
A course is the basic teaching unit; it is designed as a medium through which a student acquires the comprehensive knowledge and skills indispensable in the given field. A course guarantor is responsible for the factual content of the course.
For each course, there is a department responsible for the course organisation. A person responsible for timetabling in a given department sets the teaching schedule and, for each class, assigns an instructor and/or an examiner.
The expected time consumption of the course is expressed by the course attribute extent of teaching. For example, extent = 2+2 indicates two teaching hours of lectures and two teaching hours of seminar (lab) per week.
At the end of each semester, the course instructor has to evaluate the extent to which a student has acquired the expected knowledge and skills. The type of this evaluation is indicated by the attribute completion. A course can therefore be completed by just an assessment ('pouze zápočet'), by a graded assessment ('klasifikovaný zápočet'), by just an examination ('pouze zkouška'), or by an assessment and an examination ('zápočet a zkouška').
The difficulty of a given course is expressed by the number of ECTS credits.
The course is in session (i.e. teaching is going on) during a semester. Each course is offered either in the winter ('zimní') or the summer ('letní') semester of an academic year. Exceptionally, a course might be offered in both semesters.
The subject matter of a course is described in various texts.

BIK-BEK.21 Secure Code
Extent of teaching: 14KP+4KC
Instructor: Kokeš J.
Completion: Z,ZK
Department: 18106
Credits: 5
Semester: L

Annotation:
The students will learn how to assess security risks and how to take them into account in the design phase of their own code and solutions. After getting familiar with the threat modeling theory, students gain practical experience with running programs with reduced privileges and methods of specifying these privileges, since not every program needs to run with administrator privileges. Dangers inherent in buffer overflows will be practically demonstrated. Students will be introduced to the principles of securing data and the relationships of security and database systems, web, remote procedure calls, and sockets in general. The module concludes with Denial of Service attacks and the defense against them.

Lecture syllabus:
1. Introduction to debuggers
2. Code generation, structure of an executable file
3. Buffer overflow
4. Writing secure code in C
5. Security layers, access levels
6. Running with the least privileges
7. Data security and integrity
8. Data input, canonical representation and security
9. Security of databases
10. Security of web applications
11. Security of sockets
12. Denial-of-service attacks

Seminar syllabus:
1. Introduction to debuggers
2. Code generation, analysis of an existing application
3. Buffer overflow
4. Buffer overflow II
5. Writing secure code in C
6. Data security and integrity
7. Running with the least privileges
8. SQL injection
9. Secure programming of databases
10. Security of web applications
11. Buffer overflow on the heap
12. Malware

Literature:
[1] Howard, M. - LeBlanc, D.: Writing Secure Code, 2nd Edition. Microsoft Press, 2003, 9780735617223.
[2] Howard, M. - LeBlanc, D.: Writing Secure Code for Windows Vista. Microsoft Press, 2007, 9780735623934.
[3] Seacord, R. C.: Secure Coding in C and C++, 2nd Edition. Addison-Wesley Professional, 2013, 9780321822130.
[4] Zhirkov, I.: Low-Level Programming: C, Assembly, and Program Execution on Intel 64 Architecture. Apress, 2017, 9781484224021.
[5] Shostack, A.: Threat Modeling: Designing for Security. Wiley, 2014, 9781118809990.
[6] Hoffman, A.: Web Application Security: Exploitation and Countermeasures for Modern Web Applications. O'Reilly Media, 2020, 9781492053118.

Requirements:
Programming in C, knowledge of basic application interfaces and computer system architectures, basic knowledge of SQL, basic knowledge of JavaScript. It is recommended to also take the Cryptography and Security (BIE-KAB) course.

Some text fields are missing; the following should be filled in: annotation, requirements, syllabus, seminar syllabus, study materials, keywords (both CZ and EN), and the course web page.

The course is also part of the following Study plans:
Study Plan | Study Branch/Specialization | Role | Recommended semester
BIK-IB.21 | Information Security 2021 (in Czech) | PS | 4
BIK-SPOL.21 | Unspecified Branch/Specialisation of Study | VO | 4
BIK-PS.21 | Computer Networks and Internet 2021 (in Czech) | V | 4


Page updated 28. 3. 2024, semester: Z/2023-4, L/2019-20, L/2022-3, Z/2019-20, Z/2022-3, L/2020-1, L/2023-4, Z/2020-1, Z,L/2021-2.
Send comments on the content presented here to the Administrator of study plans. Design and implementation: J. Novák, I. Halaška