NYU, Graduate Division, Computer Science Course, CSCI-GA.3033-014 

 Principles of Software Security 

 Patrick Cousot 

 Spring 2012 



Prerequisites:

The course is open to PhD students and Master students eager to study at the PhD level, which presupposes basic knowledge and includes reading recent, up-to-date, and possibly difficult research papers.

Students are therefore assumed to have successfully completed courses in mathematics (set theory and logic), programming languages, compilation, and operating systems, to have good practice programming in a high-level programming language, and to have a basic knowledge of formal methods.

Students without this minimal background will not really benefit from the course.

Course Description:

Objective of the course: secure programming

Modern societies are increasingly dependent upon the proper functioning of their computing infrastructure. Yet, that infrastructure is riddled with flaws that at best mean systems fail, and at worst, allow a malicious attacker to take control. Broadly speaking, this course will address two questions.
  1. What are common security problems, what are their underlying causes, and why do programmers fail to foresee and fix them?
  2. What are programming principles, guidelines, methods, techniques, and tools that can help to detect and even prevent them?

Traditionally, computer security is enforced by the operating system, which uses special hardware support to ensure security properties at application boundaries. However, the proliferation of successful attacks, such as viruses, worms, SQL injection, and cross-site scripting, shows that traditional approaches to security, based on the control of containers rather than their content, are totally insufficient. Adversaries exploit weaknesses both in the operating system itself, bypassing any protection mechanisms, and, more and more frequently, at the application level, where the operating system provides very limited or no guarantees. In this class we consider how programming language techniques can be used to fill the security gap by defending against application-level attacks.

Language-based security

This course will introduce and survey the emerging field of "Language-based Security", that is, application-level security. It discusses the use of programming-language techniques and programming-language analyses to reason about, and enforce, the security of software applications. It includes basic foundational material on formal methods applied to software security. Going well beyond hacking recipes, the course aims at bridging practical and theoretical issues and at giving the students a feel for ongoing advanced research in programming language technologies related to software security (as published e.g. in annual specialized conferences such as the ACM Conference on Computer and Communications Security (CCS), the IEEE Computer Security Foundations Symposium (CSF), the IEEE Symposium on Security and Privacy, or more generalist conferences such as ACM PLDI, ACM POPL, and ESOP).


     A non-exhaustive list of topics possibly covered in this course is the following


This course provides a deeper understanding of programming language-based concepts for computer security, the design and implementation of security mechanisms, and computer science research in the area of programming languages and security.

Class Hours:

Mondays, 7:10—9:00, Room TBA

Office Hours:

By email appointment on Mondays, 6:00PM—7:00PM, CIWW 405


Textbook:

None; all information (including course notes) is provided online by the instructor.

First class:



Homework:

Reading the course notes is mandatory. The homework exercises are optional and are given to encourage students to improve their knowledge and to train themselves in preparation for the exams. No answers to the homework are given. Students are encouraged to discuss and compare their solutions with other students and, in case of doubt, to ask during office hours.

Personal project:

Midterm exam:

Date TBA, 1 hour, 7:10PM - 8:10PM, Room TBA. Questions on all previous classes.

Final exam:

Date TBA, 2 hours, 7:10PM - 9:00PM, Room TBA. Questions on all previous classes.

Academic integrity:

See the NYU computer science department commitment to academic integrity and the Academic Integrity of the College of Arts and Science.

Course requirements:

Personal project, midterm and final exam. Class attendance highly recommended.


Grading:

Personal project (25%), midterm exam (25%), and final exam (50%).

The course content is online

© P. Cousot