
Security of computer systems

General data

Course ID: 1000-215bBSK
Erasmus code / ISCED: 11.303 The course classification code consists of three to five digits: the first three denote the field classification according to the list of field codes used in the Socrates/Erasmus programme, the fourth (so far usually 0) an optional refinement of the discipline, and the fifth the level of advancement of the course, determined by the year of study for which the course is intended. / (0612) Database and network design and administration The ISCED (International Standard Classification of Education) code has been designed by UNESCO.
Course title: Security of computer systems
Name in Polish: Bezpieczeństwo systemów komputerowych
Organizational unit: Faculty of Mathematics, Informatics, and Mechanics
Course groups: Obligatory courses for 3rd grade Computer Science
Obligatory courses for 3rd grade JSIM (3I+4M)
Obligatory courses for 4th grade JSIM (3M+4I)
ECTS credit allocation (and other scores): 5.00 Basic information on ECTS credits allocation principles:
  • the annual hourly workload of the student’s work required to achieve the expected learning outcomes for a given stage is 1500-1800h, corresponding to 60 ECTS;
  • the student’s weekly hourly workload is 45 h;
  • 1 ECTS point corresponds to 25-30 hours of student work needed to achieve the assumed learning outcomes;
  • the weekly student workload necessary to achieve the assumed learning outcomes allows the student to obtain 1.5 ECTS;
  • work required to pass the course, which has been assigned 3 ECTS, constitutes 10% of the semester student load.

Language: Polish
Type of course:

obligatory courses

Requirements:

Computer networks 1000-214bSIK
Databases 1000-213bBAD
Operating systems 1000-213bSOP
Software engineering 1000-214bIOP
Web applications 1000-214bWWW

Short description:

The goal of the course is to make students familiar with the fundamental problems in security of information systems.

Full description:

The goal of the course is to make students familiar with the fundamental problems of information systems security. In particular, the course covers threats to the confidentiality, integrity and availability of data in information systems; security models and security classes of information systems (TCSEC, ITSEC, EAL); the development of security policies for information systems; elements of cryptography; electronic signatures and public key infrastructure; models of authorisation; access control strategies; and the security of communication protocols and applications. The course will also present the problems of secure programming; monitoring tools and tools for analysing protection mechanisms; local and network systems for detecting intruder attacks and protecting against them; environments with increased security; and supporting services (e.g. Kerberos, secure directory services).

Bibliography:

WWW applications:

* articles on various types of vulnerabilities (XSS, SQL Injection, XXE, ...) on the Sekurak website,

* articles from the PortSwigger Web Security Academy section: https://portswigger.net/web-security,

* tasks from the Root Me website (https://root-me.org/) from the Web category,

* Michał Bentkowski, Gynvael Coldwind and others: Security of Web Applications.

Reverse engineering:

* FAQ: How to learn reverse-engineering: https://gynvael.coldwind.pl/?id=664,

* book Reverse Engineering for Beginners: https://beginners.re/.

Binary exploitation:

* Tasks from the website https://pwnable.kr/,

* Tasks from the website https://pwnable.xyz/,

* course and assignments from https://pwn.college/.

Cryptography:

* Cryptography I on Coursera.org (free as long as you do not want a certificate),

* cryptopals - a set of tasks for the implementation of various cryptographic constructions and classic attacks,

* free cryptography book: Crypto101,

* book on cryptography: Serious Cryptography.

Other:

* Write-ups, i.e. descriptions of how a specific attack was successfully carried out (e.g. at CTF competitions) - they can be found using Google queries such as "sql injection with no space writeup",

* tasks from competitions organized by CERT Polska: https://hack.cert.pl/,

* stream on low-level programming and security: https://www.youtube.com/user/GynvaelColdwind,

* channel on security: https://www.youtube.com/c/LiveOverflow.

Learning outcomes:

Knowledge:

1. The students have knowledge concerning the security of network technologies, in particular the security of basic communication protocols, network applications, cryptographic protocols, types of security attacks on networks and defence mechanisms (K_W11).

Abilities:

1. The students are able to take care of data security, in particular its secure transmission; they use compression and encryption tools (K_U14).

2. The students are able to evaluate, at a basic level, the utility of routine IT methods and tools, and to choose and apply appropriate methods and tools to typical computerised tasks (K_U22).

Competences:

1. The students understand the significance of security both from the point of view of the software developer and the user.

Assessment methods and assessment criteria:

The final grade is based on the sum of the points obtained from the laboratory classes (0 to 40) and exam (0 to 15). The final exam is written and consists of 15 short questions.

Classes in period "Winter semester 2023/24" (past)

Time span: 2023-10-01 - 2024-01-28
Type of class:
Lab, 30 hours
Lecture, 30 hours
Coordinators: Tomasz Kazana
Group instructors: Jarosław Jedynak, Tomasz Kazana, Michał Kowalczyk, Paweł Srokosz, Krzysztof Stopczański, Krzysztof Zając
Examination: Examination
Course descriptions are protected by copyright.
Copyright by University of Warsaw.