10/1/23, 12:25 Detailed Programme

Summary Sheet

Academic Year: 2022/2023
School: Scuola di Ingegneria Industriale e dell'Informazione
Course: 055633 - COMPUTER SECURITY - UIC 587
Lecturer: Zanero Stefano
CFU: 5.00
Course type: Monodisciplinare (single-subject)

Degree programme | Pre-approved study plan code | Course | From (inclusive) | To (exclusive)
Ing Ind - Inf (Mag.)(ord. 270) - CR (263) MUSIC AND ACOUSTIC ENGINEERING | * | 055633 - COMPUTER SECURITY - UIC 587 | A | ZZZZ
Ing Ind - Inf (Mag.)(ord. 270) - MI (471) BIOMEDICAL ENGINEERING - INGEGNERIA BIOMEDICA | * | 055633 - COMPUTER SECURITY - UIC 587 | A | E
Ing Ind - Inf (Mag.)(ord. 270) - MI (474) TELECOMMUNICATION ENGINEERING - INGEGNERIA DELLE TELECOMUNICAZIONI | * | 055633 - COMPUTER SECURITY - UIC 587 | A | E
Ing Ind - Inf (Mag.)(ord. 270) - MI (481) COMPUTER SCIENCE AND ENGINEERING - INGEGNERIA INFORMATICA | * | 055633 - COMPUTER SECURITY - UIC 587 | A | E

Course objectives
Modern computer systems routinely handle high-value information such as financial and
personal data, economic transactions, and various forms of valuable intellectual property.
Moreover, computer systems are becoming pervasive, always-on and increasingly
interconnected. Ensuring information security in this landscape is an extremely
challenging task.
Security engineering, the discipline of designing and building secure systems, is a
complex, interdisciplinary problem mixing elements of cryptography, software
engineering, secure networking, as well as political and social challenges.
This course is an extensive introduction to the challenges of cybersecurity, and to the
methodology to build, validate, and (ethically) bypass security systems with the goal of
learning how to secure them properly.
During the lectures, we will analyze the various building blocks of a computer and
information system, including their security subsystems. We will constructively analyze
their vulnerabilities, see how these can be exploited, and deductively learn what was
wrong and how to avoid repeating such engineering mistakes.

Expected learning outcomes

At the end of the course, students will know the basic terminology of security and the
elements of a risk assessment methodology. They will have a broad knowledge of basic
security technologies and of their fallacies and issues. They will also have a working
knowledge of some basic examples of vulnerabilities and their exploitation.
After the exam and the optional hacking lab, students will have developed the skills
needed to assess the basic security issues of systems, networks and applications. They
will be able to discuss security choices in meaningful terms, to evaluate a provided
solution and improve over it, or to offer and sketch a solution to a security problem
provided. They will also be able to exploit simple application vulnerabilities, and to
develop basic patches.

Topics covered
1) Introduction to information security
- What is information security: examples
- Vulnerabilities, Risks, Exploits, Attackers: definitions
- Security as risk management
 
2) A short introduction to cryptography
- Brief history of cryptography, highlighting paradigm shifts
- Definition of perfect and computational confidentiality, and constructions to achieve
them
- Definition of data integrity, and Message Authentication Codes (MACs)
- Definition of cryptographic hash functions, and their uses
- Asymmetric cryptographic primitives: definition of key agreement, key exchange,
digital signatures
- Structure of a Public Key Infrastructure (PKI), and analysis of practical instances
- Critical analysis of engineering mishaps in digital signature schemes and in PKI
 
 
3) Authentication
- The three factors of authentication
- Multifactor authentication
- Authentication technologies evaluation; bypassing authentication controls
 
4) Authorization and access control
- Discretionary (DAC) and mandatory (MAC) access control policies
- Multilevel security and its applications: military secrets management
 
5) Software vulnerabilities
- Design, implementation and configuration bugs
- Typical memory errors: buffer overflow and format string bugs
- Exploiting applications and local privilege escalation (*)
- Web application security: introduction
- Typical code-injection vulnerabilities: cross-site scripting and SQL injections
- Exploiting real web applications (*)
 
6) Secure networking architectures
- Network protocol attacks: sniffing, denial of service, spoofing
- Firewall: taxonomy and technologies
- Secure network architectures (DMZ and multi-zone networks)
- Virtual private networks (VPN)
- Secure connections and transactions: SSL and SET
 
7) Malicious software
- The evolution of malicious software: from the Morris worm to modern malware
- Botnets and underground economy
- Malware analysis
- Antimalware techniques
- Rootkits

The course is complementary to, not an alternative to, cryptography courses such as
"095947 CRYPTOGRAPHY AND ARCHITECTURES FOR COMPUTER SECURITY". The overlap
with such courses is minimal.
The course has a strong "hands-on" philosophy. Practical exercises will be conducted for
all the topics marked with a (*) in the syllabus above. A virtual "hacking lab"
experience will be available, where students can practice how to bypass and secure
computer applications.

Prerequisites
Students will need a basic knowledge of the following topics:
- Network protocols (in particular the TCP/IP suite and HTTP)
- Web applications and their 3-tier architecture
- C language, and possibly a language useful to create simple scripts, such as Python
- Operating systems, in particular memory allocation and protection
- Assembly language (an introductory class on x86 assembly language will be provided
during the course)


Assessment method
The exam is a written test (Italian students can, if they so wish, answer in Italian). The
test consists of open questions on theory, or on simple applications of theory and
reasoning to use cases, code samples, network schemes, etc. A large collection of
previous exams, in large part with solutions, is provided on Beep.
The grade can be supplemented with up to 3 extra points available during the year through
specific "assignments", such as breaking into applications made available in the virtual
hacking lab. Such assignments are completely optional, and the maximum grade cum laude can
also be obtained with the final written exam alone.

Bibliography
Dieter Gollmann, Computer Security, 3rd edition, Publisher: Wiley, Edition year: 2011,
ISBN: 978-0-470-74115-3
Note: It is vital that you get the 3rd edition if you choose this book!

Ross Anderson, Security Engineering, Publisher: Wiley, ISBN: 0-471-38922-6
http://www.cl.cam.ac.uk/~rja14/book.html

Mike Rosulek, The Joy of Cryptography, https://joyofcryptography.com/
Note: An introductory cryptography textbook (freely available)

Software used
No software required

Teaching formats
Teaching format | Classroom hours (hh:mm) | Independent study hours (hh:mm)
Lecture | 30:00 | 45:00
Exercise session | 20:00 | 20:00
Computer lab | 0:00 | 10:00
Experimental lab | 0:00 | 0:00
Project lab | 0:00 | 0:00
Total | 50:00 | 75:00

Information in English to support internationalization

Course taught in English
Teaching material/slides available in English
Textbooks/bibliography available in English
Exam can be taken in English
Teaching support available in English

schedaincarico v. 1.8.0 / 1.8.0 Area Servizi ICT 10/01/2023
