1 / 14

Teaching Secure Systems Development with the Support of Industrial Partners

Teaching Secure Systems Development with the Support of Industrial Partners. Nick Efford School of Computing University of Leeds. Outline. Software security: a neglected area? Examples Challenges for educators The Leeds experience Taking advantage of industry support. An Example.

talon-chan
Download Presentation

Teaching Secure Systems Development with the Support of Industrial Partners

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Teaching Secure Systems Development with the Supportof Industrial Partners Nick EffordSchool of ComputingUniversity of Leeds Teaching of Security Workshop, 20 January 2005

  2. Outline • Software security: a neglected area? • Examples • Challenges for educators • The Leeds experience • Taking advantage of industry support Teaching of Security Workshop, 20 January 2005

  3. An Example Teaching of Security Workshop, 20 January 2005

  4. Public Enemy #1… Teaching of Security Workshop, 20 January 2005

  5. Public Enemy #1… Teaching of Security Workshop, 20 January 2005

  6. Stack Smashing High memory Caller’sstack frame …and overwrites return address, gaining control of execution! Parameters Return address Saved frame pointer Frame pointer Other localvariables Attacker overruns buffer… Buffer Low memory Stack pointer Teaching of Security Workshop, 20 January 2005

  7. SQL Injection String query ="SELECT * FROM accounts WHERE user='" + user + "' AND password='" + passwd + "'" ; SELECT * FROM accounts WHERE user='nde' -- 'AND password='' SELECT * FROM accounts WHERE user='nde' OR 1=1 --'AND password='' Teaching of Security Workshop, 20 January 2005

  8. A Common Theme • Buffer overruns and SQL injection are examples of input validation problems • Students need to learn that “all input is evil” • How good are we at teaching this? • Difficult to do as part of introductory programming • Difficult for students to appreciate the extreme things that attackers will try as input Teaching of Security Workshop, 20 January 2005

  9. Challenges For Educators • Programming • System architecture • Software development processes Teaching of Security Workshop, 20 January 2005

  10. Secure Computing at theUniversity of Leeds • 10 credit module for level 3 undergraduates • Lecture-based (20 hours) • 30% coursework, 70% examination • Compromise solution • Emphasises issues of secure programming and design, but does not focus on them exclusively Teaching of Security Workshop, 20 January 2005

  11. Initial Syllabus • Basic cryptography [3] • Threat modelling [1] • Network-related threats & malware [5] • System building [8] • Low- & high-level vulnerabilities • Secure system design principles • Security in Java & .NET • Quality assurance, testing & deployment • Operational issues [2] Teaching of Security Workshop, 20 January 2005

  12. Microsoft’s Involvement • What they provided • Problem identification • Financial support to develop module • Access to Microsoft’s own security experts • Free copy of a textbook for students • What they expected in return • Emphasis on secure development • No say in the detailed syllabus, surprisingly! • Materials to be made freely available Teaching of Security Workshop, 20 January 2005

  13. Good & Bad Points • Money with ‘no strings attached’ • Hands-off approach • PR activities • ‘Hate mail’! • Hands-off approach Teaching of Security Workshop, 20 January 2005

  14. Summary • The secure design and implementation of software is a hitherto neglected area • We need to ensure that graduates have these skills, or at least awareness of issues • The Leeds-Microsoft project shows that • Industry concerns can feed into academic practice • This can be relatively painless experience • Academic integrity need not be compromised Teaching of Security Workshop, 20 January 2005

More Related