Module information
Software engineering processes need to include security considerations in the modern world. This course familiarizes students to security issues in different stages of the software life-cycle. At the end of the course, the students are expected to understand secure programming practices, be able to analyze and check for impact of malicious inputs in programs, and employ specific testing techniques which can help detect software vulnerabilities.
For AY21/22 Sem 1, the module is taught by Prof. Roland Yap.
This module is only offered in Sem 1.
Schedule
- Lectures: Tuesdays 2pm - 4pm
- Tutorials: Wednesdays 5pm - 6pm
Module Breakdown
- Class Quizzes 10%
- Labs 30%
- Assignments 30%
- Final Exams 30%
Prerequisites
- CS3235
- CS2103/T or CS2113/T
Familiarity with the following is a plus:
- C/C++
- Assembly Code
- Unix like operating systems
Module Details
Topics that will be covered
- Introduction to Software Security
- Background
- Memory Errors
- Memory Defenses
- Control Flow Graphs
- Control Flow Attack & Defenses
- Black Box Fuzzing
- White Box Fuzzing
- Arithmetic Errors
- Operating Systems
- Miscellaneous Topics
Lectures
The Lectures were conducted video style over zoom. The chat from the zoom meeting was uploaded by Prof Roland at the end of every lecture.
Tutorials
Tutorials were very similar to lecture in style. They were held over zoom where Prof Roland would usually explain the solutions to the lab.
Labs
Labs were given out occasionally. There were about 7 labs over the entire semester.
The labs were mainly on writing / exploiting C programs as well as discovering the different mitigation (IE: Address Sanitizer) and how they work.
Projects
There were 2 projects throughout the entire semester. You can make groups of 5 (of your own choosing) to complete these projects.
The 1st project was to do research about a particular CVE and how it works. My group worked on CVE-2021-3177 where we had to write a report on what caused it, what is the effect of it and how it impacts python programs.
The 2nd project was to research a family of vulnerabilities. My group worked on Server Side Request Forgery (SSRF) and the link to our repository is here
We were free to decide which ones we want. The first project has to be a CVE of sufficient complexity (either shown by prof or propose your own to prof). The second project can be about any vulnerability(ies) that you want.
Ratings
Workload 5/10 (Moderate workload)
The workload for the modules were moderate. Outside of the lectures and tutorials, most of the time was spent on the Lab and the project. They were not as hectic as other Software engineering projects (like CS3203 and CS2103T).
More time was spent into understanding the concepts instead of programming a system.
Organization 7/10
The lectures were relatively well organized and each topic lays the foundation for future topics which are taught.
Learning 8/10
I’ve learnt a lot about Address Sanitizer, Shadow stacks and other mechanisms that were taught in the module about the different tools used to check for vulnerabilities.
Enjoyment 8/10
I enjoyed learning the module. It feels like a natural extension of CS3235.
Usefulness 8/10
The topics that were taught in this module were very useful in helping me become a more secure programming.
Overall 7.5/10
Overall the I enjoyed the module a lot and would definitely recommend this module to anyone who wants to specialize in Software Engineering and Computer Security focus areas at the same time (as it double counts). Concepts in this module were also useful to me as a software engineer and definitely trained my awareness on insecure programming practices in my day to day code.
Expected Grade: A
Actual Grade: A
Useful Links
Arithmetic Errors
Secure Programs
System issues
Secure Programming
Operating Systems
- The Performance Cost of Shadow Stacks and Stack Canaries
- EffectiveSan: type and memory error detection using dynamically typed C/C++