Secure Coding Faculty Workshop, April 14-15, Orlando, FL 1 SEED: A Suite of Instructional...
-
date post
22-Dec-2015 -
Category
Documents
-
view
214 -
download
0
Transcript of Secure Coding Faculty Workshop, April 14-15, Orlando, FL 1 SEED: A Suite of Instructional...
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
1
SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation
Wenliang (Kevin) DuDepartment of Electrical Engineering & Computer Science
Syracuse University
Email: [email protected]
URL: http://www.cis.syr.edu/~wedu/seed/
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
2
Objectives
• Improve experiential learning in computer security education
• Develop effective security-related labs (or course projects)• Targeting both security and non-security
courses.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
3
Overview
• Philosophies behind our approach• Lab environment• The design of SEED labs• Overview of the labs (about 20)• Discussions
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
4
About SEED Project
• Funded by the NSF CCLI Program • Phase I ($75K) was funded in 2002
• Phase II ($450K) was funded in 2007
• Four universities are main partners.• Several more universities are using.• Web page for all the developed labs
• http://www.cis.syr.edu/~wedu/seed/
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
5
Philosophy #1
• Computer security education should focus on both the fundamental security principles and security-practice skills.• Principles: A wide spectrum.
• Skills: designing, programming, testing, analyzing, innovating, and applying.
• Focused and comprehensive labs
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
6
Philosophy #2
• Computer security education should be integrated into many other courses, including Operating Systems, Networking, Computer Architecture, Compilers, Software Engineering, etc.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
7
A Generic Environment
• Use for most of the labs:• Learning a new environment is not easy
• Not too expensive:• Most schools do not have budget for this
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
8
Finding a System
• A system that can be used to demonstrate a variety of security principles.• Interesting: can motivate students
• Meaningful: not a toy
• Manageable: doesn’t take months to understand
What can be more comprehensive than operating systems?
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
9
A Unified Lab Environment
Labs
Minix Linux
Virtual Machine(e.g. vmware)
Host OS (Windows, Linux, etc.)
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
10
Cost of Environment
• Software cost• vmware is free for academic use
• Minix and Linux are open-source and free
• Hardware cost• Use student’s personal computer:
• At least 1.5GB RAM, the more the better
• Use a general computer lab• Administrator: install vmware
• Students: buy a portable hard drive (> 6 G)
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
11
Laboratories
• Three types of labs• Design/Implementation Labs
• Exploration Labs
• Vulnerability/Attack Labs
• They cover different sets of skills • The time needed for these labs varies (1
week to 6 weeks)
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
12
Design/Implementation Labs
Design/ImplementationLabs
Minix
Virtual Machine(e.g. vmware)
Objectives: to build and integrate security mechanisms in systems, and to apply security principles in system building.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
13
Design Labs
Students’ Tasks
Existing Components
Capability
Access Control List
SandboxEncrypted
File System
Properties of this design:• Focused on targeted principles • Each lab takes 2-6 weeks• Difficulties can be adjusted
RBAC
MAC
IPSec Firewall IDS
Minix OS
SystemRandomization
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
14
Lab Development
• Learning objectives• The principles covered by each lab
• Simplification of the system• Multi-year project Few weeks• Self-contained• Not over-simplified
• Reduce non-security critical tasks• Simplification• Develop supporting materials
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
15
Exploration Labs
ExplorationLabs
Minix Linux
Virtual Machine(e.g. vmware)
Objectives: to explore how security mechanisms work, and to apply security principles in evaluating those mechanisms.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
16
Exploration LabsMinix/Linux OS
Security Component
Other Components
Guided Tour:• Small experiments• Guided activities• Interact with security components• Observe• Explain the observations
“tour”
Set-UIDPAM: Pluggable
Authentication ModuleReference
Monitor
All the design labs can be transformed to exploration labs
Intel 80x86 ProtectionMode
SYNCookie
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
17
Vulnerability/Attack Labs
Vulnerability/AttackLabs
Minix Linux
Virtual Machine(e.g. vmware)
Objectives: to learn from mistakes, to see how a flaw leads to security breaches, to carry out real attacks in the lab environment, and to apply security principles in defense.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
18
Vulnerability/Attack Labs
Linux/Minix OS
User Space
Kernel Space
Real-World Vulnerabilities
Fault Injection
Students’ Tasks:1. Find out those vulnerabilities2. Exploit the vulnerabilities3. Fix the vulnerabilities4. Design countermeasures
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
19
Vulnerability Laboratories
• Buffer-overflow Lab• Return-to-libc Attack Lab• Race-condition Lab• Format-string Lab• Sandbox(chroot)Lab• Attack Lab on TCP/IP• Attack Lab on DNS
(Pharming Attacks)
• Cross-Site Scripting Lab• SQL injection attack Lab• Set-UID vulnerability Lab• Lab on various OS kernel
vulnerabilities
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
20
Our 2nd Philosophy
• Computer security education should be integrated into many other courses, including Operating Systems, Networking, Computer Architecture, Compilers, Software Engineering, etc.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
21
Examples for Operating Systems• File Systems
• Encrypted File System (EFS) Lab
• Access Control• Capability Lab• RBAC (Role-Based Access Control) Lab: demo
• Memory Management• Memory Randomization Lab
• Privilege Escalation• Set-UID Lab
• Privilege Restriction • Chroot Sandboxing Lab• Set-RandomUID Sandboxing Lab
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
22
OS (continued)
• Enhancing OS to protect against attacks on vulnerable programs.• Buffer-overflow Lab: demo
• Format-string Lab
• Race condition Lab
• Sandbox Lab
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
23
Networking
• TCP/IP Protocols: • TCP/IP attack Labs (e.g. SYN flooding, TCP RST
attacks, TCP session hijacking, Port scanning)
• SYN-Cookie Labs (defend against DOS attacks)
• DNS Protocol• Pharming Attacks Labs
• IP Routing: • IPSec/VPN Labs
• Firewall Labs
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
24
For Other Courses• Computer Architecture
• 80386 Protection Mode Lab
• Compilers• Return-to-libc lab (how stack works)
• Software Engineering• Capability, RBAC labs (requirement analysis,
design architecture, testing)
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
25
Web Programming
• Hardening systems to defeat attacks on web applications.• SQL Injection
• XSS
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
26
Evaluation
• Survey-based evaluation• Anonymous survey after each lab• Group interview (by a specialist) each semester
• Student feedbacks• Interview experiences• Job experiences
• Peer reviews• Publications• Interviews
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
27
Experience
• Developed 20 Labs during the last 6 years• Used in 3 courses at Syracuse University
• One senior-level and two graduate-level• Also used by several other universities
• Including non-secure courses.• The results are very encouraging
• Evaluation results can be found in our published papers and web sites.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
28
Discussion Topics
• Ideas of labs for various courses
• Dissemination• We need to get others to use the labs, how?
• Reach out to our own community.
• A barrier: interested use
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
29
Initiative: Open-source Library of Labs
• Hosting and Coordinating• Organizers and Industry/NSF sponsors
• Contributing mechanisms• Portal or repository
• Categorization mechanisms• By courses, topics, principles, difficulties, book chapters
• Feedback mechanism• Anonymous comments, endorsements by employers• # of downloads
• Discussion Forums