www.crcs.cz/rsa @CRoCS_MUNI

PV286+PA193 - Secure coding principles and practices
Overview of the subject(s) (Introductory info)

Łukasz Chmielewski, chmiel@fi.muni.cz (email me with your questions/feedback)
Centre for Research on Cryptography and Security, Masaryk University
Consultation hours: Friday 9.30-11.00 in A406 (but email me before).

PV286+PA193: Secure coding principles and practices
• Main goal: secure coding
  – How to write code in a more secure way
  – So that the program is harder to attack/exploit
  – Selected basic building blocks of security applications
• PV286: > 80 students
  – Lecture: 2 hours weekly on Wednesdays
  – Project: about 30-40 hours/person
• PA193: < 40 students
  – Seminar: 2 hours weekly, usually corresponding to the lecture, on Thursdays
  – Homework: about 6-? hours each
• In case of questions: please email me!
  – I will address all questions at the beginning of the next lecture

PV286+PA193: Secure coding principles and practices
• PV286 project – more in the presentation by Jan Kvapil
• For everyone following PA193: you have to also follow PV286!
• PA193 is more practical, with hands-on exercises and homework.
  – There are still some places to register for that course.

People
• Main contact: Łukasz Chmielewski (CRoCS@FI MU)
  – Office hours: Friday 9:30-11:00, A406
  – chmiel@fi.muni.cz
  – https://keybase.io/grasshoppper
  – @chmiel:fi.muni.cz
• Other lectures, seminars, and the project
  – Kamil Dudka (Red Hat), Václav Lorenc (HERE Technologies), Marek Sýs (FI), Lukas Rucka (FI), Martin Čarnogurský (RootLUG), Lumir Honus (AT&T).
  – Project: Jan Kvapil, Milan Šorf, Roman Lacko, Štěpánka Trnková, Jiří Gavenda, Tomáš Jaroš, and Antonín Dufka.

PV286: planned lectures (+HW = homework assigned, PA193 only; (V) = video-only lecture), tentative
21.2. Language level vulnerabilities: buffer overflow, type overflow, strings (Łukasz Chmielewski) +HW
28.2. Security testing: static analysis (Łukasz Chmielewski)
6.3. Security testing: dynamic analysis (Łukasz Chmielewski) +HW
13.3. Static and dynamic analysis @ Red Hat (Kamil Dudka) and Legal Implications (Pavel Loutocký)
20.3. Integrity of modules, parameters, and temporary files (Lukas Rucka) +HW
27.3. Programming in the presence of side channels / faults (Łukasz Chmielewski)
3.4. Programming with trusted hardware, securing APIs, automata-based programming (Ł. Ch.) +HW
10.4. Defense in depth (Lukas Rucka)
17.4. Supply-chain attacks, 3rd-party library security, patch management (Martin Čarnogurský)
24.4. Cloud programming security (AWS, Azure, ..) (Lumir Honus)
1.5. (V) (Pseudo)random data (Marek Sýs)
8.5. (V) Code review (Łukasz Chmielewski) +HW
15.5. Threat modelling (Václav Lorenc) + project presentations (contact person: Jan Kvapil)

Aims of the subject
• To learn how to program in a way that the resulting application is more secure
  – Decrease the number of security-related bugs
  – Increase the difficulty of exploitation
• To understand the security consequences of decisions made by the programmer
• Most issues are independent of the particular programming language
  – Examples will be mostly based on C/C++ and Java

Previous knowledge requirements
• Basic knowledge of (applied) cryptography and IT security
  – symmetric vs. asymmetric cryptography, PKI
  – block vs. stream ciphers and modes of operation
  – hash functions
  – random vs. pseudorandom numbers
  – basic cryptographic algorithms (AES, DES, RSA, EC, DH)
  – risk analysis
• Basic knowledge of formal languages and compilers
• User-level experience with Windows and Linux OS
• Practical experience with C/C++/Java
• More is required for the seminars (PA193), but the exam and the project will require that too!

Organization
• PV286 = lectures + project + exam
• Project
  – Team work (2-3 members)
  – Details by Jan Kvapil later
• Exam
  – Written exam, open questions, pencil only
• PA193 = corresponding seminars + assignments
  – 6 homework assignments
  – Individual work of each student

Grading PV286
• Points [notice the minimal number of points required!]
  – Questionnaires from lectures (10) [no minimum limit]
  – Project (45) [minimum 23 required]
  – Exam (45) [must know the basics] + 95% correct on the drill questions
  – Occasional bonuses ☺
• Grading, 100 (max)
  – A ≥ 90
  – B ≥ 80
  – C ≥ 70
  – D ≥ 60
  – E ≥ 50
  – F < 50
  – Z ≥ 50 (including the minimum number of points from the project)
• About PA193:
  – 60% of the points from the assignments
  – More at the first seminar

Attendance
• Lectures (PV286)
  – Attendance not obligatory, but highly recommended
  – I will try to record the lectures, but that is not guaranteed and depends on the teacher
  – 2 lectures will only be available in video form due to public holidays
  – For some lectures, old pre-recorded lecture videos are in IS
  – 1-2 hour lecture on selected topics + Q&A (depends on the teacher)
• Assignments and projects (PV286)
  – Done in the students' free time (e.g. at a dormitory)
  – Access to the network lab and the CRoCS lab is possible
• Seminars (PA193)
  – Attendance obligatory
  – Absences must be excused at the department of study affairs
  – 2 absences are OK (even without an excuse)

Discussion forum in the Information System
• Discussion forum in the Information System (IS)
  – https://is.muni.cz/auth/discussion/predmetove/fi/jaro2024/PV286/
  – https://is.muni.cz/auth/discussion/predmetove/fi/jaro2024/PA193/
• Mainly for discussion among the students
  – Not observed by staff all the time!
  – Write us an email if necessary, please
• What to ask?
  – OK to ask about ambiguities in an assignment
  – NOT OK to ask for the solution
  – NOT OK to post your own code and ask what is wrong

Plagiarism
• Homework assignments
  – Must be worked out independently by each student
• Projects
  – Must be worked out by a team of 3 students
  – Every team member must show his/her contribution
• Plagiarism, cut & paste, etc. is not tolerated
  – Plagiarism is the use of somebody else's words, programs or ideas without proper citation
  – Automatic tools are used to recognize plagiarism
  – If plagiarism is detected, the student is assigned -7 points
  – More serious cases are handled by the Disciplinary Committee

Reuse of existing code
• Code reuse is generally a great thing, but..
• NOT in homework or assignments!
• It is NOT OK to:
  – Take any code from the web when you should create the code completely on your own (project - parser)
  – Share the code of your solution with others (homework)

Example of Plagiarism (two slides; the examples were shown as images and are not reproduced here)

Course resources
• Lectures (video, PDF) available in IS
  – IS = Information System of Masaryk University
  – Lecture questionnaires in IS are open until the end of Monday
• Assignments (what to do) available in IS
  – Submissions are also done via IS (homework vault)
• Additional tutorials/papers/materials will be provided in IS from time to time
  – To better understand the issues discussed
• Recommended literature
  – To learn more …

Recommended literature
• Ross Anderson - Security Engineering, Wiley
• Michael Howard, Steve Lipner - The Security Development Lifecycle, MS Press
• John Viega, Matt Messier - Secure Programming Cookbook, O'Reilly
• Michael Howard, David LeBlanc - Writing Secure Code, MS Press

Questions