Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
An Application-Oriented Approach for Computer Security Education Xiao Qin Department of Computer Science and Software Engi...
Goal and Objectives Goal:  New approaches for computer security education   Objective 1:   To prepare students to design, ...
From CSSE Students to Software Engineers <ul><li>To produce reliable, robust,  secure  software. </li></ul><ul><li>To work...
Challenges  Student -Centered Learning Teamwork Secure Software Design Programming What projects can help students to lear...
Challenges  Professor -Centered Platform Flexibility Preparation Grading Teaching What projects can be tailored to student...
Teaching Philosophy <ul><li>Computer security education should focus on: </li></ul><ul><ul><li>Fundamental  security princ...
Motivation <ul><li>Security principles: </li></ul><ul><li>Fundamental </li></ul><ul><li>A wide spectrum. </li></ul>Practic...
Our Solution:   Application-Oriented Approach  Security Sensitive Applications Security Module 1 User Interface OS (Window...
Considerations <ul><li>Security modules:  related to fundamental security principles. </li></ul><ul><li>Applications:  rep...
A Unified Programming Environment Security Sensitive Applications Security Module 1 User Interface OS (Windows, Linux, etc...
Flexibility <ul><li>Levels of Difficulty </li></ul><ul><ul><li>Beginner </li></ul></ul><ul><ul><li>Intermediate </li></ul>...
Flexibility How Modules Are Packaged Beginner Easy Intermediate Moderate Advanced Hard Explorative Light Editing Basic Und...
Types of Course Projects <ul><li>Explorative  based projects. </li></ul><ul><li>Partial  Implementation projects. </li></u...
Choose the First Application <ul><li>Real World Scenarios </li></ul><ul><ul><li>Banking System:  Implemented </li></ul></u...
Banking Application <ul><li>Toy Application </li></ul><ul><ul><li>A Secure Teller Terminal System  </li></ul></ul><ul><ul>...
Implementation Projects Students’ Tasks Existing Components Access Control List Integrity  Checking Data Encryption Module...
Workflow A professor’s perspective Teach Concept Generate Project Description Design Survey Questions Choose Apps & Diffic...
Design Document Example: Data Flow – High Level
Put It All Together  An example A Banking System Access Control User Interface OS (Windows, Linux, etc.) Non-Security Modu...
Class Diagram  A  secure teller terminal system Intermediate
Class Diagram  A  secure teller terminal system Advanced No security modules in the design document (e.g., class diagram)
An Encrypted Staff File Beginner Beginner Easy Explorative Light Editing
An Unencrypted Staff File Beginner Beginner Easy Explorative Light Editing
Encryption Modules <ul><li>Transposition - good, low-level encryption algorithm. </li></ul><ul><li>Substitution - good, lo...
Access Control <ul><li>Role-based system. </li></ul><ul><li>Implemented in a separate module. </li></ul><ul><li>Give stude...
Access Control <ul><li>Students implement Access Control module. </li></ul><ul><li>Allows them to insert in existing syste...
Choose a Course to Test Our Approach <ul><li>Introductory-level </li></ul><ul><li>Programming  </li></ul><ul><li>experienc...
Comp 2710 Software Construction <ul><li>Two projects </li></ul><ul><ul><li>A  secure teller terminal system : access contr...
Preliminary Studies <ul><li>Survey Questionnaires </li></ul><ul><ul><li>The quality of project design </li></ul></ul><ul><...
Evaluation Results (1) (1) ≤ 5 hours (2) 6-10 hours (3) 11-20 hours  (4) 21-30 hours (5) > 30 hours  Survey:  Approximatel...
Evaluation Results (2) (1) Strongly disagree  (2) Disagree  (3) Neutral  (4) Agree (5) Strongly agree Survey:  The project...
Evaluation Results (3) (1) Very easy  (2) Somewhat easy  (3) Average  (4) Somewhat difficult  (5) Very difficult Survey:  ...
Evaluation Results (4) Survey:  What was the level of interest in this project? Teller terminal system 58%: Average, High,...
Evaluation Results (5) Survey:  What was the most time consuming part of in the design portion of the project?  Teller ter...
Evaluation Results (6) (1) Strongly disagree  (2) Disagree  (3) Neutral  (4) Agree (5) Strongly agree Survey:  As a result...
Evaluation Results (7) <ul><li>develop a non-trivial application using classes, constructors, vectors, and operator overlo...
Evaluation Results (7 cont.) (1) Strongly disagree  (2) Disagree  (3) Neutral  (4) Agree (5) Strongly agree Survey:  Overa...
About the QoSec Project <ul><li>Funded by the NSF CCLI Program  </li></ul><ul><ul><li>Phase I ($150K) was funded in 2009 <...
Plan and Collaborations <ul><li>Prepare for an NSF TUES Phase II Project </li></ul><ul><ul><li>Four to six universities in...
 
Demo & Examples
Questions? <ul><li>If you are interested in information regarding this project, add your name to our newsletter list after...
Upcoming SlideShare
Loading in …5
×

An Application-Oriented Approach for Computer Security Education

2,338 views

Published on

In the past few years, numerous universities have incorporated computer security courses into their
undergraduate curricula. Recent studies show that students can effectively gain their knowledge and
experience in building secure computer systems by conducting course projects. However, existing
computer security laboratory exercises are comprised of small-scale, fragmented, and isolated course projects, making it inadequate to prepare undergraduate students to implement real-world secure computing systems. Conventional wisdom in designing computer security course projects pays little
attention to train students to assemble small building blocks into a large-scale secure computing and information system. To overcome students’ lack of experience in implementing large-scale secure software, we propose a novel application-oriented approach to teaching computer security courses by constructing course projects for computer security education. In this pilot project we will develop an extensible application framework for computer security course projects. The framework will provide valuable learning materials that can enable undergraduate students to gain unique experience of building large-scale trustworthy computer systems. Course projects are implemented as plugin modules of an application-based framework. After integrating all the security modules together in the framework, undergraduate students can experiment with various ways of implementing sophisticated
secure computer and information systems.

Published in: Education
  • Be the first to like this

An Application-Oriented Approach for Computer Security Education

  1. 1. An Application-Oriented Approach for Computer Security Education Xiao Qin Department of Computer Science and Software Engineering Auburn University Email: xqin@auburn.edu URL: http://www.eng.auburn.edu/~xqin
  2. 2. Goal and Objectives Goal: New approaches for computer security education Objective 1: To prepare students to design, implement, and test secure software Objective 2: A holistic platform for constructing computer security course projects Student-centered learning Professor-centered platform
  3. 3. From CSSE Students to Software Engineers <ul><li>To produce reliable, robust, secure software. </li></ul><ul><li>To work in interdisciplinary teams . </li></ul><ul><li>To use appropriate design notations, such as UML. </li></ul><ul><li>To work in multiple programming languages. </li></ul>
  4. 4. Challenges Student -Centered Learning Teamwork Secure Software Design Programming What projects can help students to learn about teamwork? Must we teach students how to design secure software? How to provide engaging computer security projects ? How to teach multiple programming languages?
  5. 5. Challenges Professor -Centered Platform Flexibility Preparation Grading Teaching What projects can be tailored to students to learn about teamwork? What is a good way to grade computer security projects? How to quickly prepare engaging computer security projects ? How to teach computer security projects?
  6. 6. Teaching Philosophy <ul><li>Computer security education should focus on: </li></ul><ul><ul><li>Fundamental security principles </li></ul></ul><ul><ul><li>Security- practice skills. </li></ul></ul>
  7. 7. Motivation <ul><li>Security principles: </li></ul><ul><li>Fundamental </li></ul><ul><li>A wide spectrum. </li></ul>Practice Principles Real-World Systems and Apps <ul><li>Laboratory exercises: </li></ul><ul><li>Observing </li></ul><ul><li>Evaluating </li></ul><ul><li>Testing </li></ul><ul><li>Course projects: </li></ul><ul><li>Analyzing </li></ul><ul><li>Designing </li></ul><ul><li>Programming </li></ul><ul><li>Real-world secure </li></ul><ul><li>computing systems: </li></ul><ul><li>Programming </li></ul><ul><li>standards </li></ul><ul><li>Large scale </li></ul><ul><li>Work on existing </li></ul><ul><li>products </li></ul>College Industry small-scale, fragmented, and isolated course projects
  8. 8. Our Solution: Application-Oriented Approach Security Sensitive Applications Security Module 1 User Interface OS (Windows, Linux, etc.) Non-Security Modules Security Module n Security Modules
  9. 9. Considerations <ul><li>Security modules: related to fundamental security principles. </li></ul><ul><li>Applications: represent real world scenario(s) </li></ul><ul><li>Each application: contains all possible security modules. </li></ul><ul><li>Flexibility: difficulty levels are configurable. </li></ul><ul><li>Programming environment: easy setup </li></ul><ul><li>Hints for students: data structures and algorithms </li></ul>
  10. 10. A Unified Programming Environment Security Sensitive Applications Security Module 1 User Interface OS (Windows, Linux, etc.) Non-Security Modules Security Module n Virtual Machine (e.g. vmware, virtualBox )
  11. 11. Flexibility <ul><li>Levels of Difficulty </li></ul><ul><ul><li>Beginner </li></ul></ul><ul><ul><li>Intermediate </li></ul></ul><ul><ul><li>Advanced </li></ul></ul>Objective 1: To prepare students to design, implement, and test secure software Objective 2: A holistic platform for constructing computer security course projects Student-centered learning Professor-centered platform
  12. 12. Flexibility How Modules Are Packaged Beginner Easy Intermediate Moderate Advanced Hard Explorative Light Editing Basic Understand Of Concepts Normal Implementation Depth Understanding Of Concept Advanced Implementation
  13. 13. Types of Course Projects <ul><li>Explorative based projects. </li></ul><ul><li>Partial Implementation projects. </li></ul><ul><li>Full Implementations projects. </li></ul><ul><li>Vulnerability testing, attacking, and fixing. </li></ul><ul><li>Hybrid labs (Exploration & Implementation, etc.) </li></ul>Beginner Intermediate Advanced
  14. 14. Choose the First Application <ul><li>Real World Scenarios </li></ul><ul><ul><li>Banking System: Implemented </li></ul></ul><ul><ul><li>P2P File-Sharing: future work </li></ul></ul><ul><li>Three RAs worked on this project </li></ul><ul><ul><li>Strategy 1: each RA design and implement a security sensitive application </li></ul></ul><ul><ul><li>Strategy 2: three RAs collaborate on a single application. </li></ul></ul>
  15. 15. Banking Application <ul><li>Toy Application </li></ul><ul><ul><li>A Secure Teller Terminal System </li></ul></ul><ul><ul><li>ATM </li></ul></ul><ul><li>Documentations </li></ul><ul><ul><li>Design </li></ul></ul><ul><ul><li>Test Cases </li></ul></ul><ul><ul><li>Makefile </li></ul></ul><ul><ul><li>Readme </li></ul></ul>
  16. 16. Implementation Projects Students’ Tasks Existing Components Access Control List Integrity Checking Data Encryption Module <ul><li>Properties of these projects: </li></ul><ul><li>Focused on targeted principles </li></ul><ul><li>Focused on a single application </li></ul><ul><li>Each project takes 2-6 weeks </li></ul><ul><li>Difficulties can be adjusted </li></ul>IPSec In Attack Lab Banking Application Buffer overflow
  17. 17. Workflow A professor’s perspective Teach Concept Generate Project Description Design Survey Questions Choose Apps & Difficulty Work On Project Evaluation/Feedback Design Docs & Partial Code System Setup
  18. 18. Design Document Example: Data Flow – High Level
  19. 19. Put It All Together An example A Banking System Access Control User Interface OS (Windows, Linux, etc.) Non-Security Modules Encryption IPSec Virtual Machine (e.g. vmware, virtualBox )
  20. 20. Class Diagram A secure teller terminal system Intermediate
  21. 21. Class Diagram A secure teller terminal system Advanced No security modules in the design document (e.g., class diagram)
  22. 22. An Encrypted Staff File Beginner Beginner Easy Explorative Light Editing
  23. 23. An Unencrypted Staff File Beginner Beginner Easy Explorative Light Editing
  24. 24. Encryption Modules <ul><li>Transposition - good, low-level encryption algorithm. </li></ul><ul><li>Substitution - good, low-level encryption algorithm. </li></ul><ul><li>Put both of them together – A transposition of a substitution. </li></ul>
  25. 25. Access Control <ul><li>Role-based system. </li></ul><ul><li>Implemented in a separate module. </li></ul><ul><li>Give students data flow diagram. </li></ul>
  26. 26. Access Control <ul><li>Students implement Access Control module. </li></ul><ul><li>Allows them to insert in existing system. </li></ul><ul><li>Better real world experience. </li></ul>
  27. 27. Choose a Course to Test Our Approach <ul><li>Introductory-level </li></ul><ul><li>Programming </li></ul><ul><li>experiences </li></ul><ul><li>Small-scale projects </li></ul><ul><li>work </li></ul>Introduction to Computer Security Security Courses Other Courses Advanced Computer Security <ul><li>Research projects </li></ul><ul><li>Examples </li></ul><ul><ul><li>Memory attacks </li></ul></ul><ul><ul><li>Parallel Antivirus </li></ul></ul><ul><ul><li>Testing </li></ul></ul><ul><li>No design experience </li></ul><ul><li>New programming </li></ul><ul><li>language </li></ul><ul><li>Weak programming </li></ul><ul><li>skill </li></ul><ul><li>Teach/learn basic </li></ul><ul><li>security concepts </li></ul>e.g., Software Construction
  28. 28. Comp 2710 Software Construction <ul><li>Two projects </li></ul><ul><ul><li>A secure teller terminal system : access control </li></ul></ul><ul><ul><li>A cryptographic system: two algorithms </li></ul></ul><ul><li>57 students (CSSE and ECE) </li></ul><ul><ul><li>Computer Science </li></ul></ul><ul><ul><li>Software Engineering </li></ul></ul><ul><ul><li>Electrical Engineering </li></ul></ul><ul><ul><li>Wireless Engineering </li></ul></ul>
  29. 29. Preliminary Studies <ul><li>Survey Questionnaires </li></ul><ul><ul><li>The quality of project design </li></ul></ul><ul><ul><li>Students’ evaluation on projects: </li></ul></ul><ul><ul><ul><li>How interested they are </li></ul></ul></ul><ul><ul><ul><li>Programming background </li></ul></ul></ul><ul><ul><ul><li>Whether the labs spark their interests in security </li></ul></ul></ul><ul><ul><ul><li>How many hours they spent on the projects </li></ul></ul></ul><ul><li>Participants: </li></ul><ul><ul><li>48 students for project 1 </li></ul></ul><ul><ul><li>53 students for project 2 </li></ul></ul>
  30. 30. Evaluation Results (1) (1) ≤ 5 hours (2) 6-10 hours (3) 11-20 hours (4) 21-30 hours (5) > 30 hours Survey: Approximately, how many hours did you spend on the project? Design 81% <10h Implementation 46% >21h Entire Project 40% >30h
  31. 31. Evaluation Results (2) (1) Strongly disagree (2) Disagree (3) Neutral (4) Agree (5) Strongly agree Survey: The project instructions were clear. Teller terminal system 69%: agree or strongly agree Cryptographic system 58%: agree or strongly agree
  32. 32. Evaluation Results (3) (1) Very easy (2) Somewhat easy (3) Average (4) Somewhat difficult (5) Very difficult Survey: What was the level of difficulty of this project? Teller terminal system 61%: somewhat difficult or very difficult Cryptographic system 53%: somewhat difficult or very difficult
  33. 33. Evaluation Results (4) Survey: What was the level of interest in this project? Teller terminal system 58%: Average, High, or very high Cryptographic system 85%: Average, High, or very high 1.  (1) Very low (2) Low (3) Average (4) High (5) Very high
  34. 34. Evaluation Results (5) Survey: What was the most time consuming part of in the design portion of the project? Teller terminal system 44%: Use cases Cryptographic system 58%: Testing (1) Use Cases (2) Class Diagram (3) System Sequence Diagram (4) Testing
  35. 35. Evaluation Results (6) (1) Strongly disagree (2) Disagree (3) Neutral (4) Agree (5) Strongly agree Survey: As a result of the lab, I am more interested in computer security. Teller terminal system 17%: strongly disagree or disagree Cryptographic system 20%: strongly disagree or disagree
  36. 36. Evaluation Results (7) <ul><li>develop a non-trivial application using classes, constructors, vectors, and operator overloading; </li></ul><ul><li>learn a security issue – authentication; </li></ul><ul><li>perform object-oriented analysis, design, and testing; and </li></ul><ul><li>develop a reasonably user-friendly application. </li></ul><ul><li>learn two cryptographic algorithms; </li></ul><ul><li>develop a simple cryptographic tool; </li></ul><ul><li>perform separate compilation; and </li></ul><ul><li>to develop a command-line application. </li></ul>Survey: Overall, I have attained the learning objectives of the project. Teller terminal system Cryptographic system
  37. 37. Evaluation Results (7 cont.) (1) Strongly disagree (2) Disagree (3) Neutral (4) Agree (5) Strongly agree Survey: Overall, I have attained the learning objectives of the project. Teller terminal system 52%: strongly agree or agree Cryptographic system 65%: strongly agree or agree
  38. 38. About the QoSec Project <ul><li>Funded by the NSF CCLI Program </li></ul><ul><ul><li>Phase I ($150K) was funded in 2009 </li></ul></ul><ul><ul><li>1 PI and 4 Research Assistants </li></ul></ul><ul><ul><li>Alfred Nelson </li></ul></ul><ul><ul><li>Andrew Pitchford </li></ul></ul><ul><ul><li>John Barton </li></ul></ul><ul><li>Web pages of the project will be available soon: </li></ul><ul><ul><li>http://www.eng.auburn.edu/~xqin </li></ul></ul>
  39. 39. Plan and Collaborations <ul><li>Prepare for an NSF TUES Phase II Project </li></ul><ul><ul><li>Four to six universities involved </li></ul></ul><ul><ul><li>10 Pis </li></ul></ul><ul><ul><li>More tool applications </li></ul></ul><ul><ul><li>More preliminary results </li></ul></ul><ul><ul><li>Evidence for collaborations </li></ul></ul><ul><li>Contact me if you are interested in </li></ul><ul><ul><li>this NSF CCLI Phase I project or </li></ul></ul><ul><ul><li>our future NSF TUES Phase II project </li></ul></ul>Xiao Qin: xqin@auburn.edu
  40. 41. Demo & Examples
  41. 42. Questions? <ul><li>If you are interested in information regarding this project, add your name to our newsletter list after this discussion. </li></ul><ul><li>http://www.eng.auburn.edu/~xqin </li></ul><ul><li>Slides are available at </li></ul><ul><li>http://www.slideshare.net/xqin74 </li></ul>

×