KATHOLIEKE UNIVERSITEIT LEUVEN, .NET Curriculum Workshop. Teaching Software Security: Case Studies on the .NET Framework. Frank Piessens and Wouter Joosen.

1 KATHOLIEKE UNIVERSITEIT LEUVEN, .NET Curriculum Workshop
Teaching Software Security: Case Studies on the .NET Framework
Frank Piessens and Wouter Joosen (Frank.Piessens@cs.kuleuven.ac.be, Wouter.Joosen@cs.kuleuven.ac.be)

2 Who am I
Professor at the Department of Computer Science, KULeuven, Belgium
Member of the DistriNet research group on distributed systems and computer networks
Research focus:
  – Software security: secure programming languages, security in component models and frameworks, security engineering

3 Why am I here?
Our university has a “security-intensive” computer science curriculum
The “secure software” course was an early adopter of .NET technologies in a university course
Report on our experiences integrating .NET into that course

4 Outline of the presentation
Introduction
Overview of the secure software course
Case studies and projects on .NET
Zooming in on some project assignments
Conclusion

5 Introduction
Software is more and more Internet accessible => importance of software security increases
Developing secure software is a complex matter
  – Complex technologies
  – Binding security technologies to an application is hard
  – Implementation vulnerabilities
  – Hard to test security
  – …
Hence, it is important to integrate courses on secure software development in computer science curricula

6 Introduction
At the K.U.Leuven, we started developing such a course 5 years ago
  – It is being taught for the 5th time to an average of some 100 students per year
  – Fragments of the course have been presented
      – At industry conferences
      – At academic conferences
  – Teaching materials for the course are available on the web (see URL at the end of the presentation)

7 Outline of the presentation
Introduction
Overview of the secure software course
Case studies and projects on .NET
Zooming in on some project assignments
Conclusion

8 Overview of the course
Part I: Introduction
Part II: Security Technologies
  – Security technology = reusable algorithm/model/service that realizes a security objective
Part III: Building Secure Applications
  – Secure application: application that enforces correct rules of usage
      – By correct and appropriate use of security technologies
      – By ensuring high quality of implementation
Part IV: Conclusion

9 Overview of the course
Part I: Introduction
  – General security concepts: threat, vulnerability, countermeasure, risk, …
  – Security for an administrator versus security for a developer
  – Case study: perform a threat and vulnerability analysis on a simplified e-mail system

10 Overview of the course
Part II: Software Security Technologies
  – Cryptographic primitives
  – Cryptographic Service Provider based libraries
  – Cryptographic protocols
  – Software interfaces to protocols
  – Access control models
  – Access control in operating systems and application servers
  – Untrusted code security

11 Overview of the course
Part III: Secure Software Applications
  – Threat analysis
  – Secure design principles
  – Integrating security technologies in applications
  – Implementation vulnerabilities
  – Enriching a software engineering process for security
Part IV: Conclusion
  – Case study revisited
  – Current challenges

12 Overview of the course
What is available online?
  – The course is given at our university as a 20h course with 30h time for exercises/projects
      – Slides are available for most of the lectures
      – Lecture notes are available for approximately half of the lectures
      – A web site with related links for all covered material
      – Project assignments (not solutions)

13 Outline of the presentation
Introduction
Overview of the secure software course
Case studies and projects on .NET
Zooming in on some project assignments
Conclusion

14 Case studies and projects on .NET
The course is a conceptual course, but illustrates concepts with their implementation in real-life systems
The .NET Framework is used to illustrate implementation of most of the security technologies in Part II of the course
  – The cryptographic libraries in .NET are discussed as an example implementation of a CSP based crypto library
  – Code Access Security is discussed as an example implementation of untrusted code sandboxing
  – .NET declarative role based access control is discussed as an example implementation of application level access control

15 Case studies and projects on .NET
The .NET material is relatively new
  – Before: Java and Windows 2000
  – Does the .NET case add value with respect to the Java case?
Two examples:
  – Comparison of crypto libraries in Java and .NET
  – Comparison of sandboxing in Java and .NET

16 Crypto libraries
All modern cryptographic libraries are structured around the concept of Cryptographic Service Providers (CSP)
[Diagram: applications App1, App2, App3, … | API | Cryptographic framework | SPI | providers CSP1, CSP2, CSP3, …]

17 Crypto libraries
Java and .NET implement decoupling differently
  – Java: decoupling based on the bridge design pattern
      – API objects encapsulate an SPI object that does the real work
  – .NET: decoupling based on inheritance
      – SPI classes inherit from API classes
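
The two decoupling styles from slide 17 side by side, as an added example that is not part of the original slides. `XorFoldHash`, `DigestSpi`, `XorFoldSpi` and `Digest` are hypothetical names, the XOR "hash" is a constructed toy provider with no security value, and the Java-style bridge is written in C# only for comparison; `HashAlgorithm` and its members are the real .NET API class.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// .NET style: the provider (SPI side) inherits from the abstract API class
// and fills in the protected hooks the framework calls.
sealed class XorFoldHash : HashAlgorithm
{
    private byte _state;
    public XorFoldHash() { HashSizeValue = 8; }            // digest size in bits
    public override void Initialize() { _state = 0; }
    protected override void HashCore(byte[] array, int ibStart, int cbSize)
    {
        for (int i = ibStart; i < ibStart + cbSize; i++) _state ^= array[i];
    }
    protected override byte[] HashFinal() { return new[] { _state }; }
}

// Java style (bridge): the API object encapsulates an SPI object
// and forwards every call to it.
abstract class DigestSpi
{
    public abstract void EngineUpdate(byte[] data);
    public abstract byte[] EngineDigest();
}

sealed class XorFoldSpi : DigestSpi
{
    private byte _state;
    public override void EngineUpdate(byte[] data) { foreach (byte b in data) _state ^= b; }
    public override byte[] EngineDigest() { byte r = _state; _state = 0; return new[] { r }; }
}

sealed class Digest
{
    private readonly DigestSpi _spi;                       // the bridge to the provider
    public Digest(DigestSpi spi) { _spi = spi; }
    public void Update(byte[] data) { _spi.EngineUpdate(data); }
    public byte[] Finish() { return _spi.EngineDigest(); }
}

static class Program
{
    static void Main()
    {
        byte[] msg = Encoding.ASCII.GetBytes("abc");       // constructed sample input
        HashAlgorithm viaInheritance = new XorFoldHash();  // application sees only the API type
        var viaBridge = new Digest(new XorFoldSpi());
        viaBridge.Update(msg);
        Console.WriteLine(BitConverter.ToString(viaInheritance.ComputeHash(msg)));
        Console.WriteLine(BitConverter.ToString(viaBridge.Finish()));
    }
}
```

With inheritance the provider object is itself the API object, so it exposes whatever public members the provider author adds; with the bridge the application only ever holds the framework's wrapper.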

18 Sandboxing in Java and .NET
Both Java and .NET implement stack inspection based configurable sandboxing
But again, both implementations differ significantly
  – Integration of user based access control is different
  – Granularity of permissions and stack walk modifiers is different
  – Extensibility is different
  – …

19 Projects and exercises on .NET
Students can do projects and exercises on the .NET framework or the SSCLI (Rotor)
We distinguish three “levels”:
  – Simple exercises: a few hours of work
  – Implementation projects: 20 – 40 hours of teamwork
  – Advanced projects: several hundred hours of work, typically in the context of a master thesis
      – Some of them closely linked to our research
      – E.g. Context bound objects for application level access control

20 Outline of the presentation
Introduction
Overview of the secure software course
Case studies and projects on .NET
Zooming in on some project assignments
Conclusion

21 Example implementation project: pluggable authentication
Problem statement: In the .NET framework, authentication can be done:
  – By relying on Windows authentication
  – By custom developed authentication code
Both approaches have their disadvantages.

22 Example implementation project: pluggable authentication
Assignment: Design an authentication framework for .NET.
The framework should offer a simple uniform authentication API to applications.
Implementations of authentication mechanisms should be easy to plug into the framework.
The selection of what authentication mechanisms to use should be set by a configuration file.
Authentication should be well integrated with role based authorization.

23 Example implementation project: pluggable authentication
Discussion: The project introduces students to many aspects of .NET security:
  – Use of the crypto APIs
  – User based access control
  – Building a secure assembly
An example solution (PAM.NET) that runs on Rotor and the CLR was developed by Bert Lagaisse.
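
One possible shape for the framework the assignment on slide 22 asks for, as an added example; it is not PAM.NET and not code from the course. `IAuthenticationModule`, `DemoPasswordModule` and `Authenticator` are hypothetical names, the in-memory account is constructed, and a string array stands in for the configuration file.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Threading;

// Hypothetical plug-in contract: a mechanism returns the user's roles, or null on failure.
public interface IAuthenticationModule { string[] Authenticate(string user, string secret); }

// Constructed demo mechanism with one in-memory account; a real module would
// check a salted password hash, a certificate or a token instead.
public sealed class DemoPasswordModule : IAuthenticationModule
{
    public string[] Authenticate(string user, string secret)
    {
        return user == "alice" && secret == "correct horse" ? new[] { "Auditor" } : null;
    }
}

public static class Authenticator
{
    // Uniform API for applications: every configured module must accept the login.
    public static IPrincipal Login(string[] moduleTypeNames, string user, string secret)
    {
        if (moduleTypeNames.Length == 0) throw new InvalidOperationException("no module configured");
        var roles = new HashSet<string>();
        foreach (string name in moduleTypeNames)
        {
            Type t = Type.GetType(name, true);               // unknown type: throw, fail closed
            if (!typeof(IAuthenticationModule).IsAssignableFrom(t))
                throw new InvalidOperationException(name + " is not an authentication module");
            var module = (IAuthenticationModule)Activator.CreateInstance(t);
            string[] granted = module.Authenticate(user, secret);
            if (granted == null) return null;                // one refusal rejects the login
            roles.UnionWith(granted);
        }
        var principal = new GenericPrincipal(new GenericIdentity(user, "Pluggable"), roles.ToArray());
        Thread.CurrentPrincipal = principal;                 // role based checks now see this user
        return principal;
    }
}

static class Demo
{
    static void Main()
    {
        string[] configured = { "DemoPasswordModule" };      // stands in for the configuration file
        IPrincipal ok = Authenticator.Login(configured, "alice", "correct horse");
        Console.WriteLine(ok != null && ok.IsInRole("Auditor"));
        Console.WriteLine(Authenticator.Login(configured, "alice", "wrong") == null);
    }
}
```

Because the configuration decides which types get instantiated, the file that holds it needs the same write protection as the application's own binaries.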

24 Example advanced project: typing information as evidence
Problem statement:
  – Type systems increase security in a number of ways.
  – Supporting a new type system in a programming language or in MSIL is a substantial effort.
  – Can the Code Access Security system be used to check security-related type information?

25 Example advanced project: typing information as evidence
Assignment: Pick a security relevant type system (e.g. types for safe concurrency), and design a new kind of evidence that captures the type information in that system.
Design typing rules for IL, and implement a verifier.
Integrate the verifier with the Code Access Security system.

26 Example advanced project: typing information as evidence
Discussion: Students gain deep knowledge about:
  – IL and IL typing
  – The Code Access Security System
A simplified version of the assignment was implemented by a master thesis student.

27 Some other projects
Implementing a Cryptographic Service Provider
  – Last year, two students integrated the Belgian EID in the .NET Crypto Libraries
Reusing Code Access Security checks for role based access control
Design and implement a SOAP firewall
Design and implementation of applications that use the security APIs intensively
  – Secured chat application
  – Simple encrypting file system
  – Runtime extensible applications
  – …

28 Outline of the presentation
Introduction
Overview of the secure software course
Case studies and projects on .NET
Zooming in on some project assignments
Conclusion

29 Conclusion
Importance of software security is high and growing
Inclusion of dedicated courses in curricula is desirable
Our software security course is still in evolution but is slowly stabilizing as a:
  – Conceptual course
  – With illustrations of the concepts on the two application development platforms of the future (Java and .NET), as well as on operating systems/middleware/databases
Course materials are available (in draft form) at: http://securitytf.cs.kuleuven.ac.be/teaching/
