DESIGNING WEB LABS FOR TEACHING SECURITY CONCEPTS ABSTRACT

Transcription

1 DESIGNING WEB LABS FOR TEACHING SECURITY CONCEPTS ABSTRACT Security education is critical in today s cyber threat environment. Many schools have investigated different approaches to teaching fundamental security concepts through lectures, hands on labs, security education tools, competitions, and integrated curricula. At our institution, we have used interactive tools in and out of the classroom to teach security concepts for several years. Several of our tools present concepts in a simulated environment with a higher level of abstraction than running a real tool on an actual machine. We have also begun experimenting with embedding the tools in a set of web pages that can be used to direct the student through the concepts, suggest experiments to try, and provide additional explanation of results. These web labs are well suited to remote access and online learning environments. This paper will describe the general design philosophy of such labs, give specific examples, and discuss our experience and future plans. INTRODUCTION Computer security and information assurance are important topics in computer science education. Security issues and principles are identified as core topic areas for computer science education by the ACM and IEEE recommended curricula ( The National Security Agency (NSA) and Department of Homeland Security (DHS) offer the Center of Academic Excellence (CAE) in Information Security Education designation to schools meeting stringent requirements in curricular topics, research, and institutional support ( Many new textbooks, recommended curricula, and teaching approaches have been developed to address these topics. Conferences and workshops such as the Colloquium for Information Systems Security Education (CISSE ) and the Information Security Education Curriculum Development (InfoSecCD) have been created to provide a forum for promoting information security education techniques at both the undergraduate and graduate levels. Different approaches to teaching security have been presented in these forums. One approach is to distribute security concepts across existing CS courses and integrate them at the point they are most relevant [8]. The advantage of this approach is that security is seen as an integral part of all areas of computer science versus a separate topic in and of itself. A different approach is to create separate security courses and/or set up complete programs and concentrations in security [1,2,4,13]. Perhaps, the most common approach is a hybrid of these two in which one or two security courses are available that focus on security concepts while fundamental security topics are distributed in existing courses such as networks, operating systems, software engineering, and databases. Regardless of the course structure chosen for teaching security, many educators advocate a hands on approach to teaching security and integrate a laboratory component into their program [7]. This provides a means for students to receive instruction on the concepts of security while gaining experience with the tools and techniques of security professionals. The Department of Computer Science at our institution has been teaching information security since Over the past 13 years, we have developed a variety of security curricula, tried numerous approaches to teaching specific concepts, developed labs for security education, created educational tools to foster student participation and understanding, and participated in various information security competitions. In 2003, our institution pursued and was recognized as a Center of Academic Excellence in Information Assurance Education.

2 HANDS ON TECHNIQUES Security Laboratories Our program emphasizes a hands on approach to security education through labs, interactive tools, and participation in competitions. Teaching students tools and techniques for information security leads to obvious issues regarding ethical challenges in ensuring students are aware of appropriate behavior and are held accountable for their actions. We dedicate several lessons in various courses to the ethical and legal issues and responsibilities associated with security. In addition to the ethical component, security labs face logistical challenges unlike other CS labs. Students are experimenting with potentially harmful malicious software that needs to be properly handled and isolated. At our institution, the security lab is not tied into either the school network or the internet. This needs to be taken into consideration when developing labs. The challenges of security labs become even greater for distance learning environments in which a centralized physical laboratory is not practical. One approach that some schools have taken to deal with this issue is the use of virtual machines [3]. While virtualization software is available for free, there is a large overhead in terms of laboratory management and maintenance. The largest problem we have faced with our security labs is the level of detailed underlying knowledge our students must have to fully utilize existing tools and understand their impact. While our students are exposed to multiple operating systems, their level of knowledge at the system administrator level is limited. We need to carefully construct labs to provide sufficient background for students to understand what is happening without either overwhelming them with system level details, or simply giving them a checkbox list of things to do without explanation. Interactive Classroom Visualizations To address the problem of lack of background knowledge while still providing a meaningful experience with security concepts, we have developed a suite of interactive tools that operate at a more abstract level [9,10,11]. These tools, known as interactive classroom visualizations, or ICV s, were originally developed for use in the classroom as active learning techniques [12]. They are short interactive tools for teaching concepts such as cipher algorithms, formal security models, public key infrastructure, security protocols, etc. They teach concepts at an abstract level and do not require students understand underlying system details to interact with and learn the concepts. These tools were developed specifically for instructor demonstration followed by student interaction as a classroom activity. They were not intended to be used in a standalone mode without additional instructional material. While this was adequate for the primary purpose of this approach, it does not allow the flexibility necessary for applications such as independent student exploration or distance learning. WEB LABS Concept

3 Extending the goals of the interactive classroom visualizations, our aim in developing security web labs is to demonstrate complex security concepts in an easily accessible way while requiring minimal prior preparation, lab support, or background knowledge. We accomplish this by focusing on higher levels of abstraction and providing sufficient informational context to make each lab largely standalone for the intended audience. Design Our web labs are designed to meet the following stated goals: Combine higher level of abstraction with sufficient explanatory context, Provide sufficient background information to ensure each lab is standalone, and Ensure the labs are interactive and experimental. We rely heavily on visualization components to achieve higher levels of concept abstraction. For example, when presenting relative password strengths, one approach is to numerically or mathematically present the size of the search space or amount of potential entropy. Our approach uses visualization to graphically relate the size of the search space between passwords of different lengths or consisting of larger character sets (e.g. numbers and special characters included). In addition to the visual demonstration of the concept, sufficient explanatory text is always included to fully describe the concept. Our audience ranges from college aged, non computer science freshman to senior level computer science and computer engineering majors. Keeping the audience in mind, we target the depth and amount of background information to ensure each lab can be a standalone experience. An example of this can be seen in our buffer overflow web labs. We begin the lab with a discussion of the Von Newman architecture and the concept of instructions and data sharing memory space. This background is essential to ensure each audience has sufficient foundation to understand the concept being introduced. A key to creating compelling web labs is to make them interactive and experimental in nature. Our suite of cryptographic web labs accomplishes this by providing the student the ability to interactively enter information, choose an encryption key and method, and watch the cipher text creation on the fly. This is further enhanced by guiding them through a set of experiments that interactively demonstrate different attack techniques for each encryption method. In the end, the concepts are built from a set of foundational information, through several different encryption methods, accompanied by multiple historical cryptographic attacks based on the relative strengths and weaknesses of each method. We find that designing web labs with the above stated goals in mind increases the students ability to complete them, increases their interest and enjoyment while working through complex topics, and increases their ability to understand and eventually apply the knowledge they have gained. Using Web Labs There are a number of ways to integrate web labs into a course or workshop. As mentioned earlier, we use them in a number of contexts. Here is a short list of possible ways they can be used followed by a discussion of their application in a few of the many ways we have employed them. Web labs can be used: Pre lecture to motivate or reinforce the concepts included in a preparatory reading,

4 Separate lab experience to demonstrate or reinforce concepts presented in a lecture, Distance learning the web labs can be accessed either online or offline in support of distance learning, In class as a learning focused exercise in class to work through difficult concepts with concrete examples, and In small groups the exercises can be used to initiate discussions and problem solving in small groups of students to enable collaborative learning. We employ web labs in many ways, ranging from high school level guided workshops through senior college level computer science classes. In many cases we even utilize the same web lab in these very different applications. We accomplish this by creating unique sets of questions and experiments targeted to the audience being taught. The web lab is focused on presenting, explaining, and demonstrating concepts. The targeted set of questions and experiments build on the conceptual material in the web lab to focus each set of students with the correct level of depth and difficulty. A few examples may best illustrate the ability to tailor the use of web labs in these ways. Our most versatile and widely used web lab to date is the suite of cryptography tools. We use these in a summer scientific seminar to guide high school seniors through the history and application of cryptography. We are careful to guide them through each cipher, its techniques, applications, and eventual attack and defeat in a historical context similar to the story of cryptography told in Simon Singh s excellent work The Code Book [13]. The experiments and exercises are presented and worked through with close instructor guidance by the entire class or in small groups of students. The material is presented at a much slower pace with less depth to ensure the group stays focused and engaged. Contrast this with our use of the same cryptography web labs used in our introduction to computing course consisting of mainly college freshmen. We cover the same material in a 50 minute class lecture that was presented in a roughly 3 hour workshop to high school students. For the college freshman we introduce the complexity required to break each cipher and begin to discuss the mathematical nature of the encryption. Lastly, we apply this same web lab in our college senior level cryptography course taken by computer science and systems engineering majors. In this context we assign the web lab as a prelecture exercise to review background material and set the stage for a much more rigorous in class lecture on the mathematical details and analysis of a variety of historically significant ciphers. The other web labs developed to date have proven to be equally versatile. The SQL injection lab is equally applicable in our information warfare course and our database course when accompanied with appropriate tailored questions and experiments. The buffer overflow web lab can be introduced in an operating systems class to demonstrate the concepts of stack frames and shared memory. Later in the curriculum, we more fully utilize the buffer overflow web lab in our information warfare course to demonstrate the core concepts of this exploit. OUR EXPERIENCE One of the motivations for creating security web labs was to provide a hands on laboratory experience without requiring the necessary background knowledge to run an actual tool in an actual environment. In addition, we wanted students to have sufficient explanation and direction to be able to complete the labs without instructor interaction or extensive reference material. Our initial experience with them is that they satisfy these requirements. Students are able to complete the labs in a timely fashion without requiring additional assistance. Students rate the labs as enjoyable and less frustrating than understanding the details associated with actual security tools. We have not attempted to quantify the

5 educational impact of the labs, as we have a small sample size of students and a formalized analysis with control groups is not practical. However, student reaction suggests the labs are an enjoyable and motivational part of the course. Currently, the following web labs have been completed: Cipher algorithms SQL Injection Database inference Password strength and cracking Buffer overflow Our existing Interactive Classroom Visualizations in formal models, security protocols, and public key infrastructure are being converted from standalone applications to the web lab format. Additional web labs are being developed in the areas of firewalls, access control, and denial of service. The tools will be hosted on a publically accessible web site for general use. Further information can be obtained by contacting the authors. BIBLIOGRAPHY [1] Azadegan, S., Lavine, M., O'Leary, M., Wijesinha, A., and Zimand, M An undergraduate track in computer security. In Proceedings of the 8th Annual Conference on innovation and Technology in Computer Science Education (Thessaloniki, Greece, June 30 July 02, 2003). D. Finkel, Ed. ITiCSE '03. ACM Press, New York, NY, [2] Bacon, T. and Tikekar, R Experiences with developing a computer security information assurance curriculum. J. Comput. Small Coll. 18, 4 (Apr. 2003), [3] Bullers, W. I., Burd, S., and Seazzu, A. F Virtual machines an idea whose time has returned: application to network, security, and database courses. In Proceedings of the 37th SIGCSE Technical Symposium on Computer Science Education (Houston, Texas, USA, March 03 05, 2006). SIGCSE '06. [4] Crowley, E Information system security curricula development. In Proceeding of the 4th Conference on information Technology Curriculum (Lafayette, Indiana, USA, October 16 18, 2003). CITC4 '03. ACM Press, New York, NY, [5] Ebeling, D. and Santos, R. Public Key Infrastructure Visualization. J. Comput. Small Coll. October [6] Ma, K Cyber security through visualization. In Proceedings of the 2006 Asia Pacific Symposium on information Visualisation Volume 60 (Tokyo, Japan). K. Misue, K. Sugiyama, and J. Tanaka, Eds. ACM International Conference Proceeding Series, vol Australian Computer Society, Darlinghurst, Australia, 3 7. [7] Mattord, H. J. and Whitman, M. E Planning, building and operating the information security and assurance laboratory. In Proceedings of the 1st Annual Conference on information Security Curriculum Development (Kennesaw, Georgia, October 08 08, 2004). InfoSecCD '04. ACM Press, New York, NY, [8] Petrova, K., Philpott, A., Kaskenpalo, P., and Buchan, J Embedding information security curricula in existing programmes. In Proceedings of the 1st Annual Conference on information Security Curriculum Development (Kennesaw, Georgia, October 08 08, 2004). InfoSecCD '04. ACM Press, New York, NY, [9] Schweitzer D. and Baird L., The design and use of interactive visualization applets for teaching ciphers. Proceedings of the 7th IEEE Workshop on Information Assurance, June 2006.

6 [10] Schweitzer D., Baird L., Collins M., Brown W., Sherman M. GRASP: A visualization tool for teaching security protocols. Proceedings of the 10th Colloquium for Information Systems Security Education, June [11] Schweitzer D., Collins M., Baird L. A Visual Approach to Teaching Formal Access Models in Security. Proceedings of the 11th Colloquium for Information Systems Security Education, June [12] Schweitzer, D., Gibson, D., Collins, M Active Learning in the Security Classroom, Proceedings of the Hawaii International Conference on System Science, HICSS 42,.[13] Vaughn, R. B., Dampier, D. A., and Warkentin, M. B Building an information security education program. In Proceedings of the 1st Annual Conference on information Security Curriculum Development (Kennesaw, Georgia, October 08 08, 2004). InfoSecCD '04. ACM Press, New York, NY, [13] Singh, S. The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography. Fourth Estate, London