How To Teach A Cyber Security Course



Similar documents
AN OFFLINE CAPTURE THE FLAG-STYLE VIRTUAL MACHINE FOR CYBER SECURITY EDUCATION

An Offline Capture The Flag-Style Virtual Machine and an Assessment of its Value for Cybersecurity Education

Authenticated encryption

CS Computer Security Third topic: Crypto Support Sys

SCP - Strategic Infrastructure Security

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Client Server Registration Protocol

CS 758: Cryptography / Network Security

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

RMAR Technologies Pvt. Ltd.

Secure Remote Password (SRP) Authentication

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Common Pitfalls in Cryptography for Software Developers. OWASP AppSec Israel July The OWASP Foundation

IronKey Data Encryption Methods

Network Security. Modes of Operation. Steven M. Bellovin February 3,

Cryptographic Filesystems. Background and Implementations for Linux and OpenBSD

Network Security. Chapter 3 Symmetric Cryptography. Symmetric Encryption. Modes of Encryption. Symmetric Block Ciphers - Modes of Encryption ECB (1)

Lecture 9 - Network Security TDTS (ht1)

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Error oracle attacks and CBC encryption. Chris Mitchell ISG, RHUL

VPN Lesson 2: VPN Implementation. Summary

WEP Overview 1/2. and encryption mechanisms Now deprecated. Shared key Open key (the client will authenticate always) Shared key authentication

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Chapter 8. Network Security

Secure Network Communications FIPS Non Proprietary Security Policy

Table of Contents. Bibliografische Informationen digitalisiert durch

Data Encryption WHITE PAPER ON. Prepared by Mohammed Samiuddin.

Cryptography and Network Security: Summary

Password-based encryption in ZIP files

FORBIDDEN - Ethical Hacking Workshop Duration

Automatic Encryption With V7R1 Townsend Security

Deploying EFS: Part 1

CSCE 465 Computer & Network Security

Disk encryption... (not only) in Linux. Milan Brož

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version:

Security for Computer Networks

Secure Password Managers and Military-Grade Encryption on Smartphones: Oh, Really? Andrey Belenko and Dmitry Sklyarov Elcomsoft Co. Ltd.

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Alliance AES Encryption for IBM i Solution Brief

NETWORK ADMINISTRATION AND SECURITY

Implementation Vulnerabilities in SSL/TLS

AES1. Ultra-Compact Advanced Encryption Standard Core. General Description. Base Core Features. Symbol. Applications

FPGAs for Trusted Cloud Computing

4.2: Kerberos Kerberos V4 Kerberos V5. Chapter 5: Security Concepts for Networks. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

Lectures for the course: Electronic Commerce Technology (IT 60104)

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

AutoCrypt 2.1 User Guide!

Support Advisory: ArubaOS Default Certificate Expiration

Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory

Project 2: Penetration Testing (Phase II)

The Encryption Technology of Automatic Teller Machine Networks

Kerberos. Login via Password. Keys in Kerberos

Secure Storage. Lost Laptops

IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT

EXAM questions for the course TTM Information Security May Part 1

Penetration Testing. Presented by

OBM / FREQUENTLY ASKED QUESTIONS (FAQs) Can you explain the concept briefly on how the software actually works? What is the recommended bandwidth?

PCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security

Properties of Secure Network Communication

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

Loophole+ with Ethical Hacking and Penetration Testing

An Introduction to Key Management for Secure Storage. Walt Hubis, LSI Corporation

Security Protocols/Standards

SEZ SEZ Online Manual Digital Signature Certficate [DSC] V Version 1.2

lundi 1 octobre 2012 In a set of N elements, by picking at random N elements, we have with high probability a collision two elements are equal

Computer Security. Draft Exam with Answers

Dashlane Security Whitepaper

Massachusetts Institute of Technology Handout : Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Mitigating Server Breaches with Secure Computation. Yehuda Lindell Bar-Ilan University and Dyadic Security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Xpresstransfer Online Backup Manager General Technical FAQ

Network Security - ISA 656 Introduction to Cryptography

The Open Cyber Challenge Platform *

Kaseya US Sales, LLC Virtual System Administrator Cryptographic Module Software Version: 1.0

RemotelyAnywhere Getting Started Guide

MOTOROLA MESSAGING SERVER SERVER AND MOTOROLA MYMAIL DESKTOP PLUS MODULE OVERVIEW. Security Policy REV 1.3, 10/2002

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Lecture 4 Data Encryption Standard (DES)

Introduction. Where Is The Threat? Encryption Methods for Protecting Data. BOSaNOVA, Inc. Phone: Web:

Symmetric Crypto MAC. Pierre-Alain Fouque

10.2 World Wide Web Security S-HTTP (secure hypertext transfer protocol) SEA (security extension architecture)

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Protecting Data with Short- Lived Encryption Keys and Hardware Root of Trust. Dan Griffin DefCon 2013

SSL Protect your users, start with yourself

SSL BEST PRACTICES OVERVIEW

Public Key Infrastructure in idrac

Crypho Security Whitepaper

Overview. SSL Cryptography Overview CHAPTER 1

Chapter 8. Cryptography Symmetric-Key Algorithms. Digital Signatures Management of Public Keys Communication Security Authentication Protocols

Introduction to Cyber Security / Information Security

Authentication. Computer Security. Authentication of People. High Quality Key. process of reliably verifying identity verification techniques

Symmetric and Public-key Crypto Due April , 11:59PM

The Misuse of RC4 in Microsoft Word and Excel

Last Updated: July STATISTICA Enterprise Server Security

Application Note: Onsight Device VPN Configuration V1.1

Quick Start Guide. Cerberus FTP is distributed in Canada through C&C Software. Visit us today at

Transcription:

AN OFFLINE CAPTURE THE FLAG-STYLE VIRTUAL MACHINE FOR CYBER SECURITY EDUCATION Tom Chothia Chris Novakovic University of Birmingham

Introduction A VM to support cyber security education. The VM creates unique flags, which the students get if they solve the exercise. Flags submitted by students online and used to support marking. Comparison of flag only marking vs. traditional continuous assessment marking.

Capture the Flag Competitions

Flag We Have Known: Flag:'a012c434d1ec6db911fda4884de14fdd 31c3_a5bb3ead8fbc6617374ea3f57f0563d2 the_snozberries_taste_like_snozberries 'this is a key SECCON{TeaBreakAtWork} FLAG(CYBERCONTROLCYBERDATACYBERCOR PORATION)

Problems with using CTFs in Education Everyone gets the same flag and same infrastructure. Short lived intense competitions We don t want students to win or loose the course. Not compatible with an 11 week module. Live, online competitions use complex infrastructure and need a lot of support. IT Services do not support large amounts of hostile attack traffic on their network.

Our Solution User space Alice Bob VM Start Up Script K M Course key VM_id {Ex_2:VM_id} KM Source code 1 {Ex_6:VM_id} KM Source code 2 {Ex_7:VM_id} KM Web Server {Ex_4:VM_id} KM SQL Database {Ex_5:VM_id} KM Weak Service 1 Weak Service 2

Exercises Encryption Students need to write code to decrypt RSA & AES: ECB, CBC, CTR, CCM mode encryption. Flags are inside the encrypted messages. Perform known plaintext bit flipping attacks. Access control Start up script writes flags to files and sets access permissions. Subtle errors in the access control allow access to these flags and the shadow file E.g. chained confused deputy using setuid. Cracking the passwords gives access to account with flag Root & some other passwords cannot be cracked.

Examples: Protocol Questions

Student Feedback Each time taught it has been the most popular course in the school

Assessment We used the existence of flags to aid human marking of written answers and code. Flags were required and gave the marker confidence that code worked and that written answers were correct. But we gave no marks for just the flags Would fully automated marking based only on flags have worked? Full marking of exercises let s us test this.

Flag marking Difference between a 1 st and a very high 1 st was showing a full and complete understanding. E.g. Protocols, low 1 st : correct, but inefficient attacks and fixes Protocols, high 1 st : most efficient attacks and fixes possible Reverse engineering, low 1 st : right answer found by lots of trial and error. Reverse engineering, high 1 st : complete understanding of the assembly. Fully automated flag only marking would be fine for broad classifications, but would not recognize the best students. Better than no assessed course work.

Using Flags to Assess Ability Could better flag exercises accurately assess ability? As exercises become harder, luck plays more of a part. Too many exercises make them a race against time. IMHO: Flags are a great way to make CTFs fun, but can only play a small part in academic assessment. Side note: the best CTF teams will write up their CTF results.

Plagiarism Plagiarism is an issue with all coursework. 4 cases of plagiarism on 3 iterations of the course. Four submitted the same flags & almost the same answers. Two students submitted different flags & almost the same answers. Two students submitted the same flags. Another two students submitted the same flags. Roughly half the rate of plagiarism as before flags. Questioned informally, students said they didn t plagiarise flags because they had to do written answers and vice versa.

Other issues Other problems with flag only marking: Value of written solutions and feedback Written work stops flag plagiarism Online monitoring of token submissions. Very useful. Students can bypass system Good students that finish exercises early, encouraged to do this Designed to be harder to bypass exercises than solve correctly.

Summary Design for offline CTF-style, cyber security education VM. Each student s VM contains unique flags. Very popular with students but still difficult exercises. Publically available, no restrictions on use http://www.cs.bham.ac.uk/~tpc/seceduvm/ Flags support human marking and discourage plagiarism. Marking based only on flags would not have accurately assessed good students.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information