Workshop on Education in Computer Security (WECS '98)

Pacific Grove California, USA, January 19-21 1998

by Cynthia Irvine

The second Workshop on Education in Computer Security (WECS'98) was held from January 19 through January 21, 1998 at the Asilomar Conference Center in Pacific Grove, California. Sponsored by NPS CISR and DISA, the objective of the meeting was to permit security educators to share ideas and techniques for relating complex ideas in computer security to students. The theme of the 1998 meeting was effective use of the laboratory in computer security education. El Nino provided a window of beautiful weather. During breaks, participants strolled the beach and enjoyed the forest setting of one of the Monterey Peninsula's most scenic locations.

We had a pot luck: everyone brought a successful laboratory exercise to share. There was considerable diversity. Topics included network attack/defend; ethics and awareness; cryptography and protocols; passwords and viruses; systems; databases; intrusion detection; formal methods; and network security. In addition, to the variety of topics, the exercises spanned a range of prerequisite knowledge and sophistication, with some exercises for beginning undergraduates and others intended for advanced students.

The first day began with a session entilted Attack/Defend with the first talk by Lt Col Greg White (US Air Force Academy) who described the integration of security topics into a traditional computer science program and the use of laboratory activities to convey security topics. These included implementing a rudimentary cryptographic algorithm in an programming course, designing a virus to learn assembly language, and case studies in trusted operating systems. A capstone exercise involved Linux systems. Here students had to load the operating system, install security patches, and then attack the systems of their fellow students, while defending their own. Willis Marti (Texas A&M University) followed with a discussion of his network security class in which students learn about the defense of networks. What was surprising was the amount of time devoted to teaching ethics and the fact that it took almost three-quarters of the semester to prepare students to conduct an attack/defend exercise.

This led into the next set of presentations on ethics and awareness exercises. Aaron Enright (Wentworth Institute of Technology), a newcomer to computer security education described his plan for an exercise intended to change student perceptions of the players in the security arena. He noted that many undergraduates glorify hackers and consider security as "bad." When laboratory exercises make students the victims of hacking, they may have a better appreciation of defenders. During the discussion period, many agreed with Daniel Faigin when he suggested that system administrators should be depicted as the real "good guys" of the computer world.

Rich Plishka (University of Scranton) discussed the use of security labs in undergraduate computer literacy courses. In a series of simple exercises students learn that they do not work in completely secure environments, but that they must be vigilant. Nancy Mead (Software Engineering Institute) suggested role playing exercises to increase student awareness of a number of simple security measures that non-experts can easily take. These included: account borrowing, software piracy, and accidental virus propagation. It seemed to be an effective "ice-breaker" for a new class.

Following a break, we reconvened to hear about exercises on Cryptography and Protocols. The session started with John Hale (Washington State Univ.) who described a series of graded exercises in which students implemented cryptographic algorithms, cryptanalysis techniques, and protocols. Dan Zhou (Syracuse University) gave a presentation on the formal specification of protocols. Using pencil and paper rather than mechanical proof systems, students analyze properties of several protocols. A particularly interesting presentation was that of Enrique Daltabuit (Universidad Iberoamericana) and A. Gonzales (National Autonomous University of Mexico) who gave back-to-back talks on an exercise to develop secure electronic voting. One exercise focussed on the protocols and mechanism for casting ballots while the other pursued the design of a system for processing the ballots. They noted that since many students were first time voters and that they had participated in an important election, the topic of secure elections held the interest of the students.

Moving to another topic, Daniel Warren (Naval Postgraduate School) described an exercise to illustrate viruses. Because many of his students were not in computer science or engineering, he designed the exercise to use only the Bourne Shell. Using the "shell virus" he illustrated concepts including: access control, false positives, and false negatives. Jeff Bauer (Florida State Univ.) described an exercise for a beginning programming class in which students designed and implemented a simple password server. This was a project with a lot of benefits: not only were students given an introduction to passwords, but the also learned how to implement hash functions.

Following a wonderful Asilomar lunch -- lots of fresh vegetables, good home-style cooking and a view of the beach -- we moved on to Systems. Linda Wilkens (Bridgewater State College) presented exercises on protection that were used in a special topics course and included files, accounts, and e-mail. Each exercise began with a discussion and continued with activities to learn about and experiment with the protection of the item in question. The exercises seemed adaptable to new platforms and, with their use of the Web, easily modernized. Mark Hudson (U.S. Air Force Academy) followed with a presentation on exercises for an advanced course on Security and Information Warfare. Using a specified target system, students explored the use of various tools to learn how both administrators and hackers might use them. These included Crack, Satan, Courtney and Gabriel. As part of a course on secure systems Cynthia Irvine (Naval Postgraduate School) asked students to investigate the exploitation of the TS flag covert channel on Intel x86 processors. Students developed assembly language programs which they tested on a Linux system, where the channel worked, and on a Class B3 XTS-300, where the channel failed. The session concluded with a presentation by Ed Schneider (Institute for Defense Analyses) on the use of chat rooms to illustrate the concept of an information domain. It allowed students to explore policies for application-specific security contexts.

Each day, morning presentations were followed by working sessions in which participants subdivided into four groups to address a variety of topics. On the first afternoon we discussed the kinds of laboratory exercises appropriate to a survey course in computer security and their placement within the syllabus. The context of a course had to be determined in order to select appropriate exercises: the level of sophistication of the students in computer science, equipment resources available, whether students are on-site or remote, and, in the case of attack/defend exercises, various institutional and legal issues. In addition to the laboratory exercises brought to the meeting the groups suggested many new ones. In the area of protection, students could conduct a literature search on object protection, by examining the effects of viruses in Unix or PC systems they could learn about the protection of memory and addressing, they could design an access control mechanism, and they could implement a password policy enforcer to explore user authentication. While studying administrative security, they could use tools to identify and/or exploit security flaws as well as experiment with techniques to map policy into system configurations. To understand enterprise and organizational security problems, students could translate an organizational profile into a security policy. A simple risk assessment for a well-defined environment would give students experience in risk analysis. Similarly, by writing a security plan, students' classroom work would be reenforced. Exercises in disaster recovery could include analysis of log files, creation of a disaster recovery plan, and an exercise to bring the site of a simulated disaster back on line. Several suggestions were made for clever cryptographic exercises. For example, students could play roles in the writing and signing of an on-line will or other legal document. A simple hospital example could be used to demonstrate concepts of database and workflow security. It was suggested that movie clips could be used as a starting point for discussion: How was the alien ship attacked in "Independence Day?" Should there have been a notion of roles and least privilege for the systems in "Jurassic Park?" Could "Sneakers" really happen? One of the groups suggested that to demonstrate denial of service, the instructor, in collaboration with the system administrator, could slow down the response time of the system when students had a deadline. Of course, this would have to be exercised under controlled and limited conditions so that student stress levels would not become to high! A recurring theme was the need for realistic case studies. These ran the gamut from those describing the legal aspects of electronic commerce, to intrusion detection and disaster recovery, to examples of effectively designed systems.

A new addition to this year's meeting was a presentation giving the attendees an in depth look at a particular topic in computer security. During the second morning, Daniel Faigin, of the Aerospace Corporation, gave an excellent presentation on Penetration Testing. He discussed the differences between penetration testing and functional testing; gave a comparative description of the flaw hypothesis and attack tree methodologies; and gave the group guidance on planning a penetration test in a classroom setting. For those attending, Dan's tutorial provided framework in which to teach students about penetration without encouraging reckless behavior. Tutorials will be a part of future workshops.

Following another lunch overlooking the Pacific, we attended the session on networks. Jim Davis (Univ. of Iowa) presented a capstone exercise for a network security course in which students were tasked with obtaining a file from behind a firewall. They had to learn or find the network topology, file names, passwords, and encryption keys necessary to achieve this goal. Don Marks (NIST) discussed an exercise in which students used simple tools such as Perl scripts to detect intrusions in realistic datasets obtained from Dr. Georges Grinstein. He noted that it is often easier to detect anomalous behavior than to explain its cause. Fresh from graduate school Dr. Brenda Timmerman (California State University, Northridge) gave a presentation on using the problem of insuring e-mail privacy and traffic flow confidentiality as a vehicle for introducing exercises in formal methods, system environments, covert channels, system configuration, and evaluation and testing. Finishing the session was a demonstration of an exercise on SSH (Secure Shell) Derek Simmel (Software Engineering Institute). Derek brought laptops with him and showed us how the SSH exercise allowed students to learn how to successfully administer a system and install software that would provide protection against many of the vulnerabilities of the traditional "r-" commands. Not only did the exercise encourage good security habits, but it allowed students to creatively think through configuration decisions in a protected environment.

Workshop discussions on the second day centered on the problem of designing laboratory exercises with the equipment at hand. Several groups indicated that some simulations, perhaps written in Java, would be very useful for educators. A "national security playground" was suggested. Whether this is actually feasible, it is an intriguing idea: just as we have mega computer centers, a center for security experimentation could be established. (Don't sign me up to be a system administrator there!) A list of "essential" lab equipment was identified. It would have to be reconfigurable, flexible, inexpensive, and require low administrative overhead. The user machines could be x86-based systems with SCSI support and perhaps capable of booting multiple operating systems. One machine could be shared by two students. A locked-down server-class machine would be needed. It would be equipped with modems and a network printer. One or more network hubs and/or firewalls would complete the picture and would include, for example, an Internet gateway and be partitionable. Operating systems could be something from Microsoft and free Unix. Programming would be conducted in Perl, tcl, and C or C++. System analysis tools in the form of freeware would permit experiments to be designed.

The last set of workshop discussions dealt with describing minimum and ideal laboratory requirements and cooperation between institutions to create more realistic laboratory exercises. Everyone agreed that, in general, designing laboratory exercises was very challenging and, with the rapid developments in computer and network security, designing timely, pedagogically useful labs was quite difficult. Sharing of information was considered extremely helpful. Laboratory equipment can range from highly sophisticated and expensive to relatively simple. One group suggested that they would like the following: systems to illustrate discretionary access controls (Class C2) and those to enforce mandatory policies (Class B2), modems, logic analyzers, an encrypting router, lots of PCs, and groupware for projects. another group noted that just setting up laboratory exercises can be extremely difficult: qualified personnel are needed just to put systems back on line after the students have made a mistake or after an attack/defend exercises. Others suggested that corporate sponsors might be able to help, both with equipment and with case studies. These ideas merged well with those of another group, which suggested that experiments with VPNs might be interesting. Other aspects of emerging technologies to be formulated into exercises were comparisons of execution models for Web-based environments, experiments to provide authentication for downloaded executables, and virtual meetings. The suggestion was made that interesting cooperations could be created between computer science students and business students.

WECS'98 was very successful and each participant took home a package of laboratory exercises. The program committee consisting of Cynthia Irvine, Daniel Warren, Daniel Warren, Deborah Frinke, Jim Davis, and Heather Hinton as well as the considerable help of Anastascia Cruz-Tokar contributed to an interesting workshop. A WECS mailing list has been set up by Rich Plishka. Write to: Participants expressed interest in exploring the use of tools and case studies in teaching computer and network security. These topics will help to set the theme for the WECS'99 which is being planned for early January 1999, once again at Asilomar.