This course aims at introducing basic concepts and techniques for the development of secure systems and networks. The course is formally split in two modules [CM0475] Security 1 (system security) and [CM0494] Security 2 (network security). This course used to cover cryptography which is now a separate course.
This course is part of the Laurea Magistrale (Master degree) in Computer Science at Ca’ Foscari, Venice.
- [7 Feb. 2017] Course starts today!
- [26 Feb. 2017] The class of Tuesday 28 Feb. 2017 is cancelled (see timetable below)
Oral exam, plus an evaluation on the lab based on challenges and a live CTF.
- J. Erickson, Hacking, the art of exploitation, No starch press, 2008.
- R. J. Anderson, Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley, 2008.
- A. J. Menezes, P. C. van Oorschot, S. A. Vanstone, Handbook of Applied Cryptography, CRC Press.
Virtual meeting point
We set up a 32bit Linux virtual machine called testbed to let you experiment with the proposed exercises. Testbed is also the warbox where we host most challenges on reversing and binary exploitation.
Access is granted to the VM via SSH by typing:
ssh -p 2222 email@example.com
where username is pythonically defined as
(first_name + last_name[:8]).lower() and the password is the one you use to connect to the CTF portal. After logging in, you automatically join a persistent tmux session. We are using the default keybindings, hence starting multiple shells within your session is as easy as typing
Ctrl-b c. To cycle between the windows (i.e., the spawned shells) you can use
Ctrl-b n. We strongly encourage you to read the man page of tmux in order to get familiar with the amazing capabilities of this tool. For instance, if you want to keep an eye on the clock, try
Keep in mind that your session is monitored and we may suddenly jump into your shell to give you some useful hints. Don’t be scared, there’s no ghost in the shell.
Table of contents (updated during the semester!)
- Background and tools
- [7/2/2017] Unix shell
- [8/2/2017] Exercises on Unix shell (online class)
- [9-10/2/2017] Bandit! (Lab 3 + online class)
- Extra material on shell scripting
- [14/2/2017] Introduction to Python (Lab 3)
- [15/2/2017] Exercises on Python (online class)
- [16/2/2017] Python files, regexp, processes (Lab 3)
- [17/2/2017] Challenge – ALIENQUIZ
- Program Exploitation and System Security
- [21/2/2017] Intel assembly
- [22/2/2017] Challenge – VADERMAIL
- [23/2/2017] Program analysis with gdb (Lab 3)
- [24/2/2017] Exercises on gdb (online class)
- [1/3/2017] Tutoring on program analysis and challenges (online class)
- [2/3/2017] Program analysis with IDA (Lab 3)
- [3/3/2017] Exercise on IDA: starcrack (online class)
- [7/3/2017] Overflow and stack protection
- [8/3/2017] Challenge – overSHAde
- [9/3/2017] Overwriting return address
- [10/3/2017] Exercises on canary
- [14/3/2017]Format strings
- [15/3/2017] Challenge – STARCALC
- [16/3/2017] Secure coding
- [17/3/2017] Online tutoring
- [21/3/2017] CTF bootstrap! (read some useful tips for the CTF)
- [22/3/2017] First CTF service: robofs
- [23/3/2017] Access Control
- [24/3/2017] CTF starts! (read how to use sockets in python)
- Network security
- Web security
- [11/4/2017] SQL injections
- [12/4/2017] Challenge – 2STEP
- [18/4/2017] Blind SQL injections
- [19/4/2017] Exercise on blind injections
- [TBA] Cross site scripting (XSS)
- [TBA] Exercise: the multi-room chat service (open this in an incognito window!)
- [TBA] Cross site request forgery (CSRF)
- [TBA] CSRF Exercises
- [TBA] Web malware: samy, the MySpace worm
- [TBA] Third CTF service: php
- Applied Cryptography
NOTE: These pages will be continuously updated during the whole semester. If you have comments/questions please post them.