Latest News
- Exercise sheet #4: question (h) removed and question (g) changed to the following:
  - (g) (3 points) Which of these protocols required authentication and what servers were involved in each case?
- Project #3: grading changed to the following:
  - Exercise 1: Standard Traceroute (2 points)
  - Exercise 2: Versatile Traceroute (1 point)
  - Exercise 3: Statistics Reporting (1 point)
  - Exercise 4: Path Diagnostics (3 points; 1 point each)
  - Exercise 5: Firewall Handling (3 points; 1 point each)
- Exercise sheet #4 is out (due by 17 July at 14:00)
- Project #3 is out (due by 24 July at 14:00)
- Exercise sheet #3 is out (due by 21 June at 23:59)
- Project #2 is out (due by 26 June at 14:00)
- Problem 3 in exercise sheet 2 was slightly updated
- Exercise sheet #2 is out (due by 29 May at 14:00)
- Project #1 is out (due by 5 June at 14:00)
- Exercise sheet #1 is out (due by 15 May at 14:00)
- Lecture starts on Friday, April 24 at 14:00.
Description
This course covers practical aspects of security. We give many examples of how things can go wrong when trying to build secure systems, as well as principles and tools that can help defend against such attacks. The list of topics comprises:
- Software security:
  - Secure system design, access control, and protection
  - Malware: computer viruses, spyware, and key-loggers
  - Low-level software security: buffer overflow and similar attacks
  - Fuzzing and tools for writing robust application code
  - Side-channel attacks
- Web security:
  - Cross-site scripting and SQL injection attacks
  - Web browser security
  - Web authentication: password management, phishing, user interfaces, single sign-on
- Network security:
  - Security problems in network protocols (TCP, DNS, SMTP, and routing)
  - Security protocols (SSH, TLS)
  - Network defense tools: firewalls, VPNs, intrusion detection, and filters
  - Unwanted traffic: denial-of-service attacks and spam email
  - Network worms and botnets
Prerequisites
This course is an advanced practical lecture. It assumes solid knowledge in programming, computer networks and operating systems (Unix in particular). The first and the third projects additionally require experience with a low-level language such as C (maybe also a little x86 ASM for the first project), while the second project might be a little easier if you already know something about web programming (HTML, JavaScript and PHP).
Tutorials
- Stefan Lorenz: Wednesday 10:00 - 12:00, building E1.3, Seminar room 015
- Christian Holler: Thursday 14:00 - 16:00, building E1.3, Seminar room 016
Office Hours
Michael Backes will be available for your questions every Wednesday 14:00 - 15:00 in building E1.1, room 2.11.
Catalin Hritcu will be available for your questions every Tuesday, 14:00 - 15:00 in building E1.1, room 2.10.
Homework
Homework accounts for 20% of the final grade. There will be 4 exercise sheets that each student has to solve individually. Each sheet will contain both questions you have to answer in written form (as preparation for the final exam), as well as simple programming exercises that require you to get familiar with the concepts and tools that are presented in the lecture.
Exercise sheets will be handed out in class and posted on the course web page roughly every 3 weeks (the precise dates are listed below). The solutions have to be submitted by email within one week, and will be graded. Sample solutions to the exercise sheets will be posted on this web site and discussed in the tutorial.
Projects
Three projects account for 50% of the final grade: one on software security, one on web security, and one on network security. The first two projects will require you to mount specific attacks against real systems in a simulated environment (e.g. inside a virtual machine we provide). The attacks you need to mount will vary in difficulty, from easy to more sophisticated ones. For such tasks you will be graded solely by the number of attacks you successfully mount. The second and third projects will also require you to defend against specific attacks. For such tasks you will be graded solely by the number of attacks you successfully defend against. If you go over a certain threshold you might receive bonus points (if that is the case, the project description will say so explicitly).
You can work in teams of up to two people. The first team that manages to perform a certain attack/defense and provides proof of that by email receives additional bonus points. The status of each problem will be displayed on an internal web page, and kept up-to-date as successful exploits/defenses arrive.
The projects are going to be handed out in class and posted on the course web page roughly every 4 weeks (the precise dates are listed below). Each team has to submit the set of successful exploits/defenses it could produce within three weeks. Sample exploits/defenses will be posted on an internal web page and discussed in the tutorial.
Final Exam
The final exam will be a written test of two hours. It will make up 30% of your final grade, and you need at least 50% to pass the course.
The final exam will take place instead of the last lecture, on the 31st of July at 14:00.
Grading & Requirements for passing the course
The final grade is computed as: 0.2 * H + 0.5 * P + 0.3 * F, where H is the grade obtained for the homework, P the one for the projects and F the grade in the final exam. Because of bonus points P can slightly exceed 100%, and will not be truncated.
To be admitted to the final exam you need at least 50% of the weighted sum of the homework and project grades, i.e. at least 50% of (0.2 * H + 0.5 * P). Additionally, you need at least 50% in the final exam to pass the course.
Backup Exams
The backup exam will be written. To be admitted to the backup exam you need to fulfill the same condition as for the final: at least 50% of (0.2 * H + 0.5 * P). Please note that if you have passed the final exam and also take the backup exam, the better score of the two will count for your final grade.
Date of the backup exam: TBA
Lecture Overview & Material
| Date | Topics | Slides | References |
|---|---|---|---|
| 2009-04-24 | Course Overview | | |
| 2009-04-24 and 2009-05-08 | Secure system design, access control and protection | | |
| 2009-05-08 | Malware | | |
| 2009-05-15 | Control hijacking attacks | | |
| 2009-05-22 | Control hijacking defenses | | |
| 2009-05-29 | Fuzzing | | |
| 2009-06-05 | Web Security: Introduction, SQL Injection and Cross-Site Scripting (XSS) | | |
| 2009-06-12 | Web Browser Security | | |
| 2009-06-19 | Web Authentication | | |
| 2009-06-26 | Security Problems in Network Protocols; TLS | | |
| 2009-07-03 | Network Security Protocols and Defense Mechanisms | | |
| 2009-07-10 | Denial of Service and Spam (Lecture given by Krishna Gummadi, MPI-SWS) | | |
| 2009-07-24 | Side-channel attacks | | |
Bulletin Board
We have set up a bulletin board where you can ask questions and discuss topics related to the lecture.
Notes
In this course we discuss vulnerabilities and attacks. Most vulnerabilities have been fixed, still some attacks may cause harm. Do not try these at home or anyplace else.