This page contains the material of (new) undergraduate course Sicurezza held by Prof. Riccardo Focardi . Course is taught in Italian but this page and all the material is in English.

IMPORTANT NOTE: In this course you will learn attack techniques. Remember that trying attacks on real systems is against law and you might be prosecuted. Always do experiments with test hosts and users.

On-line classes and exams

  • due to Coronavirus emergency classes will be taught both in class and online through the official Moodle page
  • the exact form of the written test will be announced during the semester

Exam and optional assignments (challenges)

The exam consists of a written test that aims at verifying the knowledge of the different topics of the course. Assignments are optional and consist of a problem (challenge) to solve, giving an extra score with respect to the the mark of the written test.


Course is strongly based on on-line material since there exists no textbook covering practical security in a satisfactory way. All slides, links and extra material will be made available in this page. For program exploitation it is possible to refer to the (not so recent) book: J. Erickson, Hacking, the art of exploitation, No starch press, 2008.

Useful links

Program and on-line material

Background e TOOLS

Program analysis

Program exploitation

  • [07/10/2021] Buffer overflow (slides, exercise solution)
  • [13/10/2021] Stack overflow (slides)
  • [14/10/2021] Lab on stack protector (on-line lab)
  • [20/10/2021] Format strings (slides)
  • [21/10/2021] Secure coding (slides)
  • [27/10/2021] Challenge 2: Program Exploitation (challenge)

    System and network security

  • [28/10/2021] Identification (slides)
  • [TBA] Access control (slides)
  • [TBA] Challenge 3: Identification (challenge)
  • [TBA] Firewalls – netfilter (slides)

    web security (server)

  • [TBA] Web attacks – server side  (slides)
  • [TBA] Web attacks and defences – server side (slides)
  • [TBA] Lab on server side web attacks (on-line lab)
  • [TBA] Side channels (Blind SQLi) (slides)
  • [TBA] Challenge 4: SQL injections (challenge) Class will be on slack from 15:45 to 17:15!

    WEB SECURITY (client)

  • [TBA] Client side web security (slides)
  • [TBA] Client side attacks (XSS and CSRF) (slides, examples)