Page 1
Building Security In January 2009 Workshop. Harry Hochheiser, [email protected]

Building Security In: January 2009 Workshop

Harry Hochheiser

Towson University Department of Computer and Information Sciences

410 704 3090
http://triton.towson.edu/~hhochhei/

Page 2

Today's Goals

• Review project
• Discuss specifics: CS0, CS1, CS2, CIS0
  – How to use materials, how to assess, etc.
• Plan, revise, brainstorm, etc.

Page 3

Project Goals and Motivations

• Students need better background in computer security
  – Or, any background?
• Can't just add required classes
  – “too little, too late”
• Security track and classes limited in impact
  – Too few students
• How to add security earlier without detracting from other material?

Page 4

Approach: Security Injections

• Self-contained modules
• Based on labs from traditional sciences
• “Drop-in” to existing classes
• Minimally invasive: no class time necessary

Page 5

Past and Future Work

Past: successful deployment in CS0 and CS1 at Towson
– Taylor & Azadegan, SIGCSE 2008

Future: Expand
– Depth: add numerous new classes (CS2, CIS0, Web, DB, networks). Others?
– Breadth: deploy to Anne Arundel, Baltimore County, Harford, Bowie State. Others?

Page 6

Process

• Towson, Bowie State develop materials, pilot and train
• Community colleges deploy and assist with assessment
• TU and BSU assess and revise
• MAISA recreates

Process diagram (flow): Develop Materials → Train → Pilot Test → Deploy → Replicate, with two Assess & Revise stages feeding back into the cycle.

Page 7

Current Status

• Draft materials for CS0, CS1, CS2 available on wiki
  – Integer Overflow, Buffer Overflow, Input Validation
  – Modules
  – Learning objectives (with mappings to assignments)
  – Sample assessment exercises
• CIS0 under development
  – Phishing

Page 8

Timeline: Short term

• January 2009: Training
• Spring 2009
  – CS0, CS1 deployed at TU, pilot at BSU, partners?
  – CS2 pilot at TU
  – CIS0 pilot at BSU
  – Develop materials for Database
• Summer 2009
  – Train BSU and partners on CS2
  – Train TU, BSU on CIS0 and DB
  – Analyze data

Page 9

Assessment

• Success:
  – Lots of students learn more about security
  – Many institutions adopt our materials
• How do we document pedagogical success?
  – Awareness and interest surveys
  – Faculty responses
  – Specific exercises on quizzes/exams for content

Page 10

Security Injections: Contents

• Background
  – Description
  – Risk: how can it happen?
  – Example of occurrence
  – Example in code
  – How can I avoid it?
• Lab/homework assignment
  – Security checklist
  – Discussion questions
• Security scorecard: use the checklist to grade any code

Page 11

Security Awareness Survey

• “What are the possible consequences of insufficient computer security?”

• “Integer overflow occurs...”

• “Which programming mistake is one of the major vulnerabilities in today's applications?”

• “Which of the following should your well-designed program do before processing user input?”

• 7 demographic questions

• Nothing asking about previous exposure to security concerns in courses – should we add it?

• Online – through studentvoice.com

Page 12

The Process

• Start of semester: give awareness survey
  – Online, via link to be provided
• Assign modules when appropriate (it's up to you)
  – Use checklists as grading scorecards
  – Possibly retain some for our research
• Assess student learning
  – Example exercises for quizzes/exams given in assessment docs
• Repeat awareness survey at end of semester

Page 13

Questions

• What will it take to make this work well?
• How can we get colleagues to adopt?
• What project support is needed?
• What institutional support is needed?
• Are there issues specific to your context that we should know about?

Page 14

The wiki

• http://triton.towson.edu/~cssecinj/dokuwiki
• http://www.dokuwiki.org/manual
• Demonstration...

Page 15

CS0, CS1, CS2

• Integer Overflow
• Input Validation
• Buffer Overflow
• Other topics?
  – General introduction to vulnerabilities?
• C++ and Java versions

Page 16

Objectives (X = covered in that course)                                    CS0  CS1  CS2

Describe the vulnerability                                                  X    X    X
Describe potential problems that may result from the vulnerability          X    X    X
Identify vulnerabilities in a simple program written in the language
  of instruction                                                            X    X    X
Discuss general strategies for mitigating vulnerabilities                        X    X
Write code that uses appropriate techniques to mitigate or avoid the
  vulnerability                                                                  X    X
Revise a program, eliminating vulnerabilities                                         X
Discuss the impact of the choice of programming language on
  susceptibility to the vulnerability                                                 X

Page 17

Example: Buffer Overflow for CS2

• Example in code (deliberately vulnerable: the loop runs to 20, but the array holds only 10 elements)

    public class BufferOverflow {
        public static void main(String[] args) {
            int[] vals = new int[10];
            // The bug this module illustrates: i runs past the last valid index (9).
            // Java's bounds check stops the write at i == 10 with an
            // ArrayIndexOutOfBoundsException; in C or C++ the same write is
            // undefined behaviour and can corrupt adjacent memory instead.
            for (int i = 0; i < 20; i++) {
                vals[i] = i;
            }
        }
    }

• Tips for avoiding: validate indices, don't allocate storage until needs are known, etc.
• Assignment: Write a procedure that will copy an arbitrary subrange of one array of integers into another array.
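As an added example (not from the slides or the Security Injections materials), one bounds-checked solution to the subrange-copy assignment above, applying the "validate indices" tip; the class, method and parameter names are this example's own choices:

```java
import java.util.Arrays;

/**
 * Added example, not part of the workshop materials: a bounds-checked
 * subrange copy of the kind the CS2 buffer-overflow assignment asks for.
 * Names (SafeSubrangeCopy, copySubrange, from/to/dstOffset) are assumptions
 * made for this example.
 */
public class SafeSubrangeCopy {

    /**
     * Copies src[from..to) into dst starting at dstOffset.
     * Every index is validated before any element is touched, so a bad
     * request is rejected with an exception and neither array is modified.
     */
    public static void copySubrange(int[] src, int from, int to,
                                    int[] dst, int dstOffset) {
        if (src == null || dst == null) {
            throw new IllegalArgumentException("arrays must not be null");
        }
        // The source range must lie inside src and be well ordered.
        if (from < 0 || to > src.length || from > to) {
            throw new IndexOutOfBoundsException(
                "source range [" + from + ", " + to + ") not within 0.." + src.length);
        }
        int count = to - from;
        // The destination must have room for 'count' elements at dstOffset.
        // Written as dst.length - dstOffset < count rather than
        // dstOffset + count > dst.length so the comparison itself cannot
        // overflow int (the integer-overflow module's lesson applied here).
        if (dstOffset < 0 || dstOffset > dst.length
                || dst.length - dstOffset < count) {
            throw new IndexOutOfBoundsException(
                "destination needs " + count + " slots at offset " + dstOffset
                + " but has length " + dst.length);
        }
        for (int i = 0; i < count; i++) {
            dst[dstOffset + i] = src[from + i];
        }
    }

    public static void main(String[] args) {
        // Constructed sample input for the demonstration.
        int[] src = {10, 11, 12, 13, 14, 15};
        int[] dst = new int[4];

        // A valid request: copy src[1..4) into dst[0..3).
        copySubrange(src, 1, 4, dst, 0);
        System.out.println(Arrays.toString(dst));

        // The slide's mistake in assignment form: six elements into four
        // slots. Rejected up front, before any element is written.
        try {
            copySubrange(src, 0, 6, dst, 0);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

All checks run before the first element is written, so a rejected request leaves both arrays exactly as they were. Java would throw on the out-of-bounds write anyway, but only after partially filling the destination; in the C++ version of the module the same unchecked write is undefined behaviour and nothing stops it, which is why the explicit validation, not the language's safety net, is the habit the assignment is meant to build.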

Page 18

Thoughts, reactions?

• Breakout into groups by topic or class
• Discuss in detail
  – What works, what doesn't
• Download from wiki, revise, upload