Software & Web Security 1

Software & Web Security 1, NWI-IPC025, Spring 2014

This course is taught by Erik Poll, Peter Schwabe, Pol Van Aubel, and Ko Stoffelen.
It is part of the Cyber Security Track of the Bachelor Informatica.
More information is in the course guide (studiegids).

The course gives an introduction to C programming (including the use of pointers and dynamically allocated data), the underlying memory representation on the stack and the heap, and ways to abuse all this (with buffer overflows, integer overflows, and format string attacks). The course also teaches some basic command-line skills in Linux/UNIX, including shell scripts and Makefiles.

Parts of the course are inspired by or based on material from the SysSec Common Curriculum.

Lecture: Wednesday 15:30-17:30 in HG00.307 (except on March 19, when it is in HG00.303).
Lab session: Tuesday 8:30-10:30 in HG00.075
Required prior knowledge: Imperative Programming 1 & 2 (NWI-IPC014, NWI-IPC015) and Processors (NWI-IPC006)

For this course there are obligatory weekly programming or hacking exercises, which have to be done in pairs. To be admitted to the exam, at most one of these exercises may have been marked as nsi (niet serieus ingeleverd, i.e. not seriously handed in). Exercises have to be handed in via Blackboard.

Schedule & course material

4 Feb, lecture 1: Intro [slides]
10 Feb, lab session 1: The Linux command line, gcc, and make:
[assignment1] [linux-cheat-sheet]
11 Feb, lecture 2: Compilation & interpretation. C data types incl. pointers [slides] (NB: slide 59 corrected 12/3/2014!)
The code demoed during the lecture to check alignment is alignment.c; compile with option -O2 to get gcc to re-align data (at least, it does on my 64-bit machine).
Read Section 9.1 of your 'Problem Solving with C++' book for another explanation of pointers.
18 Feb, lab session 2: Messing around on the stack: [assignment2 (version 2)] Note: version 2 as of 2014-02-20 19:30
Note: the exercises use some material from lecture 3.
19 Feb, lecture 3: Memory management: the stack & the heap [slides]
A bit childish maybe, but the C pointer movie from Stanford explains the basic pointer operations and heap allocation using malloc. ([Hi res version])
25 Feb, lab session 3: Messing around on the heap: [assignment 3]
Note: the exercises use some material from lecture 4.
26 Feb, lecture 4: Memory management continued [slides]; gdb [slides]
4 March: no lab session because of Carnival
5 March, lecture 5: Buffer overflows and format string attacks [slides]
Read the tutorial on buffer overflows by Herbert Bos and the lecture notes on format strings by Wenliang Du.
11 March, lab session 4: Simple 'local' buffer overflow attacks (without machine code payloads):
[assignment 4]
12 March, lecture 6: Buffer overflows: more attacks and defenses
18 March, lab session 5: A classic 'remote' buffer overflow attack (with machine code payload):
[assignment 5]
19 March, lecture 7: Discussion of assignment 4; Reflection [slides]
25 March, lab session 6: Working session on the final assignment
26 March, lecture 8: Discussion of assignment 5 [slides]; Q&A session for the exam
Tuesday 1 April: exam in HG00.304, 8:30-11:30 (HG00.065 for students with extra time)
Tuesday 8 July: resit exam in HG00.108, 8:30-11:30

Reference material about C

Some links that may be useful for the lab sessions: