Applied Security Laboratory
Autumn semester 2018 (252-0811-00L)
Overview
Organizers: Prof. Dr. David Basin, Dr. Christoph Sprenger, and Dr. Ralf Sasse. This is an application course.
Lab hours: Thursday 9–12h, in CAB E 87.1
Credits: 8 ECTS
Language: English
Applied Security Laboratory
Announcements
- Oct 18: The new version of the book with the improved chapter on web application security and the correspoding updates of the VMs Bob and Mallet are available for download from the course material web page.
- Bring your laptop to the introductory lecture on Sep 20, 2018.
Description
This course emphasizes applied aspects of Information Security and consists of two parts.
Independent study
In this part, the students will study a number of topics in a hands-on fashion and carry out experiments in order to better understand the need for secure implementation and configuration of IT systems and to assess the effectivity and impact of security measures. This part is based on a book and virtual machines that include example applications, questions, and answers.
Project work
In the second part, the students will also perform a team project: based on a set of functional and security requirements, they will design and implement a prototypical IT system. In addition, they will conduct a thorough security analysis and devise appropriate security measures for their systems. Finally, they will carry out a technical and conceptual review of another team's system. All project work will be performed in teams and must be properly documented. At the end of the semester, the teams summarize their work in a short presentation.
Topics covered
The Applied Security Laboratory covers four major topics:
- Operating system security (hardening, vulnerability scanning, access control, logging);
- Application security with an emphasis on web applications (web server setup, common web exploits, authentication, session handling, code security);
- Risk analysis and risk management;
- Computer Forensics.
Exam
There will be a written exam at the end of the semester. In addition, all participating students will take part in a longer-term project. The exam will contribute 60% and the project 40% towards the overall grade.
Schedule
- Mandatory introduction lecture: Thursday, Sep 20, 9–10. There will be no other lectures during the semester.
- Assisted lab hours: Thursdays, 9–12.
- Open lab hours for individual work: rest of the week.
Project schedule
- Sep 27: Register project groups ();
- Oct 22, 12:00: Hand in system description and risk analysis overview / concept (), not expected to be complete;
- Oct 26: Feedback to your overview / concept;
- Nov 22: Hand in final system description and risk analysis, max 30 pages (); also hand in your VMs and exchange report and VMs with other group for reviewing (see course material page), please come to the lab for this.
- Dec 13, by 09:00: Hand in final system reviews, max 18 pages (); presentation of main results (CAB H 53, 9-12).
Semester end exam
- Dec 20, CAB H 52, 10:15-11:45: Written, closed-books, 90 minutes.
Requirements
- The lab covers a variety of different techniques. Thus, participating students should have a solid foundation in the following areas: information security, operating system administration (especially Unix/Linux), and networking. Students are also expected to have a basic understanding of HTML, PHP, JavaScript, and MySQL because several examples are implemented in these languages;
- Students must be prepared to spend more than three hours per week to complete the lab assignments and the project. This applies particularly to students who do not meet the recommended requirements given above. Successful participants of the course receive 8 credits as compensation for their effort;
- All participants must agree and sign the lab's charter and usage policy during the introduction lecture.
Course Material
The course is based on the following book
- Applied Information Security– A Hands-on Approach by Prof. Dr. David Basin, Dr. Patrick Schaller, and Dr. Michael Schläpfer.
Additional course material
- protected page Course material: project assignment, templates, slides, links to VMs, and other course material (login with n.ethz credentials)
Literature
Additional recommended reading:
- Pfleeger, Pfleeger: Security in Computing, Third Edition, Prentice Hall, external page available online from within ETH
- Garfinkel, Schwartz, Spafford: Practical Unix & Internet Security, O'Reilly & Associates.
- Various: OWASP Guide to Building Secure Web Applications, external page available online
- Huseby: Innocent Code – A Security Wake-Up Call for Web Programmers, John Wiley & Sons.
- Scambray, Schema: Hacking Exposed Web Applications, McGraw-Hill.
- O'Reilly, Loukides: Unix Power Tools, O'Reilly & Associates.
- Frisch: Essential System Administration, O'Reilly & Associates.
- NIST: Risk Management Guide for Information Technology Systems, external page available online as PDF
- BSI: IT-Grundschutzhandbuch, external page available online (german), external page PDF in english
- BSI: Risk analysis based on IT-Grundschutz, external page available online as PDF (german), english version