MC2 Symposium

Tutorials

MC2 faculty provide timely tutorials on technology and policy.

Secure Web Programming in Ruby on Rails

Jeff Foster - Associate Professor, Computer Science

Ruby on Rails is a popular web application framework used by sites including Twitter, Groupon, Github, and others. This tutorial will introduce attendees to the basics of web development using Rails, with a particular focus on building secure web applications. During the tutorial, we will develop a simple web app from scratch and briefly explore all major aspects of Rails, including its model-view-controller architecture; database migrations, validations, and associations; layout and rendering; routing; internationalization; deployment; and debugging. We will also examine possible attacks against Rails (and other) web applications, and learn about session management, authentication, and access control in Rails, along with Rails' approach to preventing cross-site scripting, other code-injection attacks, and cross-site request forgery. No prior knowledge of Ruby is required, but attendees should have some basic knowledge of programming and some familiarity with HTML.

http://www.cs.umd.edu/~jfoster/talks/mc2-tutorial-2012-slides

http://www.cs.umd.edu/~jfoster/talks/mc2-tutorial-2012

Jeff Foster

Bio: Jeffrey S. Foster is an Associate Professor in the Department of Computer Science at the University of Maryland, College Park. He received his Ph.D. in Computer Science from the University of California, Berkeley, and he received M.Eng. and B.S. degrees from Cornell University, also in Computer Science. Dr. Foster's research focuses on developing programming languages and software engineering approaches to making software easier to write and more reliable, secure, and available. Dr. Foster is a recipient of the NSF CAREER award (2004) and was a member of DARPA's Computer Science Study Group.

Dyninst: A Binary Analysis and Modification Framework

Jeff Hollingsworth - Professor and Associate Chair, Computer Science

Understanding the behavior of suspect binaries (potential malware) and black-box testing of modules (as part of a code audit) require tools that can analyze binaries. In this tutorial we will provide a hands-on introduction to Dyninst, an open source binary analysis and modification framework. Dyninst provides a way to develop platform-independent tools (Windows, Linux, and VxWorks) that work with binary programs for multiple processor architectures (x86, Power).

Slides

Tutorial Setup Slides

Jeff Hollingsworth

Bio: Jeffrey K. Hollingsworth is a Professor and Associate Chair of the Computer Science Department at the University of Maryland, College Park. He received his PhD and MS degrees in computer sciences from the University of Wisconsin. He received a B.S. in Electrical Engineering from the University of California at Berkeley. Dr. Hollingsworth's research seeks to develop a unified framework to understand and optimize the performance of large systems, while assuring their overall quality and security. He has served on the board of directors of the Computing Research Association. He is Editor-in-Chief of the journal Parallel Computing, and is the general chair of the SC12 conference (the largest HPC conference in the world, with over 10,000 attendees).

Effective use of FindBugs in large software development efforts

Bill Pugh - Professor Emeritus, Computer Science

FindBugs is a static analysis tool that finds coding mistakes in Java programs. It is widely popular, with more than a million downloads. In a study involving hundreds of engineers at Google, the issues identified by FindBugs were evaluated as "should fix" or "must fix" 81% of the time. However, many projects and developers use FindBugs on an ad-hoc basis, with individual developers running FindBugs sporadically. Some projects use FindBugs as part of their continuous build system, but find themselves unsure of the return on their investment and wondering if there might be a more effective way to use FindBugs. Others, when first applying FindBugs to a large project and seeing hundreds or thousands of issues, simply give up on using FindBugs.

I'll briefly review FindBugs, and describe techniques for cost-effective integration of FindBugs into the software development process for medium to huge software projects, with a focus on new features available in FindBugs 2.0. Topics include how to customize FindBugs to prioritize and filter issues important to your project, how to store bug data in a cloud so that everyone working on the project shares information about when the issue was first seen and whether people think the issue is important to fix, and ways to use annotations to help FindBugs detect even more errors in your code.

Slides

Bill Pugh

Bio: Bill Pugh is a Professor Emeritus in the Department of Computer Science at the University of Maryland, College Park. He received his Ph.D. in Computer Science from Cornell University and is a Packard Fellow. His research interests include program analysis, parallel computing, and security. He is the inventor of the skip list data structure, and is the designer and maintainer of the freely available FindBugs program analysis tool, which is in use at companies such as Google and eBay and has been downloaded more than 1.5 million times.

An Overview of Cybersecurity Laws, Regulations, and Policies: From "Best Practices" to Actual Requirements

David Thaw - Research Faculty, University of Maryland Institute for Advanced Computer Studies

U.S. law imposes a variety of information security obligations on enterprises. Organizations are subject to state breach notification laws, various state information security regulations, and discretionary oversight by the Federal Trade Commission. Organizations working with financial, health or other sensitive information may also be subject to stringent industry-specific federal regulations. This complex, ad hoc legal framework creates substantial risk of business disruption resulting from decisions made unaware of regulatory responsibilities. This session will provide an overview of the current cybersecurity regulatory landscape in the U.S., connecting technical discussions to regulatory requirements. It provides context for technical requirements, explaining a key portion of the "why" behind cybersecurity measures recommended to organizations.

Slides

David Thaw

Bio: David Thaw is a member of the research faculty in the University of Maryland Institute for Advanced Computer Studies. He received his J.D. and Ph.D. from the University of California, Berkeley. His research focuses on the intersection of cybersecurity technology, policy, and law. David's current projects include a comparison of methods of cybersecurity regulation, examination of password complexity policies, and review of federal cybercrime laws in the context of cybersecurity counterattack measures and website vulnerabilities.