
Security-Labor

Type: Practical course
Semester: Winter semester 2013/14
Location: MI 01.10.021
Time: Mon, Tue, Thu: 14:00 - 16:00
Begin: 14.10.2013
Preliminary Discussion / Enrollment: 3.7.2013, 14:00-15:00, Location: 01.09.014
Max. group size: 20
Lecturer: Prof. Dr. Alexander Pretschner, Matthias Buechler, Florian Kelbert
SWS: 6
ECTS: 10
LvNr: 453
Module: IN2106
Links: Module IN2106 Master Practical Course
Contact: Matthias Buechler

Overview

The goal of this lab is to teach students how to defend against computer security vulnerabilities through hands-on assignments. We will analyze well-known security vulnerabilities, reproduce them in a controlled environment, and implement countermeasures. After doing this lab, students will know how to apply security defense principles in real life to protect computer systems.

Contents: Computer security principles and techniques provide guidelines on how computer systems can be protected against security attacks. In practice, however, it is not clear how adherence to security principles and techniques affects the security of real-life computer systems. In this lab, we demonstrate well-known practical security vulnerabilities (Unix/Linux) alongside the underlying theory, and guide students to creative implementations of countermeasures. The lab includes hands-on activities for the analysis of and countermeasures against vulnerabilities of system libraries, system configurations, networks, and (web) applications. As a result of the practical nature of this class, the students will also learn concepts of systems administration and configuration.

What we teach ...

Network Security

  • Basics of network security
  • ARP spoofing
  • DNS pharming
  • Man-in-the-middle attack

Web and Database Security

  • Authentication and access control
  • SQL and script injections
  • Cross site scripting

Operating System Security

  • Set UID vulnerability
  • Stack buffer overflow and source code
  • Return-to-libc
  • Format string
  • Race condition
  • Chroot sandbox

Secure Implementation

  • Cryptography in Java and C
  • Trusted Computing Platform
  • File system encryption and VPN tunnels
  • System call interposition sandboxing
  • XACML policies in Java and XACML

Cryptography

  • Basics of cryptanalysis and Cryptool and challenges
  • Rainbow tables (sha1-challenges.txt and rainbow-tables.xls)

Secure Design

  • Manual code review and dummies
  • Automated code review 

Forensics

  • Analyzing system logs and files

Assessment

In order to successfully pass this lab, you have to achieve both of the following:

  • During the semester 75% of all exercises have to be solved and handed in.
  • At the end of the semester you have to pass an oral exam.

Your final grade is the grade that you achieve in the oral exam.

In case of illness, the missing exercise has to be "handed in" in the form of a personal discussion with us.

Registration

Please register online: https://campus.tum.de