Lectures

Lectures are held weekly on Thursdays, 12:45-14:15 in KN:E-301 according to the following plan:

Date	Topic	Additional Resources
22.9.2022	Introduction
29.9.2022	(In)security of Internet protocols	TCP sequence numbers Mitnick's attack Attacks on TCP Explanation of DNS request Improved version of DNS poisoning in 2020 slides
6.10.2022	Secure Protocols	overview of issues in certificate revocation DNSSEC Securing BGP
13.10.2022	Covert channels, Steganography and Steganalysis	slides
20.10.2022	Securing private networks	slides Chapter 21 of Security Engineering Beyond corporation networks
27.10.2022	Access control models	slides Chapter 8 of Security Engineering
3.11.2022	Privilege Escalation	slides System calls memory system CPU and rings Explanation of Stack Buffer Overflow and canaries Heap overflow
10.11.2022	Virtualization	slides Evolution of attacks, threat models, and solutions for virtualized systems
17.11.2022	Class cancelled (National Holiday)
24.11.2022	Security of Browsers	slides Capabilities namespaces Inside Browser chromium sandbox
1.12.2022	Security of Web Applications	slides CSP sandboxed iframes Trusted Types The tangled web
8.12.2022	Denial of Service
15.12.2022	Secure Code
19.12.2022 - 8.1.2023	Christmas Break
12.1.2023	TBA

You can also watch the lectures in live on livestream. After post-processing, lectures are published on this youtube channel

In addition to the extensive “Additional reading” section in each lecture, you can see (and improve) the material created by Vojtech Kozel in 2021

ItemCourse objectives
What assets do we want to protect: confidentiality, integrity, availability.
Difference between policy and mechanism and the struggles to create a good policy.
Economics of information system
- Characteristics of a market:
  - price of information
  - technical lock-in
  - asymetric information
- Economics of security and dependability
  - Security seems to be a public good
  - Security is a power relationship
- How much effort should I put into design, development, and testing?

The importance of a protocol design
An assumption under which legacy protocols were designed
Threat model for network security
- Man in the middle
- Participation in the protocol
- Eavesdropping
Evil Twin/Honeypot Attack
ARP spoofing/poisoning
TCP / IP protocol
- security guarantees
- TCP sequence number attack
- Mitnick attack
UDP and DNS
- Dan Kaminsky attack
- Cache poisoning
- Changing DNS in a router
- Impact on the security of web
BGP protocol
- Hijacking BGP protocol
- Defences?

Key exchange with public-private keys
The role of certificates in the exchange
Advantages of certificates and who gets/lose the money
Problems of certificates — a revocation nightmare
- deleting CA
- OCSP
- OCSP stapling
- public ledger
Issuing certificates — verification of identity
UI aspect of certificates and who can safely use them?
Attacks
- Cache poisoning
- HTTPS stripping
- Protocol downgrading
- Man-in-the-middle attack
HSTS
Certificate pinning
DNS-Sec — chain of trust