Secure Programming (HWS2016)

Lecturer: Zhi Guan

Time: Wednesday, 08:30h - 11:30h

Room: A5, C115


Kick-off Meeting

There will be a kick-off meeting on

Sep. 09, Friday (09:30 -10:00) at A5, C014

 Anyone interested in this course is requested to attend this kick-off meeting. At the meeting, we will also discuss the lecture schedule.

Doodle Link

Please select the course time slot in Doodle:


Course Description

This course introduces the knowledge, methods and techniques on the design, analysis and implementation of secure applications with less vulnerabilities. This course emphasizes real-world system security issues, engineering techniques and best practice. In particular, students will gather the following expertis

  1. Software security, including the exploits and defenses of memory bugs including stack overflow, heap overflow, format string bug, integer overflow bugs, etc. This course will also focus on some recent research results of this area.
  2. Hacking and secure programming of Web applications, focusing on Web vulnerabilities such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and injection. Application level solutions and browser mechanisms will be introduced.
  3. Authentication mechanisms such as Pluggable Authentication Modules (PAM), file system access control mechanisms and privileged application developing on Linux and Windows operating systems.
  4. Background and programming of cryptography primitives, security protocols such as SSL/TLS, Public Key Infrastructure (PKI) and certificates. The design and security analysis of programming interfaces.
  5. The Security Development Lifecycle (SDL). SDL is a set of software development process proposed by Microsoft. The goal is to "minimize security-related vulnerabilities in the design, code, and documentation and to detect and eliminate vulnerabilities as early as possible in the development life cycle." It has been used to improve the quality and security of Microsoft SQL Server, IIS, Windows, etc.
  6. Formal methods to develop verifiable code that can be proven to be secure and correct.
  7. The human factors in a security system.


The course is mostly self-contained. Background and knowledge required will be briefly introduced in the beginning of each lecture. The following background is preferred:

  • Some knowledge of operating system and networking.
  • Some experience on C/C++ and Web programming (HTML, JavaScript, PHP, etc.)
  • Students are encouraged to bring their laptops. A few programming projects are part of this course.