www.crcs.cz/rsa @CRoCS_MUNI

PA193 - Secure coding principles and practices
Overview of the subject
Petr Švenda svenda@fi.muni.cz @rngsec
Centre for Research on Cryptography and Security, Masaryk University

PA193 - Introductory info

• Place/upvote questions in slido while listening to the lecture video (#pa193_2022)
• We will discuss these together during every weekly lecture Q&A (every Monday)

PA193 Secure coding principles and practices
• Secure coding
  – How to write code in a more secure way
  – So that the program is harder to attack/exploit
  – Selected basic building blocks of security applications
• 2/2/2
  – Lecture: 2 hours weekly
  – Seminar: 2 hours weekly
  – Homework: about 6-? hours/each
  – Project: about 30-40 hours/person

People
• Main contact: Petr Švenda (CRoCS@FI MU)
  – Office hours: Friday 8:30-11:00, A403
  – svenda@fi.muni.cz, @rngsec
  – https://keybase.io/petrs
  – https://crocs.fi.muni.cz/people/svenda
• Other lectures and seminars
  – Lukasz Chmielewski (FI), Milan Patnaik (DRDO), Marek Sýs (FI), Jan Masarik (Facebook), Kamil Dudka (Red Hat), Mirek Jaroš (Red Hat), Martin Ukrop (FI), Antonín Dufka (FI)

Planned lectures (tentative)
14.2. Language level vulnerabilities: Buffer overflow, type overflow, strings (Petr Svenda)
21.2. Security testing: dynamic analysis, fuzzing (Petr Svenda)
28.2. Security testing: static analysis (Lukasz Chmielewski, Kamil Dudka)
7.3. Programming in the presence of side-channels / faults (Lukasz Chmielewski)
14.3. Securing API, automata-based programming (Petr Svenda)
21.4. Code review (Lukasz Chmielewski)
28.4. (Pseudo)Random Data (Marek Sys)
4.4. Integrity of modules, parameters, temp files (Lukas Rucka)
11.4. Defense in depth (Lukas Rucka)
18.4. Web security, 3rd party libs security, patch management (Jan Masarik)
25.4. Return Oriented Programming (Milan Patnaik)
2.5. Cloud programming security (AWS, Azure..) (Lumir Honus)
9.5. Project presentation (Antonin Dufka)

Aims of the subject
• To learn how to program in a way that the resulting application is more secure
  – Decrease the number of security-related bugs
  – Increase the difficulty of exploitation
• To understand the security consequences of decisions made by the programmer
• Most issues are independent of the particular programming language
  – Examples will be mostly based on C/C++ and Java

Previous knowledge requirements
• Basic knowledge of (applied) cryptography and IT security
  – symmetric vs. asymmetric cryptography, PKI
  – block vs. stream ciphers and usage modes
  – hash functions
  – random vs. pseudorandom numbers
  – basic cryptographic algorithms (AES, DES, RSA, EC, DH)
  – risk analysis
• Basic knowledge in formal languages and compilers
• User-level experience with Windows and Linux OS
• Practical experience with C/C++/Java language

Organization
• Lectures + seminars + assignments + project + exam
• Assignments
  – 6 homework assignments
  – Individual work of each student
  – Lab A403 available to students (except teaching hours)
• Project
  – Team work (2-3 members)
  – Details by Antonin Dufka later (bech32m parser…)
• Exam
  – Written exam, open questions, pencil-only

Grading
• Credits: 2+2+2 credits, plus 2 if exam
• Points [Notice minimal number of points required!]
  – Questionnaire from lectures (10) [no minimum limit]
  – Assignments (30) [minimum 15 required]
  – Project (30) [minimum 15 required]
  – Exam (30) [must know basics] + 95% correct from drill questions
  – Occasional bonuses ☺
• Grading 100 (max)
  – A ≥ 90
  – B ≥ 80
  – C ≥ 70
  – D ≥ 60
  – E ≥ 50
  – F < 50
  – Z ≥ 50 (including minimum numbers from Assignments and Project)

Attendance
• Lectures
  – Attendance not obligatory, but highly recommended
  – For some lectures, pre-recorded lecture video in IS (from Friday)
  – 1-2 hour lecture on selected topics + Q&A (depends on the teacher)
• Seminars
  – Attendance obligatory
  – Absences must be excused at the department of study affairs
  – 2 absences are OK (even without excuse)
• Assignments and projects
  – Done during student free time (e.g. at a dormitory)
  – Access to network lab and CRoCS lab possible

Discussion forum in Information System
• Discussion forum in Information System (IS)
  – https://is.muni.cz/auth/cd/1433/jaro2022/PA193/
• Mainly for discussion among the students
  – Not observed by staff all the time!
  – Write us an email if necessary, please
• What to ask?
  – OK to ask about ambiguities in assignment
  – NOT OK to ask for the solution
  – NOT OK to post your own code and ask what is wrong

Plagiarism
• Homework assignments
  – Must be worked out independently by each student
• Projects
  – Must be worked out by a team of 3 students
  – Every team member must show his/her contribution
• Plagiarism, cut&paste, etc. is not tolerated
  – Plagiarism is the use of somebody else's words/programs or ideas without proper citation
  – Automatic tools are used to recognize plagiarism
  – If plagiarism is detected, the student is assigned -7 points
  – More serious cases are handled by the Disciplinary committee

Reuse of existing code
• Code reuse is generally a great thing, but..
• NOT in homework or assignments!
• It is NOT OK to:
  – Take any code from the web when you should create code completely on your own (project - parser)
  – Share code of your solution with others (homework)

Course resources
• Lectures (video, PDF) available in IS
  – IS = Information System of the Masaryk University
  – Lecture questionnaires in IS open until the end of Monday
• Assignments (what to do) available in IS
  – Submissions done also via IS (homework Vault)
• Additional tutorials/papers/materials will also be provided in IS from time to time
  – To better understand the issues discussed
• Recommended literature
  – To learn more …

Recommended literature
• Ross Anderson - Security engineering, Wiley
• Michael Howard, Steve Lipner - Secure Development Lifecycle, MS Press
• John Viega, Matt Messier - Secure programming cookbook, O'Reilly
• Michael Howard - Writing secure code, MS Press

Questions