Secure Design Lifecycle

Instructor

Shreyas Sen, Assistant Professor in School of Electrical and Computer Engineering 

Course Description:

If nothing else, the goal of this course is to help designers embrace the mindset that security is not an afterthought, but a critical part to all stages of the design process. This course covers the integration of security in the design lifecycle, helping develop the security first mindset. Cyber security will be explored with a Systems focus covering topics on both computer software and hardware.

This course introduces students to a security design mindset. Upon completing the course, students will:

  • Recognize the importance of security as a key component of every step of the design lifecycle.
  • Describe different ways security can be incorporated into the designs of hardware and software.
  • Identify applications and techniques to ensure increased security. 

Topics Covered:

To highlights the systems nature to analyzing and developing cyber security we plan to adopt a crosscutting holistic approach as follows: Cyber security is the extremely important problem as it connects systems to wide variety of internet-connected adversaries. Cyber security threats could be efficiently analyzed and solved using a holistic view of system security. System security is further composed of both Hardware and software security.

Addressing a Varied Background of Participants:

There is an understanding students will have diverse backgrounds and background in software and hardware concepts needed to understand the variety of security issues addressed in the course. The two main knowledge domains we expect students to come from software background and hardware background, and we don’t assume students from one domain have detailed knowledge in the other.

To address this asymmetry, we have adopted the following strategies when dealing with advanced concepts in software and hardware. When dealing with software, algorithms and code will be presented as pseudocode to be accessible without knowledge of any programming languages. For those who are interested in learning more, resources will be provided with more detail and examples with real code. In dealing with hardware issues, the relevant physical phenomenon will be introduced, then the corresponding logic and equations will be given. For those interested in the derivation of equations and more detail on such physics, additional reading references will be provided. 

The course’s plan of presenting Crosscutting Security Concepts: 

To highlights the ‘systems’ nature to analyzing and developing cyber security we plan to adopt a crosscutting holistic approach as follows: Cyber security is the extremely important problem as it connects systems to a wide variety of internet-connected adversaries. Cyber security threats could be efficiently analyzed and solved using a holistic view of system security. System security is further composed of both Hardware and software security.

 

Course Content

  • Terminology

    • Lecture 1

      • SDL 101: Definition
      • SW/HW Design flow (Product development lifecycle)
      • SW/HW Bugs/Attacks (Need for SDL)
      • SW/HW SDL
    • Lecture 2
      • Intro to Software Attacks
        • Buffer Overflow
        • SQL Injection
      • Intro to Hardware Attacks
        • HW Trojans
        • Side-Channel Attacks
      • Bugs leading to Attacks 
  • Supply Chain

    • Lecture 3 Supply chain: Software + hardware
      • Credentialing of Participants
      • Ensuring Integrity
        • Software Design
        • Hardware Design
        • Trojans
        • Counterfeiting
      • Monitoring
      • Risk Analysis 
  • Design/Architecture
    • Lecture 4 Threat Modeling – Architecture
      • Security Requirements
      • Threat Modeling
      • Security Objectives
      • Risk Analysis
      • Metrics
      • Secure Architecture Comparison
      • Attack Surface Analysis and Reduction
    • Lecture 5: SDL – Root of Trust – SGX Hardware
    • Lecture 6: SDL – Root of Trust – SGX Software
    • Lecture 7: Blockchain for Secure Architectures and SDL
  • Development/Implementation
    • Lecture 8 Software Threats – Malware and Social Engineering
      • Malware
        • Viruses/Worms
        • Trojans
        • Rootkits
        • Ransomware
        • Spyware/Adware
        • Bots and Botnets
        • Denial of Service Attack
      • Social Engineering
        • Phishing
        • Watering Hole
        • Defenses
  • Development/Implementation continued
    • Lecture 9 Software Threats – IO Validation

      • Buffer Overflows
        • SQL Injection
        • XSS
        • Error Handling: Software Error Handling
      • Lecture 10 Software Implementation
        • Secure Session/Communications
          • Wi-Fi
          • Mobile Devices
          • SSL/TLS & Certificates
        • Secure Storage
          • Data at Rest Encryption
          • Password Hashing
          • Brute Force/Dictionary Attack
          • Rainbow Tables
        • Access Control
          • Authentication – includes 2FA/MFA
          • Access Control Models
        • Lecture 11 Software + Hardware Threats – Side Channel Attacks and Defenses
          • Cache Attacks
          • Power
          • EM
          • Timing
          • Others: Hardware Error Handling (Fault Injection)
        • Lecture 12 Hardware Attacks and defenses
          • Secure Boot
          • Debug and Security
          • FPGA Security
            • Secure Boot
            • Data Security
            • Key Management
        • Lecture 13 Hardware Implementations
          • PUF
            • PUF Background
            • PUF Types
            • PUF Security
          • Secure IO
            • RFID
            • Payment
            • Fingerprint authentication 
  • Testing/Verification
    • Lecture 14  Software Verification
      • Penetration Testing
      • Fuzz Testing
      • Code Review
      • Static Code Analysis
      • IDS – Intrusion detection
    • Lecture 15  Hardware Verification
      • Formal Methods
      • Proof-Carrying Hardware
      • Static Code Analysis
      • IDS – Intrusion detection – software to monitor hardware
      • More to secure design lifecycle: Runtime Protection