Secure Software Design - Academic year 2016/2017
Course information
Lecturer: Mario Alviano
Office hours: consult my homepage
Assistant: Davide Fuscà
Notice board
19/01/2017 17:00: Students who have attended at least 70% of the course: download
Schedule
Lecture Hall: MT15
Lectures
- 27/09/2016 15:00-17:00 - Introduction and Java DCL
- 29/09/2016 15:00-17:00 - Java - IDS
- 05/10/2016 17:00-19:00 - Java - EXP, NUM
- 06/10/2016 15:00-17:00 - Java - OBJ
- 12/10/2016 17:00-19:00 - Java - MET, ERR
- 13/10/2016 15:00-17:00 - Web Goat - Insecure Communication, Authentication Flaws, Code Quality
- 19/10/2016 17:00-19:00 - Web Goat - Injection Flaws
- 20/10/2016 15:00-17:00 - Web Goat - Ajax Security
- 26/10/2016 17:00-19:00 - Web Goat - Cross-Site Scripting
- 27/10/2016 15:00-17:00 - Web Goat - Parameter Tampering, Session Management Flaws
- 02/11/2016 17:00-19:00 - Java - VNA, LCK
- 03/11/2016 15:00-17:00 - Java - THI, TPS, TSM
- 09/11/2016 17:00-19:00 - Low level attacks - Assembly Language (part 1)
- 10/11/2016 15:00-17:00 - Low level attacks - Assembly Language (part 2)
- 16/11/2016 17:00-19:00 - Low level attacks - Disassembler and debugger
- 17/11/2016 15:00-17:00 - Low level attacks - Shellcode
- 23/11/2016 17:00-19:00 - Protostar - Stack (part 1)
- 24/11/2016 15:00-17:00 - Protostar - Stack (part 2)
- 30/11/2016 17:00-19:00 - Low level attacks - Format string vulnerabilities (part 1)
- 01/12/2016 15:00-17:00 - Low level attacks - Format string vulnerabilities (part 2)
- 07/12/2016 17:00-19:00 - Protostar - Format string vulnerabilities (part 1)
- 14/12/2016 17:00-19:00 - Protostar - Format string vulnerabilities (part 2)
- 15/12/2016 15:00-17:00 - Low level attacks - Final remarks
- 21/12/2016 17:00-19:00 - Nebula - Privilege escalation (part 1)
- 22/12/2016 15:00-17:00 - Nebula - Privilege escalation (part 2)
- 12/01/2017 15:00-17:00 - OWASP Mutillidae II - Summary exercises
- 18/01/2017 17:00-19:00 - Low level attacks - Summary exercises
- 19/01/2017 15:00-17:00 - Low level attacks - Summary exercises
Course material
Slides
Introduction and Java Declarations and Initialization (DCL): presentation, handout
Java - Input Validation and Data Sanitization (IDS): presentation, handout
Java - Expressions (EXP): presentation, handout
Java - Numeric Types and Operations (NUM): presentation, handout
Java - Object Orientation (OBJ): presentation, handout
Java - Methods (MET): presentation, handout
Java - Exceptional Behavior (ERR): presentation, handout
Java - Visibility and Atomicity (VNA): presentation, handout
Java - Locking (LCK): presentation, handout
Java - Thread APIs (THI): presentation, handout
Java - Thread Pools (TPS) and Thread-Safety Miscellaneous (TSM): presentation, handout
Low level attacks - Assembly (part 1): presentation, handout, examples
Low level attacks - Assembly (part 2): presentation, handout, examples
Low level attacks - Disassembler and debugger: presentation, handout, examples
Low level attacks - Shellcode: presentation, handout, examples
Low level attacks - Format string vulnerabilities (part 1): presentation, handout, examples
Low level attacks - Format string vulnerabilities (part 2): presentation, handout, examples
Low level attacks - Final remarks: presentation, handout, examples
Exercises to Solve at Home
SQL Injection on OWASP Mutillidae II up to Client-side Security
- OWASP 2013 | A1 Injection (SQL) | SQLi – Extract Data | User Info (SQL)
- OWASP 2013 | A1 Injection (SQL) | SQLi – Bypass Authentication | Login
- OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
- OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register
HTML Injection & XSS on OWASP Mutillidae II up to Client-side Security
- OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | View Captured Data
- OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
- OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register
App-Script challenges from root-me.org: the goal is to read the content of the file .passwd
Bash - cron: the crontab of app-script-ch4-cracked runs a script that in turn runs everything in the cron.d directory.
sudo - weak configuration: use sudo -l to list the allowed (and forbidden) commands; the password is in ch1cracked/.passwd
App-System challenges from root-me.org: the goal is to read the content of the file .passwd
Programs
Books
- The CERT Oracle Secure Coding Standard for Java, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda
- Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda
- Secure Coding in C and C++, 2nd Edition, Robert C. Seacord
- The Shellcoder's Handbook: Discovering and Exploiting Security Holes (Second Edition), Chris Anley, John Heasman, Felix "FX" Linder, Gerardo Richarte
- Security Engineering, Ross J. Anderson
- Hacking - The art of exploitation, Jon Erickson
- Secure Software Design, Theodor Richardson and Charles Thies
Web Pages
Exams
- 08/02/2017 9:00 - Lab 31/b
- 01/03/2017 9:00 - Lab 31/b
- 05/07/2017 9:00 - Lab 31/b
- 26/07/2017 9:00 - Lab 31/b
- 20/09/2017 9:00 - Lab 31/b