Explaining the Buffer Overflow Problem:
Instructional Design and Evaluation in Information Security
Education
Embry-Riddle Aeronautical University Prescott, Arizona
http://nsfsecurity.pr.erau.edu
Grant Overview (** = author)
NSF Federal Cyber Service “Scholarships for Service” Institutional Capacity-building Award No. 0113627
College of Engineering: ** Dr. Susan L. Gerhart, Dr. Matthew S. Jaffe, Dr. Paul Hriljac
Science, Technology, Globalization Program: Dr. Richard Bloom
Consultants: ** Dr. Jan G. Hogle (Ed. Tech.), ** Jedidiah Crandall (Student)
Grant Overview: Goals
Interactive modules for undergraduate curricula: the buffer overflow problem, cryptography, interdependent security dimensions, personnel screening
Increased student interest in security, possible degree program
Dissemination to other universities
Buffer Overflow Module: The Problem
Buffer overflow: data is written outside the bounds of the memory allocated for it
Vulnerabilities: an attacker can “hijack” program execution (by overwriting a saved return address or other control data), overwrite security-sensitive data in memory, or crash the program, leading to denial of service or a core dump that exposes security-sensitive data
Buffer Overflow Module: Motivation
Pervasive and costly: “public enemy #1”, more than half of CERT alerts
Improves software engineering practice
Hook for introducing security in several courses
Good application for interactive educational technology
Buffer Overflow Module: Approach
Demo: simulated abstract machine (Java applets)
Instructional methodology
Audiences: programmer, tester, journalist, IT manager
Goals/objectives: what to learn, how to measure learning
Evaluation: interviews, questionnaires, quizzes, …
Buffer Overflow Module: Interactive Educational Package
Stand-alone Authorware + website
Explanations of attacks and defenses; demo applets and instructor guide; links; Code Red case study; quiz and scavenger hunt
Courses: programming, languages, operating systems, software engineering, security
Requires: 30 min. to demo + prerequisite introduction + depth (depends on course)
Results: rapid learning, high-impact presentation, learner engagement, retention
Demo: http://nsfsecurity.pr.erau.edu/bom
Stacks: how a typical C compiler uses run-time stacks
Spock: how security-sensitive data can be overwritten
Smasher: how program execution can be diverted away from the normal program execution path
StackGuard: how one particular defense against stack smashing works
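As an added worked example (not the module's Java applets and not code from the ERAU authors), the following C program simulates the frame layout that the Problem slide and the four demos above walk through: a fixed-size buffer, a StackGuard-style canary, a security-sensitive "authorized" flag (the Spock case), and the saved return address (the Smasher case). Because a real overflow is undefined behaviour and modern compilers abort on it, the frame is modelled as a byte array so the effect of each write is observable. The field offsets, the constant canary value and the sample return address are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame, bytes ordered low-to-high as a typical C compiler
 * lays out locals: fixed-size buffer first, then a StackGuard-style canary,
 * then a security-sensitive local (an "authorized" flag, as in the Spock
 * demo), then the saved return address (the Smasher target). Any write that
 * runs past the end of the buffer marches upward through those fields. */
#define BUF_SIZE   16
#define OFF_BUF    0
#define OFF_CANARY (BUF_SIZE)        /* 4-byte canary (assumed layout) */
#define OFF_AUTH   (BUF_SIZE + 4)    /* 4-byte authorization flag */
#define OFF_RET    (BUF_SIZE + 8)    /* 4-byte saved return address */
#define FRAME_SIZE (BUF_SIZE + 12)

/* Assumed constant canary for the demo. Real StackGuard uses a random or
 * terminator canary precisely so an attacker cannot just write it back. */
#define CANARY_VALUE 0xDEADBEEFu

struct frame { uint8_t mem[FRAME_SIZE]; };

static uint32_t load_u32(const struct frame *f, size_t off) {
    uint32_t v;
    memcpy(&v, f->mem + off, sizeof v);   /* host byte order is fine for a simulation */
    return v;
}

static void store_u32(struct frame *f, size_t off, uint32_t v) {
    memcpy(f->mem + off, &v, sizeof v);
}

/* Prologue: zero the frame, plant the canary, record where to return. */
void frame_init(struct frame *f, uint32_t return_addr) {
    memset(f->mem, 0, FRAME_SIZE);
    store_u32(f, OFF_CANARY, CANARY_VALUE);
    store_u32(f, OFF_AUTH, 0);
    store_u32(f, OFF_RET, return_addr);
}

/* The bug: a strcpy/gets-style copy with no bound on n. The clamp only keeps
 * this simulation inside its own array; a real overflow keeps going into the
 * caller's frame. */
void unsafe_copy(struct frame *f, const uint8_t *in, size_t n) {
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->mem + OFF_BUF, in, n);
}

/* The fix: check the length against the buffer before copying.
 * Returns 0 on success, -1 if the input was rejected. */
int safe_copy(struct frame *f, const uint8_t *in, size_t n) {
    if (n > BUF_SIZE) return -1;
    memcpy(f->mem + OFF_BUF, in, n);
    return 0;
}

/* Epilogue as StackGuard instruments it: verify the canary before returning. */
int canary_intact(const struct frame *f) {
    return load_u32(f, OFF_CANARY) == CANARY_VALUE;
}

uint32_t auth_flag(const struct frame *f)   { return load_u32(f, OFF_AUTH); }
uint32_t return_addr(const struct frame *f) { return load_u32(f, OFF_RET); }

/* Classic stack-smashing payload (constructed input): fill the buffer, then
 * supply the canary slot, a new auth flag and a new return address. */
size_t build_payload(uint8_t *out, uint32_t canary_guess,
                     uint32_t new_auth, uint32_t new_ret) {
    memset(out + OFF_BUF, 'A', BUF_SIZE);
    memcpy(out + OFF_CANARY, &canary_guess, 4);
    memcpy(out + OFF_AUTH, &new_auth, 4);
    memcpy(out + OFF_RET, &new_ret, 4);
    return FRAME_SIZE;
}

int main(void) {
    struct frame f;
    uint8_t payload[FRAME_SIZE];
    size_t n = build_payload(payload, 0x41414141u, 1, 0x0BADC0DEu);

    frame_init(&f, 0x08048500u);          /* assumed "normal" return address */
    unsafe_copy(&f, payload, n);
    printf("unsafe: auth=%u ret=0x%08x canary %s\n", (unsigned)auth_flag(&f),
           (unsigned)return_addr(&f), canary_intact(&f) ? "intact" : "SMASHED");

    frame_init(&f, 0x08048500u);
    printf("safe: rejected=%d auth=%u ret=0x%08x\n", safe_copy(&f, payload, n),
           (unsigned)auth_flag(&f), (unsigned)return_addr(&f));
    return 0;
}
```

After the unsafe copy the flag reads 1 and the return address points wherever the payload said, which is the Spock and Smasher outcome in one step; the canary check catches it only because the payload did not know the canary value. Running build_payload with CANARY_VALUE as the guess slips past canary_intact, which is the caveat the StackGuard demo should leave students with: the defense depends on the canary being unpredictable, and it does nothing for overwrites that stay below the canary.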
Evaluation
Needs analysis matrix
Formative evaluation: pre-quiz (memory, C, SE practice); post (interview, questionnaire): New? Understandable? Useful?
Suggestions: color change, Spock?
Website traffic high: 33,000 page views since Aug. 2002; average 25 visitors/day, 4 pages/visitor; >50% international
Lessons Learned
Carefully defining the audience paid off
“Interactivation” is hard!
Professors aren’t comfortable with it; students are naturals
Must abstract from processes, like B.O. (buffer overflow)
Quizzes and scavenger hunts are easy and fun
What’s learning? What’s gratuitous?
Hard to obtain feedback: forms hated