EECS 700 - Security and Performance
	Prasad Kulkarni EECS Department University of Kansas Course Time: MWF 2:00PM - 2:50PM Course Location: Learned 1131 Office: Eaton 2030 Office Hours: MW: 4:30PM - 5:30PM,                            F: 3:00PM - 4:00PM                        (or by appointment)

Software security is a growing problem, and causes millions of dollars in business losses every year. Software defects that lead to security problems occur at various stages in the software lifecycle, most prominently during software design and code implementation. This course mostly focuses on the security issues that can be addressed by better code implementation practices.

We will look at the most common causes of software vulnerabilities and analyze proposed security measures for effectiveness and costs. In particular, we will focus on language, compiler, OS, and architecture level solutions developed to address security issues. This course is designed to enable students to:

• develop a low-level and detailed understanding of the most common software vulnerabilities, including buffer overflows, integer overflows, format-string defects, code injection, cross-site scripting, etc,
• develop the ability to detect code vulnerabilities, construct exploits for simple vulnerabilities, and understand techniques to write safer code,
• understand the role of language, static analysis, and runtime techniques to eliminate or detect software vulnerabilities,
• understand advanced defenses against code exploits as proposed by researchers, and available in commercial tools, and
• assess the cost and limitations of various defense mechanisms in different application domains.

Course Structure

The course is structured as a part-lecture and part-seminar class. After understanding the genesis of each class of security problems, discussion on their proposed solutions will be conducted as (student and instructor) seminars guided by research papers. Assignments/projects will involve implementing some software exploit, or coding/understanding static analysis and runtime techniques to devise detection abilities.

The students will be expected to:

• be comfortable in programming in a low-level imperative language, like C or C++,
• ideally enjoy, but at least not shy away from, looking at assembly level code, and deciphering or extending large code bases,
• read research papers and present their finding to the class, and
• engage in lively class discussions.

Grading will be based on class presentations (50%), programming projects and/or report (40%), and class presence and participartion (10%). The project presentations must be given on the day they are scheduled, or the presentee must find someone to swap with before the presentation. I do not anticipate a written exam for this class (yipee yay!!).

Textbooks

There are no official texts for this course. Below are some recommended books for additional reading

• The ShellCoder's Handbook, 2nd Edition, by Chris Anley, John Heasman, Felix Linder, and Gerardo Richarte.
• Secure Programming with Static Analysis, by Brian Chess and Jacob West
• Advanced Programming in the Unix Environment, by W. Richard Stevens.

Cheating

Students are encouraged to discuss programs in general and to help one another find bugs in existing programs. Copying another's code or writing code for someone else is cheating, and will be assesed a grade of 'F' on that project. Subsequent instances of cheating will result in an 'F' grade for the entire class. Please review the rules regarding academic ethics and plagiarism in your student handbook.