Explaining the Buffer Overflow Problem: Instructional Design and Evaluation in Information Security Education

1
Explaining the Buffer Overflow Problem
Instructional Design and Evaluation in
Information Security Education
  • Embry-Riddle Aeronautical University, Prescott,
    Arizona
  • http://nsfsecurity.pr.erau.edu

2
Grant Overview (Author)
  • NSF Federal Cyber Service Scholarships for
    Service Institutional Capacity-building Award
    No. 0113627
  • College of Engineering
  • Dr. Susan L. Gerhart
  • Dr. Matthew S. Jaffe
  • Dr. Paul Hriljac
  • Science, Technology, Globalization Program
  • Dr. Richard Bloom
  • Consultants
  • Dr. Jan G. Hogle (Ed. Tech.)
  • Jedidiah Crandall (Student)

3
Grant Overview: Goals
  • interactive modules for undergraduate curricula
  • The Buffer Overflow problem
  • Cryptography
  • Interdependent Security Dimensions
  • Personnel Screening
  • Increased Student Interest in Security, possible
    degree program
  • Dissemination to other universities

4
Buffer Overflow Module: The Problem
  • Buffer Overflow: When data is written outside the
    bounds of its allocated memory
  • Vulnerabilities: Attacker can
  • hijack program execution
  • overwrite security-sensitive data in memory
  • cause a program crash leading to
    Denial-of-Service or a core dump of
    security-sensitive data

5
Buffer Overflow Module: Motivation
  • Pervasive and costly: "public enemy 1", >½ of CERT
    alerts
  • Improve software engineering practice
  • Hook for introducing security in several courses
  • Good application for interactive educational
    technology

6
Buffer Overflow Module: Approach
  • Demo: Simulated abstract machine (Java Applets)
  • Instructional Methodology
  • Audiences: Programmer, Tester, Journalist, IT
    Manager
  • Goals/objectives: What to learn, how to measure
    learning
  • Evaluation: Interviews, questionnaires, quizzes,

7
Buffer Overflow Module: Interactive Educational
Package
  • Stand-alone Authorware Website
  • Explanations of Attacks and Defenses
  • Demo Applets and Instructor Guide
  • Links, Code Red case study
  • Quiz and Scavenger Hunt
  • Courses: Programming, languages, operating
    systems, software engineering, security
  • Requires: 30 min. to demo, prerequisite
    introduction, depth (depends on course)
  • Results: Rapid learning, high impact
    presentation, learner engagement, retention

8
Demo: http://nsfsecurity.pr.erau.edu/bom
  • Stacks: How a typical C compiler uses run-time stacks
  • Spock: How security-sensitive data can be overwritten
  • Smasher: How program execution can be diverted away from
    the normal program execution path
  • StackGuard: How one particular defense against stack smashing
    works
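The Spock and StackGuard applets above run on a simulated abstract machine; the C program below is an added example (not part of the module or its applets) that does the same in miniature: a byte array stands in for a stack frame (the layout, canary value and oversized input are all constructed), an unchecked copy clobbers the canary and the adjacent security-sensitive flag, the bounded copy does not, and the canary check detects the overwrite before the frame is torn down.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Simulated stack frame, laid out as a typical C compiler would: the local
 * buffer at the lowest address, then a StackGuard-style canary, then a
 * security-sensitive local (an "is_admin" flag). All of it lives in one byte
 * array, so the overflow is simulated, not real undefined behaviour. */
#define BUF_SIZE   8
#define CANARY_OFF BUF_SIZE
#define FLAG_OFF   (BUF_SIZE + 4)
#define FRAME_SIZE (FLAG_OFF + 4)
static const uint8_t CANARY[4] = {0xDE, 0xAD, 0xBE, 0xEF}; /* constructed value */
struct frame { uint8_t mem[FRAME_SIZE]; };

static void frame_init(struct frame *f) {
    memset(f->mem, 0, FRAME_SIZE);                        /* flag = 0: not admin */
    memcpy(f->mem + CANARY_OFF, CANARY, sizeof CANARY);
}
static int32_t frame_flag(const struct frame *f) {
    int32_t v; memcpy(&v, f->mem + FLAG_OFF, sizeof v); return v;
}
/* "Spock": strcpy-style copy sized by the input, not the buffer. Clamped to
 * FRAME_SIZE only so the simulation itself stays inside the array. */
static void copy_unchecked(struct frame *f, const char *input) {
    size_t n = strlen(input);
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->mem, input, n);
}
/* Bounded copy: at most BUF_SIZE - 1 bytes plus the terminating NUL. */
static void copy_bounded(struct frame *f, const char *input) {
    size_t n = strlen(input);
    if (n > BUF_SIZE - 1) n = BUF_SIZE - 1;
    memcpy(f->mem, input, n);
    f->mem[n] = '\0';
}
/* "StackGuard": before the frame is torn down, check the canary survived. */
static int canary_intact(const struct frame *f) {
    return memcmp(f->mem + CANARY_OFF, CANARY, sizeof CANARY) == 0;
}

int main(void) {
    struct frame f;
    const char *input = "AAAAAAAAAAAAAAAA";   /* 16 bytes, constructed oversize input */
    frame_init(&f); copy_bounded(&f, input);
    printf("bounded:   flag=%d canary_ok=%d\n", (int)frame_flag(&f), canary_intact(&f));
    frame_init(&f); copy_unchecked(&f, input);
    printf("unchecked: flag=%d canary_ok=%d\n", (int)frame_flag(&f), canary_intact(&f));
    return 0;
}
```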

9
Evaluation
  • Needs Analysis Matrix
  • Formative Evaluation
  • Pre-quiz: memory, C, SE practice
  • Post (interview, questionnaire): New?
    Understandable? Useful?
  • Suggestions: color change, Spock?
  • Website traffic: high
  • 33,000 page views since Aug. 2002
  • Average 25 visitors/day, 4 pages/visitor
  • >50 international

10
Lessons Learned
  • Carefully defining audience paid off
  • Interactivation is hard!
  • Professors aren't comfortable, students are
    natural
  • Must abstract from processes, like B.O.
  • Quizzes, scavenger hunts easy and fun
  • What's learning? What's gratuitous?
  • Hard to obtain feedback: forms hated