Secure Coding Faculty Workshop, April 14-15, Orlando, FL 1 SEED: A Suite of Instructional...

Secure Coding Faculty Workshop, April 14-15, Orlando, FL

1

SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation

Wenliang (Kevin) DuDepartment of Electrical Engineering & Computer Science

Syracuse University

Email: [email protected]

URL: http://www.cis.syr.edu/~wedu/seed/


2

Objectives

• Improve experiential learning in computer security education

• Develop effective security-related labs (or course projects)• Targeting both security and non-security

courses.


3

Overview

• Philosophies behind our approach• Lab environment• The design of SEED labs• Overview of the labs (about 20)• Discussions


4

About SEED Project

• Funded by the NSF CCLI Program • Phase I ($75K) was funded in 2002

• Phase II ($450K) was funded in 2007

• Four universities are main partners.• Several more universities are using.• Web page for all the developed labs

• http://www.cis.syr.edu/~wedu/seed/


5

Philosophy #1

• Computer security education should focus on both the fundamental security principles and security-practice skills.• Principles: A wide spectrum.

• Skills: designing, programming, testing, analyzing, innovating, and applying.

• Focused and comprehensive labs


6

Philosophy #2

• Computer security education should be integrated into many other courses, including Operating Systems, Networking, Computer Architecture, Compilers, Software Engineering, etc.


7

A Generic Environment

• Use for most of the labs:• Learning a new environment is not easy

• Not too expensive:• Most schools do not have budget for this


8

Finding a System

• A system that can be used to demonstrate a variety of security principles.• Interesting: can motivate students

• Meaningful: not a toy

• Manageable: doesn’t take months to understand

What can be more comprehensive than operating systems?


9

A Unified Lab Environment

Labs

Minix Linux

Virtual Machine(e.g. vmware)

Host OS (Windows, Linux, etc.)


10

Cost of Environment

• Software cost• vmware is free for academic use

• Minix and Linux are open-source and free

• Hardware cost• Use student’s personal computer:

• At least 1.5GB RAM, the more the better

• Use a general computer lab• Administrator: install vmware

• Students: buy a portable hard drive (> 6 G)


11

Laboratories

• Three types of labs• Design/Implementation Labs

• Exploration Labs

• Vulnerability/Attack Labs

• They cover different sets of skills • The time needed for these labs varies (1

week to 6 weeks)


12

Design/Implementation Labs

Design/ImplementationLabs

Minix


Objectives: to build and integrate security mechanisms in systems, and to apply security principles in system building.


13

Design Labs

Students’ Tasks

Existing Components

Capability

Access Control List

SandboxEncrypted

File System

Properties of this design:• Focused on targeted principles • Each lab takes 2-6 weeks• Difficulties can be adjusted

RBAC

MAC

IPSec Firewall IDS

Minix OS

SystemRandomization


14

Lab Development

• Learning objectives• The principles covered by each lab

• Simplification of the system• Multi-year project Few weeks• Self-contained• Not over-simplified

• Reduce non-security critical tasks• Simplification• Develop supporting materials


15

Exploration Labs

ExplorationLabs

Minix Linux


Objectives: to explore how security mechanisms work, and to apply security principles in evaluating those mechanisms.


16

Exploration LabsMinix/Linux OS

Security Component

Other Components

Guided Tour:• Small experiments• Guided activities• Interact with security components• Observe• Explain the observations

“tour”

Set-UIDPAM: Pluggable

Authentication ModuleReference

Monitor

All the design labs can be transformed to exploration labs

Intel 80x86 ProtectionMode

SYNCookie


17

Vulnerability/Attack Labs

Vulnerability/AttackLabs

Minix Linux


Objectives: to learn from mistakes, to see how a flaw leads to security breaches, to carry out real attacks in the lab environment, and to apply security principles in defense.


18

Vulnerability/Attack Labs

Linux/Minix OS

User Space

Kernel Space

Real-World Vulnerabilities

Fault Injection

Students’ Tasks:1. Find out those vulnerabilities2. Exploit the vulnerabilities3. Fix the vulnerabilities4. Design countermeasures


19

Vulnerability Laboratories

• Buffer-overflow Lab• Return-to-libc Attack Lab• Race-condition Lab• Format-string Lab• Sandbox(chroot)Lab• Attack Lab on TCP/IP• Attack Lab on DNS

(Pharming Attacks)

• Cross-Site Scripting Lab• SQL injection attack Lab• Set-UID vulnerability Lab• Lab on various OS kernel

vulnerabilities


20

Our 2nd Philosophy

• Computer security education should be integrated into many other courses, including Operating Systems, Networking, Computer Architecture, Compilers, Software Engineering, etc.


21

Examples for Operating Systems• File Systems

• Encrypted File System (EFS) Lab

• Access Control• Capability Lab• RBAC (Role-Based Access Control) Lab: demo

• Memory Management• Memory Randomization Lab

• Privilege Escalation• Set-UID Lab

• Privilege Restriction • Chroot Sandboxing Lab• Set-RandomUID Sandboxing Lab


22

OS (continued)

• Enhancing OS to protect against attacks on vulnerable programs.• Buffer-overflow Lab: demo

• Format-string Lab

• Race condition Lab

• Sandbox Lab


23

Networking

• TCP/IP Protocols: • TCP/IP attack Labs (e.g. SYN flooding, TCP RST

attacks, TCP session hijacking, Port scanning)

• SYN-Cookie Labs (defend against DOS attacks)

• DNS Protocol• Pharming Attacks Labs

• IP Routing: • IPSec/VPN Labs

• Firewall Labs


24

For Other Courses• Computer Architecture

• 80386 Protection Mode Lab

• Compilers• Return-to-libc lab (how stack works)

• Software Engineering• Capability, RBAC labs (requirement analysis,

design architecture, testing)


25

Web Programming

• Hardening systems to defeat attacks on web applications.• SQL Injection

• XSS


26

Evaluation

• Survey-based evaluation• Anonymous survey after each lab• Group interview (by a specialist) each semester

• Student feedbacks• Interview experiences• Job experiences

• Peer reviews• Publications• Interviews


27

Experience

• Developed 20 Labs during the last 6 years• Used in 3 courses at Syracuse University

• One senior-level and two graduate-level• Also used by several other universities

• Including non-secure courses.• The results are very encouraging

• Evaluation results can be found in our published papers and web sites.


28

Discussion Topics

• Ideas of labs for various courses

• Dissemination• We need to get others to use the labs, how?

• Reach out to our own community.

• A barrier: interested use


29

Initiative: Open-source Library of Labs

• Hosting and Coordinating• Organizers and Industry/NSF sponsors

• Contributing mechanisms• Portal or repository

• Categorization mechanisms• By courses, topics, principles, difficulties, book chapters

• Feedback mechanism• Anonymous comments, endorsements by employers• # of downloads

• Discussion Forums

Secure Coding Faculty Workshop, April 14-15, Orlando, FL 1 SEED: A Suite of Instructional...

Documents

Transcript of Secure Coding Faculty Workshop, April 14-15, Orlando, FL 1 SEED: A Suite of Instructional...