Web e mobile system security

A.Y. 2020/2021
Overall hours
Learning objectives
The purpose of the course is twofold: on the one hand, we will introduce the basic concepts on computer security, on the other hand, we will cover the security problems specific to Web and mobile systems.
Expected learning outcomes
· Being able to identify the security properties a system must ensure in order to be considered "secure"
· Knowing the main approaches that can be used to authenticate users to a machine
· Being able to analyse a security protocol and possibly highlight the vulnerabilities with respect to the most common types of attack
· Being able to identify and describe the most common attacks on Web applications
· Knowing the most frequent malware and how they propagate
· Being able to describe the security issues of mobile devices
Course syllabus and organization

Single session

Lesson period
Third four month period
Lessons will be given in mixed form, i.e. there will be lessons in presence with the possibility of participating in streaming. In case of online teaching, lessons will be delivered only in synchronous mode via Microsoft Teams platform.

The video recording of the lessons will be made available on the Ariel site of the course, where the entire teaching material of the course is available.
Course syllabus
1. Introduction to computer security. The problem of computer security: how to protect yourself, against whom or what.
2. The access control problem. Access control models and security policies: discretionary access control (DAC), mandatory access control (MAC), role based access control (RBAC). Man-machine authentication. Access control in Linux.
3. Secure communication along an insecure channel: security protocols and cryptographic primitives. Common attacks to security protocols.
4. Security of Web systems. The HTTP protocol vulnerabilities. SQL Injection and Cross Site Scripting (XSS). Email security. Malware. Web Application fingerprinting. The privacy problem.
5. Security of mobile systems. Common vulnerabilities, malware and attacks. Android security as case study.
Prerequisites for admission
Teaching methods
Theory is carried out through lectures. The lab sessions alternate lectures with exercises and activities carried out individually or in small groups.
Teaching Resources
Web site: http://cbraghinsswm.ariel.ctu.unimi.it

Course slides, notes taken in class and articles in English which are part of the course programme.
Assessment methods and Criteria
The exam consists of a one and a half hour written test with open questions.
The evaluation takes into account the level of mastery of the subject and the clarity of presentation.
INF/01 - INFORMATICS - University credits: 6
Lessons: 48 hours
Professor: Braghin Chiara