Robust Programming and the Secure Programming Clinic

One goal of this class is to teach you how to program with robustness in mind. Robustness here means assuming that problems will arise from interactions with the environment, and writing your program to handle these cases. Examples of robustness problems include not checking input or function arguments for validity, or not checking for buffer overflow.

To that end, we are experimenting with a “secure programming clinic”. The purpose of this clinic is to review programs with an eye to helping you understand potential robustness problems and working around them. The name of the clinic comes from the fact that problems with robustness introduce vulnerabilities into programs and, through those, computer systems.

To obtain help from the clinic, go to the web site http://spc.cs.ucdavis.edu. Click on the Appointment button, then the “UC Davis Clinic Visit”. You can then sign up to meet with one of the two clinicians and go over your program. The meeting may be in person, over Skype, or through some other remote communication mechanism, depending on schedules. Then you can revise your program as appropriate before you submit it.

The clinicians will not check that your program produces the correct output. They will simply help you understand how to ensure your program is robust. Of course, some of the input may test this, so the clinic may help you with correctness.

Robustness is a key part of style, so as much as 40% of the points will come from the robustness of the program to errors in input and other problems that might cause the program to give incorrect results. If you submit your program and lose points for these (we will say this in the grading), we will give you a week from the time we turn back the homework to consult with the clinic and fix the problems. Then we will regrade anything you resubmit. You can get back up to 80% of the points you lost for non-robustness problems.

You are required to visit the clinic at least once, either before you submit the program or after it is returned and before you resubmit it.

This clinic is part of an NSF research project. You will be asked to participate in the project.

The instructors will not know whether you participate in the research project associated with the Secure Programming Clinic at any time, either during or after the class. Participating or not participating will have no effect on your grade.

If you agree to participate, the clinicians will assign you a random number. They will retain copies of your programs when you visit the clinic and the final, graded ones. They will then replace all identifying data such as your name and student ID with the random number. This will allow them to correlate programs and questionnaires. The clinicians will retain a mapping of student IDs to random numbers, and at the end of the term will delete this file. Data will be sent to researchers at Purdue University for analysis. The Purdue researchers will never see your name or student ID; all they will see is the random number and the associated data.

You may also be asked to participate in an interview; details of this will be made available through the clinic.


Version of October 11, 2016 at 8:49PM