An Application-Oriented Approach for Computer Security Education


In the past few years, numerous universities have incorporated computer security courses into their undergraduate curricula. Recent studies show that students can effectively gain knowledge and experience in building secure computer systems by conducting course projects. However, existing computer security laboratory exercises consist of small-scale, fragmented, and isolated course projects, which makes them inadequate for preparing undergraduate students to implement real-world secure computing systems. Conventional wisdom in designing computer security course projects pays little attention to training students to assemble small building blocks into a large-scale secure computing and information system. To overcome students' lack of experience in implementing large-scale secure software, we propose a novel application-oriented approach to teaching computer security courses by constructing course projects for computer security education. In this pilot project we will develop an extensible application framework for computer security course projects. The framework will provide valuable learning materials that enable undergraduate students to gain unique experience of building large-scale trustworthy computer systems. Course projects are implemented as plugin modules of an application-based framework. After integrating all the security modules in the framework, undergraduate students can experiment with various ways of implementing sophisticated secure computer and information systems.

Published in: Education
  • Research Assistants: Alfred Nelson, Andrew Pitchford, and John Barton
  • 1: Provide engaging computer security laboratories and experiences. The project will facilitate novel computer security laboratory exercises that are holistically and seamlessly integrated into the QoSec middleware framework and that aim to prepare undergraduate students to implement real-world secure software applications. Using QoSec, students can carry out computer security laboratory experiments in which they build relevant security modules, which in turn can be put together in QoSec to develop secure applications. To shorten the learning curve introduced by professional middleware, QoSec (to be used in engaging computer security laboratories) has an easy interface that reduces the complexity of implementing large-scale secure computer and information systems. Students are expected to gain practical experience in developing secure computing and information systems by conducting course projects integrated within QoSec.
    2: Share the QoSec framework and its instructional materials. To allow other computer security educators to build on, connect to, and enhance the extensible QoSec framework, we will share QoSec and its accompanying instructional materials within the computer security education community. Other computer security educators have the flexibility to design new and upgraded course projects as plugin modules of the QoSec framework, making it possible for their students to readily and seamlessly integrate the new and upgraded course projects into QoSec. This goal will be accomplished by the wide dissemination of QoSec and its learning materials to a growing network of computer security instructors through presentations at regional and national conferences.
  • Share my experience: 1 project. 10-20 hours to prepare a project; 20-50 hours to implement a project. Can we save professors time spent in preparing labs?
  • See also teaching philosophy from Wenliang Du’s SEED project.
  • Recent studies (see, for example, [1] and [2]) show that students can effectively gain their knowledge and experience in building secure computer systems by conducting course projects. Problem: existing computer security laboratory exercises are comprised of small-scale, fragmented, and isolated course projects.
    [1] W.-L. Du and R.-H. Wang, "SEED: A Suite of Instructional Laboratories for Computer Security Education," The ACM Journal on Educational Resources in Computing (JERIC), vol. 8, no. 1, March 2008.
    [2] S.J. Lincke, "Network Security Auditing as a Community-Based Learning Project," Proc. 38th SIGCSE Tech. Symp. Computer Science Education, pp. 476-480, March 2007.
  • Conventional computer security curriculums. Exercises which engage the student in real-world scenarios. Developing practice laboratory modules. Network security design principles.
  • Next: let’s consider programming environment.
  • 3 research assistants. Approach 1: each RA designs and implements a security-sensitive application. Approach 2: 3 RAs collaborate on a single application. We took approach 2.
  • Integrate modules. Students: integrate the security modules. Learn to manage an existing system. Experience reading others' code.
  • Conventional computer security curriculums. Exercises which engage the student in real-world scenarios. Developing practice laboratory modules. Network security design principles. Another example: access control. Need a better way of teaching access control. Usually a very simple project, 3-4 classes, built from scratch, very shallow. Our solution: implement it within our Banking project.
  • No security modules in the design document
  • Recap: Learn general principles of software security. Simple yet sophisticated. Learn to integrate a module into an existing system.
  • How to choose a course to test our approach?
    Comp 4370 – Introduction to Computer and Network Security: introductory-level course; students have programming experience; small-scale projects for advanced students.
    Comp 7370 – Advanced Computer and Network Security: research projects, e.g., memory attacks; performance evaluation.
    Comp 2710 – Software Construction: no design experience; weak programming skill (note: engaging weak programmers in problem solving); quickly teach/learn basic security concepts; motivates us to improve students' design skill and design tools.
  • 57 students; 48 participants for project 1, 53 for project 2.
  • Interface, simple database, access control
  • Interface, simple database, access control. Observation: easier -> more interest. Implication: help students to better design and implement applications.
  • Interface, simple database, access control. Observation: help students with the time-consuming parts. Implication: help students to efficiently design applications.

    1. An Application-Oriented Approach for Computer Security Education
       Xiao Qin, Department of Computer Science and Software Engineering, Auburn University. Email: xqin@auburn.edu. URL: http://www.eng.auburn.edu/~xqin
    2. Goal and Objectives
       • Goal: New approaches for computer security education
       • Objective 1: To prepare students to design, implement, and test secure software
       • Objective 2: A holistic platform for constructing computer security course projects
       • Student-centered learning; professor-centered platform
    3. From CSSE Students to Software Engineers
       • To produce reliable, robust, secure software.
       • To work in interdisciplinary teams.
       • To use appropriate design notations, such as UML.
       • To work in multiple programming languages.
    4. Challenges: Student-Centered Learning
       Diagram labels: Teamwork, Secure Software Design, Programming
       • What projects can help students to learn about teamwork?
       • Must we teach students how to design secure software?
       • How to provide engaging computer security projects?
       • How to teach multiple programming languages?
    5. Challenges: Professor-Centered Platform
       Diagram labels: Flexibility, Preparation, Grading, Teaching
       • What projects can be tailored to students to learn about teamwork?
       • What is a good way to grade computer security projects?
       • How to quickly prepare engaging computer security projects?
       • How to teach computer security projects?
    6. Teaching Philosophy
       • Computer security education should focus on:
           • Fundamental security principles
           • Security-practice skills.
    7. Motivation
       • Security principles: fundamental; a wide spectrum.
       • Laboratory exercises: observing, evaluating, testing.
       • Course projects: analyzing, designing, programming.
       • Real-world secure computing systems: programming standards; large scale; work on existing products.
       Diagram labels: Practice; Principles; Real-World Systems and Apps; College; Industry; small-scale, fragmented, and isolated course projects.
    8. Our Solution: Application-Oriented Approach
       Diagram labels: Security Sensitive Applications; Security Module 1; User Interface; OS (Windows, Linux, etc.); Non-Security Modules; Security Module n; Security Modules.
    9. Considerations
       • Security modules: related to fundamental security principles.
       • Applications: represent real-world scenario(s).
       • Each application: contains all possible security modules.
       • Flexibility: difficulty levels are configurable.
       • Programming environment: easy setup.
       • Hints for students: data structures and algorithms.
    10. A Unified Programming Environment
       Diagram labels: Security Sensitive Applications; Security Module 1; User Interface; OS (Windows, Linux, etc.); Non-Security Modules; Security Module n; Virtual Machine (e.g., VMware, VirtualBox).
    11. Flexibility
       • Levels of Difficulty
           • Beginner
           • Intermediate
           • Advanced
       Objective 1: To prepare students to design, implement, and test secure software. Objective 2: A holistic platform for constructing computer security course projects. Student-centered learning; professor-centered platform.
    12. Flexibility: How Modules Are Packaged
       Levels: Beginner (Easy); Intermediate (Moderate); Advanced (Hard).
       Package characteristics, in slide order: Explorative; Light Editing; Basic Understanding of Concepts; Normal Implementation; Depth Understanding of Concept; Advanced Implementation.
    13. Types of Course Projects
       • Explorative-based projects.
       • Partial implementation projects.
       • Full implementation projects.
       • Vulnerability testing, attacking, and fixing.
       • Hybrid labs (Exploration & Implementation, etc.)
       Diagram labels: Beginner; Intermediate; Advanced.
    14. Choose the First Application
       • Real World Scenarios
           • Banking System: implemented
           • P2P File-Sharing: future work
       • Three RAs worked on this project
           • Strategy 1: each RA designs and implements a security-sensitive application
           • Strategy 2: three RAs collaborate on a single application.
    15. Banking Application
       • Toy Application
           • A Secure Teller Terminal System
           • ATM
       • Documentation
           • Design
           • Test Cases
           • Makefile
           • Readme
    16. Implementation Projects
       Diagram labels: Students' Tasks; Existing Components; Access Control List; Integrity Checking; Data Encryption Module; IPSec; In Attack Lab; Banking Application; Buffer overflow.
       • Properties of these projects:
       • Focused on targeted principles
       • Focused on a single application
       • Each project takes 2-6 weeks
       • Difficulties can be adjusted
    17. Workflow: A professor's perspective
       Diagram steps, as extracted: Teach Concept; Generate Project Description; Design Survey Questions; Choose Apps & Difficulty; Work On Project; Evaluation/Feedback; Design Docs & Partial Code; System Setup.
    18. Design Document Example: Data Flow – High Level
    19. Put It All Together: An example
       Diagram labels: A Banking System; Access Control; User Interface; OS (Windows, Linux, etc.); Non-Security Modules; Encryption; IPSec; Virtual Machine (e.g., VMware, VirtualBox).
    20. Class Diagram: A secure teller terminal system (Intermediate)
    21. Class Diagram: A secure teller terminal system (Advanced)
       No security modules in the design document (e.g., class diagram).
    22. An Encrypted Staff File (Beginner: Easy, Explorative, Light Editing)
    23. An Unencrypted Staff File (Beginner: Easy, Explorative, Light Editing)
    24. Encryption Modules
       • Transposition - good, low-level encryption algorithm.
       • Substitution - good, low-level encryption algorithm.
       • Put both of them together – a transposition of a substitution.
    25. Access Control
       • Role-based system.
       • Implemented in a separate module.
       • Give students data flow diagram.
    26. Access Control
       • Students implement Access Control module.
       • Allows them to insert in existing system.
       • Better real-world experience.
    27. Choose a Course to Test Our Approach
       • Security courses: Introduction to Computer Security
           • Introductory-level
           • Programming experiences
           • Small-scale projects work
       • Security courses: Advanced Computer Security
           • Research projects
           • Examples: memory attacks; parallel antivirus; testing
       • Other courses, e.g., Software Construction
           • No design experience
           • New programming language
           • Weak programming skill
           • Teach/learn basic security concepts
    28. Comp 2710 Software Construction
       • Two projects
           • A secure teller terminal system: access control
           • A cryptographic system: two algorithms
       • 57 students (CSSE and ECE)
           • Computer Science
           • Software Engineering
           • Electrical Engineering
           • Wireless Engineering
    29. Preliminary Studies
       • Survey Questionnaires
           • The quality of project design
           • Students' evaluation on projects:
               • How interested they are
               • Programming background
               • Whether the labs spark their interests in security
               • How many hours they spent on the projects
       • Participants:
           • 48 students for project 1
           • 53 students for project 2
    30. Evaluation Results (1)
       Survey: Approximately, how many hours did you spend on the project?
       Scale: (1) ≤ 5 hours (2) 6-10 hours (3) 11-20 hours (4) 21-30 hours (5) > 30 hours
       • Design: 81% <10h
       • Implementation: 46% >21h
       • Entire Project: 40% >30h
    31. Evaluation Results (2)
       Survey: The project instructions were clear.
       Scale: (1) Strongly disagree (2) Disagree (3) Neutral (4) Agree (5) Strongly agree
       • Teller terminal system: 69% agree or strongly agree
       • Cryptographic system: 58% agree or strongly agree
    32. Evaluation Results (3)
       Survey: What was the level of difficulty of this project?
       Scale: (1) Very easy (2) Somewhat easy (3) Average (4) Somewhat difficult (5) Very difficult
       • Teller terminal system: 61% somewhat difficult or very difficult
       • Cryptographic system: 53% somewhat difficult or very difficult
    33. Evaluation Results (4)
       Survey: What was the level of interest in this project?
       Scale: (1) Very low (2) Low (3) Average (4) High (5) Very high
       • Teller terminal system: 58% average, high, or very high
       • Cryptographic system: 85% average, high, or very high
    34. Evaluation Results (5)
       Survey: What was the most time-consuming part of the design portion of the project?
       Options: (1) Use Cases (2) Class Diagram (3) System Sequence Diagram (4) Testing
       • Teller terminal system: 44% use cases
       • Cryptographic system: 58% testing
    35. Evaluation Results (6)
       Survey: As a result of the lab, I am more interested in computer security.
       Scale: (1) Strongly disagree (2) Disagree (3) Neutral (4) Agree (5) Strongly agree
       • Teller terminal system: 17% strongly disagree or disagree
       • Cryptographic system: 20% strongly disagree or disagree
    36. Evaluation Results (7)
       Survey: Overall, I have attained the learning objectives of the project.
       • Teller terminal system:
           • develop a non-trivial application using classes, constructors, vectors, and operator overloading;
           • learn a security issue – authentication;
           • perform object-oriented analysis, design, and testing; and
           • develop a reasonably user-friendly application.
       • Cryptographic system:
           • learn two cryptographic algorithms;
           • develop a simple cryptographic tool;
           • perform separate compilation; and
           • develop a command-line application.
    37. Evaluation Results (7 cont.)
       Survey: Overall, I have attained the learning objectives of the project.
       Scale: (1) Strongly disagree (2) Disagree (3) Neutral (4) Agree (5) Strongly agree
       • Teller terminal system: 52% strongly agree or agree
       • Cryptographic system: 65% strongly agree or agree
    38. About the QoSec Project
       • Funded by the NSF CCLI Program
           • Phase I ($150K) was funded in 2009
           • 1 PI and 4 Research Assistants
           • Alfred Nelson
           • Andrew Pitchford
           • John Barton
       • Web pages of the project will be available soon:
           • http://www.eng.auburn.edu/~xqin
    39. Plan and Collaborations
       • Prepare for an NSF TUES Phase II Project
           • Four to six universities involved
           • 10 PIs
           • More tool applications
           • More preliminary results
           • Evidence for collaborations
       • Contact me if you are interested in
           • this NSF CCLI Phase I project or
           • our future NSF TUES Phase II project
       Xiao Qin: xqin@auburn.edu
    41. Demo & Examples
    42. Questions?
       • If you are interested in information regarding this project, add your name to our newsletter list after this discussion.
       • http://www.eng.auburn.edu/~xqin
       • Slides are available at http://www.slideshare.net/xqin74
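
Slide 24 describes the encryption module as a transposition of a substitution. The C++ below is an added example, not code from the QoSec project: it assumes a keyword-alphabet substitution over printable ASCII and an unpadded columnar transposition, and the function names, keys and sample staff record are constructed for illustration.

```cpp
// Added teaching example (not QoSec code): substitution, then transposition.
// Classical ciphers like these illustrate the principle only and are not
// suitable for protecting real data.
#include <algorithm>
#include <iostream>
#include <numeric>
#include <string>
#include <vector>

const int LO = 32, N = 95;  // printable ASCII range handled by the substitution

// Keyword alphabet: distinct key characters first, then the rest in order.
std::string makeAlphabet(const std::string& key) {
    std::string table;
    for (char c : key)
        if (c >= LO && c < LO + N && table.find(c) == std::string::npos) table += c;
    for (int i = 0; i < N; ++i)
        if (table.find(static_cast<char>(LO + i)) == std::string::npos)
            table += static_cast<char>(LO + i);
    return table;  // table[i] replaces the character LO + i
}

std::string substitute(const std::string& text, const std::string& key, bool decrypt) {
    const std::string table = makeAlphabet(key);
    std::string out = text;
    for (char& c : out) {
        if (c < LO || c >= LO + N) continue;  // newlines, tabs, etc. pass through
        c = decrypt ? static_cast<char>(LO + table.find(c)) : table[c - LO];
    }
    return out;
}

// Unpadded columnar transposition: write rows of key.size() columns, then read
// the columns in the order of the sorted key characters.
std::string transpose(const std::string& text, const std::string& key, bool decrypt) {
    const std::size_t cols = key.size();
    if (cols == 0) return text;
    std::vector<std::size_t> order(cols);
    std::iota(order.begin(), order.end(), 0);
    std::stable_sort(order.begin(), order.end(),
                     [&](std::size_t a, std::size_t b) { return key[a] < key[b]; });
    std::string out(text.size(), '\0');
    std::size_t k = 0;  // index into the column-by-column (ciphertext) stream
    for (std::size_t col : order)
        for (std::size_t i = col; i < text.size(); i += cols, ++k) {
            if (decrypt) out[i] = text[k];
            else out[k] = text[i];
        }
    return out;
}

// "A transposition of a substitution": substitute first, then transpose.
std::string encryptRecord(const std::string& p, const std::string& sk, const std::string& tk) {
    return transpose(substitute(p, sk, false), tk, false);
}
std::string decryptRecord(const std::string& c, const std::string& sk, const std::string& tk) {
    return substitute(transpose(c, tk, true), sk, true);
}

int main() {
    const std::string record = "id=7;name=Ann Lee;role=teller";  // constructed sample
    const std::string ct = encryptRecord(record, "Auburn", "teller");
    std::cout << ct << "\n" << decryptRecord(ct, "Auburn", "teller") << "\n";
}
```

Decryption applies the inverse steps in reverse order, which is the integration detail students have to get right when the two modules are combined.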
