Software Security Lecture 0 Fang Yu Dept. of MIS National Chengchi University Spring 2011.


2 Software Security
- Instructor: Fang Yu
- Office: 150409
- Weekly meeting on Tuesday, 9:00-12:00

3 Errors and Failures
- Software is developed by humans, and hence it is not perfect
- A human error may introduce a bug into the system
- When a bug gets triggered, it may cause a failure

4 Security Bugs and Failures
- A security bug is also called a vulnerability
- When a vulnerability gets triggered (exploited), it may cause a security failure (a violation of the security policy) and compromise the system

5 Security Analysis
- Security analysis is the process of determining the security posture of a system
- It answers the question: is the system vulnerable with respect to the known vulnerabilities?

6 About this course
- We will focus on Web application security and static analysis techniques
- You will
  - Learn how to identify and detect vulnerabilities in web applications
  - Learn how to exploit vulnerabilities in web applications
  - Learn how to remove vulnerabilities and how to prevent exploits of vulnerabilities in web applications

7 Main topics
- Web Application Security (8-10 weeks)
  - What are the most common vulnerabilities in web applications?
  - Common Vulnerabilities and Exposures (CVE)
  - OWASP
- Static Analysis Techniques (2-4 weeks)
  - (Automatic) Code Review
  - Taint analysis
  - String analysis
- Advanced Issues/Techniques/Tools (3-5 weeks)
  - Selected Papers/Tools

8 Textbooks
- The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. By Dafydd Stuttard and Marcus Pinto, Wiley Publishing, Inc., 2007 (全華圖書, 02-22625666)
- Secure Programming with Static Analysis. By Brian Chess and Jacob West, Addison-Wesley Professional, 2007

9 Selected Papers
- Prateek Saxena, Devdatta Akhawe, Steve Hanna, Feng Mao, Stephen McCamant, Dawn Song. "A Symbolic Execution Framework for JavaScript." In Proc. of the 31st IEEE Symposium on Security & Privacy (Oakland 2010)
- M. Cova, C. Kruegel, and G. Vigna. "Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code." In Proc. of the World Wide Web Conference (WWW 2010)
- Prateek Saxena, Steve Hanna, Pongsin Poosankam, Dawn Song. "FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications." In Proc. of the 17th Network and Distributed System Security Symposium (NDSS 2010)
- V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. "Toward Automated Detection of Logic Vulnerabilities in Web Applications." In Proc. of the USENIX Security Symposium, Washington, 2010
- Gary Wassermann and Zhendong Su. "Static Detection of Cross-site Scripting Vulnerabilities." In Proc. of the 30th International Conference on Software Engineering (ICSE 2008)
- Yichen Xie and Alex Aiken. "Static Detection of Security Vulnerabilities in Scripting Languages." In Proc. of the 15th USENIX Security Symposium (USENIX 2006)

10 Some Related Tools
- Stranger
  - a string analysis tool for PHP
  - http://www.cs.ucsb.edu/~vlab/stranger
  - we are working on a web-based version
- Java String Analyzer
  - a string analysis tool for Java
  - http://www.brics.dk/JSA/

11 Course Requirements
- Select a chapter* of the Hacker's Handbook to present
- Select a paper* to present
- Select a tool and find an application to analyze

*Send me your topics as soon as you decide (first come, first served)

12 Grade Policy
- None of you will be failed
- Participation 10%
- Chapter and Paper Presentations 40%
- Term paper 50%

13 Beyond the technical issues...
- A comfortable environment for you to practice English
- Don't hesitate to ask questions
- Feel free to drop by my office
