CEN 5079 - Software Security and Vulnerabilities


General Information

Professor: Amin Kharraz
Classroom: Parking Garage 6 114
Time: Monday and Wednesday at 5:00 PM
Office Hours (via Zoom): Tuesdays 01:30 pm to 02:15 am
TAs: Javad Zand
Wall of Fame Here
Class Forum: To be announced
Videos Demos and more

News


04/18/2022 Project 8 is now online.
04/12/2022 Project 7 is now online.
04/01/2022 Project 6 is now online.
03/18/2022 Project 5 is now online.
03/08/2022 Project 4 is now online.
02/22/2022 Project 3 is now online.
02/11/2022 Project 2 is now online.
01/27/2021 Project 1 is now online.
01/14/2021 Project 0 is now online.
01/12/2021 You can access videos here.
01/12/2021 Please take a moment and read the academic misconduct
01/12/2021 User accounts were created and shared.
01/08/2021 The course website got published.


Course Description

Internet security has become part of everyday life where security problems impact practical aspects of our lives. Even though there is a considerable corpus of knowledge about tools and techniques to protect systems, information about what are the actual vulnerabilities and how they are exploited is not generally available. This situation hampers the effectiveness of security research and practice. Understanding the details of attacks is a prerequisite for the design and implementation of secure systems.

This course deals with common programming, configuration, and design mistakes and ways to detect and avoid them. Examples are used to highlight general error classes, such as stack and heap overflows. Possible protection and detection techniques are examined. The course includes a number of practical lab assignments where participants are required to apply their knowledge as well as a discussion of the current research in the field. Students will learn how the security of systems can be violated, and how such attacks can be detected and prevented.

The course aims to make the students "security aware", and gain an in-depth understanding about security issues.

COVID-19 Safety and Accommodations

We expect all students to do their utmost to protect the safety of their peers and instructors during these unprecedented times. This includes abiding by all safety guidelines as stated in FIU's safe reopening policy.

If you do not feel well, have tested positive for COVID, or have been in contact with a person with COVID while not yet being fully vaccinated, please do not come to class, immediately complete the P3 app to notify the COVID Response Team or call them at 305-348-1919, and contact me by email as soon as you can. To excuse absences for P3 failure/COVID, please contact the COVID Response Team at 305- 348-1919. If you are directed to quarantine because of COVID-19, your absences will be considered excused.

Missing excessive days may lead to failing a class or a grade of incomplete. For me to assist you, it is important for you to contact me as soon as you experience any events that might disrupt your course participation. For up- to-date information about COVID, please see the FAQs .

Lastly, as per the August 10th email from university leadership, all members of the FIU community are strongly advised to wear face masks indoors while on campus.

Prerequisites

CEN 5079 requires significant programming experience. If you are a beginner, this course is not for you. For instance, constructing SQL queries, writing code in C/C++ should not be very difficult for you. Also, knowledge of the Unix/Linux command line is essential. You should know how to write code using emacs/vim, write a makefile, compile code using makefiles, use SSH and SCP, write very simple shell scripts, work with gdb, check for running processes, kill runaway processes, and create compressed archives.

Class Forum

The class forum is on Piazza. Why Piazza? Because they have a nice web interface, as well as iPhone and Android apps. Piazza is the best place to ask questions about projects, programming, debugging issues, exams, etc. To keep things organized, please tag all posts with the appropriate hashtags, e.g. #lecture1, #project3, etc. I will also use Piazza to broadcast announcements to the class. Bottom line: unless you have a private problem, post to Piazza before writing me an email.

Ethics

In this class, you will learn about security techniques and tools that can potentially be used for offensive purposes; "hacking" in other words. It is imperative that students only use these tools and techniques on systems they own (your personal computers) or systems that are sanctioned by the instructor. NEVER perform attacks against public systems that you do not control. As we will discuss in class, it is ethically problematic to attack systems that you do not own, and may violate the law.

Lecture Format and In-class Prep

This class will use a traditional, lecture-style format, punctuated with in-class examples. Slides are available in the course schedule below.

I recommend that students bring a laptop to class that has access to a local Unix/Linux-style command line. You can rely on SSH or PuTTY to get a remote command line on the College machines, but you run the risk of Wifi connection issues leaving you unable to work. macOS users should be able to use the default Mac command line and Homebrew; Windows users can install Linux in a virtual machine, or, if you have a recent version of Windows 10, you can install the Windows Subsystem for Linux (WSL) and then download a copy of Ubuntu right from the Windows Store.

Schedule and Lecture Slides

Dates Slides Readings Comments
Jan 10-12 Intro, History
Jan 17-19 Threat Modeling Marin Luther King Day Chal.0 on Lab Basics
Jan. 24-26 Security Architecture, Reconnaissance Chal. 1 on Reconnaissance
Jan. 31-Feb 02 Isolation Quiz 1
Setuid Demystified
Understanding Password Choices
Chal. 2 on Unix Security
Feb. 07-09 Authentication That Was Then, This Is Now
Feb. 14-16 Web Security Fundamentals You Are What You Include
HoneyWords: Making Password-Cracking Detectable
Chal. 3 on Password
Feb. 21-23 Cont. Web Security Fundamentals Quiz 2
Feb. 28-02 Spring Break Midterm Study Guide
Mar. 07-09 Command Injection, SQL Injection Midterm on Wednesday 09th Chal. 4 on Parameter Injection
Mar. 14-16 Session Management, XSS
Smashing the Stack for Fun and Profit
Chal. 5 on SQL Injection
Mar. 21-23 Memory Layout
Mar. 28-30 Stack overflow Quiz 3 Chal. 6 on Buffer OverFlow
Apr. 04-06 Return to Libc, ROP, Reverse Engineering
Apr. 11-13 Reverse engineering Quiz 4 Chal. 7 on Reverse Engineering
Apr. 18-20 Forensics Chal. 8 on Forensics Analysis
Apr. 25th Final Exam Final Exam Guideline

Assignments

There will be eight practical set of challenges throughout the semester. Assignments are due at 11:59:59pm on the specified date. You will use a turn-in script to create a compressed archive of the necessary files for the assignments, timestamp them, and submit them for grading. I highly recommend that students start assignments early!

Assignment Description Due Date Piazza Tag % of Final Grade
Project 0 Lab Basics #project0 2%
Project 1 Warm-up #project1 6%
Project 2 Unix Security #project2 6%
Project 3 Passwords #project3 6%
Project4 Parameter Injection #project4 6%
Project 5 SQL Injection #project5 6%
Project 6 Buffer Overflow #project6 6%
Project7 Reverse Engineering #project7 6%
Project8 Forensics Analysis #project8 6%

Most projects can be programmed in a language of your choice. The only universal requirement is that your projects must compile and run on an unmodified Linux machine that we give you access to. Notice the stress on unmodified: if you're relying on libraries or tools that are only available in your home directory, then we will not be able to run your code and you will fail the assignment. You are welcome to develop and test code on your home machines, but in the end everything needs to work on the course Linux machines. If you have any questions about the use of particular languages or libraries, post them to Piazza.

Exams

There will be one midterm and one final. All exams will be closed book. The exams will cover material from lectures, readings, and the projects. The final will be cumulative, so review everything!

Quizzes

Throughout the semester, there will be five in-class quizzes. These quizzes will be brief; they are designed to be completed in 15 minutes or less. They are not meant to cause students grief, and the questions will be straightforward. The goals of the quizzes are to incentivize attendance and encourage careful study of the lecture material. If you need to miss class for any reason, please let me know ahead of time, just in case there is a quiz. Makeups will be provided on a needs-driven basis. We cannot accommodate requests after the test date.

Participation

I do not require students to attend class and I won't be taking attendance, although as stated above, there will be in-class quizzes. That said, I prefer an interactive classroom, and I encourage everyone to attend, ask questions, and participate!

Grading

To calculate final grades, I simply sum up the points obtained by each student (the points will sum up to some number x out of 100) and then use the following scale to determine the letter grade: [0-55] F, [56-69] D, [70-76] C, [77-79] C+, [80-82] B-, [83-87] B, [87-89] B+, [90-94] A-, [95-100] A. I do not curve the grades in any way. All fractions will be rounded up.

Request for Grading

In this class, each student is allotted two (2) challenges each semester to use on projects submitted before the specified due date. You cannot exercise the challenges on late projects. If you want a project or a test to be regraded, you must make a formal challenge specifying (a) the problem or problems you want to be regraded, and (b) for each of these problems, why you think the problem was misgraded. If it turns out that there has been an error in grading, the grade will be corrected, and you get to keep your challenge. However, if the original grade was correct, then you permanently lose your challenge. Once your two challenges are exhausted, you will not be able to request regrades. You may not challenge the use of slip days, or any points lost due to lateness.

Cheating Policy

It's ok to ask your peers about the concepts, algorithms, or approaches needed to do the assignments. We encourage you to do so; both giving and taking advice will help you to learn. However, what you turn in must be your own, or for projects, your group's own work. Looking at or copying code or homework solutions from other people or the Web is strictly prohibited. In particular, looking at other solutions (e.g., from other groups or students who previously took the course) is a direct violation. Projects must be entirely the work of the students turning them in, i.e. you and your group members. If you have any questions about using a particular resource, ask the course staff or post a question to the class forum. Please take a moment and read the academic misconduct

All students are subject to the FIU's Academic Integrity Policy. Per College policy, all cases of suspected plagiarism or other academic dishonesty must be referred to the Office of Student Conduct and Conflict Resolution (OSCCR). This may result is deferred suspension, suspension, or expulsion from the university.

Accommodations for Students with Disabilities

If you have a disability-related need for reasonable academic accommodations in this course and have not yet met with a Disability Specialist, please visit FIU's DRC and follow the outlined procedure to request services. If the Disability Resource Center has formally approved you for an academic accommodation in this class, please present the instructor with your "Professor Notification Letter" at your earliest convenience, so that we can address your specific needs as early as possible.

Title IX

Title IX makes it clear that violence and harassment based on sex and gender are Civil Rights offenses subject to the same kinds of accountability and the same kinds of support applied to offenses against other protected categories such as race, national origin, etc. If you or someone you know has been harassed or assaulted, you can find the appropriate resources here.