Hauptseminar: IT-Security Threats


This seminar is intended to coincide with an IT security curriculum by giving you a hands-on, applied view of IT security threats that are often only lightly touched upon in the usual curriculum due to their low-level, fairly specific nature. For this reason, we will delve past the foundation provided by the typical introductory IT security curriculum and explore contemporary IT threats that security professionals see on a day-to-day basis. Topics include buffer overflows, SQL injection, cross-site scripting, rootkits, and more from both an attackers and a researchers perspective.


  1. Intrusion Detection

    This topic explores intrusions and their detection in a broad sense. You will explore characteristics of intrusions and security flaws which may lead to intrusions as well as models and architectures for intrusion detection.

    • T. Aslam, I. Krsul, and E. Spafford. "Use of a Taxonomy of Security Faults." Proceedings of the 19th NIST-NCSC National Information Systems Security Conference, September 1996.
    • C. Ko, G. Fink, K. Levitt, "Automated Detection of Vulnerabilities in Privileged Programs by Execution Monitoring," Proc. of the 10th Annual Computer Security Applications Conference, Orlando, FL, 5-9 Dec. 1994, pp. 134-144.
    • M. Bishop, "Computer Security: Art and Science." Addison-Wesley, Boston, MA. 2001, pp. 723-765
    • V.Y egneswaran , P. Barford and J.Ullric h, "Internet intrusions: global characteristics and prevalence," in Proc. of ACM SIGMETRICS, 2003.
  2. Malicious Software

    This topic explores viruses and worms, a taxonomy, and their propagation methods. You will explore everything from the most advanced worms to the tried and true email propagating virus.

    • M. Bishop, "Computer Security: Art and Science." Addison-Wesley, Boston, MA. 2001, pp. 613-640
    • G. Serazzi, S. Zanero, Computer virus propagation models, Proceedings of 11th IEEE/ACM Symposium on Modeling, Analysis and Simulation of Computer and Telecommunication Systems (MASCOTS), 2003 October.
    • Nicholas Weaver , Vern Paxson , Stuart Staniford , Robert Cunningham, A taxonomy of computer worms, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
    • P. Singh and A. Lakhotia. Analysis and detection of computer viruses and worms: An annotated bibliography. ACM SIGPLAN Notices, 37(2):29-35, Feb. 2002.
  3. Buffer Overflows

    This topic explores what is possibly the most exploited vulnerability type in contemporary computing systems, the buffer overflow. You will explore not only basic "stack smashing" techniques, but also advanced methods for overflowing buffers. Finally, you will also look at mitigation techniques. This topic will require the student to have/acquire some basic assembly language and process layout understanding.

    • Aleph One. Smashing the stack for fun and profit. Phrack Magazine, 49(14), 1998.
    • Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie and Jonathan Walpole. Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade. DARPA Information Survivability Conference and Exposition. January 2000.
    • Jonathan Pincus , Brandon Baker, Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, IEEE Security and Privacy, v.2 n.4, p.20-27, July 2004
    • C. Cowan, C. Pu, D. Maier, H. Hinton, P. Bakke, S. Beattie, A. Grier, P. Wagle, Q. Zhang, "StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks," Proc. 7th USENIX Security Conf., Jan. 1998.
    • J. Koziol et. al. "The Shellcoder's Handbook: Discovering and Exploiting Security Holes." Wiley Publishing, Indianapolis, IN. 2004
    • G. Hoglund and G. McGraw, "Exploiting Software: How to Break Code." Addison-Wesley, Boston, MA. 2004, pp. 277-366
  4. Rootkits

    Rootkits have a very interesting history and are standard in many contemporary attacks. They range from simple binary replacements to complex kernel hacks; you will explore all variants. This topic will require the student to have/acquire OS architecture understanding.

    • Del Rio, Chico. "Rootkits: A State of the Art." Hakin9 6/2007: 34-49.
    • Levine, J., Grizzard, J., Owen, H.: A methodology to detect and characterize kernel level rootkit exploits involving redirection of the system call table. In: Proceedings of Second IEEE International Information Assurance Workshop, IEEE (2004) 107-125
    • Levine, J.G., Grizzard, J.B., Owen, H.L.: A methodology to characterize kernel level rootkit exploits that overwrite the system call table. In: Proceedings of IEEE SoutheastCon, IEEE (2004) 25-31
    • S. Sparks and J. Butler "Shadow Walker: Raising The Bar For Windows Rootkit Detection." Phrack Magazine, 63(8), 2005
    • John Levine, Brian Culver, Henry Owen: A Methodology of Detecting New Binary Rootkit Exploits. Proceedings IEEE SouthEastCon 2003, April 2003.
    • G. Hoglund and J. Butler. "Rootkits: Subverting the Windows Kernel." Addison-Wesley, Upper Saddle River, NJ. 2005.
    • G. Hoglund and G. McGraw, "Exploiting Software: How to Break Code." Addison-Wesley, Boston, MA. 2004, pp. 367-447
  5. Denial of Service

    This topic explores denial of service threats. Launching such an attack is trivial thus leading to their prevalence. However, classifying such an attack or identifing the source is often a difficult task. You will explore classifications of DoS attacks as well as identification, mitigation, and response strategies.

    • CERT, "Denial of Service Attacks." http://www.cert.org/tech_tips/denial_of_service.html
    • Hussain, A., Heidemann, J., and Papadopoulos, C. 2003. A Framework for Classifying Denial-of-Service Attacks. Karlsruhe, Germany, 99--110.
    • D. Moore, G. Voelker, and S. Savage. Inferring Internet Denial of Service Activity. USENIX Security Symposium, August 2001.
    • Jelena Mirkovic , Peter Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communication Review, v.34 n.2, April 2004
    • S. Savage, D. Wetherall, A. Karlin and T. Anderson, Network support for IP traceback, ACM/IEEE Transactions on Networking 9 (2001) (3), pp. 226-237.
    • M. Walfish, M. Vutukuru, H. Balakrishnan, D. Karger, and S. Shenker. DDoS defense by offense. In Proc. SIGCOMM, 2006.
  6. Web Security Threats

    While Web security covers a broad range of threats, the suggested literature focuses on SQL injection attacks and cross-site scripting attacks and their mitigation. Of course, the student is encouraged to explore additional web security threats if they see fit.

    • S. Friedl. "SQL Injection Attacks by Example." unixwiz.net http://www.unixwiz.net/techtips/sql-injection.html
    • W. G. Halfond, J. Viegas, and A. Orso. A Classification of SQL-Injection Attacks and Countermeasures. In Proc. of the Intl. Symposium on Secure Software Engineering, Mar. 2006.
    • G. Hoglund and G. McGraw, "Exploiting Software: How to Break Code." Addison-Wesley, Boston, MA. 2004, pp. 212-232
    • CERT, "Advisory CA-2000-02 Malicious HTML Tags Embedded in Client Web Requests." http://www.cert.org/advisories/CA-2000-02.html
    • G. D. Lucca, A. Fasolino, M. Mastroianni, and P. Tramontana. Identifying Cross Site Scripting Vulnerabilities in Web Applications. In Sixth IEEE International Workshop on Web Site Evolution (WSE '04), pages 71-80, September 2004.
  7. Wireless Security Threats

    This topic explores both 802.11 and bluetooth wireless security threats. Among other things, you will explore WEP (i.e. RC4) weaknesses.

    • H. Berghel. Wireless infidelity I: war driving. Communications of the ACM, 47(9):21-26, 2004.
    • H. Berghel and J. Uecker. Wireless infidelity II: airjacking. Communications of the ACM, 47(12):15-20, 2004.
    • S. Fluhrer, A. Shamir, and I. Mantin, "Weaknesses in the Key Scheduling Algorithm of RC4," Sel. Areas of Cryptography, Toronto, Canada, 2001.
    • Tews, E., Weinmann, R.P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds. Cryptology ePrint Archive, Report 2007/120 (2007), http://eprint.iacr.org/
    • Thomas G. Xydis, Simon Blake-Wilson: Security Comparison: Bluetooth (TM) Communications vs. 802.11. Bluetooth Security Experts Group, 2002


After being assigned a topic each student must take the semester to research their topic. An adviser will be assigned to each student in the event that he/she has questions. At the end of the semester each student must then prepare and give a 45 minute presentation and submit a 7-9 page summary paper about their assigned topic. The grades will given based on the quality of the presentation's content, the presentation itself, and the quality of the paper.

Please do NOT come with a "book report" summary of the given literature. In most cases this is too much content for a 45 minute presentation and a 7-9 page paper anyway. Instead, take the semester to research and inform yourself about the topic you have been given and teach us and your colleagues about that which you have spent the semester researching (it's allot more interesting for us as teachers and advisers if we too learn something, its no fun to hear 7 book reports about literature that we handed you).

The literature for each topic is meant as a base for your research. Students are encouraged to find literature on their own and incorporate this into their project. Please make sure that this literature is from a credible source and if there are any doubts, contact your adviser (that's what they're there for).

Finally, when submitting your paper it is essential that all literature is cited in a references section at the back of your paper and that works are cited in-line where necessary. It is generally not good practice to use direct quotes from a source so summarize where appropriate and remember that anytime you are presenting someone else's ideas or thoughts they must be cited in-line and a reference must be given in the references section of the paper. The style you use is left up to you.

Grading Guidelines

Grading Rubric

I have come up with a grading rubric that clearly defines all requirements for this project. Please conform to this rubric as it is used to come up with your grades.


Interessenten können sich per Email an Jonas Pfoh anmelden. In der Email sollen folgende Informationen enthalten sein:
  • Name, Vorname
  • Studiengang und Studienfach
  • Semester
  • Matrikelnummer und Geburtsdatum
  • bevorzugtes Thema

Project Sequence

As described under the Requirements heading, this project will consist of a presentation and a paper. The presentations will be held at the end of the semester (exact dates will be given once all registration requests have been recieved) and the papers will be due 2 weeks after the presentation is given.

The suggested sequence of events pertaining to the project is as follows:

5 weeks before the presentation Set up a first meeting with your adviser. This meeting is meant to take care of any questions one may have. Please come having read the literature, don't expect the adviser to explain to you everything that you should have read. Instead, come with specific questions.
2-3 weeks before the presentation Submit an outline for your presentation and paper to your adviser.
1 week before the presentation Submit your presentation slides to your adviser and give a practice presentation.
Presentation Deadline Be prepared to give to give your presentation on the date and time assigned at the beginnning of the semester. Unless you have previously made arrangements with your adviser, not having the presentation ready will have serious repercussions on your grade (we are, of course, sensitive to extenuating circumstances).
2 weeks after the presentation Submit your completed paper.

Dates and Advisers

January 15, 13:00 - 16:00 in MI 03.11.018
January 22, 13:00 - 16:00 in MI 03.11.018

We expect all students attend ALL presentations. If there are any extraneous circumstances that do not allow you to come to a specific presentation, you must let me know by Jan. 08, 2009. Specific presentation dates and times are listed below.
Student Name Topic Adviser Name Adviser Email Presentation Date/Time
Dimitar Dimitrov Malicious Code Jonas Pfoh pfoh@in.tum.de January 15, 2009; 13:00
Marc Hoffmann Intrusion Detection Matthias Baumgart baumgart@in.tum.de January 15, 2009; 14:00
Christian Heindl Rootkits Jonas Pfoh pfoh@in.tum.de January 15, 2009; 15:00
Hagen Fritsch Buffer Overflows Riko Jacob jacob@in.tum.de January 22, 2009; 13:00
Michael Weissberger Wireless Security Threats Stefan Schmid schmiste@in.tum.de January 22, 2009; 14:00
Artem Grebenkin Web Security Threats Hanjo Taeubig taeubig@in.tum.de January 22, 2009; 15:00