== Secure Software Design - Academic year 2017/2018 ==

=== Course information ===

'''Lecturer''': [[http://www.alviano.net|Mario Alviano]]

'''Office hours''': consult my [[http://www.alviano.net|homepage]]

'''Assistant''': Davide Fuscà

=== Notice board ===

 * '''13/01/2018 13:30''': Students who have attended at least 70% of the course: [[http://archives.alviano.net/teaching/ssd-2017-2018/FirmeFrequenza_2017-2018.pdf|download]]
 * '''21/09/2017 11:45''': The course will start on the 4th of October 2017.

=== Schedule ===

'''Lecture Hall''': MT15

==== Lectures ====

 * 04/10/2017 11:30-13:30 - Introduction
 * 05/10/2017 15:00-17:00 - Low level attacks - Assembly Language (part 1)
 * 11/10/2017 11:30-13:30 - Low level attacks - Assembly Language (part 2)
 * 12/10/2017 15:00-17:00 - Low level attacks - Assembly exercises
 * 18/10/2017 11:30-13:30 - Low level attacks - Embedded Security exercises (part 1)
 * 19/10/2017 15:00-17:00 - Low level attacks - Disassembler and debugger
 * 25/10/2017 11:30-13:30 - Low level attacks - Shellcode (part 1)
 * 26/10/2017 15:00-17:00 - Low level attacks - Shellcode (part 2)
 * 01/11/2017 11:30-13:30 - NO LECTURE
 * 02/11/2017 15:00-17:00 - Protostar - Stack (part 1)
 * 08/11/2017 11:30-13:30 - Protostar - Stack (part 2)
 * 09/11/2017 15:00-17:00 - Low level attacks - Format string vulnerabilities (part 1)
 * 15/11/2017 11:30-13:30 - NO LECTURE
 * 16/11/2017 15:00-17:00 - NO LECTURE
 * 22/11/2017 11:30-13:30 - Low level attacks - Format string vulnerabilities (part 2)
 * 23/11/2017 15:00-17:00 - Protostar - Format string vulnerabilities (part 1)
 * 25/11/2017 08:30-13:30 - Exam simulation
 * 29/11/2017 11:30-13:30 - Protostar - Format string vulnerabilities (part 2)
 * 30/11/2017 15:00-17:00 - Low level attacks - Embedded Security exercises (part 2)
 * 06/12/2017 11:30-13:30 - Java - IDS, OBJ
 * 07/12/2017 15:00-17:00 - Java - EXP, NUM, MET, ERR
 * 13/12/2017 11:30-13:30 - Web Goat - Insecure Communication, Authentication Flaws, Code Quality
 * 14/12/2017 15:00-17:00 - Web Goat - Injection Flaws
 * 20/12/2017 11:30-13:30 - Web Goat - Ajax Security, Cross-Site Scripting
 * 21/12/2017 15:00-17:00 - Web Goat - Parameter Tampering, Session Management Flaws
 * 10/01/2018 11:30-13:30 - Nebula - Privilege escalation (part 1)
 * 11/01/2018 15:00-17:00 - Nebula - Privilege escalation (part 2)
 * 13/01/2018 08:30-13:30 - Summary exercises (lab 31/b)
## * 18/01/2018 15:00-17:00 - Low level attacks - Summary exercises
## * 24/01/2017 11:30-13:30 - OWASP Mutillidae II - Summary exercises

=== Course material ===

==== Slides ====

 1. Introduction: [[http://archives.alviano.net/teaching/ssd-2017-2018/presentation01.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2017-2018/handout01.pdf|handout]]
 1. Low level attacks - Assembly (part 1): [[http://archives.alviano.net/teaching/ssd-2017-2018/presentation02.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2017-2018/handout02.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2017-2018/examples02.zip|examples]]
 1. Low level attacks - Assembly (part 2): [[http://archives.alviano.net/teaching/ssd-2017-2018/presentation02.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2017-2018/handout03.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2017-2018/examples03.zip|examples]]
 1. Low level attacks - Disassembler and debugger: [[http://archives.alviano.net/teaching/ssd-2017-2018/presentation04.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2017-2018/handout04.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2017-2018/examples04.zip|examples]]
 1. Low level attacks - Shellcode: [[http://archives.alviano.net/teaching/ssd-2017-2018/presentation05.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2017-2018/handout05.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2017-2018/examples05.zip|examples]]
 1. Low level attacks - Final remarks: [[http://archives.alviano.net/teaching/ssd-2017-2018/presentation06.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2017-2018/handout06.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2017-2018/examples06.zip|examples]]
 1. Low level attacks - Format string vulnerabilities (part 1): [[http://archives.alviano.net/teaching/ssd-2017-2018/presentation07.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2017-2018/handout07.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2017-2018/examples07.zip|examples]]
 1. Low level attacks - Format string vulnerabilities (part 2): [[http://archives.alviano.net/teaching/ssd-2017-2018/presentation08.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2017-2018/handout08.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2017-2018/examples08.zip|examples]]
 1. Java - Input Validation and Data Sanitization (IDS), Object Orientation (OBJ): [[http://archives.alviano.net/teaching/ssd-2017-2018/presentation09.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2017-2018/handout09.pdf|handout]]
 1. Java - Expressions (EXP), Numeric Types and Operations (NUM), Methods (MET), Exceptional Behavior (ERR): [[http://archives.alviano.net/teaching/ssd-2017-2018/presentation10.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2017-2018/handout10.pdf|handout]]

==== Exercises to Solve at Home ====

 * Have a look at the end of the slides; some of the solutions written in class can be found [[http://archives.alviano.net/teaching/ssd-2017-2018/SHARED.zip|here]]
 * Nebula
  * [[https://exploit-exercises.com/nebula/|website]]
  * [[http://archives.alviano.net/teaching/ssd-2017-2018/nebula.zip|Write-ups of suggested exercises]]
 * Protostar
  * [[https://exploit-exercises.com/protostar/|website]]
  * [[http://archives.alviano.net/teaching/ssd-2017-2018/protostar-stack.zip|Write-ups of stack exercises]]
  * [[http://archives.alviano.net/teaching/ssd-2017-2018/protostar-format.zip|Write-ups of format string exercises]]
 * Embedded security
  * [[https://microcorruption.com/cpu/debugger|website]]
  * [[http://archives.alviano.net/teaching/ssd-2017-2018/micro-corruption.zip|Write-ups of suggested exercises]]
 * SQL Injection on [[https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project|OWASP Mutillidae II]] up to Client-side Security
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Extract Data | User Info (SQL)
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Bypass Authentication | Login
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register
 * HTML Injection & XSS on [[https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project|OWASP Mutillidae II]] up to Client-side Security
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | View Captured Data
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register
 * [[https://www.root-me.org/en/Challenges/App-Script/|App-Script]] challenges from [[https://www.root-me.org|root-me.org]]: the goal is to read the content of the file .passwd
  1. [[https://www.root-me.org/en/Challenges/App-Script/ELF32-System-1|ELF32 - System 1]]
  1. [[https://www.root-me.org/en/Challenges/App-Script/ELF32-System-2|ELF32 - System 2]]
  1. [[https://www.root-me.org/en/Challenges/App-Script/Bash-cron|Bash - cron]]: the crontab of app-script-ch4-cracked runs a script that in turn runs everything in the cron.d directory.
  1. [[https://www.root-me.org/en/Challenges/App-Script/Perl-command-injection|Perl - Command injection]]
  1. [[https://www.root-me.org/en/Challenges/App-Script/sudo-weak-configuration|sudo - weak configuration]]: use '''sudo -l''' to list the allowed (and forbidden) commands; the password is in ch1cracked/.passwd
 * [[https://www.root-me.org/en/Challenges/App-System/|App-System]] challenges from [[https://www.root-me.org|root-me.org]]: the goal is to read the content of the file .passwd
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-1|ELF32 - Stack buffer overflow basic 1]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-2|ELF32 - Stack buffer overflow basic 2]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-3|ELF32 - Stack buffer overflow basic 3]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-6|ELF32 - Stack buffer overflow basic 6]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-BSS-buffer-overflow|ELF32 - BSS buffer overflow]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Race-condition|ELF32 - Race condition]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Format-string-bug-basic-1|ELF32 - Format string bug basic 1]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Format-string-bug-basic-2|ELF32 - Format string bug basic 2]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Format-String-Bug-Basic-3|ELF32 - Format string bug basic 3]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-4|ELF32 - Stack buffer overflow basic 4]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-5|ELF32 - Stack buffer overflow basic 5]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-and-integer-overflow|ELF32 - Stack buffer and integer overflow]]
## ''Hint:'' Use %N$x, where N is a positive integer, to print the N-th dword after the format string. For example, printf("%2$x", 0x10, 0x20, 0x30) prints 20, i.e. the second argument 0x20. Similarly, use %N$n to write into the N-th dword after the format string. This hint also applies to the other format string bug exercises.

==== Programs ====

### * Pigeon Hole Problem: [[http://archives.alviano.net/teaching/km-2013-2014/php.pl|perl]], [[http://archives.alviano.net/teaching/km-2013-2014/php.py|python]]
 * ---

==== Books ====

 * Gray Hat Hacking: The Ethical Hacker's Handbook, Daniel Regalado, Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness, Branko Spasojevic, Ryan Linn, Stephen Sims [[http://www.mheducation.co.uk/9780071832380-emea-gray-hat-hacking-the-ethical-hackers-handbook-fourth-edition?aliId=48339208|web page of the book]]
 * The CERT Oracle Secure Coding Standard for Java, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda [[http://www.informit.com/store/cert-oracle-secure-coding-standard-for-java-9780321803955|web page of the book]]
 * Elementary Information Security, Richard E. Smith [[http://www.jblearning.com/catalog/9781284055931/|web page of the book]]
 * System Forensics, Investigation and Response, Chuck Easttom [[http://www.classlearning.co.uk/books/system-forensics-investigation-and-response-third-edition-6049|web page of the book]]

==== Web Pages ====

 * [[https://www.securecoding.cert.org/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java|SEI CERT Oracle Coding Standard for Java]]
 * [[https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637|SEI CERT C++ Coding Standard]]
 * [[https://www.owasp.org/index.php/Main_Page|OWASP]]
 * [[https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project|WebGoat Project]]
 * [[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project|ZAP]]
 * [[https://exploit-exercises.com/|exploit-exercises.com]]
 * [[https://xss-game.appspot.com/|XSS exercises]]
 * [[https://www.tutorialspoint.com/assembly_programming/index.htm|Assembly Programming Tutorial]]
 * [[http://www.cs.virginia.edu/~evans/cs216/guides/x86.html|x86 Assembly Guide]]
 * [[https://godbolt.org/|Online disassembler]]
 * [[https://microcorruption.com/cpu/debugger|Embedded security exercises]]
 * [[http://overthewire.org/wargames/|OverTheWire Wargames (suggested wargame: narnia)]]

=== Exams ===

 * 07/02/2018 9:00 - Lab 31/b
 * 28/02/2018 9:00 - Lab 31/b
 * 05/05/2018 9:00 - Lab 31/b
 * 04/07/2018 9:00 - Lab 31/b
 * 25/07/2018 9:00 - Lab 31/b
 * 19/09/2018 9:00 - Lab 31/b

=== Previous editions ===

 * [[SecureSoftwareDesign/2016-2017|Academic year 2016/2017]]