On-line classes and exams
- Due to the Coronavirus emergency, all classes from March 2, 2020 until the end of the emergency will be taught online.
- The written test will be an on-line Moodle quiz, with questions and exercises picked at random from a pool.
- NEW: Exam of June 10, 2020 (Google Meet, at 9.00)
Exam and optional assignments (challenges)
The exam consists of a written test that aims at verifying the knowledge of the different topics of the course. Assignments are optional and consist of a problem (challenge) to solve, giving an extra score with respect to the mark of the written test.
The course is strongly based on on-line material since there exists no textbook covering practical security in a satisfactory way. All slides, links and extra material will be made available on this page. For program exploitation it is possible to refer to the (not so recent) book: J. Erickson, Hacking, the Art of Exploitation, No Starch Press, 2008.
- Linux testbed (host Linux for lab exercises)
- Virtual meeting point is Slack! Please register here using your
Program and on-line material
Classes and labs will take place in labs 3 and 5. The course program will be updated during the semester.
IMPORTANT NOTE: Trying attacks on real systems is against the law and you might be prosecuted. Always do experiments with test hosts and users.
Background and tools
- [04/02/2020] Introduction and Unix shell (slides, Bandit wargame)
- [06/02/2020] Stream editor and regular expressions (slides, manual, solutions)
- [11/02/2020] Introduction to Python (slides, official tutorial)
- [13/02/2020] Exercises in Python (slides, solutions)
- [18/02/2020] Assembly x86-64 (slides)
- [20/02/2020] Dynamic program analysis (slides, gdb docker profile)
- [05/03/2020] Challenge 1: Program Analysis (challenge, video: decompile, gdbscript)
- [10/03/2020] Buffer overflow (slides, class-first part, ex. solution)
- [12/03/2020] Stack overflow (slides, class)
- [17/03/2020] Lab on stack protector (on-line lab)
- [19/03/2020] Format strings (slides, class)
- [24/03/2020] Secure coding (slides, class)
- [25/03/2020] Challenge 2: Program Exploitation (challenge)
System and network security
- [31/03/2020] Identification (slides, class)
- [02/04/2020] Access control (slides, class)
- [07/04/2020] Firewalls (slides, class)
- [09/04/2020] Challenge 3: Identification (challenge, we meet on slack)
Web security (server)
- [14/04/2020] Web attacks – server side (slides, class)
- [16/04/2020] Web attacks and defences – server side (slides, class)
- [20/04/2020] Lab on server side web attacks (on-line lab, we do not meet at any specific time for this class)
- [21/04/2020] Side channels (Blind SQLi) (slides, class)
- [23/04/2020] Challenge 4: SQL injections (challenge, we meet on slack)
Web security (client)
- [28/04/2020] Client side security (slides, class)
- [30/04/2020] Client side attacks (XSS and CSRF) (slides, class, examples)