CMSI 662
Midterm Preparation

Logistics

The exam will be in class on paper. You will have one hour, from 7:30-8:30 pm on Monday, March 30, 2026.

The exam is closed-people, closed-book, closed-computer, closed-everything-except-2-pages-of-cheatsheet-notes.

How to Study

You should:

  1. Review the course learning objectives from the syllabus
  2. Review the course notes on the topics we have covered so far
  3. Do plenty of practice problems!
  4. Browse the suggested self-study resources below

Course Notes Review

Review the course notes if you can, but to help you a little, here’s an outline of the topics we covered:

  1. INTRODUCTION TO COMPUTER AND SOFTWARE SECURITY
    1. INTRO TO COMPUTER SECURITY
      1. Different types of security and their definitions
      2. Correctness vs security
      3. Assets
      4. Threats
      5. Philosophical questions about security
      6. Pillars of security strategy: protection, detection, reaction
      7. Security mindset: every input is a potential threat
      8. Attacks
        1. What they can do: eavesdrop, spoof, deny service, break in
        2. What they compromise: Confidentiality, Integrity, Availability (CIA)
      9. What happened at the Öst-Götha Bank in 1854
      10. Security at all levels: hardware, OS, network, application, human
      11. Security architecture vs. Secure software
      12. Vocab: defect, vulnerability, exploit, threat, risk, failure
    2. INTRO TO SOFTWARE SECURITY
      1. Computer security (cybersecurity) vs Software security
      2. Percentage of security incidents due to bad software: 90%
      3. Security at all phases of the SDLC
      4. Different means of attacks
        1. Low-level memory attacks (e.g., C)
        2. Web and network security
      5. "BUILD SECURITY IN"
        1. So you can cover everything (whitebox)
        2. To avoid ad-hoc security feature checking
        3. To catch errors at domain objects (that's the best)
          • User Ids are not strings
          • Quantities are not integers
        4. Why do we not take security out of software development?
          • If delayed, might not ever happen, and you will get destroyed
          • If delayed, pentesters will show you why your project is bad and should not be deployed
      6. How to define security requirements (and how NOT to!)
      7. Defense in depth
      8. Defense in breadth
      9. Principles
        1. Set Trust Boundaries
        2. Design for Least Privilege
        3. Maintain Integrity
        4. Fail Fast
        5. Audit
        6. Don’t Rely on Secrets
        7. Keep It Simple
        8. Prevent Leaks
      10. Tactics
        1. We named, but did not describe, several dozen of these
      11. Various Software Security Guidelines and Standards
      12. Links to software security resources
  2. PROGRAMMING LANGUAGE BASICS
    1. C BASICS
      1. Hello world
      2. Types
        1. Numbers, booleans
        2. Structs
        3. Pointers
        4. Arrays (NOT bounds checked!!)
      3. printf
        1. format string can be hacked
      4. Functions
      5. Memory layout
        1. Static storage, stack, heap
        2. Pointers to stack storage (be careful)
        3. malloc() for pointers to the heap
        4. free()
        5. Memory Leaks
        6. Dangling Pointers
        7. Structs are copied
        8. Arrays
        9. Arrays are passed as pointers
        10. Frames passed on stack so return address can be overwritten in buffer overflow
      6. Strings (char*)
        1. Also not bounds checked
        2. strlen is linear time
        3. strcpy/strcat vs strncpy/strncat
    2. C++ BASICS
      1. References
      2. Raw Pointers
      3. Structs and Classes
        1. Constructors
        2. Fields
        3. Methods
      4. Smart Pointers
      5. Standard Library Containers and Algorithms
    3. JAVASCRIPT BASICS
      1. Browser-based vs Server-based apps
      2. Types
        1. Primitives vs. References
        2. Null vs Undefined, Number vs BigInt
        3. Weakly typed
      3. Objects, identity, shallow vs deep copy
      4. Destructuring
      5. Prototypes
      6. Arrays
      7. First Class Functions!
      8. This, methods, and arrow functions
      9. Class Syntax
        1. Just a surface syntax
        2. Basics
        3. Private and static properties
      10. Optional Chaining and Coalescing
      11. Promises
    4. JAVA BASICS
      1. Only classes at the top-level
      2. Types
        1. Primitives vs. References
        2. Reference types: Class, array, record, interface, enum
        3. Assignment and equality require care for reference types
        4. Billion Dollar Mistake
      3. Strings (UTF-16 oh no!)
      4. Arrays (weird, covariant) vs lists (invariant)
      5. Interfaces
      6. Records
      7. Optionals
      8. Streams
  3. LANGUAGE-SPECIFIC SECURITY
    1. SECURE C
    2. SECURE C++
    3. SECURE JAVA
    4. SECURE JAVASCRIPT

Practice

Make sure to do the recall questions at the bottom of the course notes.

Tips

There will be questions on CIA, Immutability, C specifics, JavaScript specifics, Java specifics, C++ specifics, Heartbleed, Billion Laughs, terminology, buffer overflowing, freezing, and secure classes, among other topics.

Other Study Resources

Keep in mind that our (world’s) knowledge culture is far more literary than oral, so read, or reread, or watch the presentations and the online guides mentioned near the end of the course notes on Software Security.