Informacije o predmetu

Zaradi povečane uporabe tehnologije v sistemih, ki obravnavajo občutljive podatke, učinkovitost in hitrost nista več edina pogoja, ko pride do izdelave programske opreme. Vse večjo pozornost je treba posvečati varnosti in zanesljivosti. Pri predmetu bomo študente seznanili s sodobnimi tehnikami zlorabe programske opreme, kot tudi z varnostnimi mehanizmi vgrajenimi v programsko opremo, z namenom preprečevanja ter zajezitve dosega zlorabe. Vsebine predmeta obsegajo naslednje tematike: • Uporabniški vnosi in problematika (sanitizacija, napadi s kompresijo) Vrivanje zlonamerne kode v komunikacijo z zalednim delom (SQL, komentarji, timing napadi, eksfiltracija podatkov, pisanje datotek) • Prelivanje skozi tipe (velika števila, nepredstavljiva števila, velikost nizov) • Napadi skozi XML/HTML (escaping, stored/cross-site scripting, server-side request forgery) • Vrivanje preko formatov (executable regex in format string, format mismatching) • Dnevniški zapisi (uporabnost, vrivanje, monitoring, vrivanje ukazov) • Zloraba kriptografskih standardov (HMAC, podpisovanje, kodiranje CBC/ECB/GCM, podpisovanje za dokazovanje obstoja) • Avtentikacijski algoritmi (JWT, openID, Auth0) • Deserializacija objektov (nevarnosti, JSON dump, user state) • Problematika odvisnih knjižnic (omejevanje na različico knjižnice, supply chain napadi) • Race condition (skozi niti/procese) • Defenzivno programiranje (Preverjanje napak, pričakovanje izjem, preverjanje nedefiniranih rezultatov funkcij, sanitizacija vhodnih podatkov, povratek v stabilno stanje) • Orodja za razhroščevanje, ponovljivost prevedene kode, CI/CD • Penetracijski testi • statična analiza kode, fuzzer, orodja za avtomatično preverjanje kvalitete kode.

Due to the increased use of technology in systems that deal with sensitive data, efficiency and speed are no longer the only conditions when it comes to software development. More and more attention must be paid to security and reliability. In the course, students will be introduced to modern software abuse techniques, as well as with security mechanisms built into the software, with the aim of preventing and limiting the scope of abuse. The contents of the course include the following topics: • User inputs and related issues (sanitization, compression attacks) Injecting malicious code into communication with the backend (SQL, comments, timing attacks, data exfiltration, writing files) • Casting through types (large numbers, unrepresentable numbers, string size) • Attacks through XML/HTML (escaping, stored/cross-site scripting, server-side request forgery) • Format attacks (executable regex and format string, format mismatching) • Logs (usability, injection, monitoring, drilling commands) • Abuse of cryptographic standards (HMAC, signing, CBC/ECB/GCM encoding, proofof-existence signing) • Authentication algorithms (JWT, openID, Auth0) • Deserialization of objects (dangers, JSON dump, user state) • The issue of dependent libraries (library version limitation, supply chain attacks) • Race condition (through threads/processes) • Defensive programming (Error checking, expecting exceptions, checking undefined function results, sanitizing input data, returning to stable state) • Debugging tools, reproducibility of compiled code, CI/CD • Penetration tests • Static code analysis, fuzzer, tools for automatic code quality check.