TUM Logo

Security Flaws

Security Flaws  

Seminare 2 SWS / 5 ECTS
Veranstalter: Fabian Franzen
Zeit und Ort:

Monday (bi-weekly) 14:00-15:30, 01.08.033

Beginn: 2019-10-15

The lecture is given in german and english / Die Veranstaltung wird in Deutsch und Englisch gehalten
The slides are available in english

Das Veranstaltungsmaterial ist in Moodle verfügbar
The lecture material are available in Moodle


  • 2019-07-16 - 12:00: Premeeting in room 01.08.033 [Slides]


You have to apply for a spot in the course via the Matching-System. In order to be considered for a place in the seminar, you have to solve a small qualification task. For more details see the premeeting slides or below.

Qualification Task

You have to solve the qualification task until 24.07.2019 23:59. The qualification task should be self-explanatory and will be released for the moment without source code or executable. The task can be found at the following address:port : honeynet.sec.in.tum.de:5556

Additional Remark: Actually, there are two flags for you in the qualification challenge. One relatively easy to spot and one that is a little bit more difficult to spot. You are qualified when you get at least one, if you want to further increase your chances you can also look for the second.

Hint 1: Try to connect with a program like telnet or netcat to get an idea: nc honeynet.sec.in.tum.de 5556
Hint 2: The STARTTLS command needs to be terminated with the \n character and NOT using \r\n. The server expects the first message of the TLS handshake to be send by your directly after the command. There is NO further confirmation message of the server as in SMTP.

Solve Count (last update 2019-07-19 14:14):
 - first flag: 8 persons
 - second flag: 2 persons

Please submit two flags now in order to participate!


In this seminar we will deal with the popular and less popular security flaws of the past years. How do they work? What did go wrong in software development and how can they be prevented? Besides the security flaws itself, we consider which impact they had on academic security research. We put them into context and make our mind about how to avoid them in the future.

Prerequisites for the course

Basic knowledge about IT-Security, Operating systems, and computer architecture.


Every participant will work on on of the following topics (however this list does not have to be final by now):

  • CPU-Flaws: Spectre & Meltdown
  • Hardware-Flaws: Rowhammer
  • WLAN-Flaws: KRACK & Dragonblood
  • Crypto-Flaws: CRIME, BEAST, BREACH, TIME, POODLE, Heartbleed
  • Android & Linux Flaws: Dirty COW, Stagefright, GHOST (glibc), Badlock, ImageTragick
  • Windows: Badlock, EternalBlue, SambaCry
  • VM-Escapes: VENOM, VMWare Escape (Pwn2Own 2017)
  • Web: Drupalgeddon (I & II), ...
  • [Students are encouraged to suggest their own topics!]