CMSI 662: Final Exam Preparation

Logistics

You will take this exam on BrightSpace. It will be multiple choice with a 120 minute time limit. You MAY use books, notes, and web searches to look things up. You will not be spied on: there is no browser lock down and hence no need to hide a mobile device in a bag of potato chips. However, you MAY NOT solicit answers in any way. There is to be no asking for help, no posting on forums, no communication with other humans or intelligent bots in any way; you can only “look things up.” You also MAY NOT post answers or help any other test taker either. You are bound by an honor code to follow these rules.

The exam will be made available on the Monday of Finals Week and must be completed by the Friday of Finals week at at 11:59pm, America/Los Angeles time. Choose any two-hour period in this range to take the exam. You must complete the exam in two hours.

How to Study

You should:

Review the course learning objectives from the syllabus
Review the course notes
Do plenty of practice problems!
Browse the suggested self-study resources below

Course Notes Review

Review the course notes if you can, but to help you a little, here’s an outline of the topics we covered:

INTRODUCTION TO COMPUTER AND SOFTWARE SECURITY
1. INTRO TO COMPUTER SECURITY
  1. Different types of security and their definitions
  2. Correctness vs security
  3. Assets
  4. Threats
  5. Philosophical questions about security
  6. Pillars of security strategy: protection, detection, reaction
  7. Security mindset: every input is a potential threat
  8. Attacks
    1. What they can do: eavesdrop, spoof, deny service, break in
    2. What they compromise: Confidentiality, Integrity, Availability (CIA)
  9. What happened at the Öst-Götha Bank in 1854
  10. Security at all levels: hardware, OS, network, application, human
  11. Security architecture vs. Secure software
  12. Vocab: defect, vulnerability, exploit, threat, risk, failure
2. INTRO TO SOFTWARE SECURITY
  1. Computer security (cybersecurity) vs Software security
  2. Percentage of security incidents due to bad software: 90%
  3. Security at all phases of the SDLC
  4. Different means of attacks
    1. Low-level memory attacks (e.g., C)
    2. Web and network security
  5. "BUILD SECURITY IN"
    1. So you can cover everything (whitebox)
    2. To avoid ad-hoc security feature checking
    3. To catch errors at domain objects (that's the best)
      - User Ids are not strings
      - Quantities are not integers
    4. Why do we not take security out of software development?
      - If delayed, might not ever happen, and you will get destroyed
      - If delayed, pentesters will show you why your project is bad and should not be deployed
  6. How to define security requirements (and how NOT to!)
  7. Defense in depth
  8. Defense in breadth
  9. Principles
    1. Set Trust Boundaries
    2. Design for Least Privilege
    3. Maintain Integrity
    4. Fail Fast
    5. Audit
    6. Don’t Rely on Secrets
    7. Keep It Simple
    8. Prevent Leaks
  10. Tactics
    1. We named, but did not describe, several dozen of these
  11. Various Software Security Guidelines and Standards
  12. Links to software security resources
PROGRAMMING LANGUAGE BASICS
1. C BASICS
  1. Hello world
  2. Types
    1. Numbers, booleans
    2. Structs
    3. Pointers
    4. Arrays (NOT bounds checked!!)
  3. printf
    1. format string can be hacked
  4. Functions
  5. Memory layout
    1. Static storage, stack, heap
    2. Pointers to stack storage (be careful)
    3. malloc() for pointers to the heap
    4. free()
    5. Memory Leaks
    6. Dangling Pointers
    7. Structs are copied
    8. Arrays
    9. Arrays are passed as pointers
    10. Frames passed on stack so return address can be overwritten in buffer overflow
  6. Strings (char*)
    1. Also not bounds checked
    2. strlen is linear time
    3. strcpy/strcat vs strncpy/stncat
2. C++ BASICS
  1. References
  2. Raw Pointers
  3. Structs and Classes
    1. Constructors
    2. Fields
    3. Methods
  4. Smart Pointers
  5. Standard Library Containers and Algorithms
3. JAVASCRIPT BASICS
  1. Browser-based vs Server-based apps
  2. Types
    1. Primitives vs. References
    2. Null vs Undefined, Number vs BigInt
    3. Weakly typed
  3. Objects, identity, shallow vs deep copy
  4. Destructuring
  5. Prototypes
  6. Arrays
  7. First Class Functions!
  8. This, methods, and arrow functions
  9. Class Syntax
    1. Just a surface syntax
    2. Basics
    3. Private and static properties
  10. Optional Chaining and Coalescing
  11. Promises
4. JAVA BASICS
  1. Only classes at the top-level
  2. Types
    1. Primitives vs. References
    2. Reference types: Class, array, record, interface, enum
    3. Assignment and equality require care for reference types
    4. Billion Dollar Mistake
  3. Strings (UTF-16 oh no!)
  4. Arrays (weird, covariant) vs lists (invariant)
  5. Interfaces
  6. Records
  7. Optionals
  8. Streams
SECURITY IN THE SOFTWARE DEVELOPMENT LIFECYCLE
1. OVERVIEW OF THE SDLC
  1. Phases of the SDLC
  2. Security Concerns in Each Phase
2. SECURITY IN DESIGN
  1. Threat Modeling
    1. Asset Identification
    2. Threat Identification
    3. Attacker Identification
    4. Vulnerability Identification
    5. Prioritized Strategies for Defense, Detection, Mitigation, Recovery
  2. Domain-Driven Design
    1. Put the checks in the domain objects themselves!
    2. Don't be afraid to make more classes
3. SECURITY IN PROGRAMMING
  1. Immutability
    1. Why is so great
    2. Immutable variables vs Immutable Objects
    3. Persistent Data Structures
    4. Non-extensibility
    5. If you must have mutability, consider preventing copying or doing defensive copying
  2. Design by Contract
    1. Preconditions
    2. Postconditions
    3. Declarative contracts
  3. Validation
    1. Validate in order
      1. Origin
      2. Authentication
      3. Authorization
      4. State
      5. Size
      6. Lexical
      7. Syntactic
      8. Semantic
    2. Validate in the domain model
    3. Validate in an assertion-style
    4. Be careful with sanitization
  4. Secure Error Handling
    1. Fail fast, fail loudly, rollback if necessary
    2. Best practices for handling failures
    3. Techniques
      1. Throwing errors
      2. Returning errors (together with success values in union or tuple)
      3. Let-It-Crash Philosophy
  5. Reducing Complexity
    1. State-based thinking
    2. Dispatch is better than if-statements
4. SECURITY IN TESTING
  1. Testing Goals
  2. Static Analysis
  3. Types of Software Testing
  4. Fuzz Testing
  5. Penetration Testing
5. SECURITY IN OPERATIONS
  1. SecOps
  2. Best Practices
  3. Continuous Integration
LANGUAGE-SPECIFIC SECURITY
1. SECURE C
2. SECURE C++
3. SECURE JAVA
4. SECURE JAVASCRIPT
SECURITY IN DISTRIBUTED SYSTEMS
1. Cryptology
  1. Vocabulary
  2. Kinds of Ciphers
  3. Secret Key Cryptography
  4. Key Exchange
  5. Public Key Cryptography
  6. Cryptographic Hashing
  7. Message Authentication Codes
  8. Digital Signatures
  9. Cryptanalysis
  10. Security Best Practices for Cryptography
2. Authentication and Authorization
  1. IAM
  2. Authentication
    1. Factors
      1. Something you know
      2. Something you have
      3. Something you are
    2. Password Strength
    3. Password Storage
    4. Handling Authentication Failures
    5. Identity Tokens
    6. MFA
    7. Password Reset
    8. One-time Password
  3. Authorization
    1. Permission
    2. Grant
    3. Identity
    4. Resource
    5. Session
    6. User
    7. Role
    8. Group
    9. Policy
    10. Principal
  4. Differences between Authentication and Authorization
3. Network Security
  1. Network Basics
  2. Network Attacks and Defenses
  3. Tools for Network Security
4. Web Security
  1. WWW Basics
    1. HTTP and HTTPS
      1. Syntax of requests and responses
      2. Headers
      3. Response Codes
      4. REST principles
    2. Web Application Architecture
    3. Cookies
    4. Same Origin Policy
  2. OWASP
  3. Web Security Principles
    1. Probe.ly Checklist
    2. OWASP Checklist
  4. Classic Web Vulnerabilities and Attacks
    1. XSS
    2. CSRF
    3. SQL Injection
    4. URL Injection
    5. Enumeration
  5. Web Browser Client-Side Security
  6. Server-Side and Transport Security
  7. Testing Tools
  8. Implementing XSS, SQL Injection and CSRF in Flask
5. Privacy
  1. Privacy vs. Security
  2. Expectations of Privacy
  3. Topics
    1. Information Safeguards
    2. RTBF
    3. Differential Privacy
    4. Privacy Policies
  4. Case Studies
    1. PGP
    2. GPDR
Practice Problems

On the course practice page, do all of the reinforcement problems and try as many of the find-the-vulnerability problems as you have time for.

Other Study Resources

Keep in mind that our (world’s) knowledge culture is far more literary than oral, so read, or reread, or watch the guidelines, standards, presentations and the online guides mentioned near the end of the course notes on Software Security.
You have to put in the time for effortful self-study. Although the exam is open resources, you will not have time to look everything up. Those who come in with a strong comfort level with the material will finish on time. I am assessing your fluency and your proficiency with the material, not your Google-Fu.

Logistics

How to Study

Course Notes Review

Practice Problems

Other Study Resources