Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 An Application-Oriented Approach for Computer Security Education Xiao Qin Department of Computer Science and Software Engineering Auburn University Email:

Published byEdwina Lamb Modified over 9 years ago

Similar presentations

Presentation on theme: "1 An Application-Oriented Approach for Computer Security Education Xiao Qin Department of Computer Science and Software Engineering Auburn University Email:"— Presentation transcript:

1 1 An Application-Oriented Approach for Computer Security Education Xiao Qin Department of Computer Science and Software Engineering Auburn University Email: xqin@auburn.edu URL: http://www.eng.auburn.edu/~xqin

2 2 Goal and Objectives Goal: New approaches for computer security education Objective 1: To prepare students to design, implement, and test secure software Objective 2: A holistic platform for constructing computer security course projects Student-centered learning Professor-centered platform

3 3 From CSSE Students to Software Engineers To produce reliable, robust, secure software. To work in interdisciplinary teams. To use appropriate design notations, such as UML. To work in multiple programming languages.

4 4 Teamwork Secure Software DesignProgramming What projects can help students to learn about teamwork? Must we teach students how to design secure software? How to provide engaging computer security projects? How to teach multiple programming languages? Challenges Student-Centered Learning

5 5 Flexibility Preparation Grading Teaching What projects can be tailored to students to learn about teamwork? What is a good way to grade computer security projects? How to quickly prepare engaging computer security projects? How to teach computer security projects? Challenges Professor-Centered Platform

6 6 Teaching Philosophy Computer security education should focus on: Fundamental security principles Security-practice skills.

7 7 Motivation Security principles: Fundamental A wide spectrum. PracticePrinciples Real-World Systems and Apps Laboratory exercises: Observing Evaluating Testing Course projects: Analyzing Designing Programming Real-world secure computing systems: Programming standards Large scale Work on existing products CollegeIndustry small-scale, fragmented, and isolated course projects

8 8 Our Solution: Application-Oriented Approach Security Sensitive Applications Security Module 1 User Interface OS (Windows, Linux, etc.) Non-Security Modules Security Module n Security Modules

9 9 Considerations Security modules: related to fundamental security principles. Applications: represent real world scenario(s) Each application: contains all possible security modules. Flexibility: difficulty levels are configurable. Programming environment: easy setup Hints for students: data structures and algorithms

10 10 A Unified Programming Environment Security Sensitive Applications Security Module 1 User Interface OS (Windows, Linux, etc.) Non-Security Modules Security Module n Virtual Machine (e.g. vmware, virtualBox )

11 11 Flexibility Levels of Difficulty –Beginner –Intermediate –Advanced Objective 1: To prepare students to design, implement, and test secure software Objective 2: A holistic platform for constructing computer security course projects Student-centered learning Professor-centered platform

12 12 Flexibility How Modules Are Packaged Beginner Easy Intermediate Moderate Advanced Hard Explorative Light Editing Basic Understand Of Concepts Normal Implementation Depth Understanding Of Concept Advanced Implementation

13 13 Types of Course Projects Explorative based projects. Partial Implementation projects. Full Implementations projects. Vulnerability testing, attacking, and fixing. Hybrid labs (Exploration & Implementation, etc.) Beginner Intermediate Advanced

14 14 Choose the First Application Real World Scenarios –Banking System: Implemented –P2P File-Sharing: future work Three RAs worked on this project –Strategy 1: each RA design and implement a security sensitive application –Strategy 2: three RAs collaborate on a single application.

15 15 Banking Application Toy Application –A Secure Teller Terminal System –ATM Documentations –Design –Test Cases –Makefile –Readme

16 16 Implementation Projects Students’ Tasks Existing Components Access Control List Integrity Checking Data Encryption Module Properties of these projects: Focused on targeted principles Focused on a single application Each project takes 2-6 weeks Difficulties can be adjusted IPSecInAttack Lab Banking Application Buffer overflow

17 17 Workflow A professor’s perspective Teach Concept Generate Project Description Design Survey Questions Choose Apps & Difficulty Work On Project Evaluation/Feedback Design Docs & Partial Code System Setup

18 18 Design Document Example: Data Flow – High Level

19 19 Put It All Together An example A Banking System Access Control User Interface OS (Windows, Linux, etc.) Non-Security Modules EncryptionIPSec Virtual Machine (e.g. vmware, virtualBox )

20 20 Class Diagram A secure teller terminal system Intermediate

21 21 Class Diagram A secure teller terminal system Advanced No security modules in the design document (e.g., class diagram)

22 22 An Encrypted Staff File Beginner Easy Explorative Light Editing

23 23 An Unencrypted Staff File Beginner Easy Explorative Light Editing

24 24 EncryptionModules Transposition - good, low-level encryption algorithm. Substitution - good, low-level encryption algorithm. Put both of them together – A transposition of a substitution.

25 25 Access Control Role-based system. Implemented in a separate module. Give students data flow diagram.

26 26 Access Control Students implement Access Control module. Allows them to insert in existing system. Better real world experience.

27 27 Choose a Course to Test Our Approach Introductory-level Programming experiences Small-scale projects work Introduction to Computer Security Advanced Computer Security Research projects Examples Memory attacks Parallel Antivirus Testing Security CoursesOther Courses No design experience New programming language Weak programming skill Teach/learn basic security concepts e.g., Software Construction

28 28 Comp 2710 Software Construction Two projects –A secure teller terminal system: access control –A cryptographic system: two algorithms 57 students (CSSE and ECE) –Computer Science –Software Engineering –Electrical Engineering –Wireless Engineering

29 29 Preliminary Studies Survey Questionnaires –The quality of project design –Students’ evaluation on projects: How interested they are Programming background Whether the labs spark their interests in security How many hours they spent on the projects Participants: –48 students for project 1 –53 students for project 2

30 30 Evaluation Results (1) (1) ≤ 5 hours(2) 6-10 hours(3) 11-20 hours (4) 21-30 hours (5) > 30 hours Survey: Approximately, how many hours did you spend on the project? Design 81% <10h Implementation 46% >21h Entire Project 40% >30h

31 31 Evaluation Results (2) (1) Strongly disagree (2) Disagree (3) Neutral (4) Agree (5) Strongly agree Survey: The project instructions were clear. Teller terminal system 69%: agree or strongly agree Cryptographic system 58%: agree or strongly agree

32 32 Evaluation Results (3) (1) Very easy (2) Somewhat easy (3) Average (4) Somewhat difficult (5) Very difficult Survey: What was the level of difficulty of this project? Teller terminal system 61%: somewhat difficult or very difficult Cryptographic system 53%: somewhat difficult or very difficult

33 33 Evaluation Results (4) Survey: What was the level of interest in this project? Teller terminal system 58%: Average, High, or very high Cryptographic system 85%: Average, High, or very high 1. (1) Very low (2) Low(3) Average (4) High (5) Very high

34 34 Evaluation Results (5) Survey: What was the most time consuming part of in the design portion of the project? Teller terminal system 44%: Use cases Cryptographic system 58%: Testing (1) Use Cases (2) Class Diagram (3) System Sequence Diagram (4) Testing

35 35 Evaluation Results (6) (1) Strongly disagree (2) Disagree (3) Neutral (4) Agree (5) Strongly agree Survey: As a result of the lab, I am more interested in computer security. Teller terminal system 17%: strongly disagree or disagree Cryptographic system 20%: strongly disagree or disagree

36 36 Evaluation Results (7) develop a non-trivial application using classes, constructors, vectors, and operator overloading; learn a security issue – authentication; perform object-oriented analysis, design, and testing; and develop a reasonably user-friendly application. learn two cryptographic algorithms; develop a simple cryptographic tool; perform separate compilation; and to develop a command- line application. Survey: Overall, I have attained the learning objectives of the project. Teller terminal system Cryptographic system

37 37 Evaluation Results (7 cont.) (1) Strongly disagree (2) Disagree (3) Neutral (4) Agree (5) Strongly agree Survey: Overall, I have attained the learning objectives of the project. Teller terminal system 52%: strongly agree or agree Cryptographic system 65%: strongly agree or agree

38 38 About the QoSec Project Funded by the NSF CCLI Program –Phase I ($150K) was funded in 2009 –1 PI and 4 Research Assistants –Alfred Nelson –Andrew Pitchford –John Barton Web pages of the project will be available soon: –http://www.eng.auburn.edu/~xqin

39 39 Plan and Collaborations Prepare for an NSF TUES Phase II Project –Four to six universities involved –10 Pis –More tool applications –More preliminary results –Evidence for collaborations Contact me if you are interested in –this NSF CCLI Phase I project or –our future NSF TUES Phase II project Xiao Qin: xqin@auburn.edu

40 40

41 41 Demo & Examples

42 42 Questions? If you are interested in information regarding this project, add your name to our newsletter list after this discussion. http://www.eng.auburn.edu/~xqin Slides are available at http://www.slideshare.net/xqin74

Download ppt "1 An Application-Oriented Approach for Computer Security Education Xiao Qin Department of Computer Science and Software Engineering Auburn University Email:"

Similar presentations

CS 501: Software Engineering Fall 2000 Lecture 2 The Software Process.

CS 501: Software Engineering Fall 2000 Lecture 2 The Software Process.
Slide 01-1COMP 7370, Auburn University COMP 7370 Advanced Computer and Network Security Dr. Xiao Qin Auburn University

Slide 01-1COMP 7370, Auburn University COMP 7370 Advanced Computer and Network Security Dr. Xiao Qin Auburn University
Team Software Project - Ebnenasir - Spring 2008 1 CS 3141: Team Software Project - Introduction Ali Ebnenasir Department of Computer Science Michigan Technological.

Team Software Project - Ebnenasir - Spring CS 3141: Team Software Project - Introduction Ali Ebnenasir Department of Computer Science Michigan Technological.
3/10/07ACM SIGCSE'071 SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation Wenliang (Kevin) Du Zhouxuan Teng & Ronghua Wang Department.

3/10/07ACM SIGCSE'071 SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation Wenliang (Kevin) Du Zhouxuan Teng & Ronghua Wang Department.
1 CS 501 Spring 2003 CS 501: Software Engineering Lecture 2 Software Processes.

1 CS 501 Spring 2003 CS 501: Software Engineering Lecture 2 Software Processes.
The Education of a Software Engineer Mehdi Jazayeri Presented by Matthias Hauswirth.

The Education of a Software Engineer Mehdi Jazayeri Presented by Matthias Hauswirth.
R R R CSE870: Advanced Software Engineering (Cheng): Intro to Software Engineering1 Advanced Software Engineering Dr. Cheng Overview of Software Engineering.

R R R CSE870: Advanced Software Engineering (Cheng): Intro to Software Engineering1 Advanced Software Engineering Dr. Cheng Overview of Software Engineering.
IS 421 Information Systems Management James Nowotarski 16 September 2002.

IS 421 Information Systems Management James Nowotarski 16 September 2002.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Programming Languages Structure

Programming Languages Structure
Concordia University Department of Computer Science and Software Engineering Click to edit Master title style ADVANCED PROGRAMING PRACTICES Introduction.

Concordia University Department of Computer Science and Software Engineering Click to edit Master title style ADVANCED PROGRAMING PRACTICES Introduction.
Secure Coding Faculty Workshop, April 14-15, Orlando, FL 1 SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation Wenliang (Kevin)

Secure Coding Faculty Workshop, April 14-15, Orlando, FL 1 SEED: A Suite of Instructional Laboratories for Computer SEcurity EDucation Wenliang (Kevin)
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 8 Slide 1 Tools of Software Development l 2 types of tools used by software engineers:

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 8 Slide 1 Tools of Software Development l 2 types of tools used by software engineers:
SYSTEMS ANALYSIS. Chapter Five Systems Analysis Define systems analysis Describe the preliminary investigation, problem analysis, requirements analysis,

SYSTEMS ANALYSIS. Chapter Five Systems Analysis Define systems analysis Describe the preliminary investigation, problem analysis, requirements analysis,
Section 01Resources1 HSQ - DATABASES & SQL 01 Resources And Franchise Colleges Name :MANSHA NAWAZ room :G 0/32

Section 01Resources1 HSQ - DATABASES & SQL 01 Resources And Franchise Colleges Name :MANSHA NAWAZ room :G 0/32
Annual SERC Research Review - Student Presentation, October 5-6, 2011 1 Extending Model Based System Engineering to Utilize 3D Virtual Environments Peter.

Annual SERC Research Review - Student Presentation, October 5-6, Extending Model Based System Engineering to Utilize 3D Virtual Environments Peter.
CASE Tools And Their Effect On Software Quality Peter Geddis – pxg07u.

CASE Tools And Their Effect On Software Quality Peter Geddis – pxg07u.
Issues in Teaching Software Engineering Virendra C. Bhavsar Professor and Director, Advanced Computational Research Laboratory Faculty of Computer Science.

Issues in Teaching Software Engineering Virendra C. Bhavsar Professor and Director, Advanced Computational Research Laboratory Faculty of Computer Science.
Lecture 1: Welcome Computer Architecture Kai Bu

Lecture 1: Welcome Computer Architecture Kai Bu
CS 21a: Intro to Computing I Department of Information Systems and Computer Science Ateneo de Manila University.

CS 21a: Intro to Computing I Department of Information Systems and Computer Science Ateneo de Manila University.

Similar presentations

Ads by Google