Course syllabus
Course-PM
TDA602 / DIT101 Language-based security lp4 vt19 (7.5 hp)
Course is offered by the department of Computer Science and Engineering
Contact details
Instructor: Andrei Sabelfeld, office 5476.
Teaching assistants: Benjamin Eriksson, office 5447, and Alexander Sjösten, office 5449.
Course purpose
Modern attacks often succeed at circumventing standard security mechanisms. While operating-system security policies are low-level (such as access control policies, protecting particular files), many attacks are high-level, or application-level (such as email worms that pass by access controls pretending to be executed on behalf of a mailer application). Because applications are typically specified and implemented in programming languages, application-level security is a part of the more general area of language-based security. A direct benefit of language-based security is the ability to naturally express security policies and enforcement mechanisms using the techniques of the well-developed area of programming languages.
Schedule
Course literature
No specific book is used as a course book. The material consists of hand-outs, papers, etc. However, I recommend the following book for complimentary reading on the subject:
- Building Secure Software: How to Avoid Security Problems the Right Way by John Viega and Gary McGraw, Addison-Wesley, 2001, 528 pages.
Course design
This course combines practical and cutting-edge research material. For the latter part, the courses particular emphasis is on the use of formal, or semantic, models of program behavior for specifying and enforcing security properties. The dual perspective of attack vs. protection is threaded through the lectures, laboratory assignments, and projects.
The course consists of lectures, group meetings and project presentations.
Learning objectives and syllabus
After the course, you should be able to apply practical knowledge of security for modern programming languages. This includes the ability to identify application- and language-level security threats, design and argue for application- and language-level security policies, and design and argue for the security, clarity, usability, and efficiency of solutions, as well as implement such solutions in expressive programming languages.
You should be able to demonstrate the critical knowledge of: principles behind application-level attacks (such as Trojan horses,worms, buffer overrun attacks, web application attacks, covert channels, and malicious code) and language-based protection mechanisms (such as static security analysis, reference monitoring, program transformation, and stack inspection). You should gain experience in technical writing.
Link to the syllabus on Studieportalen: here
Examination form
To pass the course, the students must pass the laboratory assignments and the exam. In order to pass the exam, the students need to make a presentation of the project in class and pass the requirements on a written report/position paper that documents the project.
Course summary:
| Date | Details | Due |
|---|---|---|