SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation - PowerPoint PPT Presentation

About This Presentation

Title:

SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation

Description:

Secure Coding Faculty Workshop, April 14-15, Orlando, FL. 1 ... Secure Coding Faculty Workshop, April 14-15, Orlando, FL. 10. Cost of Environment. Software cost ... – PowerPoint PPT presentation

Number of Views:204

Avg rating:3.0/5.0

Slides: 30

Provided by: cis86

Learn more at: https://web.ecs.syr.edu

Category:

more less

Transcript and Presenter's Notes

Title: SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation

1
SEED A Suite of Instructional Laboratories for
Computer SEcurity EDucation

Wenliang (Kevin) Du
Department of Electrical Engineering Computer
Science
Syracuse University
Email wedu_at_ecs.syr.edu
URL http//www.cis.syr.edu/wedu/seed/

2
Objectives

Improve experiential learning in computer
security education
Develop effective security-related labs (or
course projects)
Targeting both security and non-security courses.

3
Overview

Philosophies behind our approach
Lab environment
The design of SEED labs
Overview of the labs (about 20)
Discussions

4
About SEED Project

Funded by the NSF CCLI Program
Phase I (75K) was funded in 2002
Phase II (450K) was funded in 2007
Four universities are main partners.
Several more universities are using.
Web page for all the developed labs
http//www.cis.syr.edu/wedu/seed/

5
Philosophy 1

Computer security education should focus on both
the fundamental security principles and
security-practice skills.
Principles A wide spectrum.
Skills designing, programming, testing,
analyzing, innovating, and applying.
Focused and comprehensive labs

6
Philosophy 2

Computer security education should be integrated
into many other courses, including Operating
Systems, Networking, Computer Architecture,
Compilers, Software Engineering, etc.

7
A Generic Environment

Use for most of the labs
Learning a new environment is not easy
Not too expensive
Most schools do not have budget for this

8
Finding a System

A system that can be used to demonstrate a
variety of security principles.
Interesting can motivate students
Meaningful not a toy
Manageable doesnt take months to understand

What can be more comprehensive than operating
systems?
9
A Unified Lab Environment
Labs
Minix
Linux
Virtual Machine (e.g. vmware)
Host OS (Windows, Linux, etc.)
10
Cost of Environment

Software cost
vmware is free for academic use
Minix and Linux are open-source and free
Hardware cost
Use students personal computer
At least 1.5GB RAM, the more the better
Use a general computer lab
Administrator install vmware
Students buy a portable hard drive (gt 6 G)

11
Laboratories

Three types of labs
Design/Implementation Labs
Exploration Labs
Vulnerability/Attack Labs
They cover different sets of skills
The time needed for these labs varies (1 week to
6 weeks)

12
Design/Implementation Labs
Design/Implementation Labs
Minix
Virtual Machine (e.g. vmware)
Objectives to build and integrate security
mechanisms in systems, and to
apply security principles in
system building.
13
Design Labs
Minix OS
Existing Components
Students Tasks

Properties of this design
Focused on targeted principles
Each lab takes 2-6 weeks
Difficulties can be adjusted

Capability
Sandbox
Encrypted File System
MAC
System Randomization
Access Control List
RBAC
IPSec
Firewall
IDS
14
Lab Development

Learning objectives
The principles covered by each lab
Simplification of the system
Multi-year project ? Few weeks
Self-contained
Not over-simplified
Reduce non-security critical tasks
Simplification
Develop supporting materials

15
Exploration Labs
Exploration Labs
Minix
Linux
Virtual Machine (e.g. vmware)
Objectives to explore how security mechanisms
work, and to apply security
principles in evaluating
those mechanisms.
16
Exploration Labs
Minix/Linux OS
tour
Other Components
Security Component

Guided Tour
Small experiments
Guided activities
Interact with security components
Observe
Explain the observations

Set-UID
PAM Pluggable Authentication Module
Reference Monitor
Intel 80x86 Protection Mode
All the design labs can be transformed to
exploration labs
SYN Cookie
17
Vulnerability/Attack Labs
Vulnerability/Attack Labs
Minix
Linux
Virtual Machine (e.g. vmware)
Objectives to learn from mistakes, to see how a
flaw leads to security
breaches, to carry out real
attacks in the lab environment, and to apply
security principles in defense.
18
Vulnerability/Attack Labs
Real-World Vulnerabilities

Students Tasks
Find out those vulnerabilities
Exploit the vulnerabilities
Fix the vulnerabilities
4. Design countermeasures

Fault Injection
Linux/Minix OS
User Space
Kernel Space
19
Vulnerability Laboratories

Buffer-overflow Lab
Return-to-libc Attack Lab
Race-condition Lab
Format-string Lab
Sandbox(chroot)Lab
Attack Lab on TCP/IP
Attack Lab on DNS (Pharming Attacks)

Cross-Site Scripting Lab
SQL injection attack Lab
Set-UID vulnerability Lab
Lab on various OS kernel vulnerabilities

20
Our 2nd Philosophy

Computer security education should be integrated
into many other courses, including Operating
Systems, Networking, Computer Architecture,
Compilers, Software Engineering, etc.

21
Examples for Operating Systems

File Systems
Encrypted File System (EFS) Lab
Access Control
Capability Lab
RBAC (Role-Based Access Control) Lab demo
Memory Management
Memory Randomization Lab
Privilege Escalation
Set-UID Lab
Privilege Restriction
Chroot Sandboxing Lab
Set-RandomUID Sandboxing Lab

22
OS (continued)

Enhancing OS to protect against attacks on
vulnerable programs.
Buffer-overflow Lab demo
Format-string Lab
Race condition Lab
Sandbox Lab

23
Networking

TCP/IP Protocols
TCP/IP attack Labs (e.g. SYN flooding, TCP RST
attacks, TCP session hijacking, Port scanning)
SYN-Cookie Labs (defend against DOS attacks)
DNS Protocol
Pharming Attacks Labs
IP Routing
IPSec/VPN Labs
Firewall Labs

24
For Other Courses