
BBM461: Secure Programming

Spring 2024

Instructor: Ahmet Burak Can
Hours: Wednesday, 12:40-15:30
Class: Computer Engineering Building, D1

Course Material

The course does not follow a particular textbook. The course slides are the primary material. Students can, however, refer to the following supplementary books:
  • Counter Hack Reloaded: A Step-by-Step Guide to Computer Attacks and Effective Defenses, Edward Skoudis, Tom Liston, Prentice Hall
  • Hacking Exposed 7: Network Security Secrets & Solutions, Stuart McClure, Joel Scambray, George Kurtz, McGraw-Hill Osborne Media
  • Secure Coding: Principles and Practices, Mark G. Graff, Kenneth R. Van Wyk, O'Reilly Media
  • Software Security: Building Security In, Gary McGraw, Addison-Wesley
  • Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World, Michael Howard, David LeBlanc, 2nd edition, Microsoft Press
  • Foundations of Security: What Every Programmer Needs To Know, Neil Daswani, Christoph Kern, and Anita Kesavan, Apress
  • Security in Computing, C. P. Pfleeger and S. L. Pfleeger, Prentice Hall

Grading Policy

Midterm Exam - 40%
Final Exam - 60%

Communication


Weekly schedule: week, subject, and Internet resources for that week.

Week 1 - Introduction
  • National Vulnerability Database
  • CERT's Java Coding Guidelines

Week 2 - Shell and Environment Flaws
  • A UNIX Shell Tutorial
  • BASH Reference Manual

Week 3 - Buffer Overflow Attacks
  • A Simple Buffer Overflow Example
  • A Tutorial on Buffer Overflow Attacks
  • Heartbleed: a buffer over-read (a read past the end of a buffer, not a write overflow) in OpenSSL's TLS heartbeat handling
  • A Simple Explanation of Heartbleed
  • A Video on Buffer Overflow with GDB
  • Another Video on Buffer Overflow with GDB

Week 4 - Integer Overflow Attacks
  • Integer Overflow Examples

Week 5 - Format String Attacks
  • A Short Tutorial on Format String Attacks
  • A Tutorial on Format String Attacks
  • A Longer Tutorial on Format String Attacks
  • A Paper on Format String Attacks

Week 6 - Code Injection Attacks and Input Validation
  • Command Injection Examples

Week 7 - Web Security Basics
  • OWASP Web Security Testing Guide

Week 8 - SQL Injection
  • Slides from the Foundations of Security book
  • SQL Injection Page on Wikipedia
  • Another Page on SQL Injection
  • A Report on Detecting SQL Injection

Week 9 - Web Client State Manipulation
  • OWASP Cheat Sheet on Session Management

Week 10 - Midterm Exam (17 April 2024)

Week 11 - XSS Attacks
  • OWASP XSS Page
  • Acunetix XSS Page
  • A Comprehensive Tutorial on XSS

Week 12 - CSRF Attacks
  • OWASP CSRF Page
  • OWASP CSRF Prevention Cheat Sheet
  • Acunetix CSRF Page
  • Wikipedia Page on CSRF
  • Testing for CSRF

Week 13 - Link Attacks
  • A Past Vulnerability in the Samba Server
  • A Past Vulnerability in the Apache Server
  • A Page on Crafting Symlinks

Week 14 - Canonicalization and Directory Traversal Problems
  • A Wikipedia Page on Various Path Representations
  • A Simple Definition of UNC
  • A Wikipedia Page on Directory Traversal Attacks
  • How to Obscure Any URL?
  • OWASP Page on Unicode Encoding of URLs

References

Acknowledgements

I thank Pascal Meunier at Purdue University for publicly opening his course materials. These course materials are mostly derived from his course slides.