In the past few years, numerous universities have incorporated computer security courses into their
undergraduate curricula. Recent studies show that students can effectively gain their knowledge and
experience in building secure computer systems by conducting course projects. However, existing
computer security laboratory exercises are comprised of small-scale, fragmented, and isolated course projects, making it inadequate to prepare undergraduate students to implement real-world secure computing systems. Conventional wisdom in designing computer security course projects pays little
attention to train students to assemble small building blocks into a large-scale secure computing and information system. To overcome students’ lack of experience in implementing large-scale secure software, we propose a novel application-oriented approach to teaching computer security courses by constructing course projects for computer security education. In this pilot project we will develop an extensible application framework for computer security course projects. The framework will provide valuable learning materials that can enable undergraduate students to gain unique experience of building large-scale trustworthy computer systems. Course projects are implemented as plugin modules of an application-based framework. After integrating all the security modules together in the framework, undergraduate students can experiment with various ways of implementing sophisticated
secure computer and information systems.
An Application-Oriented Approach for Computer Security Education
1. An Application-Oriented Approach for Computer Security Education Xiao Qin Department of Computer Science and Software Engineering Auburn University Email: xqin@auburn.edu URL: http://www.eng.auburn.edu/~xqin
2. Goal and Objectives Goal: New approaches for computer security education Objective 1: To prepare students to design, implement, and test secure software Objective 2: A holistic platform for constructing computer security course projects Student-centered learning Professor-centered platform
3.
4. Challenges Student -Centered Learning Teamwork Secure Software Design Programming What projects can help students to learn about teamwork? Must we teach students how to design secure software? How to provide engaging computer security projects ? How to teach multiple programming languages?
5. Challenges Professor -Centered Platform Flexibility Preparation Grading Teaching What projects can be tailored to students to learn about teamwork? What is a good way to grade computer security projects? How to quickly prepare engaging computer security projects ? How to teach computer security projects?
6.
7.
8. Our Solution: Application-Oriented Approach Security Sensitive Applications Security Module 1 User Interface OS (Windows, Linux, etc.) Non-Security Modules Security Module n Security Modules
9.
10. A Unified Programming Environment Security Sensitive Applications Security Module 1 User Interface OS (Windows, Linux, etc.) Non-Security Modules Security Module n Virtual Machine (e.g. vmware, virtualBox )
11.
12. Flexibility How Modules Are Packaged Beginner Easy Intermediate Moderate Advanced Hard Explorative Light Editing Basic Understand Of Concepts Normal Implementation Depth Understanding Of Concept Advanced Implementation
13.
14.
15.
16.
17. Workflow A professor’s perspective Teach Concept Generate Project Description Design Survey Questions Choose Apps & Difficulty Work On Project Evaluation/Feedback Design Docs & Partial Code System Setup
19. Put It All Together An example A Banking System Access Control User Interface OS (Windows, Linux, etc.) Non-Security Modules Encryption IPSec Virtual Machine (e.g. vmware, virtualBox )
20. Class Diagram A secure teller terminal system Intermediate
21. Class Diagram A secure teller terminal system Advanced No security modules in the design document (e.g., class diagram)
30. Evaluation Results (1) (1) ≤ 5 hours (2) 6-10 hours (3) 11-20 hours (4) 21-30 hours (5) > 30 hours Survey: Approximately, how many hours did you spend on the project? Design 81% <10h Implementation 46% >21h Entire Project 40% >30h
31. Evaluation Results (2) (1) Strongly disagree (2) Disagree (3) Neutral (4) Agree (5) Strongly agree Survey: The project instructions were clear. Teller terminal system 69%: agree or strongly agree Cryptographic system 58%: agree or strongly agree
32. Evaluation Results (3) (1) Very easy (2) Somewhat easy (3) Average (4) Somewhat difficult (5) Very difficult Survey: What was the level of difficulty of this project? Teller terminal system 61%: somewhat difficult or very difficult Cryptographic system 53%: somewhat difficult or very difficult
33. Evaluation Results (4) Survey: What was the level of interest in this project? Teller terminal system 58%: Average, High, or very high Cryptographic system 85%: Average, High, or very high 1. (1) Very low (2) Low (3) Average (4) High (5) Very high
34. Evaluation Results (5) Survey: What was the most time consuming part of in the design portion of the project? Teller terminal system 44%: Use cases Cryptographic system 58%: Testing (1) Use Cases (2) Class Diagram (3) System Sequence Diagram (4) Testing
35. Evaluation Results (6) (1) Strongly disagree (2) Disagree (3) Neutral (4) Agree (5) Strongly agree Survey: As a result of the lab, I am more interested in computer security. Teller terminal system 17%: strongly disagree or disagree Cryptographic system 20%: strongly disagree or disagree
36.
37. Evaluation Results (7 cont.) (1) Strongly disagree (2) Disagree (3) Neutral (4) Agree (5) Strongly agree Survey: Overall, I have attained the learning objectives of the project. Teller terminal system 52%: strongly agree or agree Cryptographic system 65%: strongly agree or agree
Research Assistants: Alfred Nelson, Andrew Pitchford, and John Barton
1: Provide engaging computer security laboratory and experiences. The project will facilitate novel computer security laboratory exercises that are holistically and seamlessly integrated into the QoSec middleware framework, which aim at preparing undergraduate students to implement real-world secure software applications. Using QoSec, students can effectively and successfully carry out computer security laboratory experiments that enable students to build relevant security modules, which in turn can be put together in QoSec to develop secure applications. To shorten the learning curve introduced by professional middleware, QoSec - to be used in engaging computer security laboratories - has an easy interface to reduce complexity of implementing large-scale secure computer and information systems. Students are expected to gain their practical experience in developing secure computing and information systems by conducting course projects integrated within QoSec. 2: Share the QoSec framework and its instructional materials. To allow other computer security educators to build on, connect to, and enhance the extensible QoSec framework, we will share QoSec and its accompanying instructional materials within the computer security education community. Other computer security educators have flexibility to design new and upgraded course projects as plugin modules of the QoSec framework, making it possible for their students to readily and seamlessly integrate the new and upgraded course projects into QoSec. This goal will be accomplished by the wide dissemination of QoSec and its learning materials to a growing network of computer security instructors through presentations at regional and national conferences.
Share my experience: 1 project. 10-20 hours to prepare a project; 20-50 hours to implement a project. Can we save professors time spent in preparing labs?
See also teaching philosophy from Wenliang Du’s SEED project.
Recent studies (see, for example, [1] and [2]) show that students can effectively gain their knowledge and experience in building secure computer systems by conducting course projects. [1] W.-L Du and R.-H Wang, “SEED: A Suite of Instructional Laboratories for Computer Security Education,” The ACM Journal on Educational Resources in Computing (JERIC) , vol. 8, no. 1, March 2008. [2] S.J. Lincke, “Network Security Auditing as a Community-Based Learning Project,” Proc. 38th SIGCSE Tech. Symp. Computer Science Education , pp. 476-480, March 2007. Problem: existing computer security laboratory exercises are comprised of small-scale, fragmented, and isolated course projects.
Conventional Computer Security curriculums Exercises which engage the student in real world scenarios Developing practice laboratory modules Network security design principles
Next: let’s consider programming environment.
Conventional Computer Security curriculums Exercises which engage the student in real world scenarios Developing practice laboratory modules Network security design principles
3 research assistants Approach 1: each RA design and implement a security sensitive application Approach 2: 3 RAs collaborate on a single application. We took approach 2.
3 research assistants Approach 1: each RA design and implement a security sensitive application Approach 2: 3 RAs collaborate on a single application. We took approach 2.
Integrate modules Students – integrate the security modules. Learn to manage existing system. Experience reading other’s code.
Conventional Computer Security curriculums Exercises which engage the student in real world scenarios Developing practice laboratory modules Network security design principles Another example: access control Need a better way of teaching Access Control. Usually, a very simple project, 3-4 classes. Built from scratch, very shallow. Our solution: implement it within our Banking project.
No security modules in the design document
Recap Learn general principles of software security. Simple yet sophisticated. Learn to integrate module into existing system.
How to choose a course to test our approach? Comp 4370 – Introduction to Computer and Network Security Introductory-level course Students have programming experiences Small-scale projects for advanced students Comp 7370 – Advanced Computer and Network Security Research projects e.g.,memory attacks. Performance evaluation Comp 2710 – Software Construction No design experience Weak programming skill (Note: Engaging weak programmers in problem solving ) Quickly teach/learn basic security concepts Motivate us to improve students’ design skill and design tools 57 Students 48 participants
57 Students 48 participants
57 Students 48 participants, project 1 53 project 2
Interface, simple database, access control
Interface, simple database, access control
Interface, simple database, access control
Interface, simple database, access control Observation: Easier -> more interests Implication: Help students to better design and implement applications
Interface, simple database, access control Observation: help students with the time-consuming parts Implication: Help students to efficiently design applications