About this course

Title: Security Software Engineering
Lecturers: Marco Rocchetto (marco@v-research.it) & Mattia Pacchin (mattia@v-research.it)
Students: ITS 2nd year (@311Verona)
When: November 2021 - February 2022
Office hours: you can always drop us an email to schedule a 1 on 1 meeting.

Learning Outcomes

In this course, the students will be divided into teams with the objective of understanding, designing, and implementing a login system which do not require the user to remember the password. Each team has 3 members, each one with a specific role.

Scientist - A set of high-level functional requirements will be given to the students and the scientist has the objective to refine them by understanding the role of passwords in login systems and how to (if possible) improve the usual username-and-password approach that requires the user to remember the credentials.
Engineer - in this role, the student will design the login system, interacting with the scientist to understand how to satisfy the requirements. His main concerns are not on how to invent a new login system but how to structure/design a login system so that the scientists’ idea are considered and a programmer can effectively implement them. He will work on use cases and UML diagrams (deployment, activity and class diagram).
Programmer, the one who translates the design into practice. He is focused on technologies and he setup the development environment choosing programming languages and technologies to easily and quickly implement the engineer’s design.

Each class will be a continuous workshop where each group works on its project. Collaborations between groups will be facilitated by the teachers, and each lesson will have 3 brainstorming sessions: one with the scientists, one with the engineers, and one with the programmers.

From the RFC 1392, an hacker is

a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where “cracker” would be the correct term.

GitHub repo for the course here

Lessons

L0. 26-November-2021 (Friday) [9.00-13.00]

Course overview [1h30m]
Intro to GitHub & installation [30m]
Coffee break [15m]
Brainstorming sessions [1h45m]
- Scientists
- Engineers

Lesson 0 - Resources

GitHub SSH key generation guide (link)
GitHub basic commands (pdf)
UML official guide (link)
UML small guide (pdf)

L1. 03-December-2021 (Friday) [9.00-13.00]

Present GitHub Discussions, Issues, and Badges – the GitHub repo
Brainstorming sessions [2h15m]
- Programmers only
Scientists presentation of the work done during the last week [30m]
Engineers presentation of the work done during the last week [30m]
Programmers presentation of the work done during the last week [30m]
Coffee break [15m]
Brainstorming sessions [2h15m]
- Scientists
- Engineers

L2. 21-January-2022 (Friday) [9.00-13.00]

Breakout room -> review work done per each team
Scientist room -> presentation: bitwise XOR for encryption, decryption and OTP
Engineers room -> presentation of the UML design (in Modelio) of Deployment, Class, Activity diagram of a solution to the challenge
Programmers room -> technology review and presentation of a BASH script for the TCP-based (using netcat - nc) authentication process

L3. 28-January-2022 (Friday) [9.00-13.00]

Scientis room -> presentation: Diffie Hellman and RSA
Engineers room -> presentation: UML sequence diagrams (Modelio) of a secure communication.
Programmers room -> presentation of bitwise xor in C language
Scientists + Engineers rooms -> requirement (informal) presentation
Engineers + Programmers room -> design (informal) presentation

L4. 04-February-2022 (Friday) [9.00-13.00]

Project design and development

L5. 11-February-2022 (Friday) [9.00-13.00]

Project design and development

L6. 18-February-2022 (Friday) [9.00-13.00]

Projects presentations (each team)
Passive and active eavesdropping (Risk Assessment)
Injection attacks
Security testing

L7. 25-February-2022 (Friday) [9.00-13.00]

Security testing
Wrap-up