Institute of Computer Science
  1. Courses
  2. 2024/25 spring
  3. Software Security (LTAT.03.024)
ET
Log in

Software Security 2024/25 spring

Course information

  • Home
  • Schedule
  • Exam

Related courses

  • Michael Hicks (Maryland)
  • Mathias Payer (EPFL)

Important links

  • AWS: Cedar
  • Meta: Infer

Infrastructure

  • Zulip
  • Moodle
  • GitHub

Introduction & Dafny

By the end of this introductory week (which hopefully will last no longer than two weeks), you should be able to

  • situate software security in the broader knowledge areas of cyber security,
  • advocate passionately for the software security approach, and
  • decide if exposure to the underlying theory of verification tools is not your cup of tea!

Background

Ensuring the security of a software-reliant organization involves a range of approaches; the field of cyber security is vast.

  • The Introduction to the CyBOK gives a good overview of the knowledge areas of cyber security. Figure 2 summarizes what each area is concerned with.
  • What is software security? The CyBOK chapter is useful (webinar), and you may listen to the first two videos from the Hicks's course.

Hands-On Demo

The goal is to get a little bit of hands-on experience with Dafny. First you need to install dafny. It is reasonably easy:

  • Install vscode.
  • Install the dafny plugin from the marketplace.
  • Try to open a file with .dfy extension, it should try to install dotnet.

1. Hello World!

Try create and a new file and name it abs.dfy: 

method Abs(i: int) returns (r: int)
ensures 0 <= r
{   
    if 0 <= i {
        r := i;
    } else {
        r := -i;
    }
}

Change the condition to -1 <= i to make sure Dafny complains.

2. Play around with assertions.

Now, you can try to use assertions to narrow down where the post-condition fails. The full tableaux proof for the program would look like this: 

method Abs(i: int) returns (r: int)
ensures 0 <= r
{   
    if 0 <= i {
        assert 0 <= i;
        r := i;
        assert 0 <= r;
    } else {
        assert i < 0;
        assert 0 <= -i;
        r := -i;
        assert 0 <= r;
    }
    assert 0 <= r;
}

Can you see how this relates to the theory slides?

3. Adapt to machine integers

Now, add the following to the top of the program to define 32 bit integers:

newtype {:nativeType "int"} int32 = x | -0x8000_0000 <= x < 0x8000_0000

Try to prove the program with this int32 data type. You can add a precondition with the keyword requires. In Java, Math.abs(int) does violate the post-condition in this way, while Math.absExact(int) will thrown and exception.

4. Partial Specifications

This the above is not a proper specification of the absolute value function.

  • Change the method to satisfy the current specification in a more stupid way...
  • Update the specification to fully say that it should be related to the input in some way.

To Be Continued ...

We will return to Dafny after having understood what it was used to implement.

  • Institute of Computer Science
  • Faculty of Science and Technology
  • University of Tartu
In case of technical problems or questions write to:

Contact the course organizers with the organizational and course content questions.
The proprietary copyrights of educational materials belong to the University of Tartu. The use of educational materials is permitted for the purposes and under the conditions provided for in the copyright law for the free use of a work. When using educational materials, the user is obligated to give credit to the author of the educational materials.
The use of educational materials for other purposes is allowed only with the prior written consent of the University of Tartu.
Terms of use for the Courses environment