SECURITY

Academic year
2024/2025
Official course title
SICUREZZA
Course code
CT0539 (AF:379679 AR:218246)
Modality
On campus classes
ECTS credits
6
Degree level
Bachelor's Degree Programme
Educational sector code
INF/01
Period
1st Semester
Course year
3
Where
VENEZIA
This course aims to introduce basic concepts and techniques for the development of secure applications, systems and networks. The first part is devoted to basic scripting and program analysis tools. The course then illustrates the main attack and defence techniques for applications, systems and networks, with a particular focus on secure programming principles. Students will be challenged with practical problems that require finding and exploiting a vulnerability in example applications.
- knowledge of basic concepts and techniques for the development of secure systems and networks;
- knowledge of attack and defence techniques related to program exploitation, system, network and web security;
- skills related to securing real systems and networks, developed through practical exercises.
Basic knowledge of programming, computer architectures, operating systems and computer networks is required.
1. Background and tools
1.1 Introduction to Unix shell
1.2 Stream editor and regular expressions
1.3 Introduction to Python

2. Program analysis
2.1 Assembly x86-64
2.2 Dynamic program analysis

3. Program exploitation
3.1 Buffer overflow
3.2 Stack overflow
3.3 Format strings
3.4 Secure coding

4. System and network security
4.1 Identification
4.2 Access control
4.3 Firewalls

5. Web security (server side)
5.1 Web attacks
5.2 SQL injections and defences
5.3 Blind SQL injections

6. Web security (client side)
6.1 Security mechanisms
6.2 Attacks: XSS and CSRF
J. Erickson, Hacking, the art of exploitation, No starch press, 2008.
The exam consists of a written test that aims at verifying knowledge of the different topics of the course. Assignments are not mandatory; they aim at putting into practice the knowledge acquired and at verifying competence in attacking and securing IT systems. Each assignment consists of a problem (challenge) to solve and gives an extra score in addition to the mark of the written test.

Grading criteria for the written test:

A. Scores in the range of 18-22 will be awarded when there is:
- Sufficient knowledge of the course subjects;
- Limited skills in performing practical exercises related to the course labs;
- Sufficient communication skills, particularly in the use of specific terminology related to IT security.
B. Scores in the range of 23-26 will be awarded when there is:
- Reasonable knowledge of the course subjects;
- Reasonable skills in performing practical exercises related to the course labs;
- Fair communication skills, particularly in the use of specific terminology related to IT security.
C. Scores in the range of 27-30 will be awarded when there is:
- Good to excellent knowledge of the course subjects;
- Good to excellent skills in performing practical exercises related to the course labs;
- Fully appropriate communication skills, particularly in the use of specific terminology related to IT security.
D. Honors will be awarded for excellent knowledge, skills, and communication abilities.

Criteria for Awarding Challenge Bonuses:
A. Score from 0.1 to 0.3
- Sufficient skills in performing the exercise;
- Adequate communication skills in writing a report that describes the proposed solution.
B. Score from 0.4 to 0.5
- Good skills in performing the exercise;
- Good communication skills in writing a report that describes the proposed solution.
C. Score from 0.6 to 0.7
- Excellent skills in performing the exercise;
- Excellent communication skills in writing a report that describes the proposed solution.
Theoretical and practical lectures in class;
Online resources (lecture notes, slides, videos);
Chat and forum;
Challenges on various topics that give extra score.
Italian
written
Definitive programme.
Last update of the programme: 23/10/2024