SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation

Wenliang (Kevin) Du

Department of Electrical Engineering & Computer Science

Syracuse University

Email: wedu@ecs.syr.edu

URL: http://www.cis.syr.edu/~wedu/seed/

Secure Coding Faculty Workshop, April 14-15, Orlando, FL


Objectives

  • Improve experiential learning in computer security education

  • Develop effective security-related labs (or course projects)

    • Targeting both security and non-security courses.

Overview

  • Philosophies behind our approach

  • Lab environment

  • The design of SEED labs

  • Overview of the labs (about 20)

  • Discussions

About SEED Project

  • Funded by the NSF CCLI Program

    • Phase I ($75K) was funded in 2002

    • Phase II ($450K) was funded in 2007

  • Four universities are main partners.

  • Several more universities are using the labs.

  • Web page for all the developed labs

    • http://www.cis.syr.edu/~wedu/seed/

Philosophy #1

  • Computer security education should focus on both the fundamental security principles and security-practice skills.

    • Principles: A wide spectrum.

    • Skills: designing, programming, testing, analyzing, innovating, and applying.

    • Focused and comprehensive labs

Philosophy #2

  • Computer security education should be integrated into many other courses, including Operating Systems, Networking, Computer Architecture, Compilers, Software Engineering, etc.

A Generic Environment

  • Use for most of the labs:

    • Learning a new environment is not easy

  • Not too expensive:

    • Most schools do not have a budget for this

Finding a System

  • A system that can be used to demonstrate a variety of security principles.

    • Interesting: can motivate students

    • Meaningful: not a toy

    • Manageable: doesn’t take months to understand

What can be more comprehensive than operating systems?

A Unified Lab Environment

Diagram labels (layers in slide order): Labs; Minix, Linux; Virtual Machine (e.g. vmware); Host OS (Windows, Linux, etc.)

Cost of Environment

  • Software cost

    • vmware is free for academic use

    • Minix and Linux are open-source and free

  • Hardware cost

    • Use student’s personal computer:

      • At least 1.5GB RAM, the more the better

    • Use a general computer lab

      • Administrator: install vmware

      • Students: buy a portable hard drive (> 6 G)

Laboratories

  • Three types of labs

    • Design/Implementation Labs

    • Exploration Labs

    • Vulnerability/Attack Labs

  • They cover different sets of skills

  • The time needed for these labs varies (1 week to 6 weeks)

Design/Implementation Labs

Diagram labels: Design/Implementation Labs; Minix; Virtual Machine (e.g. vmware)

Objectives: to build and integrate security mechanisms in systems, and to apply security principles in system building.

Design Labs

Diagram labels: Minix OS; Existing Components; Students’ Tasks

  • Properties of this design:

    • Focused on targeted principles

    • Each lab takes 2-6 weeks

    • Difficulties can be adjusted

Diagram boxes: Capability; Encrypted File System; Sandbox; MAC; System Randomization; RBAC; Access Control List; IPSec; Firewall; IDS

Lab Development

  • Learning objectives

    • The principles covered by each lab

  • Simplification of the system

    • Multi-year project → Few weeks

    • Self-contained

    • Not over-simplified

  • Reduce non-security critical tasks

    • Simplification

    • Develop supporting materials

Exploration Labs

Diagram labels: Exploration Labs; Minix, Linux; Virtual Machine (e.g. vmware)

Objectives: to explore how security mechanisms work, and to apply security principles in evaluating those mechanisms.

Exploration Labs

Diagram labels: Minix/Linux OS; “tour”; Other Components; Security Component

  • Guided Tour:

    • Small experiments

    • Guided activities

    • Interact with security components

    • Observe

    • Explain the observations

Diagram boxes: Set-UID; PAM: Pluggable Authentication Module; Intel 80x86 Protection Mode; Reference Monitor; SYN Cookie

All the design labs can be transformed to exploration labs

Vulnerability/Attack Labs

Diagram labels: Vulnerability/Attack Labs; Minix, Linux; Virtual Machine (e.g. vmware)

Objectives: to learn from mistakes, to see how a flaw leads to security breaches, to carry out real attacks in the lab environment, and to apply security principles in defense.

Vulnerability/Attack Labs

Diagram labels: Real-World Vulnerabilities; Fault Injection; Linux/Minix OS; User Space; Kernel Space

  • Students’ Tasks:

    1. Find out those vulnerabilities

    2. Exploit the vulnerabilities

    3. Fix the vulnerabilities

    4. Design countermeasures


Vulnerability Laboratories

  • Buffer-overflow Lab

  • Return-to-libc Attack Lab

  • Race-condition Lab

  • Format-string Lab

  • Sandbox (chroot) Lab

  • Attack Lab on TCP/IP

  • Attack Lab on DNS (Pharming Attacks)

  • Cross-Site Scripting Lab

  • SQL injection attack Lab

  • Set-UID vulnerability Lab

  • Lab on various OS kernel vulnerabilities

Our 2nd Philosophy

  • Computer security education should be integrated into many other courses, including Operating Systems, Networking, Computer Architecture, Compilers, Software Engineering, etc.

Examples for Operating Systems

  • File Systems

    • Encrypted File System (EFS) Lab

  • Access Control

    • Capability Lab

    • RBAC (Role-Based Access Control) Lab: demo

  • Memory Management

    • Memory Randomization Lab

  • Privilege Escalation

    • Set-UID Lab

  • Privilege Restriction

    • Chroot Sandboxing Lab

    • Set-RandomUID Sandboxing Lab

OS (continued)

  • Enhancing OS to protect against attacks on vulnerable programs.

    • Buffer-overflow Lab: demo

    • Format-string Lab

    • Race condition Lab

    • Sandbox Lab

Networking

  • TCP/IP Protocols:

    • TCP/IP attack Labs (e.g. SYN flooding, TCP RST attacks, TCP session hijacking, Port scanning)

    • SYN-Cookie Labs (defend against DoS attacks)

  • DNS Protocol

    • Pharming Attacks Labs

  • IP Routing:

    • IPSec/VPN Labs

    • Firewall Labs

For Other Courses

  • Computer Architecture

    • 80386 Protection Mode Lab

  • Compilers

    • Return-to-libc lab (how stack works)

  • Software Engineering

    • Capability, RBAC labs (requirement analysis, design architecture, testing)

Web Programming

  • Hardening systems to defeat attacks on web applications.

    • SQL Injection

    • XSS

Evaluation

  • Survey-based evaluation

    • Anonymous survey after each lab

    • Group interview (by a specialist) each semester

  • Student feedback

    • Interview experiences

    • Job experiences

  • Peer reviews

    • Publications

    • Interviews

Experience

  • Developed 20 Labs during the last 6 years

  • Used in 3 courses at Syracuse University

    • One senior-level and two graduate-level

  • Also used by several other universities

    • Including non-security courses.

  • The results are very encouraging

    • Evaluation results can be found in our published papers and web sites.

Discussion Topics

  • Ideas of labs for various courses

  • Dissemination

    • We need to get others to use the labs. How?

    • Reach out to our own community.

    • A barrier: interested use

Initiative: Open-source Library of Labs

  • Hosting and Coordinating

    • Organizers and Industry/NSF sponsors

  • Contributing mechanisms

    • Portal or repository

  • Categorization mechanisms

    • By courses, topics, principles, difficulties, book chapters

  • Feedback mechanism

    • Anonymous comments, endorsements by employers

    • # of downloads

  • Discussion Forums
