Course unit: CYBERSECURITY LABORATORY
Degree programme | Computer Science (Informatica) |
---|---|
Course code | A002079 |
Curriculum | Cybersecurity |
Lecturer in charge | Stefano Bistarelli |
Lecturers | |
Hours | |
ECTS credits (CFU) | 6 |
Regulations | Cohort 2020 |
Delivered | Delivered in 2020/21 |
Delivered under other regulations | |
Activity | Core (caratterizzante) |
Field | Computer science disciplines |
Scientific sector | INF/01 |
Period | Second semester |
Course type | Required (Obbligatorio) |
Activity type | Single-discipline course unit |
Teaching language | English. Italian on request. |
Contents | 1. Introduction; 2. ACM curriculum guidelines for IAS; 3. History of security; 4. IAS/Foundational Concepts in Security; 5. IAS/Principles of Secure Design; 6. IAS/Defensive Programming; 7. IAS/Threats and Attacks; 8. IAS/Network Security; 9. IAS/Cryptography; 10. Laboratory activity; 11. Capture the Flag competition (CTF) |
Reference texts | Lecturer's handouts and the textbooks recommended in class: |
Learning objectives | Understand and apply the meaning of information security in its attributes of confidentiality, integrity and availability. Understand and address the problems of systems that are secure but connected to insecure networks. Understand and apply the most important notions of computer security, network security, and data and program security. Understand and be able to handle attacks on, and compromises of, systems, networks and mobile devices. |
Prerequisites | Computer programming in C; basic character encoding systems (e.g. ASCII); computer networks; basic understanding of common programming languages: JavaScript, PHP, Python, Bash, SQL; basic networking skills; basic operating systems skills; knowledge of binary executable formats and their structure; basic understanding of the HTTP protocol; basic Linux system knowledge; basic Linux CLI knowledge |
Teaching methods | Lectures and laboratory sessions. Possible guest seminars and exercises. |
Other information | Attendance is strongly recommended. |
Assessment method | Oral examination, lasting on average 30 minutes, on topics from the whole programme; it assesses the student's presentation skills, the ability to use fundamental techniques and notions appropriately, and the depth of study. Specific projects or seminars are possible. At the student's request the exam may be taken in Italian or in English. For information on support services for students with disabilities and/or specific learning disorders (DSA), see http://www.unipg.it/disabilita-e-dsa |
Extended programme |

01 - Introduction and Ethics
The goal of the lecture is twofold: on the one hand it introduces the Cybersecurity lab activities, presenting the concept of Capture the Flag competitions and some details of the overall training program. On the other hand, it presents some legal and ethical issues related to privacy and data protection, outlining the "limits" a hacker should never overstep. Some warm-up challenges are also proposed: these are relatively easy exercises and come with no explanation. Use Google, learn, try, and enjoy!

02 - Software Security 1
This section is the first of a set of three sections introducing attendees to the wide area of software security. The three sections are scheduled in weeks #2, #7 and #10, respectively. After an introduction to the basic principles of secure programming, students will learn the common techniques and tools used to analyze binary executables statically and dynamically. Moreover, possible attacks based on memory corruption and code reuse are introduced, together with the techniques that mitigate their effects.

03 - Cryptography 1
This lecture is the first of a set of two sections giving attendees an insight into cryptography. The two lessons, scheduled in weeks #3 and #6, respectively, cover both theoretical and practical aspects of cryptography, from historical ciphers to modern encryption techniques. Topics covered: introduction and history of cryptography; symmetric encryption and block ciphers; asymmetric encryption and key exchange algorithms; hash functions; basic steganography techniques.

04 - Web Security 1
This section is the first of a set of two sections giving attendees an insight into the most prevalent web security vulnerabilities. The two lessons, scheduled in weeks #4 and #9, respectively, cover both technical and methodological aspects of web security. Students will learn how to recognize security problems in web applications and how to properly exploit them using the correct toolset. Every module has a tutorial challenge with the basics of the considered vulnerability plus some more advanced challenges. Topics covered: an intro to how HTTP works and web security; file disclosure and server-side request forgery vulnerabilities; code and command injections; SQL injections; an intro to cross-site scripting and client-side vulnerabilities.

05 - Network Security
Students will acquire the fundamental network security concepts, threats, and underlying technologies. They will understand the basic Internet security principles within the state-of-the-art security scenario, and the available defense strategies, solutions and tools, through specific case studies. Upon successful completion of this unit, students should be able to understand the basic principles of communication security and apply them to the evaluation and critical analysis of the fundamental network security properties. They should also identify common vulnerabilities of network infrastructures, recognize the basic attack and defense mechanisms, and apply them to design and evaluate the proper countermeasures.

06 - Cryptography 2
This lecture is the latter of a set of two sections giving attendees an insight into cryptography. The two lessons, scheduled in weeks #4 and #6, respectively, cover both theoretical and practical aspects of cryptography, from historical ciphers to modern encryption techniques. Topics covered: introduction and history of cryptography; symmetric encryption and block ciphers; asymmetric encryption and key exchange algorithms; hash functions; basic steganography techniques.

07 - Software Security 2
This section is the second of a set of three sections introducing attendees to the wide area of software security. The three sections are scheduled in weeks #2, #7 and #10, respectively. After an introduction to the basic principles of secure programming, students will learn the common techniques and tools used to analyze binary executables statically and dynamically. Moreover, possible attacks based on memory corruption and code reuse are introduced, together with the techniques that mitigate their effects.

08 - Cryptographic Protocols
In this self-contained lecture we cover the basics of cryptographic protocols. A background module on cryptographic protocols introduces motivations, attacks and notation. Two protocols (Needham-Schroeder and Kerberos) are introduced in the following modules. Modules:
CP_1.1 – Cryptographic protocols background: introduction to cryptographic protocols; motivations and definitions; Alice and Bob notation; attacks on protocols: replay attack, man-in-the-middle attack, reflection attack, type flaw attack.
CP_1.2 – Needham-Schroeder protocols: Needham-Schroeder public-key authentication protocol; attack on NSPK; Needham-Schroeder shared-key protocol.
CP_1.3 – Kerberos protocol: Kerberos authentication protocols; authentication phase; authorization phase; service phase.

09 - Web Security 2
This section is the latter of a set of two sections giving attendees an insight into the most prevalent web security vulnerabilities. The two lessons, scheduled in weeks #3 and #9, respectively, cover both technical and methodological aspects of web security. Students will learn how to recognize security problems in web applications and how to properly exploit them using the correct toolset. Every module has a tutorial challenge with the basics of the considered vulnerability plus some more advanced challenges. Topics covered: an intro to how HTTP works and web security; file disclosure and server-side request forgery vulnerabilities; code and command injections; SQL injections; an intro to cross-site scripting and client-side vulnerabilities.

10 - Software Security 3
This section is the last of a set of three sections introducing attendees to the wide area of software security. The three sections are scheduled in weeks #2, #7 and #10, respectively. After an introduction to the basic principles of secure programming, students will learn the common techniques and tools used to analyze binary executables statically and dynamically. Moreover, possible attacks based on memory corruption and code reuse are introduced, together with the techniques that mitigate their effects.

11 - Access Control
The goal of this lesson is to give students an insight into how access control systems work, as well as into common attacks on them. The lesson covers both theoretical and practical aspects of access control, such as UNIX file permissions. Students will learn how to design and configure an access control system, and how to attack a weakly configured one.

12 - Hardware Security
This section introduces some basic concepts related to the role hardware plays in security. The lectures focus on both hardware vulnerabilities and hardware attacks, whereas the proposed challenges use reverse engineering to detect hardware trojans inserted into systems of increasing complexity. Since basic knowledge of hardware systems, their representations, design and programming is required, several crash courses are provided to cover the various aspects. |