PA193 Secure coding principles and practices
Overview of the subject
Petr Švenda, Zdeněk Říha, Lukáš Němec, Marek Sýs, Kamil Dudka, Mirek Jaroš, Thenraja Vettivelraj

PA193 - Introductory info

PA193 Secure coding principles and practices
• Relatively new subject
  – First introduced in September 2013
• Secure coding
  – How to write code in a more secure way
  – So that the program is harder to attack/exploit
  – ≠ Programming of security applications
• 2/2/2
  – Lecture: 2 hours weekly
  – Seminar: 2 hours weekly (2 seminar groups)
  – Homework: about 3-6 hours weekly
  – Project: about 20-30 hours

People
• Main contact: Petr Švenda (FI MU)
  – Office hours: Monday 13-14, A406
  – svenda@fi.muni.cz, @rngsec
  – 7 out of 12 lectures
• Other lectures and seminars
  – Zdeněk Říha (EC), Lukáš Němec (FI), Marek Sýs (FI), Kamil Dudka (RedHat), Mirek Jaroš (RedHat), Thenraja Vettivelraj (FI)

Aims of the subject
• To learn how to program in a way that the resulting application is more secure
  – Decrease the number of security-related bugs
  – Increase the difficulty of exploitation
• To understand the security consequences of decisions made by the programmer
• Many issues are independent of the programming language
• Most examples are based on C/C++ and Java

Requirements
• Basic knowledge of (applied) cryptography and IT security
  – symmetric vs. asymmetric cryptography, PKI
  – block vs. stream ciphers and usage modes
  – hash functions
  – random vs. pseudorandom numbers
  – basic cryptographic algorithms (AES, DES, RSA, EC, DH)
  – risk analysis
• Practical experience in programming in the C/C++ language
• Basic knowledge of formal languages and compilers
• User-level experience with Windows and Linux OS

Organization
• Lectures + seminars + homework + project + exam
• Homework
  – assigned every second week/seminar (+ bonuses)
  – individual work of each student
• Project
  – groups of 2-3 students
  – divided into three parts with 2 different deadlines
  – expected workload: 30 hours/project/participant
  1. Write own parser (using GitHub repo, Travis)
  2. Analyze and attack the parser of another group (code review)
  3. Create bugfix(es) for problem(s) found (pull request)

Grading
• Credits
  – 2+2+2 credits, plus 2 for the final exams
• Points
  – Homework (45) – min 3 assignments with >1 points required
  – Project (45)
  – Written exam (60)
• Grading
  – A ≥ 90% of maximum number of points
  – B ≥ 80% of maximum number of points
  – C ≥ 70% of maximum number of points
  – D ≥ 60% of maximum number of points
  – E ≥ 50% of maximum number of points
  – F < 50% of maximum number of points
• Point scale: 150+ (max); A 135, B 120, C 105, D 90, E 75

Attendance
• Lectures
  – Attendance not obligatory, but highly recommended
• Seminars
  – Attendance obligatory
  – Absences must be excused at the department of study affairs
  – 2 absences are OK (even without excuse)
• Assignments and projects
  – Done during students' free time (e.g. at the dormitory)
  – Access to the network lab and CRoCS lab is possible
• Some assignments indeed require access to the network lab

Discussion forum in Information System
• Discussion forum in Information System (IS)
  – https://is.muni.cz/auth/cd/1433/podzim2016/PA193/
• Mainly for discussion among the students
  – Not observed by staff all the time!
• What to ask?
  – OK to ask about ambiguities in an assignment
  – NOT OK to ask for the solution
  – NOT OK to post your own code and ask what is wrong

Plagiarism
• Homework
  – Must be worked out independently by each student
• Projects
  – Must be worked out by a team of 3 students
  – Every team member must show his/her contribution
• Plagiarism, cut&paste, etc. is not tolerated
  – Plagiarism is the use of somebody else's words, programs or ideas without proper citation
  – Automatic tools are used to recognize plagiarism
  – If plagiarism is detected, the student is assigned -5 points
  – More serious cases are handled by the Disciplinary committee

Reuse of existing code
• Code reuse is generally a great thing, but...
• NOT in homework or assignments!
• It is NOT OK to:
  – Take any code from the web when you should create the code completely on your own (project - parser)
  – Share the code of your solution with others (homework)

Course resources
• Lectures (PDF) available in IS
  – IS = Information System of the Masaryk University
  – https://is.muni.cz/auth/el/1433/podzim2016/PA193/
• Homework/assignments available in IS
  – Submissions also done via IS (Homework vaults)
• Additional tutorials/papers/materials will also be provided in IS from time to time
  – To better understand the issues discussed
• Recommended literature
  – To learn more …

Recommended literature
• Ross Anderson - Security engineering, Wiley
• Michael Howard, Steve Lipner - Secure Development Lifecycle, MS Press
• John Viega, Matt Messier - Secure programming cookbook, O'Reilly
• Michael Howard - Writing secure code, MS Press

Questions