#acl MarioAlviano:read,write,delete,admin,revert EditorsGroup:read,write,delete,admin,revert All:read

== Secure Software Design - Academic year 2019/2020 ==

=== Course information ===

'''Lecturer''': [[http://www.alviano.net|Mario Alviano]]

'''Office hours''': consult my [[http://www.alviano.net|homepage]]

=== Notice board ===

'''27/05/2020 11:00''': Exams and the next edition of the course are on Microsoft Teams: [[https://teams.microsoft.com/l/team/19%3a701a358ed3bc4b968dc53ed7fea125a4%40thread.tacv2/conversations?groupId=7bb937db-5b8d-43fc-8a3a-68dd99dd5130&tenantId=7519d0cd-2106-47d9-adcb-320023abff57|follow this link]]

'''20/12/2019 11:20''': Students who have attended at least 70% of the course: [[http://archives.alviano.net/teaching/ssd-2019-2020/FirmeFrequenza_2019-2020.pdf|download]]

'''18/12/2019 10:50''': The first exam will be at 14:00

'''29/10/2019 09:15''': No lecture on 30/10/2019: [[https://www.unical.it/portale/portaltemplates/view/view.cfm?94305|notice]]

=== Schedule ===

'''Lecture Hall''': MT15

==== Lectures ====

## 32 hours of lectures
## 24 hours of laboratory
## 56 hours in total
 * 02/10/2019 10:30-13:30 - Introduction
 * 03/10/2019 08:30-10:30 - Low level attacks - Assembly Language (part 1)
 * 09/10/2019 10:30-13:30 - Low level attacks - Assembly Language (part 2)
 * 10/10/2019 08:30-10:30 - Low level attacks - Embedded Security exercises (part 1)
 * 16/10/2019 10:30-13:30 - Low level attacks - Disassembler and debugger
 * 17/10/2019 08:30-10:30 - Low level attacks - Shellcode (part 1)
 * 23/10/2019 10:30-13:30 - Low level attacks - Shellcode (part 2)
 * 24/10/2019 08:30-10:30 - Protostar - Stack
 * 30/10/2019 10:30-13:30 - NO LECTURE
 * 31/10/2019 08:30-10:30 - Low level attacks - Format string vulnerabilities and Protostar (part 1)
 * 06/11/2019 10:30-13:30 - Low level attacks - Format string vulnerabilities and Protostar (part 2)
 * 07/11/2019 08:30-10:30 - Low level attacks - Embedded Security exercises (part 2)
 * 13/11/2019 10:30-13:30 - Nebula - Privilege escalation
 * 14/11/2019 08:30-10:30 - Narnia - Low level attacks
 * 16/11/2019 13:30-18:30 - Exam simulation
 * 20/11/2019 10:30-13:30 - NO LECTURE
 * 21/11/2019 08:30-10:30 - NO LECTURE
 * 27/11/2019 10:30-13:30 - OWASP Top 10
 * 28/11/2019 08:30-10:30 - Web Goat - Introduction, HTTP Basics and HTTP Proxies
 * 04/12/2019 10:30-13:30 - Web Goat - Injection
 * 05/12/2019 08:30-10:30 - Web Goat - Client Side
 * 11/12/2019 10:30-14:30 - Web Goat - Broken Authentication, Cross-Site Scripting, Broken Access Control, Sensitive Data Exposure
 * 14/12/2019 13:30-18:30 - Exam simulation
## * 18/01/2019 08:30-10:30 - Low level attacks - Summary exercises
## * 24/01/2019 10:30-13:30 - OWASP Mutillidae II - Summary exercises

=== Course material ===

==== Slides ====

 1. Introduction: [[http://archives.alviano.net/teaching/ssd-2019-2020/presentation01.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2019-2020/handout01.pdf|handout]]
 1. Low level attacks - Assembly (part 1): [[http://archives.alviano.net/teaching/ssd-2019-2020/presentation02.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2019-2020/handout02.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2019-2020/examples02.zip|examples]]
 1. Low level attacks - Assembly (part 2): [[http://archives.alviano.net/teaching/ssd-2019-2020/presentation03.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2019-2020/handout03.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2019-2020/examples03.zip|examples]]
 1. Low level attacks - Disassembler and debugger: [[http://archives.alviano.net/teaching/ssd-2019-2020/presentation04.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2019-2020/handout04.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2019-2020/examples04.zip|examples]]
 1. Low level attacks - Shellcode: [[http://archives.alviano.net/teaching/ssd-2019-2020/presentation05.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2019-2020/handout05.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2019-2020/examples05.zip|examples]]
 1. Low level attacks - Final remarks: [[http://archives.alviano.net/teaching/ssd-2019-2020/presentation06.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2019-2020/handout06.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2019-2020/examples06.zip|examples]]
 1. Low level attacks - Format string vulnerabilities (part 1): [[http://archives.alviano.net/teaching/ssd-2019-2020/presentation07.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2019-2020/handout07.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2019-2020/examples07.zip|examples]]
 1. Low level attacks - Format string vulnerabilities (part 2): [[http://archives.alviano.net/teaching/ssd-2019-2020/presentation08.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2019-2020/handout08.pdf|handout]], [[http://archives.alviano.net/teaching/ssd-2019-2020/examples08.zip|examples]]
 1. OWASP Top 10: [[http://archives.alviano.net/teaching/ssd-2019-2020/presentation09.pdf|presentation]]
## 1. Java - Input Validation and Data Sanitization (IDS), Object Orientation (OBJ): [[http://archives.alviano.net/teaching/ssd-2019-2020/presentation09.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2019-2020/handout09.pdf|handout]]
## 1. Java - Expressions (EXP), Numeric Types and Operations (NUM), Methods (MET), Exceptional Behavior (ERR): [[http://archives.alviano.net/teaching/ssd-2019-2020/presentation10.pdf|presentation]], [[http://archives.alviano.net/teaching/ssd-2019-2020/handout10.pdf|handout]]

==== Exercises to Solve at Home ====

 * Have a look at the end of the slides; some solutions written in class can be found [[http://archives.alviano.net/teaching/ssd-2019-2020/SHARED.zip|here]]
 * Nebula
  * [[http://exploit-exercises.lains.space/nebula/|website]]
  * [[https://web.archive.org/web/20170417122617/https://exploit-exercises.com/nebula/|webarchive copy]]
  * [[https://drive.google.com/drive/folders/0B9RbZkKdRR8qLWZBcVBvanlLb1U|iso image]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/nebula-writeups.zip|Write-ups of suggested exercises]]
 * Protostar
  * [[http://exploit-exercises.lains.space/protostar/|website]]
  * [[https://web.archive.org/web/20170318192755/https://exploit-exercises.com/protostar/|webarchive copy]]
  * [[https://drive.google.com/drive/folders/0B9RbZkKdRR8qbkJjQ2VXbWNlQzg|iso image]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/protostar-stack-bin.zip|Binaries of stack exercises]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/protostar-stack-writeups.zip|Write-ups of stack exercises]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/protostar-format-bin.zip|Binaries of format string exercises]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/protostar-format-writeups.zip|Write-ups of format string exercises]]
 * Narnia (Over The Wire)
  * [[http://overthewire.org/wargames/narnia/|website]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/narnia.zip|Write-ups]]
 * Embedded security
  * [[https://microcorruption.com/cpu/debugger|website]]
  * [[http://archives.alviano.net/teaching/ssd-2018-2019/micro-corruption-writeups.zip|Write-ups of suggested exercises]]
 * Web Goat
  * [[https://github.com/WebGoat/WebGoat/releases|WebGoat and WebWolf]]
  * [[http://archives.alviano.net/teaching/ssd-2019-2020/WebGoat-writeups.zip|Write-ups of suggested exercises]]
 * SQL Injection on [[https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project|OWASP Mutillidae II]] up to Client-side Security
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Extract Data | User Info (SQL)
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Bypass Authentication | Login
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register
 * HTML Injection & XSS on [[https://www.owasp.org/index.php/OWASP_Mutillidae_2_Project|OWASP Mutillidae II]] up to Client-side Security
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | View Captured Data
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Add to your blog
  1. OWASP 2013 | A1 Injection (SQL) | SQLi – Insert Injection | Register
 * [[https://www.root-me.org/en/Challenges/App-Script/|App-Script]] challenges from [[https://www.root-me.org|root-me.org]]: the goal is to read the content of the file .passwd
  1. [[https://www.root-me.org/en/Challenges/App-Script/ELF32-System-1|ELF32 - System 1]]
  1. [[https://www.root-me.org/en/Challenges/App-Script/ELF32-System-2|ELF32 - System 2]]
  1. [[https://www.root-me.org/en/Challenges/App-Script/Bash-cron|Bash - cron]]: the crontab of app-script-ch4-cracked runs a script that in turn runs everything in the cron.d directory.
  1. [[https://www.root-me.org/en/Challenges/App-Script/Perl-command-injection|Perl - Command injection]]
  1. [[https://www.root-me.org/en/Challenges/App-Script/sudo-weak-configuration|sudo - weak configuration]]: use '''sudo -l''' to list the allowed (and forbidden) commands; the password is in ch1cracked/.passwd
 * [[https://www.root-me.org/en/Challenges/App-System/|App-System]] challenges from [[https://www.root-me.org|root-me.org]]: the goal is to read the content of the file .passwd
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-1|ELF32 - Stack buffer overflow basic 1]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-2|ELF32 - Stack buffer overflow basic 2]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-3|ELF32 - Stack buffer overflow basic 3]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-6|ELF32 - Stack buffer overflow basic 6]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-BSS-buffer-overflow|ELF32 - BSS buffer overflow]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Race-condition|ELF32 - Race condition]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Format-string-bug-basic-1|ELF32 - Format string bug basic 1]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Format-string-bug-basic-2|ELF32 - Format string bug basic 2]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Format-String-Bug-Basic-3|ELF32 - Format string bug basic 3]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-4|ELF32 - Stack buffer overflow basic 4]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-overflow-basic-5|ELF32 - Stack buffer overflow basic 5]]
  1. [[https://www.root-me.org/en/Challenges/App-System/ELF32-Stack-buffer-and-integer-overflow|ELF32 - Stack buffer and integer overflow]]
## ''Hint:'' Use %N$x, where N is a positive integer, to print the N-th dword after the format string. For example, printf("%2$x", 0x10, 0x20, 0x30) prints 0x20. Similarly, use %N$n to write into the N-th dword after the format string. This hint also applies to the other format string bug exercises.

==== Virtual Machine ====

 * Material for the ASI Workshop on Cyber Security: [[http://archives.alviano.net/asi-alviano.7z|Virtual Machine (2 GB)]], [[http://archives.alviano.net/asi-alviano.pdf|slides]]

==== Books ====

 * Gray Hat Hacking: The Ethical Hacker's Handbook, Daniel Regalado, Shon Harris, Allen Harper, Chris Eagle, Jonathan Ness, Branko Spasojevic, Ryan Linn, Stephen Sims [[http://www.mheducation.co.uk/9780071832380-emea-gray-hat-hacking-the-ethical-hackers-handbook-fourth-edition?aliId=48339208|web page of the book]]
 * The CERT Oracle Secure Coding Standard for Java, Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, David Svoboda [[http://www.informit.com/store/cert-oracle-secure-coding-standard-for-java-9780321803955|web page of the book]]
 * Elementary Information Security, Richard E. Smith [[http://www.jblearning.com/catalog/9781284055931/|web page of the book]]
 * System Forensics, Investigation and Response, Chuck Easttom [[http://www.classlearning.co.uk/books/system-forensics-investigation-and-response-third-edition-6049|web page of the book]]

==== Web Pages ====

 * [[https://www.securecoding.cert.org/confluence/display/java/SEI+CERT+Oracle+Coding+Standard+for+Java|SEI CERT Oracle Coding Standard for Java]]
 * [[https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637|SEI CERT C++ Coding Standard]]
 * [[https://www.owasp.org/index.php/Main_Page|OWASP]]
 * [[https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project|WebGoat Project]]
 * [[https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project|ZAP]]
 * [[http://exploit-exercises.lains.space|Exploit Exercises]] ([[https://web.archive.org/web/20170417122617/https://exploit-exercises.com|webarchive copy]])
 * [[https://xss-game.appspot.com/|XSS exercises]]
 * [[https://www.tutorialspoint.com/assembly_programming/index.htm|Assembly Programming Tutorial]]
 * [[http://www.cs.virginia.edu/~evans/cs216/guides/x86.html|x86 Assembly Guide]]
 * [[https://godbolt.org/|Online disassembler]]
 * [[https://microcorruption.com/cpu/debugger|Embedded security exercises]]
 * [[http://overthewire.org/wargames/|OverTheWire Wargames (suggested wargames: natas, leviathan)]]

=== Exams ===

 * 30/01/2020 14:00 - Lab 31/b
 * 14/02/2020 09:00 - Lab 31/b
 * 08/07/2020 09:00 - Teams - [[http://archives.alviano.net/teaching/ssd-2019-2020/ExamFormat_SSD.pdf|exam format]]
 * 30/07/2020 09:00 - Teams - [[http://archives.alviano.net/teaching/ssd-2019-2020/ExamFormat_SSD.pdf|exam format]]
 * 05/09/2020 09:00 - Teams - [[http://archives.alviano.net/teaching/ssd-2019-2020/ExamFormat_SSD.pdf|exam format]]
 * 18/09/2020 09:00 - Teams - [[http://archives.alviano.net/teaching/ssd-2019-2020/ExamFormat_SSD.pdf|exam format]]

=== Previous editions ===

 * [[SecureSoftwareDesign/2018-2019|Academic year 2018/2019]]
 * [[SecureSoftwareDesign/2017-2018|Academic year 2017/2018]]
 * [[SecureSoftwareDesign/2016-2017|Academic year 2016/2017]]