Advanced Internet Security

Lecture with Exercise (3.0 ECTS) - 183.222

Slides

06.10.2016, Introduction, Web Security III
11.10.2017, Reverse Engineering

Lecturers

This lecture is held as a cooperation between the Secure Systems Lab at the Automation Systems Group (183/1) and the Information and Software Engineering Group (188/1).

Tutor

Abstract

Advanced Internet Security (previously Internet Security 2) serves as a continuation for the class Internet Security. The idea is to present problems in more detail and allow students to apply their knowledge in practical exercises. The lecture deals with common programming mistakes and ways to detect and avoid them. Examples are used to highlight general error classes, such as stack overflow and format string vulnerabilities.

In order to teach the subject in the most authentic way, the lecture uses an "offensive approach": security-related topics are viewed from an attacker's perspective and possible attack scenarios are shown. In practical challenges, the students need to exploit previously discussed security vulnerabilities inside a controlled challenge environment. This improves the students' understanding of the topics covered, guarantees that they will not make similar mistakes in their own projects, and allows them to actively take security measures when handling security-relevant projects.

As part of the class, students are able to participate in a hacking contest in which they can prove their knowledge of security and system management by competing with their peers or, as a team, against other universities spread around the globe.

Prerequisites

Location, Dates and Times

Assignments

There is a set of "challenges" that the students are required to solve. These challenges are security-related programming assignments (e.g., buffer overflows, application cracking, virus coding, etc.).
The challenges will be announced on a regular basis, most of them following the content of the lectures.

"Stuff" to hack and crack
During the InetSec 2 course, we will announce a "challenge" here every couple of weeks that you need to solve. These challenges aim to allow you to gain practical experience in penetration testing and the vulnerability analysis of software and applications. We have planned a set of challenges that deal with topics such as application vulnerabilities, buffer and heap overflows, viruses, application cracking and spoofing. The challenges are directly related to the concepts discussed in the lecture.
In order to successfully pass the Advanced InetSec course, you have to have at least 50% on the challenges and 50% on the written exam. Challenges are worth 20% each, and if you manage to solve all 6 challenges you get an additional 10% on the last one (amounting to a total of 110%). Challenges and exam results are weighted 1/3 + 2/3 for the final grade. These challenges are not necessarily difficult (for advanced programmers), but will probably require you to do research on the Internet, read documentation, and bring patience, endurance and coding. If you did InetSec 1, you know what we are talking about.

Special "challenge" for us
This is supposed to be fun for us too (;-)) so if we manage to find out your password during the course (e.g., crack your password), you will be "punished". So start by changing your password and follow the instructions on this Web site.
By the way, we introduced a new challenge environment last year. We think we have everything covered, but history tells us that nobody is perfect. So we trust you that you will not try to break the system. However, if you manage to find an exploitable vulnerability in our system and report it to us, possibly with a solution to make it better, we will not be avaricious. Rather, it tells us that our teaching was not fruitless.
Good luck and happy debugging ;-)

Forum

If you have questions regarding the lab challenges, please use the TISS Forum to exchange ideas with other students. Our tutor reads it on a daily basis and is usually quick to answer with help. Please refrain from posting (partial) solutions, as you will spoil the fun for others. If you think you need help beyond that, contact us by email at the address at the top of this page.

Examination

Date: January 24th, 18:00
About 15-20 questions, 75 minutes time, no course material allowed.

Internships, Theses

Are you a motivated student looking for a bachelor's thesis or master's thesis, have you attended our courses, and are you otherwise also very interested in the security topic? Please visit the internship and theses pages of Seclab and SBA Research:
  • Internships and Theses at SBA Research
  • Internships and Theses at Seclab Vienna

Registration

Registration is handled via the TISS site now!
Once the course has started, register via TISS. We will import your data and send you the credentials for our environment via email. From that point, all communication is handled via this site. Your account will be valid for the whole semester and give you detailed feedback on submissions, current points, etc.