C語言安全程式設計 (Secure Coding in C and C++)

1. Course Number: 219172
2. 課程目標Course objectives: This course identifies and explains these root causes of software defects and vulnerability, and shows the steps that can be taken to prevent exploitation. Moreover, this course encourages students to adopt security best practices and to develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s. Drawing on the reports and conclusions from CERT (Computer Emergency Response Team), this course systematically identifies the program errors most likely to lead to security breaches, shows how they can be exploited, reviews the potential consequences, and presents secure alternatives.
3. Course time: Wednesday 18:10-21:00 (3JKL)
4. Classroom: TC-209
5. 修課人數: 23
6. Textbook:
   1. [eBook] Michael Howard and David LeBlanc, "Writing Secure Code", 2nd Edition, Microsoft Press, 2003.
7. References:
   1. Robert Seacord, "Secure Coding in C and C++", Addison-Wesley Professional; 2nd edition (April 11, 2013). ISBN: 978-0321822130
   2. Robert C. Seacord, "CERT® C Coding Standard, Second Edition, The: 98 Rules for Developing Safe, Reliable, and Secure Systems"
   3. John Viega, "Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation and More", O'Reilly Media; 1st edition (August 5, 2003). ISBN:978-0596003944
8. 授課方式Teaching approach: Lectures, Oral Presentations, & Hands-On Exercises
9. Grading criteria:
   • Oral Presentation (30%)
   • Exercise (10%)
   • Midterm Exam (30%)
   • Term Project (30%)
10. 先修課程Prerequisites: 程式設計
11. Software:
    1. VirtualBox 6.1
    2. PuTTY 0.76
    3. Visual Studio 2022 Community Edition (English version)
12. TA協助事項Teaching Assistant tasks: Hands-On Assistance, Presentation Rehearsal

Syllabus

1. 9/14 Chapter 5: Buffer Overrun
   • [YouTube] Assembly Primer For Hackers
     1. Part 1 - System Organization
     2. Part 2 - Virtual Memory Organization
     3. Part 3 - Gdb Usage Primer
     4. Part 4 - Hello World
     5. Part 5 - Data Types
     6. Part 6 - Moving Data & Addressing Modes
     7. Part 7 - Working with Strings
     8. Part 8 - Unconditional Branch
     9. Part 9 - Conditional Branching
     10. Part 10 - Functions
     11. Part 11 - Functions Stack
   • [YouTube] Stack Canary
   • [YouTube] Stack Canary & Bypassing
   • [YouTube] How can a program tell if stack canary has changed?
2. 9/21 Chapter 3: Security Principles to Live By
   • gRPC (by Lawrence)
3. 9/28 Chapter 6: Access Control
4. 10/5 Chapter 7: Running with Least Privilege
5. 10/12 Chapter 8: Cryptographic Foibles
6. 10/19 Chapter 9: Protect Secret Data
7. 10/26 Chapter 10: Input Validation
8. 11/2 Chapter 11: Canonical Representation Issue
9. 11/9 Chapter 12: Database Input Issues
10. 11/16 Chapter 13: Web-Specific Input Issues
11. 11/23 Chapter 14: Internationalization Issues
12. 11/30 Chapter 15: Socket Security
13. 12/7 Chapter 16: Securing RPC (Remote Procedure Call)
14. 12/14 Chapter 17: Protecting Against DoS Attacks
15. 12/21 Rehearsal of Exam
16. 12/28 Exam

Websites

1. OpenSSF
   1. Mailing Lists
2. 教育部資訊安全人才培育計畫
   • 大學教材申請
   • 嘉義大學 安全程式設計
3. SecTools.Org: Top 125 Network Security Tools
4. Prossimo - Memory Safety
5. x86 Assembly Instrctions
6. Assembly Directives
7. GNU Assembler (as)
8. [Oracle] x86 Assembly Language Reference Manual
9. [Brown] x64 Cheat Sheet
   • The Cheat Sheet lists brief concepts about the X86 assembler, including registers, operands specifiers, instructions, and simple code practices.
10. [Yale] x86 Assembly Guide
    • The guide provides a clear explanation and example of each component in X86.