NYU, Graduate Division, Computer Science Course, CSCI-GA.3033-011
Principles of Software Security
The course is opened to PhD students and Master students eager to study at the PhD level, which presupposes basic knowledge and includes the ability to read and the effective reading of recent, up to date, and possibly difficult research articles.
Therefore students are assumed to have previously successfully studied courses in mathematics (set theory and logic), programming languages, compilation, and operating systems, to have a good practice of programming in any high-level programming language, and to have a basic knowledge in formal methods.
Students without this minimal background will not really benefit from the course.
Objective of the course: secure programming
Modern societies are increasingly dependent upon the proper functioning of their computing infrastructure. Yet, that infrastructure is riddled with flaws that at best mean systems fail, and at worst, allow a malicious attacker to take control. The Heartbleed buffer over-read security bug in the open-source OpenSSL cryptography library is a recent example among thousands of other less advertised ones.
Broadly speaking, this course will address three questions.
Traditionally, computer security is enforced by the operating system, which uses special hardware support to ensure security properties at application boundaries. However, the proliferation of successful attacks, such as viruses, worms, SQL injection, and cross-site scripting, shows that traditional approaches to security based on the control of containers not their content are totally insufficient. Adversaries exploit weaknesses both in the operating system itself, bypassing any protection mechanisms, and more and more frequently at the application level, where the operating system provides very limited or no guarantees. In this class we consider how programming language techniques can be used to fill the security gap by defending against application-level attacks.
© P. Cousot