Projects Assignments 2015
Assignment of the project topics
Francesco Maida- "CWE-79 : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
Mohamed Mohamed Osman - "CWE-306: Missing Authentication for Critical Function"
Luigi Olivella - "CWE-798: Use of Hard-coded Credentials"
Marco Cosentino- "CWE-311: Missing Encryption of Sensitive Data"
Danilo Ruffolo - "CWE-434: Unrestricted Upload of File with Dangerous Type"
- AVAILABLE - "CWE-250: Execution with Unnecessary Privileges"
Serafino D'angelillo - "CWE-352: Cross-Site Request Forgery (CSRF)"
Davide Gallo - "CWE-494: Download of Code Without Integrity Check"
Aldo Marzullo - "CWE-863: Incorrect Authorization"
- AVAILABLE - "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"
Francesco Cosco - "CWE-732: Incorrect Permission Assignment for Critical Resource"
- AVAILABLE - "CWE-676: Use of Potentially Dangerous Function"
Mostafa Sheikhalishahi- "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
Luccisano Girolamo - "CWE-131: Incorrect Calculation of Buffer Size"
Alessandro Cozza - "CWE-307: Improper Restriction of Excessive Authentication Attempts"
I'm not in the assignment list, how can I get assigned a project topic?
You can request the assignment of a project by sending an e-mail to the professor and to Davide Fuscà fusca_AT_mat.unical.it Projects can be either individual or assigned to 2 persons.
Seminar preparation instructions
The project consists of two parts: the first part consists in preparing and exposing, in a presentation of maximum 15 minutes (about 12 slides), technical aspects related to the topic assigned. The technical discussion should present an overview of the topic, together with real life examples. For instance, for a given CWE number, the student can present a few CVEs cases which are related to the given CWE. The second part consists in presenting a working demo related to the assigned project. Your work must include both parts: partial projects will not be evaluated. In rare circumstances, it is possible to not present a demo, e.g. if the assigned topic appears evidently theoretical. Your demo can be based on a netkit laboratory or other technology, depending on your topic. You might consider using specifically prepared server virtual machines, or containers (like docker containers www.docker.com).
The discussion of the project is interactive and will include questions on the course program. Your presentation must respond to the following points:
1. Description of the specific CWE number 1. Whenever applicable, description of the technological context of the CWE (e.g. for an HTTP CWE, provide the related background) 1. Examples 1. Possible countermeasures or programming disciplines to be put in place for avoiding to fall in that particular CWE
The presentation style should be at a technical level (for experts) and not exclusively anedoctical. The presentation should not be considered separated from the context of the course program (for example: in an analysis of a protocol related to PKI, IT IS assumed that the student knows how the PKI works)
- Demo: implement a practical situation in which the assigned CWE manifests itself;
For example, in the case you are describing an SMTP weakness, the short demonstration may include a netkit lab in which you have configured an SMTP server with secure authentication. You might add the demonstration of a potential attack, the description of how the authentication works by analyzing a corresponding Wireshark capture, etc.. etc..
Release of your project
The slides and the demo content must be sent to the professor at least 24 hours before the scheduled exam date.
You are not admitted to the exam if: 1. The slides were not technical (i.e. I will not accept a biography of Mark Zuckerberg as the correct answer for a project about the Facebook security infrastructure), or without answers to the questions mentioned above, or 2. The demo, if submitted, is not working / not pertaining to topic of the project.