Labtainers:
A Docker-based Framework for Cybersecurity Labs
USENIX Workshop on Advances in Security Education, 15 August 2017
Cynthia Irvine, Michael Thompson, Michael McCarrin, and Jean Khosalim
Department of Computer Science, Naval Postgraduate School
NCS, 8 June 2017

Experiential learning is desirable, but…
• Institutional infrastructure may be absent
• Labs are difficult to build and difficult to maintain
  - Overworked instructors need well-vetted labs
• Student platform diversity introduces problems
  - Different operating systems, libraries, software tools, etc.
  - Platform setup for lab distracts from learning objectives
  - Lab results vary widely due to configuration differences
• Experiential labs require exploration
  - How is this observed?
• Students may share or reuse other work
  - Need individualized labs, but grading effort becomes large
ASE, 15 Aug 2017

Labtainers Objectives
Consistent and Fair
• Students execute labs in identical environments
• Instructors see consistent results and assess students on their work rather than environmental effects
Parameterizable
• Labs configured so each student’s work can be unique
• Labs are same level of difficulty for all students
• Expected results are parameterized to streamline grading
Support for Automatic Assessment
• Collected student work is parsed for specific outputs
• Tools may be developed to support assessment of particular aspects of exercise

Stand-alone Linux Cybersecurity Labs
• Multi-component network topologies
  - Packaged using Docker containers
  - Pre-configured execution environments
• Local to student’s computer
  - One Linux host (e.g., VM) runs many containers
  - No per-lab provisioning required by the student
• Public repository of labs & open framework

Architecture
• Linux can run in a VM on a non-Linux platform
• Preconfigured containers ensure consistency across heterogeneous platforms
[Figure: layered diagram with labels Hardware, Linux, Docker Engine, Bins/Libs (twice), App A, App A’, App A’’, App B, App B’, Other Applications]

Why Containers?
• Similar resource and naming isolation
  - Dockerfiles simplify provisioning of containers
• Student laptop can run several containers
  - But may be bogged down by 2 or more VMs
  - Enables labs with many networked components
• All containers share Linux kernel with host
  - But can have distinct packages & library versions
  - Containers limited to Linux

Parameterization
• Individualizes labs for each student (optional)
• Random number seed based on student email
• Example: size of buffer to overflow
  - Symbolic replacement of value in source code
  - Vulnerable program compiled during first run
  - Affects offset of return address to overwrite

Automated Assessment
• Student activity and files collected as artifacts
  - Mostly transparent to students, they see Linux
  - Bash hooks capture stdin & stdout
  - Artifacts forwarded to instructor
• Instructor tools assess student performance
  - Expected results as defined by lab designer
  - View of student’s file and ability to run programs
• Lab exercises individualized for students
  - Discourages sharing answers & solution mining
  - Automated assessment makes this practical

Roles in the World of Labtainers
Student: Performs lab exercise. Learns! Delivers results to instructor for assessment.
Designer: SME who works with instructor to create labs based on learning objectives. Fine tunes and updates labs. May support auxiliary assessment tools.
Instructor: Defines learning objectives. Works with (or is) designer. Ensures student readiness to perform labs and conducts assessments.

• Designer-created configuration files provide automation (red) for
  - Container setup and artifact analysis
• Manual steps (green): student runs lab, student sends artifacts to instructor, instructor reviews assessment table
[Figure: Student Linux System and Instructor Linux System, each running Docker with a Student Container or Instructor Container; artifacts pass from the student side to the instructor side; steps labelled a to f]

# goals.config
#
# Please see labdesigner.md

# Recorded actions or results of student work to be summarized
# for instructor
telnetview = matchany : string_equal : fileview : parameter.FSTRING
sshview = matchany : string_equal : sshfileview : parameter.FSTRING
tcpdump_plain = is_true : tcpdumprun
failed_login = is_true : failed_login

# results.config
#
# Please see labdesigner.md

# The following are meant to identify artifacts from telnet lab
fileview = client:telnet.stdout : 4 : STARTSWITH : My string is:
sshfileview = client:ssh.stdout : 4 : STARTSWITH : My string is:
tcpdumprun = server:tcpdump.stdout : CONTAINS : mydoghas
failed_login = server:/var/log/auth.log : CONTAINS : FAILED LOGIN

# Filename : start.config
# Description:
# A simple configuration file read by start.py

# Defines the containers used by both students and instructors
GLOBAL_SETTINGS
    # GRADE_CONTAINER - container where instructor will perform grading
    GRADE_CONTAINER client
    # HOST_HOME_XFER - directory to transfer artifact to/from containers
    HOST_HOME_XFER seed_dir/
    # LAB_MASTER_SEED - this is the master seed string specific to this laboratory
    LAB_MASTER_SEED telnetlab_jean_seed

# SUBNETS
NETWORK SOME_NETWORK
    MASK 172.20.0.0/24
    GATEWAY 172.20.0.100

# Container name and settings
CONTAINER client
    USER ubuntu
    TERMINALS 2
    SOME_NETWORK 172.20.0.2
CONTAINER server
    USER ubuntu
    TERMINALS 1
    SOME_NETWORK 172.20.0.3

Note
For a simple single-container lab, there is a default configuration file.

Parameterization
# parameter.config
#
# Please see labdesigner.pdf

# This string provides per-student parameterization of telnet lab
FSTRING : HASH_REPLACE : telnetlab.server.student=filetoview.txt : TELNET_STRING : mytelnetfilestirng

• Labs parameterized using
  - Per student unique string, e.g. email address
  - Both student and instructor know string
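
The two Parameterization slides (seed from student email, symbolic replacement, HASH_REPLACE) can be sketched as follows. This is an added example, not Labtainers code: the SHA-256 derivation, the `BUFFER_SIZE` symbol, the 200 to 2000 range, the reading of the last `parameter.config` field as the string to hash, and the file contents are all assumptions.

```python
import hashlib
import random

LAB_MASTER_SEED = "telnetlab_jean_seed"  # value shown in start.config

def student_seed(email):
    # Assumed derivation: digest of the lab master seed plus the student e-mail.
    data = (LAB_MASTER_SEED + email.lower()).encode()
    return hashlib.sha256(data).hexdigest()

def hash_replace(text, symbol, seed, base):
    # HASH_REPLACE-style step: swap a symbol for a digest of seed + base string.
    digest = hashlib.sha256((seed + base).encode()).hexdigest()[:12]
    return text.replace(symbol, digest), digest

def rand_replace(text, symbol, seed, low, high):
    # Seeded PRNG, so student and instructor derive the same number.
    value = random.Random(seed + symbol).randint(low, high)
    return text.replace(symbol, str(value)), value

# Constructed lab files containing the symbols to be replaced.
FILE_TO_VIEW = "My string is: TELNET_STRING\n"
VULN_SOURCE = "void copy(char *s) { char buf[BUFFER_SIZE]; strcpy(buf, s); }\n"

def individualize(email):
    """Return one student's lab files plus the values the grader expects."""
    seed = student_seed(email)
    note, fstring = hash_replace(FILE_TO_VIEW, "TELNET_STRING", seed,
                                 "mytelnetfilestirng")
    source, size = rand_replace(VULN_SOURCE, "BUFFER_SIZE", seed, 200, 2000)
    return {"filetoview.txt": note, "vuln.c": source,
            "FSTRING": fstring, "BUFFER_SIZE": size}

if __name__ == "__main__":
    for who in ("alice@example.edu", "bill@example.edu"):
        lab = individualize(who)
        print(who, lab["FSTRING"], lab["BUFFER_SIZE"])
```

Because every value is a pure function of the master seed and the e-mail address, the instructor side can recompute `FSTRING` for any student without storing per-student answers.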

Assessment Support
Student   telnet  SSH  tcpdump  failed_login
Alan      Y       X    X        X
Alice     Y       Y    X        X
Barbara   Y       Y    Y        Y
Bill      X       Y    Y        X
Chuck     X       X    X        X
Corrine   Y       Y    Y        Y

• Instructor starts the lab and automatically
  - Containers created
  - Student artifacts pulled in
  - Results configuration sets up assessment environment
  - Loop through all students using
    • Parameter configuration
    • Goals configuration
  - Table of per-student goals produced to support assessment
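
How the `results.config` and `goals.config` entries could yield one row of the assessment table, as an added example that is not the Labtainers implementation. The field semantics (CONTAINS as a boolean, `4 : STARTSWITH` as the fourth token of a matching line) are assumptions read off the entries, and the artifacts and the expected FSTRING are constructed.

```python
# Entries copied from the results.config and goals.config slides.
RESULTS = """fileview = client:telnet.stdout : 4 : STARTSWITH : My string is:
sshfileview = client:ssh.stdout : 4 : STARTSWITH : My string is:
tcpdumprun = server:tcpdump.stdout : CONTAINS : mydoghas
failed_login = server:/var/log/auth.log : CONTAINS : FAILED LOGIN"""
GOALS = """telnetview = matchany : string_equal : fileview : parameter.FSTRING
sshview = matchany : string_equal : sshfileview : parameter.FSTRING
tcpdump_plain = is_true : tcpdumprun
failed_login = is_true : failed_login"""

def parse(text):
    entries = {}
    for line in text.splitlines():
        name, spec = line.split("=", 1)
        entries[name.strip()] = [f.strip() for f in spec.split(" : ")]
    return entries

def extract(results, artifacts):
    # Assumed: CONTAINS gives a boolean; N : STARTSWITH : prefix gives token N.
    values = {}
    for name, f in results.items():
        lines = artifacts.get(f[0], "").splitlines()
        if f[-2] == "CONTAINS":
            values[name] = any(f[-1] in line for line in lines)
        else:
            n = int(f[1]) - 1
            toks = [line.split() for line in lines if line.startswith(f[-1])]
            values[name] = [t[n] for t in toks if len(t) > n]
    return values

def assess(goals, values, params):
    def met(f):
        if f[0] == "is_true":
            return bool(values.get(f[1]))
        # matchany : string_equal : <result> : parameter.<NAME>
        return params[f[3].split(".", 1)[1]] in values.get(f[2], [])
    return {g: "Y" if met(f) else "X" for g, f in goals.items()}

# Constructed artifacts for one student whose expected FSTRING is "9f2c41".
ARTIFACTS = {
    "client:telnet.stdout": "Last login: Tue\nMy string is: 9f2c41\n",
    "client:ssh.stdout": "My string is: 77aa10\n",  # another student's value
    "server:tcpdump.stdout": "IP client > server: mydoghasfleas\n",
    "server:/var/log/auth.log": "sshd: Accepted password for ubuntu\n",
}

def grade_row():
    values = extract(parse(RESULTS), ARTIFACTS)
    return assess(parse(GOALS), values, {"FSTRING": "9f2c41"})
```

The `sshview` goal fails here because the captured string belongs to a different student, which is how per-student parameters make a shared answer visible in the table.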

Status and Near-Term Objectives
• A few proof of concept labs from SEED
• Current Labs
  - Format string (printf) vulnerabilities
  - Buffer overflow
  - Forensics
  - Cryptographic hashes
  - Telnet (plaintext password on the network)
  - VPN (configuring Openvpn to protect traffic)
  - nmap
  - gdb introduction
  - Several more

Status and Near-Term Objectives
• Summer 2017
  - Internal testing
  - Three high school interns
  - Additional labs, e.g. ICS security
• Early Fall 2017, initial general release

Join the Labtainers Team
• The beta version of Labtainers can be found at http://my.nps.edu/web/cisr/labtainers
Department of Computer Science
Naval Postgraduate School, Monterey, CA 93943 U.S.A