Faculty Workshop on Secure Software Development

These are the exercises discussed at the Secure Software Workshop for Faculty held by SANS in 2008.

Introductory Programming

  1. Build a Robust Long-to-ASCII Conversion Function
    Synopsis: Write an improved, error-handling version of atol(3)
    File: convert.html
  2. Crash the Standard I/O Library
    Synopsis: Write programs to force 3 C standard I/O library functions to crash
    File: crash.html
  3. Floating Point Imprecision
    Synopsis: Write a program to find the largest number ε for which 1+ε is 1
    File: fp.html
  4. Negative Amortization
    Synopsis: Use amortization to stress the importance of input checking
    File: negam.zip
  5. Arithmetic Issues Using the Quadratic Formula
    Synopsis: Examine various problems when using the quadratic formula naively
    File: quad.zip
  6. Irregularities in Time
    Synopsis: Examine the impact of daylight saving time changes when working with time
    File: time.html
  7. The Monty Hall Problem
    Synopsis: Write a program to solve the Monty Hall problem by simulation
    File: monty.html
  8. Web Input Validation
    Synopsis: Find a web page that does not validate input adequately
    File: webcheck.zip

Operating Systems

These exercises are all courtesy of Kevin Du, of Syracuse.

  1. Encrypted File System
    Synopsis: Design and implement an encrypted file system for the Minix operating system.
    URL: http://www.cis.syr.edu/~wedu/seed/Labs/EFS/
  2. Access Control Lab
    Synopsis: Design and implement an access control mechanism for the Minix operating system based on the Role-Based Access Control and Capability concepts
    URL: http://www.cis.syr.edu/~wedu/seed/Labs/RBAC_Cap/

Other laboratories can be found at http://www.cis.syr.edu/~wedu/seed/all_labs.html.

Software Engineering

  1. SQL injection Attack/Defend exercise
    Synopsis: Demonstrate an SQL injection attack on an ASP.Net web application, and fix it.
    File: SQL_Injection.zip
  2. Role-Based Access Control (RBAC) Exercise
    Synopsis: Implement access control policies in the context of a commercial database management system
    File: RBAC.zip
  3. Visual Basic Security Exercises
    Synopsis: Several security exercises about Visual Basic applications, including some coding ones
    File: VbSecurityExercises.doc
  4. Connection Pool Leak in ASP.net
    Synopsis: Demonstrate and fix a denial of service caused by a connection pool leak
    File: ConnectionPool_Leak.zip
  5. Secure Updateable Views (WITH CHECK OPTION)
    Synopsis: Demonstrate and fix two violations of a security policy on an updateable view of a database
    File: SecureUpdatableViews.zip
  6. Real-World Report Exercises
    Synopsis: Report on the impact that nonsecure code can have in a real-world scenario
    File: realworld.html
  7. Detecting Vulnerabilities in C Code with a Static Analysis Tool
    Synopsis: Use a static analysis tool to detect vulnerabilities such as buffer overflows in C code
    File: static-c.zip