Description
The course is lectured every autumn semester at the Department of Informatics, University of Bergen, Norway.
Lectures: 13 weeks with two sessions per week and 1.5 hours per session.
Exam: Oral
Syllabus: Autumn 2008 (PDF)
Lecture notes: Go to the download page containing PDF files.
Assignments: You must answer the review questions and complete one project.
Contents: INF143 describes attacks exploiting common vulnerabilities in client-server applications and shows how the use of risk management techniques can increase the security of these applications.
The course is partly based on material found in the three textbooks shown on the right. (You do not need to buy all three books to attend the course.) Required reading must be done before class. In-class time will be divided between lectures and discussions.
The first part of the course analyzes attacks exploiting vulnerabilities in web applications. Examples are cross-site scripting, SQL injection and denial-of-service attacks. One lecture also considers CCTV systems, location based services, and the identity theft problem. The final lecture discusses how cryptography in databases can protect sensitive information.
The second part of INF143 discusses authentication techniques in more detail and introduces PKIs (Public Key Infrastructures). It is shown how a PKI can be combined with the widely used SSL protocol to provide authentication, integrity, and confidentiality services.
The third part gives an introduction to security risk management. Several large examples illustrate the most important steps in the risk management process. The examples consider technical, legal, and usability aspects of risk management. In particular, it is explained why the poor usability of SSL simplifies phishing attacks.
The fourth and final part of the course builds on the knowledge gained earlier to develop the architecture of a framework for secure client-server applications. The framework supports thin clients such as smartphones. Lecture slides are on the download page.
For more information, visit the course history page or see the list of review questions (in Norwegian).
Recommended qualifications: INF142. A basic understanding of wired networks, including the TCP/IP protocols and the OSI (Open Systems Interconnection) reference model.
Ethics
Unless you have written authorization from the owner and operators, you should not attempt to penetrate or affect the operation of any application or its underlying computer system.
The course staff may demonstrate attacks to give you a better understanding of how to protect applications and systems. We will also discuss how it may be possible for crackers to successfully attack applications of national importance and cause serious damage. We will only discuss attacks that are known to the security community. In no way should these discussions be seen as an encouragement to carry out a real attack. Any such activity is a gross violation of the trust the course staff have shown you by accepting you as a student.
You should know that some security professionals are of the opinion that it is wrong to explain known attacks on computer systems. During the course you will be encouraged to develop your own view on how to best develop better security.
Last updated 15.06.08.
Webmaster KJH