SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation

Wenliang (Kevin) Du

Department of Electrical Engineering & Computer Science

Syracuse University

Email: wedu@ecs.syr.edu

URL: http://www.cis.syr.edu/~wedu/seed/

Secure Coding Faculty Workshop, April 14-15, Orlando, FL

Objectives
  • Improve experiential learning in computer security education
  • Develop effective security-related labs (or course projects)
    • Targeting both security and non-security courses.

Overview
  • Philosophies behind our approach
  • Lab environment
  • The design of SEED labs
  • Overview of the labs (about 20)
  • Discussions

About SEED Project
  • Funded by the NSF CCLI Program
    • Phase I ($75K) was funded in 2002
    • Phase II ($450K) was funded in 2007
  • Four universities are main partners.
  • Several more universities are using the labs.
  • Web page for all the developed labs
    • http://www.cis.syr.edu/~wedu/seed/

Philosophy #1
  • Computer security education should focus on both the fundamental security principles and security-practice skills.
    • Principles: A wide spectrum.
    • Skills: designing, programming, testing, analyzing, innovating, and applying.
    • Focused and comprehensive labs

Philosophy #2
  • Computer security education should be integrated into many other courses, including Operating Systems, Networking, Computer Architecture, Compilers, Software Engineering, etc.

A Generic Environment
  • Use for most of the labs:
    • Learning a new environment is not easy
  • Not too expensive:
    • Most schools do not have a budget for this

Finding a System
  • A system that can be used to demonstrate a variety of security principles.
    • Interesting: can motivate students
    • Meaningful: not a toy
    • Manageable: doesn’t take months to understand

What can be more comprehensive than operating systems?

A Unified Lab Environment

[Diagram labels, in slide order: Labs; Minix; Linux; Virtual Machine (e.g. vmware); Host OS (Windows, Linux, etc.)]

Cost of Environment
  • Software cost
    • vmware is free for academic use
    • Minix and Linux are open-source and free
  • Hardware cost
    • Use student’s personal computer:
      • At least 1.5GB RAM, the more the better
    • Use a general computer lab
      • Administrator: install vmware
      • Students: buy a portable hard drive (> 6 G)

Laboratories
  • Three types of labs
    • Design/Implementation Labs
    • Exploration Labs
    • Vulnerability/Attack Labs
  • They cover different sets of skills
  • The time needed for these labs varies (1 week to 6 weeks)

Design/Implementation Labs

[Diagram labels, in slide order: Design/Implementation Labs; Minix; Virtual Machine (e.g. vmware)]

Objectives: to build and integrate security mechanisms in systems, and to apply security principles in system building.

Design Labs

  • Properties of this design:
    • Focused on targeted principles
    • Each lab takes 2-6 weeks
    • Difficulties can be adjusted

[Diagram labels, in slide order: Minix OS; Existing Components; Students’ Tasks; Capability; Encrypted File System; Sandbox; MAC; System; Randomization; RBAC; Access Control List; IPSec; Firewall; IDS]

Lab Development
  • Learning objectives
    • The principles covered by each lab
  • Simplification of the system
    • Multi-year project → Few weeks
    • Self-contained
    • Not over-simplified
  • Reduce non-security critical tasks
    • Simplification
    • Develop supporting materials

Exploration Labs

[Diagram labels, in slide order: Exploration Labs; Minix; Linux; Virtual Machine (e.g. vmware)]

Objectives: to explore how security mechanisms work, and to apply security principles in evaluating those mechanisms.

Exploration Labs

  • Guided Tour:
    • Small experiments
    • Guided activities
    • Interact with security components
    • Observe
    • Explain the observations

[Diagram labels, in slide order: Minix/Linux OS; “tour”; Other Components; Security Component; Set-UID; PAM: Pluggable Authentication Module; Intel 80x86 Protection Mode; Reference Monitor; SYN Cookie]

All the design labs can be transformed to exploration labs.

Vulnerability/Attack Labs

[Diagram labels, in slide order: Vulnerability/Attack Labs; Minix; Linux; Virtual Machine (e.g. vmware)]

Objectives: to learn from mistakes, to see how a flaw leads to security breaches, to carry out real attacks in the lab environment, and to apply security principles in defense.

Vulnerability/Attack Labs

  • Students’ Tasks:
    • 1. Find out those vulnerabilities
    • 2. Exploit the vulnerabilities
    • 3. Fix the vulnerabilities
    • 4. Design countermeasures

[Diagram labels, in slide order: Real-World Vulnerabilities; Fault Injection; Linux/Minix OS; User Space; Kernel Space]

Vulnerability Laboratories
  • Buffer-overflow Lab
  • Return-to-libc Attack Lab
  • Race-condition Lab
  • Format-string Lab
  • Sandbox (chroot) Lab
  • Attack Lab on TCP/IP
  • Attack Lab on DNS (Pharming Attacks)
  • Cross-Site Scripting Lab
  • SQL injection attack Lab
  • Set-UID vulnerability Lab
  • Lab on various OS kernel vulnerabilities

Our 2nd Philosophy
  • Computer security education should be integrated into many other courses, including Operating Systems, Networking, Computer Architecture, Compilers, Software Engineering, etc.

Examples for Operating Systems
  • File Systems
    • Encrypted File System (EFS) Lab
  • Access Control
    • Capability Lab
    • RBAC (Role-Based Access Control) Lab: demo
  • Memory Management
    • Memory Randomization Lab
  • Privilege Escalation
    • Set-UID Lab
  • Privilege Restriction
    • Chroot Sandboxing Lab
    • Set-RandomUID Sandboxing Lab

OS (continued)
  • Enhancing OS to protect against attacks on vulnerable programs.
    • Buffer-overflow Lab: demo
    • Format-string Lab
    • Race condition Lab
    • Sandbox Lab

Networking
  • TCP/IP Protocols:
    • TCP/IP attack Labs (e.g. SYN flooding, TCP RST attacks, TCP session hijacking, Port scanning)
    • SYN-Cookie Labs (defend against DOS attacks)
  • DNS Protocol
    • Pharming Attacks Labs
  • IP Routing:
    • IPSec/VPN Labs
    • Firewall Labs

For Other Courses
  • Computer Architecture
    • 80386 Protection Mode Lab
  • Compilers
    • Return-to-libc lab (how stack works)
  • Software Engineering
    • Capability, RBAC labs (requirement analysis, design architecture, testing)

Web Programming
  • Hardening systems to defeat attacks on web applications.
    • SQL Injection
    • XSS

Evaluation
  • Survey-based evaluation
    • Anonymous survey after each lab
    • Group interview (by a specialist) each semester
  • Student feedback
    • Interview experiences
    • Job experiences
  • Peer reviews
    • Publications
    • Interviews

Experience
  • Developed 20 Labs during the last 6 years
  • Used in 3 courses at Syracuse University
    • One senior-level and two graduate-level
  • Also used by several other universities
    • Including non-security courses.
  • The results are very encouraging
    • Evaluation results can be found in our published papers and web sites.

Discussion Topics
  • Ideas of labs for various courses
  • Dissemination
    • We need to get others to use the labs, how?
    • Reach out to our own community.
    • A barrier: interested use

Initiative: Open-source Library of Labs
  • Hosting and Coordinating
    • Organizers and Industry/NSF sponsors
  • Contributing mechanisms
    • Portal or repository
  • Categorization mechanisms
    • By courses, topics, principles, difficulties, book chapters
  • Feedback mechanism
    • Anonymous comments, endorsements by employers
    • # of downloads
  • Discussion Forums
