Software Security and Testing (Spring 2014)    Chinese

Software security is a hot and difficult problem in the field of information security. Testing is an important means to ensure software security. This project will develop the courseware of the course "Software security and testing". The course introduces the basic concepts and methods of software security, introduces the basic methods and techniques of software testing, as well as in software development and software application.

Instructor

Shaoyin Cheng, sycheng@ustc.edu.cn, 713 DianSan Building

Other resources

SEED: Developing Instructional Laboratories for Computer SEcurity EDucation
Top 100 Network Security Tools http://sectools.org/ (Chinese edition)


Experiments

Experiment reports submission list

Course Reports


Choose a topic on Software Security, finish a course report.
The references require more than 10 papers, which include at least three papers from the rank A conferences in the past three years.
CCF recommended international academic conferences and journals( Table of Contents, Software, Security)

Syllabus

 
 
Part 0. Introduction

Course overview ( slides )
Resources:
Software Security(in Chinese)
Software Security: Building Security In
Software Testing (2nd edition)
 
Part 1. Software security

Introduction of information security ( slides ) (Optional)
Resources:
China Internet Security Conference
Analysis of the effect of Snowdon (in Chinese)
 

Introduction of software security ( slides )
Resources:
Hex-Rays.IDA.Pro.v6.1.Advanced.Tools
The IDA Pro book - The Unofficial Guide to the World's Most Popular Disassembler (2nd edition)     ( in Chinese 1st edition)
Reverse Engineering Code with IDA Pro (in Chinese)
 

Buffer overflow ( slides )
Resources:
Source codes of experiments: Package download
Virtual machine: Debian 2.4.18 (read readme.txt first)
The evolution of exploitation and exploit mitigation(in Chinese)
Exploiting Format String Vulnerabilities v1.2
Writing shellcode
AT&T assembly format (in Chinese)
GDB manual(in Chinese)
gcc 3.3 manual
Debugging with gdb (Ninth Edition, for gdb version 20030423)
 

Secure software development lifecycle( slides )
 

Software protection technology( slides1, slides2 )
Personally teach you how to crack the software ( doc ) (in Chinese)
"PE file format" v1.9 Chinese edition(with comments) ( mht )
ELF file format analysis ( pdf ) (in Chinese)
Resources:
Analysis target: formghost
Tools: language.exe, AspackDie.exe, W32Dasm, UltraEdit-32 v12, OllyDbg
 

Malicious software ( slides1, slides2 )
Resources:
How to write a win32 virus
an example of PE file virus
Carberp Bootkit source codes analysis
Computer Virus and Antivirus Technology (in Chinese)
 

Web vulnerabilities ( slides1, slides2 )
Resources:
Automatic Creation of SQL Injection and Cross-Site Scripting Attacks ( pdf )
Discuz!NT 2.5 vulnerability analysis ( mht )
Discuz!NT 2.5
webshell example
 

Secure programming ( slides )
 
Part 2. Software testing
 

Introduction of software testing ( slides )
 

Software security testing ( slides )
Resources:
Fuzzing based on FileFuzz
Application security testing
Study on vulnerabilities and APT attack
 

Security security experiments ( slides )
Resources:
IBM Rational PurifyPlus ( slides )
Experiment 1: Security testing based on Purify ( pdf )
Experiment 2: Performance testing based on Quantify ( pdf )
Experiment 3: Code coverage testing based on PureCoverage ( pdf )
Testing target source codes: IPMessenger, maliao(diy edition)
Tools: PurifyPlus v7.0,UltraISO v9.36
IBM developerWorks: Rational PurifyPlus resources
 

Software testing: Requirement & Design ( Requirement and design review, Testcase designment, Automatic testing )
 

Software testing: Unit VS. Function ( Unit testing, Functional testing )
Resources:
JUnit 3 minutes tutorial
Testcase generation experiments( pdf )
 

Software testing: System & Management ( System testing, International and localization testing, Bug reporting, Test plan and management )
 

Android application security testing ( slides )
Resources:
Static Detection of Dangerous Behaviors in Android Apps ( pdf )
DroidFuzzer: Fuzzing the Android Apps with Intent-Filter Tag ( pdf )
DroidPilot: http://www.droidpilot.cn, video introduction
 

Network and protocol testing ( Network testing introduction, Protocol testing, Network testing languages, TTCN-3 introduction )
Resources:
USTC TTCN Lab: http://ttcn.ustc.edu.cn
Book: TTCN-3 Language and application (in Chinese)Amazon.cn, Jing dong

Sponsors

University of Science and Technology of China, Intel Corporation
  
Last modified: February 11, 2015

Copyright (C) 2012-2015 sycheng@ustc.edu.cn. All Rights Reserved.