Course syllabus adopted 2026-02-10 by Head of Programme (or corresponding).
Overview
- Swedish name: Språkbaserad datasäkerhet
- Code: TDA602
- Credits: 7.5 credits
- Owner: MPCSC
- Education cycle: Second-cycle
- Main field of study: Computer Science and Engineering, Software Engineering
- Department: COMPUTER SCIENCE AND ENGINEERING
- Grading: TH - Pass with distinction (5), Pass with credit (4), Pass (3), Fail
Course round 1
- Teaching language: English
- Application code: 42123
- Maximum participants: 120 (at least 10% of the seats are reserved for exchange students)
- Open for exchange students: Yes
- Only students with the course round in the programme overview.
Credit distribution
| Module | Sp1 | Sp2 | Sp3 | Sp4 | Summer | Not Sp | Examination dates |
|---|---|---|---|---|---|---|---|
| 0112 Project, 4.5 c, Grading: TH | 4.5 c | | | | | | |
| 0212 Laboratory, 3 c, Grading: UG | 3 c | | | | | | |
In programmes
- MPALG - Computer Science - Algorithms, Languages and Logic, Year 1 (compulsory elective)
- MPCSC - Computer Systems and Cybersecurity, Year 1 (compulsory elective)
- MPSOF - Software Engineering and Technology, Year 2 (elective)
Examiner
- Andrei Sabelfeld
- Full Professor, Computing Science, Computer Science and Engineering
Eligibility
General entry requirements for Master's level (second cycle). Applicants enrolled in a programme at Chalmers where the course is included in the study programme are exempted from fulfilling the requirements.
Specific entry requirements
English 6 (or by other approved means with the equivalent proficiency level). Applicants enrolled in a programme at Chalmers where the course is included in the study programme are exempted from fulfilling the requirements.
Course specific prerequisites
- BSc degree in Computer Science or equivalent,
- 15 hec in programming, and
- Completed 7.5 hec in computer security
Aim
Modern attacks often succeed at circumventing standard security mechanisms. While operating-system security policies are low-level (such as access control policies, protecting particular files), many attacks are high-level, or application-level (such as email worms that pass by access controls pretending to be executed on behalf of a mailer application). Because applications are typically specified and implemented in programming languages, application-level security is a part of the more general area of language-based security. A direct benefit of language-based security is the ability to naturally express security policies and enforcement mechanisms using the techniques of the well-developed area of programming languages.
Learning outcomes (after completion of the course the student should be able to)
Knowledge and understanding
- apply practical knowledge of security for modern programming languages
- demonstrate critical knowledge of principles behind application-level attacks (such as data races, buffer overrun attacks, web application attacks, covert channels, and malicious code)
- define language-based protection mechanisms (such as static and dynamic code analysis, program monitoring, and sandboxing)
- identify application- and language-level security threats,
- specify and argue for application- and language-level security policies,
- design and claim the security, clarity, usability, and efficiency of solutions
- implement such solutions in an expressive programming language
- demonstrate the ability to judge which security mechanisms are appropriate for a given scenario
Content
This course combines practical and cutting-edge research material. The course consists of lectures, labs, exercises and project presentations. The theme of attack-vulnerability-defense is threaded through all parts of the course. More details on the course content:
- Foundations of Language-based Security
  - Introduction to language-based security
  - Principles of information flow security
  - Saltzer & Schroeder's design principles for protection of information
- Program Analysis and Security Mechanisms
  - Static analysis and program transformation
  - Reference monitoring and enforcement mechanisms
  - Noninterference and secure multi-execution
- Concurrency and Low-level Attacks
  - Data races, randomness, and determinism
  - Time-of-check to time-of-use (TOCTOU) vulnerabilities
  - Buffer overruns and memory safety
- Application and Platform Security
  - Database security
  - Android app security
  - Copyright protection and code obfuscation
  - JavaScript sandboxing
- Web and Software Security
  - Web application security (OWASP Top 10)
  - Browser extension security
  - Regular expression security (input validation, ReDoS)
  - Security tooling and practical web security
Organisation
The course consists of lectures, group meetings and project presentations.
Literature
Examination including compulsory elements
To pass the course, the students must pass the laboratory assignments and the exam. In order to pass the exam, the students need to make a presentation of the project in class and pass the requirements on a written report/position paper that documents the project.
The course examiner may assess individual students in other ways than what is stated above if there are special reasons for doing so, for example if a student has a decision from Chalmers about disability study support.
