1 / 29

SEED : A Suite of Instructional Laboratories for Computer SE curity ED ucation

SEED : A Suite of Instructional Laboratories for Computer SE curity ED ucation. Wenliang (Kevin) Du Department of Electrical Engineering & Computer Science Syracuse University Email: wedu@ecs.syr.edu URL: http://www.cis.syr.edu/~wedu/seed/. Objectives.

sherlock_clovis
Download Presentation

SEED : A Suite of Instructional Laboratories for Computer SE curity ED ucation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation Wenliang (Kevin) Du Department of Electrical Engineering & Computer Science Syracuse University Email: wedu@ecs.syr.edu URL: http://www.cis.syr.edu/~wedu/seed/ Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  2. Objectives • Improve experiential learning in computer security education • Develop effective security-related labs (or course projects) • Targeting both security and non-security courses. Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  3. Overview • Philosophies behind our approach • Lab environment • The design of SEED labs • Overview of the labs (about 20) • Discussions Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  4. About SEED Project • Funded by the NSF CCLI Program • Phase I ($75K) was funded in 2002 • Phase II ($450K) was funded in 2007 • Four universities are main partners. • Several more universities are using. • Web page for all the developed labs • http://www.cis.syr.edu/~wedu/seed/ Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  5. Philosophy #1 • Computer security education should focus on both the fundamental security principles and security-practice skills. • Principles: A wide spectrum. • Skills: designing, programming, testing, analyzing, innovating, and applying. • Focused and comprehensive labs Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  6. Philosophy #2 • Computer security education should be integrated into many other courses, including Operating Systems, Networking, Computer Architecture, Compilers, Software Engineering, etc. Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  7. A Generic Environment • Use for most of the labs: • Learning a new environment is not easy • Not too expensive: • Most schools do not have budget for this Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  8. Finding a System • A system that can be used to demonstrate a variety of security principles. • Interesting: can motivate students • Meaningful: not a toy • Manageable: doesn’t take months to understand What can be more comprehensive than operating systems? Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  9. A Unified Lab Environment Labs Minix Linux Virtual Machine (e.g. vmware) Host OS (Windows, Linux, etc.) Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  10. Cost of Environment • Software cost • vmware is free for academic use • Minix and Linux are open-source and free • Hardware cost • Use student’s personal computer: • At least 1.5GB RAM, the more the better • Use a general computer lab • Administrator: install vmware • Students: buy a portable hard drive (> 6 G) Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  11. Laboratories • Three types of labs • Design/Implementation Labs • Exploration Labs • Vulnerability/Attack Labs • They cover different sets of skills • The time needed for these labs varies (1 week to 6 weeks) Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  12. Design/Implementation Labs Design/Implementation Labs Minix Virtual Machine (e.g. vmware) Objectives: to build and integrate security mechanisms in systems, and to apply security principles in system building. Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  13. Design Labs Minix OS Existing Components Students’ Tasks • Properties of this design: • Focused on targeted principles • Each lab takes 2-6 weeks • Difficulties can be adjusted Capability Encrypted File System Sandbox MAC System Randomization RBAC Access Control List IPSec Firewall IDS Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  14. Lab Development • Learning objectives • The principles covered by each lab • Simplification of the system • Multi-year project  Few weeks • Self-contained • Not over-simplified • Reduce non-security critical tasks • Simplification • Develop supporting materials Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  15. Exploration Labs Exploration Labs Minix Linux Virtual Machine (e.g. vmware) Objectives: to explore how security mechanisms work, and to apply security principles in evaluating those mechanisms. Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  16. Exploration Labs Minix/Linux OS “tour” Other Components Security Component • Guided Tour: • Small experiments • Guided activities • Interact with security components • Observe • Explain the observations Set-UID PAM: Pluggable Authentication Module Intel 80x86 Protection Mode Reference Monitor SYN Cookie All the design labs can be transformed to exploration labs Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  17. Vulnerability/Attack Labs Vulnerability/Attack Labs Minix Linux Virtual Machine (e.g. vmware) Objectives: to learn from mistakes, to see how a flaw leads to security breaches, to carry out real attacks in the lab environment, and to apply security principles in defense. Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  18. Vulnerability/Attack Labs Real-World Vulnerabilities • Students’ Tasks: • Find out those vulnerabilities • Exploit the vulnerabilities • Fix the vulnerabilities • 4. Design countermeasures Fault Injection Linux/Minix OS User Space Kernel Space Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  19. Buffer-overflow Lab Return-to-libc Attack Lab Race-condition Lab Format-string Lab Sandbox(chroot)Lab Attack Lab on TCP/IP Attack Lab on DNS (Pharming Attacks) Cross-Site Scripting Lab SQL injection attack Lab Set-UID vulnerability Lab Lab on various OS kernel vulnerabilities Vulnerability Laboratories Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  20. Our 2nd Philosophy • Computer security education should be integrated into many other courses, including Operating Systems, Networking, Computer Architecture, Compilers, Software Engineering, etc. Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  21. Examples for Operating Systems • File Systems • Encrypted File System (EFS) Lab • Access Control • Capability Lab • RBAC (Role-Based Access Control) Lab: demo • Memory Management • Memory Randomization Lab • Privilege Escalation • Set-UID Lab • Privilege Restriction • Chroot Sandboxing Lab • Set-RandomUID Sandboxing Lab Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  22. OS (continued) • Enhancing OS to protect against attacks on vulnerable programs. • Buffer-overflow Lab: demo • Format-string Lab • Race condition Lab • Sandbox Lab Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  23. Networking • TCP/IP Protocols: • TCP/IP attack Labs (e.g. SYN flooding, TCP RST attacks, TCP session hijacking, Port scanning) • SYN-Cookie Labs (defend against DOS attacks) • DNS Protocol • Pharming Attacks Labs • IP Routing: • IPSec/VPN Labs • Firewall Labs Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  24. For Other Courses • Computer Architecture • 80386 Protection Mode Lab • Compilers • Return-to-libc lab (how stack works) • Software Engineering • Capability, RBAC labs (requirement analysis, design architecture, testing) Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  25. Web Programming • Hardening systems to defeat attacks on web applications. • SQL Injection • XSS Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  26. Evaluation • Survey-based evaluation • Anonymous survey after each lab • Group interview (by a specialist) each semester • Student feedbacks • Interview experiences • Job experiences • Peer reviews • Publications • Interviews Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  27. Experience • Developed 20 Labs during the last 6 years • Used in 3 courses at Syracuse University • One senior-level and two graduate-level • Also used by several other universities • Including non-secure courses. • The results are very encouraging • Evaluation results can be found in our published papers and web sites. Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  28. Discussion Topics • Ideas of labs for various courses • Dissemination • We need to get others to use the labs, how? • Reach out to our own community. • A barrier: interested use Secure Coding Faculty Workshop, April 14-15, Orlando, FL

  29. Initiative: Open-source Library of Labs • Hosting and Coordinating • Organizers and Industry/NSF sponsors • Contributing mechanisms • Portal or repository • Categorization mechanisms • By courses, topics, principles, difficulties, book chapters • Feedback mechanism • Anonymous comments, endorsements by employers • # of downloads • Discussion Forums Secure Coding Faculty Workshop, April 14-15, Orlando, FL

More Related