Secure Software Design - Academic year 2016/2017

Course information

Lecturer: Mario Alviano

Office hours: consult my homepage

Assistant: Davide Fuscà

Notice board

• 19/01/2017 17:00: Students who have attended at least 70% of the course: download

Schedule

Lecture Hall: MT15

Lectures

• 27/09/2016 15:00-17:00 - Introduction and Java DCL
• 29/09/2016 15:00-17:00 - Java - IDS
• 05/10/2016 17:00-19:00 - Java - EXP, NUM
• 06/10/2016 15:00-17:00 - Java - OBJ
• 12/10/2016 17:00-19:00 - Java - MET, ERR
• 13/10/2016 15:00-17:00 - Web Goat - Insecure Communication, Authentication Flaws, Code Quality
• 19/10/2016 17:00-19:00 - Web Goat - Injection Flaws
• 20/10/2016 15:00-17:00 - Web Goat - Ajax Security
• 26/10/2016 17:00-19:00 - Web Goat - Cross-Site Scripting
• 27/10/2016 15:00-17:00 - Web Goat - Parameter Tampering, Session Management Flaws
• 02/11/2016 17:00-19:00 - Java - VNA, LCK
• 03/11/2016 15:00-17:00 - Java - THI, TPS, TSM
• 09/11/2016 17:00-19:00 - Low level attacks - Assembly Language (part 1)
• 10/11/2016 15:00-17:00 - Low level attacks - Assembly Language (part 2)
• 16/11/2016 17:00-19:00 - Low level attacks - Disassembler and debugger
• 17/11/2016 15:00-17:00 - Low level attacks - Shellcode
• 23/11/2016 17:00-19:00 - Protostar - Stack (part 1)
• 24/11/2016 15:00-17:00 - Protostar - Stack (part 2)
• 30/11/2016 17:00-19:00 - Low level attacks - Format string vulnerabilities (part 1)
• 01/12/2016 15:00-17:00 - Low level attacks - Format string vulnerabilities (part 2)
• 07/12/2016 17:00-19:00 - Protostar - Format string vulnerabilities (part 1)
• 14/12/2016 17:00-19:00 - Protostar - Format string vulnerabilities (part 2)
• 15/12/2016 15:00-17:00 - Low level attacks - Final remarks
• 21/12/2016 17:00-19:00 - Nebula - Privilege escalation (part 1)
• 22/12/2016 15:00-17:00 - Nebula - Privilege escalation (part 2)
• 12/01/2017 15:00-17:00 - OWASP Mutillidae II - Summary exercises
• 18/01/2017 17:00-19:00 - Low level attacks - Summary exercises
• 19/01/2017 15:00-17:00 - Low level attacks - Summary exercises

Course material

Slides

1. Introduction and Java Declarations and Initialization (DCL): presentation, handout

2. Java - Input Validation and Data Sanitization (IDS): presentation, handout

3. Java - Expressions (EXP): presentation, handout

4. Java - Numeric Types and Operations (NUM): presentation, handout

5. Java - Object Orientation (OBJ): presentation, handout

6. Java - Methods (MET): presentation, handout

7. Java - Exceptional Behavior (ERR): presentation, handout

8. Java - Visibility and Atomicity (VNA): presentation, handout

9. Java - Locking (LCK): presentation, handout

10. Java - Thread APIs (THI): presentation, handout

11. Java - Thread Pools (TPS) and Thread-Safety Miscellaneous (TSM): presentation, handout

12. Low level attacks - Assembly (part 1): presentation, handout, examples

13. Low level attacks - Assembly (part 2): presentation, handout, examples

14. Low level attacks - Disassembler and debugger: presentation, handout, examples

15. Low level attacks - Shellcode: presentation, handout, examples

16. Low level attacks - Format string vulnerabilities (part 1): presentation, handout, examples

17. Low level attacks - Format string vulnerabilities (part 2): presentation, handout, examples

18. Low level attacks - Final remarks: presentation, handout, examples

Exercises to Solve at Home

• SQL Injection on OWASP Mutillidae II up to Client-side Security

  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Extract Data | User Info (SQL)
  2. OWASP 2013 | A1 Injection (SQL) | SQLi – Bypass Authentication | Login
  3. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  4. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register

• HTML Injection & XSS on OWASP Mutillidae II up to Client-side Security

  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | View Captured Data
  2. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  3. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register

• App-Script challenges from root-me.org: the scope is to read the content of file .passwd

  1. ELF32 - System 1

  2. ELF32 - System 2

  3. Bash - cron: the crontab of app-script-ch4-cracked runs a script that in turn runs everything in cron.d directory.

  4. Perl - Command injection

  5. sudo - weak configuration: use sudo -l to list the allowed (and forbidden) commands; the password is in ch1cracked/.passwd

• App-System challenges from root-me.org: the scope is to read the content of file .passwd

  1. ELF32 - Stack buffer overflow basic 1

  2. ELF32 - Stack buffer overflow basic 2

  3. ELF32 - Stack buffer overflow basic 3

  4. ELF32 - Stack buffer overflow basic 6

  5. ELF32 - BSS buffer overflow

  6. ELF32 - Race condition

  7. ELF32 - Format string bug basic 1

  8. ELF32 - Format string bug basic 2

  9. ELF32 - Format string bug basic 3

  10. ELF32 - Stack buffer overflow basic 4

  11. ELF32 - Stack buffer overflow basic 5

  12. ELF32 - Stack buffer and integer overflow

Programs

• ---

Books

• The CERT Oracle Secure Coding Standard for Java, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda

  web page of the book

• Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda

  web page of the book

• Secure Coding in C and C++, 2nd Edition, Robert C. Seacord

  web page of book

• The Shellcoder's Handbook: Discovering and Exploiting Security Holes (Second Edition), Chris Anley, John Heasman, Felix "FX" Linder, Gerardo Richarte

  web page of book

• Security Engineering, Ross J. Anderson

  Free book

• Hacking - The art of exploitation, Jon Erickson

  Wikipedia page of the book

• Secure Software Design, Theodor Richardson e Charles Thies

  web page of the book

Web Pages

• SEI CERT Oracle Coding Standard for Java

• SEI CERT C++ Coding Standard

• OWASP

• WebGoat Project

• exploit-exercises.com

• XSS exercises

• Assembly Programming Tutorial

• x86 Assembly Guide

Exams

• 08/02/2017 9:00 - Lab 31/b
• 01/03/2017 9:00 - Lab 31/b
• 05/07/2017 9:00 - Lab 31/b
• 26/07/2017 9:00 - Lab 31/b
• 20/09/2017 9:00 - Lab 31/b