Subject: SVILUPPO DI SOFTWARE SICURO (A.A. 2022/2023)
Unit Sviluppo di software sicuro
Information Technology (lesson)
This course is an introduction to secure software development. At the end of the course the student will be able to:
- develop an awareness of the security risks present in application source code;
- evaluate the security level of an existing source code base;
- harden an existing source code base;
- design an application from scratch with security, safety and privacy by default.
* Operating systems: knowledge of the inner workings of a modern operating system
* Command line interface: BASH shell, UNIX base system commands
* Languages: C, plus one of Java, Python, Ruby or Perl
* Software Development: basic library functions (I/O, memory management, process management), UNIX software development and debugging tools
The course is taught in the first semester of the second year and lasts 63 hours, split between theory (the main concepts are introduced and illustrated) and practice (exercises are introduced and solved). Practical sessions are not formally separated from theory; the two complement each other.
The proposed hour split is purely indicative; it can change based on student participation and feedback.
Introduction (6 hours).
Introduction to the course. Historical perspective.
Definitions (2 hours).
Asset. Threat. STRIDE classification. Users classification. Defect. Bug. Weakness. Vulnerability. Exploit. Attack vector. Attack surface. Security policy. Security mechanisms. Prevention, detection, reaction. Confidentiality, integrity, availability.
Software vulnerability (12 hours).
Vulnerability life cycle. 0-day vulnerabilities. CVE. CVSS. CWE. CWSS. CPE. OVAL. ATT&CK.
Execution with elevated privileges (12 hours).
Manual and automatic elevation. SETUID and SETGID bits. Historic evolution of privilege management in UNIX operating systems. Capabilities. Source code audit of the ping command.
Local injection (8 hours).
Attack tree. Nebula virtual machine. Path injection. Command injection. Library injection.
Remote injection (16 hours).
Remote command injection. Damn Vulnerable Web Application virtual machine. Basic SQL injection. Fuzzing. Cross Site Scripting. Cross Site Request Forgery.
Memory corruption (14 hours).
Protostar virtual machine. Stack based buffer overflow. Buffer overflow with a shellcode. Buffer overflow based on ret2libc.
Web attacks (7 hours).
Web for Pentester virtual machine. SQL injection. File inclusion. Directory Traversal. File upload. Enumeration of the target system. Defense bypass. Hardening.
Teaching activities are usually performed through class lectures, using presentations in electronic format that introduce and discuss the main topics. At the end of every topic described in the "Course contents" section, the teacher proposes a set of guided exercises that allow students to assess their knowledge. Questions and comments are always welcome and encouraged. To encourage in-depth analysis, every week the teacher provides optional, more complex exercises that require individual research. Attendance is strongly recommended, although not compulsory. The course is taught in Italian. Course-related information (syllabus, teaching material, class schedule, announcements) is provided on the course Web site, which is reachable through a Web link on the Dolly platform. Students are strongly encouraged to consult the Web site frequently. (*) Due to the ongoing COVID19 pandemic, this year teaching activities could be performed online on the Google Meet platform, by means of live sessions that will be recorded and made available to students.
Assessment is performed through a 30-minute exam aimed at evaluating, on one hand, the practical and theoretical aspects covered in the course and, on the other hand, the student's aptitude for problem solving. Each student is asked three questions in sequence. The first question acts as a pass/fail barrier: if it is failed, the student fails the exam immediately. For each question a student obtains at most 10 points; each mistake costs one point. The final grade is the sum of the scores obtained on the three questions plus any bonus points earned during class or by solving the optional weekly exercises. Depending on the evolution of the COVID19 pandemic, the exams might be performed online through the Google Meet platform. The final grade is communicated to the student right after the exam.
1) Knowledge and understanding.
- Comprehend the historical evolution of cyber attacks.
- Comprehend the main threats at the design and implementation level.
- Comprehend the classic attacks and their mitigations.
2) Applied knowledge and understanding.
- Enumerate the attack surface of an information system.
- Identify, exploit and mitigate classic vulnerabilities in an information system.
- Identify and mitigate weaknesses in source code.
3) Making judgements.
- Express critical judgement on the security of an existing application.
- Evaluate the risk of introducing a vulnerability in their own code base.
4) Communicating skills.
- Discuss their own findings (obtained through work on the optional exercises) in the appropriate jargon.
- Express (in the final exam) the concepts learned in class in appropriate language and sustain a technical discussion on the related topics.
5) Learning skills.
- Develop independent learning abilities through the study of the literature, discussions with the teacher and targeted exercises.
* Presentations in electronic format, published by the teacher during the course.