Security Flaws

Seminar, 2 SWS / 5 ECTS
Organizer: Fabian Franzen
Time and place:

Monday (bi-weekly) 14:00-15:30, 01.08.033

Start: 2019-10-15

The lecture is given in German and English.
The slides are available in English.

The lecture material is available in Moodle.

Appointments

  • 2019-07-16 - 12:00: Premeeting in room 01.08.033 [Slides]

Application

You have to apply for a spot in the course via the Matching-System. In order to be considered for a place in the seminar, you have to solve a small qualification task. For more details see the premeeting slides or below.

Qualification Task

You have to solve the qualification task by 24.07.2019 23:59. The qualification task should be self-explanatory and is released, for the moment, without source code or executable. The task can be found at the following address:port: honeynet.sec.in.tum.de:5556

Additional Remark: Actually, there are two flags for you in the qualification challenge: one that is relatively easy to spot and one that is a little more difficult to spot. You are qualified when you get at least one; if you want to further increase your chances, you can also look for the second.

Hint 1: Try to connect with a program like telnet or netcat to get an idea: nc honeynet.sec.in.tum.de 5556
Hint 2: The STARTTLS command needs to be terminated with the \n character and NOT with \r\n. The server expects the first message of the TLS handshake to be sent by you directly after the command. There is NO further confirmation message from the server, as there is in SMTP.

Solve Count (last update 2019-07-19 14:14):
 - first flag: 8 persons
 - second flag: 2 persons

Please submit two flags now in order to participate!

Contents

In this seminar we will deal with the popular and less popular security flaws of the past years. How do they work? What went wrong in software development, and how can they be prevented? Besides the security flaws themselves, we consider what impact they had on academic security research. We put them into context and make up our minds about how to avoid them in the future.

Prerequisites for the course

Basic knowledge of IT security, operating systems, and computer architecture.

Topics

Every participant will work on one of the following topics (however, this list is not necessarily final yet):

  • CPU-Flaws: Spectre & Meltdown
  • Hardware-Flaws: Rowhammer
  • WLAN-Flaws: KRACK & Dragonblood
  • Crypto-Flaws: CRIME, BEAST, BREACH, TIME, POODLE, Heartbleed
  • Android & Linux Flaws: Dirty COW, Stagefright, GHOST (glibc), Badlock, ImageTragick
  • Windows: Badlock, EternalBlue, SambaCry
  • VM-Escapes: VENOM, VMWare Escape (Pwn2Own 2017)
  • Web: Drupalgeddon (I & II), ...
  • [Students are encouraged to suggest their own topics!]