Labtainers: A Docker-based Framework for Cybersecurity Labs USENIX Workshop on Advances in Security Education 15 August 2017 Cynthia Irvine, Michael Thompson, Michael McCarrin, and Jean Khosalim Department of Computer Science Naval Postgraduate School

Labtainers: A Docker-based Framework for Cybersecurity Labs · 2019-12-18 · Labtainers: A Docker-based Framework for Cybersecurity Labs USENIX Workshop on Advances in Security Education


Labtainers:
A Docker-based Framework for Cybersecurity Labs

USENIX Workshop on Advances in Security Education
15 August 2017

Cynthia Irvine, Michael Thompson, Michael McCarrin, and Jean Khosalim

Department of Computer Science
Naval Postgraduate School


NCS, 8 June 2017

Experiential learning is desirable, but…

• Institutional infrastructure may be absent
• Labs are difficult to build and difficult to maintain
  - Overworked instructors need well-vetted labs
• Student platform diversity introduces problems
  - Different operating systems, libraries, software tools, etc.
  - Platform setup for lab distracts from learning objectives
  - Lab results vary widely due to configuration differences
• Experiential labs require exploration
  - How is this observed?
• Students may share or reuse other work
  - Need individualized labs, but grading effort becomes large

ASE, 15 Aug 2017


Labtainers Objectives

Consistent and Fair
• Students execute labs in identical environments
• Instructors see consistent results and assess students on their work rather than environmental effects

Parameterizable
• Labs configured so each student's work can be unique
• Labs are same level of difficulty for all students
• Expected results are parameterized to streamline grading

Support for Automatic Assessment
• Collected student work is parsed for specific outputs
• Tools may be developed to support assessment of particular aspects of exercise


Stand-alone Linux Cybersecurity Labs

• Multi-component network topologies
  - Packaged using Docker containers
  - Pre-configured execution environments
• Local to student's computer
  - One Linux host (e.g., VM) runs many containers
  - No per-lab provisioning required by the student
• Public repository of labs & open framework


Architecture

• Linux can run in a VM on a non-Linux platform
• Preconfigured containers ensure consistency across heterogeneous platforms

[Figure: layered stack. Hardware at the bottom, then Linux, then Docker Engine, with containers on top that each hold their own Bins/Libs and Apps (A, A', A'', B, B'), alongside Other Applications.]


Why Containers?

• Similar resource and naming isolation
  - Dockerfiles simplify provisioning of containers
• Student laptop can run several containers
  - But may be bogged down by 2 or more VMs
  - Enables labs with many networked components
• All containers share Linux kernel with host
  - But can have distinct packages & library versions
  - Containers limited to Linux


Parameterization

• Individualizes labs for each student (optional)
• Random number seed based on student email
• Example: size of buffer to overflow
  - Symbolic replacement of value in source code
  - Vulnerable program compiled during first run
  - Affects offset of return address to overwrite


Automated Assessment

• Student activity and files collected as artifacts
  - Mostly transparent to students, they see Linux
  - Bash hooks capture stdin & stdout
  - Artifacts forwarded to instructor
• Instructor tools assess student performance
  - Expected results as defined by lab designer
  - View of student's file and ability to run programs
• Lab exercises individualized for students
  - Discourages sharing answers & solution mining
  - Automated assessment makes this practical


Roles in the World of Labtainers

Student
Performs lab exercise. Learns! Delivers results to instructor for assessment.

Designer
SME who works with instructor to create labs based on learning objectives. Fine tunes and updates labs. May support auxiliary assessment tools.

Instructor
Defines learning objectives. Works with (or is) designer. Ensures student readiness to perform labs and conducts assessments.


• Designer-created configuration files provide automation (red) for
  - Container setup and artifact analysis
• Manual steps (green): student runs lab, student sends artifacts to instructor, instructor reviews assessment table

[Figure: workflow with steps labeled a through f. Artifacts pass from the Student Container (Docker, on the Student Linux System) to the Instructor Container (Docker, on the Instructor Linux System).]


    # goals.config
    #
    # Please see labdesigner.md

    # Recorded actions or results of student work to be summarized
    # for instructor

    telnetview = matchany : string_equal : fileview : parameter.FSTRING
    sshview = matchany : string_equal : sshfileview : parameter.FSTRING
    tcpdump_plain = is_true : tcpdumprun
    failed_login = is_true : failed_login

    # results.config
    #
    # Please see labdesigner.md

    # The following are meant to identify artifacts from telnet lab

    fileview = client:telnet.stdout : 4 : STARTSWITH : My string is:
    sshfileview = client:ssh.stdout : 4 : STARTSWITH : My string is:
    tcpdumprun = server:tcpdump.stdout : CONTAINS : mydoghas
    failed_login = server:/var/log/auth.log : CONTAINS : FAILED LOGIN


    # Filename : start.config
    # Description:
    # A simple configuration file read by start.py

    # Defines the containers used by both students and instructors

    GLOBAL_SETTINGS
        # GRADE_CONTAINER - container where instructor will perform grading
        GRADE_CONTAINER client
        # HOST_HOME_XFER - directory to transfer artifact to/from containers
        HOST_HOME_XFER seed_dir/
        # LAB_MASTER_SEED - this is the master seed string specific to this laboratory
        LAB_MASTER_SEED telnetlab_jean_seed

    # SUBNETS
    NETWORK SOME_NETWORK
        MASK 172.20.0.0/24
        GATEWAY 172.20.0.100

    # Container name and settings
    CONTAINER client
        USER ubuntu
        TERMINALS 2
        SOME_NETWORK 172.20.0.2

    CONTAINER server
        USER ubuntu
        TERMINALS 1
        SOME_NETWORK 172.20.0.3

Note: For a simple single-container lab, there is a default configuration file.


Parameterization

    # parameter.config
    #
    # Please see labdesigner.pdf

    # This string provides per-student parameterization of telnet lab
    FSTRING : HASH_REPLACE : telnetlab.server.student=filetoview.txt : TELNET_STRING : mytelnetfilestirng

• Labs parameterized using
  - Per student unique string, e.g. email address
  - Both student and instructor know string
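The sketch below is an added example, not code from the Labtainers project. It shows how a seed derived from the lab master seed and a student's email can drive both the HASH_REPLACE entry above and the buffer-size example from the earlier Parameterization slide. Assumptions: the SHA-256 constructions, the field meanings given for the parameter.config line, the `BUFFER_SIZE` symbol, the size range, the templates and the email addresses are all illustrative and not taken from the slides.

```python
import hashlib

LAB_MASTER_SEED = "telnetlab_jean_seed"  # from the start.config slide
PARAM_LINE = ("FSTRING : HASH_REPLACE : telnetlab.server.student=filetoview.txt"
              " : TELNET_STRING : mytelnetfilestirng")  # from parameter.config

def instance_seed(email, master=LAB_MASTER_SEED):
    """Per-student seed. Assumed construction: SHA-256(master seed + email)."""
    return hashlib.sha256((master + email.strip().lower()).encode()).hexdigest()

def parse_param(line):
    """Assumed field order: id, operator, target file, symbol, string to hash."""
    pid, op, target, symbol, string = [f.strip() for f in line.split(" : ")]
    return {"id": pid, "op": op, "file": target, "symbol": symbol, "string": string}

def hash_value(param, seed):
    """Value written in place of the symbol: hash of the string plus the seed."""
    return hashlib.sha256((param["string"] + seed).encode()).hexdigest()[:32]

def apply_hash_replace(text, param, seed):
    if param["symbol"] not in text:
        raise ValueError("symbol missing: the lab would not be individualized")
    return text.replace(param["symbol"], hash_value(param, seed))

def buffer_size(seed, lo=64, hi=256):
    """Buffer-overflow case: size chosen from the seed, so the offset of the
    return address differs per student. The range is a made-up example."""
    return lo + int(seed[:8], 16) % (hi - lo + 1)

# Constructed templates, not files from the Labtainers distribution.
FILE_TEMPLATE = "My string is: TELNET_STRING\n"
C_TEMPLATE = "char buffer[BUFFER_SIZE];\n"  # BUFFER_SIZE is a hypothetical symbol

def build_for(email):
    """Student side fills the templates; instructor side recomputes 'expected'."""
    seed, param = instance_seed(email), parse_param(PARAM_LINE)
    return {
        "filetoview.txt": apply_hash_replace(FILE_TEMPLATE, param, seed),
        "vuln.c": C_TEMPLATE.replace("BUFFER_SIZE", str(buffer_size(seed))),
        "expected": {param["id"]: hash_value(param, seed)},
    }

if __name__ == "__main__":
    for who in ("alice@example.edu", "bill@example.edu"):  # constructed addresses
        print(who, build_for(who)["expected"])
```

Because the instructor can recompute `expected` from the same email, a submitted value that matches another student's string is detectable without comparing submissions by hand.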


Assessment Support

             telnet   SSH   tcpdump   failed_login
    Alan     Y        X     X         X
    Alice    Y        Y     X         X
    Barbara  Y        Y     Y         Y
    Bill     X        Y     Y         X
    Chuck    X        X     X         X
    Corrine  Y        Y     Y         Y

• Instructor starts the lab and automatically
  - Containers created
  - Student artifacts pulled in
  - Results configuration sets up assessment environment
  - Loop through all students using
    • Parameter configuration
    • Goals configuration
  - Table of per-student goals produced to support assessment
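The following added example (not Labtainers code) evaluates the results.config and goals.config entries from the earlier slide against one student's artifacts and produces one row of a table like the one above. Assumed semantics, not stated on the slides: CONTAINS yields a boolean, `N : STARTSWITH : text` yields the Nth whitespace token of each line starting with that text, and `matchany` passes if any extracted token equals the student's parameter; the artifact contents and FSTRING value are constructed.

```python
RESULTS = """\
fileview = client:telnet.stdout : 4 : STARTSWITH : My string is:
sshfileview = client:ssh.stdout : 4 : STARTSWITH : My string is:
tcpdumprun = server:tcpdump.stdout : CONTAINS : mydoghas
failed_login = server:/var/log/auth.log : CONTAINS : FAILED LOGIN
"""
GOALS = """\
telnetview = matchany : string_equal : fileview : parameter.FSTRING
sshview = matchany : string_equal : sshfileview : parameter.FSTRING
tcpdump_plain = is_true : tcpdumprun
failed_login = is_true : failed_login
"""

def entries(cfg):
    """Yield (name, fields) for each non-comment 'name = a : b : ...' line."""
    for line in cfg.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            name, rhs = line.split("=", 1)
            yield name.strip(), [f.strip() for f in rhs.split(" : ")]

def extract(fields, artifacts):
    """CONTAINS -> bool; 'N : STARTSWITH : p' -> Nth token of each line
    starting with p (assumed semantics, see lead-in)."""
    lines = artifacts.get(fields[0], "").splitlines()
    if fields[1] == "CONTAINS":
        return any(fields[2] in l for l in lines)
    idx, prefix = int(fields[1]), fields[3]
    hits = [l.split() for l in lines if l.startswith(prefix)]
    return [t[idx - 1] for t in hits if len(t) >= idx]

def assess(artifacts, params):
    """One row of the assessment table for one student's artifacts."""
    results = {n: extract(f, artifacts) for n, f in entries(RESULTS)}
    row = {}
    for goal, f in entries(GOALS):
        if f[0] == "is_true":
            ok = results.get(f[1]) is True
        else:  # matchany : string_equal : <result> : parameter.<id>
            ok = params[f[3].split(".", 1)[1]] in results.get(f[2], [])
        row[goal] = "Y" if ok else "X"
    return row

# Constructed artifacts for one student; the FSTRING value is made up.
SAMPLE = {
    "client:telnet.stdout": "My string is: deadbeef00\n",
    "client:ssh.stdout": "login ok\nMy string is: 5f2a9c\n",
    "server:tcpdump.stdout": "0x0030: ... mydoghasfleas ...\n",
    "server:/var/log/auth.log": "session opened for user ubuntu\n",
}
print(assess(SAMPLE, {"FSTRING": "5f2a9c"}))
```

The sample is built so the resulting row has the same X/Y/Y/X pattern as Bill's row: the telnet output shows a string that is not this student's, so the per-student parameter is what catches a copied answer.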


Status and Near-Term Objectives

• A few proof of concept labs from SEED
• Current Labs
  - Format string (printf) vulnerabilities
  - Buffer overflow
  - Forensics
  - Cryptographic hashes
  - Telnet (plaintext password on the network)
  - VPN (configuring Openvpn to protect traffic)
  - nmap
  - gdb introduction
  - Several more


Status and Near-Term Objectives

• Summer 2017
  - Internal testing
  - Three high school interns
  - Additional labs, e.g. ICS security
• Early Fall 2017, initial general release


Join the Labtainers Team

• The beta version of Labtainers can be found at http://my.nps.edu/web/cisr/labtainers

Department of Computer Science
Naval Postgraduate School
Monterey, CA 93943 U.S.A