Application Security 1 | Integrated course (iL) | Course code: 180419105 | Secure Mobile Software Development | 3 SWS | 4 ECTS
Development of basic apps using the functionality of mobile frameworks. Furthermore, advanced knowledge of interaction concepts, navigation patterns, touch and gestures, as well as sensors and location-based services. All aspects are treated with a special focus on security.
Software flaws are a central critical aspect of computer security. Software security deals with the active management of security risks. It starts with good software engineering practices and includes security aspects in each phase of software development.
Students should get to know the fundamental principles of the development of secure software systems:
- Secure Software Development Lifecycle
- Reverse Engineering
- Secure Coding
- Error Handling & Logging
- Static Code Analysis
The following topics are covered within the lecture:
Number Theory, Review of Linear Algebra, Galois Fields in a Nutshell, Asymmetric Primitives (RSA, Diffie-Hellman), Formal Cryptosystems, Checksums, Hashes, Symmetric Primitives (DES/AES/etc.), Key Exchange Protocols, Authentication Protocols, Zero-Knowledge Protocols, Attacks & Defences, PKI - Concept
Information Systems | Tutorial (Ue) | Course code: 180419107 | Cloud Computing | 3 SWS | 5 ECTS
Definition and characteristics of cloud computing, service and deployment models, hands-on experience with IaaS and PaaS systems
Information Systems | Integrated course (iL) | Course code: 180419108 | Operating Systems | 2 SWS | 2 ECTS
Operating system basics, architectures and functional principles; special focus on operating systems in mobile systems and the specific requirements in this field; introduction to C as a systems programming language and its application; virtualization principles.
Information Systems | Tutorial (Ue) | Course code: 180419106 | Platform Specific Mobile Apps | 3 SWS | 3 ECTS
Platform-specific app development for iOS. Knowledge of prototyping, storyboards, application architecture and iOS design patterns. Paradigms of Swift programming. Selected frameworks for using sensors, actuators, the watch or cloud services.
The course covers layers 1-4 of the OSI model (Open Systems Interconnection Model) as its main topic. The focus is placed on attack vectors against computer networks and their countermeasures and mitigation strategies. In the first part of the course, the basic mechanisms of computer networks (addressing, address resolution, routing and packet filtering) are reviewed to create a common basis.
Topics: Physical Security, Layer-2 Security, VoIP-Security, WiFi Security, 802.1x, Spoofing, Denial of service attacks, trace back mechanisms and countermeasures.
Another part of the course is to work in small groups on a current topic of network security, build a practical scenario in the lab and present the results in the form of a group presentation.
System-near apps using the competences acquired in "Mobile Operating Systems" (C programming). Native app development for several mobile platforms (iOS, WP8, ...), including their special approaches and differences, is covered.
Security is a very important topic for distributed software systems. In this lecture, different practices for the design of secure web applications are introduced:
- Architectural Risk Analysis
- Secure Design Principles
- Secure Web Applications
- Web Application Architecture & Risk Analysis
- HTTP / HTTPS Protocol
Development of HTML5 web apps for different platforms (Web, Android, iOS). Selected HTML5 APIs are discussed, for example for using local storage, sensors, GPS for location-based services, or web sockets for real-time web applications. Furthermore, social media integration will be covered.
The following topics are covered within the lecture:
Application in example Internet protocols (IPSec, SSL, TLS, SSH), Random Number Generators, Cryptographic Libraries & APIs for mobile platforms, correct usage of cryptographic primitives in mobile solutions, Challenge/Response techniques, One-Time Passwords, Elliptic Curves, Anonymity + Unlinkability, selected advanced topics
This course covers all important aspects of database security (DB authentication, application & password security, DB authorization, granular access control, DB-to-DB communication, DB encryption, DB auditing). It also provides a thorough introduction to the subject of data quality by studying definitions of data quality, methods of measurement and assurance of data quality (e.g., metrics & constraints) and DB refactoring.
This course expands the basic knowledge of network security to give an insight into security for mobile devices and mobile infrastructures. The main topics of the course are Wireless LAN, WiMax, Bluetooth, NFC, etc. An introduction to mobile networks such as GSM, UMTS and LTE is followed by SSL, SSH and VPN technologies as the basis for a secure connection within distributed networks. The topic VPN includes the basics, authentication and the implementation in OSI layers 2, 3 and 4. In addition, the course discusses core topics such as IPSec, key management, opportunistic encryption, performance, availability, DDoS solutions, network monitoring, NIDS, algorithms for pattern recognition, honeypots/honeynets, as well as intrusion prevention and detection systems. An outlook on "Next Generation Networks" such as sensor networks and smart grids concludes the course.
Mobile Development | Integrated course (iL) | Course code: 180419205 | Mobile Cross-Platform Development | 2 SWS | 5 ECTS
Selected aspects of mobile development, such as cross-platform code generation, are presented in this lecture.
The course covers the topic of penetration testing (also known as white-hat hacking or ethical hacking). In the first part, typical attack vectors are analyzed and simulated in a laboratory environment. The main focus is placed on the exploitation of programming errors and other typical weaknesses of software products (buffer overflows, race conditions, logical errors). Students become familiar with exploit development methods and the exploit mitigation mechanisms of modern operating systems (ASLR, stack cookies, SafeSEH, DEP, ...).
Another focus is to understand typical weaknesses and attack patterns of web applications and the mitigation steps to avoid them.
The third part of the course covers the structured analysis of security problems and the steps used in a penetration test (analysis, preparation, exploitation, documentation, giving recommendations).
This course teaches students the basic principles of scientific work in the field of applied computer science. It is an introduction to the fascinating field of research. The course shows the power of theory and literature, helps in formulating intriguing research questions, provides an overview of scientific methods and data analysis, and gives hints on how to derive insightful conclusions from results. Using this topic area, we will understand what it means to 'do science' and develop skills such as how to do a literature review, how to critically read and review written papers, and how to hold oral presentations and present posters.
Advanced Security | Seminar (Se) | Course code: 180419307 | Secure Big Data | 1 SWS | 2 ECTS
The course offers an application-oriented study of Big Data data models, architectures and principles. Storage and database systems in the Big Data environment are tested using practice-oriented scenarios. In particular, the security aspects of these technologies, as well as related best practices, are discussed. Special care is taken to provide enough room for discussion of current technological developments in the area of Big Data.
Enterprise applications typically consist of different services implemented in different programming languages, which operate on different platforms. Service-oriented architectures and microservices are attempts to realize such huge heterogeneous distributed systems.
In this lecture, the following security-relevant topics of web services are introduced:
- Web Service Architecture & Risk Analysis
- Access Control
- XML Attacks & Schema Validation
- Message Encryption
The course covers advanced attack scenarios of experienced hackers. The attack vectors are analyzed and simulated in a lab environment. The main focus is on the detection, analysis and design of countermeasures.
- Race conditions in software
- Bypass methods of exploit mitigation mechanisms like ASLR, SafeSEH, SEHOP and DEP by using advanced exploitation techniques like ROP (return-oriented programming), heap spraying, partial overwrite of memory areas, ...
- Bypassing anti-virus protection
- Attacks against cryptographic systems, secure/insecure algorithms and implementations
- Attacks against ICS systems and countermeasures
Basic, inherent security mechanisms of operating systems, especially those common in mobile environments. Security enhancements, specific high-security operating systems, security certification of operating systems.
Project Work | Seminar (Se) | Course code: 180419302 | Project Work | 8 SWS | 10 ECTS
Students are expected to independently carry out a medium-sized project of average difficulty. The tasks of this project reflect most of the main objectives of the master's program.
An introduction into quantum cryptography, its physical fundamentals and technical implementation as well as a comparison to standard cryptographic methods, revealing the benefits and drawbacks of quantum cryptography and its present state of development.
System Security | Integrated course (iL) | Course code: 180419304 | Secure Systems | 2 SWS | 3 ECTS
* Introduction to Secure Elements
  • Key Parameters
* Secure Implementation and Building Blocks
  • Mobile Phone and Device Security
  • Memory Technology
  • Secure Cryptographic Implementations
  • Random Number Generators
  • Physical Unclonable Functions
* Introduction to Embedded Secure Elements
  • Programming Interfaces
  • Secure System Integration
* Attack Scenarios and Countermeasures
  • Differential Power Analysis and EMA Attacks
  • Light Attacks
  • Timing Analysis
  • Countermeasures in HW and SW
  • Setups for Analysis and Attacks
* Common Criteria Certification
  • Development Process and Security Evaluation
Students work independently on a research topic and write their master thesis. They are expected to make use of scientific research methods and to demonstrate a high level of expertise in the particular field of their thesis.
This seminar aims at helping students develop effective scientific writing skills (clear and effective academic writing; note-taking; paraphrasing; register), because no matter how professional a student's or researcher's background may be, difficulties often arise in conveying technical and academic content concisely in English. The objective of the course is to improve the participants' written expression in English: identifying and practicing common phrases and terms used in scientific writing, and correcting common errors.
The course will cover management systems for secure IT operations. Information Security Management Systems (ISMS) and Business Continuity Management Systems (BCM) are the core topics. Students are given an insight into the conception, introduction, operation and ongoing improvement of the systems. Topics such as risk assessments and risk management as well as compliance requirements and the preparation of companies for an ISO 27001 certification round off the topic.