Security 2015/2016

This page contains the theoretical and practical contents of the security course. For last year's contents, please check Prof. André Zúquete's web page. The contents of this page will be mostly replicated from the last edition, but some changes may be made.

  1. General Information
  2. Planning
  3. Grading
  4. Theoretical Classes
  5. Practical Classes
  6. Documentation
  7. Useful Software
  8. Useful Links

General Information

This subject belongs to the 4th year of the MIECT degree, following the description presented on the official webpage.

This year's edition will be managed by professor João Paulo Barraca (email: jpbarraca@ua.pt). He will be permanently available by email, as well as during the allocated tutoring slots.

Classes will be presented in Portuguese, unless a foreign student is attending, in which case English will be used. All content is developed in English.

Students should be aware that this subject requires a reasonable knowledge and comprehension of several networking, software and operating-system topics, such as: the C and Java languages, Linux administration and console usage, virtual machines, x86 assembly, sockets, HTTP and HTML, asynchronous applications, and hardware architectures.


Planning

According to the UA calendar, classes start on September 14th and end on December 18th. The subject is composed of a 2h theoretical class and a 2h practical class, making a total of 4 hours of lectures per week. Students are expected to spend an additional 2 hours per week exploring the concepts presented during the lectures. Theoretical classes will present key concepts related to the security of modern systems. The practical classes will focus on the exploration of these concepts, or on the exploration and analysis of popular security attacks.

On Wednesdays at 11h, one of the professors will be available to assist students with the topics presented and to discuss the elaboration of the practical exercises and projects.

| # | Date | Theoretical class | Practical class |
|---|------|-------------------|-----------------|
| 1 | Sep 15-16 | Introduction | ARP Poisoning (Python, Linux, Networking) |
| 2 | Sep 22-23 | Security of networked systems | Cross Site Scripting (HTML, HTTP, JS) |
| 3 | Sep 29-30 | Cryptography | Buffer Overflows (C, GDB) |
| 4 | Oct 6-7 | Cryptography | Symmetric Ciphers (Java or Python) |
| 5 | Oct 13-14 | Cryptography | Asymmetric Ciphers (Java or Python) |
| 6 | Oct 20-21 | Management of Asymmetric Keys | Presentation of first project |
| 7 | Oct 27-28 | Management of Asymmetric Keys | SmartCards (PTEID, Java or Python) |
| 8 | Nov 3-4 | Authentication | Digital Signatures (Java or Python) |
| 9 | Nov 10-11 | Authentication | Delivery of first project |
| 10 | Nov 17-18 | Access Control Models | Pluggable Authentication Modules (Linux, Bash, C) |
| 11 | Nov 24-25 | Security in Operating Systems | Web Authentication (PTEID, Linux, Bash, PHP) |
| 12 | Dec 1-2 | Secure File Storage | OS level Confinement (Linux, C or Python) |
| 13 | Dec 8-9 | - | Secure File Systems (Linux, C or Python) |
| 14 | Dec 16 | - | SQL Injection (PHP, HTML, SQL) |
| | Dec 18 | | Delivery of second project |

Important Dates

  • Presentation of First Project: October 20th-21st, during the practical class.
  • Delivery of the First Project: November 10th-11th, during the practical class.
  • Final delivery of the Second Project: December 29th, 23:59, through the Code.UA platform.
  • Intermediate Test: November 11th
  • Final Exam and Final Test: January 18th, 10AM


Grading

Grades will be posted on this page. All partial grades presented will be rounded to the hundredths (X.XX).

Attendance Rules

Students can choose to attend the theoretical classes, and it is highly recommended that they do so every week. Attendance at practical classes is mandatory, as students' faults (absences) will be recorded.

According to the current regulation, students must be present at 80% of the practical classes. For this edition, that allows 2 unjustified faults. A student who exceeds the number of faults allowed will automatically fail the subject and will not be admitted to any other evaluation event during the current school year.

Grading rules

Grading is composed of two components, each contributing 10 points (50%) to the final grade.

  1. Theoretical Component:
    • Option 1: 1 intermediate test and 1 final test, each worth half of this component's points.
    • Delivering the intermediate test implies following Option 1 (i.e. students cannot do the final exam).
    • Option 2: 1 final exam covering all topics, worth 20 points (in 20).
    • Final Theoretical Grade: (IT + FT) or (FE)
    • Minimal grade of this component: 8.50 in 20
      • i.e. $$ it + ft \geq 8.50 \text{ or } fe \geq 8.50 $$
  2. Practical Component:
    • Development of two projects by groups of 2 students. Exceptionally, 3 may be allowed.
      • Groups with additional members will be penalized by 1 point per extra member (per project).
      • Groups with one member will have a bonus of 1 point (per project).
    • Each project contributes 10 points (50%) to this component.
    • Minimal grade of this component: 8.50 in 20
      • i.e. $$ proj_1 + proj_2 \geq 8.50 $$

The final grade is the sum of the two components.

That is:

$$ final = \begin{cases} \frac{t + p}{2} & \text{if } t \in [8.50, 20] \text{ and } p \in [8.50, 20] \\ \text{fail due to minimum grade} & \text{if } t \in [0, 8.50[ \text{ or } p \in [0, 8.50[ \\ \text{fail due to excessive absence} & \text{if } faults > 2 \end{cases} $$

where

$$ t = \begin{cases} \frac{it + ft}{2} & \text{if } it \text{ delivered} \\ fe & \text{if } it \text{ not delivered} \end{cases} $$

and

$$ p = \frac{proj_1 + proj_2}{2} $$

with

$$ p, t, proj_1, proj_2, it, ft \in [0, 20] $$

Students are considered to pass the subject if their final grade is at least 9.50 (in 20).


Theoretical classes

  1. Introduction: Slides
  2. Security of networked systems: Slides
  3. Cryptography: Slides
  4. Management of Asymmetric Keys: Slides
  5. Authentication Protocols: Slides, Slides CC
  6. Access Control Models: Slides
  7. Security in Operating Systems: Slides
  8. Secure File Systems: Slides


Practical classes

Project: Identity Enabled Distribution Control System

  • Project description: v1.0, previous versions: none

Topics

  1. ARP Spoofing: slides, guide, resources
  2. Cross Site Scripting (XSS): slides, guide, examples, URL Encoder/Decoder
  3. Buffer Overflow: slides, guide, examples, resources
  4. Symmetric Ciphers: guide, resources
  5. Asymmetric Ciphers: guide
  6. SmartCards: slides, guide, resources
  7. Pluggable Authentication Modules: slides, guide
  8. Web Authentication: guide, PTEID_CA.zip, Makefile
  9. Confinement: guide
  10. Secure File Systems: guide
  11. SQL Injections: slides, guide


Exams

Exams from previous years are available here.


Useful Software

A Linux image prepared for running these guides is available. Download it here, uncompress the file and use it as the hard disk of your virtual machine. To uncompress the image, use a tool such as 7-Zip, or lzma directly:

{% codeblock %}
lzma -d security.vdi.lzma
{% endcodeblock %}

The image was created in VirtualBox using a 32-bit Debian guest template. 512MB of RAM should be more than enough for command-line tools and LXDE. When creating the VM you should enable PAE/NX.

This image already contains: Apache, MySQL, PHP, phpMyAdmin, GCC, GDB, WebScarab, Java, netcat, python-scapy, CherryPy, and the software for accessing the Portuguese Citizen Card.

The login is root or security; the password is always security. For MySQL you can use root as both login and password.

To speed up disk access, enable the option Use Host I/O Cache in the SATA controller settings of the virtual machine.
