On-line classes from 2 March 2020
NEW: due to the Coronavirus emergency, all classes from March 2, 2020 until the end of the emergency will be taught online.
Exam and optional assignments (challenges)
The exam consists of a written test that aims at verifying the knowledge of the different topics of the course. Assignments are optional and consist of a problem (challenge) to solve, giving an extra score with respect to the mark of the written test.
The course is strongly based on on-line material since there exists no textbook covering practical security in a satisfactory way. All slides, links and extra material will be made available on this page. For program exploitation it is possible to refer to the (not so recent) book: J. Erickson, Hacking: The Art of Exploitation, No Starch Press, 2008.
- Linux testbed (Linux host for lab exercises)
- Virtual meeting point is Slack! Please register here using your
Program and on-line material
Classes and labs will take place in labs 3 and 5. The course program will be updated during the semester.
IMPORTANT NOTE: Trying attacks on real systems is against the law and you might be prosecuted. Always do experiments with test hosts and users.
Background and tools
- [04/02/2020] Introduction and Unix shell (slides, Bandit wargame)
- [06/02/2020] Stream editor and regular expressions (slides, manual, solutions)
- [11/02/2020] Introduction to Python (slides, official tutorial)
- [13/02/2020] Exercises in Python (slides, solutions)
- [18/02/2020] Assembly x86-64 (slides)
- [20/02/2020] Program analysis (slides, gdb docker profile)
- [05/03/2020] Challenge 1: program analysis (on-line) (challenge, video: decompile, gdbscript)
- [10/03/2020] Buffer overflow (slides, class-first part, ex. solution)
- [12/03/2020] Stack overflow (slides, class)
- [17/03/2020] Lab on stack protector (on-line lab)
- [19/03/2020] Format strings (slides, class)
- [24/03/2020] Secure coding (slides, class)
- [25/03/2020] Challenge 2: program exploitation (challenge, on-line at 10:30 on Slack)
System and network security
- Access control
- Network security
Web security (server)
- SQL injections
- Blind SQL injections
- Prevention of SQL injections
Web security (client)
- Cross site scripting (XSS)
- Cross site request forgery (CSRF)
- Client-side security