NYU, Graduate Division, Computer Science Course, CSCI-GA.3033-011 

 Principles of Software Security 

 Patrick Cousot 

 Fall 2014 



Prerequisites:

The course is open to PhD students and to Master's students eager to study at the PhD level, which presupposes basic knowledge and includes both the ability to read recent, up-to-date, and possibly difficult research articles and the effective reading of them.

Students are therefore assumed to have successfully completed courses in mathematics (set theory and logic), programming languages, compilation, and operating systems, to have good programming practice in any high-level programming language, and to have a basic knowledge of formal methods.

Students without this minimal background will not really benefit from the course.

Course Description:

Objective of the course: secure programming

Modern societies are increasingly dependent upon the proper functioning of their computing infrastructure. Yet that infrastructure is riddled with flaws that at best cause systems to fail and at worst allow a malicious attacker to take control. The Heartbleed buffer over-read security bug in the open-source OpenSSL cryptography library is a recent example among thousands of other less advertised ones.
Broadly speaking, this course will address three questions.
  1. What are common security problems, what are their underlying causes, why do programmers not correctly foresee and fix them, and why does the hacky security industry pathetically fail?
  2. What are programming principles, guidelines, methods, techniques, and tools that can help to detect and even prevent them?
  3. What will be the security engineering and science of the future?

Traditionally, computer security is enforced by the operating system, which uses special hardware support to ensure security properties at application boundaries. However, the proliferation of successful attacks, such as viruses, worms, SQL injection, and cross-site scripting, shows that traditional approaches to security, based on the control of containers rather than their content, are totally insufficient. Adversaries exploit weaknesses both in the operating system itself, bypassing any protection mechanisms, and more and more frequently at the application level, where the operating system provides very limited or no guarantees. In this class we consider how programming language techniques can be used to fill the security gap by defending against application-level attacks.

Language-based security

This course will introduce and survey the emerging field of "Language-based Security", that is, application-level security. It discusses the use of programming-language techniques and programming-language analyses to reason about, and enforce, the security of software applications. It includes basic foundational material on formal methods applied to software security. Going well beyond hacking recipes, the course aims at bridging practical and theoretical issues and at giving the students a feel for ongoing advanced research in programming language technologies related to software security (as published, e.g., in annual specialized conferences such as the ACM Conference on Computer and Communications Security (CCS), the IEEE Computer Security Foundations Symposium (CSF), and the IEEE Symposium on Security and Privacy, or in more generalist conferences such as ACM PLDI, ACM POPL, and ESOP).


     A non-exhaustive list of topics possibly covered in this course is the following


This course provides a deeper understanding of programming language-based concepts for computer security, of the design and implementation of security mechanisms, and of computer science research in the area of programming languages and security. The objective is to provide a scientific methodology paving the way for security engineering, not a short-term practice based on a series of recipes and hacks which ultimately fail.

Class Hours:

Mondays, 5:10 PM — 7:00 PM, Room WWH 312

First class:

Monday, September 8, 2014 (see the academic calendar).

Office Hours:

By email appointment on Mondays, 4:00PM—5:00PM, CIWW 405


Textbook:

None; all information (including course notes) is provided online by the instructor.


Homework:

Careful reading of the course notes is mandatory. The homework exercises are optional and are given to encourage students to improve their knowledge and to train themselves for the exams. No answers to the homework are given. Students are encouraged to discuss and compare their solutions with other students and, in case of doubt, to ask for help during office hours.

Personal project:

Midterm exam:

Monday, November 3, 2014, 1 hour, 5:10PM—6:10PM, Room WWH 312. Questions on all previous classes.

Final exam:

Monday, December 15, 2014, 2 hours, 5:10PM—7:00PM, Room WWH 312. Questions on all previous classes.

Academic integrity:

See the NYU computer science department commitment to academic integrity and the Academic Integrity of the College of Arts and Science.

Course requirements:

Personal project, midterm, and final exam. Class attendance is highly recommended; studying the course notes is mandatory.


Grading:

Personal project (25%), midterm exam (25%), and final exam (50%).

The course content is online

© P. Cousot