Latest News
- 09.07.2015: Exercise 5 online
- 11.06.2015: Exercise 3 online
- 29.05.2015: Exercise 2 online
- 21.05.2015: Exercise 1 online
- 30.04.2015: Topic assignments and Exercise 0 online
- 28.04.2015: Switched dates for web security and forensic topics
- 22.04.2015: Registration closed
- 14.04.2015: Registration opened
- 24.03.2015: Shifted the date of the kick-off meeting
- 17.03.2015: The course website is online
Description
Goal of this Proseminar is to give students a deep understanding of the typical security problems and weaknesses that pervade all kinds of IT systems today. The participants should be enabled to analyze IT systems for security vulnerabilities and hence to optimally secure such systems.
To this end, this seminar deals primarily with offensive aspects and techniques of IT security, for example, as used to compromise and infiltrate computer systems. A particular focus lies on the exploitation of vulnerabilities in security protocols and of software implementations. To provide a more solid understanding of the discussed attack techniques, this seminar strongly mixes theoretical and practical aspects. On the one hand, participants are conveyed the typical Proseminar learning contents (e.g., presentation techniques, autonomous work on the assigned topic, etc.). On the other hand, the participants are required to also introduce and apply established tools for exploiting and attacking IT systems in the context of capture-the-flag styled exercises as well as to consider defensive mechanisms to mitigate and prevent those attacks. Solely the topic “Social Engineering” is an exception from this approach and is discussed only theoretically.
Students are organised in teams of two. Every team has to deal in depth with one topic and give one presentation on their assigned topic. The practical exercises have to be worked on by every team. In contrast to the presentation sessions, there are no fixed dates for the practical exercises, but instead these tasks have to be solved in between the presentation session dates.
The exercise topic list includes:
- Discovery and analysis of target systems
- Breaking passwords
- Breaking WEP/WPA
- Attacks on web applications
- Software exploitation
- Forensic techniques
- Privilege escalation and operating system security
- Side-channel attacks
Registration
We are sorry, but the registration has been closed ealier due to the enormous rush on the seminar places! Thus, all available places have been assigned.
For registered students: Final registration is done at the kick-off meeting and physical presence at this meeting is required for participation in the seminar. An ordered list of the registered students will be propagated via email soon.
Please note that the number of participants is limited to 24 (12 teams)!
Prerequisites
There are no formal requirements for participation. However, basics in the area of computer networks as well as basics in programming are expected to be able to solve the practical exercises.
A CIP pool with workstations for the practical exercises is provided, however, for some tasks, it is beneficial if the participants have a laptop available.
Modus operandi
1) Proseminar Talk and Summary
Each team gives one presentation in English (20 minutes plus 10 minutes discussion) and provides a written summary in English (2-3 pages) about their assigned topic. Templates for common presentation programs are provided . The summary must be written in LaTeX (you can use our template with example bibliography file). The summary should include a short overview of the topic including necessary technical background information as well as a thorough description of the assigned attack/vulnerability. Each team must submit a draft version of their report at latest two weeks before the end of the seminar to receive feedback from their assigned TA. The final reports are due at the end of the seminar!
Each team will be supervised by the TA responsible for the assigned topic. There will be a discussion session where each team meets with their advisor and discusses the topic. Before giving the presentation, each team will have to give a practice talk in a separate session with their advisor before the presentation.
Submitting a draft report and giving a practice talk are mandatory to successfully pass this seminar!
Deadlines for talks and reports:
- Practice talk: At latest the Tuesday before your presentation date! Contact your assigned TA to schedule a meeting!
- Draft report: July 6
- Final report: July 20
Here is a list of recommended literature on how to prepare a good presentation and a good report:
- Educate and Entertain – A Guide for a Good Talk by Prof. Matteo Maffei
- Presentations by Prof. Andreas Zeller
- How to give a good research talk by Prof. Andreas Zeller
- How To Make an Oral Presentation of Your Research
- how to give a good presentation
- Hints for Writing a Seminar Report, a Paper, or a Thesis by Prof. Philipp Slusallek
- A TED speaker coach shares 11 tips for right before you go on stage by Gina Barnett
- Additionally some books on scientific writing and presentations can be borrowed from Sven Bugiel
2) Practical Exercises and Exercise Reports
Additionally, between two presentation sessions, the participants have to solve a practical exercise. Each exercise deals with the topic of the last presentation session, i.e., after the first teams presented WLAN/Network security, the practical exercise deals with, for instance, breaking wireless WLAN encryption. A list of recommended tools to perform the practical exercise is provided further down on this site. Prior to the subsequent presentation session, each team has to submit a short report on how they solved the exercise. In contrast to the assigned Proseminar summary (see above), these exercise reports are not evaluated by their form and layout, but purely by their content. Thus, although we encourage the use of LaTex to practice writing scientific documents, these reports can be authored in any other program (e.g., MS Word, OpenOffice, nano,…) as long as they remain readable.
Every presentation session starts with a short recap on how to solve the last exercise, thus, also reserving time to answer open questions and briefly discuss alternative approaches or counter-measures.
Presentation session schedule
All presentation sessions take place between
14:00-16:00 (c.t.) in E1.1 Room 2.06 (CIP Pool of the InfSec group) at the following dates
. Participation in the organizational meeting and all the presentation sessions is mandatory!
We encourage all students to present in English (see below for an explanation), but we allow presentations in German when requested.
| Date | Topic | TA | Students |
|---|---|---|---|
| 2015-Apr-30 (14:00 s.t.) | Kick-off meeting | ||
| 2015-May-21 | Password security | frederik.moellers(aeht)uni-saarland.de | Nicolas Schäfer, Joris Nix |
| Legal aspects | christoph.sorge(aeht)uni-saarland.de">Prof. Christoph Sorge | Marius Steffens, Christian Thiel | |
| 2015-May-28 | File system forensic | frederik.moellers(aeht)uni-saarland.de | Christian Herz, Sebastian Fasig |
| Coldboot attacks | frederik.moellers(aeht)uni-saarland.de | Thomas Zapp, Hans Jörg Bernardi | |
| 2015-Jun-11 | WLAN Security | bugiel(aeht)cs.uni-saarland.de">Sven Bugiel | Julius Kilger, Fabian Spaniol |
| Network Layer 2 | bugiel(aeht)cs.uni-saarland.de">Sven Bugiel | Jonas Cirotzki, Peter Axt | |
| 2015-Jun-25 | Buffer Overflow | nuernberger(aeht)cs.uni-saarland.de">Stefan Nürnberger | Julian Jacques Maurer, Jonas Hollm |
| Return-Oriented Programming | nuernberger(aeht)cs.uni-saarland.de">Stefan Nürnberger | Kai Greshake, Jens Heyens | |
| 2015-Jul-09 | SQL Injection | styp-rekowsky(aeht)cs.uni-saarland.de">Philipp von Styp-Rekowsky | Daniel Schäfer, Dominik Weber |
| XSS | styp-rekowsky(aeht)cs.uni-saarland.de">Philipp von Styp-Rekowsky | Christian Becker, Philipp Staudt | |
| 2015-Jul-23 | Side-Channel Attacks 1 | bugiel(aeht)cs.uni-saarland.de">Sven Bugiel | Paul Szymanski, Birk Blechschmidt |
| Side-Channel Attacks 2 | bugiel(aeht)cs.uni-saarland.de">Sven Bugiel | Pascal Dupre, Ferdinand Jost | |
| 2015-Jul-30 | Concluding meeting | ||
| TBA | Hacker Jeopardy |
Please note that this list of dates might be subject to changes! Any changes will be propagated via email to the participants.
List of tools
The following list provides an overview of the suggested tools to be used in the practical exercises. In general, most of these tools are already available in the software repositories of the major Linux distributions and are included in dedicated Linux distributions for security testing such as Kali .
| Tool | URL | Description |
|---|---|---|
| nmap | nmap.org | Open source for network discovery; additions are available like GUI or tools for results analysis |
| Wireshark | wireshark.org | Network sniffer |
| Etherape | etherape.sourceforge.net | Network monitor |
| Ettercap | ettercap.github.io | Network monitor and tool for man-in-the-middle attacks |
| Netcat | netcat.sourceforge.net | Network “swiss army knife” |
| OpenVAS | openvas.org | Open source vulnerability scanner |
| Metasploit | metasploit.com | Penetration test suite |
| John the ripper | openwall.com/john/ | Password cracker |
| Cain and Abel | oxid.it/cain.html | Password recovery tool |
| Rainbow tables | project-rainbowcrack.com | General purpose cracking of hashes |
| Aircrack-ng | aircrack-ng.org | WEP and WPA-PSK key cracker |
| Kismet | kismetwireless.net | WLAN detector and sniffer |
Why English?
Like other groups, we decided to hold this Proseminar in English for several reasons:
- The research papers, books, and other literature that is provided to you is written in English.
- For most notions that occur in the security and computer science literature the English notion has been commonly adopted in German (e.g., “stack” instead of “Kellerspeicher”) or are sometimes ambiguous in German. For instance, both “security” and “safety’ translate to “Sicherheit”, but have a different meaning in the literature. So for a German talk you would most likely resort to a presentation in “Denglisch”.
- The proseminar provides you with a safe space to practice your English. Speaking and writing in English will be required of you in most of your follow-up courses and seminars (if not all) and in your future career.
- English is fun!
The TAs speak both German and English and will help you in case of problems. Moreover, your grade will not be influenced by your language skills! We strongly encourage you for above mentioned reasons to present in English, but we allow presentations in German if favoured by the speaker.
Requirements for obtaining credit points (Scheinvergabe)
Your final grade is based on 1) the quality of your presentation and the quality of your written summary (
35%
); and 2) solving the practical exercises and submitting reports on how they were solved (
65%
). Both grades must be 4.0 or higher to successfully pass the course.
Participation in the organisational meeting and all the presentation sessions is required for obtaining the credit points! Submitting a draft report and giving a practice talk to your TA is required for obtaining the credit points!