Announcements
None.
Overview
Users of software and hardware products are consistently placed in the untenable position of
reacting to cyber emergencies. Responding on a crisis-by-crisis basis often leaves them on their
heels, and those securing systems on the front lines should not be expected to bear the full weight
of this burden. The intense reactive posture demanded by the current status quo reduces defenders’
ability to predict and prepare for the next wave of incoming attacks.
However, even if every known vulnerability were to be fixed, the prevalence of undiscovered
vulnerabilities across the software ecosystem would still present additional risk. A proactive
approach that focuses on eliminating entire classes of vulnerabilities reduces the potential attack
surface and results in more reliable code, less downtime, and more predictable systems. Ultimately,
this approach enables the United States to foster economic growth, accelerate technical innovation,
and protect national security. Leaving these risks unmitigated comes with a costly price tag and
may allow America’s adversaries to attempt to take advantage of the circumstances.
Back to the Building Blocks: a Path Toward Secure and Measurable Software
This course explores a proactive approach that focuses on eliminating entire classes of
vulnerabilities. In particular, we focus on methods for using programming languages and
language semantics to build provably secure software. We will cover
techniques such as
- program semantics
- security type systems
- runtime monitoring
- formal methods
- symbolic execution
as well as their applications to enforcing security, such as
- information flow security
- quantitative security measures
- differential privacy
- side channel mitigation
We will read papers for each topic in this course.
Coursework
There will be no examinations for this course. The main work for students will be:
- Assignments checking your understanding of the foundations of language-based security, as well as programming assignments providing hands-on experience of using those techniques.
- A couple of recent and classic papers for selected topics. You will read these papers and be prepared to discuss them in depth in class. Students will be responsible for periodically presenting papers and leading discussion.
- A final project with two options. Implementation track: implement any language-based security mechanism that we cover in this course. You will submit the source code as well as a project report. Research track: conduct research on any topic covered in this course. Ideally, your project should, to some extent, advance the state of the art in the topic of your choice, but a comprehensive survey that goes beyond the papers we discussed in this course is also acceptable.
Instructor: Danfeng Zhang