Security

This course aims at introducing basic concepts and techniques for the development of secure systems and networks. The course is formally split into two modules, [CM0475] Security 1 (system security) and [CM0494] Security 2 (network security). This course used to cover cryptography, which is now a separate course.

This course is part of the Laurea Magistrale (Master degree) in Computer Science at Ca’ Foscari, Venice.

News

  • [7 Feb. 2017] Course starts today!
  • [26 Feb. 2017] The class of Tuesday 28 Feb. 2017 is cancelled (see timetable below)

Assessment

Oral exam, plus an evaluation on the lab based on challenges and a live CTF.

Recommended books

Virtual meeting point

The virtual meeting point for the on-line classes is on Slack! You can automatically sign up with either your @stud.unive.it or @unive.it e-mail account.

Testbed

We set up a 32-bit Linux virtual machine called testbed to let you experiment with the proposed exercises. Testbed is also the warbox where we host most of the challenges on reversing and binary exploitation.

Access is granted to the VM via SSH by typing:

ssh -p 2222 username@seclab.dais.unive.it

where username is pythonically defined as (first_name[0] + last_name[:8]).lower() and the password is the one you use to connect to the CTF portal. After logging in, you automatically join a persistent tmux session. We are using the default keybindings, hence starting multiple shells within your session is as easy as typing Ctrl-b c. To cycle between the windows (i.e., the spawned shells) you can use Ctrl-b n. We strongly encourage you to read the man page of tmux in order to get familiar with the amazing capabilities of this tool. For instance, if you want to keep an eye on the clock, try Ctrl-b t.

Keep in mind that your session is monitored and we may suddenly jump into your shell to give you some useful hints. Don’t be scared, there’s no ghost in the shell.

Table of contents (updated during the semester!)

Part 1

Part 2

  • Network security
    • [28/3/2017] Identification
    • [29/3/2017] Challenge – BANKROBBER
    • [TBA] Eavesdropping and intercepting
    • [TBA] ARP spoofing
    • [TBA] Firewalls
    • [TBA] Second CTF service: FW
    • [TBA] Mignis (slides)
    • [TBA] Exercise: configure a Mignis firewall
  • Web security
    • [TBA] SQL injections
    • [TBA] Challenges: 2sa, 2safixed
    • [TBA] Blind SQL injections
    • [TBA] Challenge: rmb
    • [TBA] Cross site scripting (XSS)
    • [TBA] Exercise: the multi-room chat service (open this in an incognito window!)
    • [TBA] Cross site request forgery (CSRF)
    • [TBA] CSRF Exercises
    • [TBA] Web malware: samy, the MySpace worm
    • [TBA] Third CTF service: php
  • Applied Cryptography
    • [TBA] Introduction to cryptography
    • [TBA] Challenge: cryptocat
    • [TBA] Attacks on PKCS#11
    • [TBA] Online tutoring on challenges
    • [TBA] Programming with PKCS#11
    • [TBA] Final challenge on PKCS#11

NOTE: These pages will be continuously updated during the whole semester. If you have comments/questions please post them.

Links
