16:198:673:01: Introduction to Software Security
RUSENIX Security 2007!
- (12/17/07) This course has concluded, and the grades have been posted.
Happy holidays! Archived announcements are available
here for your enjoyment and
Course number: 16:198:673:01, Index: 21652.
Class hours: Wednesdays from 3:20pm - 6:20pm.
Class location: Hill 254.
Instructor's office hours: Thursdays, 1:30pm-2:30pm, and
the hour immediately following class.
Security vulnerabilities in software cost the economy several billion dollars
a year. Why is today's software so vulnerable to exploits? What techniques are
attackers using to compromise software? How can we secure software to resist
such attacks? Can we design primitives that will help programmers create
software that resists such attacks?
This course will seek to answer such questions by covering an exciting range
of topics, from state-of-the-art techniques used to attack software to
techniques to strengthen software to resist attacks. We will study
analysis techniques that can be used to understand security properties of
software systems and transform them to create secure software.
The course will be based upon readings of research papers, both classics and
papers from recent security conferences. A key goal of the course will be
to teach the student to think both as an attacker and as a defender.
Consequently, we will study both "attack" and "defense" papers. The most
exciting part of the course will be a course project where students get to
research a topic of their liking, and report their findings in a conference
Here is the reading list for this course.
We will discuss papers roughly in the order that they appear on this
list, though we will not be discussing all papers on the list. Please
see the class schedule for the assigned readings
for each week.
Students are expected to read and review the papers before they come
to class. We will use class hours to summarize the paper and discuss
its key ideas and shortcomings. Reading the paper before class will ensure
that we will have more meaningful in-class discussions.
Paper summaries must be sent to the instructor via email
by noon on the day of class. Please include "673-review" in the
subject of your email.
Each week, we will discuss two or three papers from our
reading list according to the schedule below.
The schedule below is still tentative, and may change over the course of the
- Readings (20%): For each paper that we read in class, students
will be expected to provide a short (at most 4 paragraphs) review of the paper.
The objective is to teach students to critically analyze a paper and distill
its key ideas into a few sentences.
- Class participation (10%): Active discussions are what make
a class enjoyable, so I will also factor class participation into the
final grade. All the more incentive to contribute to the class discussion!
- Research project (70%): The research project
is the most important (and probably the most enjoyable) aspect of this class.
The course will be front-loaded so that students are exposed to key ideas
early and can apply them to their course projects. Front-loading the course
will also mean that students can invest more time on their projects in the
latter half of the semester.
Students are expected to read and summarize the papers before they come to
class. Paper summaries must be sent by email to the instructor by noon on the
day of the class (with 673-review in the subject of the email).
Organize your review into three or four paragraphs, as follows:
- Problem description:
What problem does the paper address?
Why is the problem important?
- Solution description:
What is the solution proposed by the paper?
Does it solve the problem in its entirety?
If not, what are the assumptions under which the solution works?
Are these assumptions reasonable?
What aspects of the solution were evaluated in the paper?
What aspects were not evaluated? Why not?
- Pros and cons -- your opinion:
What did you like about the paper? (i.e., What is the "Aha!" point in
Did you learn any new tricks from this paper that you can add to your
What did you dislike about the paper? Did the authors hype their solution?
What is the next logical step? Did you get any project ideas from this
paper? What about longer-term/more ambitious extensions?
The final project is the main ingredient of this course. Students are
expected to conduct original research and report their findings in a
conference paper-style project report. The project can be a new
security system, an extension of a previously proposed system, or a security
analysis of an existing system. Although I will suggest project ideas,
students are welcome and are encouraged to suggest their own projects.
The project will have the following checkpoints:
Choosing a project topic. You will first form a team and decide
on the project topic. During this phase, you will meet as a team,
brainstorm ideas, and meet with me to refine the project proposal.
Project proposal. You will submit a short (1-2 page) document stating
(i) the problem that you propose to solve; (ii) why the problem is relevant;
(iii) proposed solution methodology; and (iv) the research challenges that you
expect to face. Once you have submitted the project proposal and have it
approved by me, you will begin work on your project. Please start early and
work regularly! Don't put things off until the last minute.
Midpoint review + Related work.
By this time, you are expected to have made significant progress toward
achieving the goals stated in your project proposal, or must have a clear idea
of the difficulties that are hampering your progress. You will meet with me to
discuss your progress. You are also expected to have conducted a thorough
survey of related work in the area, and are expected to have a writeup of
related work (you will reuse this in your final project report as well).
Submission of title and abstract of presentation. You will submit a
short (1-2 paragraph) abstract describing your project. I will use this to
schedule your presentation and advertise your project to the rest of the
Class minisymposium. You will present your work to the rest of the
class. We will have 15-25 minute presentations, depending on the number of
class projects. The minisymposium will be open to the rest of the department,
too. Please make your presentations clear and concise. Please follow the links
from the resources section of the class webpage for advice on
Submission of final project report. Your final project report must
provide a clear description of the problem and solution, and your evaluation.
It must closely mimic the style of a conference paper. Since we will have
discussed several papers in class, you will be familiar with the format
expected. The resources
section of the class webpage also contains several links with advice on
writing good research papers.
| First two weeks of October | Choose a project topic |
| October 19th, 2007 | Project proposal due |
| November 19th, 2007 | Midpoint review; Related work sections due |
| December 5th, 2007 | Project titles and abstracts due |
| December 12th, 2007 | |
| December 14th, 2007 | Final project reports due |
More information on the project, including project suggestions,
will be posted here over the course of the semester.
Tips for good technical writing
Tips for effective presentation