AN OFFLINE CAPTURE THE FLAG-STYLE VIRTUAL MACHINE FOR CYBER SECURITY EDUCATION



Similar documents
How To Teach A Cyber Security Course

An Offline Capture The Flag-Style Virtual Machine and an Assessment of its Value for Cybersecurity Education

CS 758: Cryptography / Network Security

Authenticated encryption

CS Computer Security Third topic: Crypto Support Sys

SCP - Strategic Infrastructure Security

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

IronKey Data Encryption Methods

Client Server Registration Protocol

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

RMAR Technologies Pvt. Ltd.

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Secure Network Communications FIPS Non Proprietary Security Policy

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Cryptographic Filesystems. Background and Implementations for Linux and OpenBSD

NETWORK ADMINISTRATION AND SECURITY

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Lecture 9 - Network Security TDTS (ht1)

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

VPN Lesson 2: VPN Implementation. Summary

Secure Remote Password (SRP) Authentication

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

WEP Overview 1/2. and encryption mechanisms Now deprecated. Shared key Open key (the client will authenticate always) Shared key authentication

Chapter 8. Network Security

Data Encryption WHITE PAPER ON. Prepared by Mohammed Samiuddin.

Table of Contents. Bibliografische Informationen digitalisiert durch

Cryptography and Network Security: Summary

Password-based encryption in ZIP files

FORBIDDEN - Ethical Hacking Workshop Duration

Deploying EFS: Part 1

Automatic Encryption With V7R1 Townsend Security

Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security

CSCE 465 Computer & Network Security

Computer Security. Draft Exam with Answers

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Disk encryption... (not only) in Linux. Milan Brož

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version:

Security for Computer Networks

Secure Password Managers and Military-Grade Encryption on Smartphones: Oh, Really? Andrey Belenko and Dmitry Sklyarov Elcomsoft Co. Ltd.

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Alliance AES Encryption for IBM i Solution Brief

Implementation Vulnerabilities in SSL/TLS

AES1. Ultra-Compact Advanced Encryption Standard Core. General Description. Base Core Features. Symbol. Applications

FPGAs for Trusted Cloud Computing

4.2: Kerberos Kerberos V4 Kerberos V5. Chapter 5: Security Concepts for Networks. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

Lectures for the course: Electronic Commerce Technology (IT 60104)

AutoCrypt 2.1 User Guide!

Support Advisory: ArubaOS Default Certificate Expiration

Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory

The Encryption Technology of Automatic Teller Machine Networks

Project 2: Penetration Testing (Phase II)

Kerberos. Login via Password. Keys in Kerberos

Secure Storage. Lost Laptops

IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT

EXAM questions for the course TTM Information Security May Part 1

Penetration Testing. Presented by

OBM / FREQUENTLY ASKED QUESTIONS (FAQs) Can you explain the concept briefly on how the software actually works? What is the recommended bandwidth?

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

Cryptography & Network Security. Introduction. Chester Rebeiro IIT Madras

Symmetric and Public-key Crypto Due April , 11:59PM

Properties of Secure Network Communication

Loophole+ with Ethical Hacking and Penetration Testing

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

An Introduction to Key Management for Secure Storage. Walt Hubis, LSI Corporation

Security Protocols/Standards

SEZ SEZ Online Manual Digital Signature Certficate [DSC] V Version 1.2

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Dashlane Security Whitepaper

Talk announcement please consider attending!

CS Final Exam

Xpresstransfer Online Backup Manager General Technical FAQ

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Massachusetts Institute of Technology Handout : Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Network Security - ISA 656 Introduction to Cryptography

The Open Cyber Challenge Platform *

Kaseya US Sales, LLC Virtual System Administrator Cryptographic Module Software Version: 1.0

RemotelyAnywhere Getting Started Guide

BSc (Hons) Sofware Engineering. Examinations for / Semester 2

MOTOROLA MESSAGING SERVER SERVER AND MOTOROLA MYMAIL DESKTOP PLUS MODULE OVERVIEW. Security Policy REV 1.3, 10/2002

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Lecture 4 Data Encryption Standard (DES)

Symmetric Crypto MAC. Pierre-Alain Fouque

10.2 World Wide Web Security S-HTTP (secure hypertext transfer protocol) SEA (security extension architecture)

Three attacks in SSL protocol and their solutions

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

How To Attack A Block Cipher With A Key Key (Dk) And A Key (K) On A 2Dns) On An Ipa (Ipa) On The Ipa 2Ds (Ipb) On Pcode)

Protecting Data with Short- Lived Encryption Keys and Hardware Root of Trust. Dan Griffin DefCon 2013

SSL Protect your users, start with yourself

SSL BEST PRACTICES OVERVIEW

Public Key Infrastructure in idrac

Crypho Security Whitepaper

Pulse Secure, LLC. January 9, 2015

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

Transcription:

AN OFFLINE CAPTURE THE FLAG-STYLE VIRTUAL MACHINE FOR CYBER SECURITY EDUCATION Tom Chothia Chris Novakovic University of Birmingham

Introduction A VM to support cyber security education. The VM creates unique flags, which the students get if they solve the exercise. Flags submitted by students online and used to support marking Comparison of flag only marking vs. traditional continuous assessment marking.

Capture the Flag Competitions

Flag We Have Known: Flag:'a012c434d1ec6db911fda4884de14fdd 31c3_a5bb3ead8fbc6617374ea3f57f0563d2 the_snozberries_taste_like_snozberries 'this is a key SECCON{TeaBreakAtWork} FLAG(CYBERCONTROLCYBERDATACYBERCOR PORATION)

Problems with using CTFs in Education Everyone gets the same flag and same infrastructure. Short lived intense competitions We don t want students to win or loose the course. Not compatible with an 11 week module. Live, online competitions use complex infrastructure and need a lot of support. IT Services do not support large amounts of hostile attack traffic on their network.

Our Solution User space Alice Bob VM Start Up Script K M Course key VM_id {Ex_2:VM_id} KM Source code 1 {Ex_6:VM_id} KM Source code 2 {Ex_7:VM_id} KM Web Server {Ex_4:VM_id} KM SQL Database {Ex_5:VM_id} KM Weak Service 1 Weak Service 2

Exercises Encryption Students need to write code to decrypt RSA & AES: ECB, CBC, CTR, CCM mode encryption. Flags are inside the encrypted messages. Perform known plaintext bit flipping attacks. Access control Start up script writes flags to files and sets access permissions. Subtle errors in the access control allow access to these flags and the shadow file E.g. chained confused deputy using setuid. Cracking the passwords gives access to account with flag Root & some other passwords cannot be cracked.

Examples: Protocol Questions

Exercises Web Security Questions Reverse Engineering question

Feedback From Students Questionaries' On average 6 hours a week on exercises, Rated courses as either the most or second-most worthwhile course they took, Rated themselves as very happy with the course overall, Fifth most difficult of the 35 courses offered by the School.

Assessment We used the existence of flags to aid human marking of written answers and code. Flags were required and gave the marker confidence that code worked and written answers were correct. But we gave no marks for just the flags Would fully automated marking based only on flags have worked? Full marking of exercises let s us test this.

Flag marking Difference between a 1 st and a very high 1 st was showing a full and complete understanding. E.g. Protocols, low 1 st : correct, but inefficient attacks and fixes Protocols, high 1 st : most efficient attacks and fixes possible Reverse engineering, low 1 st : right answer found by lots of trial and error. Reverse engineering, high 1 st : complete understanding of the assembly. Full automated flag only marking would be fine for broad classifications, but would not recognize the best students. Better than no assessed course work.

Plagiarism Plagiarism is an issue with all coursework. 4 cases of plagiarism on 2 iterations of the course. Four submitted the same flags & almost the same answers. Two students submitted different flags & almost the same answers. Two students submitted the same flags. Another two students submitted the same flags. Roughly half the rate of plagiarism as before flags. Questioned informally, students said they didn t plagiarise flags because they had to do written answers and vice versa.

Other issues Problems with flag only marking Value of written solutions and feedback Written work stops flag plagiarism Online monitoring of token submissions. Very useful. Students can bypassing system Good students that finish exercises early encouraged to do this Designed to be harder to bypass exercises than solve correctly.

Summary Design for offline CTF-style, cyber security education VM. Very popular with students, but still difficult exercises. Each student s VM contains unique flags. Flags support human marking and discourage plagiarism. Marking based only on flags would have results in the same grades for students. but would not distinguish between a low 1 st and a high 1 st plagiarism might be an issue with flag only marking.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information