Secure Programming Educational Material
This is the third reincarnation of a secure programming class I taught at Purdue, re-designed thanks to support from Symantec corporation.
The class originated as an optional class associated with an operating systems class taught on UNIX (CS 354).
It has now been split into three classes. Each is designed to take 2.5 days or 5 half-days total. In a university setting, instructors should mix and match material from the three courses to meet the required work according to the number of credits of their class. As an example, a 1 credit class could comprise the slides on shells and environments from course 1, and all of course 2 materials.
I spent several months in spring 2004 working with Symantec engineers to design this new version of the class. It uses a different teaching style. Instead of keeping students passive in class and then giving them long lab assignments, we have shorter programming exercises and discussions interspersed throughout the lectures, with longer classes. In essence, the lectures and labs have become intermingled. This is a much more dynamic and interesting format for the students because it engages them, and allows me to cover more variations on different issues. It requires more work on the part of the instructor, but the students benefit.
List of files(some files available only to instructors)
For course 1, students require access to a web browser, an internet connection and a pdf document reader.
For course 2, students require access to:
For course 3, a copy of the Knoppix-std (security tools distribution) CD and a computer able to boot from it are required to use the lab exercises as written. A Windows machine was used as a vulnerability scan target to show the surprising quantity of information that can be extracted from an unsecured host, even if all the patches had been applied. The material itself tries to address both UNIX and Windows environments.
- gcc (the free UNIX C compiler, due to its various capabilities for detecting string format issues)
- either perl or PHP
- a shell
- MySQL (the Knoppix Live CD was ideal for this; I expect that the students will be able to use their Purdue-provided, personal MySQL access for this exercise)
- a web browser
I welcome notes, comments, suggestions, or modified slides.
Pascal Meunier, Ph.D., M.Sc., CISSP
Purdue University CERIAS
You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions.
Copyright (2004) Purdue Research Foundation. All rights reserved.
- You must give the original author and other contributors credit.
- The work will be used for personal or non-commercial educational uses
only, and not for commercial activities and purposes.
- For any reuse or distribution, you must make clear to others the terms
of use for this work.
- Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification.
- For other uses please contact the Purdue Office of Technology Commercialization.
Developed thanks to the support of Symantec Corporation,
NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center
Jennifer Richardson, Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera
Thanks to Michael Howard for reviewing several sets of slides!
CERIAS, Purdue University / Recitation Building / 656 Oval Drive / West Lafayette IN 47907-2039
phone (800)494-4419 / fax (765)496-3181