Barbara MASUCCI | Secure Programming
cod. 0522500065
Field | Value
---|---
Course | Secure Programming
Code | 0522500065
Department | Dipartimento di Informatica
EQF level | EQF7
Degree programme | Computer Science
Academic year | 2018/2019
Year of course | 2
Year of didactic system | 2016
Semester | Second semester
SSD | CFU | Hours | Activity
---|---|---|---
INF/01 | 6 | 48 | Lessons
Objectives |
---|
Knowledge and understanding: the aim of this class is to introduce the principles and practices of secure programming. Applying knowledge and understanding: the main goals of this class are (1) understanding the risks of insecure software applications; (2) evaluating the level of security of an existing software application; (3) building security, safety, and privacy into a software application by design. |
Prerequisites |
---|
Basic knowledge of and familiarity with computer networks, operating systems and programming languages. |
Contents |
---|
Introduction to secure programming; historical notes and terminology; software vulnerabilities and weaknesses; privilege drop and restore in Unix and Linux systems; techniques for local code injection using environment variables and shared libraries; techniques for remote code injection: SQL injection, cross-site scripting, cross-site request forgery; techniques for memory corruption: arbitrary code execution by means of stack-based buffer overflows. |
Teaching Methods |
---|
The class offers theoretical lectures that transfer the knowledge needed to understand the topics addressed. In addition, there are practical lectures based on the use of several virtual machines for solving "capture the flag" challenges related to all the topics addressed in the course. |
Verification of learning |
---|
To show that the objectives of the class have been achieved, students must pass an oral examination consisting of a set of questions and discussions on the theoretical and practical topics studied in the course. The goal of the examination is to assess the level of knowledge and understanding acquired by the student. More precisely, the exam consists of three questions, each worth at most 10 points. If all questions are answered positively, the instructor may propose a further question in order to increase the student's score. This further question is more complex than the previous ones and, if answered positively, can result in a score of 30 cum laude; if it is not answered positively, the final score is decreased on the basis of the mistakes made by the student. The necessary conditions for a pass grade are: 1) demonstrating knowledge of the best practices in the design and analysis of secure software; 2) showing the ability to analyse and solve the security problems that can arise in the design and development of complex software applications; 3) understanding the risks of insecure software applications. The candidate achieves an outstanding grade if he/she is able to provide solutions to complex problems, especially ones not explicitly covered during the class. The evaluation is based on the skills acquired in the contents and methodological tools presented during the course, also taking into account the quality of the oral exposition and the independent judgement shown. |
Texts |
---|
Michael Howard, David LeBlanc. Writing Secure Code: Practical Strategies and Proven Techniques for Building Secure Applications in a Networked World. Microsoft Press, 2002. ISBN 0735617228. |
Michael Howard, David LeBlanc, John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill, 2009. ISBN 0071626751. |
More Information |
---|
Slides and exercises provided by the instructor. |
BETA VERSION. Data source: ESSE3 [Last synchronization: 2019-10-21]