Insegnamento CYBERSECURITY LABORATORY

Nome del corso di laurea Informatica
Codice insegnamento A002079
Curriculum Cybersecurity
Docente responsabile Stefano Bistarelli
Docenti
  • Stefano Bistarelli
  • Francesco Santini (Codocenza)
Ore
  • 36 Ore - Stefano Bistarelli
  • 36 Ore (Codocenza) - Francesco Santini
CFU 6
Regolamento Coorte 2020
Erogato Erogato nel 2020/21
Erogato altro regolamento
Attività Caratterizzante
Ambito Discipline informatiche
Settore INF/01
Periodo Secondo Semestre
Tipo insegnamento Obbligatorio (Required)
Tipo attività Attività formativa monodisciplinare
Lingua insegnamento Inglese. Se richiesto in Italiano.
Contenuti 1 Introduzione
2 ACM curriculum guidelines per IAS
3 Storia della Sicurezza
4 IAS/Foundational Concepts in Security
5 IAS/Principles of Secure Design
6 IAS/Defensive Programming
7 IAS/Threats and Attacks
8 IAS/Network Security
9 IAS/Cryptography
10 laboratory activity
11 Capture the Flag competition (CTF)
Testi di riferimento Dispense docente e libri di testo consigliati a lezione:

Obiettivi formativi Capire e applicare il significato di sicurezza informatica nei suoi attributi di confidenzialità, integrità e disponibilità.
Capire e applicare le problematiche dei sistemi Sicuri ma connessi su reti insicure.
Capire e applicare le nozioni più importanti di sicurezza informatica, sicurezza di rete e sicurezza dei dati e dei programmi.
Capire e saper gestire attacchi e compromissioni di sistemi, reti e dispositivi mobili.
Prerequisiti Computer Programming in C
Basic character encoding system (e.g. ASCII)
Computer Networks
Basic understanding of common programming languages:JavaScript, PHP, Python, Bash, SQL
Basic Networking Skills
Basic Operating Systems Skills
Knowledge about binary executable formats and their structure
Basic understanding of the HTTP Protocol
Basic Linux system knowledge
Basic Linux CLI knowledge
Metodi didattici Lezioni frontali e di laboratorio. Possibili seminari ed esercitazioni di ospiti.
Altre informazioni Frequenza è fortemente consigliata.
Modalità di verifica dell'apprendimento Colloquio orale della durata media di 30 minuti su argomenti di tutto il programma che evidenzia le capacità espositive dello studente, le sue capacità d'utilizzo appropriato di tecniche e nozioni fondamentali e l'approfondimento dello studio.
Possibilità di specifici progetti o seminari.
Su richiesta dello studente l'esame può' essere sostenuto in lingua Italiana o Inglese.

Per informazioni sui servizi di supporto agli studenti con disabilità e/o DSA visita la pagina http://www.unipg.it/disabilita-e-dsa
Programma esteso 01 - Introduction and Ethics
The goal of the lecture is twofold: from the one hand it aims at introducing the Cybersecurity lab activities, presenting the concept of Capture the Flag competitions and some details of the overall training program. From the other hand, it presents some legal and ethical issues related to privacy and data protection, outlining the "limits" a hacker should never overpass.
Some warm-up challenges are also proposed: these are relatively easy exercises and come with no explanation. Use Google, learn, try, and enjoy!
02 - Software Security 1
This section is the first one of a set of 3 sections aimed at introducing attendees in the wide area of software security. The 3 sections are scheduled in week #2, 7, and 10, respectively.
After an introduction to basic principles of Secure Programming, students will learn common the techniques and tools that can be used to analyze statically and dynamically binary executables. Moreover, possible attacks based on memory corruption and code reuse are introduced together with the techniques that allow to mitigate their effects.
03 - Cryptography 1
This lecture is the former one of a set of two sections aimed at giving attendees an insight into cryptography. The two lessons, scheduled in weeks #3 and #6, respectively, will cover both theoretical and practical aspects of cryptography starting from the historical ciphers to the modern encryption techniques.
Topics covered are:
Introduction and history of cryptography
Symmetric encryption and block ciphers
Asymmetric encryption and key exchange algorithms
Hash functions
Basic steganography techniques
04 - Web Security 1
This section is the former one of a set of two sections aimed at giving attendees an insight into the most prevalent web security vulnerabilities. The two lessons, scheduled in weeks # 4 and week # 9, respectively, will cover both technical arguments and both methodological aspects of web security. Students will learn how to recognize security problems in web applications and how to properly exploit them using the correct toolset. Every module has a tutorial challenge with the basics of the considered vulnerability plus some more advanced challenges. Topics covered are:
An intro to how HTTP works and web security
File disclosure and Server-Side request forgery vulnerabilities
Code and Command injections
SQL injections
An intro to cross-site scripting and client-side vulnerabilities
05 - Network Security
Students will acquire the fundamental network security concepts, menaces, and underlying technologies. They will understand the basic internet security principles within the state-of-the-art security scenario and the available defense strategies, solutions and tools through specific case studies.
Upon successful completion of this unit, the students should be able to understand the basic principles for communication security, and apply these principles to the evaluation and critical analysis of the fundamental network security properties
They should also identify common vulnerabilities of network infrastructures and recognize the basic attack and defense mechanisms, as well as apply them to design and evaluate the proper countermeasures.
06 - Cryptography 2
This lecture is the former one of a set of two sections aimed at giving attendees an insight into cryptography. The two lessons, scheduled in weeks #4 and #6, respectively, will cover both theoretical and practical aspects of cryptography starting from the historical ciphers to the modern encryption techniques.
Topics covered are:
Introduction and history of cryptography
Symmetric encryption and block ciphers
Asymmetric encryption and key exchange algorithms
Hash functions
Basic steganography techniques
07 - Software Security 2
This section is the second one of a set of 3 sections aimed at introducing attendees in the wide area of software security. The 3 sections are scheduled in week # 2, 7, and 10, respectively.
After an introduction to basic principles of Secure Programming, students will learn common the techniques and tools that can be used to analyze statically and dynamically binary executables. Moreover, possible attacks based on memory corruption and code reuse are introduced together with the techniques that allow to mitigate their effects.
08 - Cryptographic Protocols
In this self-contained lecture we will cover the basics of cryptographic protocols. A basic background module about cryptographic protocols introduce motivations, attacks and notations. Two protocols (Needham-Schroeder and Kerberos) are introduced in the next modules.
Modules
CP_1.1 – Cryptographic protocols background
Introduction to cryptographic protocols
Motivations an definitions
Alice and Bob notation
Attacks in protocols
Replay attack
Man-in-the-middle attack
Reflection attack
Type flaw attack
CP_1.2 – Needham-Schroeder Protocols
Needham-Schroeder Public Key Authentication Protocol
Attack on NSPK
Needham-Schroeder Shared-Key Protocol
CP_1.3 – Kerberos Protocol
Kerberos Authentication Protocols
Authentication phase
Authorization phase
Service phase
09 - Web Security 2
This section is the latter one of a set of two sections aimed at giving attendees an insight into the most prevalent web security vulnerabilities. The two lessons, scheduled in weeks # 3 and week # 9, respectively, will cover both technical arguments and both methodological aspects of web security. Students will learn how to recognize security problems in web applications and how to properly exploit them using the correct toolset. Every module has a tutorial challenge with the basics of the considered vulnerability plus some more advanced challenges. Topics covered are:
An intro to how HTTP works and web security
File disclosure and Server-Side request forgery vulnerabilities
Code and Command injections
SQL injections
An intro to cross-site scripting and client-side vulnerabilities
10 - Software Security 3
This section is the last one of a set of 3 sections aimed at introducing attendees in the wide area of software security. The 3 sections are scheduled in week # 2, 7, and 10, respectively.
After an introduction to basic principles of Secure Programming, students will learn common the techniques and tools that can be used to analyze statically and dynamically binary executables. Moreover, possible attacks based on memory corruption and code reuse are introduced together with the techniques that allow to mitigate their effects.
11 - Access Control
The goal of this lesson is to give students an insight into how access control system works, as well as common attacks. This lesson will cover both theoretical and practical aspects of access control, such as UNIX file permissions.

Students will learn how to design and configure an access control system, and how to attack a weakly configured one.
12 - Hardware Security
The section aims at introducing some basic concepts related to the role that Hardware plays in security. The lectures focus on both Hardware Vulnerabilities and Hardware Attacks, whereas the proposed challenges exploit reverse engineering to detect hardware trojans inserted into systems of increasing complexity.
Since a basic knowledge of hardware systems, their representations, design and programming are required, several Crash Courses are provided, aimed at covering the various aspects.

Condividi su