Security of computer systems 1000-215bBSK
The goal of the course is to make students familiar with the fundamental problems of information systems security. The course covers in particular the threats to the confidentiality, integrity and availability of data in information systems; security models and security classes of information systems (TCSEC, ITSEC, EAL); the development of security policies for information systems; the elements of cryptography; electronic signatures and public key infrastructure; models of authorisation; access control strategies; and the security of communication protocols and applications. The course also presents the problems of secure programming, monitoring tools and tools for analysing protection mechanisms, local and network systems for detecting intruder attacks and protecting against them, environments with increased security, and supporting services (e.g. Kerberos, secure directory services).
Type of course
Requirements
Course coordinators
Learning outcomes
Knowledge:
1. The students have knowledge concerning the security of network technologies, in particular the security of basic communication protocols, network applications, cryptographic protocols, types of security attacks on networks and defence mechanisms (K_W11).
Abilities:
1. The students are able to take care of data security, in particular its secure transmission; they use compression and encryption tools (K_U14).
2. The students are able to evaluate, at a basic level, the usefulness of routine IT methods and tools, and to choose and apply appropriate methods and tools for typical computerised tasks (K_U22).
Competences:
1. The students understand the significance of security both from the point of view of the software developer and of the user.
Assessment criteria
The final grade is based on the sum of the points obtained from the laboratory classes (0 to 40) and the exam (0 to 15). The final exam is written and consists of 15 short questions.
Bibliography
WWW applications:
* articles on various types of vulnerabilities (XSS, SQL Injection, XXE, ...) on the Sekurak website,
* articles from the PortSwigger Web Security Academy section: https://portswigger.net/web-security,
* tasks from the Root Me website (https://root-me.org/) from the Web category,
* Michał Bentkowski, Gynvael Coldwind and others: Security of Web Applications.
Reverse engineering:
* FAQ: How to learn reverse-engineering: https://gynvael.coldwind.pl/?id=664,
* book Reverse Engineering for Beginners: https://beginners.re/.
Binary exploitation:
* Tasks from the website https://pwnable.kr/,
* Tasks from the website https://pwnable.xyz/,
* course and assignments from https://pwn.college/.
Cryptography:
* Cryptography I on Coursera.org (free as long as you do not want a certificate),
* cryptopals - a set of tasks for the implementation of various cryptographic constructions and classic attacks,
* free cryptography book: Crypto101,
* book on cryptography: Serious Cryptography.
Other:
* Write-ups, i.e. descriptions of how a specific attack was successfully carried out (e.g. at CTF competitions); they can be found using Google queries such as "sql injection with no space writeup",
* tasks from competitions organized by CERT Polska: https://hack.cert.pl/,
* stream on low-level programming and security: https://www.youtube.com/user/GynvaelColdwind,
* channel on security: https://www.youtube.com/c/LiveOverflow.
Additional information
Information on the level of this course, the year of study and semester in which the course unit is delivered, and the types and amount of class hours can be found in the course structure diagrams of the appropriate study programmes. This course is related to the following study programmes:
Additional information (registration calendar, class conductors, location and schedules of classes) may be available in the USOSweb system: