About this course
- Title: Security Software Engineering
- Lecturers: Marco Rocchetto (marco@v-research.it) & Mattia Pacchin (mattia@v-research.it)
- Students: ITS 2nd year (@311Verona)
- When: November 2021 - February 2022
- Office hours: you can always drop us an email to schedule a 1 on 1 meeting.
Learning Outcomes
In this course, the students will be divided into teams with the objective of understanding, designing, and implementing a login system that does not require the user to remember a password. Each team has 3 members, each one with a specific role.
- Scientist - The students are given a set of high-level functional requirements; the scientist's objective is to refine them by understanding the role of passwords in login systems and how (if possible) to improve the usual username-and-password approach, which requires the user to remember the credentials.
- Engineer - In this role, the student designs the login system, interacting with the scientist to understand how to satisfy the requirements. The main concern is not inventing a new login system but structuring/designing one so that the scientist's ideas are taken into account and a programmer can effectively implement them. The engineer works on use cases and UML diagrams (deployment, activity and class diagrams).
- Programmer - The one who translates the design into practice. The programmer focuses on technologies and sets up the development environment, choosing programming languages and technologies to implement the engineer's design easily and quickly.
Each class will be a continuous workshop where each group works on its project. Collaboration between groups will be facilitated by the teachers, and each lesson will have 3 brainstorming sessions: one with the scientists, one with the engineers, and one with the programmers.
From RFC 1392, a hacker is
a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where “cracker” would be the correct term.
GitHub repo for the course here
Lessons
L0. 26-November-2021 (Friday) [9.00-13.00]
- Course overview [1h30m]
- Intro to GitHub & installation [30m]
- Coffee break [15m]
- Brainstorming sessions [1h45m]
  - Scientists
  - Engineers
Lesson 0 - Resources
- GitHub SSH key generation guide (link)
- GitHub basic commands (pdf)
- UML official guide (link)
- UML small guide (pdf)
L1. 03-December-2021 (Friday) [9.00-13.00]
- Present GitHub Discussions, Issues, and Badges – the GitHub repo
- Brainstorming sessions [2h15m]
  - Programmers only
- Scientists presentation of the work done during the last week [30m]
- Engineers presentation of the work done during the last week [30m]
- Programmers presentation of the work done during the last week [30m]
- Coffee break [15m]
- Brainstorming sessions [2h15m]
  - Scientists
  - Engineers
L2. 21-January-2022 (Friday) [9.00-13.00]
- Breakout room -> review of the work done by each team
- Scientist room -> presentation: bitwise XOR for encryption, decryption and OTP
- Engineers room -> presentation of the UML design (in Modelio) of Deployment, Class, Activity diagram of a solution to the challenge
- Programmers room -> technology review and presentation of a BASH script for the TCP-based (using netcat - nc) authentication process
L3. 28-January-2022 (Friday) [9.00-13.00]
- Scientists room -> presentation: Diffie-Hellman and RSA
- Engineers room -> presentation: UML sequence diagrams (Modelio) of a secure communication.
- Programmers room -> presentation of bitwise XOR in the C language
- Scientists + Engineers rooms -> (informal) requirements presentation
- Engineers + Programmers room -> design (informal) presentation
L4. 04-February-2022 (Friday) [9.00-13.00]
Project design and development
L5. 11-February-2022 (Friday) [9.00-13.00]
Project design and development
L6. 18-February-2022 (Friday) [9.00-13.00]
- Project presentations (each team)
- Passive and active eavesdropping (Risk Assessment)
- Injection attacks
- Security testing
L7. 25-February-2022 (Friday) [9.00-13.00]
- Security testing
- Wrap-up