The course covers various topics in software security over 6 weeks, including low-level memory-based attacks and defenses, web application security, secure software design principles, automated code review techniques, and penetration testing. Students will complete weekly quizzes on the course material and three hands-on programming projects, including exploiting a buffer overflow, finding vulnerabilities in web applications, and using static analysis tools. The overall goal is to learn about common security attacks and effective defenses and testing techniques.
Software Security
Cybersecurity Specialization- Coursera
Syllabus

The core content of the course is as follows, with one topic per week:

1. Low-level, memory-based attacks, including stack smashing, format string attacks, stale memory access attacks, and return-oriented programming (ROP)
2. Defenses against memory-based attacks, including stack canaries, non-executable data (aka W^X or DEP), address space layout randomization (ASLR), memory-safety enforcement (e.g., SoftBound), and control-flow integrity (CFI)
3. Web security, covering attacks like SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and session hijacking, and defenses that have in common the idea of input validation
4. Secure design, covering ideas like threat modeling and security design principles, including organizing ideas like favor simplicity, trust with reluctance, and defend in depth; we present real-world examples of good and bad designs
5. Automated code review with static analysis and symbolic execution, presenting foundations and tradeoffs and using static taint analysis and whitebox fuzz testing as detailed examples
6. Penetration testing and fuzz testing, presenting an overview of goals, techniques, and tools of the trade

Assessment

There will be a quiz each week covering the material presented that week. Each quiz is due two weeks after its release, at 8am ET (i.e., just prior to the release of that week's material). There will also be three hands-on projects:

1. Buffer overflow attacks: the lab walks you through how a buffer overflow occurs and how it can be exploited.
2. Web application security: the lab asks you to find and exploit common vulnerabilities in web applications, like SQL injection and cross-site scripting.
3. Static analysis for finding security bugs: the lab gives you some experience using tools that aim to find security flaws automatically.

Students will carry out the work of these projects at home and, to show that they have done so, will take a project-specific quiz.
Computer Security (aka Cyber Security)

Correctness: what a system should do.
Security: what a system should not do, whatever input an adversary supplies.

Memory-based attacks

We will begin our discussion of software security by understanding one of the oldest and most pernicious attacks against software: the buffer overflow. We will see how buffer overflows are one kind of memory-based attack that low-level software (written primarily in C and/or C++) is susceptible to, and we will consider other memory-based attacks as well. Your project for this week will be to construct a simple exploit of a buffer overflow, to see how it works.
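The paragraph above describes the mechanism in words; the following is an added worked example (not code from the course or its labs) showing the smallest version of it. A record holds an 8-byte name followed by an `is_admin` flag; a copy routine bounds the write by the attacker-supplied length instead of the field size, so a 12-byte input fills the name and then lands in the flag. The struct name, function names and sample inputs are all constructed for this illustration. The overwrite is deliberately kept inside the record (written through a byte pointer to the whole object) so that it is well-defined C and behaves the same at any optimization level; overrunning the record itself, into saved registers and the return address, is the next step and is what the "Smashing the Stack" reading covers.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo record (not from the course): an 8-byte name followed
 * immediately by a 4-byte flag. Declaration order fixes the layout, so
 * bytes written past name[7] land in is_admin. */
struct login_record {
    char name[8];
    int  is_admin;
};

/* Vulnerable copy: the bound is the caller-supplied len and is never
 * compared against sizeof rec->name. The write goes through a byte pointer
 * to the record as a whole, which keeps the overwrite well-defined C so the
 * demo does not depend on optimization level or fortify settings. */
static void set_name_unchecked(struct login_record *rec,
                               const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)rec
                       + offsetof(struct login_record, name);
    memcpy(dst, src, len);           /* BUG: len may exceed sizeof rec->name */
}

/* Hardened copy: refuse input that does not fit together with its
 * terminator. Returns 0 on success, -1 if rejected. Silent truncation is
 * avoided on purpose: a truncated name is a different name. */
static int set_name_checked(struct login_record *rec,
                            const unsigned char *src, size_t len)
{
    if (len >= sizeof rec->name)
        return -1;
    memcpy(rec->name, src, len);
    rec->name[len] = '\0';
    return 0;
}

/* Zero a record, apply the unchecked copy, report is_admin afterwards.
 * Inputs longer than the record are refused (returns -2) so the demo stays
 * inside the struct; past that point the bytes would hit whatever the
 * compiler placed next on the stack. */
int admin_after_unchecked(const unsigned char *input, size_t len)
{
    struct login_record rec;
    memset(&rec, 0, sizeof rec);
    if (len > sizeof rec)
        return -2;
    set_name_unchecked(&rec, input, len);
    return rec.is_admin;
}

/* Same, with the hardened copy. Returns -1 if the input was rejected. */
int admin_after_checked(const unsigned char *input, size_t len)
{
    struct login_record rec;
    memset(&rec, 0, sizeof rec);
    if (set_name_checked(&rec, input, len) != 0)
        return -1;
    return rec.is_admin;
}

/* Constructed inputs (not from the course). The attack string is exactly
 * 12 bytes: 8 fill the name, the next 4 ('A' = 0x41) overwrite is_admin,
 * giving 0x41414141 regardless of byte order. */
const unsigned char sample_benign[3] = { 'b', 'o', 'b' };
const unsigned char sample_attack[12] = {
    'o', 'v', 'e', 'r', 'f', 'l', 'o', 'w',   /* name[0..7] */
    'A', 'A', 'A', 'A'                        /* spills into is_admin */
};

int main(void)
{
    printf("unchecked, benign : is_admin = 0x%x\n",
           (unsigned)admin_after_unchecked(sample_benign, sizeof sample_benign));
    printf("unchecked, attack : is_admin = 0x%x\n",
           (unsigned)admin_after_unchecked(sample_attack, sizeof sample_attack));
    printf("checked,   attack : result   = %d\n",
           admin_after_checked(sample_attack, sizeof sample_attack));
    return 0;
}
```

The benign input leaves `is_admin` at 0, the 12-byte input sets it to 0x41414141 through the unchecked copy, and the checked copy rejects the same input outright. The fix is the length comparison against the field size, not against anything the input claims about itself.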
Reading

- Smashing the Stack for Fun and Profit, by Aleph One (insecure.org)
- formatstring-1.2.pdf (stanford.edu)
- CERN Computer Security Information: C common memory vulnerabilities
- Phrack Magazine
- Memory Layout of C Programs (GeeksforGeeks)
- How security flaws work: The buffer overflow (Ars Technica)
- PC Assembly Book (pacman128.github.io)

Week 1 - Low Level Security: Introduction
Week 1 - Memory Layout