Secure Coding Faculty Wor kshop, April 14-15, Orlan do, FL 1 SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation Wenliang (Kevin) Du Department of Electrical Engineering & Computer Science Syracuse University Email: [email protected]URL: http://www.cis.syr.edu/~wedu/seed/
29
Embed
Secure Coding Faculty Workshop, April 14-15, Orlando, FL 1 SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation Wenliang (Kevin)
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
1
SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation
Wenliang (Kevin) DuDepartment of Electrical Engineering & Computer Science
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
2
Objectives
• Improve experiential learning in computer security education
• Develop effective security-related labs (or course projects)• Targeting both security and non-security
courses.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
3
Overview
• Philosophies behind our approach• Lab environment• The design of SEED labs• Overview of the labs (about 20)• Discussions
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
4
About SEED Project
• Funded by the NSF CCLI Program • Phase I ($75K) was funded in 2002
• Phase II ($450K) was funded in 2007
• Four universities are main partners.• Several more universities are using.• Web page for all the developed labs
• http://www.cis.syr.edu/~wedu/seed/
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
5
Philosophy #1
• Computer security education should focus on both the fundamental security principles and security-practice skills.• Principles: A wide spectrum.
• Skills: designing, programming, testing, analyzing, innovating, and applying.
• Focused and comprehensive labs
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
6
Philosophy #2
• Computer security education should be integrated into many other courses, including Operating Systems, Networking, Computer Architecture, Compilers, Software Engineering, etc.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
7
A Generic Environment
• Use for most of the labs:• Learning a new environment is not easy
• Not too expensive:• Most schools do not have budget for this
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
8
Finding a System
• A system that can be used to demonstrate a variety of security principles.• Interesting: can motivate students
• Meaningful: not a toy
• Manageable: doesn’t take months to understand
What can be more comprehensive than operating systems?
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
9
A Unified Lab Environment
Labs
Minix Linux
Virtual Machine(e.g. vmware)
Host OS (Windows, Linux, etc.)
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
10
Cost of Environment
• Software cost• vmware is free for academic use
• Minix and Linux are open-source and free
• Hardware cost• Use student’s personal computer:
• At least 1.5GB RAM, the more the better
• Use a general computer lab• Administrator: install vmware
• Students: buy a portable hard drive (> 6 G)
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
11
Laboratories
• Three types of labs• Design/Implementation Labs
• Exploration Labs
• Vulnerability/Attack Labs
• They cover different sets of skills • The time needed for these labs varies (1
week to 6 weeks)
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
12
Design/Implementation Labs
Design/ImplementationLabs
Minix
Virtual Machine(e.g. vmware)
Objectives: to build and integrate security mechanisms in systems, and to apply security principles in system building.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
13
Design Labs
Students’ Tasks
Existing Components
Capability
Access Control List
SandboxEncrypted
File System
Properties of this design:• Focused on targeted principles • Each lab takes 2-6 weeks• Difficulties can be adjusted
RBAC
MAC
IPSec Firewall IDS
Minix OS
SystemRandomization
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
14
Lab Development
• Learning objectives• The principles covered by each lab
• Simplification of the system• Multi-year project Few weeks• Self-contained• Not over-simplified
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
15
Exploration Labs
ExplorationLabs
Minix Linux
Virtual Machine(e.g. vmware)
Objectives: to explore how security mechanisms work, and to apply security principles in evaluating those mechanisms.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
16
Exploration LabsMinix/Linux OS
Security Component
Other Components
Guided Tour:• Small experiments• Guided activities• Interact with security components• Observe• Explain the observations
“tour”
Set-UIDPAM: Pluggable
Authentication ModuleReference
Monitor
All the design labs can be transformed to exploration labs
Intel 80x86 ProtectionMode
SYNCookie
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
17
Vulnerability/Attack Labs
Vulnerability/AttackLabs
Minix Linux
Virtual Machine(e.g. vmware)
Objectives: to learn from mistakes, to see how a flaw leads to security breaches, to carry out real attacks in the lab environment, and to apply security principles in defense.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
18
Vulnerability/Attack Labs
Linux/Minix OS
User Space
Kernel Space
Real-World Vulnerabilities
Fault Injection
Students’ Tasks:1. Find out those vulnerabilities2. Exploit the vulnerabilities3. Fix the vulnerabilities4. Design countermeasures
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
19
Vulnerability Laboratories
• Buffer-overflow Lab• Return-to-libc Attack Lab• Race-condition Lab• Format-string Lab• Sandbox(chroot)Lab• Attack Lab on TCP/IP• Attack Lab on DNS
(Pharming Attacks)
• Cross-Site Scripting Lab• SQL injection attack Lab• Set-UID vulnerability Lab• Lab on various OS kernel
vulnerabilities
Secure Coding Faculty Workshop, April 14-15, Orlando, FL
20
Our 2nd Philosophy
• Computer security education should be integrated into many other courses, including Operating Systems, Networking, Computer Architecture, Compilers, Software Engineering, etc.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL