Implementing and administering a secure system requires understanding of (1) assets being protected, and (2) threats, vulnerabilities, and attacks against the system. The goal of this course is to learn how to find vulnerabilities and how to protect against attacks exploiting the vulnerabilities. The approach towards this goal is to try exploiting vulnerabilities in practice, document the results of the attacks, and describe how the attacks could be prevented.

Identifying vulnerabilities and finding information about them are valuable tools in practical information security. Assuming the viewpoint of an attacker helps the students learn how to defend against attacks. Because attacks are tried out in practice, students learn to assess difficulty of attacks and defenses more realistically.

Students learn about vulnerabilities, attacks, and defenses in pairs. Course staff does not teach how to carry out attacks – one important goal for the students is to learn how to find information on their own.

Legal note

NOTE!

All vulnerabilities found during the course must be reported to the course staff.

Information gained during the course must not be used for unethical or illegal purposes.

Helsinki University of Technology accepts no responsibility for any damages (direct or consequential) related to the student work in the course.

Each student is wholly responsible for all his/her own course work (such as study of vulnerabilities). Each student must also arrange for a secure environment for course work on his/her own. The course cannot provide such an environment.

Course language

All deliverables and lectures are in English. Presentation must be given in English.

Prerequisites

T-110.4200 Tietoturvallisuustekniikka (T-110.402) or equivalent (basic concepts of information security)
T-110.4100 Tietokoneverkot (T-110.350) or equivalent (basics of Internet, TCP/IP, DNS, routing, etc)
T-110.5100 Tietoliikenneohjelmistojen laboratoriotyöt (T-110.400) or equivalent (practical experience in telecommunications software)
C programming language (practical skills to write new or change existing tools for an attack)
Optional: UNIX administration experience (useful for preparing and executing attacks)
Optional: T-79.4501 Cryptography and Data Security
Optional: T-110.5210 Cryptosystem

Course material

No course material (only course web page)

Course staff

Lecturer - Sami Vaarala
Assistant - Antti Nuopponen

Required for passing the course

Registration and selecting pairs; all course work is done in pairs

Writing and presenting a paper on chosen topic; peer review

You choose a topic and investigate the vulnerabilities you choose for your topic. You'll document your findings in a 8-10 page paper and a 20 minute presentation based on your paper. The paper must be based on actual attack tests related to the vulnerabilities. The attack tests must be analyzed and documented; similarly, you must document how the attacks could be prevented or their impact minimized in vulnerability reports.

See Selecting a topic, Deliverable instructions.

Course information

Course Noppa web page, Noppa news, e-mail to course participants

Submitting deliverables

Send e-mail by 24:00:

To: t-110.5230@tml.hut.fi
(Peer reviews are sent both to the course e-mail address and the e-mail addresses of the group members whose work you review.)
Subject: T-110.5230: <specific topic>, <your names>
Unless said otherwise, all deliverables must be returned as attachments, .zip (preferred) or .tar.gz file(s) containing deliverable files (to ensure integrity). This is a change from previous years.
PDF files (generated from a LaTeX and BibTeX source) must be compatible with latest Acrobat Reader.
For LaTeX deliverables: in addition to a PDF output file, a full, compilable LaTeX source package must be returned (i.e. it must be possible for us to regenerate the PDF from the LaTeX sources, BibTeX file, and other related files).

Grading

The assignment is graded as a whole. Individual deliverables are not graded separately.

Grade	Requirements
0	Clearly inadequate effort or missing a deadline.
1	Minimum effort for credits.
3	Medium effort, course goals have been achieved. The students have investigated their topic well and attack tests have been done. A clear and readable paper fulfilling the other course requirements.
5	Excellent effort, requirements have been clearly surpassed. Paper has good motivation and analysis, attacks are well thought out and executed. Paper has been well written and is clear, and has a contribution.

Laboratory network

The course does not provide an environment where attack tests may be carried out. You will need to find an environment yourself. Virtualization software (such as VMware, Virtual PC, Virtual Server, Hyper-V, KVM) can be used to create test networks on a single computer. These can be used for many topics to simulate real servers and networks.