Department of Computer Science and Technology

Course pages 2017–18

Paper 2: Software and Security Engineering

Lecturer: Professor R.J. Anderson

No. of lectures: 11

Suggested hours of supervisions: 3

This course is a prerequisite for the Group Project.

Aims

This course aims to introduce students to software and security engineering, and in particular to the problems of building large systems, safety-critical systems and systems that must withstand attack by capable opponents. Case histories of failure are used to illustrate what can go wrong, and current software and security engineering practice is studied as a guide to how failures can be avoided.

Lectures

What is a security policy or a safety case? Definitions and examples; one-way flows for both confidentiality and safety properties; separation of duties. Top-down and bottom-up analysis methods. What architecture can do, versus benefits of decoupling policy from mechanism.
Predicting user behaviour. Predicting and mitigating user errors. The hierarchy of harms. Attitudes to risk: expected utility, prospect theory, framing, status quo bias, gender. The characteristics of human memory; forgetting passwords versus guessing them.
Security protocols; how to enforce policy using cryptography and structured human interaction. Man-in-the-middle attacks. The role of verification and its limitations.
Bugs of different types: design errors, implementation errors affecting arithmetic, logic, syntax, and concurrency. Code injection attacks. Defensive programming: secure coding, contracts. Fuzzing.
The software crisis. Examples of large-scale project failure, such as the London Ambulance Service system and the NHS National Programme for IT. Intrinsic difficulties with complex software.
The software life cycle. The software life cycle. Getting the specification right; requirements analysis methods; modular design; the role of prototyping; the waterfall and spiral models.
Guest lecture. A guest lecture on design for testability.
Modern integrated development environments. Tools to support code management, code review and test case generation; git and Jenkins. Continuous integration, refactoring, release engineering, patch strategies.
Critical systems: where real-time performance, safety or security is essential. Examples of catastrophic failure; problems with usability and human error for both safety engineering and security engineering.
Quality assurance. The contribution of reviews and testing; reliability growth models; static analysis tools; programming philosophies; software maintenance life-cycle costs. The need for code indexing, code ownership, library management, design documentation and the maintenance of safety and security ratings.
Real-world challenges in combining safety and security. Project planning tools; PERT and GANTT charts. Open source: advantages and drawbacks. Evaluation and assurance; maintaining a security rating or a safety case.

Objectives

At the end of the course students should know how writing programs with tough assurance targets, in large teams, or both, differs from the programming exercises they have engaged in so far. They should appreciate the waterfall, spiral and evolutionary models of software development as well as the value of various development and management tools. They should understand the development life cycle and its basic economics. They should understand the various types of bugs, vulnerabilities and hazards, how to find them, and how to avoid introducing them. Finally, they should be prepared for the organizational aspects of their Part IB group project.

Paper 2: Software and Security Engineering

Aims

Lectures

Objectives

Recommended reading