                    <meta charset="utf-8" emacsmode="-*- markdown -*">
                            **Language-based Security**
          [*Marco Vassena*](https://webspace.science.uu.nl/~4110161/)


Building secure systems is notoriously hard. Despite every security patch,
attackers always seem to find new exploits. A huge part of the problem is that
developers do not have the right tools to write secure software. They build
complex systems that handle sensitive data using programming languages that do
not account for security or privacy. Thus, developers can too easily introduce
bugs that attackers can exploit as security vulnerabilities to breach their
systems. Language-based security applies rigorous programming language
techniques to help developers address the security problems of their systems.

This course studies techniques to develop programming languages and analyses
that prevent security bugs.  In the first part of the course, we will learn how
attackers can exploit memory safety vulnerabilities to hijack programs and how
compilers mitigate these attacks. Then, we will learn how WebAssembly prevents
sandbox breakouts by design, allowing web browsers and edge platforms to safely
run untrusted code. Lastly, we will study basic program analysis techniques and
apply them to prevent information leaks in untrusted and cryptographic code.

The course combines theoretical foundations and hands-on experience. We will
design programming languages and analyses using formal semantics to specify and
establish their security guarantees. The practical assignments will provide
experience implementing static analyzers and WebAssembly interpreters.


Learning Objectives
===============================================================================

After successfully passing the course, you will be able to

 * Identify security vulnerabilities and assess their impact in simple settings

 * Design defense mechanisms and establish their security guarantees using formal semantics

 * Develop programming languages, compiler passes, and program analyses that prevent specific types of security bugs

About
===============================================================================

**Staff**:
- [Marco Vassena](https://webspace.science.uu.nl/~4110161/)
- Ivo Gabe de Wolff

**Lectures and lab sessions** are in [DALTON 500 -
6.27](https://www.uu.nl/en/daltonlaan-500):
  - Wednesday, 13:15-17:00
  - Friday, 9:00-12:45


Schedule
===============================================================================

*This schedule is preliminary and subject to change.*

Wed Apr 23 2025: Introduction
  * [Fill intro
      survey](https://docs.google.com/forms/d/e/1FAIpQLSeB60voosrAWMNE0tl-gePrBs0EWDz7sOeHlbZu9DwWEAMsqQ/viewform)
  * [Join the MS Teams channel][teams-link] 
  * Start working on assignment 0
  * Find project partner
  * [Slides](slides/1-intro.pdf)
  
Fri Apr 25 2025: **[A0: setup](labs/0-setup/README.html)**

Fri Apr 25 2025: Buffer overflows
  * [Slides](slides/2-buffer-overflows.pdf)
  * [Demo](extra/2-buffer-overflows-demo.tar)

Wed Apr 30 2025: Memory defenses

Fri May 2 2025: **[A1: HackDonalds](labs/1-c/README.html)**

Fri May 2 2025: Rust: Ownership

Wed May 7 2025: Rust: Traits

Fri May 9 2025:  **A2: TBD**

Fri May 9 2025:  **Project proposal**

    Proposals should be 1 page long and include a clear problem statement,
    proposed approach, and brief risk analysis (e.g., to understand the best and
    worst case outcome of the project).
    
    Once per group:
    1. Create a repository for the project on Gitlab
    2. Invite instructors and group members
    3. Include name and student number of group members in proposal

Fri May 9 2025: WebAssembly 1

Wed May 14 2025: WebAssembly 2

Fri May 16 2025: **A3: TBD**

Fri May 16 2025: Information-Flow Control

Wed May 21 2025: IFC Libraries

Fri May 23 2025: **A4: TBD**

Fri May 23 2025: Constant-time programming

Wed May 28 2025: Spectre attacks

(Fri May 30 2025): **Holiday**

Fri May 30 2025: **A5: TBD** 

Wed Jun 4 2025: Types and effect system 1

Fri Jun 6 2025: Types and effect system 2

Fri Jun 6 2025: **Project demo**
    * Briefly introduce the problem you're trying to solve and your approach.
    * Demonstrate what works _and_ what doesn't live.
    * Get folks excited about your research project and receive early feedback!
    * Duration: TBD

Wed Jun 11 2025: Work on project

Fri Jun 13 2025: Work on project

Wed Jun 18 2025: Work on project

Fri Jun 20 2025: Work on project

Sun Jun 22 2025: **Project due**
    - Include final version of code, tests, and reoprt in your project repo

Fri Jun 25 2025: Exam

  - EDUC - GAMMA, 13:30 - 16:30

Fri Jul 9 2025: Retake exam

  - RUPPERT - 029, 13:30 - 16:30

Assessment
===============================================================================

Your final grade is a weighted average of programming assignments, a project,
and a digital exam. The result of each part must be at least 5 to pass the
course. To qualify for a repair of the final result the mark needs to be at
least a 4.

Assignments (30%)
--------------------------------------------------------------------------------

You work on assignments in groups of one or two, but you submit individually.
You may discuss your work with other groups, but you may not share any code. 

(###) Deadlines

The calendar above marks the day in which each assignment (A0, A1, A2, A3, A4,
A5) is due.  Deadlines are at 23:59 CEST sharp on those days: prefer submitting
half-finished work to missing the dealine.  Start working early on the
assignments and take advantage of the lab sessions to get help.

Assignments instructions are published in the course [course repository][].

Project (30%)
--------------------------------------------------------------------------------

You work on a project in groups of two. 

The goal of the project is to conduct original resarch in language-based
security.  You are encouraged to come up with your own project idea, but we have
a few [ideas](project.md.html) that are well-scoped for this course. At the end
of the course, you will demo your project and turn in a short report. 

We expect successful projects to lead to excellent thesis and research papers!

(###) Tips

- Start early, start small! 
- Use git and get a lot of work done at home.
- Get help from instructors and discuss face to face in class.
- Don't wait for lectures to get started on a topic: last year's
    website is [here](https://ics-websites.science.uu.nl/docs/vakken/mlbs/24).

Written exam (40%)
--------------------------------------------------------------------------------

The exam covers all the course material and will be taken digitally.

Links
================================================================================

* [Course repository][]

* [LBS Teams
    channel][teams-link]

* [Feedback form](https://docs.google.com/forms/d/e/1FAIpQLSf8ATDWL_1HNRSlqpW1LkMKD5B-nU3gvFAZuBStalG28JaimQ/viewform) 

* [Rust Book](https://rust-book.cs.brown.edu)

* [MyTimetable](https://mytimetable.uu.nl/schedule)

[course repository]: https://git.science.uu.nl/4110161/lbs-25

[teams-link]: https://teams.microsoft.com/l/team/19%3AGZivnQExe0vBC1NGT5y8aavF3E2GFaqCeFOo4fjxR6g1%40thread.tacv2/conversations?groupId=7c343b3b-b191-4e62-976f-a560a9f29a33&tenantId=d72758a0-a446-4e0f-a0aa-4bf95a4a10e7

<!-- Markdeep: -->
<style class="fallback">body{visibility:hidden;white-space:pre;font-family:monospace}</style><script src="markdeep.min.js"></script>
<script src="https://morgan3d.github.io/markdeep/latest/markdeep.min.js"
        charset="utf-8"></script>
<script>
  window.alreadyProcessedMarkdeep || (document.body.style.visibility="visible");
  markdeepOptions= {tocStyle: 'short', sortScheduleLists: false };
</script>