== Secure Software Design - Academic year 2016/2017 ==

=== Course information ===

'''Lecturer''': [[http://www.alviano.net|Mario Alviano]]

'''Office hours''': consult my [[http://www.alviano.net|homepage]]

'''Assistant''': Davide Fuscà

=== Notice board ===

 * '''19/01/2017 17:00''': Students who have attended at least 70% of the course: [[http://archives.alviano.net/teaching/ssd-2016-2017/FirmeFrequenza_2016-2017.pdf|download]]

=== Schedule ===

'''Lecture Hall''': MT15

==== Lectures ====

 * 27/09/2016 15:00-17:00 - Introduction and Java DCL
 * 29/09/2016 15:00-17:00 - Java - IDS
 * 05/10/2016 17:00-19:00 - Java - EXP, NUM
 * 06/10/2016 15:00-17:00 - Java - OBJ
 * 12/10/2016 17:00-19:00 - Java - MET, ERR
 * 13/10/2016 15:00-17:00 - Web Goat - Insecure Communication, Authentication Flaws, Code Quality
 * 19/10/2016 17:00-19:00 - Web Goat - Injection Flaws
 * 20/10/2016 15:00-17:00 - Web Goat - Ajax Security
 * 26/10/2016 17:00-19:00 - Web Goat - Cross-Site Scripting
 * 27/10/2016 15:00-17:00 - Web Goat - Parameter Tampering, Session Management Flaws
 * 02/11/2016 17:00-19:00 - Java - VNA, LCK
 * 03/11/2016 15:00-17:00 - Java - THI, TPS, TSM
 * 09/11/2016 17:00-19:00 - Low level attacks - Assembly Language (part 1)
 * 10/11/2016 15:00-17:00 - Low level attacks - Assembly Language (part 2)
 * 16/11/2016 17:00-19:00 - Low level attacks - Disassembler and debugger
 * 17/11/2016 15:00-17:00 - Low level attacks - Shellcode
 * 23/11/2016 17:00-19:00 - Protostar - Stack (part 1)
 * 24/11/2016 15:00-17:00 - Protostar - Stack (part 2)
 * 30/11/2016 17:00-19:00 - Low level attacks - Format string vulnerabilities (part 1)
 * 01/12/2016 15:00-17:00 - Low level attacks - Format string vulnerabilities (part 2)
 * 07/12/2016 17:00-19:00 - Protostar - Format string vulnerabilities (part 1)
 * 14/12/2016 17:00-19:00 - Protostar - Format string vulnerabilities (part 2)
 * 15/12/2016 15:00-17:00 - Low level attacks - Final remarks
 * 21/12/2016 17:00-19:00 - Nebula - Privilege escalation (part 1)
 * 22/12/2016 15:00-17:00 - Nebula - Privilege escalation (part 2)
 * 12/01/2017 15:00-17:00 - OWASP Mutillidae II - Summary exercises
 * 18/01/2017 17:00-19:00 - Low level attacks - Summary exercises
 * 19/01/2017 15:00-17:00 - Low level attacks - Summary exercises

=== Course material ===

==== Slides ====

 1. Introduction and Java Declarations and Initialization (DCL): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation01.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout01.pdf|handout]]
 1. Java - Input Validation and Data Sanitization (IDS): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation02.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout02.pdf|handout]]
 1. Java - Expressions (EXP): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation03.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout03.pdf|handout]]
 1. Java - Numeric Types and Operations (NUM): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation04.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout04.pdf|handout]]
 1. Java - Object Orientation (OBJ): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation05.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout05.pdf|handout]]
 1. Java - Methods (MET): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation06.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout06.pdf|handout]]
 1. Java - Exceptional Behavior (ERR): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation07.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout07.pdf|handout]]
 1. Java - Visibility and Atomicity (VNA): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation08.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout08.pdf|handout]]
 1. Java - Locking (LCK): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation09.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout09.pdf|handout]]
 1. Java - Thread APIs (THI): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation10.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout10.pdf|handout]]
 1. Java - Thread Pools (TPS) and Thread-Safety Miscellaneous (TSM): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation11.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout11.pdf|handout]]
 1. Low level attacks - Assembly (part 1): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation12.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout12.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2016-2017/examples12.zip|examples]]
 1. Low level attacks - Assembly (part 2): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation13.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout13.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2016-2017/examples13.zip|examples]]
 1. Low level attacks - Disassembler and debugger: [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation14.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout14.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2016-2017/examples14.zip|examples]]
 1. Low level attacks - Shellcode: [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation15.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout15.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2016-2017/examples15.zip|examples]]
 1. Low level attacks - Format string vulnerabilities (part 1): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation16.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout16.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2016-2017/examples16.zip|examples]]
 1. Low level attacks - Format string vulnerabilities (part 2): [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation17.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout17.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2016-2017/examples17.zip|examples]]
 1. Low level attacks - Final remarks: [[http://archives.alviano.net/teaching/ssd-2016-2017/presentation18.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2016-2017/handout18.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2016-2017/examples18.zip|examples]]

==== Exercises to Solve at Home ====

 * SQL Injection on [[https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project|OWASP Mutillidae II]] up to Client-side Security
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Extract Data | User Info (SQL)
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Bypass Authentication | Login
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register
 * HTML Injection & XSS on [[https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project|OWASP Mutillidae II]] up to Client-side Security
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | View Captured Data
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register
 * [[https://www.root-me.org/en/Challenges/App-Script/|App-Script]] challenges from [[https://www.root-me.org|root-me.org]]: the goal is to read the content of the file .passwd
  1. [[https://www.root-me.org/en/Challenges/App-Script/ELF32-System-1|ELF32 - System 1]]
  1. [[https://www.root-me.org/en/Challenges/App-Script/ELF32-System-2|ELF32 - System 2]]
  1. [[https://www.root-me.org/en/Challenges/App-Script/Bash-cron|Bash - cron]]: the crontab of app-script-ch4-cracked runs a script that in turn runs everything in the cron.d directory.
  1. [[https://www.root-me.org/en/Challenges/App-Script/Perl-command-injection|Perl - Command injection]]
  1. [[https://www.root-me.org/en/Challenges/App-Script/sudo-weak-configuration|sudo - weak configuration]]: use '''sudo -l''' to list the allowed (and forbidden) commands; the password is in ch1cracked/.passwd
 * [[https://www.root-me.org/en/Challenges/App-System/|App-System]] challenges from [[https://www.root-me.org|root-me.org]]: the goal is to read the content of the file .passwd
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-1|ELF32 - Stack buffer overflow basic 1]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-2|ELF32 - Stack buffer overflow basic 2]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-3|ELF32 - Stack buffer overflow basic 3]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-6|ELF32 - Stack buffer overflow basic 6]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-BSS-buffer-overflow|ELF32 - BSS buffer overflow]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Race-condition|ELF32 - Race condition]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Format-string-bug-basic-1|ELF32 - Format string bug basic 1]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Format-string-bug-basic-2|ELF32 - Format string bug basic 2]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Format-String-Bug-Basic-3|ELF32 - Format string bug basic 3]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-4|ELF32 - Stack buffer overflow basic 4]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-5|ELF32 - Stack buffer overflow basic 5]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-and-integer-overflow|ELF32 - Stack buffer and integer overflow]]
  ''Hint:'' Use {{{%N$x}}}, where N is a positive integer, to print the N-th dword after the format string. For example, {{{printf("%2$x", 0x10, 0x20, 0x30)}}} prints the second argument, 0x20 (output {{{20}}}). Similarly, use {{{%N$n}}} to write into the N-th dword after the format string. This hint also applies to the other format string bug exercises.

==== Programs ====

 * Pigeon Hole Problem: [[http://archives.alviano.net/teaching/km-2013-2014/php.pl|perl]], [[http://archives.alviano.net/teaching/km-2013-2014/php.py|python]]

==== Books ====

 * The CERT Oracle Secure Coding Standard for Java, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda [[http://www.informit.com/store/cert-oracle-secure-coding-standard-for-java-9780321803955|web page of the book]]
 * Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda [[http://www.informit.com/store/java-coding-guidelines-75-recommendations-for-reliable-9780133439519|web page of the book]]
 * Secure Coding in C and C++, 2nd Edition, Robert C. Seacord [[http://www.informit.com/store/secure-coding-in-c-and-c-plus-plus-9780321822130|web page of the book]]
 * The Shellcoder's Handbook: Discovering and Exploiting Security Holes (Second Edition), Chris Anley, John Heasman, Felix "FX" Linder, Gerardo Richarte [[http://eu.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html|web page of the book]]
 * Security Engineering, Ross J. Anderson [[http://www.cl.cam.ac.uk/~rja14/book.html|free book]]
 * Hacking - The Art of Exploitation, Jon Erickson [[https://en.wikipedia.org/wiki/Hacking:_The_Art_of_Exploitation|Wikipedia page of the book]]
 * Secure Software Design, Theodor Richardson and Charles Thies [[http://www.jblearning.com/catalog/9781449626327/|web page of the book]]

==== Web Pages ====

 * [[https://www.securecoding.cert.org/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java|SEI CERT Oracle Coding Standard for Java]]
 * [[https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637|SEI CERT C++ Coding Standard]]
 * [[https://www.owasp.org/index.php/Main_Page|OWASP]]
 * [[https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project|WebGoat Project]]
 * [[https://exploit-exercises.com/|exploit-exercises.com]]
 * [[https://xss-game.appspot.com/|XSS exercises]]
 * [[https://www.tutorialspoint.com/assembly_programming/index.htm|Assembly Programming Tutorial]]
 * [[http://www.cs.virginia.edu/~evans/cs216/guides/x86.html|x86 Assembly Guide]]

=== Exams ===

 * 08/02/2017 9:00 - Lab 31/b
 * 01/03/2017 9:00 - Lab 31/b
 * 05/07/2017 9:00 - Lab 31/b
 * 26/07/2017 9:00 - Lab 31/b
 * 20/09/2017 9:00 - Lab 31/b