and, for
illustration purposes only, C++.
- 2019-09-10. Presented Homework #2. Discussed the use of
assertions in C and Java.
- 2019-09-12. Described taint mode in Perl. Introduced the general topic of secure
information flow.
- 2019-09-17. Discussed secure information flow in general terms.
- 2019-09-19. Discussed an example of a Java information flow analysis tool: Jif.
- 2019-09-24. Described and demonstrated the SpotBugs tool for statically analyzing Java
code.
- 2019-09-26. Described and demonstrated the Splint tool for statically analyzing C
code.
- 2019-10-01. Demonstrated Ada and SPARK, showing how the language and tools can improve
the security of programs.
- 2019-10-03. Introduced using cryptography in Java programs by demonstrating a program
that does AES encryption and decryption.
- 2019-10-08. Discussed some basic concepts in cryptography.
- 2019-10-10. Finished discussing basic issues in cryptography. Introduced Obscura.
- 2019-10-22. Described the Obscura project infrastructure.
- 2019-10-24. Described the basic OpenPGP example and its format. Described the skeleton
architecture of Obscura.
- 2019-10-29. Described the skeleton code for Homework
#4, an incremental enhancement to the Obscura code base.
- 2019-10-31. Finalized the description of the skeleton code. I made some changes to the
organization of the code base since the last lecture. Homework #4 is now ready.
- 2019-11-05. Introduced buffer overflow attacks.
- 2019-11-07. More detail on buffer overflow attacks. Demonstrated a stack smashing
program.
- 2019-11-12. Demonstration of a C program that uses the OpenSSL crypto library.
Introduced the "safer" C library.
- 2019-11-14. CWE catch up (short).
- 2019-11-19. Discussed POSIX ACLs and introduced how to read them in a C program.
- 2019-11-21. Discussed Homework #5.
- 2019-12-03. Introduced how to make a basic HTTP request using C (without TLS).
- 2019-12-05. Introduced how to make a basic HTTP request using C with TLS (and the
OpenSSL library).
- 2019-12-10. No class.
- 2019-12-12. Discussion about final exam.
Slides
Homework
- Homework #1. Development Tools Due:
2019-09-05.
- Homework #2. Input Validation Due:
2019-09-19
- Homework #3. Analysis Tools Due: 2019-10-04
- Homework #4. Obscura Due: 2019-11-08
- Homework #5. Access Control Lists Due:
2019-12-06
Samples
- InputValidation.java. This sample shows
how one can do some basic input validation for integer inputs.
- Another input validation example using GPS coordinates. Java: (GPS.java, InputGPS.java), C++: (GPS.hpp, GPS.cpp)
- The file taint_demo.pl is a Perl script that
illustrates the operation of taint mode. Create a file iHello.txt in your working
folder containing a few lines of text, and run the script both without and with the -T
command line option. Enter a base file name of Hello.txt into the program. Does
it create the output file oHello.txt?
- The archive SPARK-buffers.zip contains an
Ada/SPARK package that implements fixed length character buffers. It demonstrates some of
the features that protect Ada programs from security vulnerabilities.
- EncryptDecrypt.java. This sample
illustrates the basics of doing simple encryption and decryption with the
javax.crypto API.
- The Obscura GitHub site. This program
is a Java implementation of the OpenPGP standard.
- A zip archive of a stack smashing program that
illustrates one way of executing a buffer overflow attack. Aleph One's original paper Smashing the Stack for Fun and Profit is also a good
read (comfort with assembly language required).
- acl_demo.c. This sample shows how to read POSIX
access control lists.
- webclient.c. This sample shows how to send a basic
GET request to a web server without any encryption being used.
- webclient-TLS.c. This sample is similar in
effect to the previous sample except that it uses the OpenSSL library to create a TLS
connection with the server.
CWEs
- 2019-08-27. CWE-197:
Numeric Truncation Error
- 2019-08-29. CWE-839:
Numeric Range Comparison Without Minimum Check
- 2019-09-03. CWE-93:
Improper Neutralization of CRLF Sequences ('CRLF Injection')
- 2019-09-05. CWE-89:
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- 2019-09-10. CWE-793: Only
Filtering One Instance of a Special Element
- 2019-09-12. CWE-22:
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- 2019-09-17. CWE-252:
Unchecked Return Value
- 2019-09-19. CWE-248:
Uncaught Exception
- 2019-09-24. CWE-200:
Information Exposure
- 2019-09-26. CWE-190:
Integer Overflow or Wraparound
- 2019-10-01. CWE-476: NULL
Pointer Dereference
- 2019-10-03. CWE-798: Use
of Hard-coded Credentials
- 2019-10-08. CWE-125:
Out-of-bounds Read
- 2019-10-10. CWE-787:
Out-of-bounds Write
- 2019-10-15. CWE-732:
Incorrect Permission Assignment for a Critical Resource
- 2019-10-17. CWE-502:
Deserialization of Untrusted Data
- 2019-10-22. CWE-434:
Unrestricted Upload of File with Dangerous Type
- 2019-10-24. CWE-295:
Improper Certificate Validation
- 2019-10-29. CWE-426:
Untrusted Search Path
- 2019-10-31. CWE-119:
Improper Restriction of Operations within the Bounds of a Memory Buffer
- 2019-11-05. CWE-78:
Improper Neutralization of Special Elements used in an OS Command ('OS Command
Injection')
- 2019-11-07. CWE-94:
Improper Control of Generation of Code
- 2019-11-12. CWE-400:
Uncontrolled Resource Consumption
- 2019-11-14. CWE-79:
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- 2019-11-19. ?
- 2019-11-21. ?
- 2019-12-03. ?
- 2019-12-05. ?
- 2019-12-10. ?
- 2019-12-12. ?
Resources/Articles
Last Revised: 2019-12-30
© Copyright 2019 by Peter C. Chapin
<pchapin@vtc.edu>