Politecnico di Milano
Summary Sheet
Academic Year 2014/2015
School: School of Industrial and Information Engineering
Course: 094777 - PRIVACY AND SECURITY
Lecturer: Zanero Stefano
Credits (CFU): 5.00   Course type: single-subject


Detailed programme and expected learning outcomes

Modern computer systems routinely handle high-value information, such as financial data, economic transactions, and various forms of valuable intellectual property. Moreover, information systems are becoming pervasive, always-on and increasingly interconnected. Ensuring information security in this landscape is an extremely challenging task.

Designing and building secure information systems is a complex, interdisciplinary problem mixing elements of cryptography, software engineering and secure networking, as well as political and social challenges. This course is an extensive introduction to the challenges of security engineering and to the methodology used to build, validate, and break security systems.

The approach will be hands-on. During the lectures we will analyze (supposedly) secure systems, see how they can be broken into (hacked), and deductively learn what went wrong and how to avoid repeating such mistakes.




1) Introduction to Information Security

- What is information security: examples
- Vulnerabilities, Risks, Exploits, Attackers: definitions
- Security as risk management
- Development of an enterprise security policy


2) A short introduction to Cryptography

- Basic concepts: cipher, transposition, substitution
- Symmetric and asymmetric ciphers
- Hash functions, digital signatures and PKI
- Vulnerabilities in digital signature schemes and in PKI
- Why all of the above is almost useless as a security defense (*)


3) Authentication

- The three factors of authentication (something you know, something you have, something you are)
- Multifactor authentication
- Authentication technologies evaluation; bypassing authentication control (*)


4) Authorization and access control

- Discretionary (DAC) and mandatory (MAC) access control policies
- Multilevel security and its applications: military secrets management
- Access controls in DBMS


5) Software vulnerabilities

- Errors in design, in implementation and in configuration
- Software vulnerability examples: buffer overflow, format string bugs
- Exploiting applications, local privilege escalation (*)
- Web application security: introduction
- Examples of web application vulnerabilities: Cross-site scripting, SQL Injection
- Hacking real web applications (*)
- Code review and fuzzing: finding bugs in real-world applications

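As an added illustration of the "SQL Injection" item above (example code written for this page, not course material), the following compares a login check that concatenates user input into a query with one that binds it as a parameter. The users table and its two rows are constructed in an in-memory SQLite database purely for the demonstration; passwords are stored in plaintext here only to keep the injection mechanics visible.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database with two users.
# (Plaintext password storage is itself a vulnerability; it is used here
# only so that the injected query is easy to read.)
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES ('alice', 'correct horse'), ('bob', 'hunter2')"
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: the inputs are spliced into the SQL text, so a quote in
    the input lets the attacker rewrite the WHERE clause."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: the inputs are bound as parameters, so the database engine
    treats them strictly as data, never as part of the query grammar."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run two classic payloads against both implementations."""
    conn = make_db()
    results = {
        # Comment payload: closes the string and comments out the password check.
        "vuln/comment": login_vulnerable(conn, "alice' --", "wrong"),
        # Tautology payload: AND binds tighter than OR, so every row matches.
        "vuln/tautology": login_vulnerable(conn, "nobody", "' OR '1'='1"),
        "safe/comment": login_safe(conn, "alice' --", "wrong"),
        "safe/tautology": login_safe(conn, "nobody", "' OR '1'='1"),
        "safe/valid": login_safe(conn, "bob", "hunter2"),
    }
    return results


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name:15s} -> {who}")
```

Both payloads log the attacker in through the concatenated version; the parameterised version rejects them and still accepts a genuine credential, which is the whole point of the fix: the query text is fixed at development time and user input can only ever change the values being compared.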

6) Secure networking architectures

- Network protocol attacks: Sniffing, Denial of service, Spoofing, DNS poisoning, ARP poisoning
- Firewall: classification, available technologies
- Secure network architectures (DMZ)
- Virtual Private Networks (VPN)
- Protocols for transaction security: SSL, SET
- Wireless security: WEP, EAP, 802.1X, WPA
- Network security assessment tools (*)
- Intrusion detection systems


7) Malware and security incident management

- Malware: viruses, worms, trojans
- Honeypots and malware analysis


Practical exercises will be conducted for all the topics marked with a (*). A virtual environment (hacking lab) will be available, where students can practice breaking into applications.

Optional reading: Ross Anderson, Security Engineering, Publisher: Wiley, ISBN: 0-471-38922-6, http://www.cl.cam.ac.uk/~rja14/book.html
Optional reading: Dieter Gollmann, Computer Security - 3rd edition, Publisher: Wiley, Year: 2011, ISBN: 978-0-470-74115-3

It is vital that you get the 3rd edition if you choose this book!

Mix of teaching formats
Type of activity   Teaching hours
computer laboratory
experimental laboratory
project laboratory

Information in English in support of internationalisation
Course taught in English
Teaching material/slides available in English
Textbooks/bibliography available in English
The exam may be taken in English
Teaching support available in English

Notes on the assessment method

The exam is a written test (Italian students may, if they so wish, answer in Italian). The grade can be supplemented with points available during the year for specific "assignments", such as breaking into applications made available in the virtual hacking lab, or solving specific problems handed out during classes.

23/06/2017 ICT Services Area v. 1.2.1 / 1.2.1