Never Ending Security

It starts all here

CS 390S: Secure Programming

CS 390S: Secure Programming

If you wonder how vulnerabilities are created, and what are the various types of vulnerabilities, this class is for you. If you want to be more employable and have an edge, this class will show employers that you are less likely to cause them embarrassment and cost them through mistakes. They also won’t have to pay huge sums to send you to secure programming seminars and classes. This one-credit class will explain the fundamental issues in secure programming: trust management, design issues, and the many stupid little mistakes with big consequences that programmers are likely to do. No book purchase is required, as the material is entirely provided on slides. We will focus on how to do things correctly, and not on exploits (although examples will be provided for entertainment and motivational reasons). Students interested in how some exploits work may consult “Secure Coding in C/C++” (Seacord 2005, Addison-Wesley) while taking this class. This one-credit class emphasizes low-level mistakes, and also covers secure programming principles and ideas. However, other important topics such as the proper use of cryptography, software development methods, requirement specification, architecture, testing and other software assurance subjects are not covered due to time limitations.

Topics covered

  • Shell and environment
  • Buffer overflows
  • Integer overflows
  • Format strings
  • Meta-character vulnerabilities (code injection) and Input Validation
  • Web Application issues (including cross-site scripting vulnerabilities)
  • Race conditions
  • File system issues
  • Randomness

Slides will be posted on the same day as the class.

January 9: Introduction to Secure Programming & Motivation

  • Definitions of vulnerabilities, attacks, exploits, exposures, flaws
  • Need for secure programming
  • NIST: NVD (National Vulnerability Database), NIST guides
  • NIST CVSS (Common Vulnerability Scoring System)

Week 1 (pdf)
Classes of Vulnerabilities and Attacks (Pascal Meunier) Wiley Handbook of Science and Technology for Homeland Security (distributed in class, or by email). You should read the first 4 pages this week and be done reading it by the mid-term.

January 16: Secure Programming Principles & Assurance
Week 2 (pdf)

January 23: Buffer Overflows
Week 3, version 2 with clipped text fixed (pdf)

January 30: Buffer Overflows, part 2
Week 4

February 6: Integer Overflows, Format String Vulnerabilities
Week 5

February 13: Shells and Environment
Week 6

February 20: Exec calls, Trust Boundaries
Week 7, v2 (v2 changes: reworked the “exec” and “file descriptors” slides)

February 27: Mid-term
Does not include material seen on February 20. Remember, taking the mid-term is mandatory for a passing grade…

March 5: Meta-character vulnerabilities and code injection
Week 9

March 12: Spring Break

March 19: Web Applications
Week 11

  • Domain Security
  • JavaScript Injection (a.k.a. XSS, Cross-site scripting vulnerabilities)

March 26: Race Conditions
Week 12

April 2: File System Issues: Links, Directory Crawls, and Race Conditions
Week 13 (abridged version so we can catch up)

April 9: Randomness and Canonicalization
Week 14

April 16: Last Exam

April 23: Solution to last exam, grades, discussions

Remember, there is no final, regardless of whether a final is scheduled by Purdue.


Student’s choice: 2 out of these 6 possibilities.
Labs are described at the SEED project. The choices are:

  1. Buffer Overflow Vulnerability Lab: exploit the buffer overflow vulnerability.
  2. Return-to-libc Attack Lab: exploit the buffer-overflow vulnerabilities using return-to-libc attacks.
  3. Format String Vulnerability Lab: exploit the format string vulnerability.
  4. Race Condition Vulnerability Lab: exploit the race condition vulnerability.
  5. Chroot Sandbox Vulnerability Lab: explore how the chroot sandbox can be broken.
  6. Cross-site Scripting Attack Lab: exploiting cross-site scripting vulnerabilities.

Turn in your first choice by February 20 and your second by April 9 extended by request to April 16, but note that I will be traveling and unable to answer lab questions from Saturday to Wednesday morning.

CS 390S: Secure Programming

Slides will be posted on the same day as the class.

January 10: Introduction to Secure Programming
Special Guest: Scott David Miller, Ph.D. student and Arxan employee
Also: Vulnerability definitions and secure programming resources
Week 1 (pdf)
Week 1 (powerpoint)
Scott’s slides (pdf)
Scott’s slides (powerpoint)

January 17: Lab 1. Buffer Overflows Part 1
Week 2 (pdf)
Week 2 (powerpoint)
Submitted links:
Anti-Virus Defence (sic) In Depth (
Defense in Depth (Wikipedia)

January 24: Buffer Overflows Part 2
Week 3 (pdf)
Week 3 (powerpoint)

January 31: Format String Vulnerabilities and Integer Overflows
Week 4 (pdf)
Week 4 (powerpoint)

February 7: Shells and Environment, Lab 2
Week 5 (pdf)
Week 5 (powerpoint)
Lab 1 is due!

February 14: Snow storm, classes cancelled

February 21: Exec calls, Trust
Week 7 (pdf)
Week 7 (powerpoint)
CWE coverage starts now! Issues covered:

    -Trust Boundary Problems
        - "Inconsistent validation mechanisms"
            - Same source handled differently in different code locations
            - At different times
            - In different circumstances
            - From different sources
                -Authentication Bypass by Alternate Path/Channel (288)
                -Unprotected Alternate Channel ID 420
        -Ill-defined trust boundaries
        -Trust Boundary Violation (diverges from ID 501 definition)
        -Misplaced or Absent Trust Boundaries
            -Self-reported information
                - "Trusting self-reported IP address, ID 291
                - "Trusting self-reported DNS name", ID 292
                - Using referrer field for authentication, ID 293
            -"Trusting the client"  no ID
                - "Client-Side Makes Server Security Decisions"  no ID
                - "Server trusting client-side-controlled data" no ID
                    -"Trusting Cookie Information" is Use of Cookies ID 565
                    -Web Parameter Tampering, ID 472
                        -Access Control Bypass Through User-Controlled SQL Primary Key, ID 566
            -Trusting Events
                -Trust of system event data ID 360
                -Unprotected Windows Messaging Channel ('Shatter') ID 422
    -Cryptographic Trust Assurance
        -Certificate Issues, ID 295
           -Failure to follow chain of trust in certificate validation ID 296
           -"Failure to validate host-specific certificate data" ID 297
           -No OpenSSL Certificate Check Performed before this Use ID 599
           -Failure to validate certificate expiration (298)
           -Failure to check for certificate revocation (299)
           -Race condition in checking for certificate revocation (370) 
        -Use of Encrypted Cookies 
           -Counterexample: Plaintext Storage in Cookie, ID 315 (different perspective on ID 565, but essentially the same mistake)

February 28: Mid-term
Does not include material seen on February 21. Remember, taking the mid-term is mandatory for a passing grade…

March 7: Meta-character vulnerabilities and code injection
Week 9 (pdf)
Week 9 (powerpoint)
CWE coverage:

Special elements (characters or reserved words), CWE ID 138
   Quoting elements " ' (149)
   Control characters and escape sequences (150)
   Delimiters (tabs, commas, etc...) (140)
   Input terminators (147)
   Wildcards (155)
   Comment element (151)
   dot dot and more
Code Injection attacks, CWE ID 77
   Shell commands, CWE ID 77
   SQL, CWE ID 89
   XPATH (no CWE ID yet)
   Custom special character injection, CWE ID 92
   Escape, meta, or control character/sequence, CWE ID 150
   LDAP, CWE ID 90
   Direct dynamic code evaluation, CWE ID 95
Input cleansing
   Collapse of Data into Unsafe Value (182)
      Path Issue - doubled dot dot slash - '....//' (34)
      Path Issue - doubled triple dot slash - '.../...//' (35)
Escaping and Encoding Issues
   URL-encoding, CWE ID 177
   Unicode, CWE ID 176
   Alternate Encoding, CWE ID 173
   Double Encoding, CWE ID 174

March 14: Spring Break

March 21: Web Applications: JavaScript Injection (a.k.a. XSS, Cross-site scripting vulnerabilities)
Week 10 (pdf)
Week 10 (powerpoint)

Cross-site Scripting Vulnerabilities (ID 79)
Cross-site request forgeries (attack type, ID 352)
Session fixation (ID 384)

March 28: Race Conditions (Lab 2 due! Last mini-lab)
Week 11 (pdf)
Week 11 (powerpoint)

Signal handler race condition 364
Race condition in switch (365)
Race condition within a thread (366)
Time-of-check Time-of-use race condition (367)
Context Switching Race Condition (368)
Concurrency Issues (557)
Link Following (59)
   Windows Shortcut Following (.LNK) (64)
   UNIX symbolic link (symlink) following (61)
   UNIX hard link (62)
   Windows hard link (65)

April 4: File System Issues: Links, Directory Crawls, and Race Conditions
Week 12 (pdf)
Week 12 (powerpoint)

Improper temporary file opening, ID 378
Privilege Dropping / Lowering Errors, ID 271

April 11: Randomness and Canonicalization (Last mini-lab due!)
Week 13 (pdf)
Week 13 (powerpoint)

also look at the canonicalization slides at

April 18: Last Exam

April 25: Solution to last exam, grades, discussions

Remember, there is no final, regardless of whether a final is scheduled by Purdue.

Secure Programming Educational Material

This is the third reincarnation of a secure programming class I taught at Purdue, re-designed thanks to support from Symantec corporation.

The class originated as an optional class associated with an operating systems class taught on UNIX (CS 354). It has now been split into three classes. Each is designed to take 2.5 days or 5 half-days total. In a university setting, instructors should mix and match material from the three courses to meet the required work according to the number of credits of their class. As an example, a 1 credit class could comprise the slides on shells and environments from course 1, and all of course 2 materials.
I spent several months in spring 2004 working with Symantec engineers to design this new version of the class. It uses a different teaching style. Instead of keeping students passive in class and then giving them long lab assignments, we have shorter programming exercises and discussions interspersed throughout the lectures, with longer classes. In essence, the lectures and labs have become intermingled. This is a much more dynamic and interesting format for the students because it engages them, and allows me to cover more variations on different issues. It requires more work on the part of the instructor, but the students benefit.

Course Descriptions
List of files(some files available only to instructors)
Class 1
Class 2
Class 3

For course 1, students require access to a web browser, an internet connection and a pdf document reader.
For course 2, students require access to:

  • gcc (the free UNIX C compiler, due to its various capabilities for detecting string format issues)
  • either perl or PHP
  • a shell
  • MySQL (the Knoppix Live CD was ideal for this; I expect that the students will be able to use their Purdue-provided, personal MySQL access for this exercise)
  • a web browser

For course 3, a copy of the Knoppix-std (security tools distribution) CD and a computer able to boot from it are required to use the lab exercises as written. A Windows machine was used as a vulnerability scan target to show the surprising quantity of information that can be extracted from an unsecured host, even if all the patches had been applied. The material itself tries to address both UNIX and Windows environments.

I welcome notes, comments, suggestions, or modified slides.

Pascal Meunier, Ph.D., M.Sc., CISSP
Purdue University CERIAS


You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions.

  • You must give the original author and other contributors credit.
  • The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes.
  • For any reuse or distribution, you must make clear to others the terms of use for this work.
  • Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification.
  • For other uses please contact the Purdue Office of Technology Commercialization.

Copyright (2004) Purdue Research Foundation. All rights reserved.

Developed thanks to the support of Symantec Corporation,
NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center
Jennifer Richardson, Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera
Thanks to Michael Howard for reviewing several sets of slides!

Files for Class 1

1.Security overview and patching (ppt)
2.Public vulnerability databases (ppt)
3.Secure design principles and process (ppt)
4.Security assessment and testing (ppt)
5.Shell and environment (pdf)|(ppt)
6.Resource exhaustion (ppt)
7.Trust management (pdf)|(ppt)

Files for Class 2

1.Buffer_Overflows (pdf)|(ppt)
2.Format_Strings (pdf)|(ppt)
4.XSS (pdf)|(ppt)
5.Links & Races(pdf)|(ppt)
6.Temporary storage & Randomness(pdf)|(ppt)
7.Canonicalization and Directory Traversal(pdf)|(ppt)
8.Integer Overflows(pdf)|(ppt)

Supporting Files:

Files for Class 3

1.Architecture (ppt)
2.Physical Link Layer (ppt)
3.Network (pdf)|(ppt)
4.Transport (pdf)|(ppt)
5.DNS, RPC, NFS (pdf)|(ppt)
6.Routing (pdf)|(ppt)
7.Wireless (pdf)|(ppt)
8.xSEC & IPv6 (ppt)

Supporting Files:

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s