Sicurezza

This page contains the material of (new) undergraduate course Sicurezza held by Prof. Riccardo Focardi . Course is taught in Italian but this page and all the material is in English.

On-line classes and exams

  • Due to the Coronavirus emergency, all classes from March 2, 2020 until the end of the emergency will be taught online.
  • The written test will be an on-line Moodle quiz, with questions and exercises picked at random from a pool.
    • NEW: Exam of June 10, 2020 (google meet, at 9.00)

Exam and optional assignments (challenges)

The exam consists of a written test that aims at verifying the knowledge of the different topics of the course. Assignments are optional and consist of a problem (challenge) to solve, giving an extra score on top of the mark of the written test.

Textbooks

The course is strongly based on on-line material, since there exists no textbook covering practical security in a satisfactory way. All slides, links and extra material will be made available on this page. For program exploitation it is possible to refer to the (not so recent) book: J. Erickson, Hacking: The Art of Exploitation, No Starch Press, 2008.

Useful links

Program and on-line material

Classes and labs will take place in labs 3 and 5. The course program will be updated during the semester.

IMPORTANT NOTE: Trying attacks on real systems is against law and you might be prosecuted. Always do experiments with test hosts and users.

Background and tools

Program analysis

Program exploitation

  • [10/03/2020] Buffer overflow (slides, class-first part, ex. solution)
  • [12/03/2020] Stack overflow (slides, class)
  • [17/03/2020] Lab on stack protector (on-line lab)
  • [19/03/2020] Format strings (slides, class)
  • [24/03/2020] Secure coding (slides, class)
  • [25/03/2020] Challenge 2: Program Exploitation (challenge)

System and network security

  • [31/03/2020] Identification (slides, class)
  • [02/04/2020] Access control (slides, class)
  • [07/04/2020] Firewalls (slides, class)
  • [09/04/2020] Challenge 3: Identification (challenge, we meet on slack)

Web security (server)

  • [14/04/2020] Web attacks – server side (slides, class)
  • [16/04/2020] Web attacks and defences – server side (slides, class)
  • [20/04/2020] Lab on server side web attacks (on-line lab, we do not meet at any specific time for this class)
  • [21/04/2020] Side channels (Blind SQLi) (slides, class)
  • [23/04/2020] Challenge 4: SQL injections (challenge, we meet on slack)

Web security (client)

  • [28/04/2020] Client side security (slides, class)
  • [30/04/2020] Client side attacks (XSS and CSRF) (slides, class, examples)