Title: CS 7301-002: Language-based Security
Course Registration Number: 21422
Times: TR 2:30-3:45
Location: ECSS 2.203
Instructor: Dr. Kevin Hamlen (hamlen AT utdallas)
Instructor's Office Hours: TBA, ECSS 3.704
This course will introduce and survey the emerging field of Language-based Security, in which techniques from compilers and programming language theory are leveraged to address issues in computer security. Topics include:
The aim of the course is to allow each student to develop a solid understanding of at least one of these topics, along with a more general familiarity with the range of research in the field. In-course discussion will highlight opportunities for cutting-edge research in each area. If you do research involving software security, this course will provide you with an array of powerful tools for addressing software security issues. If you do research involving programming languages or compilers, this course will show you how to take techniques that you already know and apply them to a new and important problem domain. If your career involves management or development of high-assurance software systems, this course will provide a comparative analysis of traditional versus language-based techniques.
The course is open to Ph.D. students and Masters students. Interested undergraduates should see the instructor for permission to take the course.
Suggested (non-mandatory) prerequisite: CS 6371 Advanced Programming Languages (or taken concurrently)
Homework: Homeworks will consist of assigned readings, usually one required paper per class session. Students must thoroughly read each paper before class in order to adequately prepare for in-class quizzes and discussions.
Quizzes (25%): Each class will begin with a short quiz testing the students' comprehension of the assigned reading for the day. Questions will typically be multiple choice or short answer. The easier questions will be designed to test whether the student has read the material at all, and the harder ones will test deep understanding of more subtle points.
Presentations (25%): Each student will be assigned 1-2 days during the semester during which they will present the assigned reading for that day in a 45-minute lecture. Each presentation should provide a technical overview of the paper, a description of how the paper fits into the broader context of the material covered in the course, and should pose interesting questions or challenges for in-class discussion. Students will also present their class projects at the conclusion of the class (see below), and this constitutes part of their presentation grade.
Class Participation (10%): Students are expected to come to class having read the assigned paper(s), and prepared with questions, critiques, and discussion topics. Regular attendance and class participation will count 10% towards their grades in the course.
Project (40%): Students will work individually or in a team of two to four to complete a course-related project. All project ideas are individually approved by the instructor. Project proposals will be due early in the semester (deadline to be announced). A typical project involves implementing one of the concepts described in one of the assigned readings, or using one or more of the research-level software packages covered in class to do an interesting program analysis or to address a non-trivial vulnerability. Some overlap of class projects with the student's doctoral or masters thesis research is both permitted and encouraged.
The course has no required textbook, but two electronic texts available through the UTD library may be useful:
Date | Topic | Presenter(s) |
Introduction and Review | ||
Tue 1/11 | Introduction: Software Security | Instructor |
Thu 1/13 | Introduction: Language-based Security Foundations and Notations | Instructor |
Tue 1/18 | Introduction: Static vs. Dynamic Analysis | Instructor |
Automated Theorem-proving | ||
Thu 1/20 | ACL2 | Vishwath (ACL2 tutorial) |
Tue 1/25 | Coq | Vishwath (ACL2 tutorial cont.) |
Thu 1/27 | No Class (POPL Conference) | |
Tue 2/1 | No Class: University closed due to weather | |
Thu 2/3 | No Class: University closed due to weather | |
In-lined Reference Monitors | ||
Tue 2/8 | SASI | Micah Slides |
Thu 2/10 | SPoX | Micah Slides |
Tue 2/15 | Type-based IRM Certification | Instructor |
Thu 2/17 | Mobile | Instructor |
Tue 2/22 | Model Checking | Meera |
Thu 2/24 | Model-Checking IRM's | Meera |
Software Fault Isolation | ||
Tue 3/1 | Google Native Client | Richard |
Thu 3/3 | CISC SFI Without Source Code | Richard |
Tue 3/8 | Intro to Information Flow | Instructor Slides |
Thu 3/10 | Robusta | Elmer |
Tue 3/15 | No Class (Spring Break) | |
Thu 3/17 | No Class (Spring Break) | |
Malware | ||
Tue 3/22 | Mimimorphism | Trev |
Thu 3/24 | Hybrid Static-Dynamic Analysis | Joseph |
Tue 3/29 | Exploiting Malware Bugs for Defense | John |
Thu 3/31 | Instruction Set Obfuscation | Erik |
Information Flow | ||
Tue 4/5 | Info Flow Vulnerabilities | Lily |
Thu 4/7 | IRM-based Info Flow Enforcement | Kevin |
Tue 4/12 | Declassification | Eric |
Thu 4/14 | Distributed Info Flow | Gil |
Project Presentations | ||
Tue 4/19 | Project Presentation Course Evaluations | Joseph, Vishwath, and Trevor |
Thu 4/21 | Project Presentation | Kevin, Eric, and Meera |
Tue 4/26 | Project Presentation | Erik, Gil, and Richard |
Thu 4/28 | Project Presentation | Micah, Lily, and Elmer |