PA193 Secure coding principles and practices
Overview of the subject
•Petr Švenda, Petr Ročkai, Marek Sýs, Kamil Dudka, Mirek Jaroš, Martin Ukrop

PA193 Secure coding principles and practices
•Secure coding
–How to write code in a more secure way
–So that the program is harder to attack/exploit
–Selected basic building blocks of security applications
•2/2/2
–Lecture: 2 hours weekly
–Seminar: 2 hours weekly (2 seminar groups)
–Homework: about 6-8 hours/each (6+1 bonus)
–Project: about 30-40 hours/person

People
•Main contact: Petr Švenda (CRoCS@FI MU)
–Office hours: Monday 13:00-13:50, A406
–svenda@fi.muni.cz, @rngsec
–https://crocs.fi.muni.cz/people/svenda
•Petr Ročkai (FI MU)
–Office hours: Tuesday 12:00-12:50, A406
–xrockai@fi.muni.cz
•Other lectures and seminars
–Marek Sýs (FI), Kamil Dudka (Red Hat), Mirek Jaroš (Red Hat), Martin Ukrop (FI)

Aims of the subject
•To learn how to program in a way that the resulting application is more secure
–Decrease the number of security-related bugs
–Increase the difficulty of exploitation
•To understand the security consequences of decisions made by the programmer
•Most issues are independent of the particular programming language
–Examples will be mostly based on C/C++ and Java

Previous knowledge requirements
•Basic knowledge of (applied) cryptography and IT security
–symmetric vs. asymmetric cryptography, PKI
–block vs. stream ciphers and usage modes
–hash functions
–random vs. pseudorandom numbers
–basic cryptographic algorithms (AES, DES, RSA, EC, DH)
–risk analysis
•Basic knowledge of formal languages and compilers
•User-level experience with Windows and Linux OS
•Practical experience with the C/C++/Java languages

Organization
•Lectures + seminars + assignments + project + exam
•Assignments
–6 homework assignments (+ 1 bonus)
–Individual work of each student
–Lab A403 available to students (except teaching hours)
•Project
–Team work (2-3 members)
–Details at seminars, parser for a cryptocurrency blockchain
•Exam
–Written exam, open questions, pencil-only

Grading
•Credits
–2+2+2 credits, plus 2 for the final exams
•Points [Notice the minimal number of points required!]
–Homework (30) – [minimum 15 required]
–Project (20) – [minimum 10 required]
–Written exam (50) – [no minimum limit]
–Occasional bonuses :)
•Grading
–A ≥ 90% of maximum number of points
–B ≥ 80% of maximum number of points
–C ≥ 70% of maximum number of points
–D ≥ 60% of maximum number of points
–E ≥ 50% of maximum number of points
–F < 50% of maximum number of points

Attendance
•Lectures
–Attendance not obligatory, but highly recommended
•Seminars
–Attendance obligatory
–Absences must be excused at the department of study affairs
–2 absences are OK (even without excuse)
•Assignments and projects
–Done during students' free time (e.g. at the dormitory)
–Access to network lab and CRoCS lab is possible

Discussion forum in Information System
•Discussion forum in Information System (IS)
–https://is.muni.cz/auth/cd/1433/podzim2017/PA193/
•Mainly for discussion among the students
–Not observed by staff all the time!
–Write us an email if necessary
•What to ask?
–OK to ask about ambiguities in an assignment
–NOT OK to ask for the solution
–NOT OK to post your own code and ask what is wrong

Plagiarism
•Homeworks
–Must be worked out independently by each student
•Projects
–Must be worked out by a team of 3 students
–Every team member must show his/her contribution
•Plagiarism, cut&paste, etc. is not tolerated
–Plagiarism is the use of somebody else's words, programs or ideas without proper citation
–Automatic tools are used to recognize plagiarism
–If plagiarism is detected, the student is assigned -7 points
–More serious cases are handled by the Disciplinary committee

Reuse of existing code
•Code reuse is generally a great thing, but...
•NOT in homework or assignments!
•It is NOT OK to:
–Take any code from the web when you should create the code completely on your own (project - parser)
–Share the code of your solution with others (homework)

Course resources
•Lectures (PDF) available in IS
–IS = Information System of the Masaryk University
–https://is.muni.cz/auth/el/1433/podzim2017/PA193/
•Homeworks/assignments available in IS
–Submissions also done via IS (Homework vaults)
•Additional tutorials/papers/materials will also be provided in IS from time to time
–To better understand the issues discussed
•Recommended literature
–To learn more …

Recommended literature
•Ross Anderson - Security engineering, Wiley
•Michael Howard, Steve Lipner - Secure Development Lifecycle, MS Press
•John Viega, Matt Messier - Secure programming cookbook, O'Reilly
•Michael Howard - Writing secure code, MS Press

Questions