Programme

• Course introduction
• Introduction to computer security and terminology
• Vulneability and threats
◦ Software vulnerabilities. Trusted and untrusted input, input validation. Vulnerabilities of applications written with interpreted languages, code injection. Injection into web pages: XSS. Cross site request forgery. OWASP.
▪ Example of web site that is vulnerable to sql injection
◦ buffer overflow attacks. Exploitation: privilege excalation, intrusions through opens services, intrusions through untrusted documents (email, web, etc).
▪ Example of vulnerable code, buffer overflow and related exploit
◦ Vulnerabilities of networks: sniffing, mac flood, ARP poisoning, vulnerability of DNS, Kaminsky attack. TCP session hijecking, MitM attack, DoS and Distributed DoS, Route hijacking.
• Security planning : security plan content, risk analysis.
• Countermeasures
◦ Design principles of policies and mechanisms.
◦ Models: AAA, confinement, DAC, MAC, access control matrix 
◦ Cryptographic techniques:
▪ critptography basics (hash, symmetric c., asymmetric c., MAC, digital signature), birthday attack, rainbow, key quality, pseudo-random number generators.
▪ Authentication protocols and key exchange. replay and reflection attacks. Nonces. Perfect Forward Secrecy. Diffie-Helman. 
▪ Certificates, certification authority, public key infrastructures and their vulnerabilities.
▪ Applications: Protocols ssl, tls, ssh, virtual private networks, ipsec, etc. Autnetication protocols wan and lan. radius and vulnerabilities. Other applications.
◦ Anomaly detection systems.
◦ System security:
▪ general principles: passwords and their vulnerabilities, hardening, assessment and auditing
▪ unix: discertionaly access control, file system security, authentication, PAM, syslog
◦ Network security:
▪ Firewalling:stateless and statefull firewall, connections, syn-proxy and syn-cookies, load balancing and high availability, linux netfilter and configuration examples.
▪ Network siecurity at level 1 and 2.
▪ Applicative proxies and network intrusion detection systems .
• Authenticated Data Structures
• Distributed Ledger Technologies and Bitcoin
• Smart contracts
• Cybersecurity in big organizations.

Core Documentation

Course handouts

Reference Bibliography

M. Bishop, "Computer Security: Art and Science", Addison-Weslesy. C. Kaufman, R. Perlman, M. Speciner, "Network Security: Private Comunication in a Public World (second edition)", Prentice Hall. C. Pfleeger, S. Pfleeger, "Security in Computing", Pearson - Prentice Hall. A. Antonopoulos, Mastering Bitcoin, 2nd Edition, O'Reilly, ,2017 A. Antonopoulos, G, Wood, Mastering ethereum: building smart contracts and dapps. O'Reilly Media, 2018

Type of delivery of the course

Lectures

Type of evaluation

Students will be evaluated on the basis of a written exam (for about 66% of the final grade) and of an personal project (for about 33% of the final grade).

Programme

• Course introduction
• Introduction to computer security and terminology
• Vulneability and threats
◦ Software vulnerabilities. Trusted and untrusted input, input validation. Vulnerabilities of applications written with interpreted languages, code injection. Injection into web pages: XSS. Cross site request forgery. OWASP.
▪ Example of web site that is vulnerable to sql injection
◦ buffer overflow attacks. Exploitation: privilege excalation, intrusions through opens services, intrusions through untrusted documents (email, web, etc).
▪ Example of vulnerable code, buffer overflow and related exploit
◦ Vulnerabilities of networks: sniffing, mac flood, ARP poisoning, vulnerability of DNS, Kaminsky attack. TCP session hijecking, MitM attack, DoS and Distributed DoS, Route hijacking.
• Security planning : security plan content, risk analysis.
• Countermeasures
◦ Design principles of policies and mechanisms.
◦ Models: AAA, confinement, DAC, MAC, access control matrix 
◦ Cryptographic techniques:
▪ critptography basics (hash, symmetric c., asymmetric c., MAC, digital signature), birthday attack, rainbow, key quality, pseudo-random number generators.
▪ Authentication protocols and key exchange. replay and reflection attacks. Nonces. Perfect Forward Secrecy. Diffie-Helman. 
▪ Certificates, certification authority, public key infrastructures and their vulnerabilities.
▪ Applications: Protocols ssl, tls, ssh, virtual private networks, ipsec, etc. Autnetication protocols wan and lan. radius and vulnerabilities. Other applications.
◦ Anomaly detection systems.
◦ System security:
▪ general principles: passwords and their vulnerabilities, hardening, assessment and auditing
▪ unix: discertionaly access control, file system security, authentication, PAM, syslog
◦ Network security:
▪ Firewalling:stateless and statefull firewall, connections, syn-proxy and syn-cookies, load balancing and high availability, linux netfilter and configuration examples.
▪ Network siecurity at level 1 and 2.
▪ Applicative proxies and network intrusion detection systems .
• Authenticated Data Structures
• Distributed Ledger Technologies and Bitcoin
• Smart contracts
• Cybersecurity in big organizations.

Core Documentation

Course handouts

Reference Bibliography

M. Bishop, "Computer Security: Art and Science", Addison-Weslesy. C. Kaufman, R. Perlman, M. Speciner, "Network Security: Private Comunication in a Public World (second edition)", Prentice Hall. C. Pfleeger, S. Pfleeger, "Security in Computing", Pearson - Prentice Hall. A. Antonopoulos, Mastering Bitcoin, 2nd Edition, O'Reilly, ,2017 A. Antonopoulos, G, Wood, Mastering ethereum: building smart contracts and dapps. O'Reilly Media, 2018

Type of delivery of the course

Lectures

Type of evaluation

Students will be evaluated on the basis of a written exam (for about 66% of the final grade) and of an personal project (for about 33% of the final grade).

Programme

• Course introduction
• Introduction to computer security and terminology
• Vulneability and threats
◦ Software vulnerabilities. Trusted and untrusted input, input validation. Vulnerabilities of applications written with interpreted languages, code injection. Injection into web pages: XSS. Cross site request forgery. OWASP.
▪ Example of web site that is vulnerable to sql injection
◦ buffer overflow attacks. Exploitation: privilege excalation, intrusions through opens services, intrusions through untrusted documents (email, web, etc).
▪ Example of vulnerable code, buffer overflow and related exploit
◦ Vulnerabilities of networks: sniffing, mac flood, ARP poisoning, vulnerability of DNS, Kaminsky attack. TCP session hijecking, MitM attack, DoS and Distributed DoS, Route hijacking.
• Security planning : security plan content, risk analysis.
• Countermeasures
◦ Design principles of policies and mechanisms.
◦ Models: AAA, confinement, DAC, MAC, access control matrix 
◦ Cryptographic techniques:
▪ critptography basics (hash, symmetric c., asymmetric c., MAC, digital signature), birthday attack, rainbow, key quality, pseudo-random number generators.
▪ Authentication protocols and key exchange. replay and reflection attacks. Nonces. Perfect Forward Secrecy. Diffie-Helman. 
▪ Certificates, certification authority, public key infrastructures and their vulnerabilities.
▪ Applications: Protocols ssl, tls, ssh, virtual private networks, ipsec, etc. Autnetication protocols wan and lan. radius and vulnerabilities. Other applications.
◦ Anomaly detection systems.
◦ System security:
▪ general principles: passwords and their vulnerabilities, hardening, assessment and auditing
▪ unix: discertionaly access control, file system security, authentication, PAM, syslog
◦ Network security:
▪ Firewalling:stateless and statefull firewall, connections, syn-proxy and syn-cookies, load balancing and high availability, linux netfilter and configuration examples.
▪ Network siecurity at level 1 and 2.
▪ Applicative proxies and network intrusion detection systems .
• Authenticated Data Structures
• Distributed Ledger Technologies and Bitcoin
• Smart contracts
• Cybersecurity in big organizations.

Core Documentation

Course handouts

Reference Bibliography

M. Bishop, "Computer Security: Art and Science", Addison-Weslesy. C. Kaufman, R. Perlman, M. Speciner, "Network Security: Private Comunication in a Public World (second edition)", Prentice Hall. C. Pfleeger, S. Pfleeger, "Security in Computing", Pearson - Prentice Hall. A. Antonopoulos, Mastering Bitcoin, 2nd Edition, O'Reilly, ,2017 A. Antonopoulos, G, Wood, Mastering ethereum: building smart contracts and dapps. O'Reilly Media, 2018

Type of delivery of the course

Lectures

Type of evaluation

Students will be evaluated on the basis of a written exam (for about 66% of the final grade) and of an personal project (for about 33% of the final grade).

Programme

• Course introduction
• Introduction to computer security and terminology
• Vulneability and threats
◦ Software vulnerabilities. Trusted and untrusted input, input validation. Vulnerabilities of applications written with interpreted languages, code injection. Injection into web pages: XSS. Cross site request forgery. OWASP.
▪ Example of web site that is vulnerable to sql injection
◦ buffer overflow attacks. Exploitation: privilege excalation, intrusions through opens services, intrusions through untrusted documents (email, web, etc).
▪ Example of vulnerable code, buffer overflow and related exploit
◦ Vulnerabilities of networks: sniffing, mac flood, ARP poisoning, vulnerability of DNS, Kaminsky attack. TCP session hijecking, MitM attack, DoS and Distributed DoS, Route hijacking.
• Security planning : security plan content, risk analysis.
• Countermeasures
◦ Design principles of policies and mechanisms.
◦ Models: AAA, confinement, DAC, MAC, access control matrix 
◦ Cryptographic techniques:
▪ critptography basics (hash, symmetric c., asymmetric c., MAC, digital signature), birthday attack, rainbow, key quality, pseudo-random number generators.
▪ Authentication protocols and key exchange. replay and reflection attacks. Nonces. Perfect Forward Secrecy. Diffie-Helman. 
▪ Certificates, certification authority, public key infrastructures and their vulnerabilities.
▪ Applications: Protocols ssl, tls, ssh, virtual private networks, ipsec, etc. Autnetication protocols wan and lan. radius and vulnerabilities. Other applications.
◦ Anomaly detection systems.
◦ System security:
▪ general principles: passwords and their vulnerabilities, hardening, assessment and auditing
▪ unix: discertionaly access control, file system security, authentication, PAM, syslog
◦ Network security:
▪ Firewalling:stateless and statefull firewall, connections, syn-proxy and syn-cookies, load balancing and high availability, linux netfilter and configuration examples.
▪ Network siecurity at level 1 and 2.
▪ Applicative proxies and network intrusion detection systems .
• Authenticated Data Structures
• Distributed Ledger Technologies and Bitcoin
• Smart contracts
• Cybersecurity in big organizations.

Core Documentation

Course handouts

Reference Bibliography

M. Bishop, "Computer Security: Art and Science", Addison-Weslesy. C. Kaufman, R. Perlman, M. Speciner, "Network Security: Private Comunication in a Public World (second edition)", Prentice Hall. C. Pfleeger, S. Pfleeger, "Security in Computing", Pearson - Prentice Hall. A. Antonopoulos, Mastering Bitcoin, 2nd Edition, O'Reilly, ,2017 A. Antonopoulos, G, Wood, Mastering ethereum: building smart contracts and dapps. O'Reilly Media, 2018

Type of delivery of the course

Lectures

Type of evaluation

Students will be evaluated on the basis of a written exam (for about 66% of the final grade) and of an personal project (for about 33% of the final grade).