Unit CYBERSECURITY WITH LABORATORY

Course
Informatics
Study-unit Code
A002632
Curriculum
Cybersecurity
Teacher
Stefano Bistarelli
CFU
15
Course Regulation
Coorte 2022
Offered
2022/23
Type of study-unit
Obbligatorio (Required)
Type of learning activities
Integrated learning activity (Attività formativa integrata)

MOD. I - ADVANCED PRINCIPLES AND PRACTICES

Code A002637
CFU 9
Teacher Stefano Bistarelli
Teachers
  • Stefano Bistarelli
  • Francesco Santini (co-teaching)
Hours
  • 32 hours - Stefano Bistarelli
  • 31 hours (co-teaching) - Francesco Santini
Learning activities Core (Caratterizzante)
Area Computer science disciplines
Academic discipline INF/01
Type of study-unit Obbligatorio (Required)
Language of instruction English. If requested by the students, in Italian.
Contents 1 Introduction
2 ACM curriculum guidelines for IAS
3 History of Security
4 IAS/Foundational Concepts in Security
5 IAS/Principles of Secure Design
6 IAS/Defensive Programming
7 IAS/Threats and Attacks
8 IAS/Network Security
9 IAS/Cryptography
10 Laboratory activity
11 Capture the Flag competition (CTF)
-------------------
The course offers the student elements of advanced security, mainly concerning Defensive Programming, Identity Management, Security of OS and Containers (Docker), and Security of smart contracts in the Solidity language.
Reference texts Handouts given by the professor, and books suggested during the lessons
Computer Security by Dieter Gollmann
Introduction to Computer Security by Matt Bishop
Computer Security by William Stallings and Lawrie Brown
Principles of Information Security by Michael E. Whitman and Herbert J. Mattord
Security in Computing by Charles P. Pfleeger and Shari Lawrence Pfleeger
----------------------
Secure Coding in C and C++. Author: Robert Seacord. Series: SEI Series in Software Engineering. Publisher: Addison-Wesley Professional; 2nd edition (April 12, 2013). Paperback: 600 pages. Language: English. ISBN-10: 0321822137. ISBN-13: 978-0321822130.

Container Security: Fundamental Technology Concepts that Protect Containerized Applications. Publisher: O'Reilly Media; 1st edition (April 28, 2020). Paperback: 200 pages. ISBN-10: 1492056707. ISBN-13: 978-1492056706.

Mastering Ethereum: Building Smart Contracts and DApps. Authors: Andreas M. Antonopoulos, Gavin Wood Ph.D. Publisher: O'Reilly Media; 1st edition (December 23, 2018). Paperback: 424 pages. Language: English. ISBN-10: 1491971940. ISBN-13: 978-1491971949.

Solving Identity Management in Modern Applications: Demystifying OAuth 2.0, OpenID Connect, and SAML 2.0. Publisher: Apress; 1st edition (December 19, 2019). Paperback: 337 pages. ISBN-10: 148425094X. ISBN-13: 978-1484250945.
Educational objectives To understand the meaning of Information Security and of the Confidentiality, Integrity and Availability attributes.
Understand the problem of connecting secure systems over insecure networks.
Understand the basic notions of Information Security, Computer Security and Network Security.
Be able to recognize and handle attacks, and be able to build countermeasures against attacks on systems, networks and mobile devices.
Prerequisites Knowledge of the TCP/IP protocol (mandatory)
Knowledge of C programming and of procedure and function calls (important)
Knowledge of SQL (mandatory)
Having successfully passed the examinations in Programming, Networking, Operating Systems and Databases (important)
Teaching methods Face-to-face lectures and laboratory. Possibility of seminars by guest speakers.
Other information Attendance at lessons is strongly suggested.
Learning verification modality Oral interview lasting an average of 30 minutes on topics covering the whole program of the course. Possibility of specific projects or seminars.
At the request of the student, the examination can be done in Italian or English.
Extended program 1 Introduction
Introduction, prerequisites, textbook, exam procedure
2 ACM curriculum guidelines for IAS
From the ACM curriculum guidelines, with references to the contents and parts of the textbooks where the information can be found
3 History of Security
History of security
4 IAS/Foundational Concepts in Security
CIA (Confidentiality, Integrity, Availability):
REF. Gollmann ch. 3, Bishop ch. 1, Stallings ch. 1, Whitman ch. 1, Pfleeger ch. 1, Anderson ch. 1
slides
Concepts of risk, threats, vulnerabilities, and attack vectors:
REF. Gollmann ch. 2, Bishop ch. 1, 18 and 23, Stallings ch. 1 and 14, Whitman ch. 1 and 2 (and 4), Pfleeger ch. 1
CH01-CompSec3e notes ... ref. to security risk analysis, attack trees and indices, slides (Pamela) ..
Authentication and authorization, access control (mandatory vs. discretionary):
REF. Gollmann ch. 4 and 5, Bishop ch. 4 (and 5-8) and 12, Stallings ch. 3 and 4, Whitman ch. 6 (first part)
Policies:
Bishop chapter 4
reference slides
Bell-LaPadula:
Bishop chapter 5
reference slides, cascade problem (article, slides), secure reconfiguration (article, slides)
Biba and Clark-Wilson:
Bishop chapter 6,
reference slides, some additional reference slides, other additional reference slides, article on separation of duties, etc. (article, slides)
Chinese Wall Model, ORCON, RBAC:
Bishop chapter 7,
reference slides
Cryptography, digital signatures, PKI and certificates, authentication protocols (Needham-Schroeder, Woo-Lam):
Bishop chapters 8, 9, 10,
reference slides, notes on Diffie-Hellman
Authentication methods, Kerberos:
Bishop chapters 9, 11,
reference slides
Concept of trust and trustworthiness:
REF. Gollmann ch. 13, Bishop ch. 18 and 19, Stallings ch. 13, Pfleeger ch. 5
Ethics (responsible disclosure):
REF. Stallings ch. 19, Whitman ch. 3 (last part), Pfleeger ch. 9 (last part)
5 IAS/Principles of Secure Design
(REF. Bishop ch. 13)
Least privilege and isolation, Fail-safe defaults, Open design, End-to-end security, Defense in depth (e.g., defensive programming, layered defense), Security by design, Tensions between security and other design goals, Complete mediation, Use of vetted security components, Economy of mechanism (reducing the trusted computing base, minimizing the attack surface), Usable security, Security composability, Prevention, detection, and deterrence
6 IAS/Defensive Programming
Input validation and data sanitization, Choice of programming language and type-safe languages, Examples of input validation and data sanitization errors
Buffer overflows, reference documentation
Integer errors
SQL Injection, reference documentation
XSS vulnerability, reference documentation
Race conditions
Correct handling of exceptions and unexpected behaviors
Correct usage of third-party components
Effectively deploying security updates
7 IAS/Threats and Attacks
Attacker goals, capabilities, and motivations
Examples of malware (e.g., viruses, worms, spyware, botnets, Trojan horses or rootkits)
Denial of Service (DoS) and Distributed Denial of Service (DDoS)
Social engineering (e.g., phishing)
REF: Whitman ch. 2, Gollmann ch. 10, Bishop ch. 22, 26, Stallings ch. 6, 7, 10, 11, Pfleeger ch. 3
8 IAS/Network Security
REF: Whitman ch. 2, Gollmann ch. 17, Bishop ch. 29, Stallings ch. 8, 9, Pfleeger ch. 7
Network specific threats and attack types (e.g., denial of service, spoofing, sniffing and traffic redirection, man-in-the-middle, message integrity attacks, routing attacks, and traffic analysis)
Use of cryptography for data and network security
Architectures for secure networks (e.g., secure channels, secure routing protocols, secure DNS (reference documentation), VPNs, anonymous communication protocols, isolation)
Defense mechanisms and countermeasures (e.g., network monitoring, intrusion detection, firewalls (slides and material), spoofing and DoS protection, honeypots, tracebacks)
9 IAS/Cryptography
Basic cryptography terminology covering notions pertaining to the different (communication) partners, secure/insecure channels, attackers and their capabilities, encryption, decryption, keys and their characteristics, and signatures. Cipher types (e.g., Caesar cipher, affine cipher) together with typical attack methods such as frequency analysis. Public Key Infrastructure support for digital signature and encryption, and its challenges.
Laboratory part
Capture the Flag (CTF) competition
-----------------------
Defensive programming taxonomy
Stack overflows
Heap overflows
Shellcode
Input validation and data sanitisation
Mitigation
Operating system support (e.g., address space randomisation, canaries)
Integer errors
Concurrency and race conditions
Static and dynamic analysis
Program Verification
Fuzz Testing
Identity management
OAuth2.0
OpenID Connect
SAML
File rights management in Linux
Cgroup, Namespace, Chroot
Container security
Introduction to Ethereum
Smart Contract Security in Solidity

MOD. II -LABORATORY

Code A002638
CFU 6
Teacher Stefano Bistarelli
Teachers
  • Stefano Bistarelli
  • Francesco Santini (co-teaching)
Hours
  • 36 hours - Stefano Bistarelli
  • 36 hours (co-teaching) - Francesco Santini
Learning activities Core (Caratterizzante)
Area Computer science disciplines
Academic discipline INF/01
Type of study-unit Obbligatorio (Required)
Language of instruction English
Contents The course has a strong laboratory focus. Students will face and solve various types of CTFs and test attack and mitigation techniques in the laboratory.
Reference texts Handouts. Links and additional material for each topic.
Educational objectives The course has a strong laboratory focus. Security concepts will be tested through Capture the Flag (CTF) exercises.
Prerequisites Notions of Programming, Operating Systems and Networks. All the topics in the program of Cybersecurity: ADVANCED PRINCIPLES AND PRACTICES (passing that exam is also required).
Teaching methods Lectures with slides in English. Lab training.
Other information Attendance at lectures is strongly suggested.

For the exam schedule, see:
www.informatica.unipg.it
Learning verification modality Evaluation carried out by monitoring the CTFs performed during the laboratory activities. Oral examination.

For information on support services for students with disabilities and/or DSA (specific learning disorders), visit the page http://www.unipg.it/disabilita-e-dsa
Extended program Different kinds of CTFs: reversing, pwn, web, crypto, forensics.