Topic outline

  • B4M36BSY - Bezpečnost systémů

    Goal of the course is to introduce security issues in contemporary operating systems and web applications. Participants will get basic knowledge of theoretical models of access rights, security models of operating systems, sandboxing, browsers, web applications, and networking. Furthermore there will be lectures about designing secure applications, verification of correctness, and testing. After the course, participants should better understand the risk and be able to design more secure security solutions. 

    Grading:

    Students has to finish semestral project for which they will be awarded up to 10 points with extra five points for the best project. Points of early / middle bird projects presented in October / November will be multiplied by 1.5 / 1.25. 

    Written exam will be awarded by up to 20 points. To pass the course with the lowest possible mark, you have to have at least 15 points.

    Tutors:

    Josef Liska: josef.liska@virtualmaster.com

    Balasz Kutil: balazs@kutilovi.cz

    Linux command line

    For those who do not know the linux command line, following tutorial might be helpful

    https://ryanstutorials.net/linuxtutorial/#introduction

    git repository for lab materials 

    https://gitlab.com/bsy-prague/labs

  • Přednášky

    Lectures

    1. 5.10.2017 Basic terms and problems in security
    2. 12.10.2017 Access rights. Support of operating systems to isolate processes.
    3. 19.10.2017 Confinement 
    4. 26.10.2017 Security of web browsers 
    5. 2.11.2017 Security of web applications (TP)
    6. 9.11.2017 Guidelines to write the secure code (TP)
    7. 23.11.2017 DOS --- attacks on server availability (TP)
    8. 30.11.2017 Protection of computer networks (TP)
    9. 7.12.2017 Malware I (SG)
    10. 14.12.2017 Covert channels (TP)
    11. 21.12.2017 Security of mobile devices (SG) 
    12. 4.1.2018 Malware for mobile devices (SG) 
    13. 11.1.2018 Value of the privacy (open discussion) (TP, SG, JL))
    14. 18.1.2018

    Labs:

    1. 6.10.2016 SE Linux (JL)
    2. 13.10.2016 SE Linux (JL)
    3. 20.10.2016 Local resource exhaustion  (JL)
    4. 27.10.2016 (double labs) Examine foreign binary --- Reverse engineering (JL)
    5. 3.11.2016 Buffer overflow, integer overflow, ROI (JL)
    6. 10.11.2016 Top ten OWASP attacks (JL)
    7. 24.11.2016 Network and resource amplifications attacks (JL)
    8. 1.12.2016 Protection of networks (JL)
    9. 8.12.2016 Analyze your own malware (SG)
    10. 15.12.2016 Design your own covert channel (TP)
    11. 22.12.2016 Security of mobile devices (SG)
    12. 5.1.2017 Malware of mobile devices  (SG)
    13. 12.1.2017 TBD. (???)

    • Cvičení

      Resources for Labs 1

      https://host.chl.cz/c7.vdi.gz

      sha1sum 85f97c004c2bf2b3d7d46500e595222eb2ac70ef

      root password: bedrichsmetana

      Gunzip after download.

      Links for Labs 6

      https://labs.nettitude.com/blog/fuzzing-with-american-fuzzy-lop-afl/

      https://www.invincealabs.com/blog/2016/08/fuzzing-nginx-with-afl/

      https://gitlab.labs.nic.cz/labs/knot/tree/master/tests-fuzz

       

      • Úkoly

        • Perform static analysis of Android malware. Explore communication channels, describe information extracted from user device, and possible anti-analysis techniques.
        • Implement proof of concept covert channel by piggybacking data extracted from user device on http headers.
        • Show, how different network elements (firewalls, proxy servers, application firewalls, web servers) implement differently parsing of the HTTP header and how it can be exploited. http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf, http://delivery.acm.org/10.1145/2980000/2978394/p1516-chen.pdf?ip=173.38.220.59&id=2978394&acc=OPENTOC&key=4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E4D4702B0C3E38B35%2E9F04A3A78F7D3B8D&CFID=990572166&CFTOKEN=24451070&__acm__=1506744918_b3689a1e519f9ad1841578e2b8e99cac
        • Implement software to run on linux router, e.g. openwrt or normal distro like CentOS or Debian, that will block any outbound communication not matched to ipv4 and ipv6 addresses previously resolved by dnsmasq or similar service on that box. Demo should show that bittorent is blocked, but wikipedia works. As a bonus point, create netflow export with added info about domains used.
        • Implement protection of arp spoofing on linux and (rooted) android device.
        • Discus problems of full disk encryption. Implement simple full disk encryption scheme that is both encrypted and authenticated. It should provide tamper-evidence. Use AES-GCM as cipher. For simplicity, operate on pairs of sectors on actual device. One should contain actual cyphertext and second necessary metadata. Total capacity will be 1/2.
        • Use man-in-the-middle proxy to implement javascript injection. Injected js should then open a websocket and send all keypresses there, without user noticing it.
        • Implement simple browser extension that will generally connect to a websocket and wait for commands.
        • Extract (short) private key from webservice vulnerable to side channels.
        • Implement persistent keylogger by flashing old school network card with (fake) netboot flash.
        • Implement timing attack to crack the password (over a network) too. Even if it'd fail to discover the password, it'd be interesting to e.g. discuss the methods, and various sources of noise and how to suppress them.
        • Use fuzzing (AFL) to discover a bug (possibly new), triage it/submit it upstream & talk about the process. Mruby (https://github.com/mruby/mruby/issues/3789), is ripe for these - it is a small-ish project, has a quite good test suite coverage. There is also a bounty program over at https://hackerone.com/shopify-scripts, which could serve as a motivation / additional topic.
        • Demonstrate data exfiltration through timing of packet / http request. It is an example of covert channel, which can be done even between two processes on the same computer. Estimate the robustness / capacity of the channel.
        • Describe the native-client sandboxing solution by google and show a simple program (hello world?) that will use it. Focus on the security related features of the solution.
        • Talk about separation of privileges in q-mail (http://css.csail.mit.edu/6.858/2015/readings/qmail.pdf). What are its security features?
        • Explain the return oriented programming and show, how an attack can be done on own buggy program.
        • Describe the motivations behind qubeos and demonstrate it. Ideally, try to use it for couple days and talk about your own experiences (https://www.qubes-os.org/)
        • Describe, how docker can be used to improve the security of the server running multiple web services? How its security can be furhter improved with AppArmour / Seccomp https://docs.docker.com/engine/security/security/
        • Describe, how system memory manager can be manipulated through Javascript. Discuss motivations for manipulating the memory layout. Any demonstration of the technique is welcomed. (material: Heap feng shui in Javascript)
        • Describe and demonstrate the exploit of buffer overflow. (material: Smashing stack for fun and profit)
        • Demonstrate code injection in windows / linux and present how to prevent it
          • Atom bombing: http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions
          • DLL injection: http://resources.infosecinstitute.com/code-injection-techniques/
        • SEH Exploit Explained: Structured Exception Handler Overwrite (material: https://www.rapid7.com/resources/structured-exception-handler-overwrite-explained/)
        • describe how openauth / JWT works and demonstrate, how it can be used.

        • Wiki

          • Course materials

            Resources used to prepare lecture 1 and some reading

            1. Matt Bishop, Introduction to Computer Security, 2004, Ch 1,2
            2. Ryan Ausanka-Crues, Methods for Access Control: Advances and Limitations 
              https://www.cs.hmc.edu/~mike/public_html/courses/security/s06/projects/ryan.pdf

            Resources used to prepare lecture 3

            1. Matt Bishop, Introduction to Computer Security, 2004, Ch 1,2,4
            2. Trent Jaeger, Operating system security, 2008, Ch 1--4

            Resources used to prepare lecture 5

            • Du, W., Jayaraman, K., Tan, X., Luo, T., & Chapin, S. Position paper: Why are there so many vulnerabilities in web applications?. In Proceedings of the 2011 workshop on New security paradigms workshop (pp. 83-94). ACM.
            • Bortz, A., Barth, A., & Czeskis, A. (2011). Origin cookies: Session integrity for web applications. Web 2.0 Security and Privacy (W2SP).
            • Barth, A., Jackson, C., & Mitchell, J. C. (2008, October). Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM conference on Computer and communications security (pp. 75-88). ACM.
            • Finifter, M., Weinberger, J., & Barth, A. (2010, March). Preventing Capability Leaks in Secure JavaScript Subsets. In NDSS (Vol. 99, pp. 1-14).

            Resources used to prepare lecture 6

            • Writing Secure Code (Best Practices), Michale Howard, David LeBlanc, 2004