Description:

The students will learn how to assess security risks and how to take them into account in the design phase of their own code and solutions. After getting familiar with the threat modeling theory, students gain practical experience with running programs with reduced privileges and methods of specifying these privileges, since not every program needs to run with administrator privileges. Dangers inherent in buffer overflows will be practically demonstrated. Students will be introduced to the principles of securing data and the relationships of security and database systems, web, remote procedure calls, and sockets in general. The module concludes with Denial of Service attacks and the defense against them.

Contents:

1. Introduction to debuggers
2. Code generation, structure of an executable file
3. Buffer overflow
4. Writing secure code in C
5. Security layers, access levels
6. Running with the least privileges
7. Data security and integrity
8. Data input, canonical representation and security
9. Security of databases
10. Security of web applications
11. Security of sockets
12. Denial-of-service attacks

Seminar contents:

1. Introduction to debuggers
2. Code generation, analysis of an existing application
3. Buffer overflow
4. Buffer overflow II
5. Writing secure code in C
6. Data security and integrity
7. Running with the least privileges
8. SQL injection
9. Secure programming of databases
10. Security of web applications
11. Buffer overflow on the heap
12. Malware

Recommended literature:

[1] Howard, M. - LeBlanc, D.: Writing Secure Code, 2nd Edition. Microsoft Press, 2003, 9780735617223.
[2] Howard, M. - LeBlanc, D.: Writing Secure Code for Windows Vista. Microsoft Press, 2007, 9780735623934.
[3] Seacord, R. C.: Secure Coding in C and C++, 2nd Edition. Addison-Wesley Professional, 2013, 9780321822130.
[4] Zhirkov, I.: Low-Level Programming: C, Assembly, and Program Execution on Intel 64 Architecture. Apress, 2017, 9781484224021.
[5] Shostack, A.: Threat Modeling: Designing for Security. Wiley, 2014, 9781118809990.
[6] Hoffman, A.: Web Application Security: Exploitation and Countermeasures for Modern Web Applications. O'Reilly Media, 2020, 9781492053118.

Keywords:

Security, secure development, vulnerability, threat, buffer overflow, SQL injection, access rights, Denial of Service.

Abbreviations used:

Semester:

• W ... winter semester (usually October - February)
• S ... spring semester (usually March - June)
• W,S ... both semesters

Mode of completion of the course:

• A ... Assessment (no grade is given to this course but credits are awarded. You will receive only P (Passed) of F (Failed) and number of credits)
• GA ... Graded Assessment (a grade is awarded for this course)
• EX ... Examination (a grade is awarded for this course)
• A, EX ... Examination (the award of Assessment is a precondition for taking the Examination in the given subject, a grade is awarded for this course)

Weekly load (hours per week):

• P ... lecture
• C ... seminar
• L ... laboratory
• R ... proseminar
• S ... seminar