Introduction to Computer Security - B4M36BSY

Credits 6
Semesters Winter
Completion Assessment + Examination
Language of teaching Czech
Extent of teaching 2P+2C
Annotation
The aim of this course is to acquaint students with current security risks of operating systems and web applications, such as gaining access over the network and privilege escalation. Students will gain an overview of the principles of administering operating systems to minimize security risks, writing secure applications and verifying their security, setting up firewalls, and forensic analysis of already infected systems.
Course outlines
1. 6.10.2016 Basic terms and problems in security, Access rights. (TP)
2. 13.10.2016 Operating system support for process isolation. (TP)
3. 20.10.2016 (double lecture) Confinement, Security of web browsers (TP)
4. 27.10.2016 (double labs) Examine foreign binary --- Reverse engineering (TP)
5. 3.11.2016 Guidelines for writing secure code (TP)
6. 10.11.2016 Security of web applications (TP)
7. 24.11.2016 DoS --- attacks on server availability (TP)
8. 1.12.2016 Protection of computer networks (TP)
9. 8.12.2016 Malware I (SG)
10. 15.12.2016 Covert channels (TP)
11. 22.12.2016 Security of mobile devices (SG)
12. 5.1.2017 Malware for mobile devices (SG)
13. 12.1.2017 Value of privacy (open discussion) (TP, SG, JL)
Exercises outlines
1. 6.10.2016 SELinux (JL)
2. 13.10.2016 Local resource exhaustion (JL)
3. 20.10.2016 double lecture (TP)
4. 27.10.2016 (double labs) Examine foreign binary --- Reverse engineering (JL)
5. 3.11.2016 Buffer overflow, integer overflow, ROI (JL)
6. 10.11.2016 Top ten OWASP attacks (JL)
7. 24.11.2016 Network and resource amplification attacks (JL)
8. 1.12.2016 Protection of networks (JL)
9. 8.12.2016 Analyze your own malware (SG)
10. 15.12.2016 Design your own covert channel (TP)
11. 22.12.2016 Security of mobile devices (SG)
12. 5.1.2017 Malware for mobile devices (SG)
13. 12.1.2017 TBD. (???)

Links for Labs 6

https://labs.nettitude.com/blog/fuzzing-with-american-fuzzy-lop-afl/
https://www.invincealabs.com/blog/2016/08/fuzzing-nginx-with-afl/
https://gitlab.labs.nic.cz/labs/knot/tree/master/tests-fuzz
Literature
Resources used to prepare lecture 1 and some materials

Matt Bishop, Introduction to Computer Security, 2004, Ch 1,2,4
Ryan Ausanka-Crues, Methods for Access Control: Advances and Limitations
https://www.cs.hmc.edu/~mike/public_html/courses/security/s06/projects/ryan.pdf

Resources used to prepare lecture 3

Matt Bishop, Introduction to Computer Security, 2004, Ch 1,2,4
Trent Jaeger, Operating system security, 2008, Ch 1--4

Resources used to prepare lecture 5

Du, W., Jayaraman, K., Tan, X., Luo, T., & Chapin, S. Position paper: Why are there so many vulnerabilities in web applications?. In Proceedings of the 2011 workshop on New security paradigms workshop (pp. 83-94). ACM.
Bortz, A., Barth, A., & Czeskis, A. (2011). Origin cookies: Session integrity for web applications. Web 2.0 Security and Privacy (W2SP).
Barth, A., Jackson, C., & Mitchell, J. C. (2008, October). Robust defenses for cross-site request forgery. In Proceedings of the 15th ACM conference on Computer and communications security (pp. 75-88). ACM.
Finifter, M., Weinberger, J., & Barth, A. (2010, March). Preventing Capability Leaks in Secure JavaScript Subsets. In NDSS (Vol. 99, pp. 1-14).

Resources used to prepare lecture 6

Michael Howard, David LeBlanc, Writing Secure Code (Best Practices), 2004