CEN 5079 - Secure Application Programming


General Information

Professor: Amin Kharraz
Classroom: Online via Zoom
Time: Tuesdays and Thursdays at 7:50 PM
Office Hours (via Zoom): Thursdays 11 AM to 12:00 PM or via Email
Wall of Fame Here
Class Forum: On Piazza
Videos Here

News

11/13/2020 Project8 is online now. Good luck!
11/06/2020 Project7 is online now. Good luck!
10/30/2020 The deadlines of project 5 and project 6 were extended!
10/23/2020 Project6 is now online. Good luck!
10/22/2020 Check out the video section and watch demos on low-level attacks.
10/16/2020 Project5 is online now. Good luck!
10/02/2020 Project4 is online now. Good luck!
09/22/2020 Project3 is online now. Good luck!
09/11/2020 Project2 is online now. Good luck!
09/02/2020 Project1 is online now. Good luck!
08/30/2020 The class has a Wall of Fame now. The faster you solve the challenges, the higher your rank ;-).
08/27/2020 Project0 is online now.
08/24/2020 Zoom meeting details will be posted in the Video section.
08/24/2020 Students' accounts were created and emailed.
07/10/2020 The course website got published.


Course Description

Internet security has become part of everyday life, and security problems now affect practical aspects of our lives. Even though there is a considerable body of knowledge about tools and techniques to protect systems, information about what the actual vulnerabilities are and how they are exploited is not generally available. This situation hampers the effectiveness of security research and practice. Understanding the details of attacks is a prerequisite for the design and implementation of secure systems.

This course deals with common programming, configuration, and design mistakes and ways to detect and avoid them. Examples are used to highlight general error classes, such as stack and heap overflows. Possible protection and detection techniques are examined. The course includes a number of practical lab assignments where participants are required to apply their knowledge as well as a discussion of the current research in the field. Students will learn how the security of systems can be violated, and how such attacks can be detected and prevented.

The course aims to make students "security aware" and to give them an in-depth understanding of security issues.

Prerequisites

CEN 5079 requires significant programming experience. If you are a beginner, this course is not for you. For instance, constructing SQL queries and writing code in C/C++ should not be difficult for you. Knowledge of the Unix/Linux command line is also essential. You should know how to write code using emacs/vim, write a makefile, compile code using makefiles, use SSH and SCP, write simple shell scripts, work with gdb, check for running processes, kill runaway processes, and create compressed archives.

Class Forum

The class forum is on Piazza. Why Piazza? Because it has a nice web interface, as well as iPhone and Android apps. Piazza is the best place to ask questions about projects, programming, debugging issues, exams, etc. To keep things organized, please tag all posts with the appropriate hashtags, e.g. #lecture1, #project3, etc. I will also use Piazza to broadcast announcements to the class. Bottom line: unless you have a private problem, post to Piazza before writing me an email.

Ethics

In this class, you will learn about security techniques and tools that can potentially be used for offensive purposes; "hacking" in other words. It is imperative that students only use these tools and techniques on systems they own (your personal computers) or systems that are sanctioned by the instructor. NEVER perform attacks against public systems that you do not control. As we will discuss in class, it is ethically problematic to attack systems that you do not own, and may violate the law.

Lecture Format and In-class Prep

This class will use a traditional, lecture-style format, punctuated with in-class examples. Slides are available in the course schedule below.

I recommend that students bring a laptop to class that has access to a local Unix/Linux-style command line. You can rely on SSH or PuTTY to get a remote command line on the College machines, but you run the risk of Wi-Fi connection issues leaving you unable to work. macOS users should be able to use the default Mac command line and Homebrew; Windows users can install Linux in a virtual machine, or, if you have a recent version of Windows 10, you can install the Windows Subsystem for Linux (WSL) and then download a copy of Ubuntu right from the Windows Store.

Schedule and Lecture Slides

Dates | Slides | Readings | Comments
Aug. 25-27 | Intro, History | | Chal. 0 on Lab Basics, Due Sep. 5
Sep. 01-03 | Threat Modeling, Security Architecture | | Chal. 1, Due Sep. 16
Sep. 08-10 | Isolation | Setuid Demystified | Chal. 2 on Unix Security, Due Sep. 25
Sep. 15-17 | Authentication, Passwords | That Was Then, This Is Now; Understanding Password Choices |
Sep. 22-24 | Web Security 1 | | Chal. 3 on Passwords, Due Oct. 08
Sep. 29-Oct. 01 | Web Security 2 | You Are What You Include | Midterm Study Guide; Chal. 4 on SQL Injection, Due Oct. 13
Oct. 06-08 | Intro to Systems | | Midterm on Oct. 08
Oct. 13-15 | Memory Layout, Stack | Smashing the Stack for Fun and Profit | Chal. 5 on Parameter Injection, Due Nov. 06
Oct. 20-22 | Shellcode, Buffer Overflow; ROP, Return to Libc, Heap Spraying | | Chal. 6 on Buffer Overflow, Due Nov. 13
Oct. 27-29 | Reverse Engineering | |
Nov. 03-05 | Malicious Code, Analysis | | Chal. 7 on Reverse Engineering, Due Nov. 20
Nov. 10-12 | Evasion, Forensics | | Chal. 8 on Forensics Analysis, Due Nov. 27
Nov. 17-20 | Botnets and Crimeware | |
Nov. 24-26 | DDoS | |
Dec. 1 | Study Guide | |
Dec. 8 | | | Final Exam

Assignments

There will be eight practical sets of challenges throughout the semester. Assignments are due at 11:59:59 pm on the specified date. You will use a turn-in script to create a compressed archive of the necessary files for each assignment, timestamp it, and submit it for grading. I highly recommend that students start assignments early!

Assignment | Description | Due Date | Piazza Tag | % of Final Grade
Project 0 | Lab Basics | September 5 | #project0 | 2%
Project 1 | Warm-up | September 16 | #project1 | 6%
Project 2 | Unix Security | September 25 | #project2 | 6%
Project 3 | Passwords | October 08 | #project3 | 6%
Project 4 | SQL Injection | October 16 | #project4 | 6%
Project 5 | Parameter Injection | October 30 | #project5 | 6%
Project 6 | Buffer Overflow | November 06 | #project6 | 6%
Project 7 | Reverse Engineering | November 20 | #project7 | 6%
Project 8 | Forensics Analysis | November 27 | #project8 | 6%

Most projects can be programmed in a language of your choice. The only universal requirement is that your projects must compile and run on an unmodified Linux machine that we give you access to. Note the stress on unmodified: if you rely on libraries or tools that are only available in your home directory, then we will not be able to run your code and you will fail the assignment. You are welcome to develop and test code on your home machines, but in the end everything needs to work on the course Linux machines. If you have any questions about the use of particular languages or libraries, post them to Piazza.

Exams

There will be one midterm and one final. All exams will be closed book. The exams will cover material from lectures, readings, and the projects. The final will be cumulative, so review everything!

Quizzes

Throughout the semester, there will be five in-class quizzes. These quizzes will be brief; they are designed to be completed in 15 minutes or less. They are not meant to cause students grief, and the questions will be straightforward. The goals of the quizzes are to incentivize attendance and encourage careful study of the lecture material. If you need to miss class for any reason, please let me know ahead of time, just in case there is a quiz. Makeups will be provided on a needs-driven basis.

Participation

I do not require students to attend class and I won't be taking attendance, although as stated above, there will be in-class quizzes. That said, I prefer an interactive classroom, and I encourage everyone to attend, ask questions, and participate!

Grading

To calculate final grades, I simply sum up the points obtained by each student (the points sum to some number x out of 100) and then use the following scale to determine the letter grade: [0-55] F, [56-69] D, [70-76] C, [77-79] C+, [80-82] B-, [83-87] B, [87-89] B+, [90-94] A-, [95-100] A. I do not curve the grades in any way. All fractions will be rounded up.

Request for Grading

In this class, each student is allotted two (2) challenges each semester to use on projects submitted before the specified due date. You cannot exercise the challenges on late projects. If you want a project or a test to be regraded, you must make a formal challenge specifying (a) the problem or problems you want to be regraded, and (b) for each of these problems, why you think the problem was misgraded. If it turns out that there has been an error in grading, the grade will be corrected, and you get to keep your challenge. However, if the original grade was correct, then you permanently lose your challenge. Once your two challenges are exhausted, you will not be able to request regrades. You may not challenge the use of slip days, or any points lost due to lateness.

Cheating Policy

It's ok to ask your peers about the concepts, algorithms, or approaches needed to do the assignments. We encourage you to do so; both giving and taking advice will help you to learn. However, what you turn in must be your own, or for projects, your group's own work. Looking at or copying code or homework solutions from other people or the Web is strictly prohibited. In particular, looking at other solutions (e.g., from other groups or students who previously took the course) is a direct violation. Projects must be entirely the work of the students turning them in, i.e. you and your group members. If you have any questions about using a particular resource, ask the course staff or post a question to the class forum.

All students are subject to FIU's Academic Integrity Policy. Per College policy, all cases of suspected plagiarism or other academic dishonesty must be referred to the Office of Student Conduct and Conflict Resolution (OSCCR). This may result in deferred suspension, suspension, or expulsion from the university.

Accommodations for Students with Disabilities

If you have a disability-related need for reasonable academic accommodations in this course and have not yet met with a Disability Specialist, please visit FIU's DRC and follow the outlined procedure to request services. If the Disability Resource Center has formally approved you for an academic accommodation in this class, please present the instructor with your "Professor Notification Letter" at your earliest convenience, so that we can address your specific needs as early as possible.

Title IX

Title IX makes it clear that violence and harassment based on sex and gender are Civil Rights offenses subject to the same kinds of accountability and the same kinds of support applied to offenses against other protected categories such as race, national origin, etc. If you or someone you know has been harassed or assaulted, you can find the appropriate resources here.