#acl MarioAlviano:read,write,delete,admin,revert EditorsGroup:read,write,delete,admin,revert All:read

== Secure Software Design - Academic year 2018/2019 ==

=== Course information ===

'''Lecturer''': [[http://www.alviano.net|Mario Alviano]]

'''Office hours''': consult my [[http://www.alviano.net|homepage]]

'''Assistant''': Arnel Zamayla

=== Notice board ===

 * '''18/09/2019 20:10''': Edition 2019/2020 of the course will begin on 2 October 2019
 * '''15/12/2018 09:30''': Students who have attended at least 70% of the course: [[http://archives.alviano.net/teaching/ssd-2018-2019/FirmeFrequenza_2018-2019.pdf|download]]
 * '''18/10/2018 15:20''': Write-ups of Protostar Stack updated
## * '''13/01/2018 13:30''': Students who have attended at least 70% of the course: [[http://archives.alviano.net/teaching/ssd-2017-2018/FirmeFrequenza_2017-2018.pdf|download]]

=== Schedule ===

'''Lecture Hall''': MT15

==== Lectures ====

## 32 hours of lectures
## 24 hours of laboratory
## 56 hours in total

 * 26/09/2018 10:30-13:30 - Introduction
 * 27/09/2018 08:30-10:30 - Low level attacks - Assembly Language (part 1)
 * 03/10/2018 10:30-13:30 - Low level attacks - Assembly Language (part 2)
 * 04/10/2018 08:30-10:30 - Low level attacks - Embedded Security exercises (part 1)
 * 10/10/2018 10:30-13:30 - Low level attacks - Disassembler and debugger
 * 11/10/2018 08:30-10:30 - Low level attacks - Shellcode (part 1)
 * 17/10/2018 10:30-13:30 - Low level attacks - Shellcode (part 2)
 * 18/10/2018 08:30-10:30 - Protostar - Stack
 * 24/10/2018 10:30-13:30 - Low level attacks - Format string vulnerabilities and Protostar (part 1)
 * 25/10/2018 08:30-10:30 - Low level attacks - Embedded Security exercises (part 2)
 * 31/10/2018 10:30-13:30 - Low level attacks - Format string vulnerabilities and Protostar (part 2)
 * 01/11/2018 08:30-10:30 - NO LECTURE
 * 07/11/2018 10:30-13:30 - Narnia - Low level attacks
 * 08/11/2018 08:30-10:30 - Nebula - Privilege escalation
 * 10/11/2018 09:00-13:00 - Exam simulation
 * 14/11/2018 10:30-13:30 - Java - IDS, OBJ, EXP
 * 15/11/2018 08:30-10:30 - Java - NUM, MET, ERR
 * 21/11/2018 10:30-13:30 - Web Goat - Introduction, HTTP Basics and HTTP Proxies
 * 22/11/2018 08:30-10:30 - Web Goat - Injection Flaws
 * 28/11/2018 10:30-13:30 - Web Goat - Authentication Flaws, Cross-Site Scripting, Access Control Flaws, Insecure Communication
 * 29/11/2018 08:30-10:30 - Web Goat - Client Side
 * 15/12/2018 09:00-13:00 - Exam simulation
## * 18/01/2018 08:30-10:30 - Low level attacks - Summary exercises
## * 24/01/2018 10:30-13:30 - OWASP Mutillidae II - Summary exercises

=== Course material ===

==== Slides ====

 1. Introduction: [[http://archives.alviano.net/teaching/ssd-2018-2019/presentation01.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2018-2019/handout01.pdf|handout]]
 1. Low level attacks - Assembly (part 1): [[http://archives.alviano.net/teaching/ssd-2018-2019/presentation02.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2018-2019/handout02.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2018-2019/examples02.zip|examples]]
 1. Low level attacks - Assembly (part 2): [[http://archives.alviano.net/teaching/ssd-2018-2019/presentation03.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2018-2019/handout03.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2018-2019/examples03.zip|examples]]
 1. Low level attacks - Disassembler and debugger: [[http://archives.alviano.net/teaching/ssd-2018-2019/presentation04.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2018-2019/handout04.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2018-2019/examples04.zip|examples]]
 1. Low level attacks - Shellcode: [[http://archives.alviano.net/teaching/ssd-2018-2019/presentation05.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2018-2019/handout05.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2018-2019/examples05.zip|examples]]
 1. Low level attacks - Final remarks: [[http://archives.alviano.net/teaching/ssd-2018-2019/presentation06.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2018-2019/handout06.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2018-2019/examples06.zip|examples]]
 1. Low level attacks - Format string vulnerabilities (part 1): [[http://archives.alviano.net/teaching/ssd-2018-2019/presentation07.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2018-2019/handout07.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2018-2019/examples07.zip|examples]]
 1. Low level attacks - Format string vulnerabilities (part 2): [[http://archives.alviano.net/teaching/ssd-2018-2019/presentation08.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2018-2019/handout08.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2018-2019/examples08.zip|examples]]
 1. Java - Input Validation and Data Sanitization (IDS), Object Orientation (OBJ): [[http://archives.alviano.net/teaching/ssd-2018-2019/presentation09.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2018-2019/handout09.pdf|handout]]
 1. Java - Expressions (EXP), Numeric Types and Operations (NUM), Methods (MET), Exceptional Behavior (ERR): [[http://archives.alviano.net/teaching/ssd-2018-2019/presentation10.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2018-2019/handout10.pdf|handout]]

==== Exercises to Solve at Home ====

 * Have a look at the end of the slides; some solutions written in class can be found [[http://archives.alviano.net/teaching/ssd-2018-2019/SHARED.zip|here]]
 * Nebula
  * [[https://exploit-exercises.com/nebula/|website]]
  * [[https://web.archive.org/web/20170417122617/https://exploit-exercises.com/nebula/|webarchive copy]]
  * [[https://drive.google.com/drive/folders/0B9RbZkKdRR8qLWZBcVBvanlLb1U|iso image]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/nebula-writeups.zip|Write-ups of suggested exercises]]
 * Protostar
  * [[https://exploit-exercises.com/protostar/|website]]
  * [[https://web.archive.org/web/20170318192755/https://exploit-exercises.com/protostar/|webarchive copy]]
  * [[https://drive.google.com/drive/folders/0B9RbZkKdRR8qbkJjQ2VXbWNlQzg|iso image]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/protostar-stack-bin.zip|Binaries of stack exercises]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/protostar-stack-writeups.zip|Write-ups of stack exercises]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/protostar-format-bin.zip|Binaries of format string exercises]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/protostar-format-writeups.zip|Write-ups of format string exercises]]
 * Narnia (Over The Wire)
  * [[http://overthewire.org/wargames/narnia/|website]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/narnia.zip|Write-ups]]
 * Embedded security
  * [[https://microcorruption.com/cpu/debugger|website]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/micro-corruption-writeups.zip|Write-ups of suggested exercises]]
 * SQL Injection on [[https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project|OWASP Mutillidae II]] up to Client-side Security
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Extract Data | User Info (SQL)
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Bypass Authentication | Login
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register
 * HTML Injection & XSS on [[https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project|OWASP Mutillidae II]] up to Client-side Security
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | View Captured Data
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register
 * [[https://www.root-me.org/en/Challenges/App-Script/|App-Script]] challenges from [[https://www.root-me.org|root-me.org]]: the goal is to read the content of the file .passwd
  1. [[https://www.root-me.org/en/Challenges/App-Script/ELF32-System-1|ELF32 - System 1]]
  1. [[https://www.root-me.org/en/Challenges/App-Script/ELF32-System-2|ELF32 - System 2]]
  1. [[https://www.root-me.org/en/Challenges/App-Script/Bash-cron|Bash - cron]]: the crontab of app-script-ch4-cracked runs a script that in turn runs everything in the cron.d directory.
  1. [[https://www.root-me.org/en/Challenges/App-Script/Perl-command-injection|Perl - Command injection]]
  1. [[https://www.root-me.org/en/Challenges/App-Script/sudo-weak-configuration|sudo - weak configuration]]: use '''sudo -l''' to list the allowed (and forbidden) commands; the password is in ch1cracked/.passwd
 * [[https://www.root-me.org/en/Challenges/App-System/|App-System]] challenges from [[https://www.root-me.org|root-me.org]]: the goal is to read the content of the file .passwd
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-1|ELF32 - Stack buffer overflow basic 1]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-2|ELF32 - Stack buffer overflow basic 2]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-3|ELF32 - Stack buffer overflow basic 3]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-6|ELF32 - Stack buffer overflow basic 6]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-BSS-buffer-overflow|ELF32 - BSS buffer overflow]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Race-condition|ELF32 - Race condition]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Format-string-bug-basic-1|ELF32 - Format string bug basic 1]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Format-string-bug-basic-2|ELF32 - Format string bug basic 2]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Format-String-Bug-Basic-3|ELF32 - Format string bug basic 3]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-4|ELF32 - Stack buffer overflow basic 4]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-5|ELF32 - Stack buffer overflow basic 5]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-and-integer-overflow|ELF32 - Stack buffer and integer overflow]]
## ''Hint:'' Use %N$x, where N is a positive integer, to print the N-th dword after the format string. For example, printf("%2$x", 0x10, 0x20, 0x30) prints 0x20. Similarly, use %N$n to write into the N-th dword after the format string. This hint also applies to the other format string bug exercises.

==== Programs ====

### * Pigeon Hole Problem: [[http://archives.alviano.net/teaching/km-2013-2014/php.pl|perl]], [[http://archives.alviano.net/teaching/km-2013-2014/php.py|python]]
 * ---

==== Books ====

 * Gray Hat Hacking: The Ethical Hacker's Handbook, Daniel Regalado, Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness, Branko Spasojevic, Ryan Linn, Stephen Sims [[http://www.mheducation.co.uk/9780071832380-emea-gray-hat-hacking-the-ethical-hackers-handbook-fourth-edition?aliId=48339208|web page of the book]]
 * The CERT Oracle Secure Coding Standard for Java, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda [[http://www.informit.com/store/cert-oracle-secure-coding-standard-for-java-9780321803955|web page of the book]]
 * Elementary Information Security, Richard E. Smith [[http://www.jblearning.com/catalog/9781284055931/|web page of the book]]
 * System Forensics, Investigation and Response, Chuck Easttom [[http://www.classlearning.co.uk/books/system-forensics-investigation-and-response-third-edition-6049|web page of the book]]

==== Web Pages ====

 * [[https://www.securecoding.cert.org/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java|SEI CERT Oracle Coding Standard for Java]]
 * [[https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637|SEI CERT C++ Coding Standard]]
 * [[https://www.owasp.org/index.php/Main_Page|OWASP]]
 * [[https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project|WebGoat Project]]
 * [[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project|ZAP]]
 * [[https://exploit-exercises.com/|exploit-exercises.com]] ([[https://web.archive.org/web/20170417122617/https://exploit-exercises.com|webarchive copy]])
 * [[https://xss-game.appspot.com/|XSS exercises]]
 * [[https://www.tutorialspoint.com/assembly_programming/index.htm|Assembly Programming Tutorial]]
 * [[http://www.cs.virginia.edu/~evans/cs216/guides/x86.html|x86 Assembly Guide]]
 * [[https://godbolt.org/|Online disassembler]]
 * [[https://microcorruption.com/cpu/debugger|Embedded security exercises]]
 * [[http://overthewire.org/wargames/|OverTheWire Wargames (suggested wargames: natas, leviathan)]]

=== Exams ===

 * 01/02/2019 9:00 - Lab 31/b
 * 11/02/2019 9:00 - Lab 31/b
 * 05/07/2019 9:00 - Lab 31/b
 * 19/07/2019 9:00 - Lab 31/b
 * 18/09/2019 9:00 - Lab 31/b

=== Previous editions ===

 * [[SecureSoftwareDesign/2017-2018|Academic year 2017/2018]]
 * [[SecureSoftwareDesign/2016-2017|Academic year 2016/2017]]