**Language-based Security**
[*Marco Vassena*](https://webspace.science.uu.nl/~4110161/)

Building secure systems is notoriously hard. Despite every security patch, attackers always seem to find new exploits. A huge part of the problem is that developers do not have the right tools to write secure software. They build complex systems that handle sensitive data using programming languages that do not account for security or privacy. Thus, developers can too easily introduce bugs that attackers can exploit as security vulnerabilities to breach their systems.

Language-based security applies rigorous programming language techniques to help developers address the security problems of their systems. This course studies techniques to develop programming languages and analyses that prevent security bugs. In the first part of the course, we will learn how attackers can exploit memory safety vulnerabilities to hijack programs and how compilers mitigate these attacks. Then, we will learn how WebAssembly prevents sandbox breakouts by design, allowing web browsers and edge platforms to safely run untrusted code. Lastly, we will study basic program analysis techniques and apply them to prevent information leaks in untrusted and cryptographic code.

The course combines theoretical foundations and hands-on experience. We will design programming languages and analyses using formal semantics to specify and establish their security guarantees. The practical assignments will provide experience implementing static analyzers and WebAssembly interpreters.

Learning Objectives
===============================================================================

After successfully passing the course, you will be able to:

* Identify security vulnerabilities and assess their impact in simple settings
* Design defense mechanisms and establish their security guarantees using formal semantics
* Develop programming languages, compiler passes, and program analyses that prevent specific types of security bugs

About
===============================================================================

**Staff**:

- [Marco Vassena](https://webspace.science.uu.nl/~4110161/)
- Ivo Gabe de Wolff

**Lectures and lab sessions** are in [DALTON 500 - 6.27](https://www.uu.nl/en/daltonlaan-500):

- Wednesday, 13:15-17:00
- Friday, 9:00-12:45

Schedule
===============================================================================

*This schedule is preliminary and subject to change.*

Wed Apr 23 2025: Introduction
  * [Fill intro survey](https://docs.google.com/forms/d/e/1FAIpQLSeB60voosrAWMNE0tl-gePrBs0EWDz7sOeHlbZu9DwWEAMsqQ/viewform)
  * [Join the MS Teams channel][teams-link]
  * Start working on assignment 0
  * Find project partner
  * [Slides](slides/1-intro.pdf)

Fri Apr 25 2025: **[A0: setup](labs/0-setup/README.html)**

Fri Apr 25 2025: Buffer overflows
  * [Slides](slides/2-buffer-overflows.pdf)
  * [Demo](extra/2-buffer-overflows-demo.tar)

Wed Apr 30 2025: Memory defenses

Fri May 2 2025: **[A1: HackDonalds](labs/1-c/README.html)**

Fri May 2 2025: Rust: Ownership

Wed May 7 2025: Rust: Traits

Fri May 9 2025: **A2: TBD**

Fri May 9 2025: **Project proposal**
  Proposals should be 1 page long and include a clear problem statement, proposed approach, and brief risk analysis (e.g., to understand the best and worst case outcome of the project). Once per group:

  1. Create a repository for the project on Gitlab
  2. Invite instructors and group members
  3. Include name and student number of group members in proposal

Fri May 9 2025: WebAssembly 1

Wed May 14 2025: WebAssembly 2

Fri May 16 2025: **A3: TBD**

Fri May 16 2025: Information-Flow Control

Wed May 21 2025: IFC Libraries

Fri May 23 2025: **A4: TBD**

Fri May 23 2025: Constant-time programming

Wed May 28 2025: Spectre attacks

(Fri May 30 2025): **Holiday**

Fri May 30 2025: **A5: TBD**

Wed Jun 4 2025: Types and effect system 1

Fri Jun 6 2025: Types and effect system 2

Fri Jun 6 2025: **Project demo**
  * Briefly introduce the problem you're trying to solve and your approach.
  * Demonstrate live what works _and_ what doesn't.
  * Get folks excited about your research project and receive early feedback!
  * Duration: TBD

Wed Jun 11 2025: Work on project

Fri Jun 13 2025: Work on project

Wed Jun 18 2025: Work on project

Fri Jun 20 2025: Work on project

Sun Jun 22 2025: **Project due**
  - Include final version of code, tests, and report in your project repo

Fri Jun 25 2025: Exam
  - EDUC - GAMMA, 13:30 - 16:30

Fri Jul 9 2025: Retake exam
  - RUPPERT - 029, 13:30 - 16:30

Assessment
===============================================================================

Your final grade is a weighted average of programming assignments, a project, and a digital exam. The result of each part must be at least 5 to pass the course. To qualify for a repair of the final result, the mark needs to be at least a 4.

Assignments (30%)
--------------------------------------------------------------------------------

You work on assignments in groups of one or two, but you submit individually. You may discuss your work with other groups, but you may not share any code.

(###) Deadlines

The calendar above marks the day on which each assignment (A0, A1, A2, A3, A4, A5) is due. Deadlines are at 23:59 CEST sharp on those days: prefer submitting half-finished work to missing the deadline. Start working early on the assignments and take advantage of the lab sessions to get help.
Assignment instructions are published in the [course repository][].

Project (30%)
--------------------------------------------------------------------------------

You work on a project in groups of two. The goal of the project is to conduct original research in language-based security. You are encouraged to come up with your own project idea, but we have a few [ideas](project.md.html) that are well-scoped for this course. At the end of the course, you will demo your project and turn in a short report. We expect successful projects to lead to excellent theses and research papers!

(###) Tips

- Start early, start small!
- Use git and get a lot of work done at home.
- Get help from instructors and discuss face to face in class.
- Don't wait for lectures to get started on a topic: last year's website is [here](https://ics-websites.science.uu.nl/docs/vakken/mlbs/24).

Written exam (40%)
--------------------------------------------------------------------------------

The exam covers all the course material and will be taken digitally.

Links
================================================================================

* [Course repository][]
* [LBS Teams channel][teams-link]
* [Feedback form](https://docs.google.com/forms/d/e/1FAIpQLSf8ATDWL_1HNRSlqpW1LkMKD5B-nU3gvFAZuBStalG28JaimQ/viewform)
* [Rust Book](https://rust-book.cs.brown.edu)
* [MyTimetable](https://mytimetable.uu.nl/schedule)

[course repository]: https://git.science.uu.nl/4110161/lbs-25
[teams-link]: https://teams.microsoft.com/l/team/19%3AGZivnQExe0vBC1NGT5y8aavF3E2GFaqCeFOo4fjxR6g1%40thread.tacv2/conversations?groupId=7c343b3b-b191-4e62-976f-a560a9f29a33&tenantId=d72758a0-a446-4e0f-a0aa-4bf95a4a10e7