Barbara MASUCCI | SECURE PROGRAMMING

cod. 0522500065

SECURE PROGRAMMING

	0522500065
	DIPARTIMENTO DI INFORMATICA
	EQF7
	COMPUTER SCIENCE
	2020/2021

CURRICULUM CYBERSECURITY

	YEAR OF COURSE 2
	YEAR OF DIDACTIC SYSTEM 2016
	SECONDO SEMESTRE

TEACHING UNITS

	SSD	CFU	HOURS	ACTIVITY	TYPE OF ACTIVITY
	INF/01	6	48	LESSONS	SUPPLEMENTARY COMPULSORY SUBJECTS

	Objectives
	THE COURSE INTRODUCES THE FUNDAMENTAL CONCEPTS OF SECURE PROGRAMMING AND DELVES INTO THE METHODOLOGIES AND TECHNIQUES WHICH ARE REQUIRED TO EVALUATE SOFTWARE SECURITY. THE COURSE AIMS TO PROVIDE STUDENTS WITH A NUMBER OF GUIDELINES FOR WRITING SECURE SOFTWARE. SUCH GUIDELINES ARE DEVELOPED AS A SET OF LESSONS LEARNED FROM CASE STUDIES REGARDING DIFFERENT PROGRAMMING AND SCRIPT LANGUAGES, SUCH AS C, PERL, PHP AND PYTHON, AND DIFFERENT OPERATING SYSTEMS, WITH A MAIN EMPHASIS ON UNIX-LIKE OPERATING SYSTEMS. MORE PRECISELY, DURING THE COURSE STUDENTS WILL HAVE THE CHANCE TO DEEPLY STUDY SOME KINDS OF VULNERABILITIES, IN ORDER TO ANSWER QUESTIONS LIKE: “UNDER WHICH ASSUMPTION SUCH VULNERABILITIES HOLD?”, “WHICH ARE THE CONSEQUENCES OF SUCH VULNERABILITIES?” AND “HOW TO MITIGATE SUCH VULNERABILITIES?” THE INVESTIGATION WILL HAVE A STRONG PRACTICAL CONNOTATION: STUDENTS WILL BE PROVIDED WITH DIFFERENT VIRTUAL MACHINES IN ORDER TO CARRY OUT THEIR EXPERIMENTS INDIVIDUALLY AND IN FULL AUTONOMY. VIRTUAL MACHINES USED DURING THE COURSE WILL PROVIDE THE STUDENTS WITH A VARIETY OF CTF CHALLENGES COVERING DIFFERENT TOPICS, SUCH AS LOCAL CODE INJECTION, REMOTE CODE INJECTION, AND MEMORY CORRUPTION. CTF STANDS FOR “CAPTURE THE FLAG”: IT’S A HACKING COMPETITION WHERE THE CHALLENGES ARE SET UP FOR STUDENTS TO HACK. ONCE THE STUDENTS SUCCESSFULLY SOLVE A CHALLENGE, THEY GET A “FLAG”. KNOWLEDGE AND UNDERSTANDING •MAIN CONCEPTS AND MAIN PECULIARITIES UNDERLYING SECURE PROGRAMMING •MAIN KIND OF EXISTING VULNERABILITIES BEHIND SECURITY INCIDENTS WHICH HAVE HAPPENED IN THE LAST YEARS •DIFFERENT TECHNIQUES FOR PRIVILEGES MANAGEMENT IN UNIX-LIKE OPERATING SYSTEMS •DIFFERENT KIND OF TECHNIQUES FOR LOCAL CODE INJECTION •DIFFERENT KIND OF TECHNIQUES FOR REMOTE CODE INJECTION •DIFFERENT KIND OF TECHNIQUES FOR MEMORY CORRUPTION APPLYING KNOWLEDGE AND UNDERSTANDING •IDENTIFY, EVALUATE AND EXPLAIN THE SECURITY THREATS PRESENT IN A PROGRAM, IN ORDER TO PREVENT HACKERS FROM EXPLOITING THEM •TAKE A LOOK AT THE ARCHIVES OF PUBLICLY KNOWN INFORMATION SECURITY WEAKNESSES AND VULNERABILITIES •SOLVE CTF CHALLENGES BY USING THE DIFFERENT TECHNIQUES LEARNED IN THE COURSE (LOCAL CODE INJECTION, REMOTE CODE INJECTION, MEMORY CORRUPTION) •PROPOSE MITIGATIONS TO FIX SECURITY THREATS FOUND IN THE ANALYZED CTF CHALLENGES.

THE COURSE INTRODUCES THE FUNDAMENTAL CONCEPTS OF SECURE PROGRAMMING AND DELVES INTO THE METHODOLOGIES AND TECHNIQUES WHICH ARE REQUIRED TO EVALUATE SOFTWARE SECURITY.
THE COURSE AIMS TO PROVIDE STUDENTS WITH A NUMBER OF GUIDELINES FOR WRITING SECURE SOFTWARE. SUCH GUIDELINES ARE DEVELOPED AS A SET OF LESSONS LEARNED FROM CASE STUDIES REGARDING DIFFERENT PROGRAMMING AND SCRIPT LANGUAGES, SUCH AS C, PERL, PHP AND PYTHON, AND DIFFERENT OPERATING SYSTEMS, WITH A MAIN EMPHASIS ON UNIX-LIKE OPERATING SYSTEMS.
MORE PRECISELY, DURING THE COURSE STUDENTS WILL HAVE THE CHANCE TO DEEPLY STUDY SOME KINDS OF VULNERABILITIES, IN ORDER TO ANSWER QUESTIONS LIKE: “UNDER WHICH ASSUMPTION SUCH VULNERABILITIES HOLD?”, “WHICH ARE THE CONSEQUENCES OF SUCH VULNERABILITIES?” AND “HOW TO MITIGATE SUCH VULNERABILITIES?” THE INVESTIGATION WILL HAVE A STRONG PRACTICAL CONNOTATION: STUDENTS WILL BE PROVIDED WITH DIFFERENT VIRTUAL MACHINES IN ORDER TO CARRY OUT THEIR EXPERIMENTS INDIVIDUALLY AND IN FULL AUTONOMY. VIRTUAL MACHINES USED DURING THE COURSE WILL PROVIDE THE STUDENTS WITH A VARIETY OF CTF CHALLENGES COVERING DIFFERENT TOPICS, SUCH AS LOCAL CODE INJECTION, REMOTE CODE INJECTION, AND MEMORY CORRUPTION.
CTF STANDS FOR “CAPTURE THE FLAG”: IT’S A HACKING COMPETITION WHERE THE CHALLENGES ARE SET UP FOR STUDENTS TO HACK. ONCE THE STUDENTS SUCCESSFULLY SOLVE A CHALLENGE, THEY GET A “FLAG”.

KNOWLEDGE AND UNDERSTANDING
•MAIN CONCEPTS AND MAIN PECULIARITIES UNDERLYING SECURE PROGRAMMING
•MAIN KIND OF EXISTING VULNERABILITIES BEHIND SECURITY INCIDENTS WHICH HAVE HAPPENED IN THE LAST YEARS
•DIFFERENT TECHNIQUES FOR PRIVILEGES MANAGEMENT IN UNIX-LIKE OPERATING SYSTEMS
•DIFFERENT KIND OF TECHNIQUES FOR LOCAL CODE INJECTION
•DIFFERENT KIND OF TECHNIQUES FOR REMOTE CODE INJECTION
•DIFFERENT KIND OF TECHNIQUES FOR MEMORY CORRUPTION

APPLYING KNOWLEDGE AND UNDERSTANDING
•IDENTIFY, EVALUATE AND EXPLAIN THE SECURITY THREATS PRESENT IN A PROGRAM, IN ORDER TO PREVENT HACKERS FROM EXPLOITING THEM
•TAKE A LOOK AT THE ARCHIVES OF PUBLICLY KNOWN INFORMATION SECURITY WEAKNESSES AND VULNERABILITIES
•SOLVE CTF CHALLENGES BY USING THE DIFFERENT TECHNIQUES LEARNED IN THE COURSE (LOCAL CODE INJECTION, REMOTE CODE INJECTION, MEMORY CORRUPTION)
•PROPOSE MITIGATIONS TO FIX SECURITY THREATS FOUND IN THE ANALYZED CTF CHALLENGES.

	Prerequisites
	FOR THE ACHIEVEMENT OF THE SET OBJECTIVES, KNOWLEDGE OF COMPUTER NETWORKS, OPERATING SYSTEMS AND OF MAIN PROGRAMMING LANGUAGES IS REQUIRED.

	Contents
	THE COURSE FOCUSES ON THE METHODOLOGICAL AND TECHNOLOGICAL ASPECTS NECESSARY TO EVALUATE SOFTWARE SECURITY. IN DETAIL, THE COURSE MAINLY ADDRESSES THE FOLLOWING TOPICS: -INTRODUCTION TO SECURE PROGRAMMING [2H LESSONS] -HISTORICAL NOTES AND TERMINOLOGY [4H LESSONS] -SOFWARE VULNERABILIYIES AND WEAKNESSES [6H LESSONS] -PRIVILEGES DROP AND RESTORE IN UNIX AND LINUX SYSTEMS [6H LESSONS] -TECHNIQUES FOR LOCAL CODE INJECTION BY USING ENVIRONMENT VARIABLES AND SHARED LIBRARIES [10H LESSONS] -TECHNIQUES FOR REMOTE CODE INJECTION: SQL INJECTION, CROSS-SITE SCRIPTING, CROSS-SITE REQUEST FORGERY [10H LESSONS] -TECHNIQUES FOR MEMORY CORRUPTION: FLOW EXECUTION MODIFICATION AND ARBITRARY CODE EXECUTION BY MEANS OF STACK-BASED BUFFER OVERFLOWS [10H LESSONS]

Contents

THE COURSE FOCUSES ON THE METHODOLOGICAL AND TECHNOLOGICAL ASPECTS NECESSARY TO EVALUATE SOFTWARE SECURITY. IN DETAIL, THE COURSE MAINLY ADDRESSES THE FOLLOWING TOPICS:
-INTRODUCTION TO SECURE PROGRAMMING [2H LESSONS]
-HISTORICAL NOTES AND TERMINOLOGY [4H LESSONS]
-SOFWARE VULNERABILIYIES AND WEAKNESSES [6H LESSONS]
-PRIVILEGES DROP AND RESTORE IN UNIX AND LINUX SYSTEMS [6H LESSONS]
-TECHNIQUES FOR LOCAL CODE INJECTION BY USING ENVIRONMENT VARIABLES AND SHARED LIBRARIES [10H LESSONS]
-TECHNIQUES FOR REMOTE CODE INJECTION: SQL INJECTION, CROSS-SITE SCRIPTING, CROSS-SITE REQUEST FORGERY [10H LESSONS]
-TECHNIQUES FOR MEMORY CORRUPTION: FLOW EXECUTION MODIFICATION AND ARBITRARY CODE EXECUTION BY MEANS OF STACK-BASED BUFFER OVERFLOWS [10H LESSONS]

	Teaching Methods
	THE TEACHING ACTIVITY, AIMED AT PROVIDING BOTH METHODOLOGICAL AND TECHNOLOGICAL KNOWLEDGE TO EVALUATE PROGRAM SECURITY, IS CHARACTERIZED BY 6 CFU DISTRIBUTED IN 48 HOURS OF FRONTAL LESSONS. MORE PRECISELY, THE CLASS OFFERS THEORETICAL LECTURES IN ORDER TO TRANSFER THE NECESSARY KNOWLEDGE NEEDED TO UNDERSTAND THE TOPICS ADDRESSED. MOREOVER, THERE WILL BE SOME PRACTICAL LECTURES BASED ON THE USE OF DIFFERENT VIRTUAL MACHINES FOR THE SOLUTION OF "CAPTURE THE FLAG" CHALLENGES RELATED TO ALL TOPICS ADDRESSED IN THE COURSE. STUDENTS ARE GUIDED TO LEARN CRITICALLY AND RESPONSIBLY ALL THAT IS EXPLAINED TO THEM IN THE CLASSROOM AND TO ENRICH THEIR JUDGMENT SKILLS THROUGH THE STUDY OF THE TEACHING MATERIAL INDICATED BY THE TEACHER. THE TEACHING MATERIAL CAN BE ACCESSED THROUGH THE COURSE WEBSITE. ATTENDANCE IS STRONGLY RECOMMENDED. STUDENTS MUST SPEND A FAIR AMOUNT OF TIME FOR INDIVIDUAL STUDY. ADEQUATE PREPARATION REQUIRES, ON AVERAGE, TWO HOURS OF STUDY FOR EACH HOUR OF CLASS. FURTHERMORE, IT IS ESSENTIAL TO SPEND A FAIR AMOUNT OF TIME IN PRACTICAL EXERCISES TO BE CARRIED OUT INDIVIDUALLY AND IN FULL AUTONOMY.

Teaching Methods

THE TEACHING ACTIVITY, AIMED AT PROVIDING BOTH METHODOLOGICAL AND TECHNOLOGICAL KNOWLEDGE TO EVALUATE PROGRAM SECURITY, IS CHARACTERIZED BY 6 CFU DISTRIBUTED IN 48 HOURS OF FRONTAL LESSONS. MORE PRECISELY, THE CLASS OFFERS THEORETICAL LECTURES IN ORDER TO TRANSFER THE NECESSARY KNOWLEDGE NEEDED TO UNDERSTAND THE TOPICS ADDRESSED.
MOREOVER, THERE WILL BE SOME PRACTICAL LECTURES BASED ON THE USE OF DIFFERENT VIRTUAL MACHINES FOR THE SOLUTION OF "CAPTURE THE FLAG" CHALLENGES RELATED TO ALL TOPICS ADDRESSED IN THE COURSE.

STUDENTS ARE GUIDED TO LEARN CRITICALLY AND RESPONSIBLY ALL THAT IS EXPLAINED TO THEM IN THE CLASSROOM AND TO ENRICH THEIR JUDGMENT SKILLS THROUGH THE STUDY OF THE TEACHING MATERIAL INDICATED BY THE TEACHER. THE TEACHING MATERIAL CAN BE ACCESSED THROUGH THE COURSE WEBSITE.

ATTENDANCE IS STRONGLY RECOMMENDED. STUDENTS MUST SPEND A FAIR AMOUNT OF TIME FOR INDIVIDUAL STUDY. ADEQUATE PREPARATION REQUIRES, ON AVERAGE, TWO HOURS OF STUDY FOR EACH HOUR OF CLASS. FURTHERMORE, IT IS ESSENTIAL TO SPEND A FAIR AMOUNT OF TIME IN PRACTICAL EXERCISES TO BE CARRIED OUT INDIVIDUALLY AND IN FULL AUTONOMY.

	Verification of learning
	THE ACHIEVEMENT OF THE TEACHING OBJECTIVES IS CERTIFIED BY PASSING AN EXAM WITH AN ASSESSMENT OUT OF THIRTY. THE EXAM INVOLVES THE REALIZATION OF INDIVIDUAL OR GROUP PROJECT ACTIVITY, PREVIOUSLY AGREED WITH THE INSTRUCTOR, AND AN ORAL TEST. THE PROJECT ACTIVITY COULD CONSIST EITHER IN THE ANALYSIS OF A CTF CHALLENGE NOT COVERED IN CLASS, OR IN A DEEPLY STUDY OF SPECIFIC VULNERABILITIES. THE ORAL TEST CONSISTS OF AN INTERVIEW WITH QUESTIONS AND WILL FOCUS ON THE DISCUSSION OF THE SALIENT ASPECTS RELATING TO THE PROJECT CARRIED OUT AND THE THEORETICAL AND METHODOLOGICAL CONTENTS INDICATED IN THE TEACHING PROGRAM. THE ORAL TEST IS AIMED AT ASCERTAINING THE LEVEL OF KNOWLEDGE AND MATURITY REACHED BY THE STUDENT ON THE METHODOLOGICAL, TECHNICAL, AND INSTRUMENTAL CONTENTS OF THE COURSE PROGRAM AND THEIR APPLICATION TO THE PROJECT ACTIVITY CARRIED OUT. THE FINAL EVALUATION IS BASED ON THE FOLLOWING ELEMENTS: - ABILITY TO PROPERLY MOTIVATE AND ARGUE THE CHOICES MADE TO CARRY OUT THE PROJECT ACTIVITY - ABILITY TO DISCUSS, THROUGH APPROPRIATE TERMINOLOGY, THE PROJECT ACTIVITY CARRIED OUT AND THE THEORETICAL AND METHODOLOGICAL CONTENTS INDICATED IN THE TEACHING PROGRAM THE CANDIDATE ACHIEVES AN OUTSTANDING GRADE IF HE/SHE IS ABLE TO PROVIDE SOLUTIONS TO COMPLEX PROBLEMS, ESPECIALLY IF NOT EXPLICITLY COVERED DURING THE CLASS. THE EVALUATION IS BASED ON THE SKILLS ACQUIRED ON THE CONTENTS AND METHODOLOGICAL TOOLS PRESENTED DURING THE COURSE, ALSO TAKING INTO ACCOUNT THE QUALITY OF THE ORAL EXPOSURE, AS WELL AS THE SHOWN AUTONOMOUS ASSESSMENTS.

Verification of learning

THE ACHIEVEMENT OF THE TEACHING OBJECTIVES IS CERTIFIED BY PASSING AN EXAM WITH AN ASSESSMENT OUT OF THIRTY. THE EXAM INVOLVES THE REALIZATION OF INDIVIDUAL OR GROUP PROJECT ACTIVITY, PREVIOUSLY AGREED WITH THE INSTRUCTOR, AND AN ORAL TEST. THE PROJECT ACTIVITY COULD CONSIST EITHER IN THE ANALYSIS OF A CTF CHALLENGE NOT COVERED IN CLASS, OR IN A DEEPLY STUDY OF SPECIFIC VULNERABILITIES. THE ORAL TEST CONSISTS OF AN INTERVIEW WITH QUESTIONS AND WILL FOCUS ON THE DISCUSSION OF THE SALIENT ASPECTS RELATING TO THE PROJECT CARRIED OUT AND THE THEORETICAL AND METHODOLOGICAL CONTENTS INDICATED IN THE TEACHING PROGRAM. THE ORAL TEST IS AIMED AT ASCERTAINING THE LEVEL OF KNOWLEDGE AND MATURITY REACHED BY THE STUDENT ON THE METHODOLOGICAL, TECHNICAL, AND INSTRUMENTAL CONTENTS OF THE COURSE PROGRAM AND THEIR APPLICATION TO THE PROJECT ACTIVITY CARRIED OUT.

THE FINAL EVALUATION IS BASED ON THE FOLLOWING ELEMENTS:

- ABILITY TO PROPERLY MOTIVATE AND ARGUE THE CHOICES MADE TO CARRY OUT THE PROJECT ACTIVITY

- ABILITY TO DISCUSS, THROUGH APPROPRIATE TERMINOLOGY, THE PROJECT ACTIVITY CARRIED OUT AND THE THEORETICAL AND METHODOLOGICAL CONTENTS INDICATED IN THE TEACHING PROGRAM

THE CANDIDATE ACHIEVES AN OUTSTANDING GRADE IF HE/SHE IS ABLE TO PROVIDE SOLUTIONS TO COMPLEX PROBLEMS, ESPECIALLY IF NOT EXPLICITLY COVERED DURING THE CLASS.
THE EVALUATION IS BASED ON THE SKILLS ACQUIRED ON THE CONTENTS AND METHODOLOGICAL TOOLS PRESENTED DURING THE COURSE, ALSO TAKING INTO ACCOUNT THE QUALITY OF THE ORAL EXPOSURE, AS WELL AS THE SHOWN AUTONOMOUS ASSESSMENTS.

	Texts
	MICHAEL HOWARD, DAVID LEBLANC WRITING SECURE CODE: PRACTICAL STRATEGIES AND PROVEN TECHNIQUES FOR BUILDING SECURE APPLICATIONS IN A NETWORKED WORLD MICROSOFT PRESS, 2002 ISBN: 0735617228 MICHAEL HOWARD, DAVID LEBLANC, JOHN VIEGA 24 DEADLY SINS OF SOFTWARE SECURITY: PROGRAMMING FLAWS AND HOW TO FIX THEM MCGRAW HILL, 2009 ISBN: 0071626751

	More Information
	SLIDES AND EXERCISES PROVIDED BY THE INSTRUCTOR ON THE COURSE WEBSITE. FOR ANY OTHER INFORMATION, YOU CAN CONTACT THE INSTRUCTOR AT BMASUCCI@UNISA.IT.

BETA VERSION Data source ESSE3 [Ultima Sincronizzazione: 2022-05-23]

Barbara MASUCCI | SECURE PROGRAMMING

SECURE PROGRAMMING

CURRICULUM CYBERSECURITY

TEACHING UNITS

PROFESSORS

SHEET

-

Barbara MASUCCI | SECURE PROGRAMMING