Software Security (Secure Programming)

Course #: IOC5087 / 5247

News

• 2020-12-25: Slide list is updated.
• 2020-12-18: Slide list is updated.
• 2020-12-11: Slide list is updated.
• 2020-12-04: Slide list is updated.
• 2020-11-20: Slide list is updated.
• 2020-11-13: Slide list is updated.
• 2020-11-06: Slide list is updated.
• 2020-10-30: Slide list is updated.
• 2020-10-23: Slide list is updated.
• 2020-10-16: Slide list is updated.
• 2020-09-28: Homework 0x01 is out. The deadline is 9am on 2020-10-18. Please check the course web site. Alternativaly, you may download homework files from this course website.
• 2020-09-25: Solution for HW00 from TA is available at here.
• 2020-09-25: Slide list is updated.
• 2020-09-18: Our shared course website is located at edu-ctf.csie.org. You can only access the website from IP addresses belong to NCTU, NTU, NTHU, NCU, NTUST, and NTNU. If you were at home, please consider working with campus VPNs.
• 2020-09-18: Please complete homework 0x00 at your earliest convenience. The website is located at hw00.zoolab.org. The deadline for homework 0x00 is 9:00am, Sept. 25.
• 2020-09-16: For students who want to sign up this course, please 1) attend the course introduction class on Sept.18, and 2) complete Homework 0x00 of this course, which will be announced in our first class.
• 2020-09-16: Course web site refreshed.

Homework Submission Procedure

1. Solve homework assignments on the CTF website.
2. Pack all your files (source codes and write-ups) into a single archive.
3. Submit all your files to new E3 system.
4. Content in your write-ups:
   • Real name, Nickname on course website, Student ID
   • Explain the method you used for each problem. If some step of your solution cannot be written as scripts, you have to explain them in more detail here.
   • Please pack the scripts as seperated files in code/ folder, and briefly explain what they do in the writeup.

Downloads

• Slides: intro, 01 crypto, 02 crypto, 03 crypto, 04 web basic, 05 web, 06 web, 07 rev1, 08 rev2, 10 pwn1, 11 pwn2, 12 pwn3, .
• Downloads: hw01_poa, hw01_cor, hw02_rsa, hw02_lsb, hw03_bet, [No files for Web homework hw04 ~ hw06], hw07_gcrazy, hw08_wishMachine, hw08_curse, hw08_scp, hw0a_robot, hw0a_survey, hw0b_babynote, hw0b_childnote, .
• Binary exploit slides from angelboy [slideshare]

Course Information

• Lectures: Friday 9:30--12:10.
• Office Hours: Tuesday 10am--12pm @ EC417
• Classroom: EC316.
• Prerequisite: Assembly language, C/C++ programming, and UNIX programming.
• Reference books:
  1. Brian Chess and Jacob West, "Secure Programming with Static Analysis", Addison Wesley Professional, 2007, ISBN-10: 0-321-42477-8.
  2. Robert C. Seacord, "Secure Coding in C and C++", 2006 Pearson Education, Inc.
  3. Michael Howard and Davide LeBlanc, "Writing Secure Code", 2006 Microsoft Press.
  4. Mark G. Graff and Kenneth R. van Wyk, "Secure Coding Principles and Practices", 2003 O'Reilly and Associates, Inc
• TAs:
  • Lead TA @ NCTU: Ting-Yu Chen. Email: echo dGVycnluaW5pMzg1MTRAZ21haWwuY29tCg== | base64 -d
  • TA group. Email: echo Y3RmQGNzaWUubnR1LmVkdS50dwo= | base64 -d
• Course Topics:
  1. General: Tools, Assembly, and x86 Linux Programming
  2. Binary: BOF, FMT/ROP, Heap, and other advanced topics
  3. Web: Web overview, PHP basics, SQL basics, Web vulnerabilities, and case studies
  4. Reverse engineering: Game hacking, Malware reverse, Windows reverse
  5. Crypto: Symmetric algorithms, Asymmetric algorithms, and Crypto in CTF
  6. Others: Talks on specific topics
• Grading policy: (tentative) Homework (65%), Final CTF (25%), and class participation (10%).
• Bonus: additional performance in security contests or bug bounty programs
• Homework judgment policy: We do not welcome copycats. You are encourages to discuss with your classmates, but all your submissions must be your own work.